Binary Analysis
PECompact2 Jun 23 2006 06:08PM
als hush com (4 replies)
RE: PECompact2 Jun 25 2006 11:07PM
Earl_Marcus_Tan dell com

You would want to confirm that with a PE identifier because some packers
change the strings in the sections table in the PE header to confuse
people. A good tool to use for this is PEiD (


-----Original Message-----
From: als (at) hush (dot) com [mailto:als (at) hush (dot) com]
Sent: Saturday, June 24, 2006 2:09 AM
To: binaryanalysis (at) securityfocus (dot) com
Subject: PECompact2


I recently came across a suspicious binary (.SCR) file in a
compromised system. As I started to analyse it by running a
'strings' against it I noticed there was very little readable text
in it, but the first line caught my attention: PECompact2.

I did some research and it seems this indicates the binary is
somehow compressed/obfuscated by using some sort of PE compression
tool (probably

Now I would like to unpack the executable to carry on with the
analysis. From what I could understand this would only be possible
by running it in a test win32 system, probably using a disassembly
tool, since it only "unpacks" itself when being executed. Is that
correct? Would there be some other way of doing so, perhaps using
some sort of decompression tool? I was not able to find any so far.

Thanks for any help.


Re: PECompact2 Jun 23 2006 11:08PM
derez (derez packetforge net)
Re: PECompact2 Jun 23 2006 10:42PM
Lance James (phishing securescience net)
Re: PECompact2 Jun 23 2006 09:59PM
Greg Hunt (gregory hunt gmail com)
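
Added example, not part of the original thread or any poster's code: because a packer can rename its sections, as the reply above notes, this sketch reads the PE section table directly and reports structural signs of packing that do not depend on section names. The 7.0 bits-per-byte entropy threshold, the three heuristics and the constructed sample image are assumptions of this example.

```python
import math
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* flags

def entropy(data):
    """Shannon entropy in bits per byte (0 for empty input)."""
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def sections(image):
    """Parse the PE section table; return (entry_rva, [section dicts])."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    entry, = struct.unpack_from("<I", image, pe + 24 + 16)   # AddressOfEntryPoint
    table = pe + 24 + opt_size
    out = []
    for off in range(table, table + 40 * count, 40):
        name, vsize, vaddr, rsize, rptr, flags = struct.unpack_from("<8sIIII12xI", image, off)
        out.append(dict(name=name.rstrip(b"\0").decode("latin-1"), vsize=vsize, vaddr=vaddr,
                        rsize=rsize, flags=flags, entropy=entropy(image[rptr:rptr + rsize])))
    return entry, out

def packing_indicators(image):
    """Heuristic signs of packing that survive renamed section names."""
    entry, secs = sections(image)
    hits = []
    for i, s in enumerate(secs):
        if s["flags"] & MEM_EXECUTE and s["flags"] & MEM_WRITE:
            hits.append((s["name"], "writable and executable"))
        if s["entropy"] > 7.0:                               # assumed threshold
            hits.append((s["name"], "high-entropy raw data"))
        if i > 0 and s["vaddr"] <= entry < s["vaddr"] + s["vsize"]:
            hits.append((s["name"], "entry point outside first section"))
    return hits

def build_sample():
    """Constructed header-only image (not a real binary): benign names, packed layout."""
    img = bytearray(0x200)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    struct.pack_into("<HH12xH", img, 0x44, 0x14C, 2, 0xE0)   # machine, sections, opt size
    struct.pack_into("<I", img, 0x68, 0x5000)                # entry point RVA
    for i, sec in enumerate([(b".text", 0x4000, 0x1000, 0, 0),
                             (b".data", 0x1000, 0x5000, 0x200, 0x200)]):
        struct.pack_into("<8sIIII12xI", img, 0x138 + 40 * i, *sec, MEM_EXECUTE | MEM_WRITE)
    return bytes(img) + bytes(range(256)) * 2                # 512 raw bytes, entropy 8.0
```

On the constructed sample the sections are named `.text` and `.data`, yet the layout is still flagged: the entry point lies in a high-entropy, writable and executable second section.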


Copyright 2010, SecurityFocus