Byte Patterns/PE Signature Scanning


Question




Hi, 

I have lately been facing an issue. I'd appreciate it if somebody would help me get it done.

Currently, I am working on a project, just for educational purposes, that detects PE signatures. By signature I mean obfuscator/packer and/or programming language.

A program such as PEStudio uses what you would call "Byte Patterns" for each known signature, for example, this byte series relates to the Microsoft C#/VB.NET family. (The program will tell you this file is a .NET file because it detected this pattern somehow)

    FF 25 00 20 xx xx 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

My question is, how do I check if a file contains those specific bytes?
Already tried File.ReadAllBytes(), and tried viewing it manually in HxD, just couldn't find the pattern. I could be completely mistaken about the bytes part too, might be different than what I am used to.

Thank you 

Recommended answer

Hi SykoKar,

Thank you for posting here.

For your question, you want to check if the file contains specific bytes. I downloaded a bytes file from the URL of the image and then saved it as text. Then I put the specific bytes (FF 25 00 20 xx xx 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00) in the text, and used the following code to check if the file contains those specific bytes.

Please try the following code. I tried it. It works well.

    using System;
    using System.IO;
    using System.Linq;
    using System.Windows.Forms;

    namespace check_bytes
    {
        class Program
        {
            static void Main(string[] args)
            {
                // Read the text file that holds the bytes written out as hex text.
                string[] lines = File.ReadAllLines(@"C:\Users\v-wezan\Desktop\bytes.txt");

                // The pattern is compared as text: a line must equal this string exactly,
                // including the literal "xx" placeholders.
                string contents = "FF 25 00 20 xx xx 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00";

                bool isMatch = lines.Contains(contents);
                MessageBox.Show(isMatch ? "there is a match" : "there is no match");
            }
        }
    }

I hope this would be helpful to you.

If you have something else, please feel free to contact us.

Best regards,

Wendy
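
The pattern can also be matched against the file's raw bytes, with each xx treated as a wildcard that matches any byte value. The following is an added example, not code from the original thread; the `PatternScanner` class, its method names, the shortened pattern and the sample buffer are assumptions constructed for illustration.

```csharp
using System;
using System.Globalization;
using System.IO;
using System.Linq;

static class PatternScanner
{
    // Turns "FF 25 xx" into { 0xFF, 0x25, null }; null means "any byte".
    public static byte?[] Parse(string pattern)
    {
        return pattern
            .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(t => t.Equals("xx", StringComparison.OrdinalIgnoreCase)
                ? (byte?)null
                : byte.Parse(t, NumberStyles.HexNumber, CultureInfo.InvariantCulture))
            .ToArray();
    }

    // Returns the offset of the first match in data, or -1 if there is none.
    public static int IndexOf(byte[] data, byte?[] pattern)
    {
        if (pattern.Length == 0) return -1;
        for (int i = 0; i <= data.Length - pattern.Length; i++)
        {
            int j = 0;
            while (j < pattern.Length && (pattern[j] == null || pattern[j].Value == data[i + j]))
                j++;
            if (j == pattern.Length) return i;
        }
        return -1;
    }

    static void Main(string[] args)
    {
        // Shortened form of the pattern from the question (constructed for the demo).
        byte?[] sig = Parse("FF 25 00 20 xx xx 00 00 00 00");

        // With a path argument, scan that file's raw bytes; otherwise use a constructed buffer.
        byte[] data = args.Length > 0
            ? File.ReadAllBytes(args[0])
            : new byte[] { 0x4D, 0x5A, 0x90, 0x00, 0xFF, 0x25, 0x00, 0x20, 0x40, 0x00,
                           0x00, 0x00, 0x00, 0x00, 0xC3 };

        int offset = IndexOf(data, sig);
        Console.WriteLine(offset >= 0 ? "match at offset 0x" + offset.ToString("X") : "no match");
    }
}
```

Run without arguments, it reports the match at offset 0x4 in the constructed buffer, where the two wildcard positions hold 40 00.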

