def get_pe_fileinfo(pe, filename):
# is dll?
dll = pe.FILE_HEADER.IMAGE_FILE_DLL
# num sections
nsec = pe.FILE_HEADER.NumberOfSections
# timestamp
tstamp = pe.FILE_HEADER.TimeDateStamp
try:
""" return date """
tsdate = datetime.datetime.fromtimestamp(tstamp)
except:
""" return timestamp """
tsdate = str(tstamp) + " [Invalid date]"
# get md5, sha1, sha256, imphash
md5, sha1, sha256, imphash = get_hash(filename)
hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}
detected = []
# directory list
dirlist = directories.get(pe)
# digital signature
for sign in dirlist:
if sign == "security": detected.append("sign")
# packer (peid)
packer = peid.get(pe, userdb)
if packer: detected.append("packer")
# mutex
mutex = apimutex.get(pe, strings_match)
if mutex: detected.append("mutex")
# anti debug
antidbg = apiantidbg.get(pe, strings_match)
if antidbg: detected.append("antidbg")
# Xor
xorcheck = xor.get(filename)
if xorcheck: detected.append("xor")
# anti virtual machine
antivirtualmachine = antivm.get(filename)
if antivirtualmachine: detected.append("antivm")
# api alert suspicious
apialert_info = apialert.get(pe, strings_match)
# file and url
fileurl_info = fileurl.get(filename, strings_match)
file_info = fileurl_info["file"]
url_info = fileurl_info["url"]
ip_info = fileurl_info["ip"]
fuzzing_info = fileurl_info["fuzzing"]
# meta info
meta_info = meta.get(pe)
# import function
import_function = funcimport.get(pe)
# export function
export_function = funcexport.get(pe)
# sections
sections_info = sections.get(pe)
# resources
resources_info = resources.get(pe)
# virustotal
virustotal_info = virustotal.get(md5, strings_match)
# json으로 반환
return json.dumps(
{
"peframe_ver": help.VERSION,
"file_type": ftype,
"file_name": fname,
"file_size": fsize,
"hash": hash_info,
"file_found": file_info,
"url_found": url_info,
"ip_found": ip_info,
"virustotal": virustotal_info,
"fuzzing": fuzzing_info,
"pe_info": {
"import_hash": imphash,
"compile_time": str(tsdate),
"dll": dll,
"sections_number": nsec,
"xor_info": xorcheck,
"detected": detected,
"directories": dirlist,
"sign_info": cert.get(pe),
"packer_info": packer,
"antidbg_info": apiantidbg.get(pe, strings_match),
"mutex_info": apimutex.get(pe, strings_match),
"antivm_info": antivirtualmachine,
"apialert_info": apialert_info,
"meta_info": meta_info,
"import_function": import_function,
"export_function": export_function,
"sections_info": sections_info,
"resources_info": resources_info
}
},
indent=4,
separators=(',', ': '))
def get(argv, csv):
if os.path.isdir(argv):
mal_directory = argv
for mal in (os.listdir(mal_directory)):
malware = mal_directory + "/" + mal
csv.write("\n"+mal+",")
metadata.get(malware)
fileheader.get(malware)
optheader.get(malware)
sections.get(malware, csv)
imphash.get(malware, csv)
imports.get(malware)
exports.get(malware, csv)
antidbg.get(malware, csv)
antivm.get(malware, csv)
apialert.get(malware, csv)
codeint.get(malware, csv)
cfg.get(malware, csv)
dep.get(malware, csv)
aslr.get(malware, csv)
seh.get(malware, csv)
gs.get(malware, csv)
tls.get(malware, csv)
codeint.get(malware, csv)
dbgts.get(malware, csv)
url.get(malware, csv)
manifest.get(malware, csv)
version.get(malware, csv)
badstr.get(malware, csv)
packed.get(malware, csv)
certificate.get(malware, csv)
virustotal.get(malware, csv)
yarar.get(malware, csv)
else:
malware = argv
csv.write("\n"+malware+",")
metadata.get(malware)
fileheader.get(malware)
optheader.get(malware)
sections.get(malware, csv)
imphash.get(malware, csv)
imports.get(malware)
exports.get(malware, csv)
antidbg.get(malware, csv)
antivm.get(malware, csv)
apialert.get(malware, csv)
codeint.get(malware, csv)
cfg.get(malware, csv)
dep.get(malware, csv)
aslr.get(malware, csv)
seh.get(malware, csv)
gs.get(malware, csv)
tls.get(malware, csv)
codeint.get(malware, csv)
dbgts.get(malware, csv)
url.get(malware, csv)
manifest.get(malware, csv)
version.get(malware, csv)
badstr.get(malware, csv)
packed.get(malware, csv)
certificate.get(malware, csv)
virustotal.get(malware, csv)
yarar.get(malware, csv)
def testName(self):
pe = PE.get('chrome.exe')
for section in sections.get(pe):
# test = section[0].translate(None, '\x00')
print section
def get_pe_fileinfo(pe, filename):
# is dll?
dll = pe.FILE_HEADER.IMAGE_FILE_DLL
# num sections
nsec = pe.FILE_HEADER.NumberOfSections
# timestamp
tstamp = pe.FILE_HEADER.TimeDateStamp
try:
""" return date """
tsdate = datetime.datetime.fromtimestamp(tstamp)
except:
""" return timestamp """
tsdate = str(tstamp) + " [Invalid date]"
# get md5, sha1, sha256, imphash
md5, sha1, sha256, imphash = get_hash(filename)
hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}
detected = []
# directory list
dirlist = directories.get(pe)
# digital signature
for sign in dirlist:
if sign == "security": detected.append("sign")
# packer (peid)
packer = peid.get(pe, userdb)
if packer: detected.append("packer")
# mutex
mutex = apimutex.get(pe, strings_match)
if mutex: detected.append("mutex")
# anti debug
antidbg = apiantidbg.get(pe, strings_match)
if antidbg: detected.append("antidbg")
# Xor
xorcheck = xor.get(filename)
if xorcheck: detected.append("xor")
# anti virtual machine
antivirtualmachine = antivm.get(filename)
if antivirtualmachine: detected.append("antivm")
# api alert suspicious
apialert_info = apialert.get(pe, strings_match)
# file and url
fileurl_info = fileurl.get(filename, strings_match)
file_info = fileurl_info["file"]
url_info = fileurl_info["url"]
ip_info = fileurl_info["ip"]
fuzzing_info = fileurl_info["fuzzing"]
# meta info
meta_info = meta.get(pe)
# import function
import_function = funcimport.get(pe)
# export function
export_function = funcexport.get(pe)
# sections
sections_info = sections.get(pe)
# resources
resources_info = resources.get(pe)
# virustotal
virustotal_info = virustotal.get(md5, strings_match)
return json.dumps({"peframe_ver": help.VERSION,
"file_type": ftype,
"file_name": fname,
"file_size": fsize,
"hash": hash_info,
"file_found": file_info,
"url_found": url_info,
"ip_found": ip_info,
"virustotal": virustotal_info,
"fuzzing": fuzzing_info,
"pe_info": {
"import_hash": imphash,
"compile_time": str(tsdate),
"dll": dll,
"sections_number": nsec,
"xor_info": xorcheck,
"detected": detected,
"directories": dirlist,
"sign_info": cert.get(pe),
"packer_info": packer,
"antidbg_info": apiantidbg.get(pe, strings_match),
"mutex_info": apimutex.get(pe, strings_match),
"antivm_info": antivirtualmachine,
"apialert_info": apialert_info,
"meta_info": meta_info,
"import_function": import_function,
"export_function": export_function,
"sections_info": sections_info,
"resources_info": resources_info
}
},
indent=4, separators=(',', ': '))
def get(malware, mydoc, progress_bar):
progress_bar.UpdateBar(0,27)
header.get(mydoc)
progress_bar.UpdateBar(1,27)
metadata.get(malware, mydoc)
progress_bar.UpdateBar(2,27)
progress_bar.UpdateBar(3,27)
optheader.get(malware, mydoc)
progress_bar.UpdateBar(4,27)
sections.get(malware, mydoc)
progress_bar.UpdateBar(5,27)
imphash.get(malware, mydoc)
progress_bar.UpdateBar(6,27)
imports.get(malware, mydoc)
progress_bar.UpdateBar(7,27)
exports.get(malware, mydoc)
progress_bar.UpdateBar(8,27)
antidbg.get(malware, mydoc)
progress_bar.UpdateBar(9,27)
antivm.get(malware, mydoc)
progress_bar.UpdateBar(10,27)
apialert.get(malware, mydoc)
progress_bar.UpdateBar(11,27)
codeint.get(malware, mydoc)
progress_bar.UpdateBar(12,27)
cfg.get(malware, mydoc)
progress_bar.UpdateBar(13,27)
dep.get(malware, mydoc)
progress_bar.UpdateBar(14,27)
aslr.get(malware, mydoc)
progress_bar.UpdateBar(15,27)
seh.get(malware, mydoc)
progress_bar.UpdateBar(16,27)
gs.get(malware, mydoc)
progress_bar.UpdateBar(17,27)
tls.get(malware, mydoc)
progress_bar.UpdateBar(18,27)
progress_bar.UpdateBar(19,27)
dbgts.get(malware, mydoc)
progress_bar.UpdateBar(20,27)
# url.get(malware, mydoc)
manifest.get(malware, mydoc)
progress_bar.UpdateBar(21,27)
version.get(malware, mydoc)
progress_bar.UpdateBar(22,27)
## badstr.get(malware)
packed.get(malware, mydoc)
progress_bar.UpdateBar(23,27)
## certificate.get(malware)
virustotal.get(malware, mydoc)
progress_bar.UpdateBar(25,27)
# yarar.get(malware, mydoc)
progress_bar.UpdateBar(26,27)
progress_bar.UpdateBar(27,27)
print """*******""" + elem[0] + """*******"""
for el in elem[1]:
print el
elif sys.argv[1] == "--meta":
for elem in meta.get(suspicious_file):
print elem
elif sys.argv[1] == "--packer":
packers = packer.get(suspicious_file)
print packers
elif sys.argv[1] == "--suspicious_api":
list = suspicious_api.get(suspicious_file)
print list
elif sys.argv[1] == "--sections":
for section in sections.get(suspicious_file):
print section
elif sys.argv[1] == "--strings":
print strings.get(sys.argv[2])
elif sys.argv[1] == "--suspicious_sections":
print suspicious_sections.get(suspicious_file)
elif sys.argv[1] == "--help":
print Help.help()
elif sys.argv[1] == "--scan":
virusto = analyzePattern.analyzeInstance()
virusto.configuration(sys.argv[2])
report = analyzePattern.getReport(virusto)
analyzePattern.get(report, displayMode="default")
else:
