2006-08-29

Oddities with Process Explorer / Detours / Packed Images

Sysinternals' Process Explorer can detect binary images it suspects are packed, and highlights them. Packed executables are highlighted in the top pane, and packed DLLs in a selected process are highlighted in the lower pane's "DLL View".

Interestingly, debug builds of binaries that link with Detours cause Process Explorer to suspect that the binary is packed ("Image is probably packed"). Release builds do not, however.


I would be interested to know how Process Explorer determines that a binary is probably packed.
