Windows EXE/DLL: what is a "packed image"

Process Explorer sometimes shows an EXE as "packed image", but what does it mean?

What I have found out is: compiling an EXE (using Visual C++ 2010) with the /ZI option results in a packed image, but /Zi does not. Why such a difference?

BTW: a DLL compiled with /ZI is also considered "packed image" and marked purple.

Asked Feb 17 '16 by Jimm Chen


2 Answers

A "packed image" is one where executable code is compressed with the intention to make the file smaller. Typical file size reduction hovers around 50%. It uses a "loader" at runtime to decompress the data back to executable code before it starts executing. It was useful back in the olden days with limited disk storage capacity and limited network bandwidth.

Today, with terabyte disks and megabit networks, it is a smell; packing can also be exploited to hide malicious code. Surely the reason why Process Explorer colors it differently.

The exact heuristic that PE uses to detect packing is not documented. Of course not, that would make it too easy to circumvent. It is not trivial; there is no standard way to implement packing. Roughly, it would look at the sections in the executable file and raise the Blue Flag when too much of it looks like non-executable code.

And yes, when you use /ZI then there will be a lot of it. More significant is the linker's /INCREMENTAL option, turned on automatically when you use /ZI, which allows you to write code while debugging (the Edit+Continue option) and quickly relink the executable file without the linker having to completely re-generate the file. This can only work when there is lots of empty space in the executable file, available to add new machine code bytes. That's a Blue Flag.

Not a real concern, of course: your user will only ever see the Release build of your program, which is built without /ZI and without /INCREMENTAL.

Answered Nov 06 '22 by Hans Passant


From the Process Hacker source code:

An image is packed if:

  1. It references fewer than 3 modules, and
  2. It imports fewer than 5 functions, and
  3. It does not use the Native subsystem.

Or:

  1. The function-to-module ratio is lower than 3 (on average fewer than 3 functions are imported from each module), and
  2. It references more than 2 modules but fewer than 6 modules.

Or:

  1. The function-to-module ratio is lower than 2 (on average fewer than 2 functions are imported from each module), and
  2. It references more than 5 modules but fewer than 31 modules.

Or:

  1. It does not have a section named ".text".

An image is not considered to be packed if it has only one import from a module named "mscoree.dll".

You can also take a look at the source code to figure out how to determine if an image is probably packed or if it isn't.

Answered Nov 06 '22 by Bruno Zell
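The rule set quoted in the answer above, reimplemented as an added example (this is not code from Process Hacker or from the answer). `ImportSummary` and the sample import tables are constructed for illustration, and the code assumes the mscoree.dll exception overrides all four rules rather than only the first.

```python
from dataclasses import dataclass, field

@dataclass
class ImportSummary:
    """Constructed summary of one PE image: its import table plus two header facts."""
    imports: dict[str, list[str]] = field(default_factory=dict)  # module -> imported names
    is_native_subsystem: bool = False  # True for IMAGE_SUBSYSTEM_NATIVE images
    has_text_section: bool = True      # False when no section is named ".text"

def is_probably_packed(img: ImportSummary) -> bool:
    """Apply the four rules quoted above to one image summary."""
    modules = len(img.imports)
    functions = sum(len(names) for names in img.imports.values())

    # Exception: a managed stub whose entire import table is one function from mscoree.dll.
    # Assumption: the exception overrides every rule, not just the first one.
    if modules == 1 and functions == 1 and next(iter(img.imports)).lower() == "mscoree.dll":
        return False

    if modules < 3 and functions < 5 and not img.is_native_subsystem:
        return True  # rule 1: almost nothing imported, typical of a loader stub

    ratio = functions / modules if modules else 0.0
    if ratio < 3 and 2 < modules < 6:
        return True  # rule 2: 3..5 modules, on average fewer than 3 functions each
    if ratio < 2 and 5 < modules < 31:
        return True  # rule 3: 6..30 modules, on average fewer than 2 functions each

    return not img.has_text_section  # rule 4: no ".text" section at all

# Constructed samples (not real binaries); the import lists are illustrative only.
SAMPLES = {
    "stub_two_imports": ImportSummary({"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress"]}),
    "dotnet_host": ImportSummary({"mscoree.dll": ["_CorExeMain"]}),
    "native_image": ImportSummary({"ntdll.dll": ["NtClose"]}, is_native_subsystem=True),
    "ordinary_app": ImportSummary({
        "KERNEL32.dll": [f"K{i}" for i in range(30)],
        "USER32.dll": [f"U{i}" for i in range(12)],
        "MSVCR100.dll": [f"C{i}" for i in range(25)],
    }),
    "sparse_imports": ImportSummary({f"dll{i}.dll": ["f"] for i in range(8)}),
    "no_text_section": ImportSummary({"KERNEL32.dll": [f"K{i}" for i in range(40)]},
                                     has_text_section=False),
}

def classify_samples() -> dict[str, bool]:
    """Return {sample name: packed?} for the constructed samples."""
    return {name: is_probably_packed(img) for name, img in SAMPLES.items()}
```

Because the rules look only at the import table and section names, an incrementally linked /ZI debug build with a sparse import table can trip them just as a real packer stub does.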