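def run(self, objfile):
    """Compare the PE header's claimed checksum with a recomputed one.

    Only samples typed ``PE32`` or ``MS-DOS`` are examined.  A mismatch
    between ``OPTIONAL_HEADER.CheckSum`` and ``pe.generate_checksum()``
    marks the result suspicious and raises ``self.score`` to 10.

    @param objfile: sample wrapper exposing ``get_type()`` and ``file_data``.
    @return: ``{'Claimed': hex str, 'Actual': hex str, 'Suspicious': bool}``
             for a parsable PE; ``None`` when the type is not PE/MS-DOS or
             pefile rejects the data (logged as a warning).
    """
    self.key = "PEChecksum"
    self.score = 0

    if objfile.get_type() not in ('PE32', 'MS-DOS'):
        return None

    suspicious = False
    try:
        pe = PE(data=objfile.file_data)
        # Compare the integers, not their hex() strings: on Python 2 hex()
        # of a long carries a trailing 'L', so equal values formatted from
        # an int and a long would compare unequal and be flagged by mistake.
        claimed_value = pe.OPTIONAL_HEADER.CheckSum
        actual_value = pe.generate_checksum()
        claimed = hex(claimed_value)
        actual = hex(actual_value)
        if actual_value != claimed_value:
            # NOTE(review): a CheckSum left at 0 by the linker (common for
            # non-driver, unsigned images) also lands here, so on its own
            # this is a weak indicator rather than proof of tampering.
            suspicious = True
            self.score = 10
        log.info("Claimed: %s, Actual: %s %s" % (claimed, actual, "[SUSPICIOUS]" if suspicious else ""))
        return {'Claimed': claimed, 'Actual': actual, 'Suspicious': suspicious}
    except PEFormatError as e:
        # Not a parsable PE: nothing to report, caller gets None.
        log.warn("Error - No Portable Executable or MS-DOS: %s" % e)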
def run(self, objfile):
    """Collect basic metadata about the analysed sample.

    Fills ``returnValue["analyse"]`` with the tool version and task start
    time, then builds a second ``infos`` dict with the file extension and,
    for ``PE32``/``MS-DOS`` samples, DLL/EXE/driver flags, a packing
    heuristic and whether a digital signature is present.  ``self.score``
    is raised to 10 when the sample looks packed.

    NOTE(review): as listed here the second ``infos`` dict is never attached
    to ``returnValue`` and nothing is returned; the listing appears to be cut
    after the ``except`` block -- confirm against the full source.

    @param objfile: sample wrapper exposing ``file_extension()``,
                    ``get_type()`` and ``file_data``.
    """
    self.key = "Info"
    self.score = -1
    isProbablyPacked = False
    returnValue = {}
    infos = {}
    infos["ragpicker_version"] = RAGPICKER_VERSION
    infos["started"] = self.task["started_on"]
    returnValue["analyse"] = infos
    # Second dict: per-file properties.
    infos = {}
    infos["extension"] = objfile.file_extension()
    if objfile.get_type() == 'PE32' or objfile.get_type() == 'MS-DOS':
        try:
            pe = PE(data=objfile.file_data)
            isProbablyPacked = is_probably_packed(pe)
            infos["DLL"] = pe.is_dll()
            infos["EXE"] = pe.is_exe()
            infos["DRIVER"] = pe.is_driver()
            infos["isProbablyPacked"] = isProbablyPacked
            # NOTE(review): getDigitalSignature() is not shown here; presumably
            # this only reports that a signature is present, not that the
            # certificate chain was validated -- treat "SignedFile" accordingly.
            if self.getDigitalSignature(pe):
                infos["digitalSignature"] = "SignedFile"
            else:
                infos["digitalSignature"] = "UnsignedFile"
            if isProbablyPacked:
                self.score = 10
        except PEFormatError, e:
            # Only pefile's format error is handled; other exceptions from
            # parsing attacker-controlled bytes propagate to the caller.
            log.warn("Error - No Portable Executable: %s" % e)
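def run(self, objfile):
    """Extract embedded PE resources and register them as included files.

    Resources are collected from the original sample and, when an unpacked
    variant is attached to ``objfile``, from that image as well.  Each parse
    is guarded on its own so that a malformed unpacked image (PEFormatError)
    no longer discards the resources already extracted from the original --
    previously both parses and the registration loop shared one ``try``.

    @param objfile: sample wrapper; ``file.file_data`` and, optionally,
                    ``unpacked_file.file_data`` are parsed with pefile, and
                    ``add_included_file()`` receives each extracted resource.
    """
    self.extractTypes = self.options.get("extracttypes")

    candidates = [objfile.file]
    if objfile.unpacked_file:
        candidates.append(objfile.unpacked_file)

    resources = []
    for candidate in candidates:
        try:
            # pefile is parsing attacker-controlled bytes here; only
            # PEFormatError is handled, anything else propagates.
            pe = PE(data=candidate.file_data)
            resources.extend(self.getResources(pe))
        except PEFormatError as e:
            log.warn("Error - No Portable Executable: %s" % e)

    for resource in resources:
        objfile.add_included_file(resource)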
def run(self, objfile):
    """Run the static PE checks of this plugin and gather their results.

    Each ``self.pe*`` helper inspects one aspect of the parsed image
    (checksum, entry point, TLS callbacks, sections, imports, resources,
    timestamp, suspicious API names, anti-debug and anti-VM indicators,
    version info) and its result is stored under a fixed key.

    NOTE(review): as listed here ``returnValue`` is built but not returned;
    the listing appears to be cut after the ``except`` block -- confirm
    against the full source.

    @param objfile: sample wrapper; ``file.file_data`` is parsed with pefile
                    and ``file.temp_file`` (a path, presumably) is handed to
                    the anti-VM check.
    """
    self.key = "PeFile"
    self.score = 0
    returnValue = {}
    try:
        pe = PE(data=objfile.file.file_data)
        returnValue["PeChecksum"] = self.peChecksum(pe)
        returnValue["PeEntryPoint"] = self.peCheckEP(pe)
        returnValue["PeTlsCallbacks"] = self.checkTlsCallbacks(pe)
        returnValue["PeSections"] = self.peSectionInformations(pe)
        returnValue["Imports"] = self.peImports(pe)
        returnValue["PeRSRC"] = self.peRSRC(pe)
        returnValue["PeTimestamp"] = self.peTimestamp(pe)
        returnValue["PeSuspiciousApiFunctions"] = self.peSuspiciousApiFunctions(pe)
        returnValue["PeCheckAntiDBG"] = self.peCheckAntiDBG(pe)
        returnValue["PeVersionsInfo"] = self.peVersionInfo(pe)
        # Unlike the other checks this one works on the on-disk temp file,
        # not the parsed PE object.
        returnValue["PeCheckAntiVM"] = self.peCheckAntiVM(objfile.file.temp_file)
        # TODO: self.peDebugInformation(pe) raises an InvalidDocument error
        # (presumably when the result is stored); disabled until fixed.
        # returnValue["PeDebugInformation"] = self.peDebugInformation(pe)
    except PEFormatError, e:
        # Only pefile's format error is handled; a failure in any single
        # helper above aborts the whole run and drops the partial results.
        log.warn("Error - No Portable Executable: %s" % e)
def run(self, objfile):
    """Match the sample against the bundled PEiD signature database.

    The database is loaded from ``data/peiddb.txt`` under
    ``RAGPICKER_ROOT`` on every call.  A hit raises ``self.score`` to 10.

    @param objfile: sample wrapper; ``file.file_data`` is parsed as a PE.
    @return: the matched signature(s), or ``None`` when nothing matches or
             the data is not a parsable PE (logged as a warning).
    """
    self.key = "PEID"
    self.score = -1

    db_path = os.path.join(RAGPICKER_ROOT, 'data', 'peiddb.txt')
    try:
        pe = PE(data=objfile.file.file_data)
        # ep_only: only signatures anchored at the entry point are tried.
        found = SignatureDatabase(db_path).match(pe, ep_only=True)
    except PEFormatError as e:
        log.warn("Error - No Portable Executable: %s" % e)
        return None

    if not found:
        return None
    log.info("PEID match: %s" % found)
    self.score = 10
    return found
def run(self, objfile):
    """Collect basic metadata about the analysed sample.

    Fills ``returnValue["analyse"]`` with the sample UUID, tool version and
    task start time, then builds a second ``infos`` dict with the file
    extension and, for ``PE32``/``PE32+``/``MS-DOS`` samples, architecture,
    machine type, subsystem, DLL/EXE/driver flags, a packing heuristic,
    imphash, pehash and whether a digital signature is present.
    ``self.score`` is raised to 10 when the sample looks packed.

    NOTE(review): as listed here the second ``infos`` dict is never attached
    to ``returnValue`` and nothing is returned; the listing appears to be cut
    after the ``except`` block -- confirm against the full source.

    @param objfile: sample wrapper exposing ``get_uuid()`` and a ``file``
                    with ``file_extension()``, ``get_type()`` and ``file_data``.
    """
    self.key = "Info"
    self.score = -1
    isProbablyPacked = False
    returnValue = {}
    infos = {}
    infos["uuid"] = objfile.get_uuid()
    infos["ragpicker_version"] = RAGPICKER_VERSION
    infos["started"] = self.task["started_on"]
    returnValue["analyse"] = infos
    # Second dict: per-file properties.
    infos = {}
    infos["extension"] = objfile.file.file_extension()
    if objfile.file.get_type() == 'PE32' or objfile.file.get_type() == 'PE32+' or objfile.file.get_type() == 'MS-DOS':
        try:
            pe = PE(data=objfile.file.file_data)
            isProbablyPacked = is_probably_packed(pe)
            # Optional-header magic distinguishes PE32 from PE32+; anything
            # else leaves "Architecture" unset.
            if pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE:
                infos["Architecture"] = "32-Bit"
            elif pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS:
                infos["Architecture"] = "64-Bit"
            infos["CPU"] = self.getMaschineType(pe)
            infos["Subsystem"] = self.getSubsystem(pe)
            infos["DLL"] = pe.is_dll()
            infos["EXE"] = pe.is_exe()
            infos["DRIVER"] = pe.is_driver()
            infos["isProbablyPacked"] = isProbablyPacked
            # imphash -> Tracking Malware with Import Hashing
            # (https://www.mandiant.com/blog/tracking-malware-import-hashing)
            # Derived from imported DLL/function names: useful for clustering
            # related builds, trivially changed by an adversary, so treat it as
            # a pivot rather than an identity.
            infos["imphash"] = pe.get_imphash()
            # pehash -- structural hash, see
            # https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski.pdf
            infos["pehash"] = self.getPeHash(pe)
            # NOTE(review): getDigitalSignature() is not shown here; presumably
            # this only reports that a signature is present, not that the
            # certificate chain was validated -- treat "SignedFile" accordingly.
            if self.getDigitalSignature(pe):
                infos["digitalSignature"] = "SignedFile"
            else:
                infos["digitalSignature"] = "UnsignedFile"
            if isProbablyPacked:
                self.score = 10
        except PEFormatError, e:
            # Only pefile's format error is handled; other exceptions from
            # parsing attacker-controlled bytes propagate to the caller.
            log.warn("Error - No Portable Executable: %s" % e)