 def process(self, data):
     """Return the import hash (imphash) of the PE image held in ``data``.

     The image is loaded with ``fast_load`` and only the import directory
     is parsed, which is the only directory this hash is built from.

     Returns the hash as text encoded with ``self.codec`` when
     ``self.args.text`` is set, otherwise as the raw digest bytes.
     Raises ``ValueError`` when the image has no import directory.
     """
     image = PE(data=data, fast_load=True)
     image.parse_data_directories(directories=[IMAGE_DIRECTORY_ENTRY_IMPORT])
     imphash = image.get_imphash()
     if not imphash:
         raise ValueError('no import directory.')
     if self.args.text:
         return imphash.encode(self.codec)
     return bytes.fromhex(imphash)
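 def analyze(self,data):
     '''
     start analyzing exe logic, add descriptions and get words and wordsstripped from the file

     Fills ``data["PE"]`` (a deep copy of ``self.datastruct``) and
     ``data["ICONS"]`` from the file at ``data["Location"]["File"]``, then
     attaches descriptions to the imported functions, DLLs, sections and
     resources and runs the word extraction on the file.

     The entry-point section may be missing or unreadable in a malformed
     sample; in that case the signature bytes and the section name keep
     the "UnKnown" marker instead of aborting the whole analysis.
     '''
     data["PE"] = deepcopy(self.datastruct)
     data["ICONS"] = {"ICONS":[]}
     pe = PE(data["Location"]["File"])
     ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint
     # find_entry_point_function presumably returns None when no section
     # contains ep -- TODO confirm against the helper
     section = self.find_entry_point_function(pe,ep)
     singinhex = "UnKnown"
     section_name = "UnKnown"
     if section is not None:
         try:
             sig = section.get_data(ep, 12)
             singinhex = "".join("{:02x}".format(x) for x in sig)
         except Exception:
             # best effort: a truncated section keeps the default marker
             pass
         section_name = section.Name.decode("utf-8",errors="ignore").strip("\00")
     # ask pefile for its warnings once instead of twice
     warnings = pe.get_warnings()
     data["PE"]["General"] = {   "PE Type" : self.what_type(pe),
                                 "Entrypoint": ep,
                                 "Entrypoint Section": section_name,
                                 "Header checksum": hex(pe.OPTIONAL_HEADER.CheckSum),
                                 "Verify checksum": hex(pe.generate_checksum()),
                                 "Match checksum":pe.verify_checksum(),
                                 "Sig":singinhex,
                                 "imphash":pe.get_imphash(),
                                 "warning":warnings if len(warnings) > 0 else "None",
                                 # NOTE(review): rendered in host-local time; the header
                                 # field is an epoch value, so a UTC rendering would make
                                 # reports comparable across hosts -- confirm before changing
                                 "Timestamp":datetime.fromtimestamp(pe.FILE_HEADER.TimeDateStamp).strftime('%Y-%m-%d %H:%M:%S')}
     data["PE"]["Characteristics"] = self.get_characteristics(pe)
     data["PE"]["Singed"],data["PE"]["SignatureExtracted"] = self.check_if_singed(pe)
     data["PE"]["Stringfileinfo"] = self.get_string_file_info(pe)
     data["PE"]["Sections"] = self.get_sections(pe)
     data["PE"]["Dlls"] = self.get_dlls(pe)
     data["PE"]["Resources"],data["PE"]["Manifest"],data["ICONS"]["ICONS"] = self.get_recourse(pe)
     data["PE"]["Imported functions"] = self.get_imported_functions(pe)
     data["PE"]["Exported functions"] = self.get_exported_functions(pe)
     # enrich the collected names with descriptions from the lookup tables
     add_description("WinApis",data["PE"]["Imported functions"],"Function")
     add_description("ManHelp",data["PE"]["Imported functions"],"Function")
     add_description("WinDlls",data["PE"]["Dlls"],"Dll")
     add_description("WinSections",data["PE"]["Sections"],"Section")
     add_description("WinResources",data["PE"]["Resources"],"Resource")
     get_words(data,data["Location"]["File"])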
 def _algorithm(self, data):
     """Compute the imphash of the PE image in ``data`` as raw bytes.

     Only the import directory is parsed (``fast_load`` plus an explicit
     directory list). Raises ``ValueError`` when the image has no import
     directory and therefore no hash.
     """
     image = PE(data=data, fast_load=True)
     image.parse_data_directories(directories=[IMAGE_DIRECTORY_ENTRY_IMPORT])
     digest = image.get_imphash()
     if digest:
         return bytes.fromhex(digest)
     raise ValueError('no import directory.')
    def _add_pe_info(self):
        """Record PE-derived properties for the buffered file content.

        Parses ``self._content`` as a PE image, delegates the version-info
        fields to ``_add_vs_info`` and stores the imphash and the
        compilation timestamp (``FILE_HEADER.TimeDateStamp`` rendered as a
        naive UTC ISO 8601 string) under the ``pe`` property group.
        """
        image = PE(data=self._content)
        self._add_vs_info(image)

        imphash = image.get_imphash()
        self._add_file_property('pe', 'imphash', imphash)

        built_at = datetime.utcfromtimestamp(image.FILE_HEADER.TimeDateStamp)
        self._add_file_property('pe', 'compilation', built_at.isoformat())
0
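    def get_imphash(self, pe: "pefile.PE") -> "str | None":
        """Gets imphash.
        @return: imphash string or None.

        ``None`` is returned when no PE object was given, when pefile
        raises ``AttributeError`` (the import directory was never parsed),
        and when the hash comes back empty -- pefile may report a missing
        import directory as "" rather than raising, so that case is
        normalised here and callers only have to check for ``None``.
        """
        if not pe:
            return None

        try:
            imphash = pe.get_imphash()
        except AttributeError:
            return None
        # "" carries no identifying value; treat it like a missing hash
        return imphash or None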
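 def analyze(self, data):
     '''
     start analyzing exe logic, add descriptions and get words and wordsstripped from the file

     Fills ``data["PE"]`` (a deep copy of ``self.datastruct``) and
     ``data["ICONS"]`` from the file at ``data["Location"]["File"]``, then
     attaches descriptions to the imported functions, DLLs, sections and
     resources and runs the word extraction on the file.

     Entry-point details (signature bytes, their disassembly and the
     section name) are best effort: any failure leaves the "UnKnown"
     marker in place rather than aborting the analysis of the sample.
     '''
     data["PE"] = deepcopy(self.datastruct)
     data["ICONS"] = {"ICONS": []}
     pe_info = PE(data["Location"]["File"])
     ep_info = pe_info.OPTIONAL_HEADER.AddressOfEntryPoint
     section = self.find_entry_point_function(pe_info, ep_info)
     singinhex = "UnKnown"
     en_section_name = "UnKnown"
     sig_instructions = "UnKnown"
     with ignore_excpetion(Exception):
         sig = section.get_data(ep_info, 52)
         singinhex = "".join("{:02x}".format(x) for x in sig)
         # r2open is presumably r2pipe.open -- the pipe must be released
         # even when the disassembly below fails, otherwise every analysed
         # sample leaves a pipe behind (quit() assumed available)
         r2p = r2open("-", flags=['-2'])
         try:
             # bound the analysis time; the input is an untrusted sample
             r2p.cmd("e anal.timeout = 5")
             temp_sig_instructions = r2p.cmd(
                 "pad {}".format(singinhex)).split("\n")[:8]
             sig_instructions = "\n".join(temp_sig_instructions)
         finally:
             r2p.quit()
     with ignore_excpetion(Exception):
         en_section_name = section.Name.decode("utf-8",
                                               errors="ignore").strip("\00")
     # ask pefile for its warnings once instead of twice
     warnings = pe_info.get_warnings()
     data["PE"]["General"] = {
         "PE Type":
         self.what_type(pe_info),
         "Entrypoint":
         ep_info,
         "Entrypoint Section":
         en_section_name,
         "Header checksum":
         hex(pe_info.OPTIONAL_HEADER.CheckSum),
         "Verify checksum":
         hex(pe_info.generate_checksum()),
         "Match checksum":
         pe_info.verify_checksum(),
         "Sig":
         singinhex,
         "imphash":
         pe_info.get_imphash(),
         "warning":
         warnings if len(warnings) > 0 else "None",
         # NOTE(review): rendered in host-local time; a UTC rendering would
         # make reports comparable across hosts -- confirm before changing
         "Timestamp":
         datetime.fromtimestamp(pe_info.FILE_HEADER.TimeDateStamp).strftime(
             '%Y-%m-%d %H:%M:%S')
     }
     data["PE"]["Characteristics"] = self.get_characteristics(pe_info)
     data["PE"]["Singed"], data["PE"][
         "SignatureExtracted"] = self.check_if_singed(pe_info)
     data["PE"]["Stringfileinfo"] = self.get_string_file_info(pe_info)
     data["PE"]["Sections"] = self.get_sections(pe_info)
     data["PE"]["Dlls"] = self.get_dlls(pe_info)
     data["PE"]["Resources"], data["PE"]["Manifest"], data["ICONS"][
         "ICONS"] = self.get_recourse(pe_info)
     data["PE"]["Imported functions"] = self.get_imported_functions(pe_info)
     data["PE"]["Exported functions"] = self.get_exported_functions(pe_info)
     data["PE"]["Entrypoint"] = sig_instructions
     # enrich the collected names with descriptions from the lookup tables
     add_description("WinApis", data["PE"]["Imported functions"],
                     "Function")
     add_description("ManHelp", data["PE"]["Imported functions"],
                     "Function")
     add_description("WinDlls", data["PE"]["Dlls"], "Dll")
     add_description("WinSections", data["PE"]["Sections"], "Section")
     add_description("WinResources", data["PE"]["Resources"], "Resource")
     get_words(data, data["Location"]["File"])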