UPX is a popular open source tool which can pack Windows EXE and other executable formats to reduce their size.
The process typically compresses files more than zipping, but otherwise has no apparent effect on the file. Run a packed EXE and it quickly decompresses and launches the original image, with no sign that anything unusual has happened.
Executable packers are used by many legitimate developers. If you’ve ever wondered why NirSoft’s programs are so small, for instance, that’s partly because many are compressed by UPX.
Unfortunately, the technology also has a down side: packing an EXE obfuscates its contents, making it more difficult to analyse and figure out what it’s doing. That’s a problem if you’re manually checking an executable, perhaps to see if it’s malware, and antivirus packages may sometimes flag an EXE as dangerous simply because it’s been packed.
If you’re suspicious of an EXE, then, it’s a good idea to check whether it’s been packed. Drag and drop it onto static EXE analyzer pestudio and watch the “Signature” field: recognised packers will be named there.
Packed files aren’t necessarily dangerous, but tools like pestudio won’t be able to tell you as much about them. For example, pestudio’s Strings feature looks for plain text strings – URLs, prompts, messages – in the EXE image, often very informative, but if the image has been compressed then most of this will be invisible.
One way to find out more is to unpack the file yourself. Free UPX can decompress UPX-packed files in seconds: make a copy of the EXE, drag and drop it onto Free UPX, click Decompress and your file will be rewritten with an unpacked version.
This really can make a dramatic difference. We pointed pestudio at NirSoft’s WirelessNetView, and it found only 28 “interesting” strings in the UPX’ed version, but after unpacking this ramped up to 126 (and the extras were the ones that mattered).
Unpacking an EXE may also make it less likely to be flagged as malware. The difference is only very marginal – UPX is so well-known that most antivirus engines just unpack and check it as normal – but it is visible. For example, we found WirelessNetView scored 11/57 on VirusTotal for the UPX’ed version, dropping to 8/57 when it was unpacked.
If you need to squeeze a lot of executables into a very small space, you could also use Free UPX to compress them. The results are often impressive – we cut multimedia toolkit ffmpeg.exe from 30.59MB to 11.48MB – but beware, packing can cause problems with some applications. It’s best left as a last resort.
Put it all together, and while Free UPX isn’t for the average user, it can be handy occasionally, and as it’s also compact and portable there’s no penalty in keeping a copy around. Give it a try.
Free UPX is a free program for Windows XP and later.
Your Comments & Opinion