Beispiel #1
0
def get_pe_fileinfo(pe, filename):
    # is dll?
    dll = pe.FILE_HEADER.IMAGE_FILE_DLL

    # num sections
    nsec = pe.FILE_HEADER.NumberOfSections

    # timestamp
    tstamp = pe.FILE_HEADER.TimeDateStamp
    try:
        """ return date """
        tsdate = datetime.datetime.fromtimestamp(tstamp)
    except:
        """ return timestamp """
        tsdate = str(tstamp) + " [Invalid date]"

    # get md5, sha1, sha256, imphash

    md5, sha1, sha256, imphash = get_hash(filename)
    hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}

    detected = []

    # directory list
    dirlist = directories.get(pe)

    # digital signature
    for sign in dirlist:
        if sign == "security": detected.append("sign")

    # packer (peid)
    packer = peid.get(pe, userdb)
    if packer: detected.append("packer")

    # mutex
    mutex = apimutex.get(pe, strings_match)
    if mutex: detected.append("mutex")

    # anti debug
    antidbg = apiantidbg.get(pe, strings_match)
    if antidbg: detected.append("antidbg")

    # Xor
    xorcheck = xor.get(filename)
    if xorcheck: detected.append("xor")

    # anti virtual machine
    antivirtualmachine = antivm.get(filename)
    if antivirtualmachine: detected.append("antivm")

    # api alert suspicious
    apialert_info = apialert.get(pe, strings_match)

    # file and url
    fileurl_info = fileurl.get(filename, strings_match)
    file_info = fileurl_info["file"]
    url_info = fileurl_info["url"]
    ip_info = fileurl_info["ip"]
    fuzzing_info = fileurl_info["fuzzing"]

    # meta info
    meta_info = meta.get(pe)

    # import function
    import_function = funcimport.get(pe)

    # export function
    export_function = funcexport.get(pe)

    # sections
    sections_info = sections.get(pe)

    # resources
    resources_info = resources.get(pe)

    # virustotal
    virustotal_info = virustotal.get(md5, strings_match)
    # json으로 반환
    return json.dumps(
        {
            "peframe_ver": help.VERSION,
            "file_type": ftype,
            "file_name": fname,
            "file_size": fsize,
            "hash": hash_info,
            "file_found": file_info,
            "url_found": url_info,
            "ip_found": ip_info,
            "virustotal": virustotal_info,
            "fuzzing": fuzzing_info,
            "pe_info": {
                "import_hash": imphash,
                "compile_time": str(tsdate),
                "dll": dll,
                "sections_number": nsec,
                "xor_info": xorcheck,
                "detected": detected,
                "directories": dirlist,
                "sign_info": cert.get(pe),
                "packer_info": packer,
                "antidbg_info": apiantidbg.get(pe, strings_match),
                "mutex_info": apimutex.get(pe, strings_match),
                "antivm_info": antivirtualmachine,
                "apialert_info": apialert_info,
                "meta_info": meta_info,
                "import_function": import_function,
                "export_function": export_function,
                "sections_info": sections_info,
                "resources_info": resources_info
            }
        },
        indent=4,
        separators=(',', ': '))
Beispiel #2
0
def get_pe_fileinfo(pe, filename):
	# is dll?
	dll = pe.FILE_HEADER.IMAGE_FILE_DLL
	
	# num sections
	nsec = pe.FILE_HEADER.NumberOfSections

	# timestamp
	tstamp = pe.FILE_HEADER.TimeDateStamp
	try:
		""" return date """
		tsdate = datetime.datetime.fromtimestamp(tstamp)
	except:
		""" return timestamp """
		tsdate = str(tstamp) + " [Invalid date]"

	# get md5, sha1, sha256, imphash

	md5, sha1, sha256, imphash = get_hash(filename)
	hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}
	
	detected = []

	# directory list
	dirlist = directories.get(pe)
	
	# digital signature
	for sign in dirlist:
		if sign == "security": detected.append("sign")

	# packer (peid)
	packer = peid.get(pe, userdb)
	if packer: detected.append("packer")

	# mutex
	mutex = apimutex.get(pe, strings_match)
	if mutex: detected.append("mutex")

	# anti debug
	antidbg = apiantidbg.get(pe, strings_match)
	if antidbg: detected.append("antidbg")

	# Xor
	xorcheck = xor.get(filename)
	if xorcheck: detected.append("xor")

	# anti virtual machine
	antivirtualmachine = antivm.get(filename)
	if antivirtualmachine: detected.append("antivm")
	
	# api alert suspicious
	apialert_info = apialert.get(pe, strings_match)
	
	# file and url
	fileurl_info = fileurl.get(filename, strings_match)
	file_info = fileurl_info["file"]
	url_info = fileurl_info["url"]
	ip_info = fileurl_info["ip"]
	fuzzing_info = fileurl_info["fuzzing"]
	
	# meta info
	meta_info = meta.get(pe)
	
	# import function
	import_function = funcimport.get(pe)

	# export function
	export_function = funcexport.get(pe)
	
	# sections
	sections_info = sections.get(pe)

	# resources
	resources_info = resources.get(pe)

	# virustotal
	virustotal_info = virustotal.get(md5, strings_match)

	return json.dumps({"peframe_ver": help.VERSION,
						"file_type": ftype,
						"file_name": fname,
						"file_size": fsize,
						"hash": hash_info,
						"file_found": file_info,
						"url_found": url_info,
						"ip_found": ip_info,
						"virustotal": virustotal_info,
						"fuzzing": fuzzing_info,
						"pe_info": {
							"import_hash": imphash,
							"compile_time": str(tsdate),
							"dll": dll,
							"sections_number": nsec, 
							"xor_info": xorcheck, 
							"detected": detected, 
							"directories": dirlist, 
							"sign_info": cert.get(pe), 
							"packer_info": packer, 
							"antidbg_info": apiantidbg.get(pe, strings_match),
							"mutex_info": apimutex.get(pe, strings_match),
							"antivm_info": antivirtualmachine, 
							"apialert_info": apialert_info, 
							"meta_info": meta_info, 
							"import_function": import_function, 
							"export_function": export_function, 
							"sections_info": sections_info,
							"resources_info": resources_info
							}
						}, 
						indent=4, separators=(',', ': '))
Beispiel #3
0
def get(argv, csv):
    if os.path.isdir(argv):
        mal_directory = argv
        for mal in (os.listdir(mal_directory)):
            malware = mal_directory + "/" + mal
            csv.write("\n"+mal+",")
            metadata.get(malware)
            fileheader.get(malware)
            optheader.get(malware)
            sections.get(malware, csv)
            imphash.get(malware, csv)
            imports.get(malware)
            exports.get(malware, csv)
            antidbg.get(malware, csv)
            antivm.get(malware, csv)
            apialert.get(malware, csv)
            codeint.get(malware, csv)
            cfg.get(malware, csv)
            dep.get(malware, csv)
            aslr.get(malware, csv)
            seh.get(malware, csv)
            gs.get(malware, csv)
            tls.get(malware, csv)
            codeint.get(malware, csv)
            dbgts.get(malware, csv)
            url.get(malware, csv)
            manifest.get(malware, csv)
            version.get(malware, csv)
            badstr.get(malware, csv)
            packed.get(malware, csv)
            certificate.get(malware, csv)
            virustotal.get(malware, csv)
            yarar.get(malware, csv)

    else:
        malware = argv
        csv.write("\n"+malware+",")
        metadata.get(malware)
        fileheader.get(malware)
        optheader.get(malware)
        sections.get(malware, csv)
        imphash.get(malware, csv)
        imports.get(malware)
        exports.get(malware, csv)
        antidbg.get(malware, csv)
        antivm.get(malware, csv)
        apialert.get(malware, csv)
        codeint.get(malware, csv)
        cfg.get(malware, csv)
        dep.get(malware, csv)
        aslr.get(malware, csv)
        seh.get(malware, csv)
        gs.get(malware, csv)
        tls.get(malware, csv)
        codeint.get(malware, csv)
        dbgts.get(malware, csv)
        url.get(malware, csv)
        manifest.get(malware, csv)
        version.get(malware, csv)
        badstr.get(malware, csv)
        packed.get(malware, csv)
        certificate.get(malware, csv)
        virustotal.get(malware, csv)
        yarar.get(malware, csv)
Beispiel #4
0
def get(malware, mydoc, progress_bar):
    progress_bar.UpdateBar(0,27)
    
    header.get(mydoc)
    progress_bar.UpdateBar(1,27)
    
    metadata.get(malware, mydoc)
    progress_bar.UpdateBar(2,27)
    progress_bar.UpdateBar(3,27)
    
    optheader.get(malware, mydoc)
    progress_bar.UpdateBar(4,27)
    
    sections.get(malware, mydoc)
    progress_bar.UpdateBar(5,27)
    
    imphash.get(malware, mydoc)
    progress_bar.UpdateBar(6,27)
    
    imports.get(malware, mydoc)
    progress_bar.UpdateBar(7,27)
    
    exports.get(malware, mydoc)
    progress_bar.UpdateBar(8,27)
    
    antidbg.get(malware, mydoc)
    progress_bar.UpdateBar(9,27)
    
    antivm.get(malware, mydoc)
    progress_bar.UpdateBar(10,27)
    
    apialert.get(malware, mydoc)
    progress_bar.UpdateBar(11,27)
    
    codeint.get(malware, mydoc)
    progress_bar.UpdateBar(12,27)
    
    cfg.get(malware, mydoc)
    progress_bar.UpdateBar(13,27)
    
    dep.get(malware, mydoc)
    progress_bar.UpdateBar(14,27)
    
    aslr.get(malware, mydoc)
    progress_bar.UpdateBar(15,27)
    
    seh.get(malware, mydoc)
    progress_bar.UpdateBar(16,27)
    
    gs.get(malware, mydoc)
    progress_bar.UpdateBar(17,27)
    
    tls.get(malware, mydoc)
    progress_bar.UpdateBar(18,27)
    progress_bar.UpdateBar(19,27)

    dbgts.get(malware, mydoc)
    progress_bar.UpdateBar(20,27)

    # url.get(malware, mydoc)
    manifest.get(malware, mydoc)
    progress_bar.UpdateBar(21,27)

    version.get(malware, mydoc)
    progress_bar.UpdateBar(22,27)
    ## badstr.get(malware)

    packed.get(malware, mydoc)
    progress_bar.UpdateBar(23,27)

    ## certificate.get(malware)
    virustotal.get(malware, mydoc)
    progress_bar.UpdateBar(25,27)

    # yarar.get(malware, mydoc)
    progress_bar.UpdateBar(26,27)

    progress_bar.UpdateBar(27,27)