detectors.yml (270 lines, 9.83 KB)
```yaml
defaults:
  maintained: true
  multiclass: true
  vote: false
  weak: false
Analyze_PE:
  comment: Relies on pefile and peutils with a userdb.txt signatures database.
  description: Wraps around various tools and provides some additional checks/information to produce a centralized report of a PE file.
  formats:
  - PE
  maintained: false
  source: https://github.com/hiddenillusion/AnalyzePE
  status: useless
ASL:
  comment: Uses a signature database (userdb.txt) slightly more recent than PEiD, but works the same way.
  description: Free Windows software. Detects packer, compiler, protector, .NET obfuscator or binary packed data (rar, zip, iso, img, ...).
  formats:
  - PE
  source: https://github.com/ExeinfoASL/ASL
  status: useless
Bintropy:
  description: Bintropy is an analysis tool that estimates the likelihood that a binary file contains compressed or encrypted bytes.
  formats:
  - ELF
  - MSDOS
  - PE
  install:
  - pip: bintropy
  multiclass: false
  references:
  - https://ieeexplore.ieee.org/document/4140989
  silent:
  - Unable to find the section associated with
  - out of range
  - will be discarded
  - Can't read the padding
  - template corrupted
  - Address of new exe header is corrupted
  - Fail to parse the DOS Stub
  source: https://github.com/packing-box/bintropy
  status: ok
CFF_Explorer:
  comment: Relies on a very limited set of signatures.
  description: Created by Erik Pistelli, a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources.
  formats:
  - PE
  references:
  - https://ntcore.com/files/CFF_Explorer.zip
  source: https://ntcore.com/?page_id=388
  status: info
DIE:
  author: Hors (horsicq)
  command: $OPT/die_lin64_portable/diec.sh {path}
  description: Detect It Easy (DIE) is a program for determining types of files.
  formats:
  - All
  install:
  - gitr: https://github.com/horsicq/DIE-engine.git
  - cd: $TMP/die-engine
  - exec:
    - wget -q https://raw.githubusercontent.com/horsicq/DIE-engine/5ce44b7a9551804f93b2f9ade6d71f4f1fc6922c/build_lin64.sh
    - chmod +x build_lin64.sh
    - ./build_lin64.sh 2>/dev/null
    - find $TMP/die-engine/release -type f -exec tar xzf {} -C $OPT \;
    - tar xf $TMP/die.tar.xz -C $OPT/die_lin64_portable
    - cp $TMP/die-engine/release_version.txt $OPT/die_lin64_portable/
    - sed -i 's/\"\?\$\*\"\?/\"\$\*\"/g' $OPT/die_lin64_portable/diec.sh
  - rm: $TMP/die-engine
  license: mit
  silent:
  - "\\+{1,2} ([a-z]{2,12}|[A-Z]+([-_][A-Z]+)*)"
  source: https://github.com/horsicq/Detect-It-Easy
  status: ok
  version: $OPT/die_lin64_portable/release_version.txt
  vote: true
ExeScan:
  comment: Relies on pefile and peutils with a userdb.txt signatures database and also the entropy-based function `peutils.is_probably_packed`.
  description: ExeScan is a console-based tool to detect anomalies in PE (Portable Executable) files. It quickly scans a given executable file and detects all kinds of anomalies in its PE header fields, including checksum verification, size of various header fields, improper size of raw data, non-ASCII/empty section names, etc.
  formats:
  - PE
  maintained: false
  source: https://github.com/cysinfo/Exescan
  status: info
Language_2000:
  comment: Candidate for integration.
  description: Language 2000 is a compiler detection utility. Using this program you can determine which compiler was used to build your binary file, or which compressor packed it.
  formats:
  - PE
  maintained: false
  source: https://farrokhi.net/language
  status: info
Manalyze:
  command: $OPT/manalyze/bin/manalyze -p packer {path} 2>/dev/null
  description: A static analyzer for PE executables.
  formats:
  - MSDOS
  - PE
  install:
  - git: https://github.com/JusticeRage/Manalyze
  - exec: mv $TMP/manalyze $OPT/manalyze
  - cd: $OPT/manalyze
  - exec:
    - cmake .
    - sed -i 's/#include <cstring>/#include <cstdint>\n#include <cstring>/' $OPT/manalyze/external/hash-library/sha512.h
    - make -j5
  source: https://github.com/JusticeRage/Manalyze
  status: ok
  weak: true
MPESM:
  comment: Mnemonic PE Signature Matching
  description: MPESM uses a weighted distance metric to compare assembly mnemonics of a PE file to those in a signature in order to help determine the compiler/packer/cryptor that likely generated the file.
  formats:
  - Mach-O
  - PE
  maintained: false
  source: https://github.com/vmware-archive/tic/tree/master/mpesm
  status: info
MRC:
  description: Mandiant Red Curtain is a free utility for identifying both binary obfuscation mechanisms and other malicious characteristics. It examines a PE file and determines a threat score by evaluating it against criteria such as entropy, indicators of obfuscation, packing signatures and other characteristics, to determine whether it requires more extensive investigation.
  formats:
  - MSDOS
  - PE32
  maintained: false
  references:
  - http://www.mandiant.com/products/free_software/red_curtain
  - https://www.amazon.fr/Malware-Forensics-Field-Windows-Systems/dp/1597494720
  source: https://mandiant-red-curtain.apponic.com/download
  status: info
PackerID:
  comment: This relies on an old userdb.txt. This tool does not perform better than PEiD.
  description: Fork of packerid.py. Used to check PEiD databases against files in Python. Additional output types and formats, digital signature extraction, and disassembly support. Ships its own userdb.txt.
  formats:
  - PE
  source: https://github.com/sooshie/packerid
  status: info
PeFrame:
  author: Gianni Amato
  comment: TO BE FIXED
  description: Open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
  formats:
  - MSDOS
  - PE
  install:
  - pip: git+https://github.com/digitalsleuth/peframe
  license: gpl
  silent:
  - "RuntimeWarning: too many matches for string"
  - "for match in rules"
  source: https://github.com/guelfoweb/peframe
  status: broken
  version: <output>
  weak: true
PEiD:
  description: PEiD detects most common packers, cryptors and compilers for PE files.
  formats:
  - MSDOS
  - PE
  install:
  - pip: peid>=2.1.1
  - exec: rm -f $OPT/.userdb_txt.json $OPT/.userdb_asl_txt.json
  references:
  - https://www.aldeid.com/wiki/PEiD
  - www.softpedia.com/get/Programming/Packers-Crypters-Protectors/PEiD-updated.shtml
  - https://github.com/ynadji/peid/
  - https://github.com/wolfram77web/app-peid
  source: https://github.com/packing-box/peid
  status: ok
  vote: true
PePack:
  command: /usr/bin/pepack {path}
  description: Checks if a PE file is packed. This tool belongs to pev, an open source, full-featured, multiplatform command line toolkit to work with PE (Portable Executable) binaries.
  formats:
  - MSDOS
  - PE
  install:
  - apt: pev
  source: https://github.com/merces/pev
  status: ok
PyPackerDetect:
  comment: Relies on PEiD but also uses custom heuristics (e.g. known packer section names, entry point in a non-standard section, threshold of non-standard sections reached, low number of imports and overlapping entry point sections).
  description: A complete refactoring of the original PyPackerDetect into a Python package with a console script to detect whether an executable is packed.
  formats:
  - MSDOS
  - PE
  install:
  - pip: pypackerdetect>=1.1.2
  source: https://github.com/packing-box/pypackerdetect
  status: ok
  vote: true
  weak: true
PyPeid:
  author: Koh M. Nakagawa
  comment: May replace PEiD thanks to its support for YARA rules. TO BE CHECKED
  description: Yet another implementation of PEiD with yara-python.
  formats:
  - MSDOS
  - PE
  install:
  - gitr: https://github.com/FFRI/pypeid.git
  - cd: $TMP/pypeid
  - exec:
    - poetry build -q
    - find dist -iname *.whl -exec pip3 -qq install --user --no-warn-script-location --ignore-installed --break-system-packages {} \;
  license: apache-2.0
  maintained: false
  source: https://github.com/FFRI/pypeid
  status: ok
  version: pypeid:__version__
RDG:
  description: RDG Packer Detector is a detector for packers, cryptors, compilers, scramblers, joiners and installers.
  formats:
  - PE
  maintained: false
  source: http://www.rdgsoft.net
  status: info
REMINDer:
  description: REMINDer is a detection tool that applies a simple entropy-based heuristic to determine whether the target is packed or not.
  formats:
  - All
  install:
  - pip: reminder-detector>=1.2.0
  multiclass: false
  references:
  - https://ieeexplore.ieee.org/document/5404211
  source: https://github.com/packing-box/reminder
  status: ok
RetDec:
  author: Avast
  command: $OPT/retdec/bin/retdec-fileinfo {path}
  description: RetDec is a retargetable machine-code decompiler based on LLVM.
  formats:
  - All
  install:
  - wget: https://github.com/avast/retdec:latest{Linux}
  - untar: $OPT/retdec
  license: mit
  source: https://github.com/avast/retdec
  status: ok
  version: $OPT/retdec/share/retdec/CHANGELOG.md
  vote: true
StudPE:
  comment: This tool relies on PEiD signatures.
  description: StudPE is a multipurpose PE analysis tool that provides a flexible packer signature identification feature and the ability to query a suspect file against a built-in or external signature database.
  formats:
  - PE32
  references:
  - https://www.amazon.fr/Malware-Forensics-Field-Windows-Systems/dp/1597494720
  source: https://www.cgsoftlabs.ro/studpe.html
  status: info
```
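The file above is only data; what makes it useful is the consumer that merges the `defaults` block into each entry, picks the detectors applicable to a given executable format, and scrubs tool output with the `silent` patterns. The following Python module is an added example of such a consumer, not code from the packing-box project. It assumes (1) that `status: ok` marks the detectors that are actually integrated and working (in the file, only those carry `install`/`command` fields), (2) that `silent` entries are regular expressions matched anywhere in an output line (DIE's entry is plainly a regex; the plain strings elsewhere match themselves), and (3) that `vote`, `weak` and `multiclass` mean what their names suggest: whether a tool's verdict counts in a final decision, whether it is considered unreliable, and whether it names the packer rather than only answering packed/not-packed. `SAMPLE_CONFIG` is a constructed subset of the file in the shape `yaml.safe_load()` returns; the sample DIE output lines are also constructed, not real tool output. PyYAML is needed only for `load_detectors`.

```python
"""Consume a detectors.yml-style config: merge defaults, select detectors per format,
and strip noisy output lines flagged by each detector's 'silent' patterns."""
import re
from typing import Dict, List, Optional

# Constructed subset of detectors.yml (descriptions and install steps dropped),
# already in the shape yaml.safe_load() returns. Hypothetical fixture for offline use.
SAMPLE_CONFIG: Dict[str, dict] = {
    "defaults": {"maintained": True, "multiclass": True, "vote": False, "weak": False},
    "ASL": {"formats": ["PE"], "status": "useless"},
    "Bintropy": {"formats": ["ELF", "MSDOS", "PE"], "multiclass": False, "status": "ok",
                 "silent": ["Unable to find the section associated with", "out of range"]},
    "DIE": {"command": "$OPT/die_lin64_portable/diec.sh {path}", "formats": ["All"],
            "status": "ok", "vote": True,
            "silent": ["\\+{1,2} ([a-z]{2,12}|[A-Z]+([-_][A-Z]+)*)"]},
    "Manalyze": {"formats": ["MSDOS", "PE"], "status": "ok", "weak": True},
    "PeFrame": {"formats": ["MSDOS", "PE"], "status": "broken", "weak": True},
    "PEiD": {"formats": ["MSDOS", "PE"], "status": "ok", "vote": True},
    "PyPackerDetect": {"formats": ["MSDOS", "PE"], "status": "ok", "vote": True, "weak": True},
    "REMINDer": {"formats": ["All"], "multiclass": False, "status": "ok"},
    "RetDec": {"formats": ["All"], "status": "ok", "vote": True},
}


def load_detectors(path: str) -> Dict[str, dict]:
    """Read a real detectors.yml. PyYAML is imported lazily so the rest works without it."""
    import yaml  # third-party (PyYAML)
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def apply_defaults(config: Dict[str, dict]) -> Dict[str, dict]:
    """Merge the top-level 'defaults' mapping into every detector entry; explicit keys win."""
    defaults = config.get("defaults", {})
    return {name: {**defaults, **entry}
            for name, entry in config.items() if name != "defaults"}


def supports(entry: dict, fmt: str) -> bool:
    """'All' covers every format; otherwise the format must be listed literally.
    The file distinguishes 'PE' from 'PE32', so no aliasing is done here."""
    formats = entry.get("formats", [])
    return "All" in formats or fmt in formats


def select(config: Dict[str, dict], fmt: str, vote_only: bool = False,
           multiclass: Optional[bool] = None, exclude_weak: bool = False) -> List[str]:
    """Sorted names of detectors usable on `fmt`.

    Only 'status: ok' entries are kept (assumption: 'info', 'useless' and 'broken' entries
    are documentation, not runnable tools). `vote_only` keeps detectors whose verdict counts
    toward a final decision, `multiclass` filters on whether the tool names the packer (True)
    or only says packed/not packed (False), and `exclude_weak` drops tools marked weak."""
    chosen = []
    for name, entry in apply_defaults(config).items():
        if entry.get("status") != "ok" or not supports(entry, fmt):
            continue
        if vote_only and not entry.get("vote", False):
            continue
        if multiclass is not None and entry.get("multiclass", True) != multiclass:
            continue
        if exclude_weak and entry.get("weak", False):
            continue
        chosen.append(name)
    return sorted(chosen)


def silence(entry: dict, output: str) -> List[str]:
    """Drop output lines matching any of the entry's 'silent' patterns (treated as regexes,
    searched anywhere in the line, as assumed in the lead-in)."""
    patterns = [re.compile(p) for p in entry.get("silent", [])]
    return [line for line in output.splitlines()
            if not any(p.search(line) for p in patterns)]


if __name__ == "__main__":
    cfg = apply_defaults(SAMPLE_CONFIG)
    print("PE detectors:", select(SAMPLE_CONFIG, "PE"))
    print("PE voters, non-weak:", select(SAMPLE_CONFIG, "PE", vote_only=True, exclude_weak=True))
    # Constructed DIE output: two shell-trace lines that the 'silent' regex removes, then results.
    noisy = ("++ dirname /opt/die_lin64_portable/diec.sh\n+ cd /opt/die_lin64_portable\n"
             "PE32\n    Packer: UPX(3.96)[NRV,brute]")
    print("\n".join(silence(cfg["DIE"], noisy)))
```

With the full file loaded through `load_detectors("detectors.yml")`, `select(cfg, "ELF")` yields only the format-agnostic and ELF-capable tools (Bintropy, DIE, REMINDer, RetDec), which is the practical consequence of most entries listing just `PE`/`MSDOS`; the voting subset is narrower still, so a `vote: true` flag on a new detector is what actually changes the combined verdict.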