📚
OpenRCE
is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
About
Articles
Book Store
Distributed RCE
Downloads
Event Calendar
Forums
Live Discussion
Reference Library
RSS Feeds
Search
Users
What's New
Customize Theme
bluegrey
blackgreen
metal
simple
Flag:
Tornado!
Hurricane!
Login:
Password:
Remember Me
Register
Blogs
>>
ero
's Blog
Created: Saturday, June 9 2007 01:19.00 CDT
Modified: Saturday, June 9 2007 01:48.31 CDT
This is an imported entry.
View original
.
Printer Friendly ...
pefile and packer detection
Author:
ero
# Views:
2401
Ive always wanted some tool that I could run over large collections of executable files and would tell me whats packed and whats not and, ideally, also the packer.
PEiD
has wonderful signature libraries but my ideal tool would be easier to integrate with other components and not restricted to Windows.
The guys at
OffensiveComputing
had put together some code to, by making use of
PEiD
signatures
and
pefile
, recognize packers.
Ive decided that its time for
pefile
to have such functionality by default and Ive reimplemented the signature parsing and matching. The next version of
pefile
should include this new code.
Ive also found some pretty
extensive signature libraries
and here are some of results of the test runs in some files Ive laying around.
Of the 48.025 files (all malware) that I scanned, in ~42% no packer could be found using the current signature database. In the remaining ~58% the tests found 227 different packers and compiler signatures.
A more extense listing of the most frequently found packers looks like:
Given that Ive run pefile in several tens of thousands of pieces of malware with all kind of exotic PE format contortions, Ive managed to find and fix a couple of obscure bugs. The forthcoming release will be even stronger when facing files that push the limits of the PE format well-formedness.
If you wish to comment on this blog entry, please do so on the
original site
it was imported from.
There are
31,328
total registered users.
Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12
Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...
Recent Blog Comments
nieo
on:
Mar/22
IAT Patcher - new tool for ...
djnemo
on:
Nov/17
Kernel debugger vs user mod...
acel
on:
Nov/14
Kernel debugger vs user mod...
pedram
on:
Dec/21
frida.github.io: scriptable...
capadleman
on:
Jun/19
Using NtCreateThreadEx for ...
More ...
Imagery
SoySauce Blueprint
Jun 6, 2008
[+] expand
View Gallery
(11) /
Submit
Printer Friendly ...
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}