Tuts 4 You

How To Search For Signatures


Durchschuss

Recommended Posts

Posted

Do you know how PEiD (esp. KANAL) and ProtectionID search for signatures?

Is it just searching for a coherent byte pattern?

Posted

Yes, it reads the file's bytes much like Olly or IDA and checks them against known signatures. The detectors require a database of known sigs to work.

Here is a link for external sigs on PEiD forums.

http://www.secretashell.com/PEiD/viewforum.php?f=7

That will show you what a signature looks like and hopefully that will give some help. The term "external" for signatures only means that they are signatures not released with the program.

Hope that helps :)
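As an added example (not PEiD's own code, and not anything posted in this thread), here is a small scanner for signatures written in the PEiD userdb.txt layout the linked forum shows: a `[Name]` header, a `signature =` line of hex bytes where `??` is a wildcard, and an `ep_only =` flag that says whether the pattern is only tried at the entry point. Both signatures and the file image below are constructed samples, not real packer signatures.

```python
# PEiD userdb.txt entries have this shape; both entries are constructed samples,
# not the signature of any real packer.
SAMPLE_DB = """
[Constructed packer A]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[Constructed stub B]
signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68
ep_only = false
"""

def parse_db(text):
    """Return [(name, pattern, ep_only)]; a '??' token becomes a None wildcard."""
    sigs, name, pattern, ep_only = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if name and pattern:
                sigs.append((name, pattern, ep_only))
            name, pattern, ep_only = line[1:-1], None, False
        elif line.lower().startswith("signature"):
            tokens = line.split("=", 1)[1].split()
            pattern = [None if t == "??" else int(t, 16) for t in tokens]
        elif line.lower().startswith("ep_only"):
            ep_only = line.split("=", 1)[1].strip().lower() == "true"
    if name and pattern:
        sigs.append((name, pattern, ep_only))
    return sigs

def match_at(data, offset, pattern):
    """True if pattern matches data at offset; None entries match any byte."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

def scan(data, sigs, entry_point):
    """ep_only signatures are tried only at the entry point, the rest anywhere."""
    hits = []
    for name, pattern, ep_only in sigs:
        offsets = [entry_point] if ep_only else range(len(data) - len(pattern) + 1)
        hits.extend((name, off) for off in offsets if match_at(data, off, pattern))
    return hits

# Constructed file image: packer A's bytes at the entry point (offset 16),
# some padding, then stub B's bytes further into the body (offset 40).
ENTRY_POINT = 16
SAMPLE_FILE = (b"\x00" * ENTRY_POINT + bytes.fromhex("60BE112233448DBE556677885783CDFF")
               + b"\x90" * 8 + bytes.fromhex("558BEC6AFF68AABBCCDD68") + b"\xCC" * 4)
```

Calling `scan(SAMPLE_FILE, parse_db(SAMPLE_DB), ENTRY_POINT)` reports packer A at the entry point and stub B at offset 40; with a wrong entry point the ep_only signature is no longer found, which is the difference between the two flag values.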

Posted

Thanks! :) Yes, this helps; now I have an idea of what this looks like.

Just need to find some code for searching those patterns. Maybe with some regex library.

Posted

Umm what language are you going to use?

Posted (edited)

Don't know yet. Guess this will be too complex in asm.

Probably I'll use D, but maybe with a dll written in asm for time-critical parts. ;)

Edited by Durchschuss

Posted

Aho-Corasick seems to be a good choice for pattern matching.
