Win32 EXE packers

Discussion in 'other anti-virus software' started by minacross, Jun 27, 2004.

Thread Status:
Not open for further replies.
  1. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    Forgive my ignorance :oops: :oops:
    What are Win32 EXE packers, and how do AV scanners get more efficient by supporting more packers? o_O :rolleyes:
     
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    EXE packers are, for example, UPX, ASPack, PECompact, NeoLite, PkLite and so on. They act similarly to SFX archives using ZIP or RAR compression, but they work without any complications or need for external programs to unpack them for execution, plus they are very fast (much faster than ZIP or RAR archives) at self-unpacking.

    Supporting more packers means that you can extract and investigate more content of such packers before the actual execution of the packed program (the one which is inside). If you don't have support for that packer, the compressed executable must be executed in order to be detected. But doing this isn't always a good idea, since the malicious program can bypass AV software at that state.
    If it's detected (unpacked) before execution (usually on create/copy/move actions), this cannot happen.
     
  3. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Dear minacross, packers are different from SFX when it comes to decompressing a file. SFX archives DON'T use any external programs but decompress to the disk. They can also run a file after decompression. Packers decompress the file on the fly, which means they don't write anything on disk; they decompress the file in memory. So if the AV can't unpack the file, the malicious code will be loaded in memory.
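    A static triage check in the spirit of posts 2 and 3, added here as an example (not code from the thread): it parses a PE section table and reports the on-disk signs of a self-unpacking executable that the posts describe, namely known packer section names, a section that is empty on disk but large in memory (the unpack target), and high-entropy compressed data. The section-name list is a heuristic assumption, and the minimal PE builder exists only to construct offline sample input.

```python
import math
import struct
# Section names common packers leave behind (assumption: a triage heuristic,
# not a definitive list; a packer can be told to use other names).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", "PEC2", ".neolite"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, virtual_size, raw_size, raw_bytes) from the PE section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    for i in range(num_sections):
        off = e_lfanew + 24 + opt_size + 40 * i  # section headers are 40 bytes each
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        yield name, vsize, rsize, image[rptr:rptr + rsize]

def packer_indicators(image: bytes) -> dict:
    """Static signs that the file unpacks itself in memory, as the posts describe."""
    hits = []
    for name, vsize, rsize, data in pe_sections(image):
        if name in PACKER_SECTION_NAMES:
            hits.append(f"{name}: known packer section name")
        if rsize == 0 and vsize > 0:  # nothing on disk, filled in at run time
            hits.append(f"{name}: 0 bytes on disk, {vsize:#x} bytes in memory")
        if shannon_entropy(data) > 7.0:
            hits.append(f"{name}: high entropy, likely compressed payload")
    return {"likely_packed": bool(hits), "indicators": hits}

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (empty optional header), offline sample input only."""
    ptr, table, blobs = 0x40 + 24 + 40 * len(sections), b"", b""
    for name, vsize, data in sections:
        table += name.ljust(8, "\0").encode() + struct.pack(
            "<IIIIIIHHI", vsize, 0, len(data), ptr if data else 0, 0, 0, 0, 0, 0)
        blobs, ptr = blobs + data, ptr + len(data)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return dos + coff + table + blobs

HIGH_ENTROPY = bytes(range(256)) * 4  # every byte value equally often: entropy 8.0
SAMPLE_PACKED = build_sample_pe([("UPX0", 0x10000, b""), ("UPX1", 0x400, HIGH_ENTROPY)])
SAMPLE_PLAIN = build_sample_pe([(".text", 0x200, b"\x90" * 512)])  # constructed, entropy 0
```

    Calling `packer_indicators(SAMPLE_PACKED)` yields four indicators and `likely_packed: True`, while the plain sample yields none; such a flag tells a scanner that the visible bytes are not the program it must inspect.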
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I added SFX archives as a comparison so it's easier to understand.
     