For malware analysis, PE section MD5s are surely much more efficient than a normal whole-file MD5. pe-sig is a Ruby script that calculates PE section MD5s using Metasploit library functions. The script can be downloaded from the Sourcefire blog: http://vrt-sourcefire.blogspot.com/2009/03/generating-virus-signatures-automated.html
I have tested the script with Metasploit 3.3.3 (the latest version), 3.2 and 3.0. It failed to execute correctly, with the error shown:
./pe-sig:44: undefined method `sigs' for #<Rex::PeScan::Analyze::Fingerprint:0xb7d1ac38> (NoMethodError)
from ./pe-sig:33:in `each'
With the following modification, pe-sig executes correctly:
- Add this after the 'require' part:
module Rex; module PeScan; module Analyze; class Fingerprint; attr_accessor :sigs; end; end; end; end
The snippet of code will then be:
module Rex; module PeScan; module Analyze; class Fingerprint; attr_accessor :sigs; end; end; end; end
# location of your local signatures
local_sigs = 'signatures.txt'
(Special thanks to neo1 and bmc in #clamav for the help.)
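What hashing each PE section separately looks like, as an added example that is not part of pe-sig or the original post: it reads the PE section table directly instead of going through Rex. The names pe_section_md5s and sample_pe, and the sample buffer itself, are constructed for illustration.

```ruby
require 'digest/md5'

# Return [name, raw_size, md5_hex] for every section of a PE image held in a binary string.
def pe_section_md5s(data)
  data = data.b
  raise ArgumentError, 'not an MZ executable' unless data.byteslice(0, 2) == 'MZ'
  pe_off = data.byteslice(0x3c, 4).to_s.unpack1('V')            # e_lfanew
  raise ArgumentError, 'PE signature not found' unless pe_off && data.byteslice(pe_off, 4) == "PE\0\0"
  coff = data.byteslice(pe_off + 4, 20).to_s
  raise ArgumentError, 'truncated COFF header' if coff.bytesize < 20
  _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = coff.unpack('vvVVVvv')
  table = pe_off + 24 + opt_size                                # section table follows the optional header
  (0...nsections).map do |i|
    hdr = data.byteslice(table + i * 40, 40).to_s
    raise ArgumentError, "truncated section header #{i}" if hdr.bytesize < 40
    name, _vsize, _vaddr, raw_size, raw_ptr = hdr.unpack('a8VVVV')
    raw = raw_size.zero? ? '' : data.byteslice(raw_ptr, raw_size).to_s
    raise ArgumentError, "section #{i} raw data runs past end of file" if raw.bytesize < raw_size
    [name.delete("\0"), raw_size, Digest::MD5.hexdigest(raw)]
  end
end

# Constructed sample: a minimal PE-shaped buffer with two sections (not a real program).
def sample_pe
  text  = "\x90".b * 16
  data_ = 'constructed'.b.ljust(16, "\0")
  dos   = 'MZ'.b.ljust(0x3c, "\0") + [0x40].pack('V')           # e_lfanew = 0x40
  coff  = "PE\0\0".b + [0x14c, 2, 0, 0, 0, 0, 0x102].pack('vvVVVvv')
  first = 0x40 + 24 + 2 * 40                                    # raw data follows the section table
  sects = [['.text', text, first], ['.data', data_, first + 16]].map do |n, body, off|
    [n, body.bytesize, 0x1000, body.bytesize, off, 0, 0, 0, 0, 0].pack('a8VVVVVVvvV')
  end
  dos + coff + sects.join + text + data_
end

# Print one line per section: raw size, MD5, section name.
pe_section_md5s(sample_pe).each do |name, size, md5|
  puts "#{size}:#{md5}:#{name}"
end
```

Two files that share a section with the same raw bytes produce the same line for that section even when their whole-file MD5s differ.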