Question

I want to know how detectors like PEiD or ProtectionID detect the packer/protection of PE files. I thought maybe some constant values when a program is packed, but I don't know well. Can someone explain to me how that exactly works, ideally showing it in OllyDbg or other debuggers like that? It's a real mystery to me how those programs can detect that.

Thanks in advance for anything!


Solution

Most of these tools are signature based with some additional heuristics in place. The same goes for detecting compilers (by detecting compiler startup code and other signatures). It's even easier to detect compilers than protectors, since most protectors are morphing the part of code that does decryption/decompression of the packed application.
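A minimal version of the signature matching plus one heuristic the answer describes, written here as an added example (not code from PEiD or ProtectionID). The signature database and the sample bytes are constructed for illustration; the entry-point file offset is passed in rather than parsed from the PE headers (in a real tool it comes from `AddressOfEntryPoint` mapped through the section table).

```python
import math
from typing import Dict, List, Optional

# Signature syntax follows the PEiD userdb convention: space-separated hex bytes,
# "??" for a wildcard byte; most entries are only checked at the entry point.
def parse_signature(text: str) -> List[Optional[int]]:
    """'60 BE ?? ?? 8D' -> [0x60, 0xBE, None, None, 0x8D]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def match_at(data: bytes, offset: int, pattern: List[Optional[int]]) -> bool:
    """True if every non-wildcard byte of the pattern matches data at offset."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

def identify(data: bytes, ep_offset: int, db: Dict[str, str]) -> List[str]:
    """Names of all database entries whose pattern matches at the entry-point file offset."""
    return [name for name, sig in db.items()
            if match_at(data, ep_offset, parse_signature(sig))]

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed/encrypted sections sit close to 8.0,
    which is the kind of heuristic used when no signature matches a morphing stub."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Constructed, illustrative database. The UPX entry is modelled on the well-known
# UPX unpacking stub prologue (pushad / mov esi,src / lea edi,[esi+delta] / push edi /
# or ebp,-1); it is not copied from any tool's signature file.
SIGNATURE_DB = {
    "UPX (illustrative)": "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF",
    "MSVC startup (illustrative)": "E8 ?? ?? ?? ?? E9 ?? ?? ?? ??",
}

# Constructed sample: 16 bytes of padding, then a UPX-like stub at entry point offset 16.
SAMPLE_EP_OFFSET = 16
SAMPLE = bytes(16) + bytes.fromhex("60BE00A040008DBE0070FFFF5783CDFF") + bytes(16)

def scan_sample() -> List[str]:
    """Run the constructed sample through the constructed database."""
    return identify(SAMPLE, SAMPLE_EP_OFFSET, SIGNATURE_DB)

if __name__ == "__main__":
    print("matches:", scan_sample())
    print("entropy of stub bytes: %.2f" % entropy(SAMPLE[16:32]))
```

Real databases hold thousands of such entries, and a protector that rewrites its own stub per build is exactly the case where the byte pattern fails and the entropy or section-layout heuristics have to take over.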

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow