pe_to_shellcode VS upx

Finally, we also have the option to transform a native PE back to shellcode. This may be done, for example, via hasherezade's pe_to_shellcode tool.

According to this source:

Following optimization, tools like UPX can compress the resulting binary, significantly reducing file size. This compression is invaluable for resource-constrained environments but adds a decompression step during binary execution.

I have been using UPX but I'm quite sure if there's something out there that offers better compression.

Ah that's nice, long ago I used parchment.js to load a inform7 created z5 file on my website. You could try to compress your executable with upx https://upx.github.io/

In this process, the given packer tool embeds a natively compiled PE into another executable that contains the information needed to unpack the original content and execute it. Perhaps the most well known packer, which is not even for malicious purposes, is Golang's UPX package.

Rewrite in C#, and use an obfuscator on the DLL. You can also write some parts in C++ as many variable and function names are forgotten when compiling. You should also encrypt the PCK, and see if you can embed it. If it's embedded, you can make it more annoying to deal with by packing it with https://upx.github.io/

Another good example of false positives like this would be binaries that are compressed with UPX - the way it works is apparently very similar to how stub-loader malware operates and signature detection tools will flag it as malicious.

This will optimise the release binary to be as small as possible. Additionally with upx we can create really small docker image !

Then I compressed it with upx, cp small.exe smallUpx.exe && upx --brute smallUpx.exe, got a 10752 bytes executable, half the size, but still pretty large