ponta37 / malwarecookbook

Automatically exported from code.google.com/p/malwarecookbook
0 stars 0 forks source link

peid_to_yara.py #47

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Hi,

There seems to be a change in the peid resources.
The only available userdb.txt is found here: 
http://research.pandasecurity.com/blogs/images/userdb.txt

Extract from the file shows:
;  Made with Add Signature v2.00 by BoB / BobSoft ..
;  3520 Signatures in list ..

[Native UD Packer 1.1 (Modded Poison Ivy Shellcode) -> okkixot]
signature = 31 C0 31 DB 31 C9 EB 0E 6A 00 6A 00 6A 00 6A 00 FF 15 28 41 40 00 
FF 15 94 40 40 00 89 C7 68 88 13 00 00 FF 15 98 40 40 00 FF 15 94 40 40 00 81 
C7 88 13 00 00 39 F8 73 05 E9 84 00 00 00 6A 40 $
ep_only = true

[Obsidium v1.3.0.0 -> Obsidium Software (h)]
signature = EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C 
EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 
05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 $
ep_only = true

Running the script with verbose output results in:

./peid_to_yara.py -f userdb.txt -o peid.yara -v
Found 0 signatures in PEiD input file
Wrote 0 rules to peid.yara

I have not worked through the python script yet but I would expect the syntax 
changed somewhere.

Although the yara wiki contains some peid examples they seem to fall short of 
the 3000+ listed in the userdb.txt

Original issue reported on code.google.com by gertho...@gmail.com on 22 Jan 2013 at 11:16

Attachments:

GoogleCodeExporter commented 8 years ago
The problem is the regex. I had a similar issue yesterday: 

signature = re.compile('\[(.+?)\]\r\nsignature = (.+?)\r\nep_only = (.+?)\r\n', 
re.M|re.S)

Try changing it to the following and rerun the script:

signature = re.compile('\[(.+?)\]\nsignature = (.+?)\nep_only = (.+?)\n', 
re.M|re.S)

Original comment by m...@zentific.com on 4 Feb 2013 at 7:02