Many times I find myself viewing a file with Hiew and at the same time wondering what kind of packer is applied to the file. Normally, I would run PEiD in parallel and check the packer signatures there.
For this reason, I created a small PyHiew script that lets you detect the packer directly from Hiew, using a text file with the same format as PEiD’s signature database.
A PEiD signature file is essentially an INI file with the packer name as the section name and two keys: the signature key containing the byte pattern (where ?? is a wildcard byte) and the ep_only key (which is ignored by the PEiD.py script). For example:

```ini
[Packer Name]
signature = B4 4D CD 21 E8 ?? ?? FD E8 ?? ?? B4 51 CD 21
ep_only = true
```
In order to run the script you need to get the latest PyHiew (PyHiew 0.2.1a) and a copy of UserDb.TXT (it used to be here http://research.pandasecurity.com/blogs/images/userdb.txt):
- Unpack the Pyhiew archive into Hiew’s folder
- Copy “UserDb.txt” to %hiew%\PyHiew
- Now open a PE file with Hiew
- Switch to Hex view (press ENTER)
- Press F8 to show the header info
- Press F5 to jump to OEP
- Now press F11 to load the HEM plugins
- Select PyHiew
- Select PEiD script
Please note that you can configure PEiD.py to use any signature database or databases of your choice. Simply edit the script and adjust the following lines:
```python
# Add more PEiD signatures to this list
PEID_DATABASES = ['UserDB.TXT']
```
When PEiD.py parses the signature files, it generates a cache file (peid-db.cache) so that subsequent scans are faster. Please delete the cache file if you edit your signature files (it will be regenerated on the next run).
And here is PyHiew’s PEiD in action:
The depth value indicates how many bytes were scanned before the pattern matched. If there is more than one match, the output window displays the remaining matches.
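As an added illustration of the signature format described above and of the depth value reported by the script (this is example code, not PyHiew’s PEiD.py), here is a minimal parser for PEiD-style INI signatures and a scanner that reports each match with its depth. The database entries and the scanned buffer are constructed samples, not entries from the real UserDb.TXT.

```python
import configparser
import re

# Constructed sample database in UserDb.TXT format (not real signatures).
SAMPLE_DB = """
[Example DOS stub packer]
signature = B4 4D CD 21 E8 ?? ?? FD E8 ?? ?? B4 51 CD 21
ep_only = true

[Example pushad-call marker]
signature = 60 E8 ?? ?? ?? ?? 5D
ep_only = false
"""


def load_signatures(text):
    """Parse PEiD-style INI text into a list of (packer name, compiled regex)."""
    # strict=False tolerates duplicate section names, which real databases contain.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    sigs = []
    for name in parser.sections():
        tokens = parser.get(name, "signature", fallback="").split()
        # '??' matches any single byte; every other token is a literal hex byte.
        regex = b"".join(
            b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
            for tok in tokens
        )
        if regex:
            sigs.append((name, re.compile(regex, re.DOTALL)))
    return sigs


def scan(buf, sigs):
    """Return (name, depth) for each signature found in buf.

    depth is the offset of the first match, i.e. how many bytes were scanned
    before the pattern matched. Results are ordered by depth.
    """
    matches = []
    for name, rx in sigs:
        m = rx.search(buf)
        if m:
            matches.append((name, m.start()))
    return sorted(matches, key=lambda t: t[1])


def detect(buf, db_text=SAMPLE_DB):
    """Convenience wrapper: parse db_text and scan buf with it."""
    return scan(buf, load_signatures(db_text))
```

In the real script the buffer would be the bytes starting at the entry point that Hiew is positioned on; here any bytes object works.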