Tuts 4 You

scanning a pe/dll (delphi)


StreamLine


I was wondering how PEiD, DiE, FastScan etc. implement their scanning techniques. Anyone got an example source code in Delphi, or can shed some light on it? Set a few BPs in PEiD using Olly, on CreateFile etc., but it didn't break, so wondering if I've missed something. :rolleyes: Wanting to make my own tool similar to PEiD :P

tia


Just quickly looking at PEiD 0.94 in OllyDbg, it does the following:

004384BD CALL CreateFileA = Open file for reading

004384CE CALL GetFileSize

004384E4 CALL CreateFileMappingA = Get handle of file mapping object

004384F9 CALL MapViewOfFile = Map the file into memory so it can scan it

00444F77 CALL 0044B300 = Validate PE file

From there it gets the various information which is available for displaying in PEiD, before going on to the scanning part.

Generally the scan checks the entrypoint code against a database, both internal and external (user database), displaying the first hit that it gets. There is the possibility of scanning the whole file, but it doesn't appear to be used a great deal.

This is taken from the PEiD user.db file:

ep_only can be either true or false. When true, the signature is scanned for at the EntryPoint only.

Else it is scanned throughout the file.

HR,

Ghandi

Edited by ghandi

Thank you for the quick response, and your time. I am still interested in the actual comparing method PEiD or other scanners use: is it simply byte for byte? Like, in theory, if a database entry reads 00 0F 04, does PEiD compare 00 with the 1st byte of a PE or w/e, then move to the second, and does this for each signature?

Thank you for the quick response, and your time. I am still interested in the actual comparing method PEiD or other scanners use: is it simply byte for byte? Like, in theory, if a database entry reads 00 0F 04, does PEiD compare 00 with the 1st byte of a PE or w/e, then move to the second, and does this for each signature?

Yeah, that's the basic method of how it works. ?? is used as a wildcard, which means the next byte in the array can be anything.

For example:

[UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB
ep_only = true

A simple sig for UPX taken from PEiD's forums. This would scan at the entry point for the sig. Just as you said, it would compare 60, if found step to next byte in sig and in the file, compare for BE, if found step to the next byte, ?? is found so it skips this byte and steps again, and so on til the end of the signature. If the full signature is matched then it is a found signature.

Edit:

For a Delphi example, JohnWho made a reply in another topic similar to this with an example in Delphi:

http://forum.tuts4you.com/index.php?s=&amp...ost&p=82610

I posted examples in C/C++ and VB6 as well in that topic if you wish to see those as well.

Edited by Atomos

Thank you for your detailed reply. My query is: if, let's say, I have 5000 signatures, wouldn't scanning them one by one be really slow?


yes...

and entrypoint signature scanning is prone to false positives...

It's simply a memory compare against a database... if it ran from disk it would be considerably slower, which is why they map it into memory (which can actually cause problems in itself... e.g. recently a denial of service exploit was found for some of them, where they basically did a buffer overrun, processing data that wasn't there (mapping the exe into memory will only load it with page alignment, which means, at the end of the file... typically where resources and such are, processing them, if they're damaged, can result in a crash...)).

ProtectionID works slightly differently... the exe is not mapped into memory, it's simply loaded from disk into a buffer, and RVA->offset conversions are done, and the detection method checks considerably more than just the bytes at the entrypoint...

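To tie the thread together, here is an added example (not code from the thread, from PEiD or from ProtectionID) of the byte-for-byte compare with ?? wildcards and ep_only that Atomos describes, combined with the read-into-a-buffer plus RVA->offset conversion approach the last reply mentions. It is in Python rather than the Delphi the OP asked for because the logic ports line for line; the only input is a constructed minimal PE32 whose entry-point code is fabricated from the UPX signature quoted above (the ?? slots filled with zeros), and the header layout constants are those of the PE format, not of any real file.

```python
import struct

# PEiD user.db style entry (name, pattern, ep_only), taken from the post above.
UPX_SIG = ("UPX 2.90 [LZMA]", "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB", True)

def parse_sig(text):
    """'60 BE ?? ...' -> list of ints; None stands for the ?? wildcard."""
    return [None if t == "??" else int(t, 16) for t in text.split()]

def match_at(data, off, pat):
    """Byte-for-byte compare at one offset (None matches anything); bounds-checked."""
    if off < 0 or off + len(pat) > len(data):   # never read past the buffer (the DoS the reply mentions)
        return False
    return all(p is None or data[off + i] == p for i, p in enumerate(pat))

def entry_point_offset(data):
    """AddressOfEntryPoint is an RVA; convert it to a raw file offset via the section table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    ep_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]       # optional header + 0x10
    sect = pe + 24 + opt_size                                      # first IMAGE_SECTION_HEADER
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sect + i * 40 + 8)
        if va <= ep_rva < va + max(vsize, rawsize):
            return rawptr + (ep_rva - va)
    raise ValueError("entry point is outside every section")

def scan(data, db):
    """Names of all matching entries (PEiD itself stops at and shows only the first hit)."""
    ep, hits = entry_point_offset(data), []
    for name, text, ep_only in db:
        pat = parse_sig(text)
        offsets = [ep] if ep_only else range(len(data) - len(pat) + 1)   # EP only, or whole file
        if any(match_at(data, o, pat) for o in offsets):
            hits.append(name)
    return hits

def build_sample_pe(ep_code):
    """Constructed minimal PE32: one .text section, RVA 0x1000 -> raw 0x200, EP at RVA 0x1010."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # 1 section, 224-byte opt hdr
    opt = bytearray(224)                                           # optional header, zero except...
    struct.pack_into("<I", opt, 16, 0x1010)                        # ...AddressOfEntryPoint
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    body = bytearray(0x200)                                        # raw .text data
    body[0x10:0x10 + len(ep_code)] = ep_code                       # lands at raw 0x210 == RVA 0x1010
    return (dos + coff + bytes(opt) + sec).ljust(0x200, b"\0") + bytes(body)
```

Running scan() over build_sample_pe() with the UPX entry reports the match at the entry point; with ep_only set to false the same pattern is tried at every offset of the buffer, which is exactly the 5000-signature cost the question above worries about.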
