I would have liked to create a PEiD signature for PE files created with PyInstaller, because then I could just use my pecheck tool (it's essentially a wrapper for pefile). But testing this YARA rule I created is much easier for me than testing a PEiD rule. So I made a few changes to pecheck so that it also supports YARA rules, and overlays. Here I use it on a PE file created with PyInstaller (together with the YARA rule to detect such PE files). The output tells you that the PE file has an overlay (2.4 MB in size, which is 95.15% of the PE file) and that the YARA rule to detect PE files created with PyInstaller triggered (PE_File_pyinstaller).
Didier Stevens, ISC Handler, May 21st 2016
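The two facts pecheck reports above, overlay size (with its share of the file) and a PyInstaller match inside that overlay, as an added example in plain Python; this is not pecheck's code and not the diary's YARA rule (whose body is not shown). The cookie magic is assumed from the PyInstaller bootloader source, and the sample PE is constructed inline rather than taken from a real build:

```python
import struct

# Assumption: the CArchive cookie magic from the PyInstaller bootloader source,
# not the body of the diary's PE_File_pyinstaller rule (which is not shown).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def overlay_offset(data: bytes) -> int:
    """Offset where the overlay begins: the end of the last raw section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first_section = coff + 20 + opt_size
    end = first_section + 40 * num_sections  # never earlier than the headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, first_section + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def analyze(data: bytes) -> dict:
    """Report overlay size, its share of the file, and the PyInstaller cookie."""
    overlay = data[overlay_offset(data):]
    return {
        "overlay_size": len(overlay),
        "overlay_percent": round(100.0 * len(overlay) / len(data), 2),
        "pyinstaller": PYINSTALLER_MAGIC in overlay,
    }


def build_sample(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE: one 0x200-byte section at file offset 0x200."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    section = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + b"\0" * 0xE0 + section
    return headers.ljust(0x200, b"\0") + b"\x90" * 0x200 + overlay


if __name__ == "__main__":
    print(analyze(build_sample(b"junk" + PYINSTALLER_MAGIC + b"\0" * 12)))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `analyze`; a large overlay percentage alone is not proof of PyInstaller, which is why the cookie check is reported separately.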