Corelight::PE_XOR

Zeek plugin to detect and decrypt XOR-obfuscated Windows EXEs.

The key used to XOR the file will be automatically discovered and used to XOR the file back to the original Window's executable. Once the file is deobfucated, it is passed back into the file analysis framework for further analysis.

Installation

From Source

git clone https://github.com/corelight/zeek-xor-exe-plugin.git
cd zeek-xor-exe-plugin
./configure
sudo make install

Now confirm that Zeek can see it:

zeek -N | grep Corelight

Usage

Notices

Corelight::XOR_Encrypted_PE_File_Seen - This notice will be generated when an XOR'd Windows executable is discovered.

Name		Name	Last commit message	Last commit date
Latest commit History 45 Commits
scripts		scripts
src		src
tests		tests
.gitignore		.gitignore
CHANGES		CHANGES
CMakeLists.txt		CMakeLists.txt
COPYING		COPYING
Makefile		Makefile
README.rst		README.rst
configure		configure
configure.plugin		configure.plugin
zkg.meta		zkg.meta

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Corelight::PE_XOR

Installation

From Source

Usage

Notices

About

Releases 2

Packages

Contributors 4

Languages

License

corelight/zeek-xor-exe-plugin

Folders and files

Latest commit

History

Repository files navigation

Corelight::PE_XOR

Installation

From Source

Usage

Notices

About

Resources

License

Stars

Watchers

Forks

Releases 2

Packages 0

Contributors 4

Languages

Packages