PyPackerDetect
A malware dataset curation tool which helps identify packed samples.
A small python script/library to detect whether an executable is packed.
This is one of many tools we use for dataset curation within the ARG team at Cylance. Accuracy is not perfect, but is sufficient in accomplishing what we need.
Tested and developed using Python 3.
pefile is used for PE parsing; it is bundled in ./deps/libpefile.
PEiD signatures are also used. There are two signature collections, compiled from multiple online sources, found in ./deps/peid.
Multiple other heuristics are used for detection; those are found in the *Detector.py files, with the base class in PackerDetector.py.
Usage
Example usage is in DetectPacker.py, which can be run from the command line.
Detection Mechanisms
- PEID signatures
- Known packer section names
- Entrypoint in non-standard section
- Threshold of non-standard sections reached
- Low number of imports
- Overlapping entrypoint sections
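The following is an added example, not PyPackerDetect's own code, showing how the section- and import-based heuristics in the list above can be implemented over a parsed PE. The packer and standard section-name sets and the two numeric thresholds are small illustrative assumptions (the project's real lists in the *Detector.py files and ./deps are far larger), and PEiD signature matching is left out because the signature database is not reproduced here. The `from_pefile` adapter is an assumed helper built on the pefile library the project bundles; the two sample layouts at the bottom are constructed, not taken from real files.

```python
import sys
from dataclasses import dataclass
from typing import Dict, List

# Hand-picked subsets for this demo (assumption); the project's lists are larger.
KNOWN_PACKER_SECTIONS = {
    "UPX0", "UPX1", "UPX2",        # UPX
    ".aspack", ".adata",           # ASPack
    ".vmp0", ".vmp1",              # VMProtect
    ".themida",                    # Themida
    ".petite",                     # Petite
    ".MPRESS1", ".MPRESS2",        # MPRESS
    ".nsp0", ".nsp1",              # NsPack
}
STANDARD_SECTIONS = {
    ".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc",
    ".bss", ".tls", ".pdata", ".CRT", ".debug", "CODE", "DATA", "BSS",
}


@dataclass
class Section:
    name: str
    virtual_address: int   # RVA where the section is mapped
    virtual_size: int      # Misc.VirtualSize
    raw_size: int          # SizeOfRawData

    def contains(self, rva: int) -> bool:
        """True if the RVA lies inside this section's in-memory range.
        Packers sometimes leave VirtualSize at 0, so fall back to raw size."""
        size = self.virtual_size or self.raw_size
        return self.virtual_address <= rva < self.virtual_address + size


@dataclass
class PEInfo:
    entry_point: int         # AddressOfEntryPoint (RVA)
    sections: List[Section]
    import_count: int        # imported symbols summed over all DLLs


def detect_packing(pe: PEInfo, nonstd_threshold: int = 3,
                   min_imports: int = 10) -> Dict[str, str]:
    """Run the heuristics; returns {heuristic: detail} for each one that fired.
    Empty dict = nothing looked packed. Thresholds are demo assumptions."""
    findings: Dict[str, str] = {}
    names = [s.name for s in pe.sections]

    # Section names that belong to a known packer.
    hits = [n for n in names if n in KNOWN_PACKER_SECTIONS]
    if hits:
        findings["packer_section_names"] = ", ".join(hits)

    # Too many sections a normal compiler/linker would not emit.
    nonstd = [n for n in names if n not in STANDARD_SECTIONS]
    if len(nonstd) >= nonstd_threshold:
        findings["nonstandard_section_threshold"] = ", ".join(nonstd)

    # Where does execution start? Unpacking stubs usually live in a
    # non-standard section, and crafted headers can make several sections
    # overlap the entry point RVA.
    ep_sections = [s for s in pe.sections if s.contains(pe.entry_point)]
    if not ep_sections:
        findings["entrypoint_outside_sections"] = hex(pe.entry_point)
    else:
        odd = [s.name for s in ep_sections if s.name not in STANDARD_SECTIONS]
        if odd:
            findings["entrypoint_nonstandard_section"] = ", ".join(odd)
        if len(ep_sections) > 1:
            findings["overlapping_entrypoint_sections"] = ", ".join(
                s.name for s in ep_sections)

    # A packed binary resolves most APIs at runtime, so its static import
    # table is tiny (often little more than LoadLibrary/GetProcAddress).
    if pe.import_count < min_imports:
        findings["low_import_count"] = str(pe.import_count)

    return findings


def from_pefile(path: str) -> PEInfo:
    """Adapter for real files via the pefile library (assumed helper);
    imported lazily so the heuristics above run without it installed."""
    import pefile
    pe = pefile.PE(path)
    sections = [Section(s.Name.rstrip(b"\x00").decode("latin-1"),
                        s.VirtualAddress, s.Misc_VirtualSize, s.SizeOfRawData)
                for s in pe.sections]
    imports = 0
    if hasattr(pe, "DIRECTORY_ENTRY_IMPORT"):
        imports = sum(len(e.imports) for e in pe.DIRECTORY_ENTRY_IMPORT)
    return PEInfo(pe.OPTIONAL_HEADER.AddressOfEntryPoint, sections, imports)


# Constructed sample layouts (not real files).
UPX_LIKE = PEInfo(entry_point=0x15000, import_count=4, sections=[
    Section("UPX0", 0x1000, 0x10000, 0),
    Section("UPX1", 0x11000, 0x5000, 0x4800),
    Section(".rsrc", 0x16000, 0x1000, 0x1000)])
BENIGN = PEInfo(entry_point=0x1200, import_count=120, sections=[
    Section(".text", 0x1000, 0x8000, 0x8000),
    Section(".rdata", 0x9000, 0x2000, 0x2000),
    Section(".data", 0xB000, 0x1000, 0x400),
    Section(".rsrc", 0xC000, 0x1000, 0x1000)])

if __name__ == "__main__":
    target = from_pefile(sys.argv[1]) if len(sys.argv) > 1 else UPX_LIKE
    for heuristic, detail in detect_packing(target).items():
        print(f"[+] {heuristic}: {detail}")
```

Run with a path argument to score a real file through pefile, or with no argument to score the constructed UPX-style layout. Each heuristic is returned separately rather than collapsed into one verdict, which is what makes a tool like this useful for dataset curation: a curator can weight or discard individual signals (for example, a low import count alone is common in small legitimate binaries) instead of trusting a single packed/not-packed bit.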
Resources
Big thanks to Hexacorn; a good portion of the known PE section names come from there.
