reminder-detector 1.0.2

Implementation of the packing detection heuristic from the paper "Packed PE File Detection for Malware Forensics" of Han et al.

REMINDer

Detect packers on executable files using a simple entropy-based heuristic.

REMINDer (REsponse tool for Malware INDication) is an implementation based on this paper into a Python package with a console script to detect whether an executable is packed.

lief is used for binary parsing.

$ pip install reminder-detector

$ reminder --help
[...]
usage examples:
- reminder program.exe
- reminder /bin/ls --entropy-threshold 6.9

:bulb: Detection Mechanism

1. Find the EP section
2. Check whether it is writable
3. If yes, check whether entropy is beyond a threshold (depending on the executable format)
4. If yes, the input executable is packed ; otherwise, it is not

:star: Related Projects

You may also like these:

• Awesome Executable Packing: A curated list of awesome resources related to executable packing.
• Bintropy: Analysis tool for estimating the likelihood that a binary contains compressed or encrypted bytes.
• Dataset of packed ELF files: Dataset of ELF samples packed with many different packers.
• Dataset of packed PE files: Dataset of PE samples packed with many different packers.
• Docker Packing Box: Docker image gathering packers and tools for making datasets of packed executables.
• PEiD: Python implementation of the Packed Executable iDentifier (PEiD).
• PyPackerDetect: Packing detection tool for PE files.

:clap: Supporters