Durchschuss Posted November 8, 2007
Do you know how PEiD (esp. KANAL) and ProtectionID search for signatures? Is it just searching for a coherent byte pattern?
Pimp.exe Posted November 8, 2007
Yes, it reads the file's bytes much like Olly or IDA and checks them against known signatures. The detectors require a database of known sigs to work. Here is a link for external sigs on the PEiD forums: http://www.secretashell.com/PEiD/viewforum.php?f=7 That will show you what a signature looks like and hopefully that will give some help. The term "external" for signatures only means that they are signatures not released with the program. Hope that helps.
Durchschuss Posted November 8, 2007 Author
Thanks! Yes, this helps; now I've got an idea of what this looks like. Just need to find some code for searching for those patterns. Maybe with some regex library.
Pimp.exe Posted November 8, 2007
Umm, what language are you going to use?
Durchschuss Posted November 8, 2007 Author
Don't know yet. Guess this will be too complex in asm. Probably I'll use D, but maybe with a DLL written in asm for time-critical parts. Edited November 8, 2007 by Durchschuss
Durchschuss Posted November 10, 2007 Author
Aho-Corasick seems to be a good choice for pattern matching.
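The mechanism Pimp.exe describes (a database of byte signatures, each checked against the file's bytes) combined with the Aho-Corasick idea from the post above, as an added example that is not part of this thread and not PEiD's or ProtectionID's own code. It assumes the `[name]` / `signature =` / `ep_only =` layout of a PEiD userdb.txt with `??` as a wildcard byte; the two signature entries, the 256-byte sample buffer and the helper names (`parse_userdb`, `longest_fixed_run`, `scan`, `scan_sample`) are constructed for illustration and are not real packer signatures. Aho-Corasick cannot index wildcards directly, so the automaton is built over each signature's longest wildcard-free run, and every hit is then verified against the full pattern and the `ep_only` rule:

```python
from collections import deque, namedtuple
from itertools import groupby

Signature = namedtuple("Signature", "name pattern ep_only")

# Added example, not PEiD/ProtectionID code. Constructed entries in the
# [name]/signature/ep_only layout of PEiD's userdb.txt; '??' = wildcard byte.
SIG_DB = """
[Sample packer A (constructed)]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true
[Sample packer B stub (constructed)]
signature = ?? ?? E8 00 00 00 00 5D
ep_only = false
"""

def parse_userdb(text):
    # pattern becomes a tuple of int (fixed byte) or None (wildcard)
    sigs, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, val = line.partition("=")
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1], "pattern": (), "ep_only": False}
            sigs.append(cur)
        elif key.strip().lower() == "signature":
            cur["pattern"] = tuple(None if t == "??" else int(t, 16) for t in val.split())
        elif key.strip().lower() == "ep_only":
            cur["ep_only"] = val.strip().lower() == "true"
    return [Signature(**d) for d in sigs]

def longest_fixed_run(pattern):
    """(offset, bytes) of the longest wildcard-free run: the Aho-Corasick anchor."""
    best, pos = (0, b""), 0
    for is_fixed, grp in groupby(pattern, key=lambda p: p is not None):
        run = list(grp)
        if is_fixed and len(run) > len(best[1]):
            best = (pos, bytes(run))
        pos += len(run)
    return best

class AhoCorasick:
    def __init__(self):
        self.goto, self.fail, self.out = [{}], [0], [[]]  # one entry per state
    def add(self, word, pid):
        s = 0
        for b in word:
            if b not in self.goto[s]:
                self.goto.append({}); self.fail.append(0); self.out.append([])
                self.goto[s][b] = len(self.goto) - 1
            s = self.goto[s][b]
        self.out[s].append(pid)
    def build(self):  # BFS fail links; depth-1 states keep fail = 0 (the root)
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s].extend(self.out[self.fail[s]])
                queue.append(s)
    def search(self, data):  # yields (index of last byte, pattern id) per hit
        s = 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for pid in self.out[s]:
                yield i, pid

def scan(data, sigs, ep_offset):
    """Return sorted (offset, name) for every signature that matches in data."""
    ac, anchors = AhoCorasick(), []
    for pid, sig in enumerate(sigs):
        off, run = longest_fixed_run(sig.pattern)
        if not run:  # an all-wildcard pattern would match at every byte
            raise ValueError("no fixed bytes in signature %r" % sig.name)
        anchors.append((off, len(run)))
        ac.add(run, pid)
    ac.build()
    hits = set()
    for end, pid in ac.search(data):
        sig, (off, n) = sigs[pid], anchors[pid]
        start = end - n + 1 - off  # offset where the whole pattern would begin
        if sig.ep_only and start != ep_offset:
            continue  # ep_only signatures count only at the entry point
        if 0 <= start and start + len(sig.pattern) <= len(data) and all(
                p is None or p == data[start + k] for k, p in enumerate(sig.pattern)):
            hits.add((start, sig.name))
    return sorted(hits)

# Constructed 256-byte "file": packer A stub at the entry point 0x40, packer B
# stub at 0x60, and a second packer A copy at 0x80 that must not be reported.
EP_OFFSET = 0x40
STUB_A = bytes.fromhex("60 BE 11 22 33 44 8D BE 55 66 77 88 57 83 CD FF")
SAMPLE = bytearray(0x100)
SAMPLE[0x40:0x50] = STUB_A
SAMPLE[0x60:0x68] = bytes.fromhex("AA BB E8 00 00 00 00 5D")
SAMPLE[0x80:0x90] = STUB_A

def scan_sample():
    return scan(bytes(SAMPLE), parse_userdb(SIG_DB), EP_OFFSET)
```

`scan_sample()` reports packer A at 0x40 and packer B at 0x60; the second packer A stub at 0x80 is suppressed because its signature is `ep_only`. Two design points matter in practice: an all-wildcard signature is refused rather than silently matching everywhere, and the automaton is built from the signature database, not from the file, so a real scanner would build it once and reuse it across files instead of rebuilding it per call as this example does.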
Durchschuss Posted December 10, 2007 Author
Another topic where I posted some information: http://forum.xentax.com/viewtopic.php?t=2861