
  • 1 month later...
Posted

Mobius's example was very relevant to what I was after; I added a few other compressor signature strings to his function.

$Test = _IsPKD(@DesktopDir & "\1.exe", 1)
If @error Then
    MsgBox(0, "compressor detector", "Not a readable PE file (error " & @error & ")")
Else
    MsgBox(0, "compressor detector", $Test[0] & @CRLF & $Test[1])
EndIf

; _IsPKD - look for packer/compressor marker strings in a PE file.
;   $iDeep = 0 : scan only the first 1024 bytes, return 1 (hit) or 0 (no hit)
;   $iDeep = 1 : scan the whole file, return an array [indicator count, packer name]
;   @extended  : number of times the packer's second marker occurred
;   @error     : 1 = file could not be opened, 2 = no MZ header, 3 = nothing matched
Func _IsPKD($sFilePath, $iDeep = 0)
    Local $iValue[2] = [0, False], $sData, _
            $hFileOpen = FileOpen($sFilePath, 16) ; 16 = binary mode
    If $hFileOpen = -1 Then Return SetError(1, 0, -1)
    ; In binary mode FileRead returns a Binary variant, so convert it before
    ; comparing with the "MZ" DOS header magic.
    If BinaryToString(FileRead($hFileOpen, 2)) <> "MZ" Then
        FileClose($hFileOpen)
        Return SetError(2, 0, 0)
    EndIf
    FileSetPos($hFileOpen, 0, 0)
    Switch $iDeep
        Case True
            $sData = FileRead($hFileOpen)       ; whole file
        Case Else
            $sData = FileRead($hFileOpen, 1024) ; headers only
    EndSwitch
    FileClose($hFileOpen)
    ; $sData is Binary; StringInStr/StringReplace see it as its "0x4D5A..." hex text,
    ; which is why every marker below is written as hex ('555058' = "UPX").
    ; StringReplace with identical search and replace strings is used only for its
    ; @extended result: the number of occurrences of the second marker.
    ; Two caveats: short ASCII markers such as 'UPX' or 'PEC2' can also occur in
    ; unpacked files, and because the search runs over hex text a match may start
    ; at an odd nibble, i.e. not on a byte boundary. A hit is a hint, not proof.
    Select
        Case StringInStr($sData, '58436F6D70', 2, 1) ;XCompw
            StringReplace($sData, 'C00000D02E58436F6D70', 'C00000D02E58436F6D70', 0, 2)
            If $iDeep = 0 Then Return SetError(0, @extended, 1)
            $iValue[0] += 1
            $iValue[1] = "XCompw"
        Case StringInStr($sData, '585061636B', 2, 1) ;XPackw
            StringReplace($sData, 'D02E585061636B', 'D02E585061636B', 0, 2)
            If $iDeep = 0 Then Return SetError(0, @extended, 1)
            $iValue[0] += 1
            $iValue[1] = "XPackw"
        Case StringInStr($sData, '5757503332', 2, 1) ;wwpack
            StringReplace($sData, '57575061636B3332', '57575061636B3332', 0, 2)
            If $iDeep = 0 Then Return SetError(0, @extended, 1)
            $iValue[0] += 1
            $iValue[1] = "wwpack"
        Case StringInStr($sData, '2E524C5061636B00', 2, 1) ;RLPack
            StringReplace($sData, '7061636B6564', '7061636B6564', 0, 2)
            If $iDeep = 0 Then Return SetError(0, @extended, 1)
            $iValue[0] += 1
            $iValue[1] = "RLPack"
        Case StringInStr($sData, '6E737061636B', 2, 1) ;nSpack
            StringReplace($sData, '6E737030', '6E737030', 0, 2)
            If $iDeep = 0 Then Return SetError(0, @extended, 1)
            $iValue[0] += 1
            $iValue[1] = "nSpack"
        Case StringInStr($sData, '557061636B', 2, 1) Or StringInStr($sData, 'C80346382BC7ABE2E55E', 2, 1) ;WinUpackE
            StringReplace($sData, 'C075FB380674EA8B', 'C075FB380674EA8B', 0, 2)
            If $iDeep = 0 Then Return SetError(0, @extended, 1)
            $iValue[0] += 1
            $iValue[1] = "WinUpackE"
        Case StringInStr($sData, '65786533327061636B20', 2, 1) ;exe32pack
            StringReplace($sData, '65786533327061636B20', '65786533327061636B20', 0, 2)
            If $iDeep = 0 Then Return SetError(0, @extended, 1)
            $iValue[0] += 1
            $iValue[1] = "exe32pack"
        Case StringInStr($sData, '46534721', 2, 1) ;FSG
            StringReplace($sData, 'C073FA753A', 'C073FA753A', 0, 2) ;Maybe shouldn't use this value
            If $iDeep = 0 Then Return SetError(0, @extended, 1)
            $iValue[0] += 1
            $iValue[1] = "FSG"
        Case StringInStr($sData, '61737061636B', 2, 1) ;ASPack
            StringReplace($sData, '00400000E000', '00400000E000', 0, 2) ;Maybe shouldn't use this value
            If $iDeep = 0 Then Return SetError(0, @extended, 1)
            $iValue[0] += 1
            $iValue[1] = "ASPack"
        Case StringInStr($sData, '50454332', 2, 1) ;PECompact
            StringReplace($sData, '5045436F6D70616374', '5045436F6D70616374', 0, 2)
            If $iDeep = 0 Then Return SetError(0, @extended, 1)
            $iValue[0] += 1
            $iValue[1] = "PECompact"
        Case StringInStr($sData, '555058', 2, 1) ;UPX
            StringReplace($sData, '555058', '555058', 0, 2)
            If $iDeep = 0 Then Return SetError(0, @extended, 1)
            $iValue[0] += 1
            $iValue[1] = "UPX"
        Case StringInStr($sData, '4D5052455353', 2, 1) ;MPress
            StringReplace($sData, '4D5052455353', '4D5052455353', 0, 2)
            If $iDeep = 0 Then Return SetError(0, @extended, 1)
            $iValue[0] += 1
            $iValue[1] = "MPress"
        Case Else
            If $iDeep = 0 Then Return SetError(3, 0, 0)
    EndSelect
    If @extended Then $iValue[0] += 1
    Return SetError(0, @extended, $iValue)
EndFunc   ;==>_IsPKD
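The AutoIt function above keys entirely on marker strings found anywhere in the file. As an added example that is not part of this post or of Mobius's function, the Python below walks the PE section table and adds two structural signals the string search lacks: packer-style section names and the byte entropy of each section. Everything it analyses is a synthetic PE image assembled in memory (constructed test input, not a real executable), the section-name table is a short illustrative list rather than a complete signature database, and the `build_pe`, `detect_packer` and `scan_strings` names are this example's own. It also re-implements the post's substring search so the two clean-file outcomes can be compared side by side.

```python
"""PE packer heuristics: section names, entropy and the post's string search.

Added example, not the forum's AutoIt code. Everything it analyses is a
synthetic PE image assembled in memory, so it runs offline.
"""
import math
import struct
from typing import Dict, List

# Section names that well-known packers leave behind. Assumption: a short,
# illustrative list, not a complete signature database.
PACKER_SECTION_NAMES = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS",
    ".nsp0": "nSpack", ".nsp1": "nSpack", ".nsp2": "nSpack",
    ".packed": "RLPack", ".RLPack": "RLPack",
}

# Some of the hex signatures from the AutoIt post, decoded to the ASCII they stand for.
STRING_SIGNATURES = {
    b"UPX": "UPX", b"MPRESS": "MPress", b"PEC2": "PECompact", b"FSG!": "FSG",
    b"aspack": "ASPack", b"nspack": "nSpack", b".RLPack\0": "RLPack",
}

HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> List[Dict[str, object]]:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fields = struct.unpack_from("<HHIIIHH", image, coff)
    num_sections, size_opt = fields[1], fields[5]
    off = coff + 20 + size_opt
    sections = []
    for _ in range(num_sections):
        if off + 40 > len(image):
            raise ValueError("section table runs past end of file")
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "data": image[raw_ptr:raw_ptr + raw_size] if raw_size else b"",
        })
        off += 40  # sizeof(IMAGE_SECTION_HEADER)
    return sections


def scan_strings(image: bytes) -> List[str]:
    """The post's approach: a packer marker anywhere in the file counts as a hit."""
    return sorted({name for sig, name in STRING_SIGNATURES.items() if sig in image})


def detect_packer(image: bytes) -> Dict[str, object]:
    """Structural verdict: a known packer section name, or a high-entropy section
    next to a section that is mapped in memory but has no data on disk."""
    packer, reasons = None, []
    high_entropy = virtual_only = False
    for s in parse_sections(image):
        if s["name"] in PACKER_SECTION_NAMES:
            packer = PACKER_SECTION_NAMES[s["name"]]
            reasons.append(f"section name {s['name']!r}")
        if s["raw_size"] and shannon_entropy(s["data"]) >= HIGH_ENTROPY:
            high_entropy = True
            reasons.append(f"high entropy in {s['name']!r}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            virtual_only = True  # room reserved for the unpacked image
            reasons.append(f"{s['name']!r} is mapped but has no raw data")
    return {"packer": packer,
            "packed": packer is not None or (high_entropy and virtual_only),
            "reasons": reasons, "string_hits": scan_strings(image)}


def build_pe(sections) -> bytes:
    """Assemble a minimal synthetic PE32 image (constructed test input).
    `sections` is a list of (name, virtual_size, raw_data) tuples."""
    e_lfanew, size_opt, align = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    first_raw = (e_lfanew + 4 + 20 + size_opt + 40 * len(sections) + align - 1) & ~(align - 1)
    table, body, vaddr = b"", b"", 0x1000
    for name, vsize, data in sections:
        raw_ptr = first_raw + len(body) if data else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        vaddr += (max(vsize, len(data)) + 0xFFF) & ~0xFFF
    headers = dos + b"PE\0\0" + coff + b"\0" * size_opt + table
    return headers + b"\0" * (first_raw - len(headers)) + body


# Constructed samples. COMPRESSED_LIKE holds every byte value exactly twice,
# so its entropy is exactly 8.0 bits per byte, like real compressed output.
COMPRESSED_LIKE = bytes((i * 167 + 13) & 0xFF for i in range(512))
PACKED_SAMPLE = build_pe([("UPX0", 0x8000, b""), ("UPX1", 0x2000, COMPRESSED_LIKE)])
# A clean file: NOP sled plus RET, and a string that merely contains "UPX".
CLEAN_SAMPLE = build_pe([(".text", 0x200, b"\x90" * 511 + b"\xC3"),
                         (".rdata", 0x40, b"GROUPXYZ export table\0")])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, detect_packer(img))
```

On the clean sample the substring scan still reports "UPX" because the letters occur inside an unrelated string, while the structural check finds no packer section name, no high-entropy section and no virtual-only section. The two views are complementary: the marker strings identify which packer, the section layout and entropy say whether the file is packed at all.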
  • 6 months later...
Posted

I came up with another method using work done by trancexx; is this a good way of going about this? In the process I even added other miscellaneous detections, but aside from that, it seems to detect most packed PE files I've encountered.

PACKED file detector.rar

  • 7 months later...
Posted

I've updated the syntax of both functions as well as the documentation headers. See the original post for more details.

UDF List:


Updated: 22/04/2018
