
# Packer Identification by File section names

Section names and keywords associated with packers, protectors and other tools:

```
.aspack – Aspack packer
.adata – Aspack packer/Armadillo packer
ASPack – Aspack packer
.ASPack – ASPAck Protector
.boom – The Boomerang List Builder (config+exe xored with a single byte key 0x77)
.ccg – CCG Packer (Chinese Packer)
.charmve – Added by the PIN tool
BitArts – Crunch 2.0 Packer
DAStub – DAStub Dragon Armor protector
!EPack – Epack packer
.ecode – Built with EPL
.edata – Built with EPL
.enigma1 – Enigma Protector
.enigma2 – Enigma Protector
FSG! – FSG packer (not a section name, but a good identifier)
.imrsiv – special section used for applications that can be loaded to OS desktop bands.
.gentee – Gentee installer
kkrunchy – kkrunchy Packer
lz32.dll – Crinkler
.mackt – ImpRec-created section
.MaskPE – MaskPE Packer
MEW – MEW packer
.mnbvcx1 – most likely associated with Firseria PUP downloaders
.mnbvcx2 – most likely associated with Firseria PUP downloaders
.MPRESS1 – Mpress Packer
.MPRESS2 – Mpress Packer
.neolite – Neolite Packer
.neolit – Neolite Packer
.nsp1 – NsPack packer
.nsp0 – NsPack packer
.nsp2 – NsPack packer
nsp1 – NsPack packer
nsp0 – NsPack packer
nsp2 – NsPack packer
.packed – RLPack Packer (first section)
PEPACK!! – Pepack
pebundle – PEBundle Packer
PEBundle – PEBundle Packer
PEC2TO – PECompact packer
PECompact2 – PECompact packer (not a section name, but a good identifier)
PEC2 – PECompact packer
pec – PECompact packer
pec1 – PECompact packer
pec2 – PECompact packer
pec3 – PECompact packer
pec4 – PECompact packer
pec5 – PECompact packer
pec6 – PECompact packer
PEC2MO – PECompact packer
PELOCKnt – PELock Protector
.perplex – Perplex PE-Protector
PESHiELD – PEShield Packer
.petite – Petite Packer
.pinclie – Added by the PIN tool
ProCrypt – ProCrypt Packer
.RLPack – RLPack Packer (second section)
.rmnet – Ramnit virus marker
RCryptor – RPCrypt Packer
.RPCrypt – RPCrypt Packer
.seau – SeauSFX Packer
.sforce3 – StarForce Protection
.shrink1 – Shrinker
.shrink2 – Shrinker
.shrink3 – Shrinker
.spack – Simple Pack (by bagie)
.svkp – SVKP packer
Themida – Themida Packer
.Themida – Themida Packer
.taz – Some version of PESpin
.tsuarch – TSULoader
.tsustub – TSULoader
.packed – Unknown Packer
.Upack – Upack packer
.ByDwing – Upack Packer
UPX0 – UPX packer
UPX1 – UPX packer
UPX2 – UPX packer
UPX3 – UPX packer
UPX! – UPX packer
.UPX0 – UPX Packer
.UPX1 – UPX Packer
.UPX2 – UPX Packer
.vmp0 – VMProtect packer
.vmp1 – VMProtect packer
.vmp2 – VMProtect packer
VProtect – Vprotect Packer
.winapi – Added by API Override tool
WinLicen – WinLicense (Themida) Protector
_winzip_ – WinZip Self-Extractor
.WWPACK – WWPACK Packer
.WWP32 – WWPACK Packer (WWPack32)
.yP – Y0da Protector
.y0da – Y0da Protector
```

## List of popular section names

```
.00cfg – Control Flow Guard (CFG) section (added by newer versions of Visual Studio)
.AAWEBS – section used by Amiti Antivirus DLLs webspam.dll and webspamwow64.dll
.apiset – a section present inside the apisetschema.dll
.arch – Alpha-architecture section
.autoload_text – cygwin/gcc; the Cygwin DLL uses a section to avoid copying certain data on fork.
.bindat – Binary data (also used by one of the downware installers based on LUA)
.bootdat – section that can be found inside Visual Studio files; contains palette entries
.bss – Uninitialized Data Section
.BSS – Uninitialized Data Section
.buildid – gcc/cygwin; Contains debug information (if overlaps with debug directory)
.CLR_UEF – .CLR Unhandled Exception Handler section; see https://github.com/dotnet/coreclr/blob/master/src/vm/excep.h
.code – Code Section
.cormeta – .CLR Metadata Section
.complua – Binary data, most likely compiled LUA (also used by one of the downware installers based on LUA)
.CRT – Initialized Data Section  (C RunTime)
.cygwin_dll_common – cygwin section containing flags representing Cygwin’s capabilities; refer to cygwin.sc and wincap.cc inside Cygwin run-time
.data – Data Section
.DATA – Data Section
.data1 – Data Section
.data2 – Data Section
.data3 – Data Section
.debug – Debug info Section
.debug$F – Debug info Section (Visual C++ version <7.0)
.debug$P – Debug info Section (Visual C++ debug information – precompiled information)
.debug$S – Debug info Section (Visual C++ debug information – symbolic information)
.debug$T – Debug info Section (Visual C++ debug information – type information)
.drectve  – directive section (temporary, linker removes it after processing it; should not appear in a final PE image)
.didat – Delay Import Section
.didata – Delay Import Section
.edata – Export Data Section
.eh_fram – gcc/cygwin; Exception Handler Frame section
.export – Alternative Export Data Section
.fasm – FASM flat Section
.flat – FASM flat Section
.gfids – section added by new Visual Studio (14.0); purpose unknown
.giats – section added by new Visual Studio (14.0); purpose unknown
.gljmp – section added by new Visual Studio (14.0); purpose unknown
.glue_7t – ARMv7 core glue functions (thumb mode)
.glue_7 – ARMv7 core glue functions (32-bit ARM mode)
.idata – Initialized Data Section  (Borland)
.idlsym – IDL Attributes (registered SEH)
.impdata – Alternative Import data section
.import – Alternative Import data section
.itext – Code Section  (Borland)
.ndata – Nullsoft Installer section
.orpc – Code section inside rpcrt4.dll
.pdata – Exception Handling Functions Section (PDATA records)
.rdata – Read-only initialized Data Section  (MS and Borland)
.reloc – Relocations Section
.rodata – Read-only Data Section
.rsrc – Resource section
.sbss – GP-relative Uninitialized Data Section
.script – Section containing script
.shared – Shared section
.sdata – GP-relative Initialized Data Section
.srdata – GP-relative Read-only Data Section
.stab – Created by Haskell compiler (GHC)
.stabstr – Created by Haskell compiler (GHC)
.sxdata – Registered Exception Handlers Section
.text – Code Section
.text0 – Alternative Code Section
.text1 – Alternative Code Section
.text2 – Alternative Code Section
.text3 – Alternative Code Section
.textbss – Section used by incremental linking
.tls – Thread Local Storage Section
.tls$ – Thread Local Storage Section
.udata – Uninitialized Data Section
.vsdata – GP-relative Initialized Data
.xdata – Exception Information Section
.wixburn – Wix section; see https://github.com/wixtoolset/wix3/blob/develop/src/burn/stub/StubSection.cpp
.wpp_sf  – section that is most likely related to WPP (Windows software trace PreProcessor); not sure how it is used though; the code inside the section is just a bunch of routines that call FastWppTraceMessage that in turn calls EtwTraceMessage
BSS – Uninitialized Data Section  (Borland)
CODE – Code Section (Borland)
DATA – Data Section (Borland)
DGROUP – Legacy data group section
edata – Export Data Section
idata – Initialized Data Section  (C RunTime)
INIT – INIT section (drivers)
minATL – Section that can be found inside some ARM PE files; .exe files on Windows 10 also include this section; its purpose is unknown, but it contains references to the ___pobjectentryfirst, ___pobjectentrymid, ___pobjectentrylast pointers used by Microsoft::WRL::Details::ModuleBase::… methods, which are also referenced by .pdb symbols; so it looks like it is used internally by the Windows Runtime C++ Template Library (WRL), which is a successor of the Active Template Library (ATL); further research needed
PAGE – PAGE section (drivers)
rdata – Read-only Data Section
sdata – Initialized Data Section
shared – Shared section
Shared – Shared section
testdata – section containing test data (can be found inside Visual Studio files)
text – Alternative Code Section
```

