Skip to main content
SpringerLink
Log in

Experimental Toolkit for Manipulating Executable Packing

  • Conference paper
  • First Online:
Risks and Security of Internet and Systems (CRiSIS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14529))

Included in the following conference series:

Abstract

Executable packing is a well-known problematic especially in the field of malware analysis. It often consists in applying compression or encryption to a binary file and embedding a stub for reversing these transformations at runtime. This way, the packed executable is more difficult to reverse-engineer and/or is obfuscated, which is effective for evading static detection techniques. Many detection approaches, including machine learning, have been proposed in the literature so far, but most studies rely on questionable ground truths and do not provide any open implementation, making the comparison of state-of-the-art solutions tedious. We thus think that first solving the issue of repeatability shall help to compare existing executable packing static detection techniques. Given this challenge, we propose an experimental toolkit, named Packing Box, that leverages automation and containerization in an open source platform that brings a unified solution to the research community. We present our engineering approach for designing and implementing our solution. We then showcase it with a few basic experiments, including a performance evaluation of open source static packing detectors and training a model with machine learning pipeline automation. This introduces the toolset that will be used in further studies.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (Canada)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 49.99
Price excludes VAT (Canada)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 64.99
Price excludes VAT (Canada)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    http://www.secretashell.com/codomain/peid.

  2. 2.

    https://github.com/chesvectain/PackingData.

  3. 3.

    https://github.com/packing-box/dataset-packed-elf.

  4. 4.

    https://web.archive.org/web/20141221153307/http://malfease.oarci.net.

  5. 5.

    https://web.archive.org/web/20170817143838/http://vxheaven.org.

  6. 6.

    https://www.virusign.com.

  7. 7.

    https://bazaar.abuse.ch/browse.

  8. 8.

    https://virusshare.com.

  9. 9.

    https://www.docker.com.

  10. 10.

    https://www.winehq.org.

  11. 11.

    https://www.mono-project.com.

  12. 12.

    https://www.darlinghq.org.

  13. 13.

    https://lief-project.github.io.

  14. 14.

    https://scikit-learn.org.

  15. 15.

    https://waikato.github.io/weka-site.

  16. 16.

    Yet Another Markup Language.

  17. 17.

    https://joblib.readthedocs.io.

  18. 18.

    https://github.com/horsicq/DIE-engine.

  19. 19.

    https://github.com/JusticeRage/Manalyze.

  20. 20.

    https://github.com/guelfoweb/peframe.

  21. 21.

    https://github.com/avast/retdec.

  22. 22.

    https://github.com/packing-box/pypackerdetect.

  23. 23.

    https://github.com/packing-box/bintropy.

  24. 24.

    https://github.com/packing-box/peid.

  25. 25.

    https://github.com/packing-box/reminder.

  26. 26.

    https://scikit-learn.org/stable/modules/model_evaluation.html.

References

  1. Aghakhani, H., et al.: When malware is Packin’ heat; limits of machine learning classifiers based on static analysis features, p. 20 (2020)

    Google Scholar 

  2. Anderson, H.S., Roth, P.: EMBER: an open dataset for training static PE malware machine learning models (2018)

    Google Scholar 

  3. Bertrand Van Ouytsel, C.H., Given-Wilson, T., Minet, J., Roussieau, J., Legay, A.: Analysis of machine learning approaches to packing detection (2021)

    Google Scholar 

  4. Biondi, F., Enescu, M.A., Given-Wilson, T., Legay, A., Noureddine, L., Verma, V.: Effective, efficient, and robust packing detection and classification (2019)

    Google Scholar 

  5. Cesare, S., Xiang, Y.: A fast flowgraph based classification system for packed and polymorphic malware on the endhost. In: 24th International Conference on Advanced Information Networking and Applications. IEEE (2010)

    Google Scholar 

  6. Cesare, S., Xiang, Y., Zhou, W.: Malwise - an effective and efficient classification system for packed and polymorphic malware (2013)

    Google Scholar 

  7. Choi, M.J., Bang, J., Kim, J., Kim, H., Moon, Y.S., Díaz-Verdejo, J.: All-in-one framework for detection, unpacking, and verification for malware analysis (2019)

    Google Scholar 

  8. Choi, Y.S., Kim, I.K., Oh, J.T., Ryou, J.C.: PE file header analysis-based packed PE file detection technique (PHAD). In: International Symposium on Computer Science and Its Applications, pp. 28–31. IEEE (2008)

    Google Scholar 

  9. D’Hondt, A.: Dataset file format (DSFF) (2022). https://github.com/packing-box/python-dsff

  10. D’Hondt, A.: Dataset of packed PE files (2022). https://github.com/packing-box/dataset-packed-pe

  11. D’Hondt, A.: Packing box – study executable packing easy (2022). https://github.com/packing-box/docker-packing-box

  12. Hai, N.M., Ogawa, M., Tho, Q.T.: Packer identification based on metadata signature. In: Proceedings of the 7th Software Security, Protection, and Reverse Engineering. SSPREW-7, p. 11. ACM (2017)

    Google Scholar 

  13. Han, S., Lee, K., Lee, S.: Packed PE file detection for malware forensics. In: 2nd International Conference on Computer Science and Its Applications. IEEE (2009)

    Google Scholar 

  14. Lim, C., Nicsen: Mal-EVE: static detection model for evasive malware. In: 10th International Conference on Communications and Networking in China. IEEE (2015)

    Google Scholar 

  15. Lyda, R., Hamrock, J.: Using entropy analysis to find encrypted and packed malware (2007)

    Google Scholar 

  16. Mantovani, A., Aonzo, S., Ugarte-Pedrero, X., Merlo, A., Balzarotti, D.: Prevalence and impact of low-entropy packing schemes in the malware ecosystem. In: Network and Distributed Systems Security Symposium. NDSS (2020)

    Google Scholar 

  17. Muralidharan, T., Cohen, A., Gerson, N., Nissim, N.: File packing from the malware perspective: Techniques, analysis approaches, and directions for enhancements. ACM Comput. Surv. (2022)

    Google Scholar 

  18. Naval, S., Laxmi, V., Gaur, M.S., Vinod, P.: SPADE: signature based PAcker DEtection. In: Proceedings of the First International Conference on Security of Internet of Things. SecurIT ’12, pp. 96–101. ACM (2012)

    Google Scholar 

  19. Noureddine, L., Heuser, A., Puodzius, C., Zendra, O.: SE-PAC: a self-evolving PAcker classifier against rapid packers evolution. In: Proceedings of the 11th ACM Conference on Data and Application Security and Privacy. CODASPY ’21, pp. 281–292. ACM (2021)

    Google Scholar 

  20. Perdisci, R., Lanzi, A., Lee, W.: McBoost: boosting scalability in malware collection and analysis using statistical classification of executables. In: 2008 Annual Computer Security Applications Conference (ACSAC), pp. 301–310 (2008)

    Google Scholar 

  21. Santos, I., Nieves, J., Bringas, P.G.: Semi-supervised learning for unknown malware detection. In: Abraham, A., Corchado, J.M., González, S.R., De Paz Santana, J.F. (eds.) International Symposium on Distributed Computing and Artificial Intelligence. AISC, vol. 91, pp. 415–422. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19934-9_53

    Chapter  Google Scholar 

  22. Shafiq, M.Z., Tabish, S.M., Farooq, M.: PE-probe: leveraging packer detection and structural information to detect malicious portable executables. In: Proceedings of the Virus Bulletin Conference (2009)

    Google Scholar 

  23. Shin, D., Im, C., Jeong, H., Kim, J., Won, D.: The new signature generation method based on an unpacking algorithm and procedure for a packer detection. Int. J. Adv. Sci. Technol. IJAST (2011)

    Google Scholar 

  24. Sun, L., Versteeg, S., Boztaş, S., Yann, T.: Pattern recognition techniques for the classification of malware packers. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 370–390. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14081-5_23

    Chapter  Google Scholar 

  25. Treadwell, S., Zhou, M.: A heuristic approach for detection of obfuscated malware. In: International Conference on Intelligence and Security Informatics. IEEE (2009)

    Google Scholar 

  26. Ugarte-Pedrero, X., Santos, I., Bringas, P.G., Gastesi, M., Esparza, J.M.: Semi-supervised learning for packed executable detection. In: 5th International Conference on Network and System Security. IEEE (2011)

    Google Scholar 

Download references

Acknowledgements

Charles-Henry Bertrand Van Ouytsel is FRIA grantee of the Belgian Fund for Scientific Research (FNRS-F.R.S.). The authors are funded by the CyberExcellence project (RW, Convention 2110186).

Author information

Authors and Affiliations

  1. Université Catholique de Louvain, Rue Archimede 1, Louvain-la-Neuve, Belgium

    Alexandre D’Hondt, Charles Henry Bertrand Van Ouytsel & Axel Legay

Authors
  1. Alexandre D’Hondt
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Charles Henry Bertrand Van Ouytsel
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Axel Legay
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Alexandre D’Hondt , Charles Henry Bertrand Van Ouytsel or Axel Legay .

Editor information

Editors and Affiliations

  1. Computer Science Department, Mohammed V University, Rabat, Morocco

    Abderrahim Ait Wakrime

  2. Universitat Autònoma de Barcelona, Bellaterra, Barcelona, Spain

    Guillermo Navarro-Arribas

  3. Polytechnique Montreal, Montréal, QC, Canada

    Frédéric Cuppens

  4. Polytechnique Montréal, Montréal, QC, Canada

    Nora Cuppens

  5. Computer Science Department, Mohammed V University, Rabat, Morocco

    Redouane Benaini

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

D’Hondt, A., Van Ouytsel, C.H.B., Legay, A. (2024). Experimental Toolkit for Manipulating Executable Packing. In: Ait Wakrime, A., Navarro-Arribas, G., Cuppens, F., Cuppens, N., Benaini, R. (eds) Risks and Security of Internet and Systems. CRiSIS 2023. Lecture Notes in Computer Science, vol 14529. Springer, Cham. https://doi.org/10.1007/978-3-031-61231-2_17

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-61231-2_17

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-61230-5

  • Online ISBN: 978-3-031-61231-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation