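def analyze(filename):
    """Build the static-analysis report for *filename*.

    Args:
        filename: Path of the sample to inspect.

    Returns:
        A dict holding the generic file facts (``version``, ``filename``,
        ``filetype``, ``filesize``, ``hashes``, ``virustotal``, ``strings``),
        a ``peinfo`` sub-dict that is populated only for PE files, a
        ``docinfo`` sub-dict that is populated only for non-PE files, the
        ``yara_plugins`` matches and the elapsed wall time under ``time``.

    Raises:
        SystemExit: if *filename* does not name an existing file.
    """
    from datetime import timezone

    if not isfile(filename):
        # Raise SystemExit directly: the exit() builtin is injected by the
        # site module and is not available in every interpreter setup.
        raise SystemExit("File not found")

    dt_start = get_datetime_now()

    # Hash the sample once; both the report and the VirusTotal lookup use it.
    hashes = gethash(filename)
    # The string-match signatures serve the generic strings pass and the PE
    # breakpoint check alike; load them once.
    strings_config = load_config(path_to_file('stringsmatch.json', 'signatures'))
    vt_config = load_config(path_to_file('config-peframe.json', 'config'))['virustotal']

    fileinfo = {
        "version": version(),
        "filename": filename,
        "filetype": filetype(filename),
        "filesize": filesize(filename),
        "hashes": hashes,
        "virustotal": virustotal.get_result(vt_config, hashes['md5']),
        "strings": fileurl.get_result(filename, strings_config),
        "docinfo": {},
        "peinfo": {},
    }

    if ispe(filename):
        pe = pefile.PE(filename)
        try:
            # TimeDateStamp is taken verbatim from the sample's header; a value
            # outside the platform's representable range must not abort the
            # whole analysis.
            try:
                timestamp = datetime.fromtimestamp(
                    pe.FILE_HEADER.TimeDateStamp, tz=timezone.utc
                ).strftime('%Y-%m-%d %H:%M:%S')
            except (OverflowError, OSError, ValueError):
                timestamp = None

            fileinfo["peinfo"] = {
                "imphash": pe.get_imphash(),
                "timestamp": timestamp,
                "dll": pe.FILE_HEADER.IMAGE_FILE_DLL,
                "imagebase": pe.OPTIONAL_HEADER.ImageBase,
                "entrypoint": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
                "behavior": yara_check.yara_match_from_file(
                    path_to_file('antidebug_antivm.yar', 'signatures/yara_plugins/pe'),
                    filename),
                "breakpoint": apialert.get_result(pe, strings_config['breakpoint']),
                "directories": directories.get(pe),
                "features": features.get_result(pe, filename),
                "sections": sections.get_result(pe),
                "metadata": meta.get(pe),
            }
            # The anti-debug/anti-VM rules were already applied above under
            # "behavior"; exclude them from the generic plugin sweep.
            fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
                path_to_file('pe', 'signatures/yara_plugins'), filename,
                ['antidebug_antivm.yar'])
        finally:
            # pefile keeps the sample mapped until close(); release it even
            # when one of the plugins raises.
            pe.close()
    else:
        fileinfo["docinfo"] = macro.get_result(filename)
        fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
            path_to_file('doc', 'signatures/yara_plugins'), filename)

    dt_end = get_datetime_now()
    fileinfo["time"] = str(dt_end - dt_start)
    return fileinfo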
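def _decode_export_name(value):
    """Return *value* as ``str``; export names arrive from pefile as bytes.

    Undecodable sequences are replaced instead of raised on, so a malformed
    export table cannot abort the report. Non-bytes values pass through.
    """
    if isinstance(value, (bytes, bytearray)):
        return value.decode("utf-8", errors="replace")
    return value


def _pe_report(filename):
    """Return the PE-specific fields of the report for *filename* as a dict.

    Opens the file with pefile, collects header, section, string, directory
    and YARA results, and always releases the pefile mapping before returning.
    """
    from datetime import timezone

    # Needed for the breakpoint check and the strings pass; load it once.
    strings_config = load_config(path_to_file('stringsmatch.json', 'signatures'))
    report = {}
    pe = pefile.PE(filename)
    try:
        # TimeDateStamp is taken verbatim from the sample's header; a value
        # outside the platform's representable range must not abort the
        # whole analysis.
        try:
            timestamp = datetime.fromtimestamp(
                pe.FILE_HEADER.TimeDateStamp, tz=timezone.utc
            ).strftime('%Y-%m-%d %H:%M:%S')
        except (OverflowError, OSError, ValueError):
            timestamp = None

        report.update({
            "imphash": pe.get_imphash(),
            "timestamp": timestamp,
            "dll": pe.FILE_HEADER.IMAGE_FILE_DLL,
            "imagebase": pe.OPTIONAL_HEADER.ImageBase,
            "entrypoint": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
            "behavior": yara_check.yara_match_from_file(
                path_to_file('antidebug_antivm.yar', 'signatures/yara_plugins/pe'),
                filename),
            "breakpoint": apialert.get_result(pe, strings_config['breakpoint']),
            "metadata": meta.get(pe),
            # Function-size analysis is only reported for PE files, so it is
            # only run for them.
            "function_size": nucleus.analysis(filename),
        })

        report.update(headers.get_dos_header(pe))
        # e_res / e_res2 are the reserved DOS header words and are not part of
        # the report; pop() tolerates a header dict that lacks them.
        report.pop("e_res", None)
        report.pop("e_res2", None)
        report.update(headers.get_file_header(pe))
        report.update(headers.get_optional_header(pe))
        report.update(features.get_result(pe, filename))

        sections_dict = sections.get_result(pe)
        report.update({
            "section_count": sections_dict["count"],
            "section_details": sections_dict["details"],
        })

        strings_dict = fileurl.get_result(filename, strings_config)
        report.update({
            "string_file": strings_dict["file"],
            "string_url": strings_dict["url"],
            "string_ip": strings_dict["ip"],
            "string_fuzzing": strings_dict["fuzzing"],
            "string_dump": strings_dict["dump"],
            "string_count": strings_dict["string_count"],
        })

        directories_dict = directories.get(pe)
        export_df = pd.DataFrame(directories_dict["export"])
        if not export_df.empty:
            export_df["function"] = export_df["function"].apply(_decode_export_name)
        report.update({
            "import": directories_dict["import"],
            "export": export_df.to_dict('records'),
            "debug": directories_dict["debug"],
            "tls": directories_dict["tls"],
            "resources": directories_dict["resources"],
            "relocations": directories_dict["relocations"],
            "sign": directories_dict["sign"],
        })

        # The anti-debug/anti-VM rules were already applied under "behavior";
        # exclude them from the generic plugin sweep.
        report["yara_plugins"] = yara_check.yara_match_from_folder(
            path_to_file('pe', 'signatures/yara_plugins'), filename,
            ['antidebug_antivm.yar'])
    finally:
        # pefile keeps the sample mapped until close(); release it even when
        # one of the plugins raises.
        pe.close()
    return report


def analyze(filename):
    """Build the flat static-analysis report for *filename*.

    Args:
        filename: Path of the sample to inspect.

    Returns:
        A dict with ``version``, ``filename``, ``filetype``, ``filesize`` and
        the ``md5``/``sha1``/``sha256`` digests. PE files additionally get the
        header, section, string, directory, function-size and YARA fields
        produced by ``_pe_report``; other files get ``docinfo`` (macro
        results) and the document YARA plugin matches under ``yara_plugins``.
        The elapsed wall time is stored under ``time``.

    Raises:
        SystemExit: if *filename* does not name an existing file.
    """
    if not isfile(filename):
        # Raise SystemExit directly: the exit() builtin is injected by the
        # site module and is not available in every interpreter setup.
        raise SystemExit("File not found")

    dt_start = get_datetime_now()

    hashes = gethash(filename)
    fileinfo = {
        "version": version(),
        "filename": filename,
        "filetype": filetype(filename),
        "filesize": filesize(filename),
        "md5": hashes["md5"],
        "sha1": hashes["sha1"],
        "sha256": hashes["sha256"],
    }

    if ispe(filename):
        fileinfo.update(_pe_report(filename))
    else:
        fileinfo["docinfo"] = macro.get_result(filename)
        fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
            path_to_file('doc', 'signatures/yara_plugins'), filename)

    dt_end = get_datetime_now()
    fileinfo["time"] = str(dt_end - dt_start)
    return fileinfo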