https://github.com/dosx-dev/pe-litescan
A simple cross-platform heuristic PE-analyzer
- Host: GitHub
- URL: https://github.com/dosx-dev/pe-litescan
- Owner: DosX-dev
- License: mit
- Created: 2024-06-03T15:34:05.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-06-16T16:36:40.000Z (12 months ago)
- Last Synced: 2025-05-07T04:58:24.332Z (about 1 month ago)
- Topics: aot, csharp, detect, detector, engine, entropy, hacktoberfest, heuristic, linux, malware-analysis, malware-research, packer, pentest, program-analysis, reverse-engineering, scanner, static-analysis
- Language: C#
- Homepage: https://dosx.su
- Size: 67.4 KB
- Stars: 218
- Watchers: 2
- Forks: 9
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# PELS analyzer
**PE-LiteScan** (or **PELS**) is a simple heuristic analyzer for common PE-anomalies, specifically focusing on the detection of packers and protectors. Designed for Windows and Linux.

> **[Download for Windows/Linux x64](https://github.com/DosX-dev/PE-LiteScan/releases/tag/Builds)**

# Using
> **Windows**
> ```
> PE-LiteScan-windows.exe "file_to_check.exe"
> ```

> **Linux**
> ```
> ./PE-LiteScan-linux "file_to_check.exe"
> ```

# Detection types
| Detection Type | Description |
|-----------------------------|-----------------------------------------------------------------------------|
| `LAST_SECTION_ENTRYPOINT` | The entry point is located in the last section of the file. |
| `NO_TEXT_SECTION` | The `.text` section is missing from the PE file. |
| `STRANGE_OVERLAY` | Compressed data found in the overlay section of the file. |
| `HIGH_ENTROPY` | High entropy detected, indicating possible packed data. |
| `NET_ANTI_ILDASM` | The `.NET` binary has the `SuppressIldasmAttribute` attribute. |
| `PUSHAL_AT_ENTRY` | Strange entry point detected (e.g., starts with `PUSHAL` instruction). |
| `CUSTOM_DOS_STUB` | Unusual DOS stub found in the PE file. |
| `IMPORT_TABLE_MISSING` | The import table is missing from the PE file. |
| `SECTIONS_LIKE_%s` | Section names match known packer signatures (e.g., `UPX`, `VMProtect`). |
| `SECTION_%d_HIGH_ENTROPY` | Section contains compressed data. |
| `WEIRD_%d_SECTION_NAME` | Section looks very strange. |

# To do
* More signatures for .NET

> Powered by `PeNet` library.
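
An added example showing how three checks from the detection table (`LAST_SECTION_ENTRYPOINT`, `NO_TEXT_SECTION`, `SECTION_%d_HIGH_ENTROPY`) can be computed directly from PE headers. It is written in Python for illustration and is not PE-LiteScan's own code, which is C# built on PeNet. The 7.0 bits-per-byte limit, the 0-based section index, and the `build_sample` helper with its constructed images are assumptions.

```python
import math, struct
from collections import Counter
ENTROPY_LIMIT = 7.0  # assumed cut-off in bits/byte; PE-LiteScan's own value is not stated here

def entropy(data):
    """Shannon entropy of a byte string: 0 for constant or empty data, 8.0 for uniform."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def parse(pe):
    """Return (entry point RVA, [(name, rva, virtual size, raw bytes), ...])."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    count, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    entry = struct.unpack_from("<I", pe, nt + 24 + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(count):                                 # 40-byte section headers
        name, vsize, rva, rsize, rptr = struct.unpack_from(
            "<8sIIII", pe, nt + 24 + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), rva, vsize,
                         pe[rptr:rptr + rsize]))
    return entry, sections

def scan(pe):
    """Apply three of the table's heuristics; section indices are 0-based (assumption)."""
    entry, sections = parse(pe)
    hits = []
    if sections:
        _, rva, vsize, raw = sections[-1]
        if rva <= entry < rva + max(vsize, len(raw)):
            hits.append("LAST_SECTION_ENTRYPOINT")
    if all(name != ".text" for name, *_ in sections):
        hits.append("NO_TEXT_SECTION")
    hits += [f"SECTION_{i}_HIGH_ENTROPY" for i, s in enumerate(sections)
             if entropy(s[3]) > ENTROPY_LIMIT]
    return hits

def build_sample(parts, entry_index):  # constructed test image, not a loadable program
    nt, opt_size, rva, entry, table, body = 0x40, 0xE0, 0x1000, 0, b"", b""
    raw_start = nt + 24 + opt_size + 40 * len(parts)
    for i, (name, data) in enumerate(parts):
        entry = rva if i == entry_index else entry
        table += struct.pack("<8sIIII16x", name.encode(), len(data), rva,
                             len(data), raw_start + len(body))
        body += data
        rva += (len(data) + 0xFFF) & ~0xFFF
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(parts), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H14xI", 0x10B, entry).ljust(opt_size, b"\0")
    return b"MZ" + bytes(0x3A) + struct.pack("<I", nt) + coff + opt + table + body
```

A single heuristic hit is a reason to look closer, not a verdict: installers and self-extracting archives also carry high-entropy sections.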