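def upx_unpack(self, file_data, CAPE_output):
    """Try to strip a UPX layer from the sample and process the result.

    Runs ``upx_harness`` on *file_data*; if the output still matches the
    CAPE ``UPX`` yara rule the unpack is treated as failed, the artefact is
    removed and nothing else happens. Otherwise the unpacked file is moved
    into ``self.CAPE_path`` and fed back through ``self.process_file`` so
    the payload is analysed in its own right. Always returns ``None``.

    Args:
        file_data: Sample handed to ``upx_harness`` unchanged.
        CAPE_output: Passed straight through to ``self.process_file``.
    """
    unpacked_file = upx_harness(file_data)
    if not unpacked_file or not os.path.exists(unpacked_file):
        return

    # A hit on the UPX rule means the harness did not actually unpack
    # anything. The original code unlinked the file here and then fell
    # through to shutil.move() on the path it had just deleted, so stop
    # right after the cleanup instead.
    still_packed = any(
        hit["name"] == "UPX"
        for hit in File(unpacked_file).get_yara(category="CAPE")
    )
    if still_packed:
        log.info("CAPE: Failed to unpack UPX")
        os.unlink(unpacked_file)
        return

    if not os.path.exists(self.CAPE_path):
        os.makedirs(self.CAPE_path)
    newname = os.path.join(self.CAPE_path, os.path.basename(unpacked_file))
    shutil.move(unpacked_file, newname)

    # Recursive process of unpacked file; guard against process_file
    # returning nothing rather than a result dict.
    upx_extract = self.process_file(newname, CAPE_output, True, {})
    if not upx_extract or not upx_extract["type"]:
        return

    upx_extract["cape_type"] = "UPX-extracted "
    type_strings = upx_extract["type"].split()
    if type_strings and type_strings[0] in ("PE32+", "PE32"):
        upx_extract["cape_type"] += pe_map[type_strings[0]]
        # The old test compared type_strings[2][0] (a single character)
        # with "(DLL)", which can never be true; compare the whole token
        # and tolerate short type strings.
        if len(type_strings) > 2 and type_strings[2] == "(DLL)":
            upx_extract["cape_type"] += "DLL"
        else:
            upx_extract["cape_type"] += "executable"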
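def upx_unpack(self, file_data):
    """Try to strip a UPX layer from the sample and process the result.

    Runs ``upx_harness`` on *file_data*; if the output still matches the
    CAPE ``UPX`` yara rule the unpack is treated as failed and the method
    stops without moving or re-processing the file. Otherwise the unpacked
    file is moved into ``self.CAPE_path`` and fed back through
    ``self.process_file`` so the payload is analysed in its own right.
    Always returns ``None``.

    Args:
        file_data: Sample handed to ``upx_harness`` unchanged.
    """
    unpacked_file = upx_harness(file_data)
    if not unpacked_file or not os.path.exists(unpacked_file):
        return

    # A hit on the UPX rule means the harness did not actually unpack
    # anything. The original code only logged and then went on to move
    # and process the still-packed file as "UPX-extracted"; bail out
    # instead. The harness output is deliberately left in place, as
    # before.
    still_packed = any(
        hit["name"] == "UPX"
        for hit in File(unpacked_file).get_yara(category="CAPE")
    )
    if still_packed:
        log.info("CAPE: Failed to unpack UPX")
        return

    if not os.path.exists(self.CAPE_path):
        os.makedirs(self.CAPE_path)
    newname = os.path.join(self.CAPE_path, os.path.basename(unpacked_file))
    shutil.move(unpacked_file, newname)

    # Recursive process of unpacked file; process_file may return nothing.
    upx_extract = self.process_file(newname, True, {})
    if not upx_extract or not upx_extract["type"]:
        return

    upx_extract["cape_type"] = "UPX-extracted "
    type_strings = upx_extract["type"].split()
    if type_strings and type_strings[0] in ("PE32+", "PE32"):
        upx_extract["cape_type"] += pe_map[type_strings[0]]
        # The old test compared type_strings[2][0] (a single character)
        # with "(DLL)", which can never be true; compare the whole token
        # and tolerate short type strings.
        if len(type_strings) > 2 and type_strings[2] == "(DLL)":
            upx_extract["cape_type"] += "DLL"
        else:
            upx_extract["cape_type"] += "executable"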