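def analyze(filename):
	"""Collect the static-analysis results for *filename* into one dict.

	Args:
		filename: path of the sample to inspect.

	Returns:
		dict with the generic file data (``version``, ``filename``,
		``filetype``, ``filesize``, ``hashes``, ``virustotal``, ``strings``),
		a ``peinfo`` dict (filled only for PE files), a ``docinfo`` entry
		(filled only for non-PE files via ``macro.get_result``), the
		``yara_plugins`` matches and the elapsed ``time`` as a string.

	Raises:
		SystemExit: via ``exit()`` when *filename* is not an existing file.
	"""
	if not isfile(filename):
		exit("File not found")

	dt_start = get_datetime_now()

	# Hash the file once: the "hashes" entry and the VirusTotal lookup both
	# need the result (the original hashed the file twice).
	hashes = gethash(filename)
	# The string-match signatures feed the strings scan and, for PE files,
	# the breakpoint/API-alert check; load them once as well.
	strings_cfg = load_config(path_to_file('stringsmatch.json', 'signatures'))
	vt_cfg = load_config(path_to_file('config-peframe.json', 'config'))['virustotal']

	fileinfo = {
		"version": version(),
		"filename": filename,
		"filetype": filetype(filename),
		"filesize": filesize(filename),
		"hashes": hashes,
		"virustotal": virustotal.get_result(vt_cfg, hashes['md5']),
		"strings": fileurl.get_result(filename, strings_cfg),
		# Both keys are always present; the matching branch below fills one.
		"docinfo": {},
		"peinfo": {},
	}

	if ispe(filename):
		pe = pefile.PE(filename)
		fileinfo["peinfo"] = {
			"imphash": pe.get_imphash(),
			# NOTE: utcfromtimestamp is deprecated since Python 3.12; kept
			# because a tz-aware replacement would need a new import.
			"timestamp": datetime.utcfromtimestamp(pe.FILE_HEADER.TimeDateStamp).strftime('%Y-%m-%d %H:%M:%S'),
			"dll": pe.FILE_HEADER.IMAGE_FILE_DLL,
			"imagebase": pe.OPTIONAL_HEADER.ImageBase,
			"entrypoint": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
			"behavior": yara_check.yara_match_from_file(path_to_file('antidebug_antivm.yar', 'signatures/yara_plugins/pe'), filename),
			"breakpoint": apialert.get_result(pe, strings_cfg['breakpoint']),
			"directories": directories.get(pe),
			"features": features.get_result(pe, filename),
			"sections": sections.get_result(pe),
			"metadata": meta.get(pe),
		}
		# antidebug_antivm.yar is already reported under "behavior", so it is
		# excluded from the folder scan.
		fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
			path_to_file('pe', 'signatures/yara_plugins'), filename, ['antidebug_antivm.yar'])
	else:
		fileinfo["docinfo"] = macro.get_result(filename)
		fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
			path_to_file('doc', 'signatures/yara_plugins'), filename)

	dt_end = get_datetime_now()
	fileinfo["time"] = str(dt_end - dt_start)

	return fileinfo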
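def analyze(filename):
	"""Collect the static-analysis results for *filename* into one dict.

	Args:
		filename: path of the sample to inspect.

	Returns:
		dict with the generic file data (``version``, ``filename``,
		``filetype``, ``filesize``, ``hashes``, ``virustotal``, ``strings``),
		a ``peinfo`` dict (filled only for PE files), a ``docinfo`` entry
		(filled only for non-PE files via ``macro.get_result``), the
		``yara_plugins`` matches and the elapsed ``time`` as a string.

	Raises:
		SystemExit: via ``exit()`` when *filename* is not an existing file.
	"""
	if not isfile(filename):
		exit("File not found")

	dt_start = get_datetime_now()

	# Hash the file once: the "hashes" entry and the VirusTotal lookup both
	# need the result (the original hashed the file twice).
	hashes = gethash(filename)
	# The string-match signatures feed the strings scan and, for PE files,
	# the breakpoint/API-alert check; load them once as well.
	strings_cfg = load_config(path_to_file('stringsmatch.json', 'signatures'))
	vt_cfg = load_config(path_to_file('config-peframe.json', 'config'))['virustotal']

	fileinfo = {
		"version": version(),
		"filename": filename,
		"filetype": filetype(filename),
		"filesize": filesize(filename),
		"hashes": hashes,
		"virustotal": virustotal.get_result(vt_cfg, hashes['md5']),
		"strings": fileurl.get_result(filename, strings_cfg),
		# Both keys are always present; the matching branch below fills one.
		"docinfo": {},
		"peinfo": {},
	}

	if ispe(filename):
		pe = pefile.PE(filename)
		fileinfo["peinfo"] = {
			"imphash": pe.get_imphash(),
			# NOTE: utcfromtimestamp is deprecated since Python 3.12; kept
			# because a tz-aware replacement would need a new import.
			"timestamp": datetime.utcfromtimestamp(pe.FILE_HEADER.TimeDateStamp).strftime('%Y-%m-%d %H:%M:%S'),
			"dll": pe.FILE_HEADER.IMAGE_FILE_DLL,
			"imagebase": pe.OPTIONAL_HEADER.ImageBase,
			"entrypoint": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
			"behavior": yara_check.yara_match_from_file(path_to_file('antidebug_antivm.yar', 'signatures/yara_plugins/pe'), filename),
			"breakpoint": apialert.get_result(pe, strings_cfg['breakpoint']),
			"directories": directories.get(pe),
			"features": features.get_result(pe, filename),
			"sections": sections.get_result(pe),
			"metadata": meta.get(pe),
		}
		# antidebug_antivm.yar is already reported under "behavior", so it is
		# excluded from the folder scan.
		fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
			path_to_file('pe', 'signatures/yara_plugins'), filename, ['antidebug_antivm.yar'])
	else:
		fileinfo["docinfo"] = macro.get_result(filename)
		fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
			path_to_file('doc', 'signatures/yara_plugins'), filename)

	dt_end = get_datetime_now()
	fileinfo["time"] = str(dt_end - dt_start)

	return fileinfo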
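def get_pe_fileinfo(pe, filename):
    """Build the JSON report for an already parsed PE file.

    Args:
        pe: parsed PE object (``pefile.PE``-style; ``FILE_HEADER`` is read
            here, the scanner modules read the rest).
        filename: path of the file *pe* was loaded from; handed to the hash,
            xor, anti-VM and string scanners.

    Returns:
        A JSON string (indent 4, ``(',', ': ')`` separators) holding the file
        hashes, file/URL/IP string findings, fuzzing and VirusTotal results
        and a ``pe_info`` object with header fields, the ``detected``
        summary list and the per-scanner details.

    Reads the module-level names ``ftype``, ``fname``, ``fsize``, ``userdb``,
    ``strings_match`` and ``help.VERSION``; they are presumably set by the
    caller before this runs — confirm against the module.
    """
    dll = pe.FILE_HEADER.IMAGE_FILE_DLL
    nsec = pe.FILE_HEADER.NumberOfSections

    # The header timestamp comes from an untrusted file and may lie outside
    # the platform's representable range; report the raw value instead of
    # aborting the whole report. Only the conversion errors are caught — the
    # original bare ``except`` also hid KeyboardInterrupt and real bugs.
    tstamp = pe.FILE_HEADER.TimeDateStamp
    try:
        # NOTE(review): this is a local-time conversion; compile times are
        # usually reported in UTC — confirm before changing the output.
        tsdate = datetime.datetime.fromtimestamp(tstamp)
    except (OverflowError, OSError, ValueError):
        tsdate = str(tstamp) + " [Invalid date]"

    md5, sha1, sha256, imphash = get_hash(filename)
    hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}

    dirlist = directories.get(pe)

    # Run each scanner once; the result feeds both the "detected" summary
    # and the detailed *_info fields (the original called apiantidbg and
    # apimutex a second time while building the report).
    packer = peid.get(pe, userdb)
    mutex = apimutex.get(pe, strings_match)
    antidbg = apiantidbg.get(pe, strings_match)
    xorcheck = xor.get(filename)
    antivirtualmachine = antivm.get(filename)

    detected = []
    # A "security" directory entry is treated as a digital signature.
    if "security" in dirlist:
        detected.append("sign")
    if packer:
        detected.append("packer")
    if mutex:
        detected.append("mutex")
    if antidbg:
        detected.append("antidbg")
    if xorcheck:
        detected.append("xor")
    if antivirtualmachine:
        detected.append("antivm")

    apialert_info = apialert.get(pe, strings_match)

    fileurl_info = fileurl.get(filename, strings_match)

    meta_info = meta.get(pe)
    import_function = funcimport.get(pe)
    export_function = funcexport.get(pe)
    sections_info = sections.get(pe)
    resources_info = resources.get(pe)
    sign_info = cert.get(pe)
    virustotal_info = virustotal.get(md5, strings_match)

    return json.dumps(
        {
            "peframe_ver": help.VERSION,
            "file_type": ftype,
            "file_name": fname,
            "file_size": fsize,
            "hash": hash_info,
            "file_found": fileurl_info["file"],
            "url_found": fileurl_info["url"],
            "ip_found": fileurl_info["ip"],
            "virustotal": virustotal_info,
            "fuzzing": fileurl_info["fuzzing"],
            "pe_info": {
                "import_hash": imphash,
                "compile_time": str(tsdate),
                "dll": dll,
                "sections_number": nsec,
                "xor_info": xorcheck,
                "detected": detected,
                "directories": dirlist,
                "sign_info": sign_info,
                "packer_info": packer,
                "antidbg_info": antidbg,
                "mutex_info": mutex,
                "antivm_info": antivirtualmachine,
                "apialert_info": apialert_info,
                "meta_info": meta_info,
                "import_function": import_function,
                "export_function": export_function,
                "sections_info": sections_info,
                "resources_info": resources_info
            }
        },
        indent=4,
        separators=(',', ': '))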
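def get_pe_fileinfo(pe, filename):
	"""Build the JSON report for an already parsed PE file.

	Args:
		pe: parsed PE object (``pefile.PE``-style; ``FILE_HEADER`` is read
			here, the scanner modules read the rest).
		filename: path of the file *pe* was loaded from; handed to the hash,
			xor, anti-VM and string scanners.

	Returns:
		A JSON string (indent 4, ``(',', ': ')`` separators) holding the file
		hashes, file/URL/IP string findings, fuzzing and VirusTotal results
		and a ``pe_info`` object with header fields, the ``detected``
		summary list and the per-scanner details.

	Reads the module-level names ``ftype``, ``fname``, ``fsize``, ``userdb``,
	``strings_match`` and ``help.VERSION``; they are presumably set by the
	caller before this runs — confirm against the module.
	"""
	dll = pe.FILE_HEADER.IMAGE_FILE_DLL
	nsec = pe.FILE_HEADER.NumberOfSections

	# The header timestamp comes from an untrusted file and may lie outside
	# the platform's representable range; report the raw value instead of
	# aborting the whole report. Only the conversion errors are caught — the
	# original bare ``except`` also hid KeyboardInterrupt and real bugs.
	tstamp = pe.FILE_HEADER.TimeDateStamp
	try:
		# NOTE(review): this is a local-time conversion; compile times are
		# usually reported in UTC — confirm before changing the output.
		tsdate = datetime.datetime.fromtimestamp(tstamp)
	except (OverflowError, OSError, ValueError):
		tsdate = str(tstamp) + " [Invalid date]"

	md5, sha1, sha256, imphash = get_hash(filename)
	hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}

	dirlist = directories.get(pe)

	# Run each scanner once; the result feeds both the "detected" summary
	# and the detailed *_info fields (the original called apiantidbg and
	# apimutex a second time while building the report).
	packer = peid.get(pe, userdb)
	mutex = apimutex.get(pe, strings_match)
	antidbg = apiantidbg.get(pe, strings_match)
	xorcheck = xor.get(filename)
	antivirtualmachine = antivm.get(filename)

	detected = []
	# A "security" directory entry is treated as a digital signature.
	if "security" in dirlist:
		detected.append("sign")
	if packer:
		detected.append("packer")
	if mutex:
		detected.append("mutex")
	if antidbg:
		detected.append("antidbg")
	if xorcheck:
		detected.append("xor")
	if antivirtualmachine:
		detected.append("antivm")

	apialert_info = apialert.get(pe, strings_match)

	fileurl_info = fileurl.get(filename, strings_match)

	meta_info = meta.get(pe)
	import_function = funcimport.get(pe)
	export_function = funcexport.get(pe)
	sections_info = sections.get(pe)
	resources_info = resources.get(pe)
	sign_info = cert.get(pe)
	virustotal_info = virustotal.get(md5, strings_match)

	return json.dumps({"peframe_ver": help.VERSION,
						"file_type": ftype,
						"file_name": fname,
						"file_size": fsize,
						"hash": hash_info,
						"file_found": fileurl_info["file"],
						"url_found": fileurl_info["url"],
						"ip_found": fileurl_info["ip"],
						"virustotal": virustotal_info,
						"fuzzing": fileurl_info["fuzzing"],
						"pe_info": {
							"import_hash": imphash,
							"compile_time": str(tsdate),
							"dll": dll,
							"sections_number": nsec,
							"xor_info": xorcheck,
							"detected": detected,
							"directories": dirlist,
							"sign_info": sign_info,
							"packer_info": packer,
							"antidbg_info": antidbg,
							"mutex_info": mutex,
							"antivm_info": antivirtualmachine,
							"apialert_info": apialert_info,
							"meta_info": meta_info,
							"import_function": import_function,
							"export_function": export_function,
							"sections_info": sections_info,
							"resources_info": resources_info
							}
						},
						indent=4, separators=(',', ': '))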
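def analyze(filename):
    """Collect the static-analysis results for *filename* into a flat dict.

    Args:
        filename: path of the sample to inspect.

    Returns:
        dict with ``version``, ``filename``, ``filetype``, ``filesize``,
        ``md5``/``sha1``/``sha256``, then — for PE files — the header
        fields, feature flags, section/string/directory summaries and
        ``yara_plugins`` matches, or — for other files — ``docinfo`` and the
        document YARA matches; ``time`` holds the elapsed time as a string.
        No VirusTotal lookup is performed here.

    Raises:
        SystemExit: via ``exit()`` when *filename* is not an existing file.
    """
    if not isfile(filename):
        exit("File not found")

    dt_start = get_datetime_now()

    hashes = gethash(filename)
    fileinfo = {
        "version": version(),
        "filename": filename,
        "filetype": filetype(filename),
        "filesize": filesize(filename),
        "md5": hashes["md5"],
        "sha1": hashes["sha1"],
        "sha256": hashes["sha256"],
    }

    function_size_list = nucleus.analysis(filename)

    if ispe(filename):
        pe = pefile.PE(filename)
        # Loaded once: used by the breakpoint check and the strings scan
        # (the original loaded the same JSON twice).
        strings_cfg = load_config(path_to_file('stringsmatch.json', 'signatures'))

        fileinfo.update({
            "imphash": pe.get_imphash(),
            # NOTE: utcfromtimestamp is deprecated since Python 3.12; kept
            # because a tz-aware replacement would need a new import.
            "timestamp": datetime.utcfromtimestamp(
                pe.FILE_HEADER.TimeDateStamp).strftime('%Y-%m-%d %H:%M:%S'),
            "dll": pe.FILE_HEADER.IMAGE_FILE_DLL,
            "imagebase": pe.OPTIONAL_HEADER.ImageBase,
            "entrypoint": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
            "behavior": yara_check.yara_match_from_file(
                path_to_file('antidebug_antivm.yar',
                             'signatures/yara_plugins/pe'), filename),
            "breakpoint": apialert.get_result(pe, strings_cfg['breakpoint']),
            "metadata": meta.get(pe),
            "function_size": function_size_list,
        })

        # Header dicts are merged flat into the result.
        fileinfo.update(headers.get_dos_header(pe))
        fileinfo.update(headers.get_file_header(pe))
        fileinfo.update(headers.get_optional_header(pe))
        fileinfo.update(features.get_result(pe, filename))

        sections_dict = sections.get_result(pe)
        fileinfo.update({
            "section_count": sections_dict["count"],
            "section_details": sections_dict["details"],
        })

        strings_dict = fileurl.get_result(filename, strings_cfg)
        fileinfo.update({
            "string_file": strings_dict["file"],
            "string_url": strings_dict["url"],
            "string_ip": strings_dict["ip"],
            "string_fuzzing": strings_dict["fuzzing"],
            "string_dump": strings_dict["dump"],
            "string_count": strings_dict["string_count"],
        })

        directories_dict = directories.get(pe)
        export_df = pd.DataFrame(directories_dict["export"])
        if not export_df.empty:
            def _decode_name(value):
                # Export names are raw bytes from an untrusted file and need
                # not be valid UTF-8; escape undecodable bytes rather than
                # letting one malformed export table abort the analysis.
                # Non-bytes values (already-str, missing/NaN) pass through.
                if isinstance(value, (bytes, bytearray)):
                    return value.decode("utf-8", errors="backslashreplace")
                return value

            export_df["function"] = export_df["function"].apply(_decode_name)

        fileinfo.update({
            "import": directories_dict["import"],
            "export": export_df.to_dict('records'),
            "debug": directories_dict["debug"],
            "tls": directories_dict["tls"],
            "resources": directories_dict["resources"],
            "relocations": directories_dict["relocations"],
            "sign": directories_dict["sign"],
        })

        # antidebug_antivm.yar is already reported under "behavior", so it
        # is excluded from the folder scan.
        fileinfo.update({
            "yara_plugins": yara_check.yara_match_from_folder(
                path_to_file('pe', 'signatures/yara_plugins'), filename,
                ['antidebug_antivm.yar']),
        })
    else:
        fileinfo.update({"docinfo": macro.get_result(filename)})
        fileinfo.update({
            "yara_plugins": yara_check.yara_match_from_folder(
                path_to_file('doc', 'signatures/yara_plugins'), filename),
        })

    dt_end = get_datetime_now()
    fileinfo.update({"time": str(dt_end - dt_start)})

    # e_res / e_res2 (DOS-header reserved fields, presumably merged in by
    # headers.get_dos_header) only exist on the PE path; the original
    # ``del`` raised KeyError for every non-PE file, so drop them only if
    # present.
    fileinfo.pop("e_res", None)
    fileinfo.pop("e_res2", None)
    return fileinfo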