PEiD rules for packers / cryptors — heuristic packer detection by matching PEiD (YARA) rule names against a list of known packer and protector names
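# Known packer / protector / cryptor names we want to recognise in PEiD rule
# names.  Each entry is compared as a case-insensitive *substring* of the
# matched rule name, so the short generic entries ('crypt', 'pack', 'protect',
# 'tect') are deliberately broad and will also fire on unrelated rule names
# (e.g. 'tect' matches any rule whose name contains "detect"); treat hits on
# those as weak signals and prefer the specific names above them.
# Fixes vs. the original list: 'TSULoader' and 'SVKP' had no comma between
# them, so Python silently joined them into the single entry 'TSULoaderSVKP'
# and neither name could ever match; duplicate entries ('RLPack', 'crypt')
# are dropped so one hit is no longer reported twice.
packers = [
    'AHTeam', 'Armadillo', 'Stelth', 'yodas', 'ASProtect', 'ACProtect', 'PEnguinCrypt',
    'UPX', 'Safeguard', 'VMProtect', 'Vprotect', 'WinLicense', 'Themida', 'WinZip', 'WWPACK',
    'Y0da', 'Pepack', 'Upack', 'TSULoader',
    'SVKP', 'Simple', 'StarForce', 'SeauSFX', 'RPCrypt', 'Ramnit',
    'RLPack', 'ProCrypt', 'Petite', 'PEShield', 'Perplex',
    'PELock', 'PECompact', 'PEBundle', 'NsPack', 'Neolite',
    'Mpress', 'MEW', 'MaskPE', 'ImpRec', 'kkrunchy', 'Gentee', 'FSG', 'Epack',
    'DAStub', 'Crunch', 'CCG', 'Boomerang', 'ASPAck', 'Obsidium', 'Ciphator',
    'Phoenix', 'Thoreador', 'QinYingShieldLicense', 'Stones', 'CrypKey', 'VPacker',
    'Turbo', 'codeCrypter', 'Trap', 'beria', 'YZPack', 'crypt', 'pack',
    'protect', 'tect',
]


def _rule_name(match) -> str:
    """Return the rule name for one entry of a rule-set match result.

    yara-python's ``Rules.match`` returns ``yara.Match`` objects whose rule
    name lives in ``.rule``; a plain ``str`` (as some wrappers return) is
    used as-is.  The original code called ``.lower()`` directly on the match
    object, which raises AttributeError for a ``yara.Match`` and was then
    hidden by the bare ``except`` -- every scan would just print 'error'.
    (Assumes ``peid_rules`` is a yara-python rule set -- confirm against the
    code that builds it.)
    """
    return str(getattr(match, "rule", match))


def detect_packers(matches, known_packers=None):
    """Return the known packer names found in a sequence of PEiD matches.

    ``matches`` is whatever the rule engine returned (match objects with a
    ``.rule`` attribute, or rule-name strings); ``None`` or an empty sequence
    yields an empty list.  ``known_packers`` defaults to the module-level
    ``packers`` list.  The comparison is a case-insensitive substring test of
    each known name against each matched rule name; the result keeps
    ``known_packers`` order and repeats a name once per matched rule, which
    is exactly what the original nested loops printed.

    A PEiD signature hit is only a heuristic: renamed, patched or custom
    packer stubs are not matched, so an empty result does not prove the file
    is unpacked, and a hit on one of the generic entries ('crypt', 'pack',
    'protect', 'tect') can be a false positive.
    """
    names = packers if known_packers is None else known_packers
    found = []
    for match in matches or ():
        rule = _rule_name(match).lower()
        found.extend(name for name in names if name.lower() in rule)
    return found


if __name__ == "__main__":
    # Match the compiled PEiD rule set against the sample.  Only the scan
    # itself is inside the ``try``: the original bare ``except:`` also
    # swallowed KeyboardInterrupt and programming errors (an undefined
    # ``peid_rules``/``exe_file_path``, the ``.lower()`` AttributeError noted
    # above) and printed a bare 'error' with no hint of the cause.  Scanning
    # is passive -- the sample is read, never executed.
    try:
        matches = peid_rules.match(exe_file_path)
    except Exception as exc:  # engine-specific error types are not known here
        print('error')
        print(exc)
    else:
        for packer in detect_packers(matches):
            print('packer detected')
            print(packer)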