Friday, January 8, 2010

PE Section md5 - pe-sig ruby script

For malware analysis, a per-section PE MD5 is far more useful than a plain MD5 of the whole file. pe-sig is a Ruby script that calculates the MD5 of each PE section using the Metasploit (Rex) library functions. The script can be downloaded from the SourceFire blog: http://vrt-sourcefire.blogspot.com/2009/03/generating-virus-signatures-automated.html

I have tested the script with Metasploit 3.3.3 (the latest version), 3.2 and 3.0. It failed to execute correctly, with the error shown below:

./pe-sig:44: undefined method `sigs' for #<Rex::PeScan::Analyze::Fingerprint:0xb7d1ac38> (NoMethodError)
        from ./pe-sig:33:in `each'
        from ./pe-sig:33

With the following modification, pe-sig executes correctly:
- add this line after the 'require' statements

module Rex; module PeScan; module Analyze; class Fingerprint; attr_accessor :sigs; end; end; end; end

The top of the script then reads:

require 'digest/md5'
require 'rex/peparsey'
require 'rex/pescan'
# reopen Rex::PeScan::Analyze::Fingerprint and expose its @sigs instance variable,
# which pe-sig reads at line 44 but which this Metasploit version does not provide
module Rex; module PeScan; module Analyze; class Fingerprint; attr_accessor :sigs; end; end; end; end

# location of your local signatures
local_sigs = 'signatures.txt'

(Special thanks to neo1 and bmc in #clamav for the help)
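For readers who want the per-section MD5 idea without pulling in Metasploit at all, here is a small stand-alone example. This is added example code, not pe-sig and not the Rex library: it walks the COFF section table of a PE file directly and hashes the raw bytes of each section, which is exactly what a per-section signature keys on. The PeSectionHash module name, the build_sample_pe helper and the constructed sample image are my own; the section header field offsets are the standard PE layout. A section whose SizeOfRawData runs past the end of the file (common in damaged or deliberately cut-off samples) is hashed as far as the bytes exist and flagged as truncated rather than silently producing a misleading hash.

```ruby
require 'digest/md5'

# Stand-alone PE section hasher (added example; not the pe-sig script and not
# the Metasploit Rex library). It walks the COFF section table and computes the
# MD5 of each section's raw bytes.
module PeSectionHash
  module_function

  # Read a little-endian integer of +width+ bytes at +off+, failing loudly if
  # the file is shorter than the header claims.
  def read_u(data, off, fmt, width)
    chunk = data.byteslice(off, width)
    raise ArgumentError, "read past end of file at offset #{off}" if chunk.nil? || chunk.bytesize < width
    chunk.unpack(fmt).first
  end

  # Returns [{ name:, md5:, raw_size:, truncated: }, ...] for every section in
  # +data+, the bytes of a PE file. Raises ArgumentError on a malformed image.
  def section_hashes(data)
    data = data.b
    raise ArgumentError, 'missing MZ header' unless data.byteslice(0, 2) == 'MZ'
    e_lfanew = read_u(data, 0x3c, 'V', 4)
    raise ArgumentError, 'missing PE signature' unless data.byteslice(e_lfanew, 4) == "PE\0\0"

    coff         = e_lfanew + 4                      # IMAGE_FILE_HEADER follows "PE\0\0"
    num_sections = read_u(data, coff + 2, 'v', 2)
    opt_size     = read_u(data, coff + 16, 'v', 2)   # SizeOfOptionalHeader
    table        = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER

    (0...num_sections).map do |i|
      hdr = data.byteslice(table + i * 40, 40)
      raise ArgumentError, "section table truncated at entry #{i}" if hdr.nil? || hdr.bytesize < 40
      name     = hdr.byteslice(0, 8).sub(/\0+\z/, '')
      raw_size = hdr.byteslice(16, 4).unpack('V').first   # SizeOfRawData
      raw_ptr  = hdr.byteslice(20, 4).unpack('V').first   # PointerToRawData
      body     = raw_size.zero? ? ''.b : (data.byteslice(raw_ptr, raw_size) || ''.b)
      # A body shorter than SizeOfRawData means the file is cut off: hash what
      # is present, but flag it so the hash is not mistaken for a full-section one.
      { name: name, md5: Digest::MD5.hexdigest(body),
        raw_size: raw_size, truncated: body.bytesize < raw_size }
    end
  end

  # Builds a minimal, non-runnable PE32 image with the given [name, body] pairs
  # as sections. Constructed test input only, not a real binary.
  def build_sample_pe(sections)
    e_lfanew = 0x40
    opt_size = 0xE0                                  # PE32 optional header size
    dos  = 'MZ'.ljust(0x3c, "\0").b + [e_lfanew].pack('V')
    coff = [0x14c, sections.size, 0, 0, 0, opt_size, 0x0102].pack('vvVVVvv')
    opt  = [0x10b].pack('v').ljust(opt_size, "\0")   # PE32 magic, rest zeroed
    header_len = e_lfanew + 4 + 20 + opt_size + sections.size * 40
    table  = ''.b
    bodies = ''.b
    sections.each do |name, body|
      raw_ptr = header_len + bodies.bytesize
      # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
      # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
      # NumberOfLinenumbers, Characteristics
      table << name.ljust(8, "\0").b
      table << [body.bytesize, 0x1000, body.bytesize, raw_ptr, 0, 0, 0, 0, 0x60000020].pack('VVVVVVvvV')
      bodies << body.b
    end
    dos + "PE\0\0".b + coff + opt + table + bodies
  end
end

if $PROGRAM_NAME == __FILE__
  # With a path argument, hash that file; otherwise hash the constructed sample.
  data = ARGV[0] ? File.binread(ARGV[0]) :
         PeSectionHash.build_sample_pe([['.text', 'constructed text bytes'], ['.data', 'constructed data']])
  PeSectionHash.section_hashes(data).each do |s|
    puts format('%-8s %s %8d%s', s[:name], s[:md5], s[:raw_size], s[:truncated] ? ' (truncated)' : '')
  end
end
```

Run it as `ruby pe_section_md5.rb sample.exe` to print one line per section (name, MD5, raw size), or with no argument to see it work on the built-in constructed image. Only the raw on-disk bytes are hashed, not the virtual size, so two builds that differ only in uninitialised tail space still match.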

2 comments:

  1. gento, do you have a copy of pe-sig? I can't find it on the SourceFire website, probably taken off already.

    thanks!
