
Detecting Packers in Network Streams with Pynids and Pefile

To step away from using Snort as a base for detecting binary packers, I decided to go with a more direct approach and use a library that handles stream reassembly within Python. I then simply took the data once the connection had closed and scanned it with pefile. The Python script, which I call nPeID (network PEiD), can either scan a pcap passed in as an argument or sniff on an interface (the default is eth0).
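The flow described above, as an added sketch that is not the nPeID script itself: pynids buffers both halves of each TCP connection, and when the connection ends every PE image found in the stream is matched against a PEiD signature database through pefile's `peutils`. The signature file name `UserDB.TXT`, the function names and the header-carving step (so that a PE sitting behind HTTP headers is still found) are assumptions.

```python
import struct
import sys

SIGNATURES = None  # peutils.SignatureDatabase, loaded in main()

def carve_pe_offsets(data):
    """Return offsets in a reassembled stream where a valid PE header starts."""
    offsets, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):  # full DOS header present
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            if data[sig_at:sig_at + 4] == b"PE\x00\x00":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets

def scan_stream(data, sigdb):
    """Match every carved PE against the PEiD signature database."""
    import pefile
    hits = []
    for off in carve_pe_offsets(data):
        try:
            pe = pefile.PE(data=data[off:])
        except pefile.PEFormatError:
            continue  # truncated or malformed transfer
        hits.append((off, sigdb.match(pe, ep_only=True)))
    return hits

def handle_tcp(tcp):
    import nids
    if tcp.nids_state == nids.NIDS_JUST_EST:
        tcp.client.collect = tcp.server.collect = 1  # buffer both directions
    elif tcp.nids_state == nids.NIDS_DATA:
        tcp.discard(0)  # keep every byte until the connection ends
    elif tcp.nids_state in (nids.NIDS_CLOSE, nids.NIDS_TIMED_OUT, nids.NIDS_RESET):
        for half in (tcp.client, tcp.server):
            for off, match in scan_stream(half.data[:half.count], SIGNATURES):
                print(tcp.addr, "PE at offset", off, "packer:", match)

def main(argv):
    import nids, peutils
    global SIGNATURES
    SIGNATURES = peutils.SignatureDatabase("UserDB.TXT")  # assumed file name
    if len(argv) > 1:
        nids.param("filename", argv[1])  # offline: read a pcap
    else:
        nids.param("device", "eth0")     # live: sniff the default interface
    nids.init()
    nids.register_tcp(handle_tcp)
    nids.run()

if __name__ == "__main__":
    main(sys.argv)
```

Because scanning happens only when a connection closes, resets or times out, a long-lived transfer is held in memory in full and is not reported until it ends.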