cognis-digital/packpeek

GitHub: cognis-digital/packpeek

A dependency-free static packer detection tool written in C that quickly determines whether a binary is packed by matching known packer markers and computing Shannon entropy.

Stars: 0 | Forks: 0

# packpeek

**Static packer / loader fingerprinting tool (C)**: is this binary packed, and by what?

[![ci](https://github.com/cognis-digital/packpeek/actions/workflows/ci.yml/badge.svg)](https://github.com/cognis-digital/packpeek/actions/workflows/ci.yml) ![lang](https://img.shields.io/badge/lang-C-A8B9CC) ![license](https://img.shields.io/badge/license-COCL%201.0-2ea043)

Part of the **[Cognis Neural Suite](https://github.com/cognis-digital)**.

The classic first step of malware triage: `packpeek` searches a binary for known markers of common runtime packers and protectors (**UPX, ASPack, Themida, WinLicense, MPRESS, PECompact, Petite, FSG, MEW, NsPack, Enigma, VMProtect, Armadillo**) and measures its **Shannon entropy**. A packer marker together with high entropy is a strong "packed, inspect further" signal.

Format-agnostic (PE / ELF / Mach-O / firmware blobs), no dependencies, JSON output. Pair it with [`entroc`](https://github.com/cognis-digital/entroc) for sliding-window entropy, and generate **YARA + SARIF** with the bundled companion tool.

## Build

```
gcc -O2 -std=c99 -o packpeek packpeek.c -lm
```

## Usage

```
packpeek [--threshold F]
  --threshold   entropy (bits, 0..8) above which a file is "high entropy" (default 7.2)
```

```
packpeek suspicious.exe
packpeek suspicious.exe | python sarif.py          # -> SARIF for code scanning
packpeek suspicious.exe | python sarif.py --yara   # -> deployable YARA rule
```

## Output

```
{"tool":"packpeek","file":"suspicious.exe","size":204800,"entropy":7.91,
 "high_entropy":true,"threshold":7.20,
 "packers":[{"name":"UPX","offset":336}],"packer_count":1,"verdict":"packed"}
```

The exit code is **2** for `packed`/`likely-packed`, **0** for `clean`, and **1** on error, so CI can be gated on it.

## License

COCL 1.0, see [LICENSE](LICENSE). Commercial use → licensing@cognis.digital
Tags: client-side encryption, reverse-engineering tools