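def run(self, objfile):
    """Compare a PE file's header checksum with the recomputed one.

    Sets ``self.key`` to ``"PEChecksum"`` and resets ``self.score`` to 0.
    For objects whose type is ``PE32`` or ``MS-DOS`` it parses
    ``objfile.file_data`` and compares ``OPTIONAL_HEADER.CheckSum`` with
    the value returned by ``generate_checksum()``. A mismatch sets
    ``self.score`` to 10.

    Returns:
        A dict with ``Claimed`` and ``Actual`` (hex strings) and
        ``Suspicious`` (bool) when the data parsed as a PE. ``None`` when
        the type is not handled or parsing raised ``PEFormatError``.
    """
    self.key = "PEChecksum"
    self.score = 0

    if objfile.get_type() not in ('PE32', 'MS-DOS'):
        return None

    try:
        pe = PE(data=objfile.file_data)
        claimed_sum = pe.OPTIONAL_HEADER.CheckSum
        actual_sum = pe.generate_checksum()

        # Compare the integers, not their hex() text: under Python 2 a long
        # renders with a trailing "L", so equal values of mixed int/long
        # type would compare unequal as strings and be flagged.
        suspicious = actual_sum != claimed_sum
        if suspicious:
            # NOTE(review): a mismatch is a weak signal on its own. The
            # Windows loader validates this field only for drivers and some
            # system DLLs, and many benign user-mode binaries ship with a
            # CheckSum of 0. Correlate with other indicators before acting.
            self.score = 10

        claimed = hex(claimed_sum)
        actual = hex(actual_sum)
        log.info("Claimed: %s, Actual: %s %s" % (claimed, actual, "[SUSPICIOUS]" if suspicious else ""))
        return {'Claimed': claimed, 'Actual': actual, 'Suspicious': suspicious}
    except PEFormatError as e:
        # "as" form is valid on Python 2.6+ and Python 3. A file that fails
        # to parse is logged and yields no result (implicit None).
        log.warn("Error - No Portable Executable or MS-DOS: %s" % e)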