AD3060: DetectPackedBinary¶
Summary¶
Detects Linux/Unix ELF binaries that have been compressed or packed using executable packers like UPX.
Description¶
This rule detects binaries that have been compressed or packed with an executable packer. A packer compresses the original code and data into an opaque blob behind a small decompression stub, so the section headers, debug information, and symbol tables that security analysis tools rely on are stripped or unreadable until the binary is unpacked. When a packer is detected, other analysis results for that binary should be treated as potentially unreliable.
For ELF binaries, UPX is the most common packer. UPX-packed ELF binaries typically have:
- UPX! magic bytes in the binary (UPX writes them in its own info headers following the decompression stub and again in a trailer at the end of the file)
- No section header table at all (e_shoff and e_shnum are zero, so readelf -S reports no sections); only the program headers describing the stub and the compressed payload remain
- Section names such as UPX0 and UPX1 where a section header table does survive (these names are characteristic of UPX's PE output and are rarely present in its ELF output, but are still worth checking)
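The three indicators above can be checked directly against the ELF header and, when present, the section header table. The following Python is an added example written for this page, not the rule's own implementation: it parses the ELF64 little-endian header, walks the section header table through .shstrtab when one exists, and searches for the UPX! marker. The sample images it tests against are constructed in the block (a header with a hand-built .shstrtab, and a header with no section table wrapped around placeholder stub and payload bytes); they carry no real code.

```python
"""Heuristic detector for UPX-packed ELF binaries (added example; ELF64 little-endian only)."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"          # written by UPX in its info headers after the stub and in the trailer
EHDR64 = "<HHIQQQIHHHHHH"    # Elf64_Ehdr fields after the 16-byte e_ident
SHDR64 = "<IIQQQQIIQQ"       # Elf64_Shdr (64 bytes)
SHT_STRTAB = 3

def elf_header(data):
    """Return the header fields the detector needs, or None if this is not an ELF64 LE image."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        return None
    if data[4] != 2 or data[5] != 1:
        return None  # this example handles ELFCLASS64 / ELFDATA2LSB only
    f = struct.unpack_from(EHDR64, data, 16)
    return {"e_shoff": f[5], "e_shentsize": f[10], "e_shnum": f[11], "e_shstrndx": f[12]}

def section_names(data, hdr):
    """Resolve section names via .shstrtab; [] when the table is absent, truncated or bogus."""
    shoff, shnum = hdr["e_shoff"], hdr["e_shnum"]
    shentsize, strndx = hdr["e_shentsize"], hdr["e_shstrndx"]
    if shoff == 0 or shnum == 0 or shentsize < 64 or strndx >= shnum:
        return []
    if shoff + shnum * shentsize > len(data):
        return []  # table points past the end of the file: treat as absent
    shdrs = [struct.unpack_from(SHDR64, data, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = shdrs[strndx][4], shdrs[strndx][5]   # sh_offset, sh_size of .shstrtab
    strtab = data[str_off:str_off + str_size]
    names = []
    for sh in shdrs:
        end = strtab.find(b"\x00", sh[0])                   # sh_name is an offset into .shstrtab
        names.append(strtab[sh[0]:end if end != -1 else None].decode("ascii", "replace"))
    return names

def detect_packer(data):
    """Return (verdict, indicators); verdict is 'upx', 'suspicious', 'clean' or 'not-elf'."""
    hdr = elf_header(data)
    if hdr is None:
        return "not-elf", []
    indicators = []
    if UPX_MAGIC in data:
        indicators.append("upx_magic")
    names = section_names(data, hdr)
    if not names:
        indicators.append("no_section_headers")
    if any(n.lstrip(".").startswith("UPX") for n in names):
        indicators.append("upx_section_names")
    if "upx_magic" in indicators or "upx_section_names" in indicators:
        return "upx", indicators
    if "no_section_headers" in indicators:
        return "suspicious", indicators   # sstrip-style header removal looks the same
    return "clean", indicators

# ---- constructed sample images (not real binaries) ----
def _ehdr(e_shoff, e_shnum, e_shstrndx):
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, EV_CURRENT, System V ABI
    # e_type=ET_EXEC, e_machine=EM_X86_64, version, entry, phoff, shoff, flags, ehsize,
    # phentsize, phnum (0: program headers omitted), shentsize, shnum, shstrndx
    return ident + struct.pack(EHDR64, 2, 0x3E, 1, 0x401000, 64, e_shoff, 0, 64, 56, 0, 64, e_shnum, e_shstrndx)

def build_clean_sample(names=(".text", ".data", ".symtab")):
    """Header + .shstrtab + section header table, laid out like an ordinary (even stripped) ELF."""
    all_names = [""] + list(names) + [".shstrtab"]        # index 0 is the mandatory SHT_NULL entry
    strtab, offsets = b"", []
    for n in all_names:
        offsets.append(len(strtab))
        strtab += n.encode() + b"\x00"
    str_off = 64
    sh_off = (str_off + len(strtab) + 7) & ~7
    shdrs = b""
    for i, n in enumerate(all_names):
        is_strtab = n == ".shstrtab"
        sh_type = SHT_STRTAB if is_strtab else (0 if i == 0 else 1)
        shdrs += struct.pack(SHDR64, offsets[i], sh_type, 0, 0,
                             str_off if is_strtab else 0, len(strtab) if is_strtab else 0, 0, 0, 1, 0)
    body = _ehdr(sh_off, len(all_names), len(all_names) - 1) + strtab
    return body + b"\x00" * (sh_off - len(body)) + shdrs

def build_packed_sample():
    """Stand-in for UPX ELF output: no section header table, UPX! markers around an opaque payload."""
    stub = b"\x90" * 32          # placeholder for the decompression stub
    payload = b"\xa5" * 64       # placeholder for the compressed original
    return _ehdr(0, 0, 0) + stub + UPX_MAGIC + payload + UPX_MAGIC

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_packed_sample()
    print(detect_packer(data))
```

Run it with a path to a real binary to see the verdict; with no argument it classifies the constructed packed sample. Note that a missing section header table on its own only yields "suspicious": ordinary `strip` keeps the table, but tools such as sstrip remove it without packing anything, so that indicator should corroborate the UPX! marker rather than replace it.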
Detected Packers¶
- UPX - Ultimate Packer for eXecutables
- Other packers detected by signature or heuristics
Why This Matters for ELF¶
ELF security analysis relies on:
- Section headers for per-section flags and layout (e.g., sections that are both writable and executable)
- Program headers for segment permissions (e.g., PT_GNU_STACK marking the stack executable)
- DWARF debug info for compiler detection
- Symbol tables for API usage analysis

Packed binaries may have these structures stripped or compressed away, leading to:
- False negatives (security issues hidden inside the compressed payload)
- False positives (flags raised against the packer stub rather than the original program)
- Incomplete analysis
Resolution¶
UPX¶
```bash
# Decompress a UPX-packed binary in place
upx -d packed_binary

# Decompress to a new file, leaving the packed original untouched
upx -d -o unpacked_binary packed_binary

# Force decompression (e.g., overwrite an existing output file)
upx -d -f packed_binary
```
Scan Before Packing¶
Run security analysis on your binaries before applying any packer:
Configuration¶
To suppress this warning:
Note: Even if you suppress this warning, other analysis results may be unreliable for packed binaries.