Packer Identification by File section names

The packer/protector/tools section names/keywords

.aspack – Aspack packer
.adata – Aspack packer/Armadillo packer
ASPack – Aspack packer
.ASPack – ASPAck Protector
.boom – The Boomerang List Builder (config+exe xored with a single byte key 0x77)
.ccg – CCG Packer (Chinese Packer)
.charmve – Added by the PIN tool
BitArts – Crunch 2.0 Packer
DAStub – DAStub Dragon Armor protector
!EPack – Epack packer
.ecode – Built with EPL
.edata – Built with EPL
.enigma1 – Enigma Protector
.enigma2 – Enigma Protector
FSG! – FSG packer (not a section name, but a good identifier)
.imrsiv – special section used for applications that can be loaded to OS desktop bands.
.gentee – Gentee installer
kkrunchy – kkrunchy Packer
lz32.dll – Crinkler
.mackt – ImpRec-created section
.MaskPE – MaskPE Packer
MEW – MEW packer
.mnbvcx1 – most likely associated with Firseria PUP downloaders
.mnbvcx2 – most likely associated with Firseria PUP downloaders
.MPRESS1 – Mpress Packer
.MPRESS2 – Mpress Packer
.neolite – Neolite Packer
.neolit – Neolite Packer
.nsp1 – NsPack packer
.nsp0 – NsPack packer
.nsp2 – NsPack packer
nsp1 – NsPack packer
nsp0 – NsPack packer
nsp2 – NsPack packer
.packed – RLPack Packer (first section)
PEPACK!! – Pepack
pebundle – PEBundle Packer
PEBundle – PEBundle Packer
PEC2TO – PECompact packer
PECompact2 – PECompact packer (not a section name, but a good identifier)
PEC2 – PECompact packer
pec – PECompact packer
pec1 – PECompact packer
pec2 – PECompact packer
pec3 – PECompact packer
pec4 – PECompact packer
pec5 – PECompact packer
pec6 – PECompact packer
PEC2MO – PECompact packer
PELOCKnt – PELock Protector
.perplex – Perplex PE-Protector
PESHiELD – PEShield Packer
.petite – Petite Packer
.pinclie – Added by the PIN tool
ProCrypt – ProCrypt Packer
.RLPack – RLPack Packer (second section)
.rmnet – Ramnit virus marker
RCryptor – RPCrypt Packer
.RPCrypt – RPCrypt Packer
.seau – SeauSFX Packer
.sforce3 – StarForce Protection
.shrink1 – Shrinker
.shrink2 – Shrinker
.shrink3 – Shrinker
.spack – Simple Pack (by bagie)
.svkp – SVKP packer
Themida – Themida Packer
.Themida – Themida Packer
.taz – Some version os PESpin
.tsuarch – TSULoader
.tsustub – TSULoader
.packed – Unknown Packer
PEPACK!! – Pepack
.Upack – Upack packer
.ByDwing – Upack Packer
UPX0 – UPX packer
UPX1 – UPX packer
UPX2 – UPX packer
UPX3 – UPX packer
UPX! – UPX packer
.UPX0 – UPX Packer
.UPX1 – UPX Packer
.UPX2 – UPX Packer
.vmp0 – VMProtect packer
.vmp1 – VMProtect packer
.vmp2 – VMProtect packer
VProtect – Vprotect Packer
.winapi – Added by API Override tool
WinLicen – WinLicense (Themida) Protector
_winzip_ – WinZip Self-Extractor
.WWPACK – WWPACK Packer
.WWP32 – WWPACK Packer (WWPack32)
.yP – Y0da Protector
.y0da – Y0da Protector

List of popular section names

.00cfg – Control Flow Guard (CFG) section (added by newer versions of Visual Studio)
.AAWEBS – section used by Amiti Antivirus DLLs webspam.dll and webspamwow64.dll
.apiset – a section present inside the apisetschema.dll
.arch – Alpha-architecture section
.autoload_text – cygwin/gcc; the Cygwin DLL uses a section to avoid copying certain data on fork.
.bindat – Binary data (also used by one of the downware installers based on LUA)
.bootdat – section that can be found inside Visual Studio files; contains palette entries
.bss – Uninitialized Data Section
.BSS – Uninitialized Data Section
.buildid – gcc/cygwin; Contains debug information (if overlaps with debug directory)
.CLR_UEF – .CLR Unhandled Exception Handler section; see https://github.com/dotnet/coreclr/blob/master/src/vm/excep.h
.code – Code Section
.cormeta – .CLR Metadata Section
.complua – Binary data, most likely compiled LUA (also used by one of the downware installers based on LUA)
.CRT – Initialized Data Section  (C RunTime)
.cygwin_dll_common – cygwin section containing flags representing Cygwin’s capabilities; refer to cygwin.sc and wincap.cc inside Cygwin run-time
.data – Data Section
.DATA – Data Section
.data1 – Data Section
.data2 – Data Section
.data3 – Data Section
.debug – Debug info Section
.debug$F – Debug info Section (Visual C++ version <7.0)
.debug$P – Debug info Section (Visual C++ debug information – precompiled information
.debug$S – Debug info Section (Visual C++ debug information – symbolic information)
.debug$T – Debug info Section (Visual C++ debug information – type information)
.drectve  – directive section (temporary, linker removes it after processing it; should not appear in a final PE image)
.didat – Delay Import Section
.didata – Delay Import Section
.edata – Export Data Section
.eh_fram – gcc/cygwin; Exception Handler Frame section
.export – Alternative Export Data Section
.fasm – FASM flat Section
.flat – FASM flat Section
.gfids – section added by new Visual Studio (14.0); purpose unknown
.giats – section added by new Visual Studio (14.0); purpose unknown
.gljmp – section added by new Visual Studio (14.0); purpose unknown
.glue_7t – ARMv7 core glue functions (thumb mode)
.glue_7 – ARMv7 core glue functions (32-bit ARM mode)
.idata – Initialized Data Section  (Borland)
.idlsym – IDL Attributes (registered SEH)
.impdata – Alternative Import data section
.import – Alternative Import data section
.itext – Code Section  (Borland)
.ndata – Nullsoft Installer section
.orpc – Code section inside rpcrt4.dll
.pdata – Exception Handling Functions Section (PDATA records)
.rdata – Read-only initialized Data Section  (MS and Borland)
.reloc – Relocations Section
.rodata – Read-only Data Section
.rsrc – Resource section
.sbss – GP-relative Uninitialized Data Section
.script – Section containing script
.shared – Shared section
.sdata – GP-relative Initialized Data Section
.srdata – GP-relative Read-only Data Section
.stab – Created by Haskell compiler (GHC)
.stabstr – Created by Haskell compiler (GHC)
.sxdata – Registered Exception Handlers Section
.text – Code Section
.text0 – Alternative Code Section
.text1 – Alternative Code Section
.text2 – Alternative Code Section
.text3 – Alternative Code Section
.textbss – Section used by incremental linking
.tls – Thread Local Storage Section
.tls$ – Thread Local Storage Section
.udata – Uninitialized Data Section
.vsdata – GP-relative Initialized Data
.xdata – Exception Information Section
.wixburn – Wix section; see https://github.com/wixtoolset/wix3/blob/develop/src/burn/stub/StubSection.cpp
.wpp_sf  – section that is most likely related to WPP (Windows software trace PreProcessor); not sure how it is used though; the code inside the section is just a bunch of routines that call FastWppTraceMessage that in turn calls EtwTraceMessage
BSS – Uninitialized Data Section  (Borland)
CODE – Code Section (Borland)
DATA – Data Section (Borland)
DGROUP – Legacy data group section
edata – Export Data Section
idata – Initialized Data Section  (C RunTime)
INIT – INIT section (drivers)
minATL – Section that can be found inside some ARM PE files; purpose unknown; .exe files on Windows 10 also include this section as well; its purpose is unknown, but it contains references to ___pobjectentryfirst,___pobjectentrymid,___pobjectentrylast pointers used by Microsoft::WRL::Details::ModuleBase::… methods described e.g. here, and also referenced by .pdb symbols; so, looks like it is being used internally by Windows Runtime C++ Template Library (WRL) which is a successor of Active Template Library (ATL); further research needed
PAGE – PAGE section (drivers)
rdata – Read-only Data Section
sdata – Initialized Data Section
shared – Shared section
Shared – Shared section
testdata – section containing test data (can be found inside Visual Studio files)
text – Alternative Code Section

PreviousMalware Analysis Fundamentals NextAnalyzing Malicious Documents

Last updated 3 years ago