From PEiD To YARA

Published: 2015-03-17. Last Updated: 2015-03-17 14:06:02 UTC
by Didier Stevens (Version: 1)
4 comment(s)

Some time ago, Jim Clausing had a diary entry about PEiD (a packer identifier which is no longer maintained/hosted), and since then he has hosted a PEiD signature database on his handler page.

Now, wouldn't it be great if we could reuse these signatures? For example as YARA rules?

That's why I wrote a Python program that converts PEiD signatures to YARA rules: peid-userdb-to-yara-rules.py

Here is an example:
PEiD signature:

 [!EP (ExE Pack) V1.0 -> Elite Coding Group]
 signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10
 ep_only = true

Generated YARA rule:

 rule PEiD_00001__EP__ExE_Pack__V1_0____Elite_Coding_Group_
 {
     meta:
         description = "[!EP (ExE Pack) V1.0 -> Elite Coding Group]"
         ep_only = "true"
     strings:
         $a = {60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10}
     condition:
         $a
 }

PEiD signatures have an ep_only property that can be true or false. This property specifies if the signature has to be found at the PE file’s entry point (true) or can be found anywhere (false).

Program option -p generates rules that use YARA’s pe module. If a signature has ep_only property equal to true, then the YARA rule’s condition becomes $a at pe.entry_point instead of just $a.

Example:

 import "pe"

 rule PEiD_00001__EP__ExE_Pack__V1_0____Elite_Coding_Group_
 {
     meta:
         description = "[!EP (ExE Pack) V1.0 -> Elite Coding Group]"
         ep_only = "true"
     strings:
         $a = {60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10}
     condition:
         $a at pe.entry_point
 }

I produced two sets of YARA rules based on Jim's database: peid-userdb-rules-with-pe-module.yara and peid-userdb-rules-without-pe-module.yara. As the names imply, the first one uses YARA's PE module and the second one does not. I use the second set of rules when I analyze files that are not PE files, but that can contain (partial) PE files.
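To make the conversion described above concrete, here is a small added converter (example code written for this note, not Didier's peid-userdb-to-yara-rules.py) that parses userdb-style entries and emits rules either with or without the pe module, mirroring the two rule sets. The userdb excerpt is constructed: its first entry is the one quoted in the diary, the second is made up.

```python
import re

# Constructed PEiD userdb excerpt: entry one is from the diary, entry two is
# made up for illustration. This is not Jim's database.
SAMPLE_USERDB = """\
[!EP (ExE Pack) V1.0 -> Elite Coding Group]
signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10
ep_only = true

[Constructed Packer 2.0]
signature = E8 00 00 00 00 5D 83 ED ?? 8D
ep_only = false
"""

def parse_userdb(text):
    """Return a list of (name, signature, ep_only) tuples from PEiD userdb text."""
    entries, name, sig, ep_only = [], None, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            if name and sig:                      # flush the previous entry
                entries.append((name, sig, ep_only))
            name, sig, ep_only = line, None, False
        elif '=' in line and name:
            key, _, value = line.partition('=')
            key, value = key.strip().lower(), value.strip()
            if key == 'signature':
                sig = ' '.join(value.split())     # normalise the byte spacing
            elif key == 'ep_only':
                ep_only = value.lower() == 'true'
    if name and sig:
        entries.append((name, sig, ep_only))
    return entries

def rule_name(index, name):
    """PEiD_00001 followed by the name with every non-alphanumeric character as '_'."""
    return 'PEiD_%05d%s' % (index, re.sub(r'[^A-Za-z0-9]', '_', name))

def to_yara(index, name, sig, ep_only, use_pe_module=False):
    """Emit one rule; with the pe module, ep_only signatures are pinned to the entry point."""
    condition = '$a at pe.entry_point' if ep_only and use_pe_module else '$a'
    description = name.replace('\\', '\\\\').replace('"', '\\"')
    return ('rule %s\n{\n    meta:\n        description = "%s"\n        ep_only = "%s"\n'
            '    strings:\n        $a = {%s}\n    condition:\n        %s\n}'
            % (rule_name(index, name), description, str(ep_only).lower(), sig, condition))

def convert(text, use_pe_module=False):
    """Convert a whole userdb; the pe-module variant needs the import at the top."""
    rules = [to_yara(i, *entry, use_pe_module=use_pe_module)
             for i, entry in enumerate(parse_userdb(text), start=1)]
    return ('import "pe"\n\n' if use_pe_module else '') + '\n\n'.join(rules) + '\n'
```

Calling `convert(SAMPLE_USERDB, use_pe_module=True)` reproduces the second rule shown above for the first entry, while the made-up ep_only = false entry keeps the plain `$a` condition in both variants.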

You can find my YARA rules here.

Keywords: PEiD YARA

Comments

I think that the first link for PEiD to hxxp://peid.has.it/ in the referenced diary from Jim Clausing (https://isc.sans.edu/diary/Python+script+for+packer+identification/3432 ) is no longer any good. I clicked on it and got redirected about 6 times before I was told my Firefox was out of date (it's not) and needed to download some update.
Yup, it looks like the original URL and its successor peid.info have both been abandoned. Too bad it was a great tool.
That is correct, the original PEiD is no longer available.
The only reliable place to get PEiD is from Softpedia. The link is known by Google.
