Raw Size (the section's size on disk) is 0 bytes for the UPX0 section (.text/.code section) and therefore much smaller than the Virtual Size (the space allocated for this section in process memory), whereas in a non-packed binary these values are of similar size. This is another good indicator that the binary may be packed.
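As an added example (not from the original page), the Python code below parses the PE section table and reports executable sections whose Raw Size is 0 while their Virtual Size is non-zero. The sample headers and section values are constructed for illustration, and the filter on the executable flag is an assumption added here so that ordinary uninitialized-data sections such as .bss are not flagged.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section is mapped executable

def parse_sections(data):
    """Return (name, virtual_size, raw_size, characteristics) per PE section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    (count,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    out = []
    for off in range(table, table + 40 * count, 40):
        # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, ...
        name, vsize, _rva, raw = struct.unpack_from("<8sIII", data, off)
        (flags,) = struct.unpack_from("<I", data, off + 36)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw, flags))
    return out

def packed_indicators(data):
    """Executable sections with no bytes on disk but space reserved in memory."""
    return [name for name, vsize, raw, flags in parse_sections(data)
            if raw == 0 and vsize > 0 and flags & IMAGE_SCN_MEM_EXECUTE]

def build_headers(sections):
    """Constructed sample: PE headers only, no optional header, not a loadable file."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    rows = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, 0x1000, raw, 0, 0, 0, 0, 0, fl)
                    for n, vs, raw, fl in sections)
    return dos + b"PE\0\0" + coff + rows

# Constructed section values for illustration
PACKED = build_headers([(b"UPX0", 0x8000, 0, 0xE0000080),
                        (b"UPX1", 0x4000, 0x3A00, 0xE0000040),
                        (b".rsrc", 0x1000, 0x600, 0xC0000040)])
PLAIN = build_headers([(b".text", 0x5E34, 0x6000, 0x60000020),
                       (b".data", 0x1000, 0x800, 0xC0000040),
                       (b".bss", 0x2000, 0, 0xC0000080)])

if __name__ == "__main__":
    print("packed sample:", packed_indicators(PACKED))
    print("plain sample: ", packed_indicators(PLAIN))
```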
WSOCK32.dll and many more are imported by a non-packed binary:
KERNEL32.dll only importing a couple of functions, including:
GetProcAddress. These are crucial for the binary as they are used to locate other important functions of the
KERNEL32.dll located in the process memory, hence packed binaries will almost always have those functions exposed since they are required for the binary to work properly:
strings.exe, you can make a fairly good educated guess as to whether the binary is packed by just running strings against it and noting the DLL imports - if there are only a few of them (and more importantly - GetProcAddress and LoadLibrary) and they are from KERNEL32.dll - the binary is likely packed: