Pack Detection Rule on PE Files

JIANG Xiao-xin, DUAN Hai-xin
DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.14.049
2010-01-01
Abstract: In an automatic malicious code analysis system, the first step is to analyze the file format of the malicious code and detect whether it is packed. To detect packed PE files more accurately, NFPS, a packed PE file detection rule based on the file header and many parts of the file content, is proposed. By extracting five characteristics of a PE file and evaluating them with the NFPS rule, it can detect packed PE files accurately. In testing, the detection accuracy of NFPS can reach more than 95%, and it can support loop detection of multilayer packed PE files.