Suggestion?
Hi!
Just to say, I tested peframe and it is very powerful and simple at the same time. Awesome work you did here! I am currently trying to use Peframe in an automated way:
- my customers send me many files a day;
- a preliminary check gives me a score for the files (as PeStudio does) to see whether it would be interesting to investigate.
Do you think it would be possible to have a scoring system in PEframe (even if it's not very representative), so we could use a trigger (for example, if score > 50, we send the file to our CERT)?
Kind regards
Great idea, but I need to establish a criterion of evaluation. Suggestions?
Yep, I was thinking about it. I am not an expert, but I can try to imagine something. We would have to establish a list of the most suspicious things:
- Anti-VM tricks? Why should software avoid virtualization? (Even in my tests, I found PuTTY had anti-VM... I wonder why.)
- Suspicious sections: many suspicious sections are often found in malware. Maybe if it's > 2 you have a warning, > 4 you have a critical.
- Suspicious APIs discovered: often seen in malware as in many applications. I don't know how to interpret them...
- Anti-debug: idem.
After that, we can have a mathematical way to calculate the score. For example: 1 VM trick = coef 10, 3 suspicious sections with coef 3, 25 suspicious APIs with coef 0.5, 12 anti-debug with coef 0.5; total = 10 + 9 + 12.5 + 6 = 37.5.
The example is not good enough because you can have 150 suspicious APIs, and the score will be high. But I think that could be possible :)
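The weighted sum sketched above, as an added example in Python that is not peframe's own code and not part of this thread. The coefficients (10, 3, 0.5, 0.5) and the "score > 50" trigger are the ones given in the thread; the per-category caps, the warning threshold, the category names and the function names are assumptions made for this illustration. The caps are what stop the 150-suspicious-APIs case from dominating the total on its own.

```python
"""Weighted suspicion score for static PE-analysis findings.

Added example, not peframe's own code. The coefficients come from the
example in this thread; the per-category caps, the thresholds, the
category keys and the function names are assumptions made here.
"""

# Weight per single finding, from the example in the thread.
WEIGHTS = {
    "anti_vm": 10.0,
    "suspicious_sections": 3.0,
    "suspicious_api": 0.5,
    "anti_debug": 0.5,
}

# Maximum contribution of one category (assumption). This keeps a sample
# with, say, 150 suspicious API imports from scoring high on that alone.
CAPS = {
    "anti_vm": 30.0,
    "suspicious_sections": 15.0,
    "suspicious_api": 15.0,
    "anti_debug": 10.0,
}

# The "> 50, send to the CERT" trigger from the thread, plus an
# intermediate warning level (assumption).
ESCALATE_AT = 50.0
WARN_AT = 25.0


def category_score(category: str, count: int, capped: bool = True) -> float:
    """Contribution of one category: count x weight, optionally capped."""
    if category not in WEIGHTS:
        raise KeyError(f"unknown category: {category}")
    raw = max(count, 0) * WEIGHTS[category]
    return min(raw, CAPS[category]) if capped else raw


def score(findings: dict, capped: bool = True) -> float:
    """Total score for {category: count}; categories not present count as 0."""
    return sum(category_score(c, findings.get(c, 0), capped) for c in WEIGHTS)


def section_level(n_sections: int) -> str:
    """Per-category rule from the thread: > 2 suspicious sections warns, > 4 is critical."""
    if n_sections > 4:
        return "critical"
    if n_sections > 2:
        return "warning"
    return "ok"


def verdict(total: float) -> str:
    """Map a total score to an action; 'escalate' means forward the file to the CERT."""
    if total > ESCALATE_AT:
        return "escalate"
    if total > WARN_AT:
        return "warning"
    return "ok"


if __name__ == "__main__":
    # Constructed sample counts, matching the example in the thread.
    sample = {"anti_vm": 1, "suspicious_sections": 3,
              "suspicious_api": 25, "anti_debug": 12}
    print(score(sample, capped=False), verdict(score(sample)))  # 37.5 warning

    # Same sample but with 150 suspicious APIs: uncapped it escalates on
    # API count alone, capped it stays at the warning level.
    noisy = dict(sample, suspicious_api=150)
    print(score(noisy, capped=False), verdict(score(noisy, capped=False)))  # 100.0 escalate
    print(score(noisy), verdict(score(noisy)))  # 40.0 warning
```

The counts are passed in as a plain dict so the scorer does not depend on any particular peframe output format; in practice they would be filled from whatever the analysis step reports for each category.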