Packed PE File Detection for Malware Forensics


The KIPS Transactions:PartC, Vol. 16, No. 5, pp. 555-562, Oct. 2009
DOI: 10.3745/KIPSTC.2009.16.5.555

Abstract

In a malware incident investigation, the most important step is detecting the malicious code. Signature-based anti-virus software has been used in most incidents, but malware can easily evade signature-based detection by using packing or encryption, so detecting packed files is also important. Packer detection methods fall into two classes: signature-based detection and entropy-based detection. Signature-based detection cannot recognise a new packer, and entropy-based detection suffers from false positives. We propose a detection method that uses entropy statistics of the entry-point section together with the 'write' property, an essential characteristic of packed files. We then present a packing detection tool and evaluate its performance.
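The heuristic the abstract describes, written out as an added example (this is not the authors' tool): it parses the PE headers, locates the section that contains AddressOfEntryPoint, measures that section's Shannon entropy and reads its IMAGE_SCN_MEM_WRITE flag. The 6.8 entropy threshold, the rule that both signals must hold, and the two constructed in-memory PE images are assumptions for the demonstration, not values taken from the paper.

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_MEM_WRITE = 0x80000000  # section Characteristics flag from the PE/COFF spec
ENTROPY_THRESHOLD = 6.8           # assumed tuning value; the paper's threshold is not given here

def shannon_entropy(data: bytes) -> float:  # bits per byte, 0.0 for empty input
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def entry_point_section(pe: bytes):
    """Return (name, raw bytes, Characteristics) of the section holding AddressOfEntryPoint."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)  # COFF header
    entry_rva = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]  # optional header offset 16
    sect_off = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, sect_off + 40 * i)
        chars = struct.unpack_from("<I", pe, sect_off + 40 * i + 36)[0]
        if va <= entry_rva < va + max(vsize, rsize):
            return name.rstrip(b"\0").decode(), pe[rptr:rptr + rsize], chars
    raise ValueError("entry point lies outside every section")

def looks_packed(pe: bytes) -> dict:  # flag: entry-point section is high-entropy AND writable
    name, data, chars = entry_point_section(pe)
    ent, writable = shannon_entropy(data), bool(chars & IMAGE_SCN_MEM_WRITE)
    return {"section": name, "entropy": round(ent, 2), "writable": writable,
            "packed": ent >= ENTROPY_THRESHOLD and writable}

def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 image: enough headers to parse, not a loadable binary."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * (0xE0 - 20)
    img = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102) + opt
    raw_ptr, va, body = len(img) + 40 * len(sections), 0x1000, bytearray()
    for name, chars, data in sections:
        img += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr, va = raw_ptr + len(data), va + 0x1000
    return bytes(img + body)

# Constructed samples: repetitive read-only code versus a writable, near-random entry-point section.
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3" * 400
RANDOM_BLOB = random.Random(1).getrandbits(8 * 4096).to_bytes(4096, "little")
UNPACKED = build_pe([(b".text", 0x60000020, PLAIN_CODE)], entry_rva=0x1000)
PACKED = build_pe([(b".data", 0xC0000040, b"\0" * 16), (b".stub", 0xE0000040, RANDOM_BLOB)], entry_rva=0x2010)
```

Running `looks_packed(UNPACKED)` and `looks_packed(PACKED)` shows the two signals separately, which is what lets a triage script report "high entropy but not writable" cases instead of raising the false positives the abstract attributes to entropy-only detection.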




Cite this article
[IEEE Style]
S. W. Han and S. J. Lee, "Packed PE File Detection for Malware Forensics," The KIPS Transactions:PartC, vol. 16, no. 5, pp. 555-562, 2009. DOI: 10.3745/KIPSTC.2009.16.5.555.

[ACM Style]
Seung Won Han and Sang Jin Lee. 2009. Packed PE File Detection for Malware Forensics. The KIPS Transactions:PartC, 16, 5, (2009), 555-562. DOI: 10.3745/KIPSTC.2009.16.5.555.