Thursday, July 23, 2009

Win32 Portable Executable Packing Uncovered

This paper introduces Win32 Portable Executable (PE) packing from a technical perspective: PE file manipulation, compression, obfuscation, anti-dumping, import protection, and more. It describes the various protection techniques a packer can apply and presents a brief history of packers. Note that the most advanced techniques are found only in commercial protection systems and are therefore not covered here.

This paper provides enough information to understand the inner workings of executable packers, since most packers are built on the techniques described here. Almost all custom packers seen in malware (that is, genuine packers, as opposed to simple loaders) rely on the packing theory presented in this document.
