Consideration of packer identification tools

[kohnakagawa]

FFRI Dataset provides the types of packers used in executables extracted by PEiD. However, some types of packers cannot be detected using this tool. A dataset user wants output results by other packer identification tools.

NOTE: This issue is originally pointed out by Mamoru Mimura at MWS Slack. Thank you.

[kohnakagawa]

We evaluated the following packer detection tools to improve the detection coverage of FFRI Dataset scripts.

• PyPackerDetect
• Manalyze

As the evaluation, we use binaries of RCE_Lab UNPACME challenge.

Evaluation result

You can find the detailed analysis result at this repository.

By combining two packer detection tools, we improve the detection coverage from 83% to 96%.

[y-oyama]

The link to the RCE lab is broken. Is the correct link to https://github.com/apuromafo/RCE_Lab/tree/master/tuts4you ?

It would be nice if you could add the results of experiments with other packers such as:

• UNIX file command
• pefile
• pecheck.py
• DIE (Detect It Easy)
• Exeinfo PE
• PE Explorer
  Some of these tools are GUI-based tools, and it may be difficult to process a large number of binary programs in a batch manner.

[kohnakagawa]

@y-oyama

Thank you for your comment!
We have already evaluated DIE. This result will be shared soon.

(I also fix the broken link. Thank you again.)

[kohnakagawa]

We have published the evaluation results of DIE.
https://github.com/FFRI/PackerDetectionToolEvaluation

[y-oyama]

We have published the evaluation results of DIE.
https://github.com/FFRI/PackerDetectionToolEvaluation

Thanks!