peutils

Portable Executable Utilities Module

class peutils.SignatureDatabase(filename=None, data=None)

This class loads and keeps a parsed PEiD signature database.

Usage:

sig_db = SignatureDatabase('/path/to/signature/file')

and/or

sig_db = SignatureDatabase()
sig_db.load('/path/to/signature/file')

Signature databases can be combined by performing multiple loads.

The filename parameter can be a URL, too. In that case, the signature database will be downloaded from that location.

generate_ep_signature(pe, name, sig_length=512)

Generate signatures for the entry point of a PE file.

Creates a signature whose name will be the parameter name, plus the section number and section name.

generate_section_signatures(pe, name, sig_length=512)

Generates signatures for all the sections in a PE file.

If the section contains any data, then a signature will be created for it. The signature name will be a combination of the parameter name, plus the section number and section name.

load(filename=None, data=None)

Load a PEiD signature file.

Invoking this method on different files combines the signatures.

match(pe, ep_only=True, section_start_only=False)

Matches and returns the exact match(es).

If ep_only is True, then the result will be a string with the packer name. Otherwise, it will be a list of the form (file_offset, packer_name) specifying where in the file the signature was found.

match_all(pe, ep_only=True, section_start_only=False)

Matches and returns all the likely matches.
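The following is an added, self-contained Python example (not pefile's or peutils' own code) showing what the documented load/match behaviour amounts to: it parses a PEiD userdb.txt-style database into signatures with `??` wildcard bytes and then applies the result shapes described for match(). It assumes the userdb layout (`[name]`, `signature = ...`, `ep_only = true|false`), takes raw file bytes plus an entry-point file offset instead of a pefile.PE object, and uses a constructed two-signature database and a constructed 64-byte image rather than real packer signatures.

```python
# Added example: a minimal PEiD-style signature database parser and matcher.
# Not peutils' implementation; the database and image below are constructed.

# Constructed database in userdb.txt layout. These are NOT real packer signatures.
SAMPLE_DB = """
; constructed signatures for demonstration only
[Constructed packer stub A]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57
ep_only = true

[Constructed prologue B]
signature = 55 8B EC 83 EC ?? 53 56 57
ep_only = false
"""


def parse_peid_db(text):
    """Parse userdb.txt-style text into a list of (name, pattern, ep_only).

    pattern is a list of ints, with None standing for a '??' wildcard byte.
    A signature without an ep_only line is treated as ep_only=True (assumption).
    """
    sigs = []
    name, pattern, ep_only = None, None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):          # blank line or comment
            continue
        if line.startswith('[') and line.endswith(']'):  # new signature header
            if name is not None and pattern:
                sigs.append((name, pattern, ep_only))
            name, pattern, ep_only = line[1:-1], None, True
            continue
        key, _, value = line.partition('=')
        key, value = key.strip().lower(), value.strip()
        if key == 'signature':
            pattern = [None if tok == '??' else int(tok, 16) for tok in value.split()]
        elif key == 'ep_only':
            ep_only = value.lower() == 'true'
    if name is not None and pattern:
        sigs.append((name, pattern, ep_only))
    return sigs


def _matches_at(data, offset, pattern):
    """True if pattern matches data at offset, treating None as any byte."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def match_signatures(data, ep_offset, sigs, ep_only=True):
    """Mirror the documented match() result shapes.

    ep_only=True : test ep_only signatures at the entry point; return the name of
                   the longest matching signature (most specific), or None.
    ep_only=False: scan the whole buffer with the non-ep_only signatures and
                   return a sorted list of (file_offset, name) hits.
    """
    if ep_only:
        hits = [(len(p), name) for name, p, flag in sigs if flag and _matches_at(data, ep_offset, p)]
        return max(hits)[1] if hits else None
    results = []
    for name, pattern, flag in sigs:
        if flag:
            continue
        for off in range(len(data) - len(pattern) + 1):
            if _matches_at(data, off, pattern):
                results.append((off, name))
    return sorted(results)


# Constructed 64-byte "image": stub A placed at the entry point, prologue B at offset 40.
EP = 16
SAMPLE_IMAGE = bytearray(64)
SAMPLE_IMAGE[EP:EP + 13] = bytes.fromhex('60be112233448dbe5566778857')
SAMPLE_IMAGE[40:49] = bytes.fromhex('558bec83ec40535657')

if __name__ == '__main__':
    db = parse_peid_db(SAMPLE_DB)
    print(match_signatures(SAMPLE_IMAGE, EP, db, ep_only=True))   # entry-point match
    print(match_signatures(SAMPLE_IMAGE, EP, db, ep_only=False))  # full-buffer scan
```

Because wildcard-heavy signatures match many byte sequences, treat a hit as an indicator to be confirmed by other evidence (section layout, imports, entropy), not as proof of a particular packer; the ep_only=False scan in particular can produce hits inside ordinary code or data.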

match_data(code_data, ep_only=True, section_start_only=False)

peutils.is_probably_packed(pe)

Returns True if there is a high likelihood that a file is packed or contains compressed data.

The sections of the PE file will be analyzed. If enough sections look like they contain compressed data, and that data makes up more than 20% of the total file size, then the function will return True.

peutils.is_suspicious(pe)

Returns True if:

  • import tables are in unusual locations
  • section names are unrecognized
  • long ASCII strings are present
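As an added example covering both is_probably_packed and the section-name heuristic of is_suspicious (example code, not peutils' own implementation), the block below computes per-section Shannon entropy, applies the documented 20% ratio, and flags section names outside a conventional set. It assumes an entropy threshold of 7.4 bits per byte for "looks compressed" (the page gives only the ratio, so the threshold is an assumption), a constructed list of conventional section names, and takes (name, bytes) pairs plus a file size instead of a pefile.PE object. The other two is_suspicious heuristics (import table location, long ASCII strings) are not implemented here.

```python
# Added example: entropy-based packing heuristic and section-name check.
# Not peutils' code; thresholds and the section-name list are assumptions.
import math
from collections import Counter

COMPRESSED_ENTROPY = 7.4   # assumed: bits/byte above which a section looks compressed/encrypted
PACKED_DATA_RATIO = 0.20   # from the page: compressed data must exceed 20% of the file size

# Constructed set of section names commonly emitted by Windows linkers (assumption).
KNOWN_SECTION_NAMES = {
    '.text', '.data', '.rdata', '.idata', '.edata', '.pdata',
    '.reloc', '.rsrc', '.bss', '.tls', '.debug', '.CRT',
}


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compressed_bytes(sections):
    """Total size of sections whose entropy exceeds the compressed threshold."""
    return sum(len(d) for _, d in sections if shannon_entropy(d) > COMPRESSED_ENTROPY)


def is_probably_packed(sections, file_size):
    """Documented rule: high-entropy section data exceeding 20% of the file size.

    sections: list of (section_name, raw_bytes); file_size: total file size in bytes.
    """
    if file_size <= 0:
        return False
    return compressed_bytes(sections) / file_size > PACKED_DATA_RATIO


def unrecognized_sections(sections):
    """Section names not in the conventional set (one is_suspicious heuristic)."""
    return [name for name, _ in sections if name not in KNOWN_SECTION_NAMES]


# Constructed sample layouts. bytes(range(256)) * 4 has entropy exactly 8.0;
# a repeating 3-byte pattern has entropy log2(3) ~= 1.58.
PACKED_SECTIONS = [
    ('.xyz0', bytes(range(256)) * 4),   # 1024 high-entropy bytes, odd name
    ('.rdata', b'\x00' * 512),          # 512 zero bytes
]
PACKED_FILE_SIZE = 2048                 # headers + sections

PLAIN_SECTIONS = [
    ('.text', b'\x55\x8b\xec' * 300),   # low-entropy repetitive code-like bytes
    ('.data', b'\x00' * 100),
]
PLAIN_FILE_SIZE = 1024

if __name__ == '__main__':
    for label, secs, size in (('packed', PACKED_SECTIONS, PACKED_FILE_SIZE),
                              ('plain', PLAIN_SECTIONS, PLAIN_FILE_SIZE)):
        print(label, is_probably_packed(secs, size), unrecognized_sections(secs))
```

A high-entropy section is not proof of packing: resource sections holding images or already-compressed payloads, and legitimately encrypted data, also score near 8 bits per byte, so the ratio test and the section-name check are best read together with import and entry-point evidence rather than on their own.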

peutils.is_valid(pe)