Malware analysis

What Are Packed Executables?

March 26, 2020 by Matthew Jones

Introduction

The battle between cybersecurity and malicious files is ever-changing, as the goalposts are always being moved. Whenever analysts figure out a way to reverse-engineer a particular type of malware, hackers undermine their efforts with more complex encryption and new obfuscation techniques. This means that your computer and data security measures should be kept up to date to protect your hardware, software and information.

That said, some common obfuscation techniques have changed very little over time. One of the most common methods used by hackers is the packed executable file. But what exactly are packed executables, and what purpose do they serve? We will answer both of these questions and more. First, though, let’s define the term “executable file.”


What is an executable file?

Generally, an executable file can be easily distinguished from a data file. A data file stores information (or data) on a computer. You can open a data file and read or modify the data. In most cases, data files do not contain executable code.

An executable file, by contrast, performs a particular function on a computer. When an executable file is opened, that function is “executed” according to the code contained within the file. Unlike data files, executable files cannot be read as plain text, because they hold compiled code rather than human-readable source.

You can usually identify an executable file by its file extension. On Windows, executable files end in .COM or .EXE; on macOS, they end in .DMG or .APP. In either case, these files begin their designated operations as soon as they are opened.

What is packing?

Now that you have an understanding of an executable file, we can look at the act of “packing.” When an executable file is packed, its executable code is compressed and wrapped with a small loader that restores the original code in memory when the file runs. The bytes stored on disk therefore look different, while the underlying function of the file is unchanged. In essence, packing simply means changing what executable code looks like without changing anything about the file’s purpose.

The function of packed executables

Packing an executable file reduces its size and protects it against reverse engineering. However, it can also be used for malicious purposes. For example, suppose a hacker wants to pack an executable file that functions as malware. Why would they do this? They would likely pack the file because packing makes it harder to access and analyze.

When a file’s code is changed, it is harder to figure out what the file does. If the file is malicious, this means that you will need to spend more time reverse-engineering it to analyze its effects. So while packed executables are a great way to save space and secure files, they are also a common method of obfuscating malicious files.
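Because a packer replaces readable code with compressed data, the cheapest first check an analyst runs is statistical: compressed bytes have near-maximal entropy, and common packers also leave recognisable section layouts (a section with no file data but a large memory reservation for the unpacked code, or section names such as UPX0/UPX1). The following Python script is an added example written for this article, not code from the author or from any packer project. It walks a PE section table by hand, scores each section, and reports the indicators above. The two images it inspects are constructed in the script itself (a minimal PE-shaped blob that is not loadable), the "packed" section is simulated with zlib rather than a real packer, and the packer section-name list is a short illustrative set, not an exhaustive signature database.

```python
import math
import random
import struct
import zlib
from collections import Counter

# Section names left behind by well-known packers (illustrative, not exhaustive).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}
HIGH_ENTROPY = 7.0  # compressed or encrypted data scores close to the 8.0 maximum


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list[dict]:
    """Walk the PE section table and return each section's name, sizes and entropy."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew in the DOS header
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        raw = image[raw_ptr: raw_ptr + raw_size]
        sections.append({"name": name, "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def packing_indicators(image: bytes) -> list[str]:
    """Return human-readable reasons the image looks packed (empty list if none)."""
    findings = []
    for s in parse_sections(image):
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"{s['name']}: section name associated with a packer")
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}, "
                            f"typical of compressed or encrypted data")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: no data on disk but {s['virtual_size']} "
                            f"bytes reserved in memory (unpack destination)")
    return findings


def build_sample_image(sections: list[tuple[str, bytes, int]]) -> bytes:
    """Assemble a minimal PE-shaped blob (constructed for this example; not loadable)."""
    n = len(sections)
    header_len = 64 + 4 + 20 + 40 * n  # DOS header + "PE\0\0" + COFF header + table
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0)  # SizeOfOptionalHeader = 0
    table, body, raw_ptr, vaddr = b"", b"", header_len, 0x1000
    for name, data, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, len(data),
                             raw_ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
        vaddr += max(vsize, len(data), 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + table + body


def constructed_samples() -> tuple[bytes, bytes]:
    """Two constructed images: plain code-like bytes versus a UPX-style layout."""
    code_like = b"\x55\x8b\xec\x83\xec\x10\x00\x00" * 512  # repetitive, low entropy
    rng = random.Random(7)
    original = bytes(rng.randrange(64) for _ in range(8192))  # ~6 bits/byte of "code"
    packed = zlib.compress(original, 9)  # stand-in for a packer's compressed payload
    plain_image = build_sample_image([(".text", code_like, len(code_like))])
    packed_image = build_sample_image([("UPX0", b"", len(original)),
                                       ("UPX1", packed, len(packed))])
    return plain_image, packed_image


if __name__ == "__main__":
    plain, packed = constructed_samples()
    for label, img in (("plain", plain), ("packed", packed)):
        print(label, packing_indicators(img) or ["no packing indicators"])
```

None of these indicators is proof on its own: legitimate installers and protected commercial software also ship compressed sections, and a packer can use ordinary section names. In practice the entropy score and the empty-but-reserved section are weighted together, and a hit tells the analyst to budget time for unpacking before static analysis will show anything useful.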

Conclusion

In short, packed executables are executable files that have been compressed. While the reasons for needing to compress an executable file vary, “packing” always has a similar end result. A packed file is smaller and more difficult to analyze. As a result, packed executables are commonly used as an obfuscation technique for malware. 

If you’d like to learn more about reverse-engineering packed executables, check out this useful article!
