Detecting Packers in Network Streams with Pynids and Pefile

To step away from using Snort as a base for detecting binary packers, I decided on a more direct approach: use a library (pynids) that handles TCP stream reassembly within Python, take the reassembled data once the connection has closed, and scan it with pefile. The Python script, which I call nPEiD (network PEiD), can either scan a pcap passed in as an argument or sniff on an interface (default is eth0).

Example Output:

famousjs@youbantoo:~/npeid$ ./npeid.py out.pcap
['UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser']

Download: http://www.malforge.com/npeid/npeid.zip

*UPDATE - Added HTTP gzip encoding and FTP handling.
Old version located at npeid/npeid_orig.zip

-Added '-e' option to extract and save binaries.
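To show the scanning step and the two stream cases the update mentions (an HTTP response with Content-Encoding: gzip, and a raw file body such as an FTP data channel), here is an added example that is not nPEiD's code and does not use pynids or pefile. It stands in for the part of the pipeline that runs after reassembly: it takes a complete server-to-client stream as bytes, unwraps HTTP/gzip if present, walks the PE headers to the entry point the way pefile would, and compares the entry-point bytes against PEiD userdb.txt-style signatures. The signature record, the minimal PE image and the HTTP response are all constructed for the example; the signature name is a placeholder and is not the entry that produced the UPX 2.90 hit shown above.

```python
import gzip
import struct

# PEiD userdb.txt style record. CONSTRUCTED for this example: the pattern is
# chosen to match the sample stub below, and the name is a placeholder.
SAMPLE_USERDB = """
[UPX -> constructed sample signature]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true
"""

def parse_userdb(text):
    """Parse [name] / signature = / ep_only = records into (name, pattern, ep_only)."""
    sigs, name, pattern, ep_only = [], None, None, True
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            if name and pattern:
                sigs.append((name, pattern, ep_only))
            name, pattern, ep_only = line[1:-1], None, True
        elif line.lower().startswith('signature'):
            pattern = [None if t == '??' else int(t, 16)
                       for t in line.split('=', 1)[1].split()]
        elif line.lower().startswith('ep_only'):
            ep_only = line.split('=', 1)[1].strip().lower() == 'true'
    if name and pattern:
        sigs.append((name, pattern, ep_only))
    return sigs

SIGS = parse_userdb(SAMPLE_USERDB)

def pe_entry_point_offset(data):
    """File offset of AddressOfEntryPoint, or None if data is not a parsable PE32."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return None
    try:
        e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
            return None
        coff = e_lfanew + 4                                  # COFF file header
        nsec = struct.unpack_from('<H', data, coff + 2)[0]   # NumberOfSections
        opt_size = struct.unpack_from('<H', data, coff + 16)[0]
        opt = coff + 20                                      # optional header
        ep_rva = struct.unpack_from('<I', data, opt + 16)[0] # AddressOfEntryPoint
        sec = opt + opt_size                                 # section table
        for i in range(nsec):
            vsize, va, rawsize, rawptr = struct.unpack_from('<IIII', data, sec + 40 * i + 8)
            if va <= ep_rva < va + max(vsize, rawsize):      # RVA -> file offset
                return rawptr + (ep_rva - va)
    except struct.error:
        pass                                                  # truncated headers
    return None

def matches_at(data, off, pattern):
    return off + len(pattern) <= len(data) and all(
        p is None or data[off + i] == p for i, p in enumerate(pattern))

def scan_pe(data, sigs):
    """Names of signatures matching at the entry point (anywhere, if not ep_only)."""
    ep = pe_entry_point_offset(data)
    if ep is None:
        return []
    hits = []
    for name, pattern, ep_only in sigs:
        offsets = [ep] if ep_only else range(len(data) - len(pattern) + 1)
        if any(matches_at(data, o, pattern) for o in offsets):
            hits.append(name)
    return hits

def extract_payload(stream):
    """File body carried by a reassembled server->client stream: strips HTTP headers
    and gunzips a Content-Encoding: gzip body; anything else (e.g. an FTP data
    channel) is treated as the raw file. Undecodable bodies yield b''."""
    if not stream.startswith(b'HTTP/'):
        return stream
    head, sep, body = stream.partition(b'\r\n\r\n')
    if not sep:
        return b''
    headers = {}
    for line in head.split(b'\r\n')[1:]:
        k, _, v = line.partition(b':')
        headers[k.strip().lower()] = v.strip().lower()
    if headers.get(b'content-encoding') == b'gzip':
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError):
            return b''
    return body

def scan_stream(stream, sigs=SIGS):
    return scan_pe(extract_payload(stream), sigs)

# CONSTRUCTED samples: a minimal PE32 with one section 'UPX1' at RVA 0x1000 /
# file offset 0x200 whose first bytes are the entry point, plus two stubs.
UPX_STUB = bytes.fromhex('60BE00904000' '8DBE0080FFFF' '5783CDFF')   # matches pattern
CLEAN_STUB = bytes.fromhex('558BEC83EC10')                            # push ebp; mov ebp,esp

def build_sample_pe(entry_code):
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)               # e_lfanew = 0x40
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack('<HBBIIII', 0x10B, 0, 0, 0x200, 0, 0, 0x1000).ljust(224, b'\0')
    sec = b'UPX1'.ljust(8, b'\0') + struct.pack('<IIIIIIHHI', 0x1000, 0x1000, 0x200,
                                                 0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + sec).ljust(0x200, b'\0') + entry_code.ljust(0x200, b'\0')

def http_gzip_response(body):
    gz = gzip.compress(body)
    return (b'HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n'
            b'Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n' % len(gz)) + gz

if __name__ == '__main__':
    print(scan_stream(http_gzip_response(build_sample_pe(UPX_STUB))))   # HTTP + gzip
    print(scan_stream(build_sample_pe(UPX_STUB)))                       # raw (FTP-style)
    print(scan_stream(build_sample_pe(CLEAN_STUB)))                     # no packer hit
```

The decision to decompress only when the response headers say Content-Encoding: gzip mirrors why the update was needed: a gzip-wrapped binary has no MZ/PE header in the raw stream, so an entry-point scan on the undecoded bytes silently misses it. The ep_only flag matters for cost as much as accuracy: an entry-point-only signature is a single comparison per file, whereas a whole-image search is a scan over every offset.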
