PackerInspector is an online service that helps you understand the
complexity of run-time packers. The tool analyzes Windows PE executables
and generates reports that show the complexity of the packer, a graph
representing its structure and several features that characterize the
packer's behaviour.
In addition to the dynamic analysis, a static analysis is used to extract
general information about the PE file. Finally, we check the sample's hash
The static analysis produces the following information:
- General file identification: hashes, fuzzy hashes, file and
MIME type, known names of the sample, TrID file identification and
matches for known Yara rules.
- General PE file information: overlay size, target machine,
compilation timestamp, entry point, imports, exports, resources and
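As an added example (not PackerInspector's own code), the following script shows where the file-identification and PE-header fields listed above actually come from. It builds a constructed, non-executable 32-bit PE image with two sections and an optional overlay, then parses the DOS, COFF, optional and section headers to recover the target machine, compilation timestamp, entry point (and the section it falls in), section names and overlay size, and computes the MD5/SHA1/SHA256 hashes. Fuzzy hashes (ssdeep), TrID and Yara need third-party tools and are left out; the constants in `build_sample_pe` are made up for the demo.

```python
import datetime
import hashlib
import struct

# IMAGE_FILE_HEADER.Machine values (subset)
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def parse_pe(data):
    """Extract identification and general PE header fields from a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    (magic,) = struct.unpack_from("<H", data, opt_off)
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)   # AddressOfEntryPoint
    if magic == 0x10B:    # PE32: ImageBase is a 32-bit field at offset 28
        (image_base,) = struct.unpack_from("<I", data, opt_off + 28)
    elif magic == 0x20B:  # PE32+: ImageBase is a 64-bit field at offset 24
        (image_base,) = struct.unpack_from("<Q", data, opt_off + 24)
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    sec_table = opt_off + opt_size
    sections = []
    end_of_last_section = sec_table + nsections * 40
    for i in range(nsections):
        name, vsize, rva, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, data, sec_table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": rva, "span": max(vsize, raw_size)})
        end_of_last_section = max(end_of_last_section, raw_ptr + raw_size)
    # the section that contains the entry point (a packer stub often lives in a non-first section)
    entry_section = next((s["name"] for s in sections if s["rva"] <= entry_rva < s["rva"] + s["span"]), None)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": MACHINE_NAMES.get(machine, f"{machine:#x}"),
        "timestamp": timestamp,
        "timestamp_utc": datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc).isoformat(),
        "entry_point": image_base + entry_rva,
        "entry_section": entry_section,
        "sections": [s["name"] for s in sections],
        # bytes after the raw data of the last section form the overlay
        "overlay_size": max(0, len(data) - end_of_last_section),
    }


def build_sample_pe(overlay=b""):
    """Constructed minimal PE32 image used as demo input; it is not a real or runnable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0x5A0B7A50, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2010)     # AddressOfEntryPoint (RVA inside the second section)
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    first_raw = 0x200                           # raw data starts at the first 512-byte boundary after the headers
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    layout = [(b".text", 0x1000, 0x1000, 0x200, first_raw), (b"UPX1", 0x2000, 0x2000, 0x400, first_raw + 0x200)]
    headers = b""
    for name, vsize, rva, raw_size, raw_ptr in layout:
        headers += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + headers)
    image += b"\0" * (first_raw - len(image))
    image += b"\xCC" * 0x200 + b"\x90" * 0x400  # raw data of the two sections
    image += overlay
    return bytes(image)


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe(overlay=b"\0" * 100)).items():
        print(f"{key:>14}: {value}")
```

The overlay size is computed the same way most PE tools do it: everything past the end of the last section's raw data. A packer that stores its payload in the overlay, or an entry point that lands in a section other than the first, shows up immediately in these two fields.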
The dynamic analysis yields the following results. Initially you may not
understand all these features, but this page should help you go through
the reports and extract useful information.
- General features of the packer:
  - Execution time
  - Granularity of the packer
  - Number of processes
  - Number of layers
  - Number of regions
  - Number of forward and backward transitions
  - Number of multiframe layers
  - Number of processes that communicate
  - Number of regions with special APIs
- Unpacking graph: a Graphviz-generated graph that shows how
the different memory regions of the binary are structured in terms of
layers and unpacking behaviour.
- Last executed region: shows several properties of the last
memory region executed during the analysis: process and region,
base address, size, memory type, number of total and distinct APIs
executed, whether the region was remotely modified or modified an
- Original code candidates: heuristics produce a list of regions that
potentially contain the original code.
- Memory dumps of the processes that potentially contain the
original code. Available to registered users.
- Remote memory writes: the type of write (memory unmap/deallocate,
ReadFile, etc.), source and destination addresses, source and
destination processes, and size.
- Loaded modules: name, PID, start address and size.
- Layers and regions: a summary of the sample's layers with their
size, number of regions and frames, lowest and highest address, and
the number of API calls (with DLL and function name) per layer and
region.
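To make the layer, region and transition counts in the report concrete, here is an added example (not PackerInspector's own instrumentation or algorithm) that derives them from a constructed execution trace. It assumes the usual write-then-execute model of unpacking layers: code mapped from the PE file is layer 0, a region written by code running in layer n and executed afterwards becomes layer n+1, and a control transfer into a higher layer is a forward transition while one into a lower layer is a backward transition. Regions are tracked at page granularity; the trace, page size and addresses are made up for the demo, and frames are not modelled.

```python
from collections import defaultdict

PAGE_SIZE = 0x1000  # regions are tracked per page (a simplification chosen for this demo)


def page_of(addr):
    return addr & ~(PAGE_SIZE - 1)


def analyze_trace(trace, image_pages):
    """Assign unpacking layers to executed regions and count layer transitions.

    trace: ("exec", pc, None) and ("write", pc, target) events of one process, in order.
    image_pages: pages whose code was mapped from the PE file itself (layer 0).
    Assumed model: a region written by layer n and then executed is layer n+1;
    exec moving to a higher layer is a forward transition, to a lower one a backward transition.
    """
    layer_of = {p: 0 for p in image_pages}  # page -> layer it currently executes as
    pending = {}                             # page -> layer of the code that last wrote it
    current = None
    forward = backward = 0
    last_region = None
    for op, pc, target in trace:
        page = page_of(pc)
        if op == "write":
            # remember who wrote the target; it only becomes a new layer once it is executed
            pending[page_of(target)] = layer_of.setdefault(page, 0)
            continue
        if op != "exec":
            raise ValueError(f"unknown trace event {op!r}")
        if page in pending:
            layer_of[page] = pending.pop(page) + 1   # write-then-execute: new layer
        layer = layer_of.setdefault(page, 0)          # never-written code (e.g. a DLL) counts as layer 0
        if current is not None and layer != current:
            if layer > current:
                forward += 1
            else:
                backward += 1
        current = layer
        last_region = (page, layer)
    regions_per_layer = defaultdict(list)
    for page, layer in sorted(layer_of.items()):
        regions_per_layer[layer].append(page)
    return {
        "layers": len(regions_per_layer),
        "regions": len(layer_of),
        "regions_per_layer": dict(regions_per_layer),
        "forward_transitions": forward,
        "backward_transitions": backward,
        "last_executed_region": last_region,
    }


# Constructed trace of a two-stage unpacker: the stub in the image (0x402000) decompresses
# code over 0x401000, which in turn builds a helper at 0x403000 and calls back and forth.
SAMPLE_TRACE = [
    ("exec", 0x402000, None),
    ("write", 0x402010, 0x401000),
    ("write", 0x402010, 0x401800),
    ("exec", 0x402020, None),
    ("exec", 0x401000, None),      # jump into decompressed code: layer 0 -> 1 (forward)
    ("write", 0x401050, 0x403000),
    ("exec", 0x403000, None),      # layer 1 -> 2 (forward)
    ("exec", 0x401100, None),      # call back into layer 1 (backward)
    ("exec", 0x403020, None),      # return to layer 2 (forward)
]
SAMPLE_IMAGE_PAGES = {0x401000, 0x402000}

if __name__ == "__main__":
    for key, value in analyze_trace(SAMPLE_TRACE, SAMPLE_IMAGE_PAGES).items():
        print(f"{key:>22}: {value}")
```

On this trace the output is 3 layers over 3 regions, 3 forward and 1 backward transition, with the last executed region in layer 2. The backward transition is the interesting signal: original code rarely calls back into the unpacking stub, so a long run of execution with no further transitions after the last forward one is a reasonable (if not infallible) hint of where the original code starts.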
reference page for a more detailed explanation of the collected
These are some example reports generated by Deep Packer Inspector:
You can submit samples to PackerInspector using its
If you submit more than one file at the same time (e.g., the main binary
and the DLLs it requires), you must specify which one is the main PE file;
the other files are treated as auxiliary files needed during the
analysis phase. Note that the 8 MB file upload limit applies to both the
main file and the auxiliary files.
Once the file(s) have been submitted, you will be redirected to the
Report Page, where the results will be displayed as soon as they are
On the Report Page a progress bar shows the progress of the
sample's analysis, which is divided into five phases: File
identification, Static PE information, Analysis, Layers & Regions and
A phase that has not yet completed is shown in orange, a completed
phase in green, and a phase shown in red failed. Note that errors in the
Analysis and Layers & Regions phases can have different causes: the
analysis timed out, the file format was not supported, or an error
occurred during the analysis
You can access your reports through the
Status Page and see the progress
of the analysis:
Submitted (the sample is in our system),
(the sample is being analyzed) or
You can create an account at
PackerInspector to access some features unavailable to anonymous users:
- Private analyses. You will be able to mark an
analysis as private so that it is visible only to your account.
See 'Public VS private analysis reports' below
to learn more about private analyses.
- Download memory dumps. You will be able to download
the memory dumps of the processes that potentially contain the original
code (only for reports whose sample you submitted yourself).
- No more ReCAPTCHAs. You will not need to solve
a ReCAPTCHA at every submission.
- Access your past submissions. You will be able to
access all your past submissions, either Public or Private, on your
- Search within your submissions. Given an MD5, SHA1,
SHA256 or ssdeep hash, you will be able to locate a submission.
- Access to the public API. You can automate
scans and report retrieval using our public API. See
Reference - DPI API for more details.
Public VS private analysis reports
- Public reports are those submitted by anonymous (non-registered)
users, those submitted by registered users who chose to make their
submission public, and private reports that were later turned public.
If you don't have an account, or if you have one and do not set
the 'Private analysis' option, all the data displayed in the
report is publicly available.
- Public reports are reused. That is, if PackerInspector detects
that it has analyzed a sample before (the same sample with the same
auxiliary files), it will notify you and show you that existing analysis.
However, reports that ended with an unknown error
(Error - Reason not specified) do not count as
- Public reports can be shared without restriction using the
- To access a public report about a sample that you have submitted
without an account, you must remember its URL. If you have an
account, the report will be listed in your
- On public reports, only the account that triggered the analysis
can download the memory dump. If the analysis was
triggered by an anonymous (non-registered) user, the memory
dump is not available at all.
- You can't turn a Public report Private.
- Private analyses are only available to registered users.
- To perform a private analysis you must explicitly set the 'Private
Analysis' option; analyses are public by default.
- Private reports are not reused: every private submission, repeated
or not, triggers a new analysis.
- Private reports may show public data. For example, if you privately
analyze a sample that was submitted publicly before, the 'Known
names' section of the report lists all the known names for this sample
from public reports.
- Private reports cannot be shared using their URL. Only the account
that triggered the analysis can access them.
- You will be able to download the memory dumps.
- A private report can be turned public by its owner; the owner of the
report does not change.
Please note that regardless of the privacy settings of your analysis,
the comments are always public.
Deep Packer Inspector has been created with the collaboration of:
- Xabier Ugarte-Pedrero
- Davide Balzarotti
- Irene Díez-Franco, DeustoTech, University of Deusto