Static packer / loader fingerprinter (C) — is this binary packed, and by what?
Part of the Cognis Neural Suite. The classic first step in malware triage: packpeek searches a binary for the documented markers of common runtime packers/protectors — UPX, ASPack, Themida, WinLicense, MPRESS, PECompact, Petite, FSG, MEW, NsPack, Enigma, VMProtect, Armadillo — and measures Shannon entropy. A packer marker plus high entropy is a strong "this is packed, look closer" signal.
Format-agnostic (PE / ELF / Mach-O / firmware blob), dependency-free, JSON-out. Pairs with entroc for windowed entropy and emits YARA + SARIF via the bundled companion.
Defensive triage only — reads a file, makes no network calls, executes nothing.
Sample result format (illustrative values — run on your own data for real findings):
{
"packs": [
{
"id": "1234567890",
"name": "Pack 1",
"size": 100,
"weight": 5.2,
"contents": [
{"item": "Item A", "quantity": 3},
{"item": "Item B", "quantity": 2}
]
},
{
"id": "2345678901",
"name": "Pack 2",
"size": 50,
"weight": 2.8,
"contents": [
{"item": "Item C", "quantity": 4},
{"item": "Item D", "quantity": 1}
]
}
]
}
gcc -O2 -std=c99 -o packpeek packpeek.c -lmpackpeek <file> [--threshold F]
--threshold entropy (bits, 0..8) above which a file is "high entropy" (default 7.2)
packpeek suspicious.exe
packpeek suspicious.exe | python sarif.py # -> SARIF for code scanning
packpeek suspicious.exe | python sarif.py --yara # -> deployable YARA rule{"tool":"packpeek","file":"suspicious.exe","size":204800,"entropy":7.91,
"high_entropy":true,"threshold":7.20,
"packers":[{"name":"UPX","offset":336}],"packer_count":1,"verdict":"packed"}Exit 2 if packed/likely-packed, 0 if clean, 1 on error — gate CI on it.
COCL 1.0 — see LICENSE. Commercial use → licensing@cognis.digital