Consider migrate the PEFile signatures functionality from peutils/peid to YARA signatures #185

wesinator · 2024-11-28T18:40:28Z

Feature

Cuckoo inherits the pre-processing PE packer and linker signature identification from the pefile / peutils module, which leverages signatures in the old PEiD sig format (really an ini format).
The peid sigs can have low fidelity packer identification (e.g. cuckoosandbox/cuckoo#2538 (comment)), and the mechanism is somewhat opaque compared with more modern frameworks like YARA

Proposed solution

Rip out the peutils sigdb code that is within the PEFile class, the old peutils/userdb.txt peid sig format file, and replace it with a YARA ruleset that can be run using the existing yara processing module.

The peid_signatures field would get collapsed into signatures

Alternative would be to leave the peutils sigdb file in place and maintain it as needed.

The text was updated successfully, but these errors were encountered:

cert-ee-raidar · 2024-12-02T08:16:05Z

@wesinator
Thank you for submitting the proposal.
We will look into this first chance we get and I will get back to you with an answer.

wesinator mentioned this issue Nov 28, 2024

peid_signatures db file - use db version from packing-box #186

Merged

1 task

cert-ee-raidar added the enhancement New feature or request label Dec 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Consider migrate the PEFile signatures functionality from peutils/peid to YARA signatures #185

Consider migrate the PEFile signatures functionality from peutils/peid to YARA signatures #185

wesinator commented Nov 28, 2024

cert-ee-raidar commented Dec 2, 2024

Consider migrate the PEFile signatures functionality from peutils/peid to YARA signatures #185

Consider migrate the PEFile signatures functionality from peutils/peid to YARA signatures #185

Comments

wesinator commented Nov 28, 2024

Feature

Proposed solution

cert-ee-raidar commented Dec 2, 2024