PE-Sig

PE-Sig is a security tool that helps analysts identify malicious signatures in executable files known to carry embedded malware. PE-Sig is written in Ruby and uses the PE parsing and signature library from within Metasploit 3. It automatically generates PE section signatures for known PE packers, in a form appropriate for loading into ClamAV.


Example of How it Works

When PE-Sig processes a file that was packed with pklite, it generates the following output:

16384:39ae378e47f13ceecca20d06201d0cc1:SIGNATURE__.pklstb__PKLITE32v1.1 [535]

Note that this is very similar to a signature that was released in mid-2008:

16384:39ae378e47f13ceecca20d06201d0cc1:Trojan.Downloader

When processing PE files that might not be packed, or that come from a packer we currently do not have signatures for, the output lists all of the sections of the PE file:

157105664:8d85afc534f0b55fde3781a34ee8d995:UNKNOWN__.rsrc
34304:ae582babaad5a738c32ad1c074e1f3e2:UNKNOWN__.text
1024:730893b14fc930a187215e7fb53bc0a5:UNKNOWN__.data

Based on our knowledge of the file being processed with PE-Sig, we know the packed data exists in .rsrc. The first thing to do would be to find an appropriate signature for the packing portion of the executable and add it to the signature list, specifying that .rsrc is the location of the packed data. The next time we run across this packer, we won't have to remember what it is or where its data is stored. The work will have already been done.
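
How per-section lines of the shape shown above can be produced, as an added example that is not PE-Sig's own code: it walks the PE section table by hand instead of using the Metasploit PE library and returns one `size:md5:label__section` line per section. The names `section_signatures` and `sample_pe` and the two-section sample file are constructed for illustration, and hashing each section's raw bytes with MD5 is an assumption based on the 32-hex-digit field in the output above.

```ruby
require 'digest'

# Added example, not PE-Sig's code: walks the PE headers by hand rather than
# using the Metasploit PE library, and returns "size:md5:label__section" lines.
def section_signatures(data, label = 'UNKNOWN')
  data = data.b                                   # index by byte, not character
  raise ArgumentError, 'not an MZ file' unless data[0, 2] == 'MZ' && data.bytesize >= 0x40
  pe_off = data[0x3c, 4].unpack1('V')             # e_lfanew
  unless data[pe_off, 4] == "PE\0\0" && data.bytesize >= pe_off + 24
    raise ArgumentError, 'missing or truncated PE header'
  end
  nsec     = data[pe_off + 6, 2].unpack1('v')     # NumberOfSections
  opt_size = data[pe_off + 20, 2].unpack1('v')    # SizeOfOptionalHeader
  table    = pe_off + 24 + opt_size               # start of the section table
  (0...nsec).map do |i|
    hdr = data[table + i * 40, 40].to_s
    raise ArgumentError, 'truncated section table' if hdr.bytesize < 40
    name = hdr[0, 8].delete("\0")
    raw_size, raw_ptr = hdr[16, 8].unpack('VV')   # SizeOfRawData, PointerToRawData
    body = data[raw_ptr, raw_size].to_s
    raise ArgumentError, "section #{name} runs past end of file" if body.bytesize != raw_size
    # Assumption: the hash field is the MD5 of the section's raw bytes.
    "#{raw_size}:#{Digest::MD5.hexdigest(body)}:#{label}__#{name}"
  end
end

# Constructed sample: a minimal two-section PE layout (headers plus filler
# bytes, no optional header), built only to exercise the parser offline.
def sample_pe
  dos  = 'MZ'.b.ljust(0x3c, "\0") + [0x40].pack('V')
  coff = "PE\0\0".b + [0x14c, 2, 0, 0, 0, 0, 0x102].pack('vvVVVvv')
  sec  = lambda { |n, size, ptr| [n, size, 0, size, ptr].pack('a8VVVV') + "\0" * 16 }
  hdrs = dos + coff + sec.call('.text', 512, 0x200) + sec.call('.rsrc', 1024, 0x400)
  hdrs.ljust(0x200, "\0") + 'A' * 512 + 'B' * 1024
end

puts section_signatures(sample_pe) if $PROGRAM_NAME == __FILE__
```

Passing a different `label` (for example once a packer has been identified) changes only the name field, which mirrors the UNKNOWN versus SIGNATURE prefixes in the outputs above.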