Packerid

From aldeid

Description

packerid.py is a Python script written by Jim Clausing that helps identify which packer, if any, was used on an executable file, by matching PEiD-style signatures against the file.

Installation

packerid.py

$ wget http://handlers.sans.org/jclausing/packerid.py
$ chmod +x packerid.py

userdb.txt

Packerid looks for a userdb.txt signature file in /usr/local/etc/. This is the same signature database file that PEiD uses.

$ cd /usr/local/etc/
$ sudo wget https://dl.dropboxusercontent.com/u/10761700/PEiD/userdb.txt

Usage

Syntax

Usage: packerid.py [options] file [file ...]

Options

-h, --help               show this help message and exit
-a, --all                show all PE info
-D DB, --database=DB     use alternate signature database DB
-m, --all-matches        show all signature matches
-V, --version            show version number

Examples

$ ./packerid.py /data/tmp/brbbot.exe 
['UPX 2.90 (LZMA)']
$ ./packerid.py /data/malwares/winhiddev.DLL
['Borland Delphi 3.0 (???)']
$ ./packerid.py /data/malwares/winfixer.exe
['Installer VISE Custom']
$ ./packerid.py /data/malwares/windos.exe 
None
$ ./packerid.py /data/malwares/sylxabsoxdea.exe
['PE Diminisher v0.1']
$ ./packerid.py /data/malwares/rundll32.exe
['Microsoft Visual C++ v6.0']
$ ./packerid.py /data/malwares/Loka_zahir.exe 
['Microsoft Visual C# v7.0 / Basic .NET']
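The examples above show the two output shapes packerid.py produces: a list of matching signature names, or None when nothing in userdb.txt matches. The following is an added illustration of the matching step behind that output, not packerid.py's own code: it parses a small userdb.txt-style database (the same [Name] / signature = / ep_only = block format PEiD uses) and checks the signatures against a byte buffer. The database excerpt, the byte patterns, the file buffer and the entry-point offset are all constructed for this example; real packerid.py reads the entry point from the PE headers with the pefile module, which this example deliberately avoids so it runs offline.

```python
"""Added illustration of PEiD-style signature matching as packerid.py does it.
Not packerid.py's own code. Works on a raw byte buffer plus a caller-supplied
entry-point offset instead of parsing PE headers (an assumption for brevity)."""
import re
from typing import List, NamedTuple, Optional


class Signature(NamedTuple):
    name: str
    pattern: re.Pattern
    ep_only: bool


def _token_regex(tok: str) -> bytes:
    """Turn one userdb token ('8B', '??' or a nibble wildcard like '9?') into regex."""
    if tok == "??":
        return b"."
    if "?" not in tok:
        return re.escape(bytes([int(tok, 16)]))
    # Nibble wildcard: enumerate every byte whose fixed nibble matches.
    hi, lo = tok[0].upper(), tok[1].upper()
    cands = [re.escape(bytes([v])) for v in range(256)
             if (hi == "?" or f"{v:02X}"[0] == hi) and (lo == "?" or f"{v:02X}"[1] == lo)]
    return b"(?:" + b"|".join(cands) + b")"


def compile_signature(sig: str) -> re.Pattern:
    """Compile a space-separated hex signature into a bytes regex (DOTALL so ?? matches 0x0A)."""
    return re.compile(b"".join(_token_regex(t) for t in sig.split()), re.DOTALL)


def parse_userdb(text: str) -> List[Signature]:
    """Parse the [Name] / signature = ... / ep_only = ... blocks of a userdb.txt."""
    entries: List[Signature] = []
    name: Optional[str] = None
    sig: Optional[str] = None
    ep_only = True

    def flush() -> None:
        if name is not None and sig is not None:
            entries.append(Signature(name, compile_signature(sig), ep_only))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            flush()
            name, sig, ep_only = line[1:-1], None, True
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "signature":
            sig = value
        elif key == "ep_only":
            ep_only = value.lower() == "true"
    flush()
    return entries


def identify(data: bytes, entry_point: int, db: List[Signature],
             all_matches: bool = False) -> Optional[List[str]]:
    """Return the matching signature names, or None (the shape packerid.py prints).

    ep_only signatures must begin exactly at the entry point; other signatures
    may occur anywhere in the file. Without all_matches the first hit wins,
    mirroring the distinction the -m / --all-matches option draws."""
    hits: List[str] = []
    for s in db:
        matched = s.pattern.match(data, entry_point) if s.ep_only else s.pattern.search(data)
        if matched:
            hits.append(s.name)
            if not all_matches:
                break
    return hits or None


# Constructed userdb.txt excerpt. The byte patterns are synthetic placeholders
# written in PEiD syntax; they are not real PEiD or packerid signatures.
SAMPLE_USERDB = """\
; constructed sample database
[Example Packer v1.0]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[Example Compiler 2.0]
signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68
ep_only = true

[Example DOS Header]
signature = 4D 5A 9? 00
ep_only = false
"""

# Constructed stand-in for a file: an MZ header, padding, and a packer-like
# stub at the assumed entry-point offset 0x40. CLEAN_FILE matches nothing.
ENTRY_POINT = 0x40
SAMPLE_FILE = (b"MZ\x90\x00" + b"\x00" * (ENTRY_POINT - 4)
               + bytes.fromhex("60BE11223344" "8DBE55667788" "5783CDFF") + b"\x90" * 16)
CLEAN_FILE = b"PK\x03\x04" + b"\x00" * 64

if __name__ == "__main__":
    db = parse_userdb(SAMPLE_USERDB)
    print(identify(SAMPLE_FILE, ENTRY_POINT, db))                     # first match only
    print(identify(SAMPLE_FILE, ENTRY_POINT, db, all_matches=True))   # like -m
    print(identify(CLEAN_FILE, ENTRY_POINT, db))                      # None
```

The ep_only flag is what keeps signature databases like this one usable: an entry-point-anchored pattern of a dozen bytes is specific, whereas the same pattern searched across a whole file (as the ep_only = false entries are) will eventually hit unrelated data, which is why a loose "anywhere in the file" signature such as the DOS-header one above only ever adds noise to an -m listing.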
