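def metadata_subject_overview():
    """Print a high-level overview of the PE held in the global SUBJECT.

    Reports whether the file is an EXE and/or a DLL, the packed and
    suspicious heuristics from peutils, the entry point address, runs the
    checksum helpers, then lists every section and every imported DLL with
    its import count.

    Module globals used: SUBJECT (presumably a parsed pefile.PE object),
    ORIG_FILE (the name printed in messages), print_(),
    misc_generate_checksum() and misc_verify_checksum(). All output goes
    through print_(); nothing is returned.
    """
    if SUBJECT.is_exe():
        print_('Binary "%s" is an EXE' % ORIG_FILE)
    if SUBJECT.is_dll():
        print_('Binary "%s" is a DLL' % ORIG_FILE)

    # Both peutils checks are heuristics: "normal" below only means that
    # neither heuristic fired, not that the file is benign.
    flagged = False
    if peutils.is_probably_packed(SUBJECT):
        print_('Binary is possibly packed!')
        flagged = True
    if peutils.is_suspicious(SUBJECT):
        print_('Binary is suspicious!')
        flagged = True
    if not flagged:
        print_('Binary appears to be normal')

    print_('Address of Entry Point: 0x%08x' % SUBJECT.OPTIONAL_HEADER.AddressOfEntryPoint)
    misc_generate_checksum()
    misc_verify_checksum()

    print_('Sections:')
    for section in SUBJECT.sections:
        print_('\tRVA: 0x%08x - Name: %s - %i bytes' % (
            section.VirtualAddress, section.Name.strip('\x00'), section.SizeOfRawData))

    print_('Imports from:')
    # The import directory attribute is only present when an import table
    # was parsed; a file without one must not abort the overview with an
    # AttributeError, so fall back to an empty list.
    for entry in getattr(SUBJECT, 'DIRECTORY_ENTRY_IMPORT', []):
        print_('\t%s -> %i functions' % (entry.dll, len(entry.imports)))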
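def _is_suspicious(self, pe) -> Union[bool, None]:
    """Run the peutils "suspicious" heuristic on *pe*.

    Args:
        pe: the parsed PE object handed straight to peutils.is_suspicious().

    Returns:
        The heuristic's result, or None when the check itself could not be
        performed. None means "not checked", not "not suspicious"; callers
        must not read it as a clean verdict.
    """
    try:
        return peutils.is_suspicious(pe)
    except Exception:
        # Best-effort: a malformed payload must not abort the scan, but
        # KeyboardInterrupt/SystemExit should still propagate (the former
        # bare ``except:`` swallowed those as well).
        return None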
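def is_suspicious(self):
    """Run the peutils "suspicious" heuristic on ``self.pe``.

    Returns:
        The heuristic's result, or None when the check itself could not be
        performed (e.g. ``self.pe`` is not a usable PE object). None means
        "not checked", not "not suspicious"; callers must not read it as a
        clean verdict.
    """
    try:
        return peutils.is_suspicious(self.pe)
    except Exception:
        # Best-effort: a malformed payload must not abort the scan, but
        # KeyboardInterrupt/SystemExit should still propagate (the former
        # bare ``except:`` swallowed those as well).
        return None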
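def peid(self):
    """Match ``self.pe`` against the PEiD signature database under MALICE_ROOT.

    Returns:
        dict with the keys
        ``"peid_signature_match"``: list of the first element of each
            entry-point-only match (presumably the signature name), [] when
            nothing matched;
        ``"is_probably_packed"``, ``"is_suspicious"``, ``"is_valid"``: the
            corresponding peutils heuristics for ``self.pe``.

    Module globals used: MALICE_ROOT, path (os.path) and peutils.
    """
    userdb_path = path.join(MALICE_ROOT, 'data', 'UserDB.TXT')
    signatures = peutils.SignatureDatabase(userdb_path)
    matches = signatures.match_all(self.pe, ep_only=True)
    # The former map(packer.append, ...) only ran under Python 2; on
    # Python 3 map() is lazy, so the list stayed empty and every match was
    # lost. Build the list directly instead.
    packer = [s[0] for s in matches] if matches else []
    return {
        "peid_signature_match": packer,
        "is_probably_packed": peutils.is_probably_packed(self.pe),
        "is_suspicious": peutils.is_suspicious(self.pe),
        "is_valid": peutils.is_valid(self.pe),
    }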
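def _build_peid_matches(self, scan_result):
    """Match *scan_result* against the PEiD UserDB shipped next to this module.

    Args:
        scan_result: the parsed PE object handed straight to peutils
            (presumably a pefile.PE instance).

    Returns:
        dict with the keys
        ``"peid_signature_match"``: list of the first element of each
            entry-point-only match (presumably the signature name), [] when
            nothing matched;
        ``"is_probably_packed"``, ``"is_suspicious"``, ``"is_valid"``: the
            corresponding peutils heuristics for *scan_result*.

    Module global used: path (os.path).
    """
    import peutils
    userdb_path = path.join(path.dirname(__file__), 'file', 'UserDB.TXT')
    signatures = peutils.SignatureDatabase(userdb_path)
    matches = signatures.match_all(scan_result, ep_only=True)
    # The former map(packer.append, ...) only ran under Python 2; on
    # Python 3 map() is lazy, so the list stayed empty and every match was
    # lost. Build the list directly instead.
    packer = [s[0] for s in matches] if matches else []
    return {
        "peid_signature_match": packer,
        "is_probably_packed": peutils.is_probably_packed(scan_result),
        "is_suspicious": peutils.is_suspicious(scan_result),
        "is_valid": peutils.is_valid(scan_result),
    }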
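def _build_peid_matches(self, scan_result):
    """Match *scan_result* against the PEiD UserDB in the sibling pe/data dir.

    Args:
        scan_result: the parsed PE object handed straight to peutils
            (presumably a pefile.PE instance).

    Returns:
        dict with the keys
        ``"peid_signature_match"``: list of the first element of each
            entry-point-only match (presumably the signature name), [] when
            nothing matched;
        ``"is_probably_packed"``, ``"is_suspicious"``, ``"is_valid"``: the
            corresponding peutils heuristics for *scan_result*.

    Module global used: path (os.path).
    """
    import peutils
    userdb_path = path.join(path.dirname(__file__), 'file', '../pe/data/UserDB.TXT')
    signatures = peutils.SignatureDatabase(userdb_path)
    matches = signatures.match_all(scan_result, ep_only=True)
    # The former map(packer.append, ...) only ran under Python 2; on
    # Python 3 map() is lazy, so the list stayed empty and every match was
    # lost. Build the list directly instead.
    packer = [s[0] for s in matches] if matches else []
    return {
        "peid_signature_match": packer,
        "is_probably_packed": peutils.is_probably_packed(scan_result),
        "is_suspicious": peutils.is_suspicious(scan_result),
        "is_valid": peutils.is_valid(scan_result),
    }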