Packerid
Jump to navigation
Jump to search
Description
packerid.py is a python based script written by Jim Clausing to help identifying what eventual packer is used in an executable file.
Installation
packerid.py
$ wget http://handlers.sans.org/jclausing/packerid.py $ chmod +x packerid.py
userdb.txt
Packerid will search a userdb.txt file in /usr/local/etc/. This is the same file used by PEiD.
$ cd /usr/local/etc/ $ sudo wget https://dl.dropboxusercontent.com/u/10761700/PEiD/userdb.txt
Usage
Syntax
Usage: packerid.py [options] file [file ...]
Options
- -h, --help
- show this help message and exit
- -a, --all
- show all PE info
- -D DB, --database=DB
- use alternate signature database DB
- -m, --all-matches
- show all signature matches
- -V, --version
- show version number
Examples
$ ./packerid.py /data/tmp/brbbot.exe ['UPX 2.90 (LZMA)']
$ ./packerid.py /data/malware/winhiddev.DLL ['Borland Delphi 3.0 (???)']
$ ./packerid.py /data/malware/winfixer.exe ['Installer VISE Custom']
$ ./packerid.py /data/malware/windos.exe None
$ ./packerid.py /data/malware/sylxabsoxdea.exe ['PE Diminisher v0.1']
$ ./packerid.py /data/malware/rundll32.exe ['Microsoft Visual C++ v6.0']
$ ./packerid.py /data/malware/Loka_zahir.exe ['Microsoft Visual C# v7.0 / Basic .NET']