PyHiew and PEiD

Many times I find myself viewing a file with Hiew and at the same time wondering what kind of packer is applied to the file. Normally, I would run PEiD in parallel and check the packer signatures there.

For this reason, I created a small PyHiew script that lets you detect the packer directly from Hiew, using a text file in the same format as PEiD’s signature database.

A PEiD signature file is essentially an INI file with the packer name as the section name and two keys: the signature key containing the byte pattern, and the ep_only key (which the PEiD.py script ignores). For example:

[Packer Name]
signature = B4 4D CD 21 E8 ?? ?? FD E8 ?? ?? B4 51 CD 21
ep_only = true

In order to run the script you need to get the latest PyHiew (PyHiew 0.2.1a) and a copy of UserDb.TXT (it used to be here http://research.pandasecurity.com/blogs/images/userdb.txt):

  • Unpack the Pyhiew archive into Hiew’s folder
  • Copy “UserDb.txt” to %hiew%\PyHiew
  • Now open a PE file with Hiew
    • Switch to Hex view (press ENTER)
    • Press F8 to show the header info
    • Press F5 to jump to OEP
  • Now press F11 to load the HEM plugins
    • Select PyHiew
    • Select PEiD script

Please note that you can configure PEiD.py to use any signature database or databases of your choice. Simply edit the script and adjust the following lines:

# Add more PEiD signatures to this list
PEID_DATABASES      = ['UserDB.TXT']

When PEiD.py parses the signature files, it generates a cache file (peid-db.cache) so that the next scan will be faster. Delete the cache file if you edit your signature files; it will be regenerated on the next run.

And here is PyHiew’s PEiD in action:

PyHiew's PEiD

The depth value indicates how many bytes had been scanned when the pattern matched. If there is more than one match, the output window displays the remaining matches.
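To make the signature format and the depth value concrete, here is an added, stand-alone example (my code, not PEiD.py or anything from PyHiew). It parses a constructed database in the PEiD INI layout, turns each signature into a regex (treating ?? as a wildcard byte and a half-wildcard such as A? as a fixed nibble, which is my own translation of the format), scans a constructed buffer from a chosen start offset, and reports the depth at which each signature first matched. The function names, the sample entries and the sample buffer are all assumptions made for the example.

```python
import configparser
import re

# Constructed sample signature database in PEiD's INI format.
# These are illustrative entries, not signatures from the real UserDB.TXT.
SAMPLE_DB = """
; comment lines and duplicate section names both occur in real PEiD databases
[Sample Packer A]
signature = B4 4D CD 21 E8 ?? ?? FD E8 ?? ?? B4 51 CD 21
ep_only = true

[Sample Packer B]
signature = 55 8B EC 83 C4 ?? 53 56 57
ep_only = false

[Sample Packer C]
signature = E9 A? ?5
ep_only = true
"""

# Constructed sample buffer: three NOP bytes, then bytes that fit Packer B's pattern.
SAMPLE_DATA = b"\x90\x90\x90" + bytes.fromhex("558BEC83C410535657") + b"\xCC" * 4


def token_to_regex(tok):
    """Translate one hex token of a PEiD signature into a bytes regex fragment.
    '??' matches any byte; 'A?' or '?5' fixes one nibble and leaves the other free."""
    if tok == "??":
        return b"."
    if "?" not in tok:
        return re.escape(bytes([int(tok, 16)]))
    hi, lo = tok[0], tok[1]
    # Enumerate the byte values that satisfy the fixed nibble and build a class.
    candidates = [
        b for b in range(256)
        if (hi == "?" or (b >> 4) == int(hi, 16))
        and (lo == "?" or (b & 0xF) == int(lo, 16))
    ]
    return b"[" + b"".join(re.escape(bytes([b])) for b in candidates) + b"]"


def load_signatures(text):
    """Parse PEiD-style INI text into a list of (packer name, compiled regex).
    ep_only is present in the file but ignored, as the post says PEiD.py does."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    sigs = []
    for name in parser.sections():
        pattern = parser.get(name, "signature", fallback="").strip()
        if not pattern:
            continue
        regex = b"".join(token_to_regex(tok) for tok in pattern.split())
        # DOTALL so the wildcard also matches a 0x0A byte
        sigs.append((name, re.compile(regex, re.DOTALL)))
    return sigs


def load_databases(paths):
    """Read several database files (the PEID_DATABASES idea) into one signature list."""
    sigs = []
    for path in paths:
        with open(path, "r", encoding="latin-1") as fh:
            sigs.extend(load_signatures(fh.read()))
    return sigs


def scan(data, sigs, start=0):
    """Search data from offset start (e.g. the OEP) and return (name, depth) pairs,
    where depth is how many bytes past start the first match of that signature begins."""
    view = data[start:]
    hits = []
    for name, regex in sigs:
        m = regex.search(view)
        if m:
            hits.append((name, m.start()))
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    for name, depth in scan(SAMPLE_DATA, load_signatures(SAMPLE_DB)):
        print(f"{name} (depth {depth})")
```

Run stand-alone it reports Sample Packer B at depth 3, the three NOP bytes that precede the pattern. Passing the OEP offset as start reproduces the "scan from the entry point" behaviour described in the steps above; scanning from offset 0 instead is what ep_only = false would allow in PEiD proper, which this example, like PEiD.py, does not distinguish.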


About 0xeb

I am a programmer and reverse engineer. I like to write software utilities, design APIs and reverse engineer interesting stuff.

10 Responses to PyHiew and PEiD

  1. sys_dev says:

    >>(it used to be here http://www.peid.info/BobSoft/Downloads/UserDB.zip):
    I can't download this file. Is the URL of “UserDB.zip” correct?

  2. 0xeb says:

    I just updated the link in the blog, please try now.

  3. 0xeb says:

    @Zeroes: what do you mean??

  4. 0xeb says:

    @Zeroes1: But I updated the blog post long before you posted your initial comment! Please try the new link in the post again.

  5. rize says:

    Does this mean Panda AV is the best there is for opening and checking through every packed file and installer type using the userdb.txt?

  6. 0xeb says:

    @rize: No, it does not really mean anything. Panda is just one database you can use. If you find another, you can use it. Actually, you can use as many as you want combined. See the readme file.

  7. rize says:

    Actually I use the db for unpacking. I have to do this since I have found all AV software to be brainless.

    The way AV should work is not so much at runtime when running an installer, but when scanning a system. Or, as I would prefer, when using the Explorer context menu to scan a chosen file. The AV would know from the db what file it is and be able to open it using its unpackers. OK, I know there are still missing tools to unpack some for use in AV software. But at least if they could use what is available now, then they could scan installer files for over 90% of them (if not many more). It's not just AV software; it is also trojans, malware and the rest.

    If the protector you depend on doesn't know how to open the file, how do we expect it to be safe? Just like if protector software doesn't know the threat, how can it protect the PC? Overall the PC is less protected because of not being able to do what it is supposed to do… protect.

    Not everyone is able to run a PC with active guards running. The amount of times I have seen this. The reasons can be many: an underpowered PC for the software but OK otherwise. Mainly all are put down to memory and CPU resources, but I do find they nearly all had scheduled scans set up. So they can check by doing scanning (nightly or whatever). But they will never be able to protect the PC, since an installer to the protectors is one file (compressed and unknown). It can only check them after unpacking them to the protector's own secure sandbox. They don't because they don't know them to start with. Catch-22 I think this is called, an everlasting circle with no escape, until able to unpack the files and installers.

    Avira I know can unpack a few but isn't such a good AV; in fact it has gotten worse over time. But as it can unpack and check inside, it is the reason I use it. But I am always looking for better, and so the reason I asked you the question above.

    Sure, I have a few times written to the AV companies and more asking for this ability. So far only Avira has done this, but since then has never upgraded for more types of installers or archives. They don't even use this db, which is a shame. We know with a couple of tools they can make their own, but why not help Bob to make his the biggest and they all use it.

    I have this saying: if I cannot unpack it and I know the protection software cannot, then I will not be using it. My PC has never been so safe, no infection in years.

    This is not ideal as it limits what I can install or try out. Knock-on, since if I did try and like them, maybe I would purchase some of them.

    If the protection developers have no balls, it's time better developers stepped in to show them the way, how to make such software that really does protect the PC.

    (sorry this was long, it won't happen again.)
