                    action='store_true',
                    required=False)
parser.add_argument("-s",
                    "--strings",
                    help="export all strings",
                    action='store_true',
                    required=False)

args = parser.parse_args()

# The sample path is taken verbatim from the command line; everything below
# works on the report that peframe builds from that file.
filename = args.file
result = peframe.analyze(filename)

# One-shot export modes. Only the first matching flag is honoured (xorsearch,
# then json, then strings); each prints its view and leaves with exit status 0
# instead of falling through into the console state set up further down.
report = None
if args.xorsearch:
    xor_hits = features.get_xor(filename,
                                search_string=args.xorsearch.encode())
    report = json.dumps(xor_hits, sort_keys=True, indent=4)
elif args.json:
    report = json.dumps(result, sort_keys=True, indent=4)
elif args.strings:
    report = '\n'.join(result['strings']['dump'])

if report is not None:
    print(report)
    sys.exit()

# Console state: the column width used for key/value output and the command
# table (presumably consumed by the interactive-mode code that follows this
# excerpt — verify against the rest of the script).
align = 16
cmd_list = ['info', 'strings', 'exit', 'virustotal']
cmd_list_select = {}
def main():
    parser = argparse.ArgumentParser(
        prog='peframe',
        description='Tool for static malware analysis.',
        epilog=show_config(),
        formatter_class=RawTextHelpFormatter)

    parser.add_argument("file", help="sample to analyze")
    parser.add_argument("-v",
                        "--version",
                        action='version',
                        version='%(prog)s ' + str(__version__))
    parser.add_argument("-i",
                        "--interactive",
                        help="join in interactive mode",
                        action='store_true',
                        required=False)
    parser.add_argument("-x",
                        "--xorsearch",
                        help="search xored string",
                        required=False)
    parser.add_argument("-j",
                        "--json",
                        help="export short report in JSON",
                        action='store_true',
                        required=False)
    parser.add_argument("-s",
                        "--strings",
                        help="export all strings",
                        action='store_true',
                        required=False)

    args = parser.parse_args()

    filename = args.file
    result = peframe.analyze(filename)

    if args.xorsearch:
        print(
            json.dumps(features.get_xor(filename,
                                        search_string=str.encode(
                                            args.xorsearch)),
                       sort_keys=True,
                       indent=4))
        return 1

    if args.json:
        print(json.dumps(result, sort_keys=True, indent=4))
        return 1

    if args.strings:
        print('\n'.join(result['strings']['dump']))
        return 1

    cmd_list, cmd_list_select = get_info(result)

    if args.interactive:
        return interactive_mode(result, cmd_list, cmd_list_select)

    if result['yara_plugins']:
        header('Yara Plugins')
        for item in result['yara_plugins']:
            for k, v in item.items():
                print(v.replace('_', ' '))

    if result['docinfo']:
        if result['docinfo']['behavior']:
            header('Behavior')
            for k, v in result['docinfo']['behavior'].items():
                print(k.ljust(ALIGN, ' '), v)

        if result['docinfo']['attributes']:
            header('Attributes')
            for item in result['docinfo']['attributes']:
                print(item)

    if result['peinfo']:
        if result['peinfo']['behavior']:
            header('Behavior')
            for item in result['peinfo']['behavior']:
                print(item.replace('_', ' '))

        if result['peinfo']['features']['crypto']:
            header('Crypto')
            for item in result['peinfo']['features']['crypto']:
                print(item.replace('_', ' '))

        if result['peinfo']['features']['packer']:
            header('Packer')
            for item in result['peinfo']['features']['packer']:
                print(item.replace('_', ' '))

        if result['peinfo']['features']['xor']:
            header('Xor')
            for k, v in result['peinfo']['features']['xor'].items():
                print(str(k).ljust(ALIGN, ' '), v)

        if result['peinfo']['features']['mutex']:
            header('Mutex Api')
            for item in result['peinfo']['features']['mutex']:
                print(item)

        if result['peinfo']['features']['antidbg']:
            header('Anti Debug')
            for item in result['peinfo']['features']['antidbg']:
                print(item)

        if result['peinfo']['features']['antivm']:
            header('Anti VM')
            for item in result['peinfo']['features']['antivm']:
                print(item)

        if result['peinfo']['sections']:
            header('Sections Suspicious')
            found = False
            for item in result['peinfo']['sections']['details']:
                if item['entropy'] > 6:
                    print(item['section_name'].ljust(ALIGN, ' '),
                          str(item['entropy'])[:4])
                    found = True
            if not found:
                print('For each section the value of entropy is less than 6')

        if result['peinfo']['metadata']:
            header('Metadata')
            for k, v in result['peinfo']['metadata'].items():
                print(k.ljust(ALIGN, ' '), v[0:63])

        if result['peinfo']['directories']['import']:
            header('Import function')
            for k, v in result['peinfo']['directories']['import'].items():
                print(k.ljust(ALIGN, ' '), len(v))

        if result['peinfo']['directories']['export']:
            header('Export function')
            detect = []
            for item in result['peinfo']['directories']['export']:
                detect.append(item)
            print("export".ljust(ALIGN, ' '), detect)

        if result['peinfo']['directories']['sign']:
            header('Signature')
            for k, v in result['peinfo']['directories']['sign'][
                    'details'].items():
                if k != 'hash':
                    print(k.ljust(ALIGN, ' '), v)

        if result['peinfo']['breakpoint']:
            header('Possibile Breakpoint')
            for item in result['peinfo']['breakpoint']:
                print(item)

    if result['strings']:
        if result['strings']['ip']:
            header('Ip Address')
            for item in result['strings']['ip']:
                print(item)

        if result['strings']['url']:
            header('Url')
            for item in result['strings']['url']:
                print(item)

        if result['strings']['file']:
            header('File')
            for k, v in result['strings']['file'].items():
                print(k.ljust(ALIGN, ' '), v)

        if result['strings']['fuzzing']:
            header('Fuzzing')
            for k, v in result['strings']['fuzzing'].items():
                print(k)