PEiD – Popular PE packer/cryptor/compiler detector

This article is the original content of AppNee. All rights reserved. To repost or reproduce, please make a footnote with our article link!

PEiD (short for PE iDentifier) is a well-known professional packer/cryptor/compiler detecting tool. It’s so powerful that it can detect the types/signatures of almost any PE file packing tools (at present, the number has been more than 600 kinds). In addition to the official version, AppNee also provides you its full-plugin version, which can be treated as the most perfect one version (contains 60+ plugins and necessary runtime library files: mfc70.dll, msvcr70.dll, rtl70.bpl, vcl70.bpl) on the Internet at present. I do believe reverse engineers or software cracking/unpacking enthusiasts must like it very much.

PEiD mainly utilizes the search and find of characteristic string to finish the signature recognizing work. This is because a variety of programming languages have their respective and fixed startup code section. By this, we can identify what programming language a PE file used to compile it. Besides, PE files processed by a packing program will keep the corresponding packer’s information. Through this, we can identify what packer a PE file used to encrypt it.

In addition, PEiD provides an extensible interface file ‘userdb.txt’, in which users are allowed to customize some signatures. This way, we are able to identify more new PE file’s signature types (the production of signature can be finished with the ‘Add Signature’ plug-in). BTW, there is a universal unpacker among PEiD plug-ins, which can take off most of packers. And, if the import table is damaged after unpacking, it can also automatically call up the ‘ImportREC’ to repair this import table.

// Key Features //

  • It has a superb GUI and the interface is really intuitive and simple.
  • Detection rates are among the best given by any other identifier.
  • Special scanning modes for *advanced* detection of modified and unknown files.
  • Shell integration, Command line support, Always on top and Drag’n’Drop capabilities.
  • Multiple file and directory scanning with recursion.
  • Task viewer and controller.
  • Plugin Interface with plugins like Generic OEP Finder and Krypto ANALyzer.
  • Extra scanning techniques used for even better detection.
  • Heuristic Scanning options.
  • PE details, Imports, Exports and TLS viewers
  • built in quick disassembler.
  • built in hex viewer.
  • External signature interface which can be updated by the user.

// 3 Different and Unique Scanning Modes //

Normal Mode Scans the PE files at their Entry Point for all documented signatures. This is what all other identifiers also do.
Deep Mode Scans the PE file’s Entry Point containing section for all the documented signatures. This ensures detection of around 80% of modified and scrambled files.
Hardcore Mode Does a complete scan of the entire PE file for the documented signatures. You should use this mode as a last option as the small signatures often tend to occur a lot in many files and so erroneous outputs may result.

*** The scanner’s inbuilt scanning techniques have error control methods which generally ensure correct outputs even if the last mode is chosen. The first two methods produce almost instantaneous outputs but the last method is a bit slow due to obvious reasons!

// Included Plugins //

  • UnreaL.DLL
  • advanced_scan.dll
  • AntiSPack.dll
  • crc32.dll
  • Easy Screen 1.3.0.dll
  • eCrap.dll
  • eCrapOepVerify.dll
  • EPScan.dll
  • ExtOverlay.dll
  • ExtractOverlay.dll
  • FC.DLL
  • FileInfo.dll
  • FixCRC.DLL
  • FNE.dll
  • GenOEP.dll
  • GUID.dll
  • IDToText.DLL
  • ImpREC.dll
  • kanal.dll
  • Morphine.DLL
  • oepscan.dll
  • ohfixer_v01.dll
  • Oversaver.dll
  • Patch_Maker_0.5.0.dll
  • PE2HTML.dll
  • PE2HTML.exe
  • PEExtract.DLL
  • PEiDBundle.DLL
  • PESniffer4PEiD.ASM
  • PESniffer4PEiD.DLL
  • PlgLdr.dll
  • PluginEx.dll
  • pluzina.dll
  • pluzina1.dll
  • pluzina4.dll
  • QuickChSum.dll
  • RebuildPE.dll
  • RelocRebuilder.dll
  • SecFix.dll
  • SecTool.DLL
  • Sendspy.dll
  • StringViewer.dll
  • unbero.dll
  • UnCDS_SS.DLL
  • undef.dll
  • UnFakeNinja.DLL
  • unfsg.dll
  • UnitsBrowser.dll
  • UnPPP.DLL
  • UnRCrypt.DLL
  • UnRPolyCrypt.DLL
  • UnUPolyX.dll
  • UNUPX.DLL
  • unupx2.dll
  • UnUPXShit.dll
  • UPXI.dll
  • uupx.dll
  • VerA.dll
  • xInfo.DLL
  • XNResourceEditor_Plugin.DLL
  • XP.dll
  • YPP.DLL
  • ZDRx.dll

// Command Line Parameters //

peid -time Show statistics before quitting
peid -r Recurse through subdirectories
peid -nr Don’t scan subdirectories even if its set
peid -hard Scan files in Hardcore Mode
peid -deep Scan files in Deep Mode
peid -norm Scan files in Normal Mode
peid <file1> <file2> <dir1> <dir2> n/a

You can combine one or more of the parameters. For example:

  • peid -hard -time -r c:\windows\system32
  • peid -time -deep c:\windows\system32\*.dll

// System Requirements //

  • Visual Studio .NET 2002 (for MFC70.DLL)
  • Microsoft Visual C++ 2008 Redistributable Package
  • Microsoft Visual C++ 2010 Redistributable Package

// Prompts //

The plugin ‘xInfo.DLL‘ can only work under Windows 32-bit, not supports for Windows 64-bit (causes PEiD to crash/exit instantly).

// Download URLs //

Version Type Download Size
v0.95 Original 384 KB
along with most plugins and runtime library files 2.94 MB

(No Homepage)