From PEiD To YARA
Some time ago, Jim Clausing had a diary entry about PEiD (a packer identifier which is no longer maintained/hosted) and since then he has a PEiD signature database on his handler page.
Now, wouldn't it be great if we could reuse these signatures? For example as YARA rules?
That's why I wrote a Python program that converts PEiD signatures to YARA rules: peid-userdb-to-yara-rules.py
Here is an example:
PEiD signature:
[!EP (ExE Pack) V1.0 -> Elite Coding Group]
signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10
ep_only = true
Generated YARA rule:
rule PEiD_00001__EP__ExE_Pack__V1_0____Elite_Coding_Group_
{
    meta:
        description = "[!EP (ExE Pack) V1.0 -> Elite Coding Group]"
        ep_only = "true"
    strings:
        $a = {60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10}
    condition:
        $a
}
PEiD signatures have an ep_only property that can be true or false. This property specifies if the signature has to be found at the PE file’s entry point (true) or can be found anywhere (false).
Program option -p generates rules that use YARA’s pe module. If a signature has ep_only property equal to true, then the YARA rule’s condition becomes $a at pe.entry_point instead of just $a.
Example:
import "pe"

rule PEiD_00001__EP__ExE_Pack__V1_0____Elite_Coding_Group_
{
    meta:
        description = "[!EP (ExE Pack) V1.0 -> Elite Coding Group]"
        ep_only = "true"
    strings:
        $a = {60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10}
    condition:
        $a at pe.entry_point
}
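To make the conversion concrete, here is an added, independent converter that reproduces the output format shown above; it is example code written for this page, not peid-userdb-to-yara-rules.py itself. It assumes the userdb.txt layout shown in the post (a bracketed description line followed by signature = and ep_only = lines, with ; comment lines), derives the rule name by prefixing PEiD_ and a five-digit counter and replacing every non-alphanumeric character of the description with an underscore (which yields exactly the name in the example), and mirrors the -p option by switching the condition to $a at pe.entry_point only when the pe module is in use. The second entry in the embedded sample database is constructed, not a real PEiD signature.

```python
import re
import sys

# Constructed sample in PEiD userdb.txt layout. The first entry is the one
# from the post; the second is made up here to exercise the ep_only = false path.
SAMPLE_USERDB = """\
; comment lines and blank lines are skipped
[!EP (ExE Pack) V1.0 -> Elite Coding Group]
signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10
ep_only = true

[Constructed example -> may appear anywhere]
signature = 4D 5A 90 00 03 00 ?? ?? 04 00
ep_only = false
"""

# A PEiD signature token is either one hex byte or the ?? wildcard; anything
# else (single ?, odd nibbles) cannot be emitted as a YARA hex string as-is.
TOKEN_RE = re.compile(r'[0-9A-F]{2}|\?\?')


def parse_userdb(text):
    """Return a list of (description, signature, ep_only) from userdb.txt text."""
    entries = []
    desc, sig, ep_only = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            if desc is not None and sig is not None:
                entries.append((desc, sig, ep_only))
            desc, sig, ep_only = line, None, False  # brackets stay in the description
        elif '=' in line:
            key, _, value = line.partition('=')
            key, value = key.strip().lower(), value.strip()
            if key == 'signature':
                sig = ' '.join(value.upper().split())
            elif key == 'ep_only':
                ep_only = value.lower() == 'true'
    if desc is not None and sig is not None:
        entries.append((desc, sig, ep_only))
    return entries


def rule_name(index, desc):
    """PEiD_<5-digit counter> + description with non-alphanumerics turned into '_'."""
    return 'PEiD_%05d%s' % (index, re.sub(r'[^A-Za-z0-9]', '_', desc))


def to_yara_rule(index, desc, sig, ep_only, use_pe_module):
    """Render one PEiD entry as a YARA rule; raise on tokens YARA cannot take."""
    tokens = sig.split()
    if not tokens or not all(TOKEN_RE.fullmatch(t) for t in tokens):
        raise ValueError('unsupported signature token in %s: %s' % (desc, sig))
    # Without the pe module there is no entry point to anchor on, so the
    # rule degrades to a plain "found anywhere" match.
    condition = '$a at pe.entry_point' if (ep_only and use_pe_module) else '$a'
    meta_desc = desc.replace('\\', '\\\\').replace('"', '\\"')
    return '\n'.join([
        'rule %s' % rule_name(index, desc),
        '{',
        '    meta:',
        '        description = "%s"' % meta_desc,
        '        ep_only = "%s"' % ('true' if ep_only else 'false'),
        '    strings:',
        '        $a = {%s}' % sig,
        '    condition:',
        '        %s' % condition,
        '}',
    ])


def convert(text, use_pe_module):
    """Convert a whole userdb.txt into a YARA rule set (string)."""
    rules = [to_yara_rule(i, d, s, e, use_pe_module)
             for i, (d, s, e) in enumerate(parse_userdb(text), start=1)]
    header = ['import "pe"', ''] if use_pe_module else []
    return '\n'.join(header + rules) + '\n'


if __name__ == '__main__':
    with_pe = '-p' in sys.argv[1:]          # -p: use the pe module, as in the post
    paths = [a for a in sys.argv[1:] if a != '-p']
    if paths:
        # Real userdb.txt files are frequently not UTF-8; decode leniently.
        with open(paths[0], encoding='latin-1') as f:
            text = f.read()
    else:
        text = SAMPLE_USERDB
    sys.stdout.write(convert(text, with_pe))
```

Run it as `python convert.py -p userdb.txt > rules.yara` (or without arguments to see the embedded sample). The counter in the rule name keeps rule identifiers unique even when the database contains the same description twice, and the token check stops a malformed signature from producing a rule set that YARA refuses to compile as a whole.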
I produced 2 sets of YARA rules based on Jim's database: peid-userdb-rules-with-pe-module.yara and peid-userdb-rules-without-pe-module.yara. As the names imply, the first one uses YARA's PE module, and the second one does not. I use the second set of rules when I analyze files that are not PE files, but that can contain (partial) PE files.
You can find my YARA rules here.