AD2060: DetectPackedBinary

Summary

Detects Windows PE binaries that have been compressed or packed using executable packers like UPX, ASPack, Themida, VMProtect, etc.

Description

This rule detects binaries that have been compressed or packed using executable packers. Packed binaries strip or encrypt section headers, debug information, and symbol tables that security analysis tools rely on. When a packer is detected, other analysis results should be treated as potentially unreliable.

Packers are commonly used to:

  • Reduce binary size
  • Obfuscate code to hinder reverse engineering
  • Protect intellectual property

However, packed binaries present challenges for security analysis because:

  • Section information may be incorrect or missing
  • Debug symbols are stripped
  • Import tables are hidden or encrypted
  • Security flags may reflect the packer, not the original code

Detected Packers

  • UPX - Ultimate Packer for eXecutables
  • ASPack
  • PECompact
  • Themida/WinLicense
  • VMProtect
  • Enigma Protector
  • MPRESS
  • Petite
  • FSG
  • NSPack
  • .NET Reactor (for .NET binaries)
  • ConfuserEx (for .NET binaries)
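The following is an added illustration of the kind of check a rule like this can perform, not aldur's own code: it walks the PE section table and flags section names that packers commonly leave behind. The name table is an assumption about typical names (UPX0/UPX1, .vmp0, .themida, etc.) and will miss packers that rename sections or do not alter them, which is exactly why a packer hit should lower confidence in the rest of the analysis rather than be treated as a complete answer.

```python
import struct
from typing import Optional

# Assumption: section names these packers commonly emit. Indicative only;
# a renamed section defeats this heuristic, so it is a signal, not proof.
PACKER_SECTIONS = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
    b".themida": "Themida/WinLicense",
    b".vmp0": "VMProtect", b".vmp1": "VMProtect",
    b"pec1": "PECompact", b"PEC2": "PECompact",
    b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS",
    b".petite": "Petite", b".nsp0": "NSPack", b".nsp1": "NSPack",
    b".enigma1": "Enigma Protector",
}

def pe_section_names(data: bytes) -> list:
    """Return the raw section names of a PE image; ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                        # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # section table start
    names = []
    for i in range(num_sections):                            # 40-byte entries, name first
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0"))
    return names

def detect_packer(data: bytes) -> Optional[str]:
    """Return the packer name if any section name matches, else None."""
    for name in pe_section_names(data):
        if name in PACKER_SECTIONS:
            return PACKER_SECTIONS[name]
    return None

def build_fake_pe(section_names) -> bytes:
    """Constructed sample: a PE header skeleton (not runnable code) with the given sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew points at 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    print(detect_packer(build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])))  # UPX
```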

Resolution

To get accurate security analysis results, unpack the binary before scanning:

UPX

# Decompress a UPX-packed binary
upx -d packed_binary.exe

# Decompress to a new file
upx -d -o unpacked.exe packed_binary.exe

Other Packers

See the Packed Binaries Guide for instructions on unpacking other formats.

Alternative: Scan Before Packing

Run security analysis on your binaries before applying any packer:

# Analyze the original binary
aldur analyze myapp.exe

# Then pack for distribution
upx myapp.exe

Configuration

To suppress this warning:

# aldur.toml
[analysis]
exclude_rules = ["AD2060"]

Note: Even if you suppress this warning, other analysis results may be unreliable for packed binaries.

See Also