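def get_pe_fileinfo(pe, filename):
    """Run every static scanner on a parsed PE file and return the report as JSON.

    Args:
        pe: parsed PE object (pefile-style). Only ``FILE_HEADER`` fields are read
            directly here; the object is otherwise handed to the per-feature
            ``*.get()`` helpers.
        filename: on-disk path of the sample. Passed to the helpers that re-read
            the raw bytes (hashing, XOR / anti-VM scans, file/URL extraction).

    Returns:
        A pretty-printed JSON string (``indent=4``). ``pe_info.detected`` lists
        which heuristic groups fired: ``sign``, ``packer``, ``mutex``,
        ``antidbg``, ``xor``, ``antivm``.

    Notes:
        ``ftype``, ``fname``, ``fsize``, ``userdb`` and ``strings_match`` are not
        parameters -- they are read from module scope and must be set by the
        caller before this runs.
    """
    # is dll?
    dll = pe.FILE_HEADER.IMAGE_FILE_DLL
    # num sections
    nsec = pe.FILE_HEADER.NumberOfSections

    # Compile timestamp. TimeDateStamp is attacker-controlled and is often zero,
    # forged or out of range, so a failed conversion must not abort the whole
    # report -- fall back to the raw value. Only the conversion errors are
    # caught; the original bare ``except:`` also swallowed KeyboardInterrupt
    # and genuine bugs.
    tstamp = pe.FILE_HEADER.TimeDateStamp
    try:
        # NOTE(review): fromtimestamp() renders in the host's local timezone, so
        # reports from different analyst machines disagree on compile_time. UTC
        # would be the safer choice but changes the emitted string; left as-is.
        tsdate = datetime.datetime.fromtimestamp(tstamp)
    except (ValueError, OverflowError, OSError):
        tsdate = str(tstamp) + " [Invalid date]"

    # get md5, sha1, sha256, imphash
    md5, sha1, sha256, imphash = get_hash(filename)
    hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}

    detected = []

    # directory list
    dirlist = directories.get(pe)

    # digital signature: this only records that a "security" directory entry
    # exists. Nothing in this function verifies the signature; treat "sign" as
    # "has a signature blob", not "is validly signed".
    if "security" in dirlist:
        detected.append("sign")

    # packer (peid)
    packer = peid.get(pe, userdb)
    if packer:
        detected.append("packer")

    # mutex and anti-debug scanners are run once and the results reused in the
    # report below (the original invoked each scanner a second time when
    # building the dict; assumes the scanners are deterministic).
    mutex = apimutex.get(pe, strings_match)
    if mutex:
        detected.append("mutex")

    antidbg = apiantidbg.get(pe, strings_match)
    if antidbg:
        detected.append("antidbg")

    # Xor
    xorcheck = xor.get(filename)
    if xorcheck:
        detected.append("xor")

    # anti virtual machine
    antivirtualmachine = antivm.get(filename)
    if antivirtualmachine:
        detected.append("antivm")

    # api alert suspicious
    apialert_info = apialert.get(pe, strings_match)

    # file and url
    fileurl_info = fileurl.get(filename, strings_match)
    file_info = fileurl_info["file"]
    url_info = fileurl_info["url"]
    ip_info = fileurl_info["ip"]
    fuzzing_info = fileurl_info["fuzzing"]

    # meta info
    meta_info = meta.get(pe)

    # import / export functions
    import_function = funcimport.get(pe)
    export_function = funcexport.get(pe)

    # sections / resources
    sections_info = sections.get(pe)
    resources_info = resources.get(pe)

    # virustotal -- NOTE(review): presumably a lookup against a third-party
    # service keyed by the sample's md5. Even a hash-only query discloses to
    # that service that this sample is being analysed (an OPSEC leak during
    # sensitive investigations) and adds a network dependency; confirm it is
    # gated by configuration before running on such samples.
    virustotal_info = virustotal.get(md5, strings_match)

    # return as JSON (key order below is the report's documented layout)
    return json.dumps(
        {
            "peframe_ver": help.VERSION,
            "file_type": ftype,
            "file_name": fname,
            "file_size": fsize,
            "hash": hash_info,
            "file_found": file_info,
            "url_found": url_info,
            "ip_found": ip_info,
            "virustotal": virustotal_info,
            "fuzzing": fuzzing_info,
            "pe_info": {
                "import_hash": imphash,
                "compile_time": str(tsdate),
                "dll": dll,
                "sections_number": nsec,
                "xor_info": xorcheck,
                "detected": detected,
                "directories": dirlist,
                "sign_info": cert.get(pe),
                "packer_info": packer,
                "antidbg_info": antidbg,
                "mutex_info": mutex,
                "antivm_info": antivirtualmachine,
                "apialert_info": apialert_info,
                "meta_info": meta_info,
                "import_function": import_function,
                "export_function": export_function,
                "sections_info": sections_info,
                "resources_info": resources_info,
            },
        },
        indent=4,
        separators=(',', ': '),
    )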
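def get_pe_fileinfo(pe, filename):
    """Run every static scanner on a parsed PE file and return the report as JSON.

    Args:
        pe: parsed PE object (pefile-style). Only ``FILE_HEADER`` fields are read
            directly here; the object is otherwise handed to the per-feature
            ``*.get()`` helpers.
        filename: on-disk path of the sample. Passed to the helpers that re-read
            the raw bytes (hashing, XOR / anti-VM scans, file/URL extraction).

    Returns:
        A pretty-printed JSON string (``indent=4``). ``pe_info.detected`` lists
        which heuristic groups fired: ``sign``, ``packer``, ``mutex``,
        ``antidbg``, ``xor``, ``antivm``.

    Notes:
        ``ftype``, ``fname``, ``fsize``, ``userdb`` and ``strings_match`` are not
        parameters -- they are read from module scope and must be set by the
        caller before this runs.
    """
    # is dll?
    dll = pe.FILE_HEADER.IMAGE_FILE_DLL
    # num sections
    nsec = pe.FILE_HEADER.NumberOfSections

    # Compile timestamp. TimeDateStamp is attacker-controlled and is often zero,
    # forged or out of range, so a failed conversion must not abort the whole
    # report -- fall back to the raw value. Only the conversion errors are
    # caught; the original bare ``except:`` also swallowed KeyboardInterrupt
    # and genuine bugs.
    tstamp = pe.FILE_HEADER.TimeDateStamp
    try:
        # NOTE(review): fromtimestamp() renders in the host's local timezone, so
        # reports from different analyst machines disagree on compile_time. UTC
        # would be the safer choice but changes the emitted string; left as-is.
        tsdate = datetime.datetime.fromtimestamp(tstamp)
    except (ValueError, OverflowError, OSError):
        tsdate = str(tstamp) + " [Invalid date]"

    # get md5, sha1, sha256, imphash
    md5, sha1, sha256, imphash = get_hash(filename)
    hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}

    detected = []

    # directory list
    dirlist = directories.get(pe)

    # digital signature: this only records that a "security" directory entry
    # exists. Nothing in this function verifies the signature; treat "sign" as
    # "has a signature blob", not "is validly signed".
    if "security" in dirlist:
        detected.append("sign")

    # packer (peid)
    packer = peid.get(pe, userdb)
    if packer:
        detected.append("packer")

    # mutex and anti-debug scanners are run once and the results reused in the
    # report below (the original invoked each scanner a second time when
    # building the dict; assumes the scanners are deterministic).
    mutex = apimutex.get(pe, strings_match)
    if mutex:
        detected.append("mutex")

    antidbg = apiantidbg.get(pe, strings_match)
    if antidbg:
        detected.append("antidbg")

    # Xor
    xorcheck = xor.get(filename)
    if xorcheck:
        detected.append("xor")

    # anti virtual machine
    antivirtualmachine = antivm.get(filename)
    if antivirtualmachine:
        detected.append("antivm")

    # api alert suspicious
    apialert_info = apialert.get(pe, strings_match)

    # file and url
    fileurl_info = fileurl.get(filename, strings_match)
    file_info = fileurl_info["file"]
    url_info = fileurl_info["url"]
    ip_info = fileurl_info["ip"]
    fuzzing_info = fileurl_info["fuzzing"]

    # meta info
    meta_info = meta.get(pe)

    # import / export functions
    import_function = funcimport.get(pe)
    export_function = funcexport.get(pe)

    # sections / resources
    sections_info = sections.get(pe)
    resources_info = resources.get(pe)

    # virustotal -- NOTE(review): presumably a lookup against a third-party
    # service keyed by the sample's md5. Even a hash-only query discloses to
    # that service that this sample is being analysed (an OPSEC leak during
    # sensitive investigations) and adds a network dependency; confirm it is
    # gated by configuration before running on such samples.
    virustotal_info = virustotal.get(md5, strings_match)

    # key order below is the report's documented layout
    return json.dumps(
        {
            "peframe_ver": help.VERSION,
            "file_type": ftype,
            "file_name": fname,
            "file_size": fsize,
            "hash": hash_info,
            "file_found": file_info,
            "url_found": url_info,
            "ip_found": ip_info,
            "virustotal": virustotal_info,
            "fuzzing": fuzzing_info,
            "pe_info": {
                "import_hash": imphash,
                "compile_time": str(tsdate),
                "dll": dll,
                "sections_number": nsec,
                "xor_info": xorcheck,
                "detected": detected,
                "directories": dirlist,
                "sign_info": cert.get(pe),
                "packer_info": packer,
                "antidbg_info": antidbg,
                "mutex_info": mutex,
                "antivm_info": antivirtualmachine,
                "apialert_info": apialert_info,
                "meta_info": meta_info,
                "import_function": import_function,
                "export_function": export_function,
                "sections_info": sections_info,
                "resources_info": resources_info,
            },
        },
        indent=4,
        separators=(',', ': '),
    )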