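def run(self, objfile):
    """Compare the PE header's claimed checksum with the one pefile computes.

    Side effects: sets ``self.key`` to ``"PEChecksum"`` and ``self.score`` to
    10 on a mismatch, 0 otherwise.

    @return: a dict with ``Claimed`` and ``Actual`` as hex strings and a
        boolean ``Suspicious`` flag; ``None`` when the sample is not typed
        PE32/MS-DOS or when pefile cannot parse it.

    Note: the Windows loader only enforces OptionalHeader.CheckSum for
    drivers and a few boot-time images, so many benign user-mode binaries
    carry a zero or stale value; a mismatch is a weak indicator on its own.
    """
    self.key = "PEChecksum"
    self.score = 0

    file_type = objfile.get_type()
    if file_type != 'PE32' and file_type != 'MS-DOS':
        return None

    try:
        pe = PE(data=objfile.file_data)

        claimed = pe.OPTIONAL_HEADER.CheckSum
        actual = pe.generate_checksum()

        # Compare the integers rather than their hex() strings: under Python 2
        # an int and a long render differently ('0x..' vs '0x..L') even when
        # they are equal, which would produce a false "mismatch".
        suspicious = actual != claimed
        if suspicious:
            self.score = 10

        log.info("Claimed: %s, Actual: %s %s",
                 hex(claimed), hex(actual),
                 "[SUSPICIOUS]" if suspicious else "")

        return {'Claimed': hex(claimed),
                'Actual': hex(actual),
                'Suspicious': suspicious}
    except PEFormatError as e:
        log.warning("Error - No Portable Executable or MS-DOS: %s", e)
        return None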
예제 #2
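 def run(self, objfile):
     """Collect run metadata and basic PE facts about the sample.

     Side effects: sets ``self.key`` to ``"Info"`` and ``self.score`` to 10
     when the packing heuristic fires, -1 otherwise.

     ``returnValue["analyse"]`` receives the ragpicker version and the task
     start time. ``infos`` receives the file extension and, for PE32/MS-DOS
     samples, the DLL/EXE/driver flags, the packing heuristic and the
     signature status.

     NOTE(review): this excerpt ends without attaching ``infos`` to
     ``returnValue`` or returning it; the remainder is presumably outside
     the listing -- confirm against the full source.
     """
     self.key = "Info"
     self.score = -1
     isProbablyPacked = False
     returnValue = {}

     returnValue["analyse"] = {
         "ragpicker_version": RAGPICKER_VERSION,
         "started": self.task["started_on"],
     }

     infos = {"extension": objfile.file_extension()}

     file_type = objfile.get_type()
     if file_type == 'PE32' or file_type == 'MS-DOS':
         try:
             pe = PE(data=objfile.file_data)

             isProbablyPacked = is_probably_packed(pe)

             infos["DLL"] = pe.is_dll()
             infos["EXE"] = pe.is_exe()
             infos["DRIVER"] = pe.is_driver()
             infos["isProbablyPacked"] = isProbablyPacked

             # NOTE(review): getDigitalSignature is not shown here; "SignedFile"
             # presumably means a signature is present, not that it verifies.
             if self.getDigitalSignature(pe):
                 infos["digitalSignature"] = "SignedFile"
             else:
                 infos["digitalSignature"] = "UnsignedFile"

             if isProbablyPacked:
                 self.score = 10
         except PEFormatError as e:
             log.warning("Error - No Portable Executable: %s", e)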
예제 #3
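 def run(self, objfile):
     """Register the resources embedded in the sample and its unpacked form.

     Reads the ``extracttypes`` option into ``self.extractTypes`` (consumed
     by ``getResources``, which is not shown here), then passes every
     resource found in ``objfile.file`` and, when present,
     ``objfile.unpacked_file`` to ``objfile.add_included_file``.

     Each file is parsed in its own try block, so a malformed unpacked file
     no longer discards the resources already found in the original.
     """
     self.extractTypes = self.options.get("extracttypes")

     candidates = [objfile.file]
     if objfile.unpacked_file:
         candidates.append(objfile.unpacked_file)

     resources = []
     for candidate in candidates:
         try:
             pe = PE(data=candidate.file_data)
             resources.extend(self.getResources(pe))
         except PEFormatError as e:
             log.warning("Error - No Portable Executable: %s", e)

     for resource in resources:
         objfile.add_included_file(resource)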
예제 #4
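    def run(self, objfile):
        """Run the static PE checks and collect their results in ``returnValue``.

        Side effects: sets ``self.key`` to ``"PeFile"`` and ``self.score`` to 0
        (the helper methods, not shown here, may adjust it).

        ``returnValue`` gets one entry per check: checksum, entry point, TLS
        callbacks, sections, imports, resources, timestamp, suspicious API
        functions, anti-debugging, version info and anti-VM. A PEFormatError
        from any helper aborts the remaining checks, leaving a partial dict.

        NOTE(review): the excerpt ends without returning ``returnValue``; the
        return is presumably below the part shown -- confirm against the
        full source.
        """
        self.key = "PeFile"
        self.score = 0
        returnValue = {}

        try:
            pe = PE(data=objfile.file.file_data)

            returnValue["PeChecksum"] = self.peChecksum(pe)
            returnValue["PeEntryPoint"] = self.peCheckEP(pe)
            returnValue["PeTlsCallbacks"] = self.checkTlsCallbacks(pe)
            returnValue["PeSections"] = self.peSectionInformations(pe)
            returnValue["Imports"] = self.peImports(pe)
            returnValue["PeRSRC"] = self.peRSRC(pe)
            returnValue["PeTimestamp"] = self.peTimestamp(pe)
            returnValue["PeSuspiciousApiFunctions"] = self.peSuspiciousApiFunctions(pe)
            returnValue["PeCheckAntiDBG"] = self.peCheckAntiDBG(pe)
            returnValue["PeVersionsInfo"] = self.peVersionInfo(pe)
            # The anti-VM check works on the on-disk temp file, not the parsed PE.
            returnValue["PeCheckAntiVM"] = self.peCheckAntiVM(objfile.file.temp_file)
            # TODO: peDebugInformation(pe) is disabled because it produced an
            # InvalidDocument error; re-enable once that is fixed.
            # returnValue["PeDebugInformation"] = self.peDebugInformation(pe)
        except PEFormatError as e:
            log.warning("Error - No Portable Executable: %s", e)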
예제 #5
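    def run(self, objfile):
        """Match the sample's entry point against the PEiD signature database.

        Side effects: sets ``self.key`` to ``"PEID"`` and ``self.score`` to 10
        on a match, -1 otherwise.

        @return: the result of ``SignatureDatabase.match`` (falsy when nothing
            matched), or ``None`` when pefile cannot parse the sample.
        """
        self.key = "PEID"
        self.score = -1

        try:
            pe = PE(data=objfile.file.file_data)
            # The database is re-read from disk on every call; loading it once
            # per module instance would avoid the repeated parse.
            signatures = SignatureDatabase(
                os.path.join(RAGPICKER_ROOT, 'data', 'peiddb.txt'))
            # ep_only=True matches signatures at the entry point only, which is
            # how PEiD packer/compiler signatures are meant to be applied.
            match = signatures.match(pe, ep_only=True)
            if match:
                log.info("PEID match: %s", match)
                self.score = 10
            return match
        except PEFormatError as e:
            log.warning("Error - No Portable Executable: %s", e)
            return None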
예제 #6
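 def run(self, objfile):
     """Collect run metadata and basic PE facts about the sample.

     Side effects: sets ``self.key`` to ``"Info"`` and ``self.score`` to 10
     when the packing heuristic fires, -1 otherwise.

     ``returnValue["analyse"]`` receives the sample UUID, the ragpicker
     version and the task start time. ``infos`` receives the file extension
     and, for PE32/PE32+/MS-DOS samples, architecture, machine type,
     subsystem, DLL/EXE/driver flags, the packing heuristic, imphash, pehash
     and the signature status.

     NOTE(review): this excerpt ends without attaching ``infos`` to
     ``returnValue`` or returning it; the remainder is presumably outside
     the listing -- confirm against the full source.
     """
     self.key = "Info"
     self.score = -1
     isProbablyPacked = False
     returnValue = {}

     returnValue["analyse"] = {
         "uuid": objfile.get_uuid(),
         "ragpicker_version": RAGPICKER_VERSION,
         "started": self.task["started_on"],
     }

     infos = {"extension": objfile.file.file_extension()}

     file_type = objfile.file.get_type()
     if file_type in ('PE32', 'PE32+', 'MS-DOS'):
         try:
             pe = PE(data=objfile.file.file_data)

             isProbablyPacked = is_probably_packed(pe)

             # "Architecture" stays unset if the optional-header magic is
             # neither of the two known values.
             if pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE:
                 infos["Architecture"] = "32-Bit"
             elif pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS:
                 infos["Architecture"] = "64-Bit"

             infos["CPU"] = self.getMaschineType(pe)
             infos["Subsystem"] = self.getSubsystem(pe)
             infos["DLL"] = pe.is_dll()
             infos["EXE"] = pe.is_exe()
             infos["DRIVER"] = pe.is_driver()
             infos["isProbablyPacked"] = isProbablyPacked

             # imphash: hash over the import table, used to cluster samples
             # built from the same source/toolchain -- see
             # https://www.mandiant.com/blog/tracking-malware-import-hashing
             infos["imphash"] = pe.get_imphash()
             # pehash: structural hash of the PE layout (Wicherski, LEET '09):
             # https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski.pdf
             infos["pehash"] = self.getPeHash(pe)

             # NOTE(review): getDigitalSignature is not shown here; "SignedFile"
             # presumably means a signature is present, not that it verifies.
             if self.getDigitalSignature(pe):
                 infos["digitalSignature"] = "SignedFile"
             else:
                 infos["digitalSignature"] = "UnsignedFile"

             if isProbablyPacked:
                 self.score = 10
         except PEFormatError as e:
             log.warning("Error - No Portable Executable: %s", e)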