Identifying an EXE packer is a key part of software analysis. You may need to do it for reverse engineering or analysis of a malicious code. So here are some free, portable tools that can help you in identifying an executable file packer:
PEiD
This is the most well known and widely used tool for detecting packers, cryptors and compilers for PE files. It detects over 600 different signatures in PE files.
PEiD has a simple, standard interface where it shows you the EXE packer name, entry point, file offset, linker information, EP section, first bytes, and subsystem information on the selected file.
PEiD has three scanning modes:
- Normal Mode: Scans PE files at their Entry Point for documented signatures
- Deep Mode: Scans the Entry Point containing section for all the documented signature
- Hardcore Mode: This does a complete scan of the entire PE file for documented signatures
You can select an EXE file using the file browser or the “drag and drop” method. It can also perform recursive directory scanning for multiple files. It supports shell integration, command line input, and you can even pin it on top of all other applications.
Download: PEiD
Exeinfo PE
Exeinfo PE is a more advanced program than PEiD. Along with the packer details, it shows you information such as the entry point, file offset, linker information, file size, EP section, first bytes, sub-system and overlay of an executable file. It has got lot of other features as well.
You can select an EXE or DLL using the file browser or by just dragging and dropping it on to the program window.
From the program options, you can enable Exeinfo PE to perform a fast scan, ignore EXE errors, integrate into the shell, always be on top and make the interface bigger. Also, you can enable logging, and change skin and language.
Download: Exeinfo PE
Language 2000
Language 2000 is simple tool that shows very basic information like the compiler language, compiler name, compiler author and its URL. This info will help you determine which compiler was used to make the binary file or with which compressor the file is compressed, but that’s it.
It can detect Compiler/Encryptor/Packer of EXE, DLL and OCX files.
Download: Language 2000