We evaluated two packer type estimation/detection tools, pypeid and Detect It Easy (DIE), to fix this issue.
DIE detects packed binaries and estimates the packer type with much higher precision than pypeid. However, DIE's detection coverage (TPR) is slightly lower than pypeid's. See the results below for details.
We use two datasets for evaluating packer type estimation/detection tools.
This dataset contains both packed and normal (i.e., non-packed) binaries, which are used in the paper titled "All-in-One Framework for Detection, Unpacking, and Verification for Malware Analysis." Since it contains both packed and normal binaries, we use it for the performance evaluation of both the packer type estimation and detection.
Specification
- It contains 458 normal binaries.
- It contains 2469 packed binaries.
- These binaries are created by packing 130 PE files using the following 19 packers (but 129 PE files for JDPack):
- ASPack, BeRoEXEPacker, FSG, JDpack, MEW, MPRESS, Molebox, NSPack, Neolite, PECompact, Petite, Packman, RLPack, UPX, WinUpack, Yoda’s Crypter, Yoda’s Protector, eXpressor, exe32pack
Notes about PackingData dataset (2021/03/11)
After publishing the first evaluation result, we noticed that the PackingData dataset contains some mislabeled samples.
(For example, PackingData/Notpacked/avs_check_x86.exe is a UPX-packed binary, but it is labeled as NotPacked.)
So we changed the labels of these samples for a precise evaluation. To fix the labels of the mislabeled samples, run the change_dataset_labels.py script.
The TPRs and FPRs differ slightly from the previous result, but the conclusion does not change.
This dataset contains binaries packed by various different packers. We only use the binaries in tuts4you/Unpack* for evaluation. Since this dataset does not contain normal binaries, we mainly use it for evaluating the performance of packer type estimation.
The following table compares the packer type estimation performance of pypeid and DIE on the PackingData dataset. DIE clearly improves estimation accuracy over pypeid.
| | pypeid | DIE |
|---|---|---|
| Accuracy | 73.2% | 84.9% |
The following table compares the packer detection performance of pypeid and DIE on the PackingData dataset. DIE's FPR is far lower than pypeid's, at the cost of a slightly lower TPR.
| | pypeid | DIE |
|---|---|---|
| TPR | 94.5% | 93.5% |
| FPR | 54.8% | 0.7% |
The following table compares the packer type estimation performance of pypeid and DIE on the UnpackMe dataset (tuts4you/Unpack*). DIE's estimation accuracy is also higher on this dataset.
| | pypeid | DIE |
|---|---|---|
| Accuracy | 65.1% | 69.0% |
The following table compares the packer detection performance of pypeid and DIE on the UnpackMe dataset. We do not show the FPR because this dataset does not contain normal binaries. The packer detection performance (TPR) of DIE is slightly lower than pypeid's.
| | pypeid | DIE |
|---|---|---|
| TPR | 88.2% | 83.1% |
- Ubuntu 20.04 LTS on WSL on Windows 10 version 1909
- Python 3.6
- Poetry
$ git clone --depth=1 https://github.com/chesvectain/PackingData.git dataset/PackingData
$ git clone --depth=1 https://github.com/apuromafo/RCE_Lab.git
$ mkdir dataset/UnpackMe
$ mv RCE_Lab/tuts4you/Unpack* dataset/UnpackMe
$ python change_dataset_labels.py
$ sudo apt install unrar # To resolve rarfile's dependencies manually
$ poetry shell
$ poetry update
$ python peid_packer_scan.py
$ python peid_packer_scan_statistics.py
PackingData
- PackingData.json
- Total: 2476
- Scan-failed samples: 0
- Samples scanned: 2476
- Purely detected as packed: 129
- Excessively detected as packed (containing true label): 1810
- Purely detected as non-packed: 137
- Excessively detected as packed (not containing true label): 400
- Notpacked.json
- Total: 451
- Scan-failed samples: 0
- Samples scanned: 451
- Purely detected as packed: 0
- Excessively detected as packed (containing true label): 0
- Purely detected as non-packed: 204
- Excessively detected as packed (not containing true label): 247
Categorical Accuracy: 0.7321489579774513
TPR: 0.9446688206785138
FPR: 0.5476718403547672
...
$ wget https://github.com/horsicq/DIE-engine/releases/download/3.00/die_lin64_portable_3.00.tar.gz
$ mkdir die_lin64_portable_3.00
$ tar -zxvf die_lin64_portable_3.00.tar.gz -C die_lin64_portable_3.00
$ python die_packer_scan.py
$ python die_packer_scan_statistics.py
PackingData
- PackingData.json
- Total: 2476
- Scan-failed samples: 0
- Samples scanned: 2476
- Purely detected as packed: 2037
- Excessively detected as packed (containing true label): 146
- Purely detected as non-packed: 161
- Excessively detected as packed (not containing true label): 132
- Notpacked.json
- Total: 451
- Scan-failed samples: 0
- Samples scanned: 451
- Purely detected as packed: 0
- Excessively detected as packed (containing true label): 0
- Purely detected as non-packed: 448
- Excessively detected as packed (not containing true label): 3
Categorical Accuracy: 0.8489921421250427
TPR: 0.9349757673667205
FPR: 0.0066518847006651885
...
The scan result is written as JSON arrays. Each element of these arrays has the following structure.
{
  "path": The location of the target executable file at the time of judgment,
  "name": The name of the target executable file,
  "scan": Judgment result,
  "detectable": Success or failure of the packer type judgment,
  "feature": [
    Label of the target executable file
  ]
}
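As an added example (not code from this repository), the following script shows how the per-sample categories and the TPR/FPR printed in the statistics output above can be derived from records in this JSON format. It assumes that "scan" holds the list of packer names the tool reported (an empty list meaning "judged as not packed"), that normal binaries carry the label "NotPacked" in "feature", and that the four category names map to the set relations implemented in `categorize` (my interpretation of the names, not the project's definition). The sample records are constructed; the DIE count constants are copied from the output printed above, and the TPR/FPR formulas reproduce the numbers shown there. Categorical accuracy is not reproduced because the printed output does not show enough to derive it.

```python
import json

# Constructed sample records in the documented shape (not real scan output).
# "scan" is assumed to be the list of reported packer names.
SAMPLE_RESULTS = json.loads("""
[
  {"path": "dataset/PackingData/UPX/a.exe", "name": "a.exe",
   "scan": ["UPX"], "detectable": true, "feature": ["UPX"]},
  {"path": "dataset/PackingData/ASPack/b.exe", "name": "b.exe",
   "scan": ["ASPack", "UPX"], "detectable": true, "feature": ["ASPack"]},
  {"path": "dataset/PackingData/MEW/c.exe", "name": "c.exe",
   "scan": [], "detectable": false, "feature": ["MEW"]},
  {"path": "dataset/PackingData/FSG/d.exe", "name": "d.exe",
   "scan": ["Petite"], "detectable": true, "feature": ["FSG"]},
  {"path": "dataset/PackingData/Notpacked/e.exe", "name": "e.exe",
   "scan": [], "detectable": false, "feature": ["NotPacked"]},
  {"path": "dataset/PackingData/Notpacked/f.exe", "name": "f.exe",
   "scan": ["UPX"], "detectable": true, "feature": ["NotPacked"]}
]
""")

NOT_PACKED_LABEL = "NotPacked"  # assumed label of normal binaries

PURE_PACKED = "Purely detected as packed"
OVER_WITH_LABEL = "Excessively detected as packed (containing true label)"
PURE_NONPACKED = "Purely detected as non-packed"
OVER_WITHOUT_LABEL = "Excessively detected as packed (not containing true label)"
CATEGORIES = (PURE_PACKED, OVER_WITH_LABEL, PURE_NONPACKED, OVER_WITHOUT_LABEL)


def categorize(record):
    """Map one scan record to one of the four categories (assumed rules)."""
    detected = set(record["scan"])
    truth = set(record["feature"])
    if not detected:
        return PURE_NONPACKED          # tool reported nothing at all
    if detected == truth:
        return PURE_PACKED             # exactly the true packer, nothing else
    if detected & truth:
        return OVER_WITH_LABEL         # true packer plus extra verdicts
    return OVER_WITHOUT_LABEL          # something reported, but not the truth


def summarize(records):
    """Count records per category, like the statistics script's listing."""
    counts = {c: 0 for c in CATEGORIES}
    for r in records:
        counts[categorize(r)] += 1
    return counts


def split_by_truth(records):
    """Separate truly packed samples from normal (NotPacked) samples."""
    packed = [r for r in records if NOT_PACKED_LABEL not in r["feature"]]
    nonpacked = [r for r in records if NOT_PACKED_LABEL in r["feature"]]
    return packed, nonpacked


def tpr(packed_counts):
    """Share of truly packed samples flagged as packed by any verdict."""
    total = sum(packed_counts.values())
    return (total - packed_counts[PURE_NONPACKED]) / total


def fpr(nonpacked_counts):
    """Share of normal samples that received any packer verdict."""
    total = sum(nonpacked_counts.values())
    return nonpacked_counts[OVER_WITHOUT_LABEL] / total


# DIE counts as printed above for PackingData.json and Notpacked.json.
DIE_PACKED = {PURE_PACKED: 2037, OVER_WITH_LABEL: 146,
              PURE_NONPACKED: 161, OVER_WITHOUT_LABEL: 132}
DIE_NONPACKED = {PURE_PACKED: 0, OVER_WITH_LABEL: 0,
                 PURE_NONPACKED: 448, OVER_WITHOUT_LABEL: 3}


def sample_metrics():
    """TPR/FPR over the constructed records: 3 of 4 packed, 1 of 2 normal."""
    packed, nonpacked = split_by_truth(SAMPLE_RESULTS)
    return tpr(summarize(packed)), fpr(summarize(nonpacked))


if __name__ == "__main__":
    print("sample TPR/FPR:", sample_metrics())
    print("DIE TPR:", tpr(DIE_PACKED), "DIE FPR:", fpr(DIE_NONPACKED))
```

Running the script reproduces the DIE TPR (2315/2476) and FPR (3/451) printed by die_packer_scan_statistics.py; substituting the pypeid counts gives that tool's numbers in the same way.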
Tsubasa Kuwabara. © FFRI Security, Inc. 2020