def _get_peid_signatures(self):
"""Gets PEID signatures.
@return: matched signatures or None.
"""
if not self.pe:
return None
try:
sig_path = os.path.join(CUCKOO_ROOT, "data",
"peutils", "UserDB.TXT")
signatures = peutils.SignatureDatabase(sig_path)
return signatures.match_all(self.pe, ep_only=True)
except:
return None
def __init__(self, data, yara_rules=None, peid_sigs=None):
self.pedata = data
# initialize YARA rules if provided
if yara_rules and sys.modules.has_key('yara'):
self.rules = yara.compile(yara_rules)
else:
self.rules = None
# initialize PEiD signatures if provided
if peid_sigs:
self.sigs = peutils.SignatureDatabase(peid_sigs)
else:
self.sigs = None
def peid(self):
pe_matches = dict()
userdb_file_dir_path = path.join(path.dirname(__file__), 'data',
'UserDB.TXT')
signatures = peutils.SignatureDatabase(userdb_file_dir_path)
packer = []
matches = signatures.match_all(self.pe, ep_only=True)
if matches:
map(packer.append, [s[0] for s in matches])
pe_matches["peid_signature_match"] = packer
pe_matches["is_probably_packed"] = peutils.is_probably_packed(self.pe)
pe_matches["is_suspicious"] = peutils.is_suspicious(self.pe)
pe_matches["is_valid"] = peutils.is_valid(self.pe)
return pe_matches
def main_s(pe, ch, f, name):
exescan = ExeScan(pe, name)
# store reports in folders
#if os.path.exists(MD5):
# report_name = str(MD5)+".txt"
# report_name = os.path.join(MD5,report_name)
#else:
# os.mkdir(MD5)
# report_name = str(MD5)+".txt"
# report_name = os.path.join(MD5,report_name)
#handle = open(report_name,'a')
strings = f.readlines()
#print(strings)
#sys.exit(0)
mf = open("API.txt", "r")
MALAPI = mf.readlines()
signature = peutils.SignatureDatabase("userdb.txt")
check = signature.match_all(pe, ep_only=True)
#exescan.header()
#exescan.importtab()
#exescan.exporttab()
#exescan.anomalis()
exescan.malapi(MALAPI, strings)
#stx.StringE()
#if ch == "-i":
# exescan.base(check)
# exescan.importtab()
# exescan.exporttab()
#elif ch == "-b":
# exescan.base(check)
#elif ch == "-m":
# exescan.base(check)
# exescan.malapi(MALAPI,strings)
#elif ch == "-p":
# exescan.base(check)
# exescan.header()
#elif ch == "-a":
# exescan.base(check)
# exescan.anomalis()
# exescan.malapi(MALAPI,strings)
# stx.StringE()
#else:
# print()
mf.close()
#handle.close()
return MD5
def POE(logdir, target, logging, debug):
newlogentry = ''
full_dump = ''
matches = ''
output = logdir + 'FullDump.txt'
signaturedb = '/opt/static/UserDB.txt'
if (logging == True):
LOG = logger()
FI = fileio()
SIG = peutils.SignatureDatabase(signaturedb)
PEX = pefile.PE(target.filename)
if (logging == True):
newlogentry = 'PEiD Signature (...if signature database present):'
LOG.WriteLog(logdir, target.filename, newlogentry)
if (signaturedb != ''):
matches = SIG.match_all(PEX, ep_only=True)
print '[*] Signature Matches: ' + str(matches)
if (logging == True):
newlogentry = 'Signature: ' + '<strong>' + str(
matches) + '</strong>'
LOG.WriteLog(logdir, target.filename, newlogentry)
newlogentry = 'Sample Attribute Sections:'
LOG.WriteLog(logdir, target.filename, newlogentry)
for section in PEX.sections:
if (debug == True):
print '[DEBUG] ' + section.Name + ' Virtual Address: ' + str(
hex(section.VirtualAddress)) + ' Virtual Size: ' + str(
hex(section.Misc_VirtualSize)) + ' Raw Data Size: ' + str(
section.SizeOfRawData)
try:
for entry in PEX.DIRECTORY_ENTRY_IMPORT:
for imp in entry.imports:
if (debug == True):
print '[DEBUG] imp address and name: ' + str(
hex(imp.address)) + str(imp.name)
except Exception, e:
print '[-] Unable to process DIRECTORY_ENTRY_IMPORT object: ', e
if (logging == True):
newlogentry = 'Unable to process DIRECTORY_ENTRY_IMPORT object'
LOG.WriteLog(logdir, target.filename, newlogentry)
def analyze(self):
with open(
'./../tools/peid/db_signatures.txt',
encoding="ISO-8859-1",
) as f:
try:
sig_data = f.read()
signatures = peutils.SignatureDatabase(data=sig_data)
pe = pefile.PE(self.malware.path)
matches = signatures.match(pe, ep_only=True)
return matches
except Exception as e:
print(e)
return 'error'
def __init__(self, files, yara_rules=None, peid_sigs=None):
self.files = files
# initialize YARA rules if provided
if yara_rules and sys.modules.has_key('yara'):
self.rules = yara.compile(yara_rules)
else:
self.rules = None
# initialize PEiD signatures if provided
if peid_sigs:
self.sigs = peutils.SignatureDatabase(peid_sigs)
else:
self.sigs = None
print("PEiD no inicializado")
def get_signatures():
userdb_path = None
for path_attempt in ['/usr/share/viper/peid/UserDB.TXT', os.path.join(VIPER_ROOT, 'data/peid/UserDB.TXT')]:
if os.path.exists(path_attempt):
userdb_path = path_attempt
break
if not userdb_path:
return
with open(userdb_path, 'rt', encoding='ISO-8859-1') as f:
sig_data = f.read()
signatures = peutils.SignatureDatabase(data=sig_data)
return signatures
def _build_peid_matches(self, scan_result):
import peutils
pe_matches = dict()
UserDB_FILE_DIR_PATH = path.join(path.dirname(__file__), 'file',
'../pe/data/UserDB.TXT')
signatures = peutils.SignatureDatabase(UserDB_FILE_DIR_PATH)
packer = []
matches = signatures.match_all(scan_result, ep_only=True)
if matches:
map(packer.append, [s[0] for s in matches])
pe_matches["peid_signature_match"] = packer
pe_matches["is_probably_packed"] = peutils.is_probably_packed(
scan_result)
pe_matches["is_suspicious"] = peutils.is_suspicious(scan_result)
pe_matches["is_valid"] = peutils.is_valid(scan_result)
return pe_matches
def packer_detect(self):
""" attempt to detect the packer used """
if self.pe != False:
signatures = peutils.SignatureDatabase(self.userdb)
matches = signatures.match_all(self.pe, ep_only=True)
result = ''
if matches != None:
for match in matches:
m = ','.join(match)
result = result+m
return result
else:
return None
else:
return None
def peid_load():
try:
# todo: allow user's peid db
# db_file = args.db instead of ''
# or maybe do this in main and pass as arg
db_file = ''
if db_file == '':
db_file = os.path.join(os.path.abspath(os.path.dirname(__file__)),
'userdb.txt')
if os.path.exists(db_file):
return peutils.SignatureDatabase(db_file)
else:
print('problem loading peid database file')
return
except:
print('problem loading peid database file')
return
def Main():
global oLogger
try:
signal.signal(signal.SIGPIPE, signal.SIG_DFL)
except:
pass
oParser = optparse.OptionParser(usage='usage: %prog [options] [file/directory]\nEnvironment variable for options: PECHECK_OPTIONS\n' + __description__, version='%prog ' + __version__)
oParser.add_option('-d', '--db', default='', help='the PeID user db file, default userdb.txt in same directory as pecheck')
oParser.add_option('-s', '--scan', action='store_true', default=False, help='scan folder')
oParser.add_option('-e', '--entropy', type=float, default=7.0, help='the minimum entropy value for a file to be listed in scan mode (default 7.0)')
oParser.add_option('-y', '--yara', help="YARA rule-file, @file or directory to check streams (YARA search doesn't work with -s option)")
oParser.add_option('--yarastrings', action='store_true', default=False, help='Print YARA strings')
oParser.add_option('-g', '--getdata', type=str, default='', help='Get data from the PE file (example 0x1234,0x100)')
oParser.add_option('-D', '--dump', action='store_true', default=False, help='perform dump')
oParser.add_option('-x', '--hexdump', action='store_true', default=False, help='perform hex dump')
oParser.add_option('-a', '--asciidump', action='store_true', default=False, help='perform ascii dump')
oParser.add_option('-S', '--strings', action='store_true', default=False, help='perform strings dump')
oParser.add_option('-o', '--overview', type=str, default='', help='Accepted value: r for overview of resources')
(options, args) = oParser.parse_args(GetArgumentsUpdatedWithEnvironmentVariable('PECHECK_OPTIONS'))
if len(args) > 1 or options.overview != '' and options.overview != 'r':
oParser.print_help()
print('')
print(' Source code put in the public domain by Didier Stevens, no Copyright')
print(' Use at your own risk')
print(' https://DidierStevens.com')
return
else:
try:
dbfile = options.db
if dbfile == '':
dbfile = os.path.join(os.path.dirname(sys.argv[0]), 'userdb.txt')
signatures = peutils.SignatureDatabase(dbfile)
except:
signatures = None
if len(args) == 0:
SingleFile('', signatures, options)
elif options.scan:
oLogger = CSVLogger('pecheck', ('Filename', 'Entropy', 'Sections', 'Executable sections', 'Executable and writable sections', 'Size AuthentiCode', 'Stored CRC', 'Calculated CRC', 'CRC anomaly', 'Compile date', 'CompanyName', 'ProductName', 'MD5'))
ScanFiles(args[0], signatures, options.entropy)
else:
SingleFile(args[0], signatures, options)
def matchSignatures(pe):
peid = peutils.SignatureDatabase('peid_sigs/userdb.txt')
matches = peid.match(pe, ep_only=True)
if matches is None:
print "\t[!] Nothing found, scanning more than ep..."
matches = peid.match(pe, ep_only=False)
print "[*] Found:"
if matches is not None:
if len(matches) == 1:
print "\t" + str(matches)
else:
for match in matches:
print "\t" + str(match[0]) + "\t" + str(match[1])
else:
print "\tNo Matches"
def get_packer_signature(pe, userdb):
print('==========get packer signatures=================')
packer_name = ""
sig = peutils.SignatureDatabase(userdb)
a = sig.generate_section_signatures(pe, userdb)
matches = sig.match_all(pe, ep_only=True)
arr = []
if matches is None:
print('')
elif matches:
print(matches)
for i in matches:
#print("pacekr_siganature i is : ", i)
if i not in arr:
arr.append(i)
return arr
def __init__(self, files, peid_sigs=None):
self.files = files
# initialize YARA rules if provided
# initialize PEiD signatures if provided
if peid_sigs:
try:
self.sigs = peutils.SignatureDatabase(peid_sigs)
except:
self.sigs = None
else:
self.sigs = None
# initialize python magic (file identification)
# magic interface on python <= 2.6 is different than python >= 2.6
if 'magic' in sys.modules:
if sys.version_info <= (2, 6):
self.ms = magic.open(magic.MAGIC_NONE)
self.ms.load()
def activate(self, stoq):
self.stoq = stoq
parser = argparse.ArgumentParser()
parser = StoqArgs(parser)
worker_opts = parser.add_argument_group("Plugin Options")
worker_opts.add_argument("-r",
"--peidrules",
dest="peidrules",
help="Path to peid rules file")
options = parser.parse_args(self.stoq.argv[2:])
super().activate(options=options)
self.signatures = peutils.SignatureDatabase(self.peidrules)
return True
def do_pkinfo(self, args):
"""
Get pe's packer info
Usage:
pkinfo file
"""
argv = self.checkargs(args, 1)
if argv == None: return
fn = argv[0]
if not os.path.isfile(fn):
print "*invalid* file : %s" % fn
return
pe = pefile.PE(fn)
sig = peutils.SignatureDatabase( SIG_FILE )
pk = sig.match(pe)
print "[pkinfo] %s : %s" % (fn, pk)
def each(self, target):
self.results = dict()
try:
# lief analysis
binary = lief.parse(target)
binary_dict = json.loads(lief.to_json(binary), parse_int=str)
self.results.update(binary_dict)
# packet detect using pefile (PEiD sigs)
# sig file obtained here https://github.com/erocarrera/pefile/blob/wiki/PEiDSignatures.md
# named after date downloaded & added to FAME
signatures = peutils.SignatureDatabase(PE_ID_SIGS_FILE)
pe = pefile.PE(target, fast_load=True)
matches = signatures.match(pe, ep_only=True)
packer_dict = {'packers': matches}
self.results.update(packer_dict)
except:
self.log('error', traceback.print_exc())
return True
def __init__(
self,
host,
port,
user,
password,
threshold=40,
secure=False,
filepath=None,
filename=None,
folder_path=None,
):
"""Connects to neo4j database, loads options and set connectors.
@raise CuckooReportError: if unable to connect.
"""
self.threshold = int(threshold)
self.graph = Graph(host=host,
user=user,
password=password,
secure=secure,
port=port)
self.filepath = filepath
self.filename = filename
self.folder_path = folder_path
self.scout = ApiScout()
self.scout.setBaseAddress(0)
self.scout.loadWinApi1024(
os.path.abspath(os.path.join(os.path.dirname(__file__))) + os.sep +
"data" + os.sep + "winapi1024v1.txt")
self.magictest = magic.Magic(uncompress=True)
CWD = os.path.abspath(os.path.dirname(__file__))
USERDB = os.path.join(CWD, os.path.normpath("data/UserDB.TXT"))
with open(USERDB, "rt") as f:
sig_data = f.read()
self.signatures = peutils.SignatureDatabase(data=sig_data)
if self.folder_path:
self.files = self.get_files(folder_path)
def worker(folder):
print("Start {}".format(folder))
_n = 0
_m = 0
list_all = os.listdir(folder)#该文件夹下所有病毒文件
list_f_info = []
for f in list_all:
if len(f) == 64:#如果是病毒文件
sha256 = str(f)
f = folder + f
#print(f)
str_cmd = "file {}".format(f)
f_type = os.popen(str_cmd).read().strip().split("/")[-1]
f_type = f_type.split(":")[-1]
if f_type.find("PE32") != -1:#找到了
_n +=1
try:
pe = pefile.PE(f)
except AttributeError as e:
print(e)
check = None
except pefile.PEFormatError as e:
print(f)
print(e)
check = None
else:
signature = peutils.SignatureDatabase("userdb.txt")
check = signature.match_all(pe,ep_only = True)
if check:
_m +=1
f_info = sha256 + "," + str(check)
#print(f_info)
list_f_info.append(f_info)
f_csv = folder + "f_pack_info.csv"
with open(f_csv, "w") as f:
for item in list_f_info:
f.write("{}\n".format(item))
print("Finished {}: {}".format(folder, len(list_f_info)))
return {_n:_m}
def main_s(pe, ch, f, name):
global handle
exescan = ExeScan(pe, name)
(MD5, SHA1, SHA256, data) = exescan.hashes()
# store reports in folders
if os.path.exists(MD5):
report_name = str(MD5) + ".txt"
report_name = os.path.join(MD5, report_name)
else:
os.mkdir(MD5)
report_name = str(MD5) + ".txt"
report_name = os.path.join(MD5, report_name)
handle = open(report_name, 'a')
greet()
log("\n\n[+] File: %s" % name)
log("\n\t[*] MD5 : %s" % MD5)
log("\t[*] SHA-1 : %s" % SHA1)
log("\t[*] SHA-256 : %s" % SHA256)
# check file type (exe, dll)
if pe.is_exe():
log("\n[+] File Type: EXE")
elif pe.is_dll():
log("\n[+] File Type: DLL")
strings = f.readlines()
mf = open("API.txt", "r")
MALAPI = mf.readlines()
signature = peutils.SignatureDatabase("userdb.txt")
check = signature.match_all(pe, ep_only=True)
if ch == "-i":
exescan.base(check)
exescan.importtab()
exescan.exporttab()
else:
print()
mf.close()
handle.close()
return config.error
def checkPacker(pyew, doprint=True, args=None):
""" Check if the PE file is packed """
if pyew.pe is None:
return
sig = peutils.SignatureDatabase(
os.path.join(os.path.dirname(__file__), "UserDB.TXT"))
matches = sig.match_all(pyew.pe, ep_only=True)
if not matches:
if doprint:
print "***No match"
return
if doprint:
for match in matches:
print "".join(match)
if len(matches) == 0:
if doprint:
print "***No match"
return
return matches
def peid(self, args, file, opts):
try:
pe = pefile.PE(file.file_path) # pylint: disable=invalid-name, no-member
userdb_path = path.join(path.dirname(__file__), 'userdb.txt')
sigs = peutils.SignatureDatabase(userdb_path)
except Exception as err:
raise error.CommandWarning('unable to parse with pefile: %s' % err)
try:
matches = sigs.match_all(pe, ep_only=True)
except Exception:
raise error.CommandWarning('error matching peid signatures')
# Matches returns a list of lists, hence the stupid indexing
output = []
if not matches:
pass
elif len(matches) == 1:
output += [str(matches[0][0])]
else:
for match in matches:
output += [match[0]]
return output
def analyze(self, filepath=None, data=None, sigs=None):
self.filepath = filepath
self.data = data
self.pe = None
if sigs:
self.sigs = peutils.SignatureDatabase(sigs)
else:
self.sigs = None
if (self.filepath and self.data is not None) or \
(self.filepath is None and self.data is None):
log.error("either filepath ({0}) ".format(self.filepath) +
"and data ({0}) should be set".format(self.data))
return None
elif self.filepath and not os.path.exists(self.filepath):
log.error("file {0} does not exist".format(self.filepath))
return None
try:
if self.filepath is not None:
self.pe = pefile.PE(self.filepath)
elif self.data is not None:
self.pe = pefile.PE(data=self.data)
except pefile.PEFormatError:
return None
results = {}
results["peid_signatures"] = self._get_peid_signatures()
results["pe_imports"] = self._get_imported_symbols()
results["pe_exports"] = self._get_exported_symbols()
results["pe_sections"] = self._get_sections()
results["pe_resources"] = self._get_resources()
results["pe_versioninfo"] = self._get_versioninfo()
nb_dll = len([x for x in results["pe_imports"] if x.get("dll")])
results["imported_dll_count"] = nb_dll
return results
print 'yara-python is not installed, see http://code.google.com/p/yara-project/'
has_res = 0 # For Suspecious Resources
high_entropy = 0 # checking for high entropy sections
has_ep_out = 0 # cheks Entry point for bad entries
has_antivm = 0 # antivm checks
has_kernelmode_imports = 0 # ntoskernel imports
has_antidbg = 0 # anti_dbg_imp
good_ep_sections = ['.text', '.code', 'CODE', 'INIT', 'PAGE']
anti_dbg_imp = ['NtQueryInformationProcess', 'NtSetInformationThread',
'IsDebuggerPresent', 'CheckRemoteDebugger']
kernel_loads = [] # for holding kernel32 imports
sigs = peutils.SignatureDatabase(peid)
def check_antidbg(pe):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
if (entry.dll == "ntdll.dll"):
for imp in entry.imports:
for i in anti_dbg_imp:
if(imp.name == i):
has_antidbg = 1
def check_kernel_mode(pe):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
if (entry.dll == "ntoskrnl.exe"):
has_kernelmode_imports = 1
def __init__(aSelf, aPatternFile):
with open(aPatternFile, "rt", encoding="utf8") as db:
aSelf._sig = peutils.SignatureDatabase(data=db.read())
if fl.read(2) == "MZ":
print full_filename + " is an executable"
pe = pefile.PE(full_filename)
for entry in pe.DIRECTORY_ENTRY_IMPORT:
for imp in entry.imports:
fnname = str(imp.name)
if re.match('^Crypt', fnname):
print '\t', entry.dll, hex(
imp.address), imp.name
i = 1
else:
i = 0
pass
if i == 0:
print "No Crypt dll's found in IAT, perhaps packed or benign\n"
signatures = peutils.SignatureDatabase('userdb.txt')
matches = signatures.match_all(pe, ep_only=True)
print "Likely packers:\n"
print matches
print "Running Scan on " + full_filename + "for Crypto Constants...\n"
cmd = ['C:\Python27\signsrch\signsrch.exe', full_filename]
res = subprocess.Popen(cmd,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
j = 0
while True:
text = res.stdout.readline()
if not text:
break
if "offset" in text:
j = 1
def main():
version = "1.5"
parser = ArgumentParser(description="Used to check PEid databases against files in Python")
parser.add_argument("-D", "--database",
dest="alt_db", help="use alternate signature database DB", metavar="DB")
parser.add_argument("-J", "--JSON",
dest="json_out", help="print terse output as JSON", action="store_true")
parser.add_argument("-P", "--peid",
dest="peid", help="print PEiD matches", action="store_true")
parser.add_argument("-V", "--version",
dest="version", help="show version number", default=False, action="store_true")
parser.add_argument("-a", "--all",
dest="show_all", help="show all PE info", default=False, action="store_true")
parser.add_argument("-d", "--disasm",
dest="disasm", help="disassemble the first X bytes after EP", metavar="X", type=int)
parser.add_argument("-e", "--extract-sig",
dest="extract_sig", help="extracts the digital signature", default=False, action="store_true")
parser.add_argument("-m", "--all-matches",
dest="show_matches", help="show all signature matches", default=False, action="store_true")
parser.add_argument("-p", "--pretty-print",
dest="pretty_print", help="pretty print JSON document", default=False, action="store_true")
parser.add_argument("-t", "--terse",
dest="terse", help="give a short listing of various PE properties", default=False, action="store_true")
parser.add_argument("files", nargs='+', help='Files to analyze')
args = parser.parse_args()
if args.version:
print "Packerid.py version ",version,"\n Copyright (c) 2007, Jim Clausing, forked by Sconzo"
sys.exit(0)
if args.alt_db and (args.peid | args.show_all | args.show_matches):
signatures = peutils.SignatureDatabase(args.alt_db)
elif (args.peid | args.show_all | args.show_matches):
signatures = peutils.SignatureDatabase('/usr/local/etc/userdb.txt')
json_out = False
if args.json_out:
json_out = True
file_json = {}
for file in vars(args)['files']:
j_output = {}
try:
pe = pefile.PE(file)
except Exception as e:
sys.stderr.write("[*] Error with %s - %s\n" %(file, str(e)))
continue
if not args.terse:
if args.show_all|args.show_matches:
matches = signatures.match_all(pe, ep_only = True)
t = []
if matches == None or len(matches) == 0:
if not json_out: print "None"
else:
t = set()
for m in matches:
t.add(m[0])
if json_out: j_output['PEid'] = t
else: print "\t" + ", ".join(t)
elif args.peid:
matches = signatures.match(pe, ep_only = True)
if matches == None:
if not json_out: print "None"
else:
if json_out: j_output['PEid'] = matches[0]
else: print matches[0]
if args.show_all:
print pe.dump_info()
if args.terse:
if args.peid:
matches = signatures.match_all(pe, ep_only = True)
if matches == None or len(matches) == 0:
if json_out: j_output['PEiD'] = ["None"]
else: print "PEiD\n\tNone"
else:
t = set()
for m in matches:
t.add(m[0])
if json_out: j_output['PEiD'] = t
else: print "PEiD\n\t" + ", ".join(t)
if json_out:
j_output['Entry Point Address'] = hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
j_output['Image Base Address'] = hex(pe.OPTIONAL_HEADER.ImageBase)
j_output['Linker Version'] = {}
j_output['Linker Version']['Major'] = pe.OPTIONAL_HEADER.MajorLinkerVersion
j_output['Linker Version']['Minor'] = pe.OPTIONAL_HEADER.MinorLinkerVersion
j_output['OS Version'] = {}
j_output['OS Version']['Major'] = pe.OPTIONAL_HEADER.MajorOperatingSystemVersion
j_output['OS Version']['Minor'] = pe.OPTIONAL_HEADER.MinorOperatingSystemVersion
else:
print "Entry Point Address\n\t%s" %(hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint))
print "Image Base Address\n\t%s" %(hex(pe.OPTIONAL_HEADER.ImageBase))
print "Linker Version\n\t%d.%d" %(pe.OPTIONAL_HEADER.MajorLinkerVersion,pe.OPTIONAL_HEADER.MinorLinkerVersion)
print "OS Version\n\t%d.%d" %(pe.OPTIONAL_HEADER.MajorOperatingSystemVersion,pe.OPTIONAL_HEADER.MinorOperatingSystemVersion)
if pe.FILE_HEADER.Machine == 0x14c:
if json_out: j_output['Machine'] = 'x86'
else: print "Machine\n\tx86"
elif pe.FILE_HEADER.Machine == 0x14d:
if json_out: j_output['Machine'] = '486'
else: print "Machine\n\t486"
elif pe.FILE_HEADER.Machine == 0x14e:
if json_out: j_output['Machine'] = 'Pentium'
else: print "Machine\n\tPentium"
elif pe.FILE_HEADER.Machine == 0x0200:
if json_out: j_output['Machine'] = 'AMD64 only'
else: print "Machine\n\tAMD64 only\n"
elif pe.FILE_HEADER.Machine == 0x8664:
if json_out: j_output['Machine'] = '64b'
else: print "Machine\n\t64b"
else:
if json_out: j_output['Machine'] = 'Unknown'
else: print "Machine\n\tUnknown"
try:
if json_out: j_output['Compile Time'] = "%s UTC" %(time.asctime(time.gmtime(pe.FILE_HEADER.TimeDateStamp)))
else: print 'Compile Time\n\t%s UTC' %(time.asctime(time.gmtime(pe.FILE_HEADER.TimeDateStamp)))
except ValueError, e:
if json_out: j_output['Compile Time'] = "Invalid Time" %(time.asctime(time.gmtime(pe.FILE_HEADER.TimeDateStamp)))
else: print 'Compile Time\n\tInvalid Time' %(time.asctime(time.gmtime(pe.FILE_HEADER.TimeDateStamp)))
try:
if json_out: j_output['Checksum'] = pe.IMAGE_OPTIONAL_HEADER.CheckSum
else: print "Checksum\t%s" %(pe.IMAGE_OPTIONAL_HEADER.CheckSum)
except AttributeError as e:
pass
if not json_out:
print "Sections"
section_info = {}
for section in pe.sections:
name = ""
# occasionally a nul sneaks in, don't print from the nul to eos
if "\0" in section.Name:
nul = section.Name.index("\0")
name = section.Name[:nul]
if json_out:
section_info[name] = {}
section_info[name]['VirtualAddress'] = hex(section.VirtualAddress)
section_info[name]['VirtualSize'] = hex(section.Misc_VirtualSize)
section_info[name]['RawDataSize'] = hex(section.SizeOfRawData)
else: print "\t%s %s %s %s" %(name, hex(section.VirtualAddress), hex(section.Misc_VirtualSize), section.SizeOfRawData)
if json_out: j_output['Sections'] = section_info
if not json_out:
print "Imports"
try:
import_info = {}
for entry in pe.DIRECTORY_ENTRY_IMPORT:
if not json_out: print "\t" + entry.dll
import_info[entry.dll] = {}
for imp in entry.imports:
if json_out:
import_info[entry.dll]['address'] = imp.address
if imp.ordinal == None: import_info[entry.dll]['name'] = imp.name
else: import_info[entry.dll]['ordinal'] = imp.ordinal
else: print '\t\t%s %s' %(hex(imp.address), (imp.name if imp.ordinal == None else "("+str(imp.ordinal)+")"))
if len(import_info) > 0:
j_output['Imports'] = import_info
except AttributeError as e:
if not json_out: print "\tNone"
if not json_out:
print "Exports"
try:
export_info = {}
if len(pe.DIRECTORY_ENTRY_EXPORT.symbols) > 0:
for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
if json_out:
export_info[exp.name] = {}
export_info[exp.name]['address'] = hex(exp.address)
export_info[exp.name]['ordinal'] = exp.ordinal
else: print '\t\t%s %s (%s)' %(hex(exp.address), exp.name, exp.ordinal)
j_output['Exports'] = export_info
else:
print "\tNone"
except AttributeError as e:
print "\tNone"
sig_info = get_sig(file, pe, args.extract_sig)
if sig_info:
if json_out:
j_output['Signature'] = sig_info
else:
print "Digital Signature\n\t%s" + "\n\t".join(sig_info)
if args.disasm and not json_out:
print "Dissassembly"
if args.disasm:
asm = []
ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint
ep_ava = ep+pe.OPTIONAL_HEADER.ImageBase
data = pe.get_memory_mapped_image()[ep:ep+args.disasm]
#
# Determine if the file is 32bit or 64bit
#
mode = CS_MODE_32
if pe.OPTIONAL_HEADER.Magic == 0x20b:
mode = CS_MODE_64
md = Cs(CS_ARCH_X86, mode)
for (address, size, mnemonic, op_str) in md.disasm_lite(data, 0x1000):
if json_out:
t = {}
t['address'] = address
t['mnemonic'] = mnemonic
t['op_str'] = op_str
asm.append(t)
else:
if args.terse:
print "\t0x%x:\t%s\t%s" %(address, mnemonic, op_str)
else:
print "0x%x:\t%s\t%s" %(address, mnemonic, op_str)
if json_out:
j_output['Disassembly'] = asm
file_json[file] = j_output
dest="version",
help="show version number",
default=False,
action="store_true")
(options, args) = parser.parse_args()
if options.version:
print "Packerid.py version ", version, "\n Copyright (c) 2007, Jim Clausing"
sys.exit(0)
if len(args) < 1:
parser.error("no files specified")
if options.alt_db:
signatures = peutils.SignatureDatabase(options.alt_db)
else:
signatures = peutils.SignatureDatabase('/usr/local/etc/userdb.txt')
for file in args:
try:
pe = pefile.PE(file)
except:
print file, ": ### ERROR ###"
continue
if options.show_all | options.show_matches:
matches = signatures.match_all(pe, ep_only=True)
else:
matches = signatures.match(pe, ep_only=True)
def main_s(pe, ch, f, name):
#global handle
filesize = os.stat(name).st_size
filesize = filesize / 1024
filesize = str(filesize) + "KB"
atime = os.stat(name).st_atime
mtime = os.stat(name).st_mtime
ctime = os.stat(name).st_ctime
dateArray = datetime.datetime.fromtimestamp(atime)
atime = dateArray.strftime("%Y--%m--%d %H:%M:%S")
dateArray = datetime.datetime.fromtimestamp(mtime)
mtime = dateArray.strftime("%Y--%m--%d %H:%M:%S")
dateArray = datetime.datetime.fromtimestamp(ctime)
ctime = dateArray.strftime("%Y--%m--%d %H:%M:%S")
exescan = ExeScan(pe, name)
(MD5, SHA1, SHA256, data) = exescan.hashes()
stx = StringAndThreat(MD5, data)
# store reports in folders
#if os.path.exists(MD5):
# report_name = str(MD5)+".txt"
# report_name = os.path.join(MD5,report_name)
#else:
# os.mkdir(MD5)
# report_name = str(MD5)+".txt"
# report_name = os.path.join(MD5,report_name)
#handle = open(report_name,'a')
greet()
log("\n\n[+] 文件名 : %s" % name)
log("\n\t[*] MD5 : %s" % MD5)
log("\t[*] SHA-1 : %s" % SHA1)
log("\t[*] SHA-256 : %s" % SHA256)
log("\t[*] 文件访问时间 : %s" % atime)
log("\t[*] 文件内容修改时间 : %s" % mtime)
#log("\t[*] 文件属性修改时间 : %s" % ctime)
log("\t[*] 文件大小 : %s" % filesize)
#check file type (exe, dll)
if pe.is_exe():
log("\n[+] 文件类型: EXE")
elif pe.is_dll():
log("\n[+] 文件类型: DLL")
else:
log("\n 不是PE文件结构")
return 2
strings = f.readlines()
mf = open("API.txt", "r")
MALAPI = mf.readlines()
signature = peutils.SignatureDatabase("userdb.txt")
check = signature.match_all(pe, ep_only=True)
exescan.base(check)
#exescan.header()
#exescan.importtab()
#exescan.exporttab()
exescan.malapi(MALAPI, strings)
exescan.anomalis()
#stx.StringE()
#if ch == "-i":
# exescan.base(check)
# exescan.importtab()
# exescan.exporttab()
#elif ch == "-b":
# exescan.base(check)
#elif ch == "-m":
# exescan.base(check)
# exescan.malapi(MALAPI,strings)
#elif ch == "-p":
# exescan.base(check)
# exescan.header()
#elif ch == "-a":
# exescan.base(check)
# exescan.anomalis()
# exescan.malapi(MALAPI,strings)
# stx.StringE()
#else:
# print()
mf.close()
#handle.close()
return MD5
