pefile and packer detection
Ero Carrera (ero) <erocarreragmailcom> Saturday, June 9 2007 01:19.00 CDT


I've always wanted some tool that I could run over large collections of executable files and that would tell me what's packed and what's not and, ideally, also which packer was used. PEiD has wonderful signature libraries, but my ideal tool would be easier to integrate with other components and not restricted to Windows.
The guys at OffensiveComputing had put together some code that recognizes packers by combining PEiD signatures with pefile.

I've decided that it's time for pefile to have such functionality by default, and I've reimplemented the signature parsing and matching. The next version of pefile should include this new code.
I've also found some pretty extensive signature libraries, and here are some of the results of the test runs on some files I have lying around.
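To show what "signature parsing and matching" means here, below is an added example of my own (not pefile's code, which ships the real implementation in its peutils module): it parses a PEiD-style userdb fragment, where each entry has a name, a hex pattern with `??` wildcard bytes, and an `ep_only` flag, and then matches the patterns against a constructed byte blob, either only at the entry point or anywhere in the data. The signature text and the sample bytes are constructed for illustration and are not real packer signatures.

```python
from typing import Dict, List, Optional

# Constructed PEiD-style userdb.txt fragment (NOT real signatures).
# [name] starts an entry; "signature" is a hex byte pattern where ?? is a
# wildcard; "ep_only" says whether the pattern must sit exactly at the entry point.
SAMPLE_USERDB = """
[Constructed packer A]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57
ep_only = true

[Constructed compiler B]
signature = 55 8B EC 83 C4 ?? 53 56 57
ep_only = false
"""

# Constructed "code section": two NOP bytes, then bytes matching packer A at
# offset 2 (so the entry point is at offset 2), then INT3 padding.
SAMPLE_CODE = bytes.fromhex("9090" "60BE00104000" "8DBE00F0FFFF" "57" "CCCCCCCC")
EP_OFFSET = 2

def parse_userdb(text: str) -> Dict[str, dict]:
    """Parse userdb text into {name: {"pattern": [int|None, ...], "ep_only": bool}}.
    None in a pattern stands for a ?? wildcard byte."""
    db: Dict[str, dict] = {}
    name: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            db[name] = {"pattern": [], "ep_only": True}
        elif name is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "signature":
                db[name]["pattern"] = [None if tok == "??" else int(tok, 16)
                                       for tok in value.split()]
            elif key == "ep_only":
                db[name]["ep_only"] = value.lower() == "true"
    return db

def pattern_at(pattern: List[Optional[int]], data: bytes, offset: int) -> bool:
    """True if PATTERN matches DATA starting at OFFSET (wildcards match any byte)."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or p == data[offset + i] for i, p in enumerate(pattern))

def match_signatures(db: Dict[str, dict], data: bytes, ep_offset: int) -> List[str]:
    """Names of entries that match DATA: ep_only entries are tested at EP_OFFSET
    only, the rest are scanned at every offset (slow but simple)."""
    hits = []
    for name, entry in db.items():
        pat = entry["pattern"]
        if entry["ep_only"]:
            if pattern_at(pat, data, ep_offset):
                hits.append(name)
        elif any(pattern_at(pat, data, off) for off in range(len(data) - len(pat) + 1)):
            hits.append(name)
    return hits
```

On a real PE the entry-point offset would come from the optional header's AddressOfEntryPoint mapped into the section data; here it is simply the constructed `EP_OFFSET`.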

Of the 48.025 files (all malware) that I scanned, in ~42% no packer could be found using the current signature database. In the remaining ~58%, the tests found 227 different packer and compiler signatures.



A more extensive listing of the most frequently found packers looks like this:



Given that I've run pefile on several tens of thousands of pieces of malware with all kinds of exotic PE format contortions, I've managed to find and fix a couple of obscure bugs. The forthcoming release will be even more robust when facing files that push the limits of PE format well-formedness.
