What are packers and obfuscation, and how do you detect them in a binary?
Short answer
Packing compresses or encrypts the real payload and prepends a stub that unpacks it into memory at runtime; obfuscation transforms the code or data to resist reading and signatures. You detect packing from high section entropy near 8.0, a tiny or stub-only import table, unusual or writable-executable section names like UPX0, an entry point that sits outside .text, a large virtual size versus small raw size, and detectors like Detect It Easy or PEiD. None of these is conclusive alone, so analysts weigh several signals together and confirm by observing the unpack at runtime.
Most commodity and targeted malware is packed to shrink its footprint and, more importantly, to defeat static signatures and slow analysts down. Interviewers ask this to check that you can recognize a packed sample quickly rather than wasting hours disassembling a stub.
Packing versus obfuscation
A packer takes the real payload, compresses or encrypts it, and wraps it in a small unpacking stub. At runtime the stub allocates memory, restores the original code, and transfers execution to it — so on disk you only see the stub plus an opaque blob. Obfuscation is broader: control-flow flattening, junk instructions, opaque predicates, string encryption, and API hashing all make the code harder to read and to fingerprint, whether or not the file is packed. Packing hides the payload; obfuscation hides the logic.
Detection signals
No single signal is proof — you stack them:
- High entropy. Sections measuring close to 8.0 bits per byte indicate compression or encryption. Caveat: legitimate compressed media and installers also score high, so entropy is a hint, not a verdict.
- Tiny import table. A real program imports dozens of APIs; a packed one often imports only
LoadLibraryandGetProcAddressbecause it resolves everything dynamically after unpacking. - Odd sections. Names like
UPX0/UPX1, sections marked writable and executable, or a small raw size with a large virtual size. - Entry point location. The entry point sitting outside
.text, in a writable section, is suspicious. - Detectors. Detect It Easy (DIE), PEiD signatures, and entropy graphs identify many known packers by name.
Confirming it
The decisive confirmation is dynamic: run the sample and watch it allocate executable memory and write into it (the unpack). A strong answer says detection is probabilistic statically and certain dynamically.
Likely follow-ups
- Why does a packed binary often have only LoadLibrary and GetProcAddress in its imports?
- Is high entropy proof of packing? What produces false positives?
- How does obfuscation differ from packing in what it protects?