packlab is a defensive static-analysis CLI for spotting packer indicators in PE, ELF, and raw binary files. It reads metadata, maps section entropy, applies explainable packer rules, and writes text, JSON, and HTML reports.
This implements the Notion project "Binary Packer Analysis Lab" in Go.
- PE and ELF metadata parsing.
- SHA-256 hashing and entry point reporting.
- Import library extraction where available.
- Section-level entropy map.
- PE overlay detection.
- UPX marker and UPX-like section detection.
- Rules for high entropy, W+X sections, low imports, and overlays.
- Explainable score and verdict.
- JSON and HTML reports.
- Benign synthetic fixtures in tests.
go build -o bin/packlab.exe ./cmd/packlabbin/packlab.exe analyze .\some-binary.exe --json packlab-report.json --html packlab-report.htmlFail CI when suspicious indicators are found:
bin/packlab.exe analyze .\some-binary.exe --fail-on-suspiciousnot-packed: no meaningful packer indicators fired.suspicious: one or more weak or medium indicators fired.packed-likely: strong UPX markers or a high combined score fired.
This lab is for static defensive analysis of binaries you own, compile, or are authorized to inspect. It does not execute samples, unpack payloads, patch binaries, or ship malware fixtures.
go test ./...
go build -o bin/packlab.exe ./cmd/packlabcmd/packlab CLI entry point
internal/analysis parsers, entropy, rule engine
internal/report text, JSON, and HTML reports
docs/ architecture and safe sample notes