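def _pe_timestamp(value):
	"""Format a PE header TimeDateStamp (seconds since the epoch, UTC) as text.

	The field is attacker-controlled and may hold a value outside the range the
	platform's time functions accept; such a value is returned as a marker
	string instead of aborting the whole analysis.
	"""
	from datetime import timezone  # function-local: the module imports only the class
	try:
		# Same output as the deprecated utcfromtimestamp(); the format has no %z.
		return datetime.fromtimestamp(value, timezone.utc).strftime('%Y-%m-%d %H:%M:%S')
	except (OverflowError, OSError, ValueError):
		return 'invalid (%r)' % (value,)


def analyze(filename):
	"""Build the static-analysis report for *filename*.

	Collects type, size, hashes, a VirusTotal lookup and string/YARA signature
	matches; a PE sample additionally gets a ``peinfo`` section from its parsed
	headers, any other file gets a ``docinfo`` section from the macro scanner.

	Args:
		filename: path of the sample to analyse.

	Returns:
		dict with the keys ``version``, ``filename``, ``filetype``, ``filesize``,
		``hashes``, ``virustotal``, ``strings``, ``docinfo``, ``peinfo``,
		``yara_plugins`` and ``time`` (elapsed wall time as a string).
		``peinfo`` / ``docinfo`` is ``{}`` for the type that does not apply.

	Side effects:
		Calls ``exit()`` when *filename* does not exist; ``virustotal.get_result``
		performs the network lookup.
	"""
	if not isfile(filename):
		exit("File not found")

	dt_start = get_datetime_now()

	# Hash the sample once. The digests stored under "hashes" and the md5
	# submitted to VirusTotal must come from the same read of the file;
	# hashing twice lets a sample modified between the two reads be reported
	# with one set of hashes and looked up under another.
	hashes = gethash(filename)
	# stringsmatch.json serves both the strings scan and the API-breakpoint
	# scan; parse it once.
	stringsmatch = load_config(path_to_file('stringsmatch.json', 'signatures'))
	vt_config = load_config(path_to_file('config-peframe.json', 'config'))['virustotal']

	fileinfo = {
		"version": version(),
		"filename": filename,
		"filetype": filetype(filename),
		"filesize": filesize(filename),
		"hashes": hashes,
		# NOTE(review): the lookup is keyed on md5; sha256 is the stronger key
		# if virustotal.get_result accepts it — check that module.
		"virustotal": virustotal.get_result(vt_config, hashes['md5']),
		"strings": fileurl.get_result(filename, stringsmatch),
		# Both keys are always present so consumers can test them without
		# KeyError; the one that applies is filled in below.
		"docinfo": {},
		"peinfo": {},
	}

	if ispe(filename):
		pe = pefile.PE(filename)
		fileinfo["peinfo"] = {
			"imphash": pe.get_imphash(),
			"timestamp": _pe_timestamp(pe.FILE_HEADER.TimeDateStamp),
			"dll": pe.FILE_HEADER.IMAGE_FILE_DLL,
			"imagebase": pe.OPTIONAL_HEADER.ImageBase,
			"entrypoint": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
			"behavior": yara_check.yara_match_from_file(
				path_to_file('antidebug_antivm.yar', 'signatures/yara_plugins/pe'), filename),
			"breakpoint": apialert.get_result(pe, stringsmatch['breakpoint']),
			"directories": directories.get(pe),
			"features": features.get_result(pe, filename),
			"sections": sections.get_result(pe),
			"metadata": meta.get(pe),
		}
		# antidebug_antivm.yar was already applied above as "behavior"; the
		# third argument presumably excludes it from the folder scan.
		fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
			path_to_file('pe', 'signatures/yara_plugins'), filename, ['antidebug_antivm.yar'])
	else:
		fileinfo["docinfo"] = macro.get_result(filename)
		fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
			path_to_file('doc', 'signatures/yara_plugins'), filename)

	fileinfo["time"] = str(get_datetime_now() - dt_start)
	return fileinfo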
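def _pe_timestamp(value):
	"""Format a PE header TimeDateStamp (seconds since the epoch, UTC) as text.

	The field is attacker-controlled and may hold a value outside the range the
	platform's time functions accept; such a value is returned as a marker
	string instead of aborting the whole analysis.
	"""
	from datetime import timezone  # function-local: the module imports only the class
	try:
		# Same output as the deprecated utcfromtimestamp(); the format has no %z.
		return datetime.fromtimestamp(value, timezone.utc).strftime('%Y-%m-%d %H:%M:%S')
	except (OverflowError, OSError, ValueError):
		return 'invalid (%r)' % (value,)


def analyze(filename):
	"""Build the static-analysis report for *filename*.

	Collects type, size, hashes, a VirusTotal lookup and string/YARA signature
	matches; a PE sample additionally gets a ``peinfo`` section from its parsed
	headers, any other file gets a ``docinfo`` section from the macro scanner.

	Args:
		filename: path of the sample to analyse.

	Returns:
		dict with the keys ``version``, ``filename``, ``filetype``, ``filesize``,
		``hashes``, ``virustotal``, ``strings``, ``docinfo``, ``peinfo``,
		``yara_plugins`` and ``time`` (elapsed wall time as a string).
		``peinfo`` / ``docinfo`` is ``{}`` for the type that does not apply.

	Side effects:
		Calls ``exit()`` when *filename* does not exist; ``virustotal.get_result``
		performs the network lookup.
	"""
	if not isfile(filename):
		exit("File not found")

	dt_start = get_datetime_now()

	# Hash the sample once. The digests stored under "hashes" and the md5
	# submitted to VirusTotal must come from the same read of the file;
	# hashing twice lets a sample modified between the two reads be reported
	# with one set of hashes and looked up under another.
	hashes = gethash(filename)
	# stringsmatch.json serves both the strings scan and the API-breakpoint
	# scan; parse it once.
	stringsmatch = load_config(path_to_file('stringsmatch.json', 'signatures'))
	vt_config = load_config(path_to_file('config-peframe.json', 'config'))['virustotal']

	fileinfo = {
		"version": version(),
		"filename": filename,
		"filetype": filetype(filename),
		"filesize": filesize(filename),
		"hashes": hashes,
		# NOTE(review): the lookup is keyed on md5; sha256 is the stronger key
		# if virustotal.get_result accepts it — check that module.
		"virustotal": virustotal.get_result(vt_config, hashes['md5']),
		"strings": fileurl.get_result(filename, stringsmatch),
		# Both keys are always present so consumers can test them without
		# KeyError; the one that applies is filled in below.
		"docinfo": {},
		"peinfo": {},
	}

	if ispe(filename):
		pe = pefile.PE(filename)
		fileinfo["peinfo"] = {
			"imphash": pe.get_imphash(),
			"timestamp": _pe_timestamp(pe.FILE_HEADER.TimeDateStamp),
			"dll": pe.FILE_HEADER.IMAGE_FILE_DLL,
			"imagebase": pe.OPTIONAL_HEADER.ImageBase,
			"entrypoint": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
			"behavior": yara_check.yara_match_from_file(
				path_to_file('antidebug_antivm.yar', 'signatures/yara_plugins/pe'), filename),
			"breakpoint": apialert.get_result(pe, stringsmatch['breakpoint']),
			"directories": directories.get(pe),
			"features": features.get_result(pe, filename),
			"sections": sections.get_result(pe),
			"metadata": meta.get(pe),
		}
		# antidebug_antivm.yar was already applied above as "behavior"; the
		# third argument presumably excludes it from the folder scan.
		fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
			path_to_file('pe', 'signatures/yara_plugins'), filename, ['antidebug_antivm.yar'])
	else:
		fileinfo["docinfo"] = macro.get_result(filename)
		fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
			path_to_file('doc', 'signatures/yara_plugins'), filename)

	fileinfo["time"] = str(get_datetime_now() - dt_start)
	return fileinfo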
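def _dump(obj):
    """Print *obj* as indented JSON with sorted keys, the shell's output format."""
    print(json.dumps(obj, sort_keys=True, indent=4))


def _open_submenu(name):
    """Print the commands of submenu *name* and the hint for leaving it."""
    _dump(cmd_list_select[name])
    print('\nUse \'back\' to return')


def interactive_mode():
    """Run the interactive shell over the module-level analysis ``result``.

    Commands are read with ``autocomplete.get_result`` against ``cmd_list``;
    each one prints the matching part of ``result`` as JSON. ``virustotal``,
    ``directories``, ``sections``, ``features`` and ``strings`` open a nested
    prompt (commands from ``cmd_list_select``) that runs until ``back``.
    Returns when one of the quit words is entered.

    Uses module globals: ``result``, ``cmd_list``, ``cmd_list_select``,
    ``autocomplete``, ``virustotal``, ``peframe``, ``header`` and ``get_info``.
    """
    header('Interactive mode (press TAB to show commands)')
    help_list = ['?', 'h', 'help', 'ls', 'dir']
    drop_list = ['q!', 'exit', 'quit', 'bye']
    # Commands that only apply when the sample parsed as a PE / as a document;
    # result['peinfo'] / result['docinfo'] is {} otherwise and the lookups
    # below would raise KeyError instead of answering.
    pe_only = ('directories', 'sections', 'features', 'breakpoint', 'metadata')
    doc_only = ('macro', 'attributes')
    # Submenu entries that map one-to-one onto keys of the result dicts.
    directory_keys = ('import', 'export', 'debug', 'tls', 'resources', 'relocations', 'sign')
    feature_keys = ('antidbg', 'antivm', 'mutex', 'packer', 'xor', 'crypto')

    while True:
        user_input = autocomplete.get_result(cmd_list, "[peframe]>")

        if user_input in help_list:
            _dump(cmd_list)
        elif user_input in drop_list:
            print('goodbye!\n')
            break
        elif user_input in pe_only and not result['peinfo']:
            print('No PE information for this sample')
        elif user_input in doc_only and not result['docinfo']:
            print('No document information for this sample')

        # info
        elif user_input == 'info':
            get_info()
            print('\n')
        elif user_input == 'yara_plugins':
            # Flatten the per-rule-file dicts into one list of matches.
            _dump([match for rules in result['yara_plugins'] for match in rules.values()])
        elif user_input == 'behavior':
            if result['peinfo']:
                _dump(result['peinfo']['behavior'])
            if result['docinfo']:
                _dump(result['docinfo']['behavior'])
        elif user_input == 'virustotal':
            # The whole submenu stays best-effort (a missing key in the VT reply
            # is reported, not raised), but `except Exception` no longer swallows
            # KeyboardInterrupt / SystemExit the way the bare except did.
            try:
                vt_config = peframe.load_config(
                    peframe.path_to_file('config-peframe.json', 'config'))['virustotal']
                vt = virustotal.get_result(vt_config, result['hashes']['md5'], full=True)
                if vt['response_code'] == 200:
                    _open_submenu('virustotal')
                    while True:
                        choice = autocomplete.get_result(
                            cmd_list_select['virustotal'], "[peframe/virustotal]>")
                        if choice == 'back':
                            break
                        elif choice == 'permalink':
                            print(vt['results']['permalink'])
                        elif choice == 'antivirus':
                            _dump(vt['results']['scans'])
                        elif choice == 'scan_date':
                            print(vt['results']['scan_date'])
            except Exception:
                print('VT Query error')

        # directories
        elif user_input == 'directories':
            dir_info = result['peinfo']['directories']
            _open_submenu('directories')
            while True:
                choice = autocomplete.get_result(
                    cmd_list_select['directories'], "[peframe/directories]>")
                if choice == 'back':
                    break
                elif choice == 'list':
                    # Was `user_input_directories['directories']` — a str indexed
                    # with a str, always TypeError. Presumably meant the directory
                    # names found in the sample.
                    for name in dir_info:
                        print(name)
                elif choice in directory_keys:
                    _dump(dir_info[choice])

        # sections
        elif user_input == 'sections':
            _open_submenu('sections')
            while True:
                choice = autocomplete.get_result(
                    cmd_list_select['sections'], "[peframe/sections]>")
                if choice == 'back':
                    break
                elif choice in cmd_list_select['sections']:
                    for section in result['peinfo']['sections']['details']:
                        if section['section_name'] == choice:
                            _dump(section)

        # features
        elif user_input == 'features':
            _open_submenu('features')
            while True:
                choice = autocomplete.get_result(
                    cmd_list_select['features'], "[peframe/features]>")
                if choice == 'back':
                    break
                elif choice in feature_keys:
                    _dump(result['peinfo']['features'][choice])

        elif user_input == 'breakpoint':
            _dump(result['peinfo']['breakpoint'])
        elif user_input == 'hashes':
            _dump(result['hashes'])
        elif user_input == 'macro':
            print(result['docinfo']['macro'])
        elif user_input == 'attributes':
            _dump(result['docinfo']['attributes'])
        elif user_input == 'metadata':
            _dump(result['peinfo']['metadata'])

        # Strings
        elif user_input == 'strings':
            _open_submenu('strings')
            while True:
                choice = autocomplete.get_result(
                    cmd_list_select['strings'], "[peframe/strings]>")
                if choice == 'back':
                    break
                elif choice == 'list':
                    for name in cmd_list_select['strings']:
                        print(name)
                elif choice in cmd_list_select['strings']:
                    _dump(result['strings'][choice])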
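def _dump(obj):
	"""Print *obj* as indented JSON with sorted keys, the shell's output format."""
	print(json.dumps(obj, sort_keys=True, indent=4))


def _open_submenu(name):
	"""Print the commands of submenu *name* and the hint for leaving it."""
	_dump(cmd_list_select[name])
	print('\nUse \'back\' to return')


def interactive_mode():
	"""Run the interactive shell over the module-level analysis ``result``.

	Commands are read with ``autocomplete.get_result`` against ``cmd_list``;
	each one prints the matching part of ``result`` as JSON. ``virustotal``,
	``directories``, ``sections``, ``features`` and ``strings`` open a nested
	prompt (commands from ``cmd_list_select``) that runs until ``back``.
	Returns when one of the quit words is entered.

	Uses module globals: ``result``, ``cmd_list``, ``cmd_list_select``,
	``autocomplete``, ``virustotal``, ``peframe``, ``header`` and ``get_info``.
	"""
	header('Interactive mode (press TAB to show commands)')
	help_list = ['?', 'h', 'help', 'ls', 'dir']
	drop_list = ['q!', 'exit', 'quit', 'bye']
	# Commands that only apply when the sample parsed as a PE / as a document;
	# result['peinfo'] / result['docinfo'] is {} otherwise and the lookups
	# below would raise KeyError instead of answering.
	pe_only = ('directories', 'sections', 'features', 'breakpoint', 'metadata')
	doc_only = ('macro', 'attributes')
	# Submenu entries that map one-to-one onto keys of the result dicts.
	directory_keys = ('import', 'export', 'debug', 'tls', 'resources', 'relocations', 'sign')
	feature_keys = ('antidbg', 'antivm', 'mutex', 'packer', 'xor', 'crypto')

	while True:
		user_input = autocomplete.get_result(cmd_list, "[peframe]>")

		if user_input in help_list:
			_dump(cmd_list)
		elif user_input in drop_list:
			print('goodbye!\n')
			break
		elif user_input in pe_only and not result['peinfo']:
			print('No PE information for this sample')
		elif user_input in doc_only and not result['docinfo']:
			print('No document information for this sample')

		# info
		elif user_input == 'info':
			get_info()
			print('\n')
		elif user_input == 'yara_plugins':
			# Flatten the per-rule-file dicts into one list of matches.
			_dump([match for rules in result['yara_plugins'] for match in rules.values()])
		elif user_input == 'behavior':
			if result['peinfo']:
				_dump(result['peinfo']['behavior'])
			if result['docinfo']:
				_dump(result['docinfo']['behavior'])
		elif user_input == 'virustotal':
			# The whole submenu stays best-effort (a missing key in the VT reply
			# is reported, not raised), but `except Exception` no longer swallows
			# KeyboardInterrupt / SystemExit the way the bare except did.
			try:
				vt_config = peframe.load_config(
					peframe.path_to_file('config-peframe.json', 'config'))['virustotal']
				vt = virustotal.get_result(vt_config, result['hashes']['md5'], full=True)
				if vt['response_code'] == 200:
					_open_submenu('virustotal')
					while True:
						choice = autocomplete.get_result(
							cmd_list_select['virustotal'], "[peframe/virustotal]>")
						if choice == 'back':
							break
						elif choice == 'permalink':
							print(vt['results']['permalink'])
						elif choice == 'antivirus':
							_dump(vt['results']['scans'])
						elif choice == 'scan_date':
							print(vt['results']['scan_date'])
			except Exception:
				print('VT Query error')

		# directories
		elif user_input == 'directories':
			dir_info = result['peinfo']['directories']
			_open_submenu('directories')
			while True:
				choice = autocomplete.get_result(
					cmd_list_select['directories'], "[peframe/directories]>")
				if choice == 'back':
					break
				elif choice == 'list':
					# Was `user_input_directories['directories']` — a str indexed
					# with a str, always TypeError. Presumably meant the directory
					# names found in the sample.
					for name in dir_info:
						print(name)
				elif choice in directory_keys:
					_dump(dir_info[choice])

		# sections
		elif user_input == 'sections':
			_open_submenu('sections')
			while True:
				choice = autocomplete.get_result(
					cmd_list_select['sections'], "[peframe/sections]>")
				if choice == 'back':
					break
				elif choice in cmd_list_select['sections']:
					for section in result['peinfo']['sections']['details']:
						if section['section_name'] == choice:
							_dump(section)

		# features
		elif user_input == 'features':
			_open_submenu('features')
			while True:
				choice = autocomplete.get_result(
					cmd_list_select['features'], "[peframe/features]>")
				if choice == 'back':
					break
				elif choice in feature_keys:
					_dump(result['peinfo']['features'][choice])

		elif user_input == 'breakpoint':
			_dump(result['peinfo']['breakpoint'])
		elif user_input == 'hashes':
			_dump(result['hashes'])
		elif user_input == 'macro':
			print(result['docinfo']['macro'])
		elif user_input == 'attributes':
			_dump(result['docinfo']['attributes'])
		elif user_input == 'metadata':
			_dump(result['peinfo']['metadata'])

		# Strings
		elif user_input == 'strings':
			_open_submenu('strings')
			while True:
				choice = autocomplete.get_result(
					cmd_list_select['strings'], "[peframe/strings]>")
				if choice == 'back':
					break
				elif choice == 'list':
					for name in cmd_list_select['strings']:
						print(name)
				elif choice in cmd_list_select['strings']:
					_dump(result['strings'][choice])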