Deep Packer Inspector

a service based on:

SoK: Deep Packer Inspection:

A Longitudinal Study of the Complexity of Run-Time Packers

Ugarte-Pedrero, Xabier; Balzarotti, Davide; Santos, Igor; Bringas, Pablo G.

What is PackerInspector?

PackerInspector is an online service that will help you understand the complexity of run-time packers. This tool analyzes Windows PE-executables and generates reports that show the complexity of the packer, a graph representing its structure and several features that characterize the behaviour of a packer.

In addition to dynamic analysis, static analysis is leveraged to extract general information about the PE file. Finally, we check the sample’s hash against VirusTotal’s service.

Extracted information

The static analysis generates the following info:

  1. General File identification: hashes, fuzzy hashes, file and MIME type, known names of the sample, TrID file identification and known Yara rules’ results.
  2. General PE file information: overlay size, target machine, compilation timestamp, entry point, imports, exports, resources and sections.
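The "General PE file information" items above (target machine, compilation timestamp, entry point, sections and overlay size) all come from the PE headers and can be recovered with a small pure-Python parser. The following is an added example, not code from the Deep Packer Inspector service: it builds a constructed minimal PE32 image in memory (not a real program), parses the DOS, COFF, optional and section headers, computes the file hashes, locates the section that contains the entry point and measures the overlay as whatever trails the last section's raw data. Imports, exports, resources and fuzzy hashes are left out; the field offsets used are those of the PE specification.

```python
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values (from the PE specification)
MACHINE_NAMES = {0x14C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64"}
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # 40 bytes


def parse_pe(data: bytes) -> dict:
    """Extract the static facts a packer report lists from a PE file held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint

    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rawsize, rawptr, *_, chars = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "raw_size": rawsize,
                         "raw_ptr": rawptr, "characteristics": chars})

    # Overlay: bytes after the end of the last section's raw data (a common packer artifact).
    end_of_data = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    overlay = max(0, len(data) - end_of_data)
    ep_section = next((s["name"] for s in sections
                       if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"])), None)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": MACHINE_NAMES.get(machine, "unknown(0x%x)" % machine),
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "entry_point": entry_rva,
        "entry_section": ep_section,
        "sections": sections,
        "overlay_size": overlay,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image used as sample input: two sections plus a 32-byte overlay."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)  # PE32 optional header, zeroed except the fields we read
    struct.pack_into("<H", opt, 0, 0x10B)  # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1010)  # AddressOfEntryPoint inside .text
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1262304000, 0, 0, len(opt), 0x0102)  # i386, 2010-01-01
    secs = struct.pack(SECTION_FMT, b".text\0\0\0", 0x1F0, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".data\0\0\0", 0x100, 0x2000, 0x100, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x200, b"\0")
    body = headers + bytes(0x200) + bytes(0x100)  # raw data for .text (0x200) and .data (0x400)
    return body + b"OVERLAY-DATA".ljust(32, b"\0")


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(key, value)
```

The overlay check is the one a packer analyst usually wants first: many packers keep the compressed payload after the last section, so a large overlay with a small `.text` is an early hint before any dynamic analysis runs.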

The dynamic analysis yields the following results:

  1. General features of the packer:
    • Execution time
    • Granularity of the packer
    • Number of processes
    • Number of layers
    • Number of regions
    • Number of forward and backward transitions
    • Number of multiframe layers
    • Number of processes that communicate
    • Number of regions with special APIs
  2. You may not understand all these features at first, but this page should help you go through the reports and extract useful information.
  3. Unpacking graph: a graph-viz generated graph that shows how the different memory regions of the binary are structured in terms of layers and unpacking behavior.
  4. Last executed region. Shows several properties for the last memory region executed during analysis: process and region, base address, size, memory type, number of total and different APIs executed, whether the region was remotely modified or modified an executed region.
  5. Original code candidates: heuristics are applied to obtain a list of regions that potentially contain the original code.
  6. Memory dump/s of the processes that potentially contain the original code. Available for registered users.
  7. Remote memory writes: the type (memory unmap/deallocate, ReadFile, etc.), source and destination addresses, source and destination processes, and size.
  8. Loaded modules: name, PID, start address and size.
  9. Layers and regions: summary of the layers of the sample with their size, number of regions and frames, lowest address, highest address and the number of API calls with DLL and function name per layer and region.
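To make the layer and transition counts in the list above concrete, here is an added example (not the service's own analysis code) that computes them from a constructed execution trace of a hypothetical two-stage unpacker. It assumes a simplified model: the code that runs first, without having been written since load, is layer 0; a region written by code in layer n and later executed becomes layer n+1; a region rewritten after it was assigned a layer is reassigned when next executed; and each change of the executing region counts as a forward transition when it moves to a higher layer and a backward one when it moves to a lower layer. The exact rules used by Deep Packer Inspector (including frames and granularity) are on its reference page and are not reproduced here.

```python
from collections import namedtuple

# Trace event: kind is "exec" (execution enters region `src`) or
# "write" (code running in `src` writes into region `dst`).
Event = namedtuple("Event", "kind src dst")

# Constructed trace of a hypothetical two-stage unpacker (not taken from a real report).
SAMPLE_TRACE = [
    Event("exec", "stub", None),       # packer stub in the original .text: layer 0
    Event("write", "stub", "heap1"),   # stub decompresses a second stage into a heap buffer
    Event("exec", "heap1", None),      # second stage runs: layer 1 (written by layer 0)
    Event("write", "heap1", "orig"),   # second stage restores the original program code
    Event("exec", "stub", None),       # control returns to the stub: backward transition
    Event("exec", "orig", None),       # original code runs: layer 2 (written by layer 1)
]


def analyse_trace(trace):
    """Assign layers to executed regions and count forward/backward transitions."""
    layer_of = {}     # region -> layer assigned when it was (last) executed
    written_by = {}   # region -> layer of the code that last wrote it
    forward = backward = 0
    current = None
    for ev in trace:
        if ev.kind == "write":
            written_by[ev.dst] = layer_of[ev.src]   # writer must already be executing
            layer_of.pop(ev.dst, None)              # rewritten code is re-layered on next exec
        elif ev.kind == "exec":
            if ev.src not in layer_of:
                # never written since load -> layer 0; otherwise one above its writer
                layer_of[ev.src] = written_by[ev.src] + 1 if ev.src in written_by else 0
            if current is not None and ev.src != current:
                a, b = layer_of[current], layer_of[ev.src]
                if b > a:
                    forward += 1
                elif b < a:
                    backward += 1
            current = ev.src
        else:
            raise ValueError("unknown event kind %r" % (ev.kind,))
    return {
        "layers": max(layer_of.values()) + 1 if layer_of else 0,
        "regions": len(layer_of),
        "forward_transitions": forward,
        "backward_transitions": backward,
        "last_executed_region": current,
        "layer_of": dict(layer_of),
    }


if __name__ == "__main__":
    for key, value in analyse_trace(SAMPLE_TRACE).items():
        print(key, value)
```

On the constructed trace this yields three layers over three regions, two forward transitions and one backward transition, with `orig` as the last executed region, which is the kind of summary the report's "General features" and "Last executed region" sections present. A large number of layers, or many backward transitions, is what distinguishes a multi-stage or interleaved packer from a simple single-layer one.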

See the reference page for a more detailed explanation of the collected information.

Example reports

These are some example reports generated by Deep Packer Inspector:

How does it work?

You can submit samples to PackerInspector using its main page.

If you submit more than one file at the same time (e.g., the main binary and the DLLs it requires), you must specify which one is the main PE file; the other files will be treated as auxiliary files needed in the analysis phase. Please note that neither the main file nor the auxiliary files may exceed the 8MB file upload limit.

Once the file(s) have been submitted, you will be redirected to the Report Page, where the results will be displayed as soon as they are available.

In the Report Page a progress bar will display the progress of the sample’s analysis, which is divided into five phases: File identification, Static PE information, Analysis, Layers & Regions and VirusTotal scans.

An incomplete phase is shown in orange, a completed phase is shown in green, and a phase colored in red means that there was an error in that phase. Note that errors in the Analysis and Layers & regions phases may have several causes: a timeout was reached in the analysis, the file format was not supported, or an error occurred during the analysis process.

You can access your reports through the Status Page and see the progress of the analysis: Submitted (the sample is in our system), Analysing (the sample is being analyzed) or Finished.

Accounts

You can create an account at PackerInspector to access some features unavailable to anonymous users:

  • Private analyses. You will be able to mark an analysis as private so that it is visible only to your account. Refer to 'Public VS private analysis reports' to learn more about private analyses.
  • Download memory dumps. You will be able to download the memory dumps of the processes that potentially contain the original code (only of the reports where you have submitted a sample).
  • No more ReCAPTCHAs. You will not need to solve a ReCAPTCHA at every submission.
  • Access your past submissions. You will be able to access all your past submissions, either Public or Private, on your Status Page.
  • Search within your submissions. Given an MD5, SHA1, SHA256, ssdeep... you will be able to locate submissions.
  • Access to the public API. You can automate the scans and the report retrieval using our public API. See Reference - DPI API for more details.

Public VS private analysis reports

Public
  • Public reports are: submitted by anonymous users (non-registered users), submitted by registered users who want their submission to be public, or private reports turned public.
  • If you don't have an account, or if you have one and do not set the 'Private analysis' option, all the data displayed in the report is publicly available.
  • Public reports are reused. That is, if PackerInspector detects that it has analyzed a sample before (the same sample with the same auxiliary files), it will notify you and show you that analysis. However, reports terminated with an unknown error (Error - Reason not specified.) do not count as repeated reports.
  • Public reports can be shared without restriction using the report's URL.
  • To access a public report about a sample that you have submitted without an account, you must remember its URL. If you have an account, the report will be listed in your Status Page.
  • On Public reports, only the account which triggered the analysis will be able to download the memory dump. If the analysis was triggered by an anonymous user (non-registered user) the memory dump will not be available.
  • You can't turn a Public report Private.
Private
  • Private analyses are only available to registered users.
  • To perform a private analysis you must explicitly set the 'Private Analysis' option. Please note that by default the analyses are public.
  • Private reports are not reused. Every private submission, repeated or not, will trigger an analysis.
  • Private reports may show public data. For example, if you analyze privately a sample that was submitted publicly before, in the 'Known names' section of the report, all the known names for this sample on public reports will appear.
  • Private reports cannot be shared using their URL. Only the account which triggered the analysis can access it.
  • You will be able to download the memory dumps.
  • Private reports can be turned Public by the owner; the owner of the report will not change.

Please note that regardless of the privacy settings of your analysis, the comments are always public.

Team

Deep Packer Inspector has been created with the collaboration of:
  • Xabier Ugarte-Pedrero.
  • Davide Balzarotti, EURECOM.
  • Irene Díez-Franco, DeustoTech, University of Deusto.