Low-entropy Packed Binary Detection using Hardware Performance Counters
Indexed by the NIAID Data Ecosystem on 2026-05-01
Download link:
https://zenodo.org/record/10440483
Resource description:
Malware analysis faces a critical challenge in accurately identifying packed executables, especially those with low entropy. Existing software-based solutions often fail to detect the packers used by malware, resulting in inaccurate classifications. To address this shortcoming, in this study we introduce a novel method using Hardware Performance Counters (HPCs) to facilitate the classification of binary packers, taking advantage of HPCs' minimal access overhead and their ability to obviate the need for source code. We trained classic machine-learning models by selecting relevant hardware attributes associated with the unpacking procedure for detecting packers used by low-entropy binary programs. Extensive experiments show the substantial role played by Hardware Performance Counters in detecting binary packing characterized by low entropy, offering a promising avenue for further exploration and refinement of techniques in malware analysis.
The following zip files are executables that represent low-entropy versions of software packers using byte-padding. The names of the files are the names of the packers which are represented: Acprotect, Armadillo, Aspack, Nspack, Pecompact, Petite, UPX, and Zprotect. These can be used to measure the unpacking process using hardware performance counters in order to test and train machine learning classifiers for accurate classification of low-entropy packers.
Created:
2023-12-30