Durchschuss, Posted November 8, 2007: Do you know how PEiD (esp. KANAL) and ProtectionID search for signatures? Is it just searching for a coherent byte pattern?
Pimp.exe, Posted November 8, 2007: Yes, it reads the file's bytes much like Olly or IDA and checks them against known signatures. The detectors require a database of known sigs to work. Here is a link for external sigs on the PEiD forums: http://www.secretashell.com/PEiD/viewforum.php?f=7 That will show you what a signature looks like and hopefully that will give some help. The term "external" for signatures only means that they are signatures not released with the program. Hope that helps.
Durchschuss (Author), Posted November 8, 2007: Thanks! Yes, this helps; now I have an idea of what this looks like. Just need to find some code for searching those patterns. Maybe with some regex library.
Durchschuss (Author), Posted November 8, 2007: Don't know yet. Guess this will be too complex in asm. Probably I'll use D, but maybe with a DLL written in asm for time-critical parts. Edited November 8, 2007 by Durchschuss
Durchschuss (Author), Posted November 10, 2007: Aho-Corasick seems to be a good choice for pattern matching.
Durchschuss (Author), Posted December 10, 2007: Another topic where I posted some information: http://forum.xentax.com/viewtopic.php?t=2861
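To make concrete what Pimp.exe describes (bytes of the file checked against a database of signatures) and the regex idea Durchschuss floats, here is an added example, not code from the thread or from PEiD/ProtectionID. It parses a small database in the `[Name]` / `signature =` / `ep_only =` layout that PEiD's userdb files use, compiles each signature (with `??` as a one-byte wildcard) to a bytes regex, and scans a constructed buffer, testing `ep_only` signatures only at the entry-point offset. The packer names, byte patterns and sample file are all made up for the example.

```python
import re
# Constructed sample in the userdb.txt-style layout PEiD reads ([Name], signature with
# ?? wildcards, ep_only). Names and bytes are made up here, not real packer signatures.
SAMPLE_DB = """
[ExamplePacker v1.0 (constructed)]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[ExampleStub marker (constructed)]
signature = 4D 41 52 4B ?? 45 52
ep_only = false
"""

def compile_signature(hex_text):
    """'60 BE ?? 57' -> bytes regex: literal bytes escaped, '??' matches any one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_text.split()]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '.' must also match 0x0A

def parse_userdb(text):
    """Parse [Name]/signature/ep_only blocks into a list of signature dicts."""
    sigs, cur = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith(";"):
            continue                                   # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1], "pattern": None, "ep_only": False}
            sigs.append(cur)
        elif cur is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() == "signature":
                cur["pattern"] = compile_signature(value)
            elif key.lower() == "ep_only":
                cur["ep_only"] = value.lower() == "true"
    return [s for s in sigs if s["pattern"] is not None]

def scan(data, sigs, entry_point):
    """Return (name, offset) hits; ep_only sigs are tested only at the entry point."""
    hits = []
    for sig in sigs:
        if sig["ep_only"]:
            if sig["pattern"].match(data, entry_point):  # anchored at the EP offset
                hits.append((sig["name"], entry_point))
        else:                                            # searched across the whole file
            hits += [(sig["name"], m.start()) for m in sig["pattern"].finditer(data)]
    return hits

# Constructed 64-byte "file": 16 bytes padding, packer stub at a fake EP of 0x10, marker at 0x30.
SAMPLE_FILE = (b"\x00" * 0x10 + bytes.fromhex("60BE00104000 8DBE00F0FFFF 5783CDFF")
               + b"\x90" * 0x10 + b"MARK\x00ER" + b"\xCC" * 9)
```

A real scanner would take the entry-point offset from the PE header and, for a large database, swap the per-signature regex loop for a multi-pattern automaton such as Aho-Corasick, as the thread suggests.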