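def metadata_subject_overview():
    """Print a high-level summary of the PE held in the module-global ``SUBJECT``.

    Reports the file type (EXE/DLL), the peutils packing and suspicion
    heuristics, the entry-point RVA, checksum information (via the
    ``misc_*`` helpers), the section table and the number of imported
    functions per DLL. Everything is emitted through ``print_``; nothing is
    returned.

    Depends on module globals ``SUBJECT`` (a parsed pefile object),
    ``ORIG_FILE`` and ``print_``, and on ``misc_generate_checksum`` /
    ``misc_verify_checksum`` defined elsewhere in the file.
    """
    if SUBJECT.is_exe():
        print_('Binary "%s" is an EXE' % ORIG_FILE)
    if SUBJECT.is_dll():
        print_('Binary "%s" is a DLL' % ORIG_FILE)

    # Both peutils checks are heuristics: a hit is an indicator worth a closer
    # look, not proof of malice, and a clean result does not prove the binary
    # is benign.
    flagged = False
    if peutils.is_probably_packed(SUBJECT):
        print_('Binary is possibly packed!')
        flagged = True
    if peutils.is_suspicious(SUBJECT):
        print_('Binary is suspicious!')
        flagged = True

    if not flagged:
        print_('Binary appears to be normal')

    print_('Address of Entry Point: 0x%08x' %
           SUBJECT.OPTIONAL_HEADER.AddressOfEntryPoint)

    misc_generate_checksum()
    misc_verify_checksum()

    print_('Sections:')
    for section in SUBJECT.sections:
        # Section names are NUL-padded in the header; strip the padding.
        print_('\tRVA: 0x%08x - Name: %s - %i bytes' %
               (section.VirtualAddress, section.Name.strip('\x00'),
                section.SizeOfRawData))
    print_('Imports from:')
    # pefile only sets DIRECTORY_ENTRY_IMPORT when an import table was parsed;
    # fall back to an empty list so a binary without one (e.g. a packed or
    # stripped sample) does not abort the overview with AttributeError.
    for entry in getattr(SUBJECT, 'DIRECTORY_ENTRY_IMPORT', []):
        # entry.imports is a list, so len() replaces the manual counting loop.
        print_('\t%s -> %i functions' % (entry.dll, len(entry.imports)))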
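def metadata_subject_overview():
    """Emit an overview of the parsed PE in the module-global ``SUBJECT``.

    Output (all through ``print_``): whether the file is an EXE and/or DLL,
    the peutils packing/suspicion heuristics, the entry-point RVA, the
    checksum output of ``misc_generate_checksum`` / ``misc_verify_checksum``,
    the section table, and how many functions are imported from each DLL.

    Returns ``None``. Uses the module globals ``SUBJECT``, ``ORIG_FILE`` and
    ``print_`` and the two ``misc_*`` helpers defined elsewhere in the file.
    """
    if SUBJECT.is_exe():
        print_('Binary "%s" is an EXE' % ORIG_FILE)
    if SUBJECT.is_dll():
        print_('Binary "%s" is a DLL' % ORIG_FILE)

    # Heuristic indicators only: either flag warrants closer inspection, and
    # "appears to be normal" means neither heuristic fired, not that the
    # sample is safe.
    flagged = False
    if peutils.is_probably_packed(SUBJECT):
        print_('Binary is possibly packed!')
        flagged = True
    if peutils.is_suspicious(SUBJECT):
        print_('Binary is suspicious!')
        flagged = True

    if not flagged:
        print_('Binary appears to be normal')

    print_('Address of Entry Point: 0x%08x' %
           SUBJECT.OPTIONAL_HEADER.AddressOfEntryPoint)

    misc_generate_checksum()
    misc_verify_checksum()

    print_('Sections:')
    for section in SUBJECT.sections:
        # The 8-byte section name field is NUL-padded; drop the padding.
        print_('\tRVA: 0x%08x - Name: %s - %i bytes' %
               (section.VirtualAddress, section.Name.strip('\x00'),
                section.SizeOfRawData))
    print_('Imports from:')
    # DIRECTORY_ENTRY_IMPORT is absent on binaries with no import table, so
    # guard the attribute access instead of letting AttributeError end the run.
    for entry in getattr(SUBJECT, 'DIRECTORY_ENTRY_IMPORT', []):
        # len() of the imports list replaces the hand-rolled counter loop.
        print_('\t%s -> %i functions' % (entry.dll, len(entry.imports)))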
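    def _is_suspicious(self, pe) -> Union[bool, None]:
        """Run the peutils suspicion heuristic on an already parsed PE.

        Args:
            pe: a parsed ``pefile.PE`` object supplied by the caller (this
                variant does not use instance state).

        Returns:
            The result of ``peutils.is_suspicious(pe)``, or ``None`` when the
            check itself raises, so callers can tell "not suspicious" apart
            from "could not be evaluated".
        """
        try:
            return peutils.is_suspicious(pe)
        except Exception:
            # Narrowed from a bare ``except`` so KeyboardInterrupt and
            # SystemExit still propagate; any failure inside the heuristic
            # is reported as "unknown" rather than as a verdict.
            return None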
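    def is_suspicious(self):
        """Return the peutils suspicion heuristic for ``self.pe``.

        Returns:
            The bool from ``peutils.is_suspicious(self.pe)``, or ``None`` if
            the check raises (e.g. the heuristic cannot walk the headers of
            a malformed sample), so a failed check is not reported as a
            "not suspicious" verdict.
        """
        try:
            return peutils.is_suspicious(self.pe)
        except Exception:
            # ``except Exception`` instead of a bare ``except``: an operator's
            # Ctrl-C (KeyboardInterrupt) must not be swallowed here.
            return None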
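    def is_suspicious(self):
        """Evaluate the peutils suspicion heuristic against ``self.pe``.

        Returns:
            ``peutils.is_suspicious(self.pe)`` (a bool), or ``None`` when the
            heuristic raises; callers should treat ``None`` as "unknown", not
            as a clean result.
        """
        try:
            return peutils.is_suspicious(self.pe)
        except Exception:
            # Narrowed from a bare ``except`` so KeyboardInterrupt/SystemExit
            # are not silently converted into ``None``.
            return None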
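 def peid(self):
     """Collect PEiD signature matches and peutils heuristics for ``self.pe``.

     Loads the PEiD ``UserDB.TXT`` bundled under ``MALICE_ROOT/data`` and
     matches it against the entry point only (``ep_only=True``).

     Returns:
         dict with keys ``peid_signature_match`` (first name of every
         matching signature; empty when nothing matched),
         ``is_probably_packed``, ``is_suspicious`` and ``is_valid`` (the
         peutils heuristic results for ``self.pe``).
     """
     userdb_file_dir_path = path.join(MALICE_ROOT, 'data', 'UserDB.TXT')
     signatures = peutils.SignatureDatabase(userdb_file_dir_path)
     matches = signatures.match_all(self.pe, ep_only=True)
     # Build the list directly: ``map(packer.append, ...)`` is lazy on
     # Python 3, so the appends never ran and the result was always empty.
     packer = [s[0] for s in matches] if matches else []
     return {
         "peid_signature_match": packer,
         "is_probably_packed": peutils.is_probably_packed(self.pe),
         "is_suspicious": peutils.is_suspicious(self.pe),
         "is_valid": peutils.is_valid(self.pe),
     }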
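 def peid(self):
     """Return PEiD signature hits plus the peutils heuristics for ``self.pe``.

     The signature database is ``MALICE_ROOT/data/UserDB.TXT``; matching is
     restricted to the entry point (``ep_only=True``).

     Returns:
         dict: ``peid_signature_match`` is the list of first names of the
         matching signatures (empty if none); ``is_probably_packed``,
         ``is_suspicious`` and ``is_valid`` hold the corresponding peutils
         results. All are heuristics, not verdicts.
     """
     userdb_file_dir_path = path.join(MALICE_ROOT, 'data', 'UserDB.TXT')
     signatures = peutils.SignatureDatabase(userdb_file_dir_path)
     matches = signatures.match_all(self.pe, ep_only=True)
     # On Python 3 ``map`` is lazy, so the former ``map(packer.append, ...)``
     # never executed; a comprehension fills the list on every interpreter.
     packer = [s[0] for s in matches] if matches else []
     pe_matches = dict()
     pe_matches["peid_signature_match"] = packer
     pe_matches["is_probably_packed"] = peutils.is_probably_packed(self.pe)
     pe_matches["is_suspicious"] = peutils.is_suspicious(self.pe)
     pe_matches["is_valid"] = peutils.is_valid(self.pe)
     return pe_matches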
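	def _build_peid_matches(self, scan_result):
		"""Match ``scan_result`` against the bundled PEiD database and peutils heuristics.

		Args:
			scan_result: a parsed pefile object to inspect.

		Returns:
			dict with ``peid_signature_match`` (first name of each entry-point
			signature match, empty when nothing matched), ``is_probably_packed``,
			``is_suspicious`` and ``is_valid``.
		"""
		import peutils
		UserDB_FILE_DIR_PATH = path.join(path.dirname(__file__), 'file', 'UserDB.TXT')
		signatures = peutils.SignatureDatabase(UserDB_FILE_DIR_PATH)

		matches = signatures.match_all(scan_result, ep_only=True)
		# A comprehension instead of ``map(packer.append, ...)``: map is lazy on
		# Python 3, so the old form silently produced an empty list.
		packer = [s[0] for s in matches] if matches else []
		pe_matches = dict()
		pe_matches["peid_signature_match"] = packer
		pe_matches["is_probably_packed"] = peutils.is_probably_packed(scan_result)
		pe_matches["is_suspicious"] = peutils.is_suspicious(scan_result)
		pe_matches["is_valid"] = peutils.is_valid(scan_result)
		return pe_matches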
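    def _build_peid_matches(self, scan_result):
        """Run PEiD signature matching and the peutils heuristics on ``scan_result``.

        Args:
            scan_result: a parsed pefile object.

        Returns:
            dict with ``peid_signature_match`` (list of the first name of each
            matching entry-point signature; empty when none matched) and the
            peutils results ``is_probably_packed``, ``is_suspicious`` and
            ``is_valid``.
        """
        import peutils
        # Path is resolved relative to this module, not from user input.
        UserDB_FILE_DIR_PATH = path.join(path.dirname(__file__), 'file',
                                         '../pe/data/UserDB.TXT')
        signatures = peutils.SignatureDatabase(UserDB_FILE_DIR_PATH)

        matches = signatures.match_all(scan_result, ep_only=True)
        # ``map(packer.append, ...)`` is never consumed on Python 3 (map is
        # lazy), so build the list with a comprehension instead.
        packer = [s[0] for s in matches] if matches else []
        return {
            "peid_signature_match": packer,
            "is_probably_packed": peutils.is_probably_packed(scan_result),
            "is_suspicious": peutils.is_suspicious(scan_result),
            "is_valid": peutils.is_valid(scan_result),
        }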