Most legitimate executables do not obfuscate content, but some executables may do it to prevent others from examining their code. When you come across a sample that is packed, there is a high chance of it being malicious. To detect packers on Windows, you can use a freeware tool such as Exeinfo PE (http://exeinfo.atwebpages.com/); it has an easy-to-use GUI. At the time of writing this book, it uses more than 4,500 signatures (stored in userdb.txt in the same directory) to detect various compilers, packers, or cryptors utilized to build the program. In addition to detecting Packers, another interesting feature of Exeinfo PE is that it gives information/references on how to unpack the sample. ...
5.2 Detecting File Obfuscation Using Exeinfo PE
Get Learning Malware Analysis now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.