def do_aaa(self, args):
    """Analyze absolutely all: Show a collection of stats about the current sample"""

    def on_off(flag):
        # Both detection toggles are reported with the same wording.
        return "active" if flag else "inactive"

    # sys.maxsize is the sentinel meaning the end of the unpacking stub
    # (the tail jump) could not be determined.
    stub_end = "unknown" if endaddr == sys.maxsize else f"0x{endaddr:02x}"

    # Block 1: static analysis results and the detection features in use.
    print("\x1b[31mFile analysis:\x1b[0m")
    analysis_rows = [
        ("YARA:", ", ".join(str(match) for match in yara_matches)),
        ("Chosen unpacker:", unpacker.__class__.__name__),
        ("Allowed sections:", ", ".join(unpacker.allowed_sections)),
        ("End of unpacking stub:", stub_end),
        ("Section hopping detection:", on_off(section_hopping_control)),
        ("Write+Exec detection:", on_off(write_execute_control)),
    ]
    print_cols(analysis_rows)

    # Block 2: memory layout of the emulated image. Rows carry four columns so
    # that the address ranges line up with the single-value rows.
    print("\n\x1b[31mPE stats:\x1b[0m")
    stack_end = STACK_ADDR + STACK_SIZE
    hook_end = HOOK_ADDR + 0x1000  # presumably a single page of hook space; confirm against the mapping code
    pe_rows = [
        ("Declared virtual memory size:", f"0x{virtualmemorysize:02x}", "", ""),
        ("Actual loaded image size:", f"0x{len(loaded):02x}", "", ""),
        ("Image base address:", f"0x{BASE_ADDR:02x}", "", ""),
        ("Mapped stack space:", f"0x{STACK_ADDR:02x}", "-", f"0x{stack_end:02x}"),
        ("Mapped hook space:", f"0x{HOOK_ADDR:02x}", "-", f"0x{hook_end:02x}"),
    ]
    print_cols(pe_rows)

    # Blocks 3 and 4 are delegated to the shell's own "i" command.
    self.do_i("i")
    print("\n\x1b[31mRegister status:\x1b[0m")
    self.do_i("r")
def print_imports(args):
    """Print the hooked API functions, split into static and dynamic imports.

    Every hook registered in ``apicall_handler.hooks`` is listed as
    ``(address, function name, module)``; a function that is also present in
    the module-level ``imports`` collection counts as a static import, all
    others as dynamic. ``args`` is accepted for the command interface but not
    used.
    """
    static_rows = []
    dynamic_rows = []
    for addr, name in apicall_handler.hooks.items():
        # The module lookup may have no entry for a hooked name; show "?" then.
        try:
            module = apicall_handler.module_for_function[name]
        except KeyError:
            module = "?"
        row = (f"0x{addr:02x}", name, module)
        bucket = static_rows if name in imports else dynamic_rows
        bucket.append(row)

    for heading, rows in (
        ("\n\x1b[31mStatic imports:\x1b[0m", static_rows),
        ("\n\x1b[31mDynamic imports:\x1b[0m", dynamic_rows),
    ):
        print(heading)
        print_cols(rows)
def print_stats():
    """Print the emulation run time and the per-name counters collected so far.

    Reads the module-level ``start`` timestamp and the ``api_calls``,
    ``sections_executed``, ``sections_read`` and ``sections_written``
    mappings; each mapping is printed as a two-column table via ``print_cols``.
    """
    elapsed = time() - start
    hours, remainder = divmod(elapsed, 3600)
    minutes, seconds = divmod(remainder, 60)
    print(
        f"\x1b[31mTime wasted emulating:\x1b[0m "
        f"{int(hours):02} h {int(minutes):02} min {int(seconds):02} s"
    )

    # The first heading follows the time line directly; the others are
    # separated from the previous table by a blank line.
    tables = (
        ("\x1b[31mAPI calls:\x1b[0m", api_calls),
        ("\n\x1b[31mInstructions executed in sections:\x1b[0m", sections_executed),
        ("\n\x1b[31mRead accesses:\x1b[0m", sections_read),
        ("\n\x1b[31mWrite accesses:\x1b[0m", sections_written),
    )
    for heading, counter in tables:
        print(heading)
        print_cols(list(counter.items()))
def print_allocs(self):
    """Print every chunk in ``self.allocated_chunks`` as a ``start - end`` row."""
    print("Currently allocated:")
    rows = [(hex(lo), "-", hex(hi)) for lo, hi in self.allocated_chunks]
    print_cols(rows)
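def _print_fortune():
    """Print a random line of the ``fortunes`` file in red."""
    with open("fortunes") as f:
        fortunes = f.read().splitlines()
    print(f"\n\x1b[31m{choice(fortunes)}\x1b[0m\n")


def init_sample(show_fortune=True):
    """Interactively choose the sample to emulate and set up the unpacker globals.

    Up to ten previously used samples are read from ``.unpacker_history`` in
    the current working directory (one ``packer;path`` entry per line) and
    offered next to a "New sample..." option. Once a file is chosen and an
    unpacker could be resolved for it, the module-level ``sample``,
    ``unpacker``, ``yara_matches``, ``startaddr``, ``endaddr``,
    ``write_execute_control``, ``allowed_addr_ranges`` and possibly
    ``section_hopping_control`` are set, and the choice is written back to
    the history file.

    Args:
        show_fortune: print a random line of the ``fortunes`` file after the
            sample has been set up.

    The process exits with status 0 when stdin hits EOF while prompting.
    """
    global sample, unpacker, yara_matches, startaddr, endaddr, allowed_addr_ranges, section_hopping_control, write_execute_control
    global sections_executed, sections_read, sections_written
    try:
        histfile = ".unpacker_history"
        # Append mode creates a missing history file without truncating an
        # existing one, so no separate exists() check is needed.
        open(histfile, "a").close()
        with open(histfile) as f:
            # Keep only well-formed "packer;path" lines: a malformed line used
            # to raise while being unpacked into (packer, name) below.
            history = [line for line in f.read().splitlines()[:10] if ";" in line]
        new_sample_id = len(history)  # index of the "New sample..." option

        print("Your options for today:\n")
        lines = []
        for i, entry in enumerate(history):
            # maxsplit=1: the sample path itself may contain a ';'.
            packer, name = entry.split(";", 1)
            lines.append((f"\t[{i}]", f"\x1b[34m{packer}:\x1b[0m", name))
        lines.append((f"\t[{new_sample_id}]", "\x1b[33mNew sample...\x1b[0m", ""))
        print_cols(lines)
        print()

        success = False
        while not success:
            try:
                option_id = int(input("Enter the option ID: "))
            except ValueError:
                print("Error parsing ID")
                continue
            if 0 <= option_id < new_sample_id:
                sample = history[option_id].split(";", 1)[1]
                success = True
            elif option_id == new_sample_id:
                sample = input("Please enter the path to the file: ")
                if not os.path.isfile(sample):
                    print("Not a valid file!")
                else:
                    success = True
            else:
                print(f"Invalid ID. Allowed range: 0 - {new_sample_id}")
            if not success:
                # Nothing valid was chosen yet; the original code called
                # get_unpacker() here regardless, on a possibly unset sample.
                continue
            try:
                unpacker, yara_matches = get_unpacker(sample)
            except RuntimeError as e:
                print(e)
                success = False
                continue

        startaddr = unpacker.get_entrypoint()
        endaddr, _ = unpacker.get_tail_jump()
        write_execute_control = unpacker.write_execute_control
        if show_fortune:
            _print_fortune()
        else:
            print("")

        # Record the choice; the last YARA match labels the packer in the list.
        packer_label = yara_matches[-1] if yara_matches else "unknown"
        with open(histfile, "w") as f:
            f.write("\n".join(sorted(set([f"{packer_label};{sample}"] + history))))

        allowed_addr_ranges = unpacker.get_allowed_addr_ranges()
        if not allowed_addr_ranges:
            # Section hopping detection needs at least one allowed range.
            section_hopping_control = False
    except EOFError:
        _print_fortune()
        sys.exit(0)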