{"id":1370,"date":"2012-10-14T16:25:37","date_gmt":"2012-10-14T16:25:37","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1370"},"modified":"2024-06-07T23:41:13","modified_gmt":"2024-06-07T23:41:13","slug":"random-stats-from-1-2m-samples-pe-section-names","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/10\/14\/random-stats-from-1-2m-samples-pe-section-names\/","title":{"rendered":"Random Stats from 1.2M samples \u2013 PE Section Names"},"content":{"rendered":"<p><strong>update3<\/strong><\/p>\n<p>There is a newer version of this list <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/12\/15\/pe-section-names-re-visited\/\">here<\/a><\/p>\n<p><strong>update2<\/strong><\/p>\n<p>updated section list\/fixed bugs &#8211; thanks to Nicolas Brulez and Tomislav Pericin (ap0x)<\/p>\n<p><strong>update<\/strong><\/p>\n<p>added one more list &#8211; List of popular section names<\/p>\n<p><strong>old post<\/strong><\/p>\n<p>I continue to batch analyze my malware collection and the latest list I generated contains:<\/p>\n<ul>\n<li>The most popular PE file section names<\/li>\n<li>The packer\/protector section names\/keywords &#8211; I tried to build a separate list of known section names\/keywords that belong to known packers\/protectors<\/li>\n<\/ul>\n<p>You can find the lists below &#8211; please let me know if you find any mistakes (especially in packer sections&#8217; names\/attribution); Thanks!<\/p>\n<p><strong>The most popular PE file section names (top 100)<\/strong><\/p>\n<pre style=\"padding-left: 30px;\">&nbsp;658574 .rsrc&nbsp; &nbsp;\n&nbsp;590338 .text&nbsp; &nbsp;\n&nbsp;545976 .data&nbsp; &nbsp;\n&nbsp;442607 .rdata &nbsp;\n&nbsp;298316 .reloc &nbsp;\n&nbsp;194273&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;\n&nbsp;178386 .idata &nbsp;\n&nbsp;111369 .tls&nbsp;&nbsp; &nbsp;\n&nbsp;109676 CODE&nbsp;&nbsp; &nbsp;\n&nbsp;105309 DATA&nbsp;&nbsp; &nbsp;\n&nbsp;100668 BSS&nbsp;&nbsp;&nbsp; &nbsp;\n&nbsp; 40293 UPX0&nbsp;&nbsp; 
&nbsp;\n&nbsp; 37838 UPX1&nbsp;&nbsp; &nbsp;\n&nbsp; 35164 .adata &nbsp;\n&nbsp; 35020 .bss&nbsp;&nbsp; &nbsp;\n&nbsp; 31336 .edata &nbsp;\n&nbsp; 28137 .ndata &nbsp;\n&nbsp; 15890 .itext &nbsp;\n&nbsp; 15451 .aspack\n&nbsp; 12818 INIT&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp; 9665 UPX2&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp; 9376 .Upack &nbsp;\n&nbsp;&nbsp; 7727 PS&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp; 6786 .CRT&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp; 6628 .vmp0&nbsp; &nbsp;\n&nbsp;&nbsp; 6602 .nsp1&nbsp; &nbsp;\n&nbsp;&nbsp; 6590 .nsp0&nbsp; &nbsp;\n&nbsp;&nbsp; 6560 .code&nbsp; &nbsp;\n&nbsp;&nbsp; 6542 .sdata &nbsp;\n&nbsp;&nbsp; 6423 .nsp2&nbsp; &nbsp;\n&nbsp;&nbsp; 6270 .pdata &nbsp;\n&nbsp;&nbsp; 5710 tldksods\n&nbsp;&nbsp; 5462 .&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp; 5395 Themida\n&nbsp;&nbsp; 4313 .vmp1&nbsp; &nbsp;\n&nbsp;&nbsp; 4054 .MaskPE\n&nbsp;&nbsp; 3926 PAGE&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp; 3721 .text-co\n&nbsp;&nbsp; 3721 .data-co\n&nbsp;&nbsp; 3314 rdata&nbsp; &nbsp;\n&nbsp;&nbsp; 3249 BitArts\n&nbsp;&nbsp; 3035 .didata\n&nbsp;&nbsp; 2886 idata&nbsp; &nbsp;\n&nbsp;&nbsp; 2881 .packed\n&nbsp;&nbsp; 2803&nbsp;&nbsp; @&nbsp;&nbsp; @\n&nbsp;&nbsp; 2707 .textbss\n&nbsp;&nbsp; 2299 .text1 &nbsp;\n&nbsp;&nbsp; 2257 .data1 &nbsp;\n&nbsp;&nbsp; 2150 .petite\n&nbsp;&nbsp; 2079 .texc&nbsp; &nbsp;\n&nbsp;&nbsp; 1926 Shared &nbsp;\n&nbsp;&nbsp; 1793 pebundle\n&nbsp;&nbsp; 1714&nbsp;&nbsp; u&nbsp;&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp; 1557 MEW F&nbsp; &nbsp;\n&nbsp;&nbsp; 1536 .UPX0&nbsp; &nbsp;\n&nbsp;&nbsp; 1513&nbsp;&nbsp;&nbsp;&nbsp; t&nbsp; &nbsp;\n&nbsp;&nbsp; 1450 .data2 &nbsp;\n&nbsp;&nbsp; 1434 text&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp; 1346 .RLPack\n&nbsp;&nbsp; 1331 .vmp2&nbsp; &nbsp;\n&nbsp;&nbsp; 1300 .ex_cod\n&nbsp;&nbsp; 1286 sdt&nbsp;&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp; 1280 mdata&nbsp; &nbsp;\n&nbsp;&nbsp; 1267 cdata&nbsp; &nbsp;\n&nbsp;&nbsp; 1263 sdata&nbsp; &nbsp;\n&nbsp;&nbsp; 1240 .pklstb\n&nbsp;&nbsp; 1238 .MPRESS1\n&nbsp;&nbsp; 1235 
.MPRESS2\n&nbsp;&nbsp; 1204 .UPX1&nbsp; &nbsp;\n&nbsp;&nbsp; 1201 .rdata p\n&nbsp;&nbsp; 1191 .brdata\n&nbsp;&nbsp; 1183 .udata &nbsp;\n&nbsp;&nbsp; 1131 .crt&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp; 1114 .sxdata\n&nbsp;&nbsp; 1091 htomaota\n&nbsp;&nbsp; 1083 .perplex\n&nbsp;&nbsp; 1076 PAGEWMI\n&nbsp;&nbsp; 1057 edata&nbsp; &nbsp;\n&nbsp;&nbsp; 1044 .delete\n&nbsp;&nbsp; 1038 .relo2 &nbsp;\n&nbsp;&nbsp; 1031 pec1&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp; 1015 .mackt &nbsp;\n&nbsp;&nbsp; 1009 PAGEDRV\n&nbsp;&nbsp;&nbsp; 981 .svkp&nbsp; &nbsp;\n&nbsp;&nbsp;&nbsp; 980 .avp&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp;&nbsp; 969 .ByDwing\n&nbsp;&nbsp;&nbsp; 967 .DATA&nbsp; &nbsp;\n&nbsp;&nbsp;&nbsp; 963 .debug &nbsp;\n&nbsp;&nbsp;&nbsp; 943 0 ext&nbsp; &nbsp;\n&nbsp;&nbsp;&nbsp; 899 .xdata &nbsp;\n&nbsp;&nbsp;&nbsp; 876 .ccg&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp;&nbsp; 865 .data ri\n&nbsp;&nbsp;&nbsp; 857 .wqvwbj\n&nbsp;&nbsp;&nbsp; 857 .kewyo &nbsp;\n&nbsp;&nbsp;&nbsp; 857 .axlgt &nbsp;\n&nbsp;&nbsp;&nbsp; 852 .spack &nbsp;\n&nbsp;&nbsp;&nbsp; 849&nbsp;&nbsp;&nbsp;&nbsp; ta &nbsp;\n&nbsp;&nbsp;&nbsp; 839 .exc&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp;&nbsp; 824 .avc&nbsp;&nbsp; &nbsp;\n&nbsp;&nbsp;&nbsp; 807 PAGESYS<\/pre>\n<p><strong>The packer\/protector section names\/keywords<\/strong><\/p>\n<ul>\n<li>.aspack &#8211; Aspack packer<\/li>\n<li>.adata &#8211; Aspack packer\/Armadillo packer<\/li>\n<li>ASPack &#8211; Aspack packer<\/li>\n<li>.ASPack &#8211; ASPAck Protector<\/li>\n<li>.ccg &#8211; CCG Packer (Chinese Packer)<\/li>\n<li>BitArts &#8211; Crunch 2.0 Packer<\/li>\n<li>DAStub &#8211; DAStub Dragon Armor protector<\/li>\n<li>!EPack &#8211; Epack packer<\/li>\n<li>FSG! 
&#8211; FSG packer (not a section name, but a good identifier)<\/li>\n<li>kkrunchy &#8211; kkrunchy Packer<\/li>\n<li>.mackt &#8211; ImpRec-created section<\/li>\n<li>.MaskPE &#8211; MaskPE Packer<\/li>\n<li>MEW &#8211; MEW packer<\/li>\n<li>.MPRESS1 &#8211; Mpress Packer<\/li>\n<li>.MPRESS2 &#8211; Mpress Packer<\/li>\n<li>.neolite &#8211; Neolite Packer<\/li>\n<li>.neolit &#8211; Neolite Packer<\/li>\n<li>.nsp1 &#8211; NsPack packer<\/li>\n<li>.nsp0 &#8211; NsPack packer<\/li>\n<li>.nsp2 &#8211; NsPack packer<\/li>\n<li>nsp1 &#8211; NsPack packer<\/li>\n<li>nsp0 &#8211; NsPack packer<\/li>\n<li>nsp2 &#8211; NsPack packer<\/li>\n<li>.packed &#8211; RLPack Packer (first section)<\/li>\n<li>pebundle &#8211; PEBundle Packer<\/li>\n<li>PEBundle &#8211; PEBundle Packer<\/li>\n<li>PEC2TO &#8211; PECompact packer<\/li>\n<li>PECompact2 &#8211; PECompact packer (not a section name, but a good identifier)<\/li>\n<li>PEC2 &#8211; PECompact packer<\/li>\n<li>pec1 &#8211; PECompact packer<\/li>\n<li>pec2 &#8211; PECompact packer<\/li>\n<li>PEC2MO &#8211; PECompact packer<\/li>\n<li>PELOCKnt &#8211; PELock Protector<\/li>\n<li>.perplex &#8211; Perplex PE-Protector<\/li>\n<li>PESHiELD &#8211; PEShield Packer<\/li>\n<li>.petite &#8211; Petite Packer<\/li>\n<li>ProCrypt &#8211; ProCrypt Packer<\/li>\n<li>.RLPack &#8211; RLPack Packer (second section)<\/li>\n<li>RCryptor &#8211; RPCrypt Packer<\/li>\n<li>.RPCrypt &#8211; RPCrypt Packer<\/li>\n<li>.sforce3 &#8211; StarForce Protection<\/li>\n<li>.spack &#8211; Simple Pack (by bagie)<\/li>\n<li>.svkp &#8211; SVKP packer<\/li>\n<li>Themida &#8211; Themida Packer<\/li>\n<li>.Themida &#8211; Themida Packer<\/li>\n<li>.packed &#8211; Unknown Packer<\/li>\n<li>.Upack &#8211; Upack packer<\/li>\n<li>.ByDwing &#8211; Upack Packer<\/li>\n<li>UPX0 &#8211; UPX packer<\/li>\n<li>UPX1 &#8211; UPX packer<\/li>\n<li>UPX2 &#8211; UPX packer<\/li>\n<li>UPX! 
&#8211; UPX packer<\/li>\n<li>.UPX0 &#8211; UPX Packer<\/li>\n<li>.UPX1 &#8211; UPX Packer<\/li>\n<li>.UPX2 &#8211; UPX Packer<\/li>\n<li>.vmp0 &#8211; VMProtect packer<\/li>\n<li>.vmp1 &#8211; VMProtect packer<\/li>\n<li>.vmp2 &#8211; VMProtect packer<\/li>\n<li>VProtect &#8211; Vprotect Packer<\/li>\n<li>WinLicen &#8211; WinLicense (Themida) Protector<\/li>\n<li>.WWPACK &#8211; WWPACK Packer<\/li>\n<li>.yP &#8211; Y0da Protector<\/li>\n<li>.y0da &#8211; Y0da Protector<\/li>\n<\/ul>\n<p><strong>List of popular section names<\/strong><\/p>\n<ul>\n<li>.arch &#8211; Alpha-architecture section<\/li>\n<li>.bss &#8211; Uninitialized Data Section<\/li>\n<li>.BSS &#8211; Uninitialized Data Section<\/li>\n<li>.code &#8211; Code Section<\/li>\n<li>.cormeta &#8211; CLR Metadata Section<\/li>\n<li>.CRT &#8211; Initialized Data Section&nbsp; (C RunTime)<\/li>\n<li>.data &#8211; Data Section<\/li>\n<li>.DATA &#8211; Data Section<\/li>\n<li>.data1 &#8211; Data Section<\/li>\n<li>.debug &#8211; Debug info Section<\/li>\n<li>.debug$F &#8211; Debug info Section<\/li>\n<li>.debug$P &#8211; Debug info Section<\/li>\n<li>.debug$S &#8211; Debug info Section<\/li>\n<li>.debug$T &#8211; Debug info Section<\/li>\n<li>.didata &#8211; Delay Import Section<\/li>\n<li>.edata &#8211; Export Data Section<\/li>\n<li>.fasm &#8211; FASM flat Section<\/li>\n<li>.flat &#8211; FASM flat Section<\/li>\n<li>.idata &#8211; Initialized Data Section&nbsp; (Borland)<\/li>\n<li>.idlsym &#8211; IDL Attributes<\/li>\n<li>.itext &#8211; Code Section&nbsp; (Borland)<\/li>\n<li>.ndata &#8211; Nullsoft Installer section<\/li>\n<li>.pdata &#8211; Exception Handling Functions Section (PDATA records)<\/li>\n<li>.rdata &#8211; Read-only Data Section&nbsp; (Borland)<\/li>\n<li>.reloc &#8211; Relocations Section<\/li>\n<li>.rodata &#8211; Read-only Data Section<\/li>\n<li>.rsrc &#8211; Resource section<\/li>\n<li>.sbss &#8211; GP-relative Uninitialized Data Section<\/li>\n<li>.sdata &#8211; GP-relative Initialized Data 
Section<\/li>\n<li>.srdata &#8211; GP-relative Read-only Data Section<\/li>\n<li>.sxdata &#8211; Registered Exception Handlers Section<\/li>\n<li>.text &#8211; Code Section<\/li>\n<li>.text1 &#8211; Code Section<\/li>\n<li>.textbss &#8211; Section used by incremental linking<\/li>\n<li>.tls &#8211; Thread Local Storage Section<\/li>\n<li>.tls$ &#8211; Thread Local Storage Section<\/li>\n<li>.udata &#8211; Uninitialized Data Section<\/li>\n<li>.vsdata &#8211; GP-relative Initialized Data<\/li>\n<li>.xdata &#8211; Exception Information Section<\/li>\n<li>BSS &#8211; Uninitialized Data Section&nbsp; (Borland)<\/li>\n<li>CODE &#8211; Code Section (Borland)<\/li>\n<li>DATA &#8211; Data Section (Borland)<\/li>\n<li>edata &#8211; Export Data Section<\/li>\n<li>idata &#8211; Initialized Data Section&nbsp; (C RunTime)<\/li>\n<li>INIT &#8211; INIT section (drivers)<\/li>\n<li>PAGE &#8211; PAGE section (drivers)<\/li>\n<li>rdata &#8211; Read-only Data Section<\/li>\n<li>sdata &#8211; Initialized Data Section<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>update3 There is a newer version of this list here update2 updated section list\/fixed bugs &#8211; thanks to Nicolas Brulez and Tomislav Pericin (ap0x) update added one more list &#8211; List of popular section names old post I continue to &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/10\/14\/random-stats-from-1-2m-samples-pe-section-names\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,9,120],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1370"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1370"}],"version-history":[{"count":15,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1370\/revisions"}],"predecessor-version":[{"id":9212,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1370\/revisions\/9212"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1370"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}