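def get_fileinfo(filename):
    """Build the JSON report for a sample that is not a PE file.

    Args:
        filename: path of the sample being analysed; handed to the strings,
            file/URL and hashing helpers.

    Returns:
        A 4-space-indented JSON string holding the generic file report.
        ``pe_info`` is always ``False`` on this path.
    """
    # The strings report is parsed for its side effects / validation only:
    # the original bound its "content" list to a local it never read.
    json.loads(stringstat.get(filename))

    # file names, URLs and IP addresses spotted among the extracted strings
    fileurl_info = fileurl.get(filename, strings_match)
    file_info = fileurl_info["file"]
    url_info = fileurl_info["url"]
    ip_info = fileurl_info["ip"]
    fuzzing_info = fileurl_info["fuzzing"]

    # NOTE(review): get_hash() is unpacked into three values here but into
    # four (md5, sha1, sha256, imphash) in get_pe_fileinfo — confirm the
    # helper's arity on the non-PE path.
    md5, sha1, sha256 = get_hash(filename)
    hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}

    # External lookup: the sample's MD5 is sent to VirusTotal.
    virustotal_info = virustotal.get(md5, strings_match)

    report = {
        "peframe_ver": help.VERSION,
        "file_type": ftype,
        "file_name": fname,
        "file_size": fsize,
        "hash": hash_info,
        "file_found": file_info,
        "url_found": url_info,
        "ip_found": ip_info,
        "virustotal": virustotal_info,
        "fuzzing": fuzzing_info,
        "pe_info": False,
    }
    # Return the report as JSON (comment translated from Korean).
    return json.dumps(report, indent=4, separators=(',', ': '))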
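def get_fileinfo(filename):
    """Return the generic (non-PE) analysis report for *filename* as JSON.

    Args:
        filename: path of the sample being analysed.

    Returns:
        A 4-space-indented JSON string; ``pe_info`` is ``False`` because
        no PE-specific analysis runs on this path.
    """
    # Parse the strings report for validation only — the original stored
    # its "content" in a local (all_strings) that was never used.
    json.loads(stringstat.get(filename))

    # Strings-derived indicators: file names, URLs, IPs and fuzzing hits.
    # The keys are read before the VirusTotal call so a malformed result
    # fails fast, exactly as the original did.
    found = fileurl.get(filename, strings_match)
    file_found = found["file"]
    url_found = found["url"]
    ip_found = found["ip"]
    fuzzing = found["fuzzing"]

    # NOTE(review): three-value unpack here vs. four (with imphash) in
    # get_pe_fileinfo — verify get_hash() really returns three values here.
    md5, sha1, sha256 = get_hash(filename)

    # External lookup keyed on the MD5 (the hash leaves the analysis host).
    virustotal_info = virustotal.get(md5, strings_match)

    report = {
        "peframe_ver": help.VERSION,
        "file_type": ftype,
        "file_name": fname,
        "file_size": fsize,
        "hash": {"md5": md5, "sha1": sha1, "sha256": sha256},
        "file_found": file_found,
        "url_found": url_found,
        "ip_found": ip_found,
        "virustotal": virustotal_info,
        "fuzzing": fuzzing,
        "pe_info": False,
    }
    return json.dumps(report, indent=4, separators=(',', ': '))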
def testName(self):
    """Smoke test: print the file names and URLs fileurl.get() extracts from 'chrome.exe'.

    NOTE(review): this expects fileurl.get() to return a (filelist, urls)
    pair, whereas get_fileinfo() indexes its result as a dict — the two
    call sites appear to target different versions of the helper.
    """
    filelist, arrayUrl = fileurl.get('chrome.exe')

    # Single-argument print with parentheses prints identically under
    # Python 2 and 3.
    print("FILE LIST")
    for entry in filelist:
        print(entry)

    print("URL LIST")
    print(arrayUrl)
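def _compile_time(tstamp):
    """Render a PE ``TimeDateStamp`` as a datetime, or tag it as invalid.

    ``fromtimestamp`` interprets the stamp in the local timezone (kept as
    the original did). A stamp outside the representable range comes back
    as ``"<raw> [Invalid date]"`` so the raw value stays visible in the
    report — PE timestamps are attacker-controlled and are often garbage.
    """
    try:
        return datetime.datetime.fromtimestamp(tstamp)
    except (ValueError, OverflowError, OSError):
        # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
        # are no longer swallowed; these are what fromtimestamp raises for
        # out-of-range values.
        return str(tstamp) + " [Invalid date]"


def get_pe_fileinfo(pe, filename):
    """Build the JSON report for a PE sample.

    Args:
        pe: parsed PE object exposing ``FILE_HEADER`` (pefile-style:
            ``IMAGE_FILE_DLL``, ``NumberOfSections``, ``TimeDateStamp``).
        filename: path of the sample; passed to the hashing, XOR, anti-VM
            and string-extraction helpers.

    Returns:
        A 4-space-indented JSON string: the generic file report plus a
        ``pe_info`` section. Helper modules are invoked in the same order
        as before, so any output they produce is unchanged.
    """
    dll = pe.FILE_HEADER.IMAGE_FILE_DLL
    nsec = pe.FILE_HEADER.NumberOfSections
    tsdate = _compile_time(pe.FILE_HEADER.TimeDateStamp)

    md5, sha1, sha256, imphash = get_hash(filename)
    hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}

    # Heuristic scans. Each result is computed once and reused below; the
    # original re-ran the anti-debug and mutex scans while building the
    # output dict.
    dirlist = directories.get(pe)
    packer = peid.get(pe, userdb)
    mutex = apimutex.get(pe, strings_match)
    antidbg = apiantidbg.get(pe, strings_match)
    xorcheck = xor.get(filename)
    antivirtualmachine = antivm.get(filename)

    # Labels of the checks that fired, in the order the original emitted them.
    detected = []
    # The "security" data directory is where the certificate table lives.
    if "security" in dirlist:
        detected.append("sign")
    for label, hit in (("packer", packer), ("mutex", mutex),
                       ("antidbg", antidbg), ("xor", xorcheck),
                       ("antivm", antivirtualmachine)):
        if hit:
            detected.append(label)

    # suspicious API usage
    apialert_info = apialert.get(pe, strings_match)

    # file names, URLs, IPs and fuzzing hits found among the strings
    fileurl_info = fileurl.get(filename, strings_match)
    file_info = fileurl_info["file"]
    url_info = fileurl_info["url"]
    ip_info = fileurl_info["ip"]
    fuzzing_info = fileurl_info["fuzzing"]

    meta_info = meta.get(pe)
    import_function = funcimport.get(pe)
    export_function = funcexport.get(pe)
    sections_info = sections.get(pe)
    resources_info = resources.get(pe)

    # External lookup: the sample's MD5 is sent to VirusTotal.
    virustotal_info = virustotal.get(md5, strings_match)

    pe_info = {
        "import_hash": imphash,
        "compile_time": str(tsdate),
        "dll": dll,
        "sections_number": nsec,
        "xor_info": xorcheck,
        "detected": detected,
        "directories": dirlist,
        "sign_info": cert.get(pe),
        "packer_info": packer,
        "antidbg_info": antidbg,
        "mutex_info": mutex,
        "antivm_info": antivirtualmachine,
        "apialert_info": apialert_info,
        "meta_info": meta_info,
        "import_function": import_function,
        "export_function": export_function,
        "sections_info": sections_info,
        "resources_info": resources_info,
    }
    report = {
        "peframe_ver": help.VERSION,
        "file_type": ftype,
        "file_name": fname,
        "file_size": fsize,
        "hash": hash_info,
        "file_found": file_info,
        "url_found": url_info,
        "ip_found": ip_info,
        "virustotal": virustotal_info,
        "fuzzing": fuzzing_info,
        "pe_info": pe_info,
    }
    # Return the report as JSON (comment translated from Korean).
    return json.dumps(report, indent=4, separators=(',', ': '))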
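def get_pe_fileinfo(pe, filename):
    """Return the full analysis report for a PE sample as JSON.

    Args:
        pe: parsed PE object exposing ``FILE_HEADER`` (pefile-style:
            ``IMAGE_FILE_DLL``, ``NumberOfSections``, ``TimeDateStamp``).
        filename: path of the sample on disk.

    Returns:
        A 4-space-indented JSON string with the generic file report and a
        ``pe_info`` section. Helper modules are called in the original
        order so their side effects (if any) are unchanged.
    """
    is_dll = pe.FILE_HEADER.IMAGE_FILE_DLL
    section_count = pe.FILE_HEADER.NumberOfSections

    # Compile time. fromtimestamp() uses the local timezone (kept from the
    # original). The raw stamp is preserved in the fallback string because
    # PE timestamps are attacker-controlled and may be out of range.
    tstamp = pe.FILE_HEADER.TimeDateStamp
    try:
        tsdate = datetime.datetime.fromtimestamp(tstamp)
    except (ValueError, OverflowError, OSError):
        # Replaces a bare ``except:`` that also swallowed KeyboardInterrupt.
        tsdate = str(tstamp) + " [Invalid date]"

    md5, sha1, sha256, imphash = get_hash(filename)

    # Run every heuristic once, in the original order, and keep the results;
    # the original called the anti-debug and mutex scans a second time when
    # assembling the output.
    dirlist = directories.get(pe)
    packer = peid.get(pe, userdb)
    mutex = apimutex.get(pe, strings_match)
    antidbg = apiantidbg.get(pe, strings_match)
    xorcheck = xor.get(filename)
    antivirtualmachine = antivm.get(filename)

    detected = []
    # "security" is the data directory holding the certificate table.
    if "security" in dirlist:
        detected.append("sign")
    if packer:
        detected.append("packer")
    if mutex:
        detected.append("mutex")
    if antidbg:
        detected.append("antidbg")
    if xorcheck:
        detected.append("xor")
    if antivirtualmachine:
        detected.append("antivm")

    apialert_info = apialert.get(pe, strings_match)

    found = fileurl.get(filename, strings_match)
    file_found = found["file"]
    url_found = found["url"]
    ip_found = found["ip"]
    fuzzing = found["fuzzing"]

    meta_info = meta.get(pe)
    import_function = funcimport.get(pe)
    export_function = funcexport.get(pe)
    sections_info = sections.get(pe)
    resources_info = resources.get(pe)

    # External lookup keyed on the MD5 (the hash leaves the analysis host).
    virustotal_info = virustotal.get(md5, strings_match)

    report = {
        "peframe_ver": help.VERSION,
        "file_type": ftype,
        "file_name": fname,
        "file_size": fsize,
        "hash": {"md5": md5, "sha1": sha1, "sha256": sha256},
        "file_found": file_found,
        "url_found": url_found,
        "ip_found": ip_found,
        "virustotal": virustotal_info,
        "fuzzing": fuzzing,
        "pe_info": {
            "import_hash": imphash,
            "compile_time": str(tsdate),
            "dll": is_dll,
            "sections_number": section_count,
            "xor_info": xorcheck,
            "detected": detected,
            "directories": dirlist,
            "sign_info": cert.get(pe),
            "packer_info": packer,
            "antidbg_info": antidbg,
            "mutex_info": mutex,
            "antivm_info": antivirtualmachine,
            "apialert_info": apialert_info,
            "meta_info": meta_info,
            "import_function": import_function,
            "export_function": export_function,
            "sections_info": sections_info,
            "resources_info": resources_info,
        },
    }
    return json.dumps(report, indent=4, separators=(',', ': '))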
elif sys.argv[1] == "--fileinfo": print "Compile Time ", fileinfo.getCompileTime(suspicious_file) md5 = fileinfo.get_hashes(sys.argv[2])[0] sha1 = fileinfo.get_hashes(sys.argv[2])[1] sha256 = fileinfo.get_hashes(sys.argv[2])[2] print "Hashes MD5 ", md5 print "Hashes SHA 1", sha1 print "Hashes SHA 256", sha256 print "DLL ", fileinfo.getDLL(suspicious_file) print "File Info name and size ", fileinfo.getFileInfo(sys.argv[2]) print "Number of Sections", fileinfo.getNumberofSections(suspicious_file) elif sys.argv[1] == "--fileurl": filelist, arrayUrl = fileurl.get(sys.argv[2]) print " ========= FILE LIST ==========" for elem in filelist: print """ **************** """ + elem[0] + """****************""" for e in elem[1]: print "\t" + e print " =========== URL LIST =========" for e in arrayUrl: print "\t" + e elif sys.argv[1] == "--import": for elem in import_function.get(suspicious_file): print """*******""" + elem[0] + """*******""" for el in elem[1]: print el