def process(self):
Processor.process(self)
self._addModule(PEFileModule())
self._addModule(MetaDataModule())
self._addPlugIn(SectionsPlug.SectionsPlug())
self._executeAllPlugIns()
return self.metadata_to_store
def process(self):
Processor.process(self)
self._addModule(PEFileModule())
self._addModule(MetaDataModule())
self._addPlugIn(ImportsPlug.ImportsPlug())
self._addPlugIn(EntropyPlug.EntropyPlug())
self._addPlugIn(SectionsPlug.SectionsPlug())
self._addPlugIn(ResourceEntriesPlug.ResourceEntriesPlug())
self._addPlugIn(CheckEPSectionPlug.CheckEPSectionPlug())
#self._addPlugIn(CRCCheckPlug.CRCCheckPlug())
self._addPlugIn(TimeStampPlug.TimeStampPlug())
self._addPlugIn(HeadersPlug.HeadersPlug())
self._addPlugIn(VersionInfoPlug.VersionInfoPlug())
self._addPlugIn(ChildOfPlug.ChildOfPlug())
self._addPlugIn(CypherPlug.CypherPlug())
self._addPlugIn(PackerVersionPlug.PackerVersionPlug())
self._addPlugIn(AVAnalysisPlug.AVAnalysisPlug())
self._addPlugIn(CheckPackerPlug.CheckPackerPlug())
#self._addPlugIn(TestPlug.TestPlug())
self._addPlugIn(AddImportsToTreePlug.AddImportsToTreePlug())
self._addPlugIn(ExportsPlug.ExportsPlug())
self._addPlugIn(CertficatePlug.CertficatePlug())
self._addPlugIn(StringPlug.StringPlug())
self._executeAllPlugIns()
return self.metadata_to_store
def process(self):
imports=self.sample.getLastValue("particular_header.imports")
if(imports==None ):return "no_imports"
if(len(imports)==0):return "no_imports"
mdc=self._getLibrary(MetaDataModule().getName())
if(mdc==None):return "not_added"
if(mdc.writeImportsTree(imports)==0):
return "added"
else:
return "not_added"
def process(self):
ret={}
data=""
pelib=self._getLibrary(PEFileModule().getName())
if(pelib==None):data=self.sample.getBinary()
else:
for section in pelib.sections:
data=data+section.get_data()
regexp='[A-Za-z0-9/\-:.,_$&@=?%()[\]<> ]{4,}'
strings=re.findall(regexp,data)
aux={}
for s in strings:
aux[repr(s).lower()]=True
unique_strings=[]
for k in aux:
unique_strings.append(k)
mdc=self._getLibrary(MetaDataModule().getName())
if(mdc==None):return ret
searchUsed={}
imports=self.sample.getLastValue("particular_header.imports")
if(imports!=None ):
for i in imports:
searchUsed[i["lib"]]=True
for f in i["functions"]:
searchUsed[f]=True
exports=self.sample.getLastValue("particular_header.exports.symbols")
if(exports!=None ):
#print("No exports")
for i in exports:
searchUsed[i["name"]]=True
if(hasattr(i,"forwarder_dll") and hasattr(i,"forwarder_function")):
searchUsed[i["forwarder_dll"]]=True
searchUsed[i["forwarder_function"]]=True
version_p=self.sample.getLastValue("particular_header.version.string_file_info")
if(version_p!=None ):
for k in version_p.keys():
searchUsed["'"+str(version_p[k])+"'"]=True
raw=[]
hidden=[]
email=[]
url=[]
ip_l=[]
dll=[]
domain=[]
interesting=[]
registry=[]
for s in unique_strings:
#viendo si declara el import o no
#print(s)
#print(searchUsed.get(repr(s).lower()))
#raw_input()
if(searchUsed.get(s)==True): continue
raw.append(s)
#buscando si es un import o no
r=mdc.searchImportByName(s)
if(r!=None):
hidden.append(s)
continue
evaluado=eval(s)
#buscando dll
r=mdc.searchDllByName(s)
if(r!=None):
dll.append(s)
continue
#buscando cosas nombres de archivos
types=["exe","dll","bat","sys","htm","html","js","jar","jpg",
"png","vb","scr","pif","chm","zip","rar","cab","pdf",
"doc","docx","ppt","pptx","xls","xlsx","swf","gif","pdb","cpp"]
salir=False
for pat in types:
if(s.find("."+pat)!=-1):
interesting.append(s)
salir=True
break
if salir: continue
#buscando email
if(validators.email(evaluado)):
email.append(s)
continue
#buscando url
if(validators.url(evaluado)):
url.append(s)
continue
#buscando ip
if(validators.ipv4(evaluado)): #or validators.ipv6(evaluado)):
ip_l.append(s)
continue
#buscando registry
if(s.find("HKLM\\")!=-1 or s.find("HKCU\\")!=-1 ):
registry.append(s)
continue
#buscando dominios
if(validators.domain(evaluado)):
domain.append(s)
continue
ret["raw_strings"]=sorted(raw)
if(len(hidden)>0):ret["hidden_imports"]=sorted(hidden)
if(len(email)>0):ret["emails"]=sorted(email)
if(len(url)>0):ret["urls"]=sorted(url)
if(len(ip_l)>0):ret["ips"]=sorted(ip_l)
if(len(dll)>0):ret["hidden_dll"]=sorted(dll)
if(len(domain)>0):ret["domains"]=sorted(domain)
if(len(interesting)>0):ret["interesting"]=sorted(interesting)
if(len(registry)>0):ret["registry"]=sorted(registry)
return ret