nPEiD: Network PEiD!

by Black on June 7, 2009

in Malware Analysis, Open Source

Okay! Don’t confuse PEiD and nPEiD: they are not written by the same people, though nPEiD performs a similar task at a whole new level. Consider that you are watching a live file transfer in progress on the wire and want to know whether the executable going past is packed. How do you do that? All you need is nPEiD!

This tool has been written by famousjs, one of the guys at Offensive Computing (a very good RCE blog!). The author first wrote a few packer identifier scripts for Snort, like PEiD2Snort. He then moved right down to the network by using a library that handles TCP stream reassembly from Python (pynids, listed below). After the connection is closed and the reassembled stream has been dumped, it is scanned with pefile, which matches PEiD-style signatures and thereby gives you the possible packer/protector identification; the result is therefore only as good as the signature database pefile is given, exactly as with PEiD itself. All of this is done by a single Python script. The script can either scan a pcap passed in as an argument, or sniff on an interface (default is eth0).
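To make the scan step concrete, here is an added example (not nPEiD’s own code, which drives pynids and pefile): it takes a reassembled TCP stream, finds the PE carried inside it, maps the entry point RVA to an offset in the stream and matches PEiD userdb-style entry-point signatures against it. The signature database and the sample stream (HTTP response headers followed by a hand-built PE32 stub) are constructed for this example; the signature bytes are made up and match no real packer. Two details matter in the network setting and are handled below: the MZ header is rarely at offset 0 of the stream, and section PointerToRawData values are relative to that MZ header, not to the start of the stream.

```python
import struct

# Constructed PEiD/userdb-style signature database for this example. The byte
# patterns are made up and do NOT identify any real packer; "??" is a one-byte
# wildcard and ep_only = true means "match at the entry point only".
SIGNATURE_DB = """
[Example packer A (constructed)]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[Example packer B (constructed)]
signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00
ep_only = true
"""


def parse_signatures(text):
    """Parse [name] / signature = / ep_only = blocks into a list of dicts."""
    sigs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1], "pattern": [], "ep_only": True}
            sigs.append(cur)
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            key, val = key.strip().lower(), val.strip()
            if key == "signature":
                cur["pattern"] = [None if t == "??" else int(t, 16) for t in val.split()]
            elif key == "ep_only":
                cur["ep_only"] = val.lower() == "true"
    return [s for s in sigs if s["pattern"]]


def find_pe_header(stream):
    """Return (mz_offset, pe_offset) of the first MZ whose e_lfanew hits a real PE\\0\\0.
    Protocol data (e.g. HTTP headers) precedes the binary, so stray "MZ" bytes are rejected."""
    pos = stream.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(stream):
            e_lfanew = struct.unpack_from("<I", stream, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and stream[pe:pe + 4] == b"PE\0\0":
                return pos, pe
        pos = stream.find(b"MZ", pos + 1)
    return None


def entry_point_offset(stream, dos, pe):
    """Map AddressOfEntryPoint (an RVA) to an absolute offset inside the stream."""
    nsect = struct.unpack_from("<H", stream, pe + 6)[0]
    opt_size = struct.unpack_from("<H", stream, pe + 20)[0]
    opt = pe + 24                                       # optional header
    magic = struct.unpack_from("<H", stream, opt)[0]
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unsupported optional header magic %#x" % magic)
    ep_rva = struct.unpack_from("<I", stream, opt + 16)[0]
    sect = opt + opt_size                               # section table
    for i in range(nsect):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", stream, sect + 40 * i + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rawsize):
            return dos + rawptr + (ep_rva - vaddr)      # rawptr is relative to MZ, not stream
    raise ValueError("entry point RVA %#x lies outside every section" % ep_rva)


def matches(data, pattern):
    """Wildcard byte match; None in the pattern matches any byte."""
    return len(data) >= len(pattern) and all(p is None or p == b for p, b in zip(pattern, data))


def identify_packer(stream, sigs):
    """Names of all signatures matching the PE carried in the stream (PEiD-style result list)."""
    hdr = find_pe_header(stream)
    if hdr is None:
        return []
    dos, pe = hdr
    ep = entry_point_offset(stream, dos, pe)
    hits = []
    for s in sigs:
        pat = s["pattern"]
        if s["ep_only"]:
            hit = matches(stream[ep:ep + len(pat)], pat)
        else:  # ep_only = false signatures are scanned over the whole buffer
            hit = any(matches(stream[i:i + len(pat)], pat) for i in range(len(stream) - len(pat) + 1))
        if hit:
            hits.append(s["name"])
    return hits


def build_sample_pe(ep_code):
    """Constructed minimal PE32 image: one section, entry point at RVA 0x2010 (file offset 0x410)."""
    e_lfanew, img = 0x80, bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: i386, 1 section, 224-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    img[e_lfanew + 4:e_lfanew + 24] = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x2010)       # AddressOfEntryPoint
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    img[opt + 224:opt + 264] = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x2000,
                                           0x200, 0x400, 0, 0, 0, 0, 0xE0000040)
    img[0x410:0x410 + len(ep_code)] = ep_code
    return bytes(img)


# Constructed stand-in for a reassembled HTTP download: the MZ header sits behind
# the response headers, as it would in a captured transfer.
SAMPLE_EP_CODE = bytes.fromhex("60BE00A040008DBE0070FFFF5783CDFF")
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                 + build_sample_pe(SAMPLE_EP_CODE))

if __name__ == "__main__":
    print(identify_packer(SAMPLE_STREAM, parse_signatures(SIGNATURE_DB)))
```

Against a real capture you would feed in the stream dumped by the reassembly library and pefile’s PEiD userdb in place of the constructed inputs, which is the combination the tool itself relies on.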

All this little tool needs is:
pynids: http://jon.oberheide.org/projects/pynids/downloads/pynids-0.5a.tar.gz
pefile: http://pefile.googlecode.com/files/pefile-1.2.10-63.tar.gz
libnet
libpcap
libglib
python2.x-dev

Sample usage:

To scan a pcap

./npeid.py name.pcap

To scan an interface

./npeid.py

To also extract the transferred binaries to disk

./npeid.py -e

Sample output:

famousjs@youbantoo:~/npeid$ ./npeid.py out.pcap
['UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser']

Download nPEiD here.
