SANS ISC: From PEiD To YARA - Internet Security | DShield SANS ISC InfoSec Forums


From PEiD To YARA

Some time ago, Jim Clausing wrote a diary entry about PEiD (a packer identifier that is no longer maintained or hosted), and since then he has kept a PEiD signature database on his handler page.

Now, wouldn't it be great if we could reuse these signatures? For example as YARA rules?

That's why I wrote a Python program that converts PEiD signatures to YARA rules: peid-userdb-to-yara-rules.py

Here is an example:
PEiD signature:

 [!EP (ExE Pack) V1.0 -> Elite Coding Group]
 signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10
 ep_only = true

Generated YARA rule:

 rule PEiD_00001__EP__ExE_Pack__V1_0____Elite_Coding_Group_
 {
     meta:
         description = "[!EP (ExE Pack) V1.0 -> Elite Coding Group]"
         ep_only = "true"
     strings:
         $a = {60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10}
     condition:
         $a
 }

PEiD signatures have an ep_only property that is either true or false. It specifies whether the signature must be found at the PE file's entry point (true) or may be found anywhere in the file (false).

Program option -p generates rules that use YARA's pe module. If a signature's ep_only property is true, the rule's condition becomes $a at pe.entry_point instead of just $a. Without -p, an ep_only signature is matched anywhere in the file, so those rules are looser than the original PEiD check and can produce extra hits.

Example:

 import "pe"

 rule PEiD_00001__EP__ExE_Pack__V1_0____Elite_Coding_Group_
 {
     meta:
         description = "[!EP (ExE Pack) V1.0 -> Elite Coding Group]"
         ep_only = "true"
     strings:
         $a = {60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10}
     condition:
         $a at pe.entry_point
 }
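The conversion described above, as an added example: this is not Didier's peid-userdb-to-yara-rules.py but a small reimplementation of the same mapping. The userdb layout (a [name] line followed by signature = and ep_only = lines) and the rule-naming scheme (PEiD_ plus a five-digit index plus the name with every non-alphanumeric character replaced by an underscore) are taken from the example shown in the diary. Treating ';' lines as comments, treating an entry without an ep_only line as ep_only = false, and skipping a signature made entirely of ?? wildcards (it would match everything and is not a usable YARA string) are my assumptions. The sample userdb text is constructed.

```python
"""Convert PEiD userdb signatures to YARA rules (added example, not the diary's script)."""
import re
import sys

# Constructed sample input: the diary's entry plus two extra entries, one that
# may match anywhere and one that is all wildcards and must be skipped.
SAMPLE_USERDB = """\
; comment lines are assumed to start with ';'
[!EP (ExE Pack) V1.0 -> Elite Coding Group]
signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10
ep_only = true

[Example anywhere-signature (constructed)]
signature = 4D 5A 90 00 03 00 ?? ?? 04
ep_only = false

[Broken entry (constructed)]
signature = ?? ?? ??
ep_only = true
"""

HEX_TOKEN_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}|\?\?)$")


def parse_userdb(text):
    """Return a list of {'name', 'signature', 'ep_only'} dicts, one per [name] block."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if current is not None:
                entries.append(current)
            # The full bracketed line is kept: it becomes the rule's description.
            current = {"name": line, "signature": None, "ep_only": False}
            continue
        if current is None or "=" not in line:
            continue  # stray line outside an entry, or not a key = value pair
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "signature":
            current["signature"] = value.split()
        elif key == "ep_only":
            current["ep_only"] = value.lower() == "true"
    if current is not None:
        entries.append(current)
    return entries


def yara_identifier(index, name):
    """PEiD_<5-digit index> + name with non-alphanumerics replaced, as in the diary's output.

    YARA identifiers are limited to 128 characters, so the result is truncated.
    """
    return ("PEiD_%05d" % index + re.sub(r"[^A-Za-z0-9]", "_", name))[:128]


def yara_escape(text):
    """Escape backslashes and double quotes for use inside a YARA text string."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def valid_signature(tokens):
    """Every token must be a hex byte or '??', and at least one byte must be literal."""
    return bool(tokens) and all(HEX_TOKEN_RE.match(t) for t in tokens) \
        and any(t != "??" for t in tokens)


def entry_to_rule(index, entry, use_pe_module=False):
    """Render one entry as a YARA rule, or None if its signature is unusable."""
    tokens = entry["signature"]
    if tokens is None or not valid_signature(tokens):
        return None
    # With the pe module, an ep_only signature is anchored at the entry point;
    # otherwise (or for ep_only = false) it may match anywhere in the file.
    condition = "$a at pe.entry_point" if use_pe_module and entry["ep_only"] else "$a"
    return "\n".join([
        "rule %s" % yara_identifier(index, entry["name"]),
        "{",
        "    meta:",
        '        description = "%s"' % yara_escape(entry["name"]),
        '        ep_only = "%s"' % ("true" if entry["ep_only"] else "false"),
        "    strings:",
        "        $a = {%s}" % " ".join(t.upper() for t in tokens),
        "    condition:",
        "        %s" % condition,
        "}",
    ])


def convert(text, use_pe_module=False):
    """Return (yara_source, names_of_skipped_entries).

    Rules are numbered by their position in the database, so an index is
    consumed even for an entry that is skipped.
    """
    rules, skipped = [], []
    for index, entry in enumerate(parse_userdb(text), start=1):
        rule = entry_to_rule(index, entry, use_pe_module)
        (rules if rule else skipped).append(rule or entry["name"])
    header = 'import "pe"\n\n' if use_pe_module else ""
    return header + "\n\n".join(rules) + "\n", skipped


if __name__ == "__main__":
    # Usage: python peid2yara.py [-p] [userdb.txt]; without a file the sample is used.
    args = [a for a in sys.argv[1:] if a != "-p"]
    source = open(args[0], encoding="latin-1").read() if args else SAMPLE_USERDB
    output, skipped = convert(source, use_pe_module="-p" in sys.argv)
    sys.stdout.write(output)
    for name in skipped:
        sys.stderr.write("skipped (unusable signature): %s\n" % name)
```

Run it with -p to get the pe-module variant; the first generated rule name comes out exactly as in the diary (PEiD_00001__EP__ExE_Pack__V1_0____Elite_Coding_Group_), and the all-wildcard entry is reported on stderr instead of producing a rule that YARA would reject. Note that pe.entry_point is a raw file offset when YARA scans a file on disk, which is what the at operator expects; when scanning process memory it is a virtual address instead.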

I produced 2 sets of YARA rules based on Jim's database: peid-userdb-rules-with-pe-module.yara and peid-userdb-rules-without-pe-module.yara. As the names imply, the first one uses YARA's PE module and the second one does not. I use the second set of rules when I analyze files that are not PE files but that can contain (partial) PE files; the pe module cannot find an entry point in such a file, so a condition like $a at pe.entry_point would never match there.

You can find my YARA rules here.

DidierStevens

385 Posts
ISC Handler
I think that the first link for PEiD to hxxp://peid.has.it/ in the referenced diary from Jim Clausing (https://isc.sans.edu/diary/Python+script+for+packer+identification/3432 ) is no longer any good. I clicked on it and got redirected about 6 times before I was told my Firefox was out of date (it's not) and needed to download some update.
Brian

1 Posts
Yup, it looks like the original URL and its successor peid.info have both been abandoned. Too bad it was a great tool.
Jim

407 Posts
ISC Handler
That is correct, the original PEiD is no longer available.
DidierStevens

385 Posts
ISC Handler
The only reliable place to get PEiD is from Softpedia. The link is known by google.
Povl H.

71 Posts
