packing-box / peid

Python implementation of the Packed Executable iDentifier (PEiD)
GNU General Public License v3.0

Invalid PE signature errors #3

Closed Sembiance closed 3 weeks ago

Sembiance commented 3 months ago

I'm attempting to use this to check these .exe files:

https://sembiance.com/fileFormatSamples/executable/exe/CNDRAW.EXE
https://sembiance.com/fileFormatSamples/executable/exe/VIEWGIF.EXE
https://sembiance.com/fileFormatSamples/executable/exe/VESA.EXE

Running peid <exe> against any of them yields:

Traceback (most recent call last):
  File "/home/sembiance/Downloads/wip/env/bin/peid", line 8, in <module>
    sys.exit(main())
  File "/home/sembiance/Downloads/wip/env/lib/python3.10/site-packages/peid/__main__.py", line 67, in main
    results = identify_packer(*args.path, db=args.db, ep_only=args.ep_only, sec_start_only=args.sec_start_only,
  File "/home/sembiance/Downloads/wip/env/lib/python3.10/site-packages/peid/__init__.py", line 67, in identify_packer
    results.append((path, db.match(path, ep_only, sec_start_only, match_all)))
  File "/home/sembiance/Downloads/wip/env/lib/python3.10/site-packages/peid/db/__init__.py", line 80, in match
    with PE(pe, logger=self.logger) as f:
  File "/home/sembiance/Downloads/wip/env/lib/python3.10/site-packages/peid/pe.py", line 28, in __init__
    raise OSError("Invalid PE signature")
OSError: Invalid PE signature

I'm able to run it ok on some other .exe files, but not these.

Versions installed:

$ pip list
Package    Version
---------- -------
msgspec    0.18.6
peid       2.1.1
pip        24.0
setuptools 69.5.1
wheel      0.43.0

$ python --version
Python 3.10.14

Is it not designed to work with all .exe's? Is there something wrong with my configurations?

dhondta commented 3 months ago

Hi @Sembiance! Thanks for reporting this error. This comes from the fact that the MSDOS Executable format is currently not supported. I just added it but, given the 3 samples you mention, did you expect any of them to have a signature matching from PEiD's database?
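An added example, not part of the thread and not peid's own code: a pre-check that separates an MZ-only (MS-DOS style) executable from a PE file by following the `e_lfanew` field at offset 0x3C, which is the distinction behind the error above. The function names and the sample byte strings are constructed for illustration.

```python
import struct

PE_MAGIC = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C   # 4-byte little-endian file offset of the PE header
DOS_HEADER_SIZE = 0x40   # size of the DOS header as laid out in PE files


def classify_exe(data: bytes) -> str:
    """Return 'pe', 'mz-non-pe' or 'unknown' for the raw bytes of a file.

    'mz-non-pe' covers plain MS-DOS executables (and any other MZ file that
    carries no PE signature), which a PE-only parser has to reject or skip.
    """
    if data[:2] != b"MZ":
        return "unknown"
    # Old DOS files need not reserve the full 0x40-byte header at all.
    if len(data) < DOS_HEADER_SIZE:
        return "mz-non-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # Bounds-check first: in a DOS file these four bytes are arbitrary data,
    # and in a hostile file they are chosen by whoever built it.
    if e_lfanew + len(PE_MAGIC) > len(data):
        return "mz-non-pe"
    if data[e_lfanew:e_lfanew + len(PE_MAGIC)] == PE_MAGIC:
        return "pe"
    return "mz-non-pe"


def make_sample(e_lfanew: int, body: bytes) -> bytes:
    """Build a constructed test file: MZ header with the given e_lfanew + body."""
    hdr = bytearray(DOS_HEADER_SIZE)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, e_lfanew)
    return bytes(hdr) + body


# Constructed samples, not the files from the issue.
PE_SAMPLE = make_sample(0x40, PE_MAGIC + b"\0" * 20)
DOS_SAMPLE = make_sample(0x0, b"\x90" * 32)       # e_lfanew points at "MZ"
WILD_SAMPLE = make_sample(0xFFFFFFF0, b"")        # offset far past end of file
SHORT_SAMPLE = b"MZ" + b"\0" * 10                 # truncated DOS header

if __name__ == "__main__":
    for name in ("PE_SAMPLE", "DOS_SAMPLE", "WILD_SAMPLE", "SHORT_SAMPLE"):
        print(f"{name:13} -> {classify_exe(globals()[name])}")
```

Running a check like this before handing a file to a PE parser lets a batch job log MZ-only files and move on instead of stopping on the exception.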

Sembiance commented 3 months ago

Thanks for the fix!

Using Detect-It-Easy it found:

CNDRAW.EXE Packer: EXEPACK(3.69)
VIEWGIF.EXE Packer: LZEXE(0.91, 1.0)

VESA.EXE doesn't have anything special, it was just a test.

I'm not sure if peid is supposed to find packers like that or not, I was just looking into other things I could use to help identify EXE files.