def get_pe_fileinfo(pe, filename): # is dll? dll = pe.FILE_HEADER.IMAGE_FILE_DLL # num sections nsec = pe.FILE_HEADER.NumberOfSections # timestamp tstamp = pe.FILE_HEADER.TimeDateStamp try: """ return date """ tsdate = datetime.datetime.fromtimestamp(tstamp) except: """ return timestamp """ tsdate = str(tstamp) + " [Invalid date]" # get md5, sha1, sha256, imphash md5, sha1, sha256, imphash = get_hash(filename) hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256} detected = [] # directory list dirlist = directories.get(pe) # digital signature for sign in dirlist: if sign == "security": detected.append("sign") # packer (peid) packer = peid.get(pe, userdb) if packer: detected.append("packer") # mutex mutex = apimutex.get(pe, strings_match) if mutex: detected.append("mutex") # anti debug antidbg = apiantidbg.get(pe, strings_match) if antidbg: detected.append("antidbg") # Xor xorcheck = xor.get(filename) if xorcheck: detected.append("xor") # anti virtual machine antivirtualmachine = antivm.get(filename) if antivirtualmachine: detected.append("antivm") # api alert suspicious apialert_info = apialert.get(pe, strings_match) # file and url fileurl_info = fileurl.get(filename, strings_match) file_info = fileurl_info["file"] url_info = fileurl_info["url"] ip_info = fileurl_info["ip"] fuzzing_info = fileurl_info["fuzzing"] # meta info meta_info = meta.get(pe) # import function import_function = funcimport.get(pe) # export function export_function = funcexport.get(pe) # sections sections_info = sections.get(pe) # resources resources_info = resources.get(pe) # virustotal virustotal_info = virustotal.get(md5, strings_match) # json으로 반환 return json.dumps( { "peframe_ver": help.VERSION, "file_type": ftype, "file_name": fname, "file_size": fsize, "hash": hash_info, "file_found": file_info, "url_found": url_info, "ip_found": ip_info, "virustotal": virustotal_info, "fuzzing": fuzzing_info, "pe_info": { "import_hash": imphash, "compile_time": str(tsdate), "dll": dll, "sections_number": nsec, "xor_info": xorcheck, "detected": detected, "directories": dirlist, "sign_info": cert.get(pe), "packer_info": packer, "antidbg_info": apiantidbg.get(pe, strings_match), "mutex_info": apimutex.get(pe, strings_match), "antivm_info": antivirtualmachine, "apialert_info": apialert_info, "meta_info": meta_info, "import_function": import_function, "export_function": export_function, "sections_info": sections_info, "resources_info": resources_info } }, indent=4, separators=(',', ': '))
def get_pe_fileinfo(pe, filename): # is dll? dll = pe.FILE_HEADER.IMAGE_FILE_DLL # num sections nsec = pe.FILE_HEADER.NumberOfSections # timestamp tstamp = pe.FILE_HEADER.TimeDateStamp try: """ return date """ tsdate = datetime.datetime.fromtimestamp(tstamp) except: """ return timestamp """ tsdate = str(tstamp) + " [Invalid date]" # get md5, sha1, sha256, imphash md5, sha1, sha256, imphash = get_hash(filename) hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256} detected = [] # directory list dirlist = directories.get(pe) # digital signature for sign in dirlist: if sign == "security": detected.append("sign") # packer (peid) packer = peid.get(pe, userdb) if packer: detected.append("packer") # mutex mutex = apimutex.get(pe, strings_match) if mutex: detected.append("mutex") # anti debug antidbg = apiantidbg.get(pe, strings_match) if antidbg: detected.append("antidbg") # Xor xorcheck = xor.get(filename) if xorcheck: detected.append("xor") # anti virtual machine antivirtualmachine = antivm.get(filename) if antivirtualmachine: detected.append("antivm") # api alert suspicious apialert_info = apialert.get(pe, strings_match) # file and url fileurl_info = fileurl.get(filename, strings_match) file_info = fileurl_info["file"] url_info = fileurl_info["url"] ip_info = fileurl_info["ip"] fuzzing_info = fileurl_info["fuzzing"] # meta info meta_info = meta.get(pe) # import function import_function = funcimport.get(pe) # export function export_function = funcexport.get(pe) # sections sections_info = sections.get(pe) # resources resources_info = resources.get(pe) # virustotal virustotal_info = virustotal.get(md5, strings_match) return json.dumps({"peframe_ver": help.VERSION, "file_type": ftype, "file_name": fname, "file_size": fsize, "hash": hash_info, "file_found": file_info, "url_found": url_info, "ip_found": ip_info, "virustotal": virustotal_info, "fuzzing": fuzzing_info, "pe_info": { "import_hash": imphash, "compile_time": str(tsdate), "dll": dll, "sections_number": nsec, "xor_info": xorcheck, "detected": detected, "directories": dirlist, "sign_info": cert.get(pe), "packer_info": packer, "antidbg_info": apiantidbg.get(pe, strings_match), "mutex_info": apimutex.get(pe, strings_match), "antivm_info": antivirtualmachine, "apialert_info": apialert_info, "meta_info": meta_info, "import_function": import_function, "export_function": export_function, "sections_info": sections_info, "resources_info": resources_info } }, indent=4, separators=(',', ': '))
def get(argv, csv): if os.path.isdir(argv): mal_directory = argv for mal in (os.listdir(mal_directory)): malware = mal_directory + "/" + mal csv.write("\n"+mal+",") metadata.get(malware) fileheader.get(malware) optheader.get(malware) sections.get(malware, csv) imphash.get(malware, csv) imports.get(malware) exports.get(malware, csv) antidbg.get(malware, csv) antivm.get(malware, csv) apialert.get(malware, csv) codeint.get(malware, csv) cfg.get(malware, csv) dep.get(malware, csv) aslr.get(malware, csv) seh.get(malware, csv) gs.get(malware, csv) tls.get(malware, csv) codeint.get(malware, csv) dbgts.get(malware, csv) url.get(malware, csv) manifest.get(malware, csv) version.get(malware, csv) badstr.get(malware, csv) packed.get(malware, csv) certificate.get(malware, csv) virustotal.get(malware, csv) yarar.get(malware, csv) else: malware = argv csv.write("\n"+malware+",") metadata.get(malware) fileheader.get(malware) optheader.get(malware) sections.get(malware, csv) imphash.get(malware, csv) imports.get(malware) exports.get(malware, csv) antidbg.get(malware, csv) antivm.get(malware, csv) apialert.get(malware, csv) codeint.get(malware, csv) cfg.get(malware, csv) dep.get(malware, csv) aslr.get(malware, csv) seh.get(malware, csv) gs.get(malware, csv) tls.get(malware, csv) codeint.get(malware, csv) dbgts.get(malware, csv) url.get(malware, csv) manifest.get(malware, csv) version.get(malware, csv) badstr.get(malware, csv) packed.get(malware, csv) certificate.get(malware, csv) virustotal.get(malware, csv) yarar.get(malware, csv)
def get(malware, mydoc, progress_bar): progress_bar.UpdateBar(0,27) header.get(mydoc) progress_bar.UpdateBar(1,27) metadata.get(malware, mydoc) progress_bar.UpdateBar(2,27) progress_bar.UpdateBar(3,27) optheader.get(malware, mydoc) progress_bar.UpdateBar(4,27) sections.get(malware, mydoc) progress_bar.UpdateBar(5,27) imphash.get(malware, mydoc) progress_bar.UpdateBar(6,27) imports.get(malware, mydoc) progress_bar.UpdateBar(7,27) exports.get(malware, mydoc) progress_bar.UpdateBar(8,27) antidbg.get(malware, mydoc) progress_bar.UpdateBar(9,27) antivm.get(malware, mydoc) progress_bar.UpdateBar(10,27) apialert.get(malware, mydoc) progress_bar.UpdateBar(11,27) codeint.get(malware, mydoc) progress_bar.UpdateBar(12,27) cfg.get(malware, mydoc) progress_bar.UpdateBar(13,27) dep.get(malware, mydoc) progress_bar.UpdateBar(14,27) aslr.get(malware, mydoc) progress_bar.UpdateBar(15,27) seh.get(malware, mydoc) progress_bar.UpdateBar(16,27) gs.get(malware, mydoc) progress_bar.UpdateBar(17,27) tls.get(malware, mydoc) progress_bar.UpdateBar(18,27) progress_bar.UpdateBar(19,27) dbgts.get(malware, mydoc) progress_bar.UpdateBar(20,27) # url.get(malware, mydoc) manifest.get(malware, mydoc) progress_bar.UpdateBar(21,27) version.get(malware, mydoc) progress_bar.UpdateBar(22,27) ## badstr.get(malware) packed.get(malware, mydoc) progress_bar.UpdateBar(23,27) ## certificate.get(malware) virustotal.get(malware, mydoc) progress_bar.UpdateBar(25,27) # yarar.get(malware, mydoc) progress_bar.UpdateBar(26,27) progress_bar.UpdateBar(27,27)