Karsten Hahn edited this page Mar 17, 2021 · 4 revisions

Signature Scanning

Searches for signatures of compilers and packers in a PE file. The epOnly flag determines whether the scanner looks for signatures only at the entry point (faster, and less prone to false positives because packer and compiler stubs sit at the entry point) or searches the whole file (slower and more likely to match by chance, but useful if an entry-point scan finds nothing).

import java.io.File;
import java.util.List;
import com.github.katjahahn.tools.sigscanner.SignatureScanner; // package name as in PortEx; adjust if your version differs

// Scanner backed by the default signature database
SignatureScanner scanner = SignatureScanner.newInstance();
// true: match at the entry point only; false: search the whole file
boolean epOnly = true;
File file = new File("peid.exe");
List<String> results = scanner.scanAll(file, epOnly);
for (String signature : results) {
    System.out.println(signature);
}

The default implementation uses the userdb.txt database from PEiD. However, you can load and use your own database written in the same userdb.txt format (a [Name] header, a signature line of hex bytes with ?? wildcards, and an ep_only flag per entry):

// Parse a PEiD-format database and build a scanner that uses it instead of the default one
List<Signature> signatures = SignatureScanner.loadSignatures(new File("testuserdb.txt"));
SignatureScanner scanner = new SignatureScanner(signatures);
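As an added illustration of what the two scan modes do (stand-alone Python, not PortEx code and not its implementation), the following parses a small database written in the PEiD userdb.txt format, turns each signature into a byte pattern with ?? wildcards, and runs it in entry-point-only and whole-file mode over a constructed buffer. The database entries, the buffer contents and the entry-point offset are invented for the demonstration; only full-byte ?? wildcards are handled, and the scan does not consult the entry's own ep_only hint, it just reports it.

```python
"""Added example, not PortEx code: PEiD-style signature scanning, EP-only vs whole file."""
import re
from typing import List, NamedTuple

# Constructed database in PEiD userdb.txt format. The names and byte patterns
# are invented for this demonstration, not real packer signatures.
SAMPLE_USERDB = """
; comment lines start with a semicolon
[Demo Packer v1]
signature = 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ??
ep_only = true

[Demo Compiler Stub]
signature = 55 8B EC 83 EC ?? 53 56 57
ep_only = true

[Demo Overlay Marker]
signature = 4F 56 45 52 4C 41 59
ep_only = false
"""


class Signature(NamedTuple):
    name: str
    pattern: bytes   # bytes regex; '??' tokens became '.'
    ep_only: bool    # the database's hint that this pattern belongs at the entry point


class Match(NamedTuple):
    name: str
    address: int
    ep_only: bool


def _compile(tokens: List[str]) -> bytes:
    # Full-byte wildcards only; nibble wildcards such as '6?' are not handled here.
    return b"".join(b"." if t == "??" else b"\\x%02x" % int(t, 16) for t in tokens)


def load_signatures(text: str) -> List[Signature]:
    """Parse userdb.txt text: [Name] / signature = .. / ep_only = true|false."""
    sigs, name, tokens, ep_only = [], None, None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if name is not None and tokens:
                sigs.append(Signature(name, _compile(tokens), ep_only))
            name, tokens, ep_only = line[1:-1], None, True
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "signature":
            tokens = value.split()
        elif key == "ep_only":
            ep_only = value.lower() == "true"
    if name is not None and tokens:
        sigs.append(Signature(name, _compile(tokens), ep_only))
    return sigs


def scan(data: bytes, entry_point: int, sigs: List[Signature], ep_only: bool) -> List[Match]:
    """ep_only=True anchors every pattern at entry_point (fast, few false positives).
    ep_only=False searches the whole buffer, which also reports patterns that merely
    occur somewhere in the data."""
    hits = []
    for s in sigs:
        rx = re.compile(s.pattern, re.DOTALL)   # DOTALL so '.' also matches 0x0A
        if ep_only:
            if rx.match(data, entry_point):
                hits.append(Match(s.name, entry_point, s.ep_only))
        else:
            hits.extend(Match(s.name, m.start(), s.ep_only) for m in rx.finditer(data))
    return hits


def build_sample(entry_point: int = 0x200, size: int = 0x600) -> bytes:
    """Constructed file image (not a valid PE): an entry stub at entry_point plus
    two patterns elsewhere that only a whole-file scan can find."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    stub = bytes.fromhex("60E8000000005D81ED00104000")       # matches Demo Packer v1
    buf[entry_point:entry_point + len(stub)] = stub
    buf[0x400:0x409] = bytes.fromhex("558BEC83EC10535657")  # Demo Compiler Stub, away from EP
    buf[0x500:0x507] = b"OVERLAY"                           # Demo Overlay Marker
    return bytes(buf)


if __name__ == "__main__":
    sigs = load_signatures(SAMPLE_USERDB)
    image = build_sample()
    for mode in (True, False):
        print(f"epOnly={mode}:")
        for m in scan(image, 0x200, sigs, mode):
            print(f"  {m.name} @ 0x{m.address:x} (ep_only sig: {m.ep_only})")
```

With epOnly=True only the packer stub at the entry point is reported; the whole-file scan additionally returns the compiler stub and the overlay marker, which is exactly the trade-off described above: more hits, some of which may be coincidental byte sequences rather than evidence of a packer.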

Java Wrapper Scanning

Scanning and dumping of embedded JAR/ZIP/.class files

Jar2ExeScanner enables you to scan for Java-to-EXE wrappers in a PE file. You can create a scan report like this:

Jar2ExeScanner scanner = new Jar2ExeScanner(new File("launch4jexe.exe"));
System.out.println(scanner.createReport());

You can dump embedded files found in the PE. The following example writes every embedded JAR or ZIP archive to its own file; open each dump as a ZIP archive afterwards to confirm it was carved intact.

// Start address of every embedded archive detected in the PE
List<Long> addresses = scanner.getZipAddresses();
int i = 0;
for (Long address : addresses) {
    i++;
    // Write the archive that starts at this address to dumped1.jar, dumped2.jar, ...
    scanner.dumpAt(address, new File("dumped" + i + ".jar"));
}

Detailed information on the signatures found during the scan can be retrieved like this:

Jar2ExeScanner j2eScanner = new Jar2ExeScanner(new File("launch4jexe.exe"));
List<MatchedSignature> result = j2eScanner.scan();
for (MatchedSignature sig : result) {
    System.out.println("name: " + sig.getName());           // wrapper the signature belongs to
    System.out.println("address: " + sig.getAddress());     // file offset where it matched
    System.out.println("epOnly: " + sig.isEpOnly());        // whether it is an entry-point signature
    System.out.println("signature: " + sig.getSignature()); // the byte pattern that matched
    System.out.println();
}
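The addresses handed to dumpAt above are archive start offsets, and an embedded ZIP/JAR can be recovered from a wrapper image by walking the ZIP structure itself. The stand-alone Python below is an added illustration of that technique, not PortEx's implementation of getZipAddresses or dumpAt: it builds a constructed wrapper image with a tiny in-memory JAR embedded after a fake stub, locates each end-of-central-directory (EOCD) record, derives the archive start from the central-directory size and offset stored there, carves exactly that span, and verifies the result opens as a consistent ZIP. It also counts raw PK\x03\x04 local-header hits to show why a naive header scan fires once per entry rather than once per archive. The stub bytes, padding and JAR contents are invented for the demonstration.

```python
"""Added example, not PortEx code: carve an embedded ZIP/JAR from a wrapper image."""
import io
import struct
import zipfile
from typing import List, Tuple

LOCAL_HEADER = b"PK\x03\x04"   # start of every ZIP entry
EOCD = b"PK\x05\x06"           # end-of-central-directory record (22 bytes + comment)
EOCD_FMT = "<4sHHHHIIH"        # sig, disk, cd_disk, entries_disk, entries, cd_size, cd_offset, comment_len
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22

# Constructed wrapper image: a fake stub in front of the archive, padding behind it.
STUB = b"MZ" + b"\x00" * 0x3FE + b"WRAPPER STUB" + b"\x00" * 0x200
TRAILER = b"\x00" * 0x40


def make_jar() -> bytes:
    """Tiny JAR built in memory (member contents are placeholders, not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Demo\n")
        z.writestr("Demo.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 16)
    return buf.getvalue()


def build_sample() -> bytes:
    return STUB + make_jar() + TRAILER


def count_local_headers(data: bytes) -> int:
    """A naive 'PK\\x03\\x04' scan fires once per entry, not once per archive."""
    return data.count(LOCAL_HEADER)


def find_embedded_archives(data: bytes) -> List[Tuple[int, int]]:
    """Return (start, end) byte spans of ZIP archives embedded anywhere in data.

    Each archive is located from its EOCD record: the central directory sits
    immediately before the EOCD, and cd_offset in the EOCD is relative to the
    archive start, so start = (eocd - cd_size) - cd_offset.
    """
    spans = []
    pos = 0
    while True:
        e = data.find(EOCD, pos)
        if e < 0 or e + EOCD_LEN > len(data):
            break
        pos = e + 1
        _sig, _disk, _cd_disk, _n, _total, cd_size, cd_offset, comment_len = \
            struct.unpack_from(EOCD_FMT, data, e)
        start = e - cd_size - cd_offset
        end = e + EOCD_LEN + comment_len
        # Reject stray 'PK\x05\x06' bytes that do not describe a real archive
        if start < 0 or end > len(data) or data[start:start + 4] != LOCAL_HEADER:
            continue
        spans.append((start, end))
    return spans


def carve(data: bytes, span: Tuple[int, int]) -> bytes:
    start, end = span
    return data[start:end]


def verify_jar(blob: bytes) -> List[str]:
    """Fail loudly if the carved bytes are not a consistent ZIP; otherwise list members."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        bad = z.testzip()
        if bad is not None:
            raise ValueError(f"corrupt member: {bad}")
        return z.namelist()


if __name__ == "__main__":
    image = build_sample()
    print("local headers:", count_local_headers(image))
    for i, span in enumerate(find_embedded_archives(image), 1):
        blob = carve(image, span)
        print(f"archive {i} at 0x{span[0]:x}-0x{span[1]:x}: {verify_jar(blob)}")
```

Carving to the end of the EOCD record (plus its comment) rather than to end of file matters when the wrapper appends its own data after the archive; the verification step catches a dump whose central directory no longer lines up with its entries.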