PEiDSignatures
Using PEiD signatures
Introduction

Since version 1.2.6 pefile supports parsing PEiD's signatures. Comprehensive signature databases can be found at: http://www.PEiD.info/BobSoft/Downloads.html (look for UserDB.TXT). Thanks to PEiD and BobSoft for the signatures!

Usage

Loading

First import the new module, peutils, included with pefile:

    import peutils

Then we need to load a signature database; we can do this in different ways:

    # from a local file
    signatures = peutils.SignatureDatabase('/path/to/signature.txt')
    # fetched over HTTP
    signatures = peutils.SignatureDatabase('http://url.to/signature/file.txt')
    # from signature text already in memory: data takes the file's contents, not its path
    signatures = peutils.SignatureDatabase(data=open('/path/to/signature/file.txt').read())

It's also possible to aggregate more signatures into an already created instance by just using the load() method:

    signatures.load('/Users/ero/Devel/pefile/userdb-extra.txt')

Matching

Once we have a SignatureDatabase instance, we can run PE instances through it in order to find matching packer signatures:

    matches = signatures.match(pe, ep_only = True)

Output:

    ['Upack 0.24 - 0.27 beta / 0.28 alpha -> Dwing']

We can also get all possible matches found as the signature tree is walked. The last signature will always be the most precise (as more bytes will have been matched) and is the one returned by the match() method.

    matches = signatures.match_all(pe, ep_only = True)

Output:

    [['Upack v0.1x - v0.2x -> Dwing'], ['Upack v0.24 ~ v0.28 Alpha -> Dwing'], ['Upack 0.24 - 0.27 beta / 0.28 alpha -> Dwing']]

Signature generation

Experimental and not especially intelligent when generating signatures, peutils is able to generate a signature for a given PE file. One can generate signatures for the entry point of a PE file as follows:

    signatures.generate_ep_signature(pe, 'Name of the signature', length_of_the_signature)

Alternatively, signatures for all sections in a PE file can be generated as follows:

    signatures.generate_section_signatures(pe, 'Name of the signature', length_of_the_signature)

Both of those methods return a string following the same format as any other PEiD signature. For instance (straight out of UserDB.txt):

    [!EP (ExE Pack) V1.0 -> Elite Coding Group]
    signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10
    ep_only = true

    [$pirit v1.5]
    signature = ?? ?? ?? 5B 24 55 50 44 FB 32 2E 31 5D
    ep_only = true

    [* PseudoSigner 0.1 [32Lite 0.03] --> Anorganix]
    signature = 60 06 FC 1E 07 BE 90 90 90 90 6A 04 68 90 10 90 90 68 ?? ?? ?? ?? E9 ?? ?? ?? ??
    ep_only = true
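As an added illustration of the UserDB.TXT format and of the match()/match_all() ordering described above (example code written for this page, not peutils' own implementation), here is a minimal pure-Python parser and matcher. The third signature entry and the entry-point bytes are constructed, and the linear matcher is a simplification of peutils' signature tree that keeps the same result ordering.

```python
# Constructed excerpt in UserDB.TXT format: first two entries copied from the page's
# example; the third is a constructed short signature that a longer one overlaps.
USERDB_SAMPLE = """[!EP (ExE Pack) V1.0 -> Elite Coding Group]
signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10
ep_only = true
[$pirit v1.5]
signature = ?? ?? ?? 5B 24 55 50 44 FB 32 2E 31 5D
ep_only = true
[Generic PUSHAD/PUSH stub (constructed)]
signature = 60 68
ep_only = true
"""

def parse_userdb(text):
    """Parse [name] / signature = / ep_only = blocks; None marks a '??' wildcard byte."""
    entries, name, pattern, ep_only = [], None, None, True
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):  # names may contain brackets
            if name is not None and pattern is not None:
                entries.append((name, pattern, ep_only))
            name, pattern, ep_only = line[1:-1], None, True
        elif line.lower().startswith("signature"):
            tokens = line.split("=", 1)[1].split()
            pattern = [None if t == "??" else int(t, 16) for t in tokens]
        elif line.lower().startswith("ep_only"):
            ep_only = line.split("=", 1)[1].strip().lower() == "true"
    if name is not None and pattern is not None:
        entries.append((name, pattern, ep_only))
    return entries

def _matches_at(data, pattern, off):
    return off + len(pattern) <= len(data) and all(
        p is None or data[off + i] == p for i, p in enumerate(pattern))

def match_all(entries, data):
    """All matching names, least to most specific (by bytes matched), like match_all()."""
    hits = []
    for name, pattern, ep_only in entries:
        # ep_only signatures are anchored at offset 0 (the entry point); others may match anywhere
        offsets = [0] if ep_only else range(len(data))
        if any(_matches_at(data, pattern, o) for o in offsets):
            hits.append((len(pattern), name))
    return [name for _, name in sorted(hits)]

def match(entries, data):
    """The most specific match, as match() returns it, or None when nothing matched."""
    hits = match_all(entries, data)
    return hits[-1] if hits else None

# Constructed entry-point bytes: PUSHAD; PUSH imm32; MOV EAX, imm32; CALL [EAX]; NOP; NOP
SAMPLE_EP = bytes.fromhex("60 68 11223344 B8 55667788 FF10 90 90")
```

Running match_all() on SAMPLE_EP lists the two-byte constructed stub before the thirteen-byte !EP signature, and match() returns the latter, which is the ordering the page describes for the real signature tree.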
for consistency's sake that should be
since that's the object name you're using in this example. "sigs" is an unknown object name for those of us cutting and pasting.
nice work!
Definitely a useful addition to a great library, however, I believe that UserDB.txt only includes all external PEiD signatures and thus using this file would miss out on the 600 sig files that PEiD detects internally. Is there a comprehensive UserDB.txt file floating around out there - or are these internal signatures held under lock and key?
Thanks.
It's a very good addition, but as ed.murphy said, the UserDB.txt is not complete enough. I'm trying to use the sigtool by BlackPanther (V1.04) but I have issues with some signatures which contain some special terms such as J1, J2, J3, ? that the module does not like. Does anyone know what the problem is?
I have the same problem as you. But the sigtool I am using is "PEiDSO".