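def check_file(self, filename):
    """Analyse one executable sample and compare its program stats with the stored ones.

    Args:
        filename: path of the sample handed to CPyew.loadFile.

    Raises:
        Exception: when CPyew cannot load the file; the message carries the
            text of the underlying error.

    Side effects: sets ``self.current_file``; prints an [OK]/[FAILED] line per
    sample on stdout; writes an [INFO] line to stderr and returns early for
    formats other than PE/ELF/BOOT/BIOS; calls ``self.check_or_update`` and,
    on failure, ``self.show_reason``.
    """
    self.current_file = filename
    pyew = CPyew(batch=True, plugins=True)
    pyew.codeanalysis = True
    pyew.deepcodeanalysis = self.deep
    try:
        pyew.loadFile(filename)
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit still
        # propagate; sys.exc_info() keeps the original message wording.
        raise Exception("Error loading file: %s" % str(sys.exc_info()[1]))
    if pyew.format not in ["PE", "ELF", "BOOT", "BIOS"]:
        sys.stderr.write("[INFO] Ignoring non supported executable file\n")
        sys.stderr.flush()
        return
    program_stats = pyew.program_stats
    # MD5 of the loaded buffer appears to be the key under which stats are
    # stored (see check_or_update); it is an identifier, not an integrity
    # guarantee, and switching digests would orphan existing records.
    md5_hash = md5(pyew.getBuffer()).hexdigest()
    if self.check_or_update(md5_hash, program_stats):
        print "[OK] Test %s (%s)" % (filename, md5_hash)
    else:
        msg = "[FAILED] *** Test %s (%s)"
        print msg % (filename, md5_hash)
        self.show_reason(program_stats)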
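def checkMebroot(path):
    """Report *path* through printData when it matches the Mebroot downloader marker.

    The test is a single comparison of the 6 bytes at PE offset 0xB8.
    Non-PE files and non-matching files are skipped silently; a load error
    is printed and skipped so a scan over many samples keeps going.

    Args:
        path: file handed to CPyew.loadFile.
    """
    pyew = CPyew(batch=True)
    pyew.codeanalysis = True
    try:
        pyew.loadFile(path)
    except Exception:
        # Narrowed from a bare except: a Ctrl-C during loading used to be
        # reported as a load error and the scan carried on.
        print "ERROR loading file %s" % path
        return
    if pyew.format != "PE":
        return
    # Get 6 bytes at offset 0xB8
    if pyew.getBytes(0xB8, 6) != "Rich;\x2E":
        return
    printData(pyew, path, "Mebroot downloader")
    print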
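def entryPointCalls(path):
    """Print the imported functions targeted by CALL/Jcc/LOOP within the first
    100 instructions at the entry point of a PE file.

    Args:
        path: file handed to CPyew.loadFile.

    Side effects: prints "Abort" and exits on Ctrl-C; prints and skips the
    file on a load error; prints nothing when no library call is found.
    """
    pyew = CPyew(batch=True)
    pyew.codeanalysis = True
    try:
        pyew.loadFile(path)
    except KeyboardInterrupt:
        print "Abort"
        sys.exit(0)
    except Exception:
        print "ERROR loading file %s" % path
        return
    if pyew.format != "PE":
        return
    calls = []
    # Get the disassembly of the first 100 lines
    l = pyew.disasm(pyew.ep, processor=pyew.processor, type=pyew.type,
                    lines=100, bsize=1600)
    for i in l:
        mnem = str(i.mnemonic)
        # Is it a direct or indirect jump or call?
        if mnem == "CALL" or mnem.startswith(("J", "LOOP")):
            operands = str(i.operands).replace("[", "").replace("]", "")
            try:
                target = int(operands, 16)
            except ValueError:
                # Register or memory-expression operand, not a literal address.
                continue
            # Only the exact failure we expect is swallowed now; the old
            # bare except also hid lookup errors in pyew.imports.
            if target in pyew.imports:
                x = pyew.imports[target]
                if x not in calls:
                    calls.append(x)
    if calls:
        printData(pyew, path, "Library calls at Entry Point")
        print "Library Calls:", ",".join(calls)
        print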
def checkAntidebug(path):
    """Print the anti-debugging findings CPyew collected for a PE or ELF file.

    Prints the findings via printData followed by the elapsed analysis time.
    Other formats print nothing; a load error is printed and the file
    skipped; Ctrl-C prints "Abort" and exits the process.

    Args:
        path: file handed to CPyew.loadFile.
    """
    started = time.time()
    pyew = CPyew(batch=True)
    pyew.codeanalysis = True
    try:
        pyew.loadFile(path)
    except KeyboardInterrupt:
        print "Abort"
        sys.exit(0)
    except:
        print "ERROR loading file %s" % path
        return
    supported = pyew.format in ("PE", "ELF")
    if not supported or len(pyew.antidebug) == 0:
        return
    print
    printData(pyew, path, pyew.antidebug)
    print "Time to analyze %f" % (time.time() - started)
    print
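def checkMnemonics(path):
    """Print the uncommon mnemonics among the first 30 instructions at the
    entry point of a PE file, followed by a hexdump of the entry point.

    Args:
        path: file handed to CPyew.loadFile.

    Side effects: prints "ERROR loading file" / "ERROR scanning file" and
    skips the sample when loading or GetMnems fails; prints nothing for
    non-PE files or when every mnemonic is a common one.
    """
    pyew = CPyew(batch=True)
    pyew.codeanalysis = True
    try:
        pyew.loadFile(path)
    except Exception:
        # Narrowed from a bare except so Ctrl-C stops the scan.
        print "ERROR loading file %s" % path
        return
    # Is it a PE file?
    if pyew.format != "PE":
        return
    # The most common x86 mnemonics; a frozenset gives O(1) membership tests
    commons = frozenset([
        "PUSH", "MOV", "SUB", "ADD", "LEA", "CALL", "JMP", "JZ", "JNZ",
        "OR", "XOR", "NOT", "POP", "AND", "TEST", "JL", "JG", "JE",
        "JLE", "CMP", "LEAVE", "RET", "NOP", "PUSHF", "POPF", "INC",
        "INT 3", "DEC", "PUSHA", "POPA",
    ])
    try:
        # Get the 30 first mnemonics
        mnems = pyew.GetMnems(pyew.ep, 30)
    except Exception:
        print "ERROR scanning file %s" % path
        return
    # Order-preserving de-duplication of whatever is not in commons
    uncommon = []
    for x in mnems:
        if x not in commons and x not in uncommon:
            uncommon.append(x)
    if uncommon:
        printData(pyew, path, "Uncommon mnemonics")
        print "Mnemonics:", ",".join(uncommon)
        print
        # Seek to the entry point
        pyew.seek(pyew.ep)
        # Hexdump the first 64 bytes at the entry point
        # (kept inside the report block; the original indentation was lost,
        # this reading assumes the dump belongs to the finding - confirm)
        print pyew.hexdump(pyew.buf, length=16, bsize=64)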
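def analyse(self, path):
    """Analyse one sample with CPyew and store its call-graph signature in the DB.

    Args:
        path: file to analyse.

    Returns:
        ANALYSIS_ALREADY when a sample with the same SHA-1 is already stored;
        ANALYSIS_FAILED when loading raised, was interrupted, or the format is
        not one of PE/ELF/bootsector/PDF/OLE2; ANALYSIS_SUCCESS otherwise.

    Side effects: log() lines for each outcome and one row inserted into the
    "samples" table.
    """
    filename = path
    t = time.time()
    # Read the whole sample once and close the handle (the original leaked it).
    with open(filename, "rb") as fd:
        buf = fd.read()
    # SHA-1 serves only as the de-duplication key for the DB, not as a
    # security boundary.
    sha1_hash = sha1(buf).hexdigest()
    if self.file_exists(sha1_hash):
        log("Already existing file %s..." % sha1_hash)
        return ANALYSIS_ALREADY

    pyew = CPyew(batch=True)
    pyew.analysis_timeout = 300
    pyew.codeanalysis = True
    pyew.deepcodeanalysis = True
    try:
        pyew.loadFile(path)
    except KeyboardInterrupt:
        log("Abort")
        return ANALYSIS_FAILED
    except Exception:
        log("ERROR loading file %s" % path)
        return ANALYSIS_FAILED

    # Same acceptance set as the original's two nested checks.
    if pyew.format not in ["PE", "ELF", "bootsector", "PDF", "OLE2"]:
        log("Not a known executable/document format")
        return ANALYSIS_FAILED

    primes = []
    total_functions = len(pyew.function_stats)
    # Defaults for a sample with no functions (e.g. a document): the original
    # never bound these names in that case and crashed on the format below.
    avg_nodes = avg_edges = avg_ccs = 0
    callgraph = 1  # empty product
    if total_functions > 0:
        nodes = []
        edges = []
        ccs = []
        for x in pyew.function_stats:
            stats = pyew.function_stats[x]
            nodes.append(stats[0])
            edges.append(stats[1])
            cc = stats[2]
            ccs.append(cc)
            prime = self.primes_table[cc]
            callgraph *= prime
            primes.append(prime)
        # Integer division kept as in the original (Python 2 semantics).
        avg_nodes = abs(sum(nodes) / total_functions)
        avg_edges = abs(sum(edges) / total_functions)
        avg_ccs = abs(sum(ccs) / total_functions)

    msg = "%d-%d-%d-%d" % (total_functions, avg_nodes, avg_edges, avg_ccs)
    log("File analysed %s, callgraph signature %s" % (msg, callgraph))
    log("Time to analyze %f" % (time.time() - t))

    callgraph = str(callgraph)
    primes = ",".join(map(str, primes))
    desc = self.get_description(buf)
    # analysis_date is a naive local-time string, as in the original.
    self.db.insert("samples", filename=filename, callgraph=callgraph,
                   hash=sha1_hash, total_functions=total_functions,
                   format=pyew.format, primes=primes, description=desc,
                   analysis_date=time.asctime())
    return ANALYSIS_SUCCESS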
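"""Load one sample with CPyew, print its anti-debug findings and run the
url, sc and packer plugins on it.

The sample path defaults to the original hard-coded location; a different
file may be given as the first command-line argument.
"""
import sys

from pyew_core import CPyew

DEFAULT_SAMPLE = '/home/versa/malware1'

path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SAMPLE

pyew = CPyew(batch=True)
pyew.codeanalysis = True
pyew.loadFile(path)
print pyew.antidebug
# Plugin return values are discarded, as in the original; presumably each
# plugin prints its own findings - confirm against pyew_core.
pyew.plugins["url"](pyew)
pyew.plugins["sc"](pyew)
pyew.plugins["packer"](pyew)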
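"""Write a whitelist of code offsets for one sample into a file named after
the sample's MD5 hex digest (in the current directory).

Usage: <script> <sample>

The whitelist holds every function start offset plus, for every CALL, the
offset of the following instruction (offset + size, i.e. the return
address). Each entry is written as "<decimal> - <hex>", one per line, after
a first line holding the sample path.
"""
import hashlib
import sys

from pyew_core import CPyew

pyew = CPyew(batch=True)
pyew.codeanalysis = True
pyew.deepcodeanalysis = True

path = sys.argv[1]
print path
# Read once and close the handle (the original left it open).
with open(path, 'rb') as sample:
    d = sample.read()
# MD5 is used only to name the output file; hex digits are safe as a filename.
md5 = hashlib.md5(d).hexdigest()

whitelist = set()
pyew.loadFile(path)
print 'loaded', len(pyew.functions), 'function'
for offset, function in pyew.functions.iteritems():
    whitelist.add(offset)
    for basic_block in function.basic_blocks:
        for instruction in basic_block.instructions:
            if instruction.mnemonic == 'CALL':
                # Return address of the CALL: the next instruction's offset.
                whitelist.add(int(instruction.offset + instruction.size))

# The context manager closes the file even if a write fails.
with open(md5, 'w') as out:
    out.write(path + '\n')
    for offset in sorted(whitelist):
        out.write('%d - %x\n' % (offset, offset))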