def BasicAnalyzer(analyzeFile):
print(f"{infoS} Analyzing: {green}{analyzeFile}{white}")
fileType = str(pr.magic_file(analyzeFile))
# Windows Analysis
if "Windows Executable" in fileType or ".msi" in fileType or ".dll" in fileType or ".exe" in fileType:
print(f"{infoS} Target OS: {green}Windows{white}\n")
command = f"python3 Modules/winAnalyzer.py {analyzeFile}"
os.system(command)
# Linux Analysis
elif "ELF" in fileType:
print(f"{infoS} Target OS: {green}Linux{white}\n")
command = f"readelf -a {analyzeFile} > Modules/elves.txt"
os.system(command)
command = f"python3 Modules/linAnalyzer.py {analyzeFile}"
os.system(command)
# MacOSX Analysis
elif "Mach-O" in fileType:
print(f"{infoS} Target OS: {green}OSX{white}\n")
command = f"python3 Modules/osXAnalyzer.py {analyzeFile}"
os.system(command)
# Android Analysis
elif "PK" in fileType or "Android" in fileType:
print(f"{infoS} Target OS: {green}Android{white}\n")
command = f"python3 Modules/apkAnalyzer.py {analyzeFile}"
os.system(command)
else:
print(f"{infoS} File Type: {green}Non Executable{white}\n")
command = f"python3 Modules/nonExecAnalyzer.py {analyzeFile}"
os.system(command)
def BasicAnalyzer(analyzeFile):
print(f"{infoS} Analyzing: {green}{analyzeFile}{white}")
fileType = str(pr.magic_file(analyzeFile))
# Windows Analysis
if "Windows Executable" in fileType or ".msi" in fileType or ".dll" in fileType or ".exe" in fileType:
print(f"{infoS} Target OS: {green}Windows{white}\n")
command = f"python3 Modules/winAnalyzer.py {analyzeFile}"
os.system(command)
# Linux Analysis
elif "ELF" in fileType:
print(f"{infoS} Target OS: {green}Linux{white}\n")
command = f"readelf -a {analyzeFile} > Modules/elves.txt"
os.system(command)
command = f"python3 Modules/linAnalyzer.py {analyzeFile}"
os.system(command)
# MacOSX Analysis
elif "Mach-O" in fileType:
print(f"{infoS} Target OS: {green}OSX{white}\n")
command = f"python3 Modules/osXAnalyzer.py {analyzeFile}"
os.system(command)
# Android Analysis
elif "PK" in fileType and "Java archive" in fileType:
print(f"{infoS} Target OS: {green}Android{white}\n")
command = f"python3 Modules/apkAnalyzer.py {analyzeFile}"
os.system(command)
else:
print(
f"{errorS} File type not supported. Make sure you are analyze executable files or document files."
)
print(
f"{errorS} If you want to scan document files try {green}--docs{white} argument."
)
sys.exit(1)
def test_magic_file(self):
"""File identification with magic_file |"""
self.assertEqual(puremagic.magic_file(TGA_FILE)[0].extension, ".tga")
open("test_empty_file", "w").close()
try:
self.assertRaises(ValueError, puremagic.magic_file, "test_empty_file")
finally:
os.unlink("test_empty_file")
def test_magic_file(self):
"""File identification with magic_file |"""
self.assertEqual(puremagic.magic_file(TGA_FILE)[0][0], ".tga")
open("test_empty_file", "w").close()
try:
self.assertRaises(ValueError, puremagic.magic_file, "test_empty_file")
finally:
os.unlink("test_empty_file")
def _categorise_binary(fpath):
info = puremagic.magic_file(fpath)
mimetype = None
for item in info:
guess = item[1]
if guess != u"":
mimetype = guess
return mimetype
def detect_mime_type(clazz, filename):
'Detect the mime type for file.'
filename = file_check.check_file(filename)
import puremagic
rv = puremagic.magic_file(filename)
if not rv:
return None
return clazz._find_mime_type(rv)
def BasicAnalyzer(analyzeFile):
print(f"{infoS} Analyzing: {green}{analyzeFile}{white}")
fileType = str(pr.magic_file(analyzeFile))
# Windows Analysis
if "Windows Executable" in fileType or ".msi" in fileType or ".dll" in fileType or ".exe" in fileType:
print(f"{infoS} Target OS: {green}Windows{white}\n")
command = f"python3 {sc0pe_path}/Modules/winAnalyzer.py {analyzeFile}"
os.system(command)
# Linux Analysis
elif "ELF" in fileType:
print(f"{infoS} Target OS: {green}Linux{white}\n")
command = f"readelf -a {analyzeFile} > elves.txt"
os.system(command)
command = f"python3 {sc0pe_path}/Modules/linAnalyzer.py {analyzeFile}"
os.system(command)
# MacOSX Analysis
elif "Mach-O" in fileType:
print(f"{infoS} Target OS: {green}OSX{white}\n")
command = f"python3 {sc0pe_path}/Modules/osXAnalyzer.py {analyzeFile}"
os.system(command)
# Android Analysis
elif "PK" in fileType and "Java archive" in fileType:
look = pyaxmlparser.APK(analyzeFile)
if look.is_valid_APK() == True:
print(f"{infoS} Target OS: {green}Android{white}")
command = f"apkid -j {args.file} > apkid.json"
os.system(command)
command = f"python3 {sc0pe_path}/Modules/apkAnalyzer.py {analyzeFile}"
os.system(command)
if os.path.exists("apkid.json"):
os.remove("apkid.json")
# APP Security
choice = str(
input(
f"\n{infoS} Do you want to check target app\'s security? This process will take a while.[Y/n]: "
))
if choice == "Y" or choice == "y":
os.system(f"python3 {sc0pe_path}/Modules/apkSecCheck.py")
else:
pass
else:
print(
f"{errorS} Qu1cksc0pe doesn\'t support archive analysis for now ;)"
)
sys.exit(1)
else:
print(
f"{errorS} File type not supported. Make sure you are analyze executable files or document files."
)
print(
f"{errorS} If you want to scan document files try {green}--docs{white} argument."
)
sys.exit(1)
def get_mimetype(fpath):
"""Return mimetype of a file."""
try:
possibilities = puremagic.magic_file(fpath)
except ValueError: # File is empty.
return "unknown/unknown"
if len(possibilities) > 0:
return possibilities[0].mime_type
else:
return "unknown/unknown"
def is_filetype(filename=None, search_str=None):
"""
Applies magic byte (header) inspection to determine if of search file type.
"""
if not search_str:
return False
results = puremagic.magic_file(filename)
for result in results:
if search_str.lower() in result.name.lower():
return True
return False
def _puremagic_media_type_of_file(file_path):
array_of_type_arrays = puremagic.magic_file(file_path)
types = list(map(lambda x: x[1], array_of_type_arrays))
types = list(filter(lambda x: x and x != '', types))
if len(types) == 0:
return None
media_type = types[0]
if media_type == 'application/x-ipynb+json': # All JSON files are not Jupiter notebooks
media_type = 'application/json'
elif media_type == 'application/x-gzip': # deprecated
media_type = 'application/gzip'
return media_type
def _media_type_from_magic(file_path):
"""
Use puremagic to generate a media-type for the file, then correct its mistakes.
"""
types = puremagic.magic_file(file_path)
if len(types) == 0:
return 'application/octet-stream'
media_type = types[0][1]
if media_type == 'application/x-ipynb+json': # All JSON files are not Jupiter notebooks
if file_path.endswith('.json'):
media_type = 'application/json'
elif media_type == 'application/x-gzip': # deprecated
media_type = 'application/gzip'
return media_type
def ExecutableCheck(fileName):
exe_indicator = 0
try:
magicNums = list(pr.magic_file(fileName))
for mag in range(0, len(magicNums)):
if magicNums[mag].confidence >= 0.4:
if "executable" in str(
magicNums[mag].name) or "Executable" in str(
magicNums[mag].name):
exe_indicator += 1
if exe_indicator != 0:
return True
else:
return False
except:
pass
def extension_file(path: str):
"""
Check the enconding format based on the magic number
if file has no magic number we simply use extension.
More advance analytics of file content is needed, potentially
extendind to a lib like libmagic
Args:
path (str): File path
Returns:
file_extension_given: str: extension of encoding data
magic_data : dic : any magic data information available including
magic number : byte
mime_type: str
name : str
"""
file_extension_given = os.path.splitext(path)[1]
format_file = puremagic.magic_file(path)
if len(format_file) > 0:
if format_file[0].confidence < 0.5:
print("poor confidence")
magicdata = {
"byte_match": None,
"mime_type": None,
"name": None,
}
return file_extension_given, magicdata
else:
magicdata = {
"byte_match": "{}".format(format_file[0].byte_match),
"mime_type": format_file[0].mime_type,
"name": format_file[0].name,
}
return format_file[0].extension, magicdata
else:
magicdata = {
"byte_match": None,
"mime_type": None,
"name": None,
}
return file_extension_given, magicdata
def MagicParser(targetFile):
# Defining table
resTable = PrettyTable()
# Magic byte parsing
resCounter = 0
resTable.field_names = [f"File Extension", "Names", "Byte Matches", "Confidence"]
resourceList = list(pr.magic_file(targetFile))
for res in range(0, len(resourceList)):
extrExt = str(resourceList[res].extension)
extrNam = str(resourceList[res].name)
extrByt = str(resourceList[res].byte_match)
if resourceList[res].confidence >= 0.8:
resCounter += 1
if extrExt == '':
resTable.add_row([f"{red}No Extension{white}", f"{red}{extrNam}{white}", f"{red}{extrByt}{white}", f"{red}{resourceList[res].confidence}{white}"])
else:
resTable.add_row([f"{red}{extrExt}{white}", f"{red}{extrNam}{white}", f"{red}{extrByt}{white}", f"{red}{resourceList[res].confidence}{white}"])
if len(resourceList) != 0:
print(resTable)
def generate_preview(filepath: str, max_size=390) -> str:
""" Detect filetype and generate a human readable text preview
Detects filetype and returns a string if there is a compatible text
preview method available. For text files, the preview will be the first
`max_size` characters. For other file types, a selection of their
metadata could be shown.
"""
filetype = ""
excerpt = ""
extension = get_file_extension(filepath)
try:
my_file = puremagic.magic_file(filepath)
if my_file:
filetype = " ".join(str(i) for i in next(itertools.chain(my_file)))
except Exception as e:
print("FILETYPE_DETECTION_ERROR:", e) # DEBUG
pass
# TODO: Check if there is a specific file preview method
#print('EXT:', extension) # DEBUG
#print('TYPE:', filetype) # DEBUG
if extension in SUPPORTED_TYPES['text']:
excerpt = generic_text_preview(filepath, max_size)
elif extension in SUPPORTED_TYPES['image']:
excerpt = "[Text preview for image files not implemented yet.]"
elif extension in SUPPORTED_TYPES['pdf']:
excerpt = "[Text preview for PDF files not implemented yet.]"
else:
excerpt = generic_binary_preview(filepath, max_size)
if excerpt:
return f"Format: {filetype}\n{excerpt}"
else:
return f"Format: {filetype}\n[No preview available for this file.]"
def mime_type(self):
if self._mime_type:
return self._mime_type
else:
if self.auto_detect_mime_type:
if self.path and os.path.isfile(self.path) \
and os.access(self.path, os.R_OK):
m = find_mime_type_recursive(
puremagic.magic_file(self.path))
if m:
return m
else:
logger.warning(
"Can't detect mime type of file '%s'. Using default mime type: %s"
% (self.path, self.default_mime_type))
return self.default_mime_type
elif not self.path and self.body:
try:
m = find_mime_type_recursive(
puremagic.magic_string(self.body))
except PureError:
m = None
if m:
return m
else:
logger.warning(
"Can't detect mime type of body. Using default mime type: %s"
% self.default_mime_type)
return self.default_mime_type
else:
logger.warning(
"File '%s' isn't readable. Skipping mime type auto detection, using default mime type: %s"
% (self.path, self.default_mime_type))
return self.default_mime_type
else:
return self.default_mime_type
for val in detector[key]:
if val in allStrings:
print(
f"{foundS} Possible programming language: {green}{key}{white}\n"
)
indicator += 1
sys.exit(0)
if indicator == 0:
print(f"{errorS} Programming language couldn\'t detected :(\n")
sys.exit(1)
# Execution
indmag = 0
try:
magicNums = list(pr.magic_file(fileName))
for mag in range(0, len(magicNums)):
if magicNums[mag].confidence >= 0.4:
if "executable" in str(magicNums[mag].name) or "Executable" in str(
magicNums[mag].name):
indmag += 1
LanguageDetect()
else:
pass
else:
pass
if indmag == 0:
print(f"{errorS} Please scan executable files.\n")
sys.exit(1)
except:
pass
def isELF(file):
b = puremagic.magic_file(file)
for x in b:
if 'ELF' in x[-2]:
return True
def Analyzer():
allFuncs = 0
tables = PrettyTable()
secTable = PrettyTable()
segTable = PrettyTable()
resTable = PrettyTable()
statistics = PrettyTable()
for key in dictArr:
for elem in dictArr[key]:
if elem in allStrings:
if elem != "":
Categs[key].append(elem)
allFuncs +=1
for key in Categs:
if Categs[key] != []:
if key == "Information Gathering" or key == "System/Persistence" or key == "Cryptography":
print(f"\n{yellow}[{red}!{yellow}]__WARNING__[{red}!{yellow}]{white}")
# Printing zone
tables.field_names = [f"Functions or Strings about {green}{key}{white}"]
for i in Categs[key]:
if i == "":
pass
else:
tables.add_row([f"{red}{i}{white}"])
# Threat score
if key == "Networking":
scoreDict[key] += 1
elif key == "File":
scoreDict[key] += 1
elif key == "Process":
scoreDict[key] += 1
elif key == "Memory Management":
scoreDict[key] += 1
elif key == "Information Gathering":
scoreDict[key] += 1
elif key == "System/Persistence":
scoreDict[key] += 1
elif key == "Cryptography":
scoreDict[key] += 1
elif key == "Other/Unknown":
scoreDict[key] += 1
else:
pass
print(tables)
tables.clear_rows()
# Gathering sections and segments
secTable.field_names = [f"{green}Sections{white}"]
segTable.field_names = [f"{green}Segments{white}"]
# Sections
sec_indicator = 0
for se1 in sections:
if se1 in allThings:
if se1 != "":
secTable.add_row([f"{red}{se1}{white}"])
sec_indicator += 1
if sec_indicator != 0:
print(secTable)
# Segments
seg_indicator = 0
for se2 in segments:
if se2 in allThings:
if se2 != "":
segTable.add_row([f"{red}{se2}{white}"])
seg_indicator += 1
if seg_indicator != 0:
print(segTable)
# Resource scanner zone
resCounter = 0
resTable.field_names = [f"Extracted File Extensions", "Names", "Byte Matches", "Confidence"]
resourceList = list(pr.magic_file(fileName))
for res in range(0, len(resourceList)):
extrExt = str(resourceList[res].extension)
extrNam = str(resourceList[res].name)
extrByt = str(resourceList[res].byte_match)
if resourceList[res].confidence >= 0.4:
resCounter += 1
if extrExt == '':
resTable.add_row([f"{red}No Extension{white}", f"{red}{extrNam}{white}", f"{red}{extrByt}{white}", f"{red}{resourceList[res].confidence}{white}"])
else:
resTable.add_row([f"{red}{extrExt}{white}", f"{red}{extrNam}{white}", f"{red}{extrByt}{white}", f"{red}{resourceList[res].confidence}{white}"])
if len(resourceList) != 0:
print(resTable)
# Statistics zone
print(f"\n{green}->{white} Statistics for: {green}{fileName}{white}")
# Printing zone
statistics.field_names = ["Categories", "Number of Functions"]
statistics.add_row([f"{green}All Functions{white}", f"{green}{allFuncs}{white}"])
for key in scoreDict:
if scoreDict[key] == 0:
pass
else:
if key == "System/Persistence" or key == "Cryptography" or key == "Information Gathering":
statistics.add_row([f"{yellow}{key}{white}", f"{red}{scoreDict[key]}{white}"])
else:
statistics.add_row([f"{white}{key}", f"{scoreDict[key]}{white}"])
print(statistics)
# Warning about obfuscated file
if allFuncs < 10:
print(f"\n{errorS} This file might be obfuscated or encrypted. Try {green}--packer{white} to scan this file for packers.\n")
sys.exit(0)
def Analyzer():
threatScore = 0
allFuncs = 0
tables = PrettyTable()
dllTable = PrettyTable()
resTable = PrettyTable()
statistics = PrettyTable()
# categorizing extracted strings
for key in regdict:
for el in regdict[key]:
if el in allStrings:
if el != "":
dictCateg[key].append(el)
allFuncs += 1
# printing categorized strings
for key in dictCateg:
if dictCateg[key] != []:
# More important categories
if key == "Keyboard/Keylogging" or key == "Evasion/Bypassing" or key == "System/Persistence" or key == "Cryptography" or key == "Information Gathering":
print(
f"\n{yellow}[{red}!{yellow}]__WARNING__[{red}!{yellow}]{white}"
)
# Printing zone
tables.field_names = [
f"Functions or Strings about {green}{key}{white}"
]
for i in dictCateg[key]:
if i == "":
pass
else:
tables.add_row([f"{red}{i}{white}"])
# Calculating threat score
if key == "Registry":
threatScore += 4
scoreDict[key] += 1
elif key == "File":
threatScore += 4
scoreDict[key] += 1
elif key == "Networking/Web":
threatScore += 6
scoreDict[key] += 1
elif key == "Keyboard/Keylogging":
threatScore += 7
scoreDict[key] += 1
elif key == "Process":
threatScore += 5
scoreDict[key] += 1
elif key == "Memory Management":
threatScore += 5
scoreDict[key] += 1
elif key == "Dll/Resource Handling":
threatScore += 6
scoreDict[key] += 1
elif key == "Evasion/Bypassing":
threatScore += 9
scoreDict[key] += 1
elif key == "System/Persistence":
threatScore += 9
scoreDict[key] += 1
elif key == "COMObject":
threatScore += 4
scoreDict[key] += 1
elif key == "Cryptography":
threatScore += 9
scoreDict[key] += 1
elif key == "Information Gathering":
threatScore += 7
scoreDict[key] += 1
elif key == "Other/Unknown":
threatScore += 1
scoreDict[key] += 1
else:
pass
print(tables)
tables.clear_rows()
# gathering extracted dll files
handleDll = []
dllTable.field_names = [f"Extracted {green}DLL{white} Strings"]
for dl in allStrings:
if dl in dllArray:
if dl != "":
handleDll.append(dl)
# Removing duplicates and printing
if handleDll != []:
handleDll = list(dict.fromkeys(handleDll))
for ne in handleDll:
dllTable.add_row([f"{red}{ne}{white}"])
print(dllTable)
# Resource scanner zone
resCounter = 0
resTable.field_names = [
f"Extracted File Extensions", "Names", "Byte Matches", "Confidence"
]
resourceList = list(pr.magic_file(fileName))
for res in range(0, len(resourceList)):
extrExt = str(resourceList[res].extension)
extrNam = str(resourceList[res].name)
extrByt = str(resourceList[res].byte_match)
if resourceList[res].confidence >= 0.4:
resCounter += 1
if extrExt == '':
resTable.add_row([
f"{red}No Extension{white}", f"{red}{extrNam}{white}",
f"{red}{extrByt}{white}",
f"{red}{resourceList[res].confidence}{white}"
])
else:
resTable.add_row([
f"{red}{extrExt}{white}", f"{red}{extrNam}{white}",
f"{red}{extrByt}{white}",
f"{red}{resourceList[res].confidence}{white}"
])
if len(resourceList) != 0:
print(resTable)
# Statistics zone
print(f"\n{green}->{white} Statistics for: {green}{fileName}{white}")
# printing all function statistics
statistics.field_names = ["Categories", "Number of Functions or Strings"]
statistics.add_row(
[f"{green}All Functions{white}", f"{green}{allFuncs}{white}"])
for key in scoreDict:
if scoreDict[key] == 0:
pass
else:
if key == "Keyboard/Keylogging" or key == "Evasion/Bypassing" or key == "System/Persistence" or key == "Cryptography" or key == "Information Gathering":
statistics.add_row(
[f"{yellow}{key}{white}", f"{red}{scoreDict[key]}{white}"])
else:
statistics.add_row(
[f"{white}{key}", f"{scoreDict[key]}{white}"])
print(statistics)
# Warning about obfuscated file
if allFuncs < 10:
print(
f"\n{errorS} This file might be obfuscated or encrypted. Try {green}--packer{white} to scan this file for packers."
)
print(
f"{errorS} You can also use {green}--hashscan{white} to scan this file.\n"
)
sys.exit(0)
# score table
print(
f"\n{errorS} ATTENTION: There might be false positives in threat scaling system."
)
# score conditions
if threatScore < 30:
print(f"{thLevel}: {green}Clean{white}.\n")
elif threatScore >= 30 and threatScore <= 200:
print(
f"{errorS} Attention: Use {green}--vtFile{white} argument to scan that file with VirusTotal. Do not trust that file."
)
print(f"{thLevel}: {yellow}Suspicious{white}.\n")
else:
print(f"{thLevel}: {red}Potentially Malicious{white}.\n")
def Analyzer():
# Creating tables
allFuncs = 0
tables = PrettyTable()
dllTable = PrettyTable()
resTable = PrettyTable()
statistics = PrettyTable()
# Gathering information about sections
pe = pf.PE(fileName)
print(f"{infoS} Informations about Sections")
print("-" * 40)
for sect in pe.sections:
print(sect.Name.decode().rstrip('\x00') + "\n|\n|---- Virtual Size: " +
hex(sect.Misc_VirtualSize) + "\n|\n|---- Virtual Address: " +
hex(sect.VirtualAddress) + "\n|\n|---- Size of Raw Data: " +
hex(sect.SizeOfRawData) + "\n|\n|---- Pointer to Raw Data: " +
hex(sect.PointerToRawData) + "\n|\n|---- Characteristics: " +
hex(sect.Characteristics) + "\n")
print("-" * 40)
# categorizing extracted strings
for key in regdict:
for el in regdict[key]:
if el in allStrings:
if el != "":
dictCateg[key].append(el)
allFuncs += 1
# printing categorized strings
for key in dictCateg:
if dictCateg[key] != []:
# More important categories
if key == "Keyboard/Keylogging" or key == "Evasion/Bypassing" or key == "System/Persistence" or key == "Cryptography" or key == "Information Gathering":
print(
f"\n{yellow}[{red}!{yellow}]__WARNING__[{red}!{yellow}]{white}"
)
# Printing zone
tables.field_names = [
f"Functions or Strings about {green}{key}{white}"
]
for i in dictCateg[key]:
if i == "":
pass
else:
tables.add_row([f"{red}{i}{white}"])
# Logging for summary table
if key == "Registry":
scoreDict[key] += 1
elif key == "File":
scoreDict[key] += 1
elif key == "Networking/Web":
scoreDict[key] += 1
elif key == "Keyboard/Keylogging":
scoreDict[key] += 1
elif key == "Process":
scoreDict[key] += 1
elif key == "Memory Management":
scoreDict[key] += 1
elif key == "Dll/Resource Handling":
scoreDict[key] += 1
elif key == "Evasion/Bypassing":
scoreDict[key] += 1
elif key == "System/Persistence":
scoreDict[key] += 1
elif key == "COMObject":
scoreDict[key] += 1
elif key == "Cryptography":
scoreDict[key] += 1
elif key == "Information Gathering":
scoreDict[key] += 1
elif key == "Other/Unknown":
scoreDict[key] += 1
else:
pass
print(tables)
tables.clear_rows()
# gathering extracted dll files
dllTable.field_names = [f"Linked {green}DLL{white} Files"]
for items in pe.DIRECTORY_ENTRY_IMPORT:
dlStr = str(items.dll.decode())
dllTable.add_row([f"{red}{dlStr}{white}"])
print(dllTable)
# Resource scanner zone
resCounter = 0
resTable.field_names = [
f"Extracted File Extensions", "Names", "Byte Matches", "Confidence"
]
resourceList = list(pr.magic_file(fileName))
for res in range(0, len(resourceList)):
extrExt = str(resourceList[res].extension)
extrNam = str(resourceList[res].name)
extrByt = str(resourceList[res].byte_match)
if resourceList[res].confidence >= 0.4:
resCounter += 1
if extrExt == '':
resTable.add_row([
f"{red}No Extension{white}", f"{red}{extrNam}{white}",
f"{red}{extrByt}{white}",
f"{red}{resourceList[res].confidence}{white}"
])
else:
resTable.add_row([
f"{red}{extrExt}{white}", f"{red}{extrNam}{white}",
f"{red}{extrByt}{white}",
f"{red}{resourceList[res].confidence}{white}"
])
if len(resourceList) != 0:
print(resTable)
# Statistics zone
print(f"\n{green}->{white} Statistics for: {green}{fileName}{white}")
# printing all function statistics
statistics.field_names = ["Categories", "Number of Functions or Strings"]
statistics.add_row(
[f"{green}All Functions{white}", f"{green}{allFuncs}{white}"])
for key in scoreDict:
if scoreDict[key] == 0:
pass
else:
if key == "Keyboard/Keylogging" or key == "Evasion/Bypassing" or key == "System/Persistence" or key == "Cryptography" or key == "Information Gathering":
statistics.add_row(
[f"{yellow}{key}{white}", f"{red}{scoreDict[key]}{white}"])
else:
statistics.add_row(
[f"{white}{key}", f"{scoreDict[key]}{white}"])
print(statistics)
# Warning about obfuscated file
if allFuncs < 20:
print(
f"\n{errorS} This file might be obfuscated or encrypted. Try {green}--packer{white} to scan this file for packers."
)
print(
f"{errorS} You can also use {green}--hashscan{white} to scan this file.\n"
)
sys.exit(0)
# Specifying target folder
elif con_command == "set target-folder":
foldername = str(
input(f"{foundS} Enter full path of target folder: "))
if os.path.isdir(foldername):
with open(".target-folder.txt", "w") as tfolder:
tfolder.write(foldername)
else:
print(f"{errorS} Please enter a correct folder.")
# Windows analysis
elif con_command == "analyze windows":
if os.path.exists(".target-file.txt"):
filename = open(".target-file.txt", "r").read()
print(f"\n{infoS} Analyzing: {green}{filename}{white}")
fileType = str(pr.magic_file(filename))
if "Windows Executable" in fileType or ".msi" in fileType or ".dll" in fileType or ".exe" in fileType:
print(f"{infoS} Target OS: {green}Windows{white}\n")
command = f"python3 {sc0pe_path}/Modules/winAnalyzer.py {filename}"
os.system(command)
else:
print(
f"{errorS} You must specify target file with {green}set target-file{white} command."
)
# Linux Analysis
elif con_command == "analyze linux":
if os.path.exists(".target-file.txt"):
filename = open(".target-file.txt", "r").read()
print(f"\n{infoS} Analyzing: {green}{filename}{white}")
fileType = str(pr.magic_file(filename))
def test_file_field():
tmp_file = tempfile.mktemp()
tmp_path = str(tmp_file)
with open(tmp_path, 'w') as f:
f.write("this is a test")
f.close()
gif_content = b'R0lGODlhHgAcAPcAAAAAAAEBAQMDAwUFBQYGBgcHBwkJCQoKCg0NDQ4ODhERERISEhMTExQUFBUVFRYWFhgYGBoaGhwcHB4eHh8fHyMjIyYmJicnJygoKCkpKSoqKisrKy4uLi8vLzAwMDExMTMzMzQ0NDU1NTg4ODk5OTo6Ojs7Oz09PT4+PkBAQEFBQUJCQkNDQ0REREVFRUZGRkdHR0lJSUpKSkxMTE5OTlBQUFFRUVJSUlNTU1RUVFVVVVZWVldXV1hYWFlZWVxcXF9fX2BgYGFhYWJiYmNjY2RkZGVlZWdnZ2hoaGlpaWpqamtra2xsbG1tbW5ubnFxcXJycnNzc3R0dHV1dXZ2dnd3d3h4eHl5eXp6ent7e3x8fH19fX5+fn9/f4CAgIKCgoODg4SEhIWFhYaGhoiIiImJiYqKioyMjI2NjY6Ojo+Pj5CQkJKSkpOTk5SUlJWVlZaWlpiYmJmZmZycnJ2dnZ6enqCgoKOjo6SkpKampqioqK6urrOzs7m5ubu7u8XFxdXV1QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAAAAAAALAAAAAAeABwAAAj+AAEIHEhwYIQGADYsKMiwIcMHcTIAgNPHocWGRaoIjAFIxMWPAreYKdEgR5knID82QdPCiI4dGlNalPHDA4kLS1bItAghhQ07QkAo2GlxRJsncHwQtUgiD9IrApY2FMGHi5wvUaUWLIGnChsyBrQW9GDHCRY1DsQSxHDnShQwFAoGkCqBjhMlayyoHfjAzZYneULsFZigy5ggdlQMBrDgSBYmZl4shmBEyA03RBY3kHImjR4hiydwqeLnj43FBciI2fOnx14hVpDsCJIkTY0aMVwsHcBDzZk6OoR4wcEjSpw5KYiCeCOi55IubIDksMABCJUDO1PUoQEAARUYG5Q2LBEIhEmCnQ7C7OigQcuWE1BmlPgwpMZSGFOmODGSgwWUIkh08QMDUlWAwgkEDARCCiZg11BAACH/C1hNUCBEYXRhWE1QPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4KPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS42LWMxMzggNzkuMTU5ODI0LCAyMDE2LzA5LzE0LTAxOjA5OjAxICAgICAgICAiPgogPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4KICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIi8+CiA8L3JkZjpSREY+CjwveDp4bXBtZXRhPgo8P3hwYWNrZXQgZW5kPSJyIj8+Af/+/fz7+vn49/b19PPy8fDv7u3s6+rp6Ofm5eTj4uHg397d3Nva2djX1tXU09LR0M/OzczLysnIx8bFxMPCwcC/vr28u7q5uLe2tbSzsrGwr66trKuqqainpqWko6KhoJ+enZybmpmYl5aVlJOSkZCPjo2Mi4qJiIeGhYSDgoGAf359fHt6eXh3dnV0c3JxcG9ubWxramloZ2ZlZGNiYWBfXl1cW1pZWFdWVVRTUlFQT05NTEtKSUhHRkVEQ0JBQD8+PTw7Ojk4NzY1NDMyMTAvLi0sKyopKCcmJSQjIiEgHx4dHBsaGRgXFhUUExIREA8ODQwLCgkIBwYFBAMCAQAAOw=='
tmp_gif_file = tempfile.mktemp()
tmp_gif_path = str(tmp_gif_file)
with open(tmp_gif_path, 'bw') as f:
f.write(base64.b64decode(gif_content))
f.close()
m = puremagic.magic_file(tmp_gif_path)
assert find_mime_type_recursive(m) == 'image/gif'
jpg_content = b'/9j/4QlQaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLwA8P3hwYWNrZXQgYmVnaW49Iu+7vyIgaWQ9Ilc1TTBNcENlaGlIenJlU3pOVGN6a2M5ZCI/PiA8eDp4bXBtZXRhIHhtbG5zOng9ImFkb2JlOm5zOm1ldGEvIiB4OnhtcHRrPSJBZG9iZSBYTVAgQ29yZSA1LjYtYzEzOCA3OS4xNTk4MjQsIDIwMTYvMDkvMTQtMDE6MDk6MDEgICAgICAgICI+IDxyZGY6UkRGIHhtbG5zOnJkZj0iaHR0cDovL3d3dy53My5vcmcvMTk5OS8wMi8yMi1yZGYtc3ludGF4LW5zIyI+IDxyZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0PSIiLz4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8P3hwYWNrZXQgZW5kPSJ3Ij8+/+0ALFBob3Rvc2hvcCAzLjAAOEJJTQQlAAAAAAAQ1B2M2Y8AsgTpgAmY7PhCfv/bAIQAAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQICAgICAgICAgICAwMDAwMDAwMDAwEBAQEBAQECAQECAgIBAgIDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMD/90ABAAE/+4ADkFkb2JlAGTAAAAAAf/AABEIABwAHgMAEQABEQECEQH/xABfAAEBAQADAAAAAAAAAAAAAAAJCwUDBwgBAQAAAAAAAAAAAAAAAAAAAAAQAAEEAgICAwADAAAAAAAAAAQCAwUGAQcACAkREhMUFSMyEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMAAAERAhEAPwCf/wABDeiGuKFuWJ7B6hkIwsvbmxKpRYXVcmBF1uTNgIoS6sTezJUdy2kAwkIhmDixclSGSgXmAMEN/qYZefXgMnyRkUcrsyYuo0WP1pODa81zEbUpURWwahFRO0q7Wx65YDB63FBgQ8ZI2SMiQJWVwE0kF6aOMeHytlxDig8EcD//0J//AAE+8QEw3E93KqyrDWXZzWO8oERLrbTyXDD9TWxYzGGXnG2nXCHB/rRjOf8ASsZx6zjGcBj+WoEhvvDsaeIYaHXeKnqW6pQw628OpE3q6p4+0dbSlI+t1QuVfHGVfFWcp95zj3kDZ4H/0Z//AAGC8avWe7Q+y9ZdjbWRVI2nEDWt6vUUi2jg7iu8IZGyNRFudGoTbgcvO1Ia2FfmILaLEdQ2KU838kM+1h3X5bOvB+1t7X7b+jWIZGvNR6focPM0i0WyHD3OyPSY78Nwm11MkxyWtcdBHPEYIkR1vYyOE4v2pKUqWAJcD//Sn/8AATjTPaK7Vvr4JZiavr+3WfreLIUrU1guMRNy5sDUthSLzdjr5ArNjBh5OMdatRiG0PCq+KFpTnKsITjAc+wuyNpnutcbsBuo0CBvVvritDn22CjrEzLg6vDVKiE1qI/kLRJAgjS6YlCyf6V+nnXVs4aU5nPAMDgf/9k='
tmp_jpg_file = tempfile.mktemp()
tmp_jpg_path = str(tmp_jpg_file)
with open(tmp_jpg_path, 'bw') as f:
f.write(base64.b64decode(jpg_content))
f.close()
m = puremagic.magic_file(tmp_jpg_path)
assert find_mime_type_recursive(m) == 'image/jpeg'
png_content = b'iVBORw0KGgoAAAANSUhEUgAAAB4AAAAcCAYAAAB2+A+pAAABS2lUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4KPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS42LWMxMzggNzkuMTU5ODI0LCAyMDE2LzA5LzE0LTAxOjA5OjAxICAgICAgICAiPgogPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4KICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIi8+CiA8L3JkZjpSREY+CjwveDp4bXBtZXRhPgo8P3hwYWNrZXQgZW5kPSJyIj8+IEmuOgAAA09JREFUSIm1lk1LMl0YgK9pdNQZR0FFsxSCMApJidCFRIsI2gW1bdU/eX9F1K7/YCDRJoKgDyQKQhCkRSFTlmN+jV85z6L3fVb14vQ83nAWw5xzXdznvs+cATCtjqmpKTMQCJiAGY/HTZ/PZ5mB1QXBYNDc3983FxYWTMDc29szj4+PLYsnsBibm5s8PDxQKBQAyGazRCIRUqmUJY5lcTgcxu/3k8lkCAQCKIrC0dERKysr4xXXajVEUUSWZba2thAEgXw+jyRJljg2q+JSqYSu67y+vtJqtahWq6yvr3N9fW2JIwL/WFnQaDSQJIlwOMzOzg7D4ZB8Pk+hUKDT6YzMsbzVmqbR6XRYW1vj9vaWVCrF3Nwcuq5b4lgWAwiCgN/v//08MzODKIrjFw8GA1RVRVVVRFHE5XJZZvxIbLfbeX9/p9vt0u12kSTJclf/SNxutxkMBhiGgaZpOBwO3G73+MWdTgdRFFEUhW63S7PZRJblL+cKgvD3xM1mk16vR6vVwjAMVFXF4XB8Odc0zb8n7vV6GIaB1+vF4XAQDAbxeDyWGD/e6kqlgsvlQtd1er0eqqqOX2yz2dA0jVarhdvt5uXlBbvdPn6xJEkMh0PK5TLlchlZlolGo5YYli8J+PyAeL1eJicnmZiYIBAIMBwOLTF+lLEsy8iyTKVSYXFxkWg0Sq1WG7/4+fkZWZbxeDw0Gg2Ab4/TdyHw74/XKLG7u0soFKJWq1GtVpFlGZfLRSwW4+zsDIBut8tgMODk5OR/WSPV2G63s729TSKR4OPjg7m5OXK5HIIgEAqFOD8/x+FwEIlEiMVi2Gw2+v0+p6enfyZOJBKsrq5yeHjI4+Mj8/PzxONxAoEAPp8Pt9tNq9Uim83idDpZWloinU5zdXVFu93+kjlSjVVVxeVyEQ6H0TSNfD6PoihcXFxwcHCAoiiEQiGKxSJ3d3fA50Vis32f10gZ39/fUy6XcTqdJJNJ+v0+kiSRTqdpt9s4nU6KxSKZTAbDMBBFkaenJ+r1+rfMkZtrY2ODRCIBfDaQYRjouo6u6ySTSer1OjabjVAoRKlUIpfL8fb29udigNnZWaanpzFNk8vLS3q93u93y8vLqKpKv9/n5ubm29r+F78AmGZ4Lz2bZYkAAAAASUVORK5CYII='
tmp_png_file = tempfile.mktemp()
tmp_png_path = str(tmp_png_file)
with open(tmp_png_path, 'bw') as f:
f.write(base64.b64decode(png_content))
f.close()
m = puremagic.magic_file(tmp_png_path)
assert find_mime_type_recursive(m) == 'image/png'
b = FileField()
b.path = tmp_path
d = b.to_dict()
assert len(d) == 3
assert d['Body'] == b'this is a test'
assert d['Name'] == os.path.basename(tmp_path)
assert d['MimeType'] == 'text/plain'
b = FileField(name='test.txt', path=tmp_path, mime_type='weird/odd')
d = b.to_dict()
assert len(d) == 3
assert d['Name'] == 'test.txt'
assert d['Body'] == b'this is a test'
assert d['MimeType'] == 'weird/odd'
b = FileField(name='test.txt', mime_type='empty/body')
d = b.to_dict()
d = b.value
assert len(d) == 3
assert d['Name'] == 'test.txt'
assert d['Body'] == bytes()
assert d['MimeType'] == 'empty/body'
b = FileField(path=tmp_path)
d = b.to_dict()
d = b.value
assert len(d) == 3
assert d['Name'] == os.path.basename(tmp_path)
assert d['Body'] == b'this is a test'
assert d['MimeType'] == 'text/plain'
b = FileField(name='some.txt', body=b'custom body')
d = b.to_dict()
d = b.value
assert len(d) == 3
assert d['Name'] == 'some.txt'
assert d['Body'] == b'custom body'
assert d['MimeType'] == 'text/plain'
b = FileField(name='some.txt',
body=b'custom body',
mime_type='custom/mime')
d = b.to_dict()
d = b.value
assert len(d) == 3
assert d['Name'] == 'some.txt'
assert d['Body'] == b'custom body'
assert d['MimeType'] == 'custom/mime'
b = FileField({
'name': 'some1.txt',
'body': b'custom1 body',
'mime_type': 'custom/mime1'
})
d = b.to_dict()
d = b.value
assert len(d) == 3
assert d['Name'] == 'some1.txt'
assert d['Body'] == b'custom1 body'
assert d['MimeType'] == 'custom/mime1'
b = FileField({
'Name': 'some2.txt',
'Body': b'custom2 body',
'MimeType': 'custom/mime2'
})
d = b.to_dict()
d = b.value
assert len(d) == 3
assert d['Name'] == 'some2.txt'
assert d['Body'] == b'custom2 body'
assert d['MimeType'] == 'custom/mime2'
b = FileField({'path': tmp_path})
d = b.to_dict()
d = b.value
assert len(d) == 3
assert d['Name'] == os.path.basename(tmp_path)
assert d['Body'] == b'this is a test'
assert d['MimeType'] == 'text/plain'
b = FileField({'Path': tmp_gif_path, 'Name': 'file.gif'})
d = b.to_dict()
d = b.value
assert len(d) == 3
assert d['Name'] == 'file.gif'
assert d['Body'] == base64.b64decode(gif_content)
assert d['MimeType'] == 'image/gif'
b = FileField({'Path': tmp_jpg_path, 'Name': 'file.jpg'})
d = b.to_dict()
d = b.value
assert len(d) == 3
assert d['Name'] == 'file.jpg'
assert d['Body'] == base64.b64decode(jpg_content)
assert d['MimeType'] == 'image/jpeg'
b = FileField({'path': tmp_png_path, 'Name': 'file.png'})
d = b.to_dict()
d = b.value
assert len(d) == 3
assert d['Name'] == 'file.png'
assert d['Body'] == base64.b64decode(png_content)
assert d['MimeType'] == 'image/png'
b = FileField({
'path': tmp_png_path,
'Name': 'file.png',
'MimeType': 'custom/mime'
})
d = b.to_dict()
d = b.value
assert len(d) == 3
assert d['Name'] == 'file.png'
assert d['Body'] == base64.b64decode(png_content)
assert d['MimeType'] == 'custom/mime'
b = FileField(tmp_png_path)
d = b.to_dict()
d = b.value
assert len(d) == 3
assert len(d['Name']) > 0
assert d['Body'] == base64.b64decode(png_content)
assert d['MimeType'] == 'image/png'
b = FileField(base64.b64decode(gif_content))
d = b.to_dict()
d = b.value
assert len(d) == 3
assert d['Name'] == 'Filename'
assert d['Body'] == base64.b64decode(gif_content)
assert d['MimeType'] == 'image/gif'
def Analyzer():
# Creating tables
allFuncs = 0
tables = PrettyTable()
peStatistics = PrettyTable()
dllTable = PrettyTable()
resTable = PrettyTable()
statistics = PrettyTable()
# categorizing extracted strings
for win_api in allStrings:
for key in regdict:
if win_api[0] in regdict[key]:
if win_api[0] != "":
dictCateg[key].append(win_api)
allFuncs += 1
# printing categorized strings
import_indicator = 0
for key in dictCateg:
if dictCateg[key] != []:
# More important categories
if key == "Keyboard/Keylogging" or key == "Evasion/Bypassing" or key == "System/Persistence" or key == "Cryptography" or key == "Information Gathering":
print(
f"\n{yellow}[{red}!{yellow}]__WARNING__[{red}!{yellow}]{white}"
)
# Printing zone
tables.field_names = [
f"Functions or Strings about {green}{key}{white}", "Address"
]
for func in dictCateg[key]:
if func[0] == "":
pass
else:
tables.add_row(
[f"{red}{func[0]}{white}", f"{red}{func[1]}{white}"])
import_indicator += 1
# Logging for summary table
if key == "Registry":
scoreDict[key] += 1
elif key == "File":
scoreDict[key] += 1
elif key == "Networking/Web":
scoreDict[key] += 1
elif key == "Keyboard/Keylogging":
scoreDict[key] += 1
elif key == "Process":
scoreDict[key] += 1
elif key == "Memory Management":
scoreDict[key] += 1
elif key == "Dll/Resource Handling":
scoreDict[key] += 1
elif key == "Evasion/Bypassing":
scoreDict[key] += 1
elif key == "System/Persistence":
scoreDict[key] += 1
elif key == "COMObject":
scoreDict[key] += 1
elif key == "Cryptography":
scoreDict[key] += 1
elif key == "Information Gathering":
scoreDict[key] += 1
elif key == "Other/Unknown":
scoreDict[key] += 1
else:
pass
print(tables)
tables.clear_rows()
# If there is no function imported in target executable
if import_indicator == 0:
print(f"{errorS} There is no function/API imports found.")
print(
f"{magenta}>>{white} Try '{green}--packer{white}' or '{green}--lang{white}' to see additional info about target file.\n"
)
# gathering extracted dll files
try:
dllTable.field_names = [f"Linked {green}DLL{white} Files"]
for items in binaryfile.DIRECTORY_ENTRY_IMPORT:
dlStr = str(items.dll.decode())
dllTable.add_row([f"{red}{dlStr}{white}"])
print(dllTable)
except:
pass
# Yara rule match
print(f"\n{infoS} Performing YARA rule matching...")
WindowsYara(target_file=fileName)
# Resource scanner zone
print(f"\n{infoS} Performing magic number analysis...")
resCounter = 0
resTable.field_names = [
f"File Extensions", "Names", "Byte Matches", "Confidence"
]
resourceList = list(pr.magic_file(fileName))
for res in range(0, len(resourceList)):
extrExt = str(resourceList[res].extension)
extrNam = str(resourceList[res].name)
extrByt = str(resourceList[res].byte_match)
if resourceList[res].confidence >= 0.4:
resCounter += 1
if extrExt == '':
resTable.add_row([
f"{red}No Extension{white}", f"{red}{extrNam}{white}",
f"{red}{extrByt}{white}",
f"{red}{resourceList[res].confidence}{white}"
])
else:
resTable.add_row([
f"{red}{extrExt}{white}", f"{red}{extrNam}{white}",
f"{red}{extrByt}{white}",
f"{red}{resourceList[res].confidence}{white}"
])
if len(resourceList) != 0:
print(resTable)
# Assembly and pe structure analysis zone
print(
f"\n{infoS} Performing PE file structure and assembly code analysis...\n"
)
# Gathering information about sections
peStatistics.field_names = [
"Section Name", "Virtual Size", "Virtual Address", "Size Of Raw Data",
"Pointer to Raw Data", "Entropy"
]
pe = pf.PE(fileName)
# Parsing timedatestamp data
mydict = pe.dump_dict()
tempstr = mydict["FILE_HEADER"]["TimeDateStamp"]["Value"][11:].replace(
"[", "")
datestamp = tempstr.replace("]", "")
# Parsing sections
for sect in pe.sections:
if sect.get_entropy() >= 7:
peStatistics.add_row([
sect.Name.decode().rstrip('\x00'),
hex(sect.Misc_VirtualSize),
hex(sect.VirtualAddress),
hex(sect.SizeOfRawData),
hex(sect.PointerToRawData),
f"{red}{sect.get_entropy()}{white} (Possible obfuscation!!)"
])
else:
peStatistics.add_row([
sect.Name.decode().rstrip('\x00'),
hex(sect.Misc_VirtualSize),
hex(sect.VirtualAddress),
hex(sect.SizeOfRawData),
hex(sect.PointerToRawData),
sect.get_entropy()
])
print(f"{magenta}>>{white} Time Date Stamp: {green}{datestamp}{white}")
print(peStatistics)
# Statistics zone
print(f"\n{green}->{white} Statistics for: {green}{fileName}{white}")
# printing all function statistics
statistics.field_names = ["Categories", "Number of Functions or Strings"]
statistics.add_row(
[f"{green}All Functions{white}", f"{green}{allFuncs}{white}"])
for key in scoreDict:
if scoreDict[key] == 0:
pass
else:
if key == "Keyboard/Keylogging" or key == "Evasion/Bypassing" or key == "System/Persistence" or key == "Cryptography" or key == "Information Gathering":
statistics.add_row(
[f"{yellow}{key}{white}", f"{red}{scoreDict[key]}{white}"])
else:
statistics.add_row(
[f"{white}{key}", f"{scoreDict[key]}{white}"])
print(statistics)
# Warning about obfuscated file
if allFuncs < 20:
print(
f"\n{errorS} This file might be obfuscated or encrypted. Try {green}--packer{white} to scan this file for packers."
)
print(
f"{errorS} You can also use {green}--hashscan{white} to scan this file.\n"
)
sys.exit(0)
def test_magic_file(self):
"""File identification with magic_file |"""
self.assertEqual(puremagic.magic_file(TGA_FILE)[1][0][0], ".tga")
def puremagic_mimetype(url):
return puremagic.magic_file(url)[0].mime_type
