Posted November 8, 2007 Do you know how PEiD (esp. KANAL) and ProtectionID search for signatures? Is it just searching for a coherent byte pattern?
November 8, 2007 Yes, it reads the file's bytes much like Olly or IDA and checks them against known signatures. The detectors require a database of known sigs to work. Here is a link for external sigs on PEiD forums: http://www.secretashell.com/PEiD/viewforum.php?f=7 That will show you what a signature looks like, and hopefully that will give some help. The term "external" for signatures only means that they are signatures not released with the program. Hope that helps.
November 8, 2007 Author Thanks! Yes, this helps, now I've got an idea of what this looks like. Just need to find some code for searching those patterns. Maybe with some regex library.
November 8, 2007 Author Don't know yet. Guess this will be too complex in asm. Probably I'll use D, but maybe with a dll written in asm for time-critical parts. Edited November 8, 2007 by Durchschuss
December 10, 2007 Author Another topic where I posted some information: http://forum.xentax.com/viewtopic.php?t=2861
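The signature matching described in the replies above, done with a regex library as suggested there, as an added example that is not part of the original thread and not code from PEiD or ProtectionID. It assumes the `userdb.txt` text layout of PEiD external signatures with whole-byte `??` wildcards only; the database entries, the sample buffer and the `ep_offset` parameter (the entry point's file offset, which a real scanner reads from the PE header) are constructed for illustration.

```python
import re

# Constructed sample in the userdb.txt layout of PEiD external signatures.
# Entry names and byte patterns are made up for this example.
SAMPLE_DB = """
[Demo Packer 1.0 (constructed)]
signature = 60 BE ?? ?? ?? ?? 8D BE
ep_only = true

[CRC-32 table start (constructed)]
signature = 96 30 07 77 2C 61 0E EE
ep_only = false
"""

def compile_sig(sig):
    """Turn '60 BE ?? 8D' into a bytes regex; '??' matches any one byte."""
    parts = []
    for tok in sig.split():
        # int() raises ValueError on any token that is not a hex byte
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    # DOTALL so that a wildcard also matches the byte 0x0A
    return re.compile(b"".join(parts), re.DOTALL)

def parse_db(text):
    """Return (name, compiled pattern, ep_only) for every complete entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            entries.append({"name": line[1:-1]})
        elif "=" in line and entries:
            key, _, value = line.partition("=")
            entries[-1][key.strip().lower()] = value.strip()
    return [(e["name"], compile_sig(e["signature"]),
             e.get("ep_only", "").lower() == "true")
            for e in entries if "signature" in e]

def scan(data, sigs, ep_offset):
    """ep_only signatures must match exactly at ep_offset; others anywhere."""
    hits = []
    for name, rx, ep_only in sigs:
        m = rx.match(data, ep_offset) if ep_only else rx.search(data)
        if m:
            hits.append((name, m.start()))
    return hits

# Constructed buffer: padding, packer-like stub at 16, table bytes at 40.
SAMPLE = (b"\x90" * 16 + bytes.fromhex("60 BE 0A 10 40 00 8D BE")
          + b"\x00" * 16 + bytes.fromhex("96 30 07 77 2C 61 0E EE"))

if __name__ == "__main__":
    for name, off in scan(SAMPLE, parse_db(SAMPLE_DB), ep_offset=16):
        print(f"{off:#06x}  {name}")
```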