Ejemplo n.º 1
 def run(self, objfile):
     """Collect file metadata for the "Info" report section of a sample.

     Sets self.key to "Info" and self.score to -1 (unscored); the score is
     raised to 10 only when the packer heuristic fires.  Builds returnValue
     with an "analyse" entry (run metadata) and, for PE / MS-DOS samples,
     a second dict of PE-derived fields.

     Args:
         objfile: sample wrapper exposing file_extension(), get_type() and
             file_data (raw bytes handed to pefile).

     The listing as shown ends inside the PE branch; the final assembly and
     return of returnValue are not visible here.
     """
     self.key = "Info"
     self.score = -1
     isProbablyPacked = False
     returnValue = {}
     
     # Run metadata: tool version plus the task start time recorded by the scheduler.
     infos = {}
     infos["ragpicker_version"] = RAGPICKER_VERSION
     infos["started"] = self.task["started_on"]                       
     returnValue["analyse"] = infos 
     
     # Fresh dict so per-file fields stay separate from the run metadata above.
     infos = {}
     infos["extension"] = objfile.file_extension()    
     
     # get_type() is the sample's own type detection; the pefile parse below is the real check.
     if objfile.get_type() == 'PE32' or objfile.get_type() == 'MS-DOS':
         try:
             # Parse the in-memory bytes (no path); a malformed header raises PEFormatError.
             pe = PE(data=objfile.file_data)
             
             # Heuristic indicator only -- a True here is a hint of packing, not proof.
             isProbablyPacked = is_probably_packed(pe)
             
             infos["DLL"] = pe.is_dll()
             infos["EXE"] = pe.is_exe()
             infos["DRIVER"] = pe.is_driver()
             infos["isProbablyPacked"] = isProbablyPacked
             
             # NOTE(review): this records only whether getDigitalSignature() is truthy; whether
             # the signature is actually validated (chain, hash) depends on that helper -- confirm
             # before treating "SignedFile" as evidence of a trustworthy binary.
             if self.getDigitalSignature(pe):
                 infos["digitalSignature"] = "SignedFile"
             else:
                 infos["digitalSignature"] = "UnsignedFile"
                 
             # Packing is the only score driver in this section.
             if isProbablyPacked:
                 self.score = 10
         # Python 2 except syntax.  The error is logged and swallowed: infos keeps only the
         # fields set before the failure (here just "extension").
         except PEFormatError, e:
             log.warn("Error - No Portable Executable: %s" % e)         
Ejemplo n.º 2
 def run(self, objfile):
     """Collect file metadata for the "Info" report section of a sample.

     Sets self.key to "Info" and self.score to -1 (unscored); the score is
     raised to 10 only when the packer heuristic fires.  Builds returnValue
     with an "analyse" entry (uuid, tool version, start time) and, for PE32,
     PE32+ and MS-DOS samples, a second dict of PE-derived fields including
     architecture, machine type, subsystem, imphash and pehash.

     Args:
         objfile: task object whose .file exposes get_uuid(),
             file_extension(), get_type() and file_data (raw bytes).

     The listing as shown ends inside the PE branch; the final assembly and
     return of returnValue are not visible here.
     """
     self.key = "Info"
     self.score = -1
     isProbablyPacked = False
     returnValue = {}
     
     # Run metadata: sample uuid, tool version and the task start time from the scheduler.
     infos = {}
     infos["uuid"] = objfile.get_uuid()
     infos["ragpicker_version"] = RAGPICKER_VERSION
     infos["started"] = self.task["started_on"]                       
     returnValue["analyse"] = infos 
     
     # Fresh dict so per-file fields stay separate from the run metadata above.
     infos = {}
     infos["extension"] = objfile.file.file_extension()    
     
     # get_type() is the sample's own type detection; the pefile parse below is the real check.
     if objfile.file.get_type() == 'PE32' or objfile.file.get_type() == 'PE32+' or objfile.file.get_type() == 'MS-DOS':
         try:
             # Parse the in-memory bytes (no path); a malformed header raises PEFormatError.
             pe = PE(data=objfile.file.file_data)
             
             # Heuristic indicator only -- a True here is a hint of packing, not proof.
             isProbablyPacked = is_probably_packed(pe)
             
             # Optional-header magic decides bitness; any other magic leaves "Architecture" unset.
             if pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE:
                 infos["Architecture"] = "32-Bit"
             elif pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS:
                 infos["Architecture"] = "64-Bit"                
             
             infos["CPU"] = self.getMaschineType(pe) 
             infos["Subsystem"] = self.getSubsystem(pe) 
             infos["DLL"] = pe.is_dll()
             infos["EXE"] = pe.is_exe()
             infos["DRIVER"] = pe.is_driver()
             infos["isProbablyPacked"] = isProbablyPacked
             
             # imphash -> Tracking Malware with Import Hashing (https://www.mandiant.com/blog/tracking-malware-import-hashing)
             # Hash of the import table; useful for clustering related samples, but easily
             # altered by packing or rebuilt imports, so treat it as a pivot, not an identity.
             infos["imphash"] = pe.get_imphash()
             # https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski.pdf
             # Structural hash computed by the project's own getPeHash helper (not visible here).
             infos["pehash"] = self.getPeHash(pe)
                             
             # NOTE(review): this records only whether getDigitalSignature() is truthy; whether
             # the signature is actually validated (chain, hash) depends on that helper -- confirm
             # before treating "SignedFile" as evidence of a trustworthy binary.
             if self.getDigitalSignature(pe):
                 infos["digitalSignature"] = "SignedFile"
             else:
                 infos["digitalSignature"] = "UnsignedFile"
                 
             # Packing is the only score driver in this section.
             if isProbablyPacked:
                 self.score = 10
         # Python 2 except syntax.  The error is logged and swallowed: infos keeps only the
         # fields set before the failure (here just "extension").
         except PEFormatError, e:
             log.warn("Error - No Portable Executable: %s" % e)