Exemple #1
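def analyze(filename):
	"""Build the PEframe report dictionary for *filename*.

	Every sample gets the generic facts (version, type, size, hashes, the
	VirusTotal lookup keyed on the md5 and the string matches).  PE files
	additionally get a populated ``peinfo`` section plus the PE yara plugin
	matches; any other file gets a ``docinfo`` section from the macro scanner
	plus the document yara plugin matches.  ``time`` is the wall-clock
	duration of the run.

	Args:
		filename: path to the sample to analyze.

	Returns:
		dict with the keys described above.
	"""
	if not isfile(filename):
		# Kept as in the original: aborts the process instead of raising.
		exit("File not found")

	dt_start = get_datetime_now()

	# Hash the file once; the original hashed it twice (report + VirusTotal).
	hashes = gethash(filename)
	# The strings signature file feeds both the string scan and, for PE
	# files, the API breakpoint check; load it once.
	stringsmatch = load_config(path_to_file('stringsmatch.json', 'signatures'))
	vt_config = load_config(
		path_to_file('config-peframe.json', 'config'))['virustotal']

	fileinfo = {
		"version": version(),
		"filename": filename,
		"filetype": filetype(filename),
		"filesize": filesize(filename),
		"hashes": hashes,
		"virustotal": virustotal.get_result(vt_config, hashes['md5']),
		"strings": fileurl.get_result(filename, stringsmatch),
		# Both sections exist for every file type; the one that does not
		# apply stays empty.
		"docinfo": {},
		"peinfo": {},
	}

	if ispe(filename):
		pe = pefile.PE(filename)
		fileinfo["peinfo"] = {
			"imphash": pe.get_imphash(),
			"timestamp": datetime.utcfromtimestamp(
				pe.FILE_HEADER.TimeDateStamp).strftime('%Y-%m-%d %H:%M:%S'),
			"dll": pe.FILE_HEADER.IMAGE_FILE_DLL,
			"imagebase": pe.OPTIONAL_HEADER.ImageBase,
			"entrypoint": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
			"behavior": yara_check.yara_match_from_file(
				path_to_file('antidebug_antivm.yar', 'signatures/yara_plugins/pe'),
				filename),
			"breakpoint": apialert.get_result(pe, stringsmatch['breakpoint']),
			"directories": directories.get(pe),
			"features": features.get_result(pe, filename),
			"sections": sections.get_result(pe),
			"metadata": meta.get(pe),
		}
		# The third argument presumably excludes the rule already reported
		# under "behavior" -- confirm against yara_check.yara_match_from_folder.
		fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
			path_to_file('pe', 'signatures/yara_plugins'), filename,
			['antidebug_antivm.yar'])
	else:
		fileinfo["docinfo"] = macro.get_result(filename)
		fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
			path_to_file('doc', 'signatures/yara_plugins'), filename)

	dt_end = get_datetime_now()
	fileinfo["time"] = str(dt_end - dt_start)

	return fileinfo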
Exemple #2
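def analyze(filename):
	"""Build the PEframe report dictionary for *filename*.

	Every sample gets the generic facts (version, type, size, hashes, the
	VirusTotal lookup keyed on the md5 and the string matches).  PE files
	additionally get a populated ``peinfo`` section plus the PE yara plugin
	matches; any other file gets a ``docinfo`` section from the macro scanner
	plus the document yara plugin matches.  ``time`` is the wall-clock
	duration of the run.

	Args:
		filename: path to the sample to analyze.

	Returns:
		dict with the keys described above.
	"""
	if not isfile(filename):
		# Kept as in the original: aborts the process instead of raising.
		exit("File not found")

	dt_start = get_datetime_now()

	# Hash the file once; the original hashed it twice (report + VirusTotal).
	hashes = gethash(filename)
	# The strings signature file feeds both the string scan and, for PE
	# files, the API breakpoint check; load it once.
	stringsmatch = load_config(path_to_file('stringsmatch.json', 'signatures'))
	vt_config = load_config(
		path_to_file('config-peframe.json', 'config'))['virustotal']

	fileinfo = {
		"version": version(),
		"filename": filename,
		"filetype": filetype(filename),
		"filesize": filesize(filename),
		"hashes": hashes,
		"virustotal": virustotal.get_result(vt_config, hashes['md5']),
		"strings": fileurl.get_result(filename, stringsmatch),
		# Both sections exist for every file type; the one that does not
		# apply stays empty.
		"docinfo": {},
		"peinfo": {},
	}

	if ispe(filename):
		pe = pefile.PE(filename)
		fileinfo["peinfo"] = {
			"imphash": pe.get_imphash(),
			"timestamp": datetime.utcfromtimestamp(
				pe.FILE_HEADER.TimeDateStamp).strftime('%Y-%m-%d %H:%M:%S'),
			"dll": pe.FILE_HEADER.IMAGE_FILE_DLL,
			"imagebase": pe.OPTIONAL_HEADER.ImageBase,
			"entrypoint": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
			"behavior": yara_check.yara_match_from_file(
				path_to_file('antidebug_antivm.yar', 'signatures/yara_plugins/pe'),
				filename),
			"breakpoint": apialert.get_result(pe, stringsmatch['breakpoint']),
			"directories": directories.get(pe),
			"features": features.get_result(pe, filename),
			"sections": sections.get_result(pe),
			"metadata": meta.get(pe),
		}
		# The third argument presumably excludes the rule already reported
		# under "behavior" -- confirm against yara_check.yara_match_from_folder.
		fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
			path_to_file('pe', 'signatures/yara_plugins'), filename,
			['antidebug_antivm.yar'])
	else:
		fileinfo["docinfo"] = macro.get_result(filename)
		fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
			path_to_file('doc', 'signatures/yara_plugins'), filename)

	dt_end = get_datetime_now()
	fileinfo["time"] = str(dt_end - dt_start)

	return fileinfo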
Exemple #3
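def analyze(filename):
    """Build the flat PEframe report dictionary for *filename*.

    Every sample gets the generic facts (version, type, size, md5/sha1/sha256).
    PE files additionally get header, feature, section, string, directory and
    yara-plugin details flattened into the same dictionary; any other file
    gets ``docinfo`` from the macro scanner and the document yara plugins.
    ``time`` is the wall-clock duration of the analysis.

    Args:
        filename: path to the sample to analyze.

    Returns:
        dict with the keys described above.
    """
    if not isfile(filename):
        # Kept as in the original: aborts the process instead of raising.
        exit("File not found")

    dt_start = get_datetime_now()

    hashes = gethash(filename)
    fileinfo = {
        "version": version(),
        "filename": filename,
        "filetype": filetype(filename),
        "filesize": filesize(filename),
        "md5": hashes["md5"],
        "sha1": hashes["sha1"],
        "sha256": hashes["sha256"],
    }

    # Run before the PE branch as in the original, even though only the PE
    # report uses the result (nucleus.analysis may have side effects -- confirm).
    function_size_list = nucleus.analysis(filename)

    if ispe(filename):
        pe = pefile.PE(filename)
        # The strings signature file feeds both the API breakpoint check and
        # the string scan; the original loaded it twice.
        stringsmatch = load_config(path_to_file('stringsmatch.json', 'signatures'))
        fileinfo.update(_pe_report(pe, filename, stringsmatch, function_size_list))
    else:
        fileinfo["docinfo"] = macro.get_result(filename)
        fileinfo["yara_plugins"] = yara_check.yara_match_from_folder(
            path_to_file('doc', 'signatures/yara_plugins'), filename)

    dt_end = get_datetime_now()
    fileinfo["time"] = str(dt_end - dt_start)

    # The reserved DOS header fields only exist on the PE path (presumably
    # added by headers.get_dos_header -- confirm); the original `del` raised
    # KeyError for every non-PE sample, so drop them only when present.
    fileinfo.pop("e_res", None)
    fileinfo.pop("e_res2", None)
    return fileinfo


def _pe_report(pe, filename, stringsmatch, function_size_list):
    """Collect the PE-specific part of the report as one flat dict.

    Keys are inserted in the same sequence as the original chain of
    ``fileinfo.update`` calls so the merged report keeps its key order.

    Args:
        pe: parsed ``pefile.PE`` instance.
        filename: path of the sample (needed by the yara and feature checks).
        stringsmatch: parsed ``stringsmatch.json`` signature config.
        function_size_list: result of ``nucleus.analysis`` for the sample.

    Returns:
        dict to merge into the report.
    """
    report = {
        "imphash": pe.get_imphash(),
        "timestamp": datetime.utcfromtimestamp(
            pe.FILE_HEADER.TimeDateStamp).strftime('%Y-%m-%d %H:%M:%S'),
        "dll": pe.FILE_HEADER.IMAGE_FILE_DLL,
        "imagebase": pe.OPTIONAL_HEADER.ImageBase,
        "entrypoint": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
        "behavior": yara_check.yara_match_from_file(
            path_to_file('antidebug_antivm.yar', 'signatures/yara_plugins/pe'),
            filename),
        "breakpoint": apialert.get_result(pe, stringsmatch['breakpoint']),
        "metadata": meta.get(pe),
        "function_size": function_size_list,
    }

    # Header and feature dicts are flattened straight into the report.
    report.update(headers.get_dos_header(pe))
    report.update(headers.get_file_header(pe))
    report.update(headers.get_optional_header(pe))
    report.update(features.get_result(pe, filename))

    sections_dict = sections.get_result(pe)
    report["section_count"] = sections_dict["count"]
    report["section_details"] = sections_dict["details"]

    strings_dict = fileurl.get_result(filename, stringsmatch)
    report.update({
        "string_file": strings_dict["file"],
        "string_url": strings_dict["url"],
        "string_ip": strings_dict["ip"],
        "string_fuzzing": strings_dict["fuzzing"],
        "string_dump": strings_dict["dump"],
        "string_count": strings_dict["string_count"],
    })

    directories_dict = directories.get(pe)
    report.update({
        "import": directories_dict["import"],
        "export": _export_records(directories_dict["export"]),
        "debug": directories_dict["debug"],
        "tls": directories_dict["tls"],
        "resources": directories_dict["resources"],
        "relocations": directories_dict["relocations"],
        "sign": directories_dict["sign"],
    })

    # The third argument presumably excludes the rule already reported under
    # "behavior" -- confirm against yara_check.yara_match_from_folder.
    report["yara_plugins"] = yara_check.yara_match_from_folder(
        path_to_file('pe', 'signatures/yara_plugins'), filename,
        ['antidebug_antivm.yar'])
    return report


def _export_records(export_entries):
    """Return the export table as a list of row dicts with ``str`` names.

    The ``function`` column may hold bytes (the original decoded every
    non-str value); it is decoded to ``str`` so the report serialises
    cleanly.  Undecodable bytes from a malformed export table are replaced
    rather than aborting the whole analysis with UnicodeDecodeError.

    Args:
        export_entries: the ``export`` entry of ``directories.get``.

    Returns:
        list of dicts, one per export row (empty when there are none).
    """
    export_df = pd.DataFrame(export_entries)
    if not export_df.empty:
        export_df["function"] = export_df["function"].apply(
            lambda x: x if isinstance(x, str) else x.decode("utf-8", errors="replace"))
    return export_df.to_dict('records')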