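def analyze(filename):
    """Collect static-analysis metadata for *filename* into a dict.

    The file is hashed, typed and string-scanned for every input; PE files
    additionally get header fields, directory/section/feature summaries and
    the PE YARA plugin matches, while other files get macro info and the
    document YARA plugin matches.  The result is a plain dict suitable for
    JSON serialisation.

    Args:
        filename: path to the file to analyse.

    Returns:
        dict with the keys version, filename, filetype, filesize, hashes,
        virustotal, strings, docinfo, peinfo, yara_plugins and time (the
        key order is preserved for consumers that serialise it as-is).

    Raises:
        SystemExit: when *filename* does not exist (same effect as the
            original ``exit()`` call, but without depending on the
            site-injected builtin).
        pefile.PEFormatError (presumably): ``pefile.PE`` is not guarded
            here, so a malformed file that still passes ``ispe`` propagates
            its parse error to the caller.
    """
    if not isfile(filename):
        raise SystemExit("File not found")
    dt_start = get_datetime_now()

    # Hash once and reuse: the original hashed the file twice (once for the
    # "hashes" entry, once for the VirusTotal md5 lookup).
    hashes = gethash(filename)
    # Loaded once here instead of separately for "strings" and "breakpoint".
    stringsmatch = load_config(path_to_file('stringsmatch.json', 'signatures'))
    vt_config = load_config(path_to_file('config-peframe.json', 'config'))['virustotal']

    fileinfo = {
        "version": version(),
        "filename": filename,
        "filetype": filetype(filename),
        "filesize": filesize(filename),
        "hashes": hashes,
        "virustotal": virustotal.get_result(vt_config, hashes['md5']),
        "strings": fileurl.get_result(filename, stringsmatch),
        # Placeholders so both keys are always present; exactly one of them
        # is filled in below depending on the file type.
        "docinfo": {},
        "peinfo": {},
    }

    if ispe(filename):
        pe = pefile.PE(filename)
        # TimeDateStamp is an untrusted 32-bit field; guard the conversion so
        # an out-of-range value reports "[Invalid date]" instead of aborting
        # the whole analysis.
        ts = pe.FILE_HEADER.TimeDateStamp
        try:
            compile_time = datetime.utcfromtimestamp(ts).strftime('%Y-%m-%d %H:%M:%S')
        except (OverflowError, OSError, ValueError):
            compile_time = f"{ts} [Invalid date]"
        fileinfo["peinfo"] = {
            "imphash": pe.get_imphash(),
            "timestamp": compile_time,
            "dll": pe.FILE_HEADER.IMAGE_FILE_DLL,
            "imagebase": pe.OPTIONAL_HEADER.ImageBase,
            "entrypoint": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
            "behavior": yara_check.yara_match_from_file(
                path_to_file('antidebug_antivm.yar', 'signatures/yara_plugins/pe'),
                filename),
            "breakpoint": apialert.get_result(pe, stringsmatch['breakpoint']),
            "directories": directories.get(pe),
            "features": features.get_result(pe, filename),
            "sections": sections.get_result(pe),
            "metadata": meta.get(pe),
        }
        # The anti-debug/anti-VM rules already ran above as "behavior", so
        # they are excluded from the folder scan to avoid duplicate matches.
        fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
            path_to_file('pe', 'signatures/yara_plugins'),
            filename,
            ['antidebug_antivm.yar'])
    else:
        fileinfo["docinfo"] = macro.get_result(filename)
        fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
            path_to_file('doc', 'signatures/yara_plugins'),
            filename)

    dt_end = get_datetime_now()
    fileinfo["time"] = str(dt_end - dt_start)
    return fileinfo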
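def get_pe_fileinfo(pe, filename):
    """Build the JSON report for an already-parsed PE file.

    Args:
        pe: a parsed ``pefile.PE`` object for *filename*.
        filename: path of the file *pe* was loaded from (used for hashing
            and the file-based checks).

    Returns:
        A JSON string (indent=4) with the hashes, string/url/ip findings,
        VirusTotal result and a ``pe_info`` sub-object describing headers,
        directories, sections, resources and the heuristics that fired.

    NOTE(review): ``ftype``, ``fname``, ``fsize``, ``userdb`` and
    ``strings_match`` are not defined in this function; they appear to be
    module-level globals populated by the caller — confirm before reuse.
    """
    # is dll?
    dll = pe.FILE_HEADER.IMAGE_FILE_DLL
    # num sections
    nsec = pe.FILE_HEADER.NumberOfSections

    # Compile timestamp.  The field is attacker-controlled, so only the
    # conversion errors are caught (the original bare ``except`` also hid
    # unrelated failures).  ``fromtimestamp`` without a tz yields *local*
    # time; kept as-is to preserve the existing output format.
    tstamp = pe.FILE_HEADER.TimeDateStamp
    try:
        tsdate = datetime.datetime.fromtimestamp(tstamp)
    except (OverflowError, OSError, ValueError):
        tsdate = str(tstamp) + " [Invalid date]"

    # get md5, sha1, sha256, imphash
    md5, sha1, sha256, imphash = get_hash(filename)
    hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}

    # Names of the heuristics that fired, in evaluation order.
    detected = []

    # directory list; a "security" directory means a digital signature
    # is present (tagged once, even if the entry is repeated).
    dirlist = directories.get(pe)
    if "security" in dirlist:
        detected.append("sign")

    # packer (peid)
    packer = peid.get(pe, userdb)
    if packer:
        detected.append("packer")

    # mutex — computed once and reused in the report below (the original
    # called apimutex.get / apiantidbg.get a second time for the output).
    mutex = apimutex.get(pe, strings_match)
    if mutex:
        detected.append("mutex")

    # anti debug
    antidbg = apiantidbg.get(pe, strings_match)
    if antidbg:
        detected.append("antidbg")

    # Xor
    xorcheck = xor.get(filename)
    if xorcheck:
        detected.append("xor")

    # anti virtual machine
    antivirtualmachine = antivm.get(filename)
    if antivirtualmachine:
        detected.append("antivm")

    # api alert suspicious
    apialert_info = apialert.get(pe, strings_match)

    # file and url
    fileurl_info = fileurl.get(filename, strings_match)

    # virustotal (looked up by md5)
    virustotal_info = virustotal.get(md5, strings_match)

    # Return as JSON.
    report = {
        "peframe_ver": help.VERSION,
        "file_type": ftype,
        "file_name": fname,
        "file_size": fsize,
        "hash": hash_info,
        "file_found": fileurl_info["file"],
        "url_found": fileurl_info["url"],
        "ip_found": fileurl_info["ip"],
        "virustotal": virustotal_info,
        "fuzzing": fileurl_info["fuzzing"],
        "pe_info": {
            "import_hash": imphash,
            "compile_time": str(tsdate),
            "dll": dll,
            "sections_number": nsec,
            "xor_info": xorcheck,
            "detected": detected,
            "directories": dirlist,
            "sign_info": cert.get(pe),
            "packer_info": packer,
            "antidbg_info": antidbg,
            "mutex_info": mutex,
            "antivm_info": antivirtualmachine,
            "apialert_info": apialert_info,
            "meta_info": meta.get(pe),
            "import_function": funcimport.get(pe),
            "export_function": funcexport.get(pe),
            "sections_info": sections.get(pe),
            "resources_info": resources.get(pe),
        },
    }
    return json.dumps(report, indent=4, separators=(',', ': '))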
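def get_pe_fileinfo(pe, filename):
    """Build the JSON report for an already-parsed PE file.

    Args:
        pe: a parsed ``pefile.PE`` object for *filename*.
        filename: path of the file *pe* was loaded from (used for hashing
            and the file-based checks).

    Returns:
        A JSON string (indent=4) with the hashes, string/url/ip findings,
        VirusTotal result and a ``pe_info`` sub-object describing headers,
        directories, sections, resources and the heuristics that fired.

    NOTE(review): ``ftype``, ``fname``, ``fsize``, ``userdb`` and
    ``strings_match`` are not defined in this function; they appear to be
    module-level globals populated by the caller — confirm before reuse.
    """
    # is dll?
    dll = pe.FILE_HEADER.IMAGE_FILE_DLL
    # num sections
    nsec = pe.FILE_HEADER.NumberOfSections

    # Compile timestamp.  The field is attacker-controlled, so only the
    # conversion errors are caught (the original bare ``except`` also hid
    # unrelated failures).  ``fromtimestamp`` without a tz yields *local*
    # time; kept as-is to preserve the existing output format.
    tstamp = pe.FILE_HEADER.TimeDateStamp
    try:
        tsdate = datetime.datetime.fromtimestamp(tstamp)
    except (OverflowError, OSError, ValueError):
        tsdate = str(tstamp) + " [Invalid date]"

    # get md5, sha1, sha256, imphash
    md5, sha1, sha256, imphash = get_hash(filename)
    hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}

    # Names of the heuristics that fired, in evaluation order.
    detected = []

    # directory list; a "security" directory means a digital signature
    # is present (tagged once, even if the entry is repeated).
    dirlist = directories.get(pe)
    if "security" in dirlist:
        detected.append("sign")

    # packer (peid)
    packer = peid.get(pe, userdb)
    if packer:
        detected.append("packer")

    # mutex — computed once and reused in the report below (the original
    # called apimutex.get / apiantidbg.get a second time for the output).
    mutex = apimutex.get(pe, strings_match)
    if mutex:
        detected.append("mutex")

    # anti debug
    antidbg = apiantidbg.get(pe, strings_match)
    if antidbg:
        detected.append("antidbg")

    # Xor
    xorcheck = xor.get(filename)
    if xorcheck:
        detected.append("xor")

    # anti virtual machine
    antivirtualmachine = antivm.get(filename)
    if antivirtualmachine:
        detected.append("antivm")

    # api alert suspicious
    apialert_info = apialert.get(pe, strings_match)

    # file and url
    fileurl_info = fileurl.get(filename, strings_match)

    # virustotal (looked up by md5)
    virustotal_info = virustotal.get(md5, strings_match)

    report = {
        "peframe_ver": help.VERSION,
        "file_type": ftype,
        "file_name": fname,
        "file_size": fsize,
        "hash": hash_info,
        "file_found": fileurl_info["file"],
        "url_found": fileurl_info["url"],
        "ip_found": fileurl_info["ip"],
        "virustotal": virustotal_info,
        "fuzzing": fileurl_info["fuzzing"],
        "pe_info": {
            "import_hash": imphash,
            "compile_time": str(tsdate),
            "dll": dll,
            "sections_number": nsec,
            "xor_info": xorcheck,
            "detected": detected,
            "directories": dirlist,
            "sign_info": cert.get(pe),
            "packer_info": packer,
            "antidbg_info": antidbg,
            "mutex_info": mutex,
            "antivm_info": antivirtualmachine,
            "apialert_info": apialert_info,
            "meta_info": meta.get(pe),
            "import_function": funcimport.get(pe),
            "export_function": funcexport.get(pe),
            "sections_info": sections.get(pe),
            "resources_info": resources.get(pe),
        },
    }
    return json.dumps(report, indent=4, separators=(',', ': '))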
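def analyze(filename):
    """Collect static-analysis metadata for *filename* into a flat dict.

    Every input gets version/type/size and the md5/sha1/sha256 digests.
    PE files additionally get header fields, features, sections, string
    findings, data-directory summaries, the function-size list and the PE
    YARA plugin matches; other files get macro info and the document YARA
    plugin matches.

    Args:
        filename: path to the file to analyse.

    Returns:
        dict keyed by flat field names (e.g. ``md5``, ``imphash``,
        ``section_count``, ``yara_plugins``, ``time``).  The DOS-header
        reserved fields ``e_res``/``e_res2`` are removed before returning.

    Raises:
        SystemExit: when *filename* does not exist (same effect as the
            original ``exit()`` call, but without depending on the
            site-injected builtin).
        pefile.PEFormatError (presumably): ``pefile.PE`` is not guarded
            here, so a malformed file that still passes ``ispe`` propagates
            its parse error to the caller.
    """
    if not isfile(filename):
        raise SystemExit("File not found")
    dt_start = get_datetime_now()

    hashes = gethash(filename)
    # The VirusTotal lookup that earlier versions performed here is
    # intentionally omitted (it was disabled upstream).
    fileinfo = {
        "version": version(),
        "filename": filename,
        "filetype": filetype(filename),
        "filesize": filesize(filename),
        "md5": hashes["md5"],
        "sha1": hashes["sha1"],
        "sha256": hashes["sha256"],
    }

    # Kept unconditional to preserve the original call order; the result
    # is only reported for PE files.
    function_size_list = nucleus.analysis(filename)

    if ispe(filename):
        pe = pefile.PE(filename)
        # Loaded once for both the "breakpoint" and string checks (the
        # original parsed the same signature file twice).
        stringsmatch = load_config(path_to_file('stringsmatch.json', 'signatures'))

        # TimeDateStamp is an untrusted 32-bit field; guard the conversion so
        # an out-of-range value reports "[Invalid date]" instead of aborting
        # the whole analysis.
        ts = pe.FILE_HEADER.TimeDateStamp
        try:
            compile_time = datetime.utcfromtimestamp(ts).strftime('%Y-%m-%d %H:%M:%S')
        except (OverflowError, OSError, ValueError):
            compile_time = f"{ts} [Invalid date]"

        fileinfo.update({
            "imphash": pe.get_imphash(),
            "timestamp": compile_time,
            "dll": pe.FILE_HEADER.IMAGE_FILE_DLL,
            "imagebase": pe.OPTIONAL_HEADER.ImageBase,
            "entrypoint": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
            "behavior": yara_check.yara_match_from_file(
                path_to_file('antidebug_antivm.yar', 'signatures/yara_plugins/pe'),
                filename),
            "breakpoint": apialert.get_result(pe, stringsmatch['breakpoint']),
            "metadata": meta.get(pe),
            "function_size": function_size_list,
        })
        # Header dicts are merged flat into the result; later keys win.
        fileinfo.update(headers.get_dos_header(pe))
        fileinfo.update(headers.get_file_header(pe))
        fileinfo.update(headers.get_optional_header(pe))
        fileinfo.update(features.get_result(pe, filename))

        sections_dict = sections.get_result(pe)
        fileinfo.update({
            "section_count": sections_dict["count"],
            "section_details": sections_dict["details"],
        })

        strings_dict = fileurl.get_result(filename, stringsmatch)
        fileinfo.update({
            "string_file": strings_dict["file"],
            "string_url": strings_dict["url"],
            "string_ip": strings_dict["ip"],
            "string_fuzzing": strings_dict["fuzzing"],
            "string_dump": strings_dict["dump"],
            "string_count": strings_dict["string_count"],
        })

        directories_dict = directories.get(pe)
        export_df = pd.DataFrame(directories_dict["export"])
        if not export_df.empty:
            # Export names come straight from the binary: decode bytes with
            # replacement so a non-UTF-8 name cannot abort the analysis, and
            # pass through anything that is not bytes (e.g. already-str or
            # missing values) unchanged.
            export_df["function"] = export_df["function"].apply(
                lambda x: x.decode("utf-8", errors="replace")
                if isinstance(x, (bytes, bytearray)) else x)
        fileinfo.update({
            "import": directories_dict["import"],
            "export": export_df.to_dict('records'),
            "debug": directories_dict["debug"],
            "tls": directories_dict["tls"],
            "resources": directories_dict["resources"],
            "relocations": directories_dict["relocations"],
            "sign": directories_dict["sign"],
        })
        # The anti-debug/anti-VM rules already ran above as "behavior", so
        # they are excluded from the folder scan to avoid duplicate matches.
        fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
            path_to_file('pe', 'signatures/yara_plugins'),
            filename,
            ['antidebug_antivm.yar'])
    else:
        fileinfo["docinfo"] = macro.get_result(filename)
        fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
            path_to_file('doc', 'signatures/yara_plugins'),
            filename)

    dt_end = get_datetime_now()
    fileinfo["time"] = str(dt_end - dt_start)

    # Drop the reserved DOS-header fields (presumably added by
    # headers.get_dos_header).  They only exist on the PE path, so the
    # original unconditional ``del`` raised KeyError for every non-PE file.
    fileinfo.pop("e_res", None)
    fileinfo.pop("e_res2", None)
    return fileinfo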