def get_fileinfo(filename):
strings_info = json.loads(stringstat.get(filename))
all_strings = strings_info["content"]
# file and url
fileurl_info = fileurl.get(filename, strings_match)
file_info = fileurl_info["file"]
url_info = fileurl_info["url"]
ip_info = fileurl_info["ip"]
fuzzing_info = fileurl_info["fuzzing"]
md5, sha1, sha256 = get_hash(filename)
hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}
# virustotal
virustotal_info = virustotal.get(md5, strings_match)
# json으로 반환
return json.dumps(
{
"peframe_ver": help.VERSION,
"file_type": ftype,
"file_name": fname,
"file_size": fsize,
"hash": hash_info,
"file_found": file_info,
"url_found": url_info,
"ip_found": ip_info,
"virustotal": virustotal_info,
"fuzzing": fuzzing_info,
"pe_info": False
},
indent=4,
separators=(',', ': '))
def get_fileinfo(filename):
strings_info = json.loads(stringstat.get(filename))
all_strings = strings_info["content"]
# file and url
fileurl_info = fileurl.get(filename, strings_match)
file_info = fileurl_info["file"]
url_info = fileurl_info["url"]
ip_info = fileurl_info["ip"]
fuzzing_info = fileurl_info["fuzzing"]
md5, sha1, sha256 = get_hash(filename)
hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}
# virustotal
virustotal_info = virustotal.get(md5, strings_match)
return json.dumps({"peframe_ver": help.VERSION,
"file_type": ftype,
"file_name": fname,
"file_size": fsize,
"hash": hash_info,
"file_found": file_info,
"url_found": url_info,
"ip_found": ip_info,
"virustotal": virustotal_info,
"fuzzing": fuzzing_info,
"pe_info": False},
indent=4, separators=(',', ': '))
def testName(self):
filelist,arrayUrl = fileurl.get('chrome.exe')
print "FILE LIST"
for elem in filelist:
print elem
print "URL LIST"
print arrayUrl
def get_pe_fileinfo(pe, filename):
# is dll?
dll = pe.FILE_HEADER.IMAGE_FILE_DLL
# num sections
nsec = pe.FILE_HEADER.NumberOfSections
# timestamp
tstamp = pe.FILE_HEADER.TimeDateStamp
try:
""" return date """
tsdate = datetime.datetime.fromtimestamp(tstamp)
except:
""" return timestamp """
tsdate = str(tstamp) + " [Invalid date]"
# get md5, sha1, sha256, imphash
md5, sha1, sha256, imphash = get_hash(filename)
hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}
detected = []
# directory list
dirlist = directories.get(pe)
# digital signature
for sign in dirlist:
if sign == "security": detected.append("sign")
# packer (peid)
packer = peid.get(pe, userdb)
if packer: detected.append("packer")
# mutex
mutex = apimutex.get(pe, strings_match)
if mutex: detected.append("mutex")
# anti debug
antidbg = apiantidbg.get(pe, strings_match)
if antidbg: detected.append("antidbg")
# Xor
xorcheck = xor.get(filename)
if xorcheck: detected.append("xor")
# anti virtual machine
antivirtualmachine = antivm.get(filename)
if antivirtualmachine: detected.append("antivm")
# api alert suspicious
apialert_info = apialert.get(pe, strings_match)
# file and url
fileurl_info = fileurl.get(filename, strings_match)
file_info = fileurl_info["file"]
url_info = fileurl_info["url"]
ip_info = fileurl_info["ip"]
fuzzing_info = fileurl_info["fuzzing"]
# meta info
meta_info = meta.get(pe)
# import function
import_function = funcimport.get(pe)
# export function
export_function = funcexport.get(pe)
# sections
sections_info = sections.get(pe)
# resources
resources_info = resources.get(pe)
# virustotal
virustotal_info = virustotal.get(md5, strings_match)
# json으로 반환
return json.dumps(
{
"peframe_ver": help.VERSION,
"file_type": ftype,
"file_name": fname,
"file_size": fsize,
"hash": hash_info,
"file_found": file_info,
"url_found": url_info,
"ip_found": ip_info,
"virustotal": virustotal_info,
"fuzzing": fuzzing_info,
"pe_info": {
"import_hash": imphash,
"compile_time": str(tsdate),
"dll": dll,
"sections_number": nsec,
"xor_info": xorcheck,
"detected": detected,
"directories": dirlist,
"sign_info": cert.get(pe),
"packer_info": packer,
"antidbg_info": apiantidbg.get(pe, strings_match),
"mutex_info": apimutex.get(pe, strings_match),
"antivm_info": antivirtualmachine,
"apialert_info": apialert_info,
"meta_info": meta_info,
"import_function": import_function,
"export_function": export_function,
"sections_info": sections_info,
"resources_info": resources_info
}
},
indent=4,
separators=(',', ': '))
def get_pe_fileinfo(pe, filename):
# is dll?
dll = pe.FILE_HEADER.IMAGE_FILE_DLL
# num sections
nsec = pe.FILE_HEADER.NumberOfSections
# timestamp
tstamp = pe.FILE_HEADER.TimeDateStamp
try:
""" return date """
tsdate = datetime.datetime.fromtimestamp(tstamp)
except:
""" return timestamp """
tsdate = str(tstamp) + " [Invalid date]"
# get md5, sha1, sha256, imphash
md5, sha1, sha256, imphash = get_hash(filename)
hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}
detected = []
# directory list
dirlist = directories.get(pe)
# digital signature
for sign in dirlist:
if sign == "security": detected.append("sign")
# packer (peid)
packer = peid.get(pe, userdb)
if packer: detected.append("packer")
# mutex
mutex = apimutex.get(pe, strings_match)
if mutex: detected.append("mutex")
# anti debug
antidbg = apiantidbg.get(pe, strings_match)
if antidbg: detected.append("antidbg")
# Xor
xorcheck = xor.get(filename)
if xorcheck: detected.append("xor")
# anti virtual machine
antivirtualmachine = antivm.get(filename)
if antivirtualmachine: detected.append("antivm")
# api alert suspicious
apialert_info = apialert.get(pe, strings_match)
# file and url
fileurl_info = fileurl.get(filename, strings_match)
file_info = fileurl_info["file"]
url_info = fileurl_info["url"]
ip_info = fileurl_info["ip"]
fuzzing_info = fileurl_info["fuzzing"]
# meta info
meta_info = meta.get(pe)
# import function
import_function = funcimport.get(pe)
# export function
export_function = funcexport.get(pe)
# sections
sections_info = sections.get(pe)
# resources
resources_info = resources.get(pe)
# virustotal
virustotal_info = virustotal.get(md5, strings_match)
return json.dumps({"peframe_ver": help.VERSION,
"file_type": ftype,
"file_name": fname,
"file_size": fsize,
"hash": hash_info,
"file_found": file_info,
"url_found": url_info,
"ip_found": ip_info,
"virustotal": virustotal_info,
"fuzzing": fuzzing_info,
"pe_info": {
"import_hash": imphash,
"compile_time": str(tsdate),
"dll": dll,
"sections_number": nsec,
"xor_info": xorcheck,
"detected": detected,
"directories": dirlist,
"sign_info": cert.get(pe),
"packer_info": packer,
"antidbg_info": apiantidbg.get(pe, strings_match),
"mutex_info": apimutex.get(pe, strings_match),
"antivm_info": antivirtualmachine,
"apialert_info": apialert_info,
"meta_info": meta_info,
"import_function": import_function,
"export_function": export_function,
"sections_info": sections_info,
"resources_info": resources_info
}
},
indent=4, separators=(',', ': '))
elif sys.argv[1] == "--fileinfo":
print "Compile Time ", fileinfo.getCompileTime(suspicious_file)
md5 = fileinfo.get_hashes(sys.argv[2])[0]
sha1 = fileinfo.get_hashes(sys.argv[2])[1]
sha256 = fileinfo.get_hashes(sys.argv[2])[2]
print "Hashes MD5 ", md5
print "Hashes SHA 1", sha1
print "Hashes SHA 256", sha256
print "DLL ", fileinfo.getDLL(suspicious_file)
print "File Info name and size ", fileinfo.getFileInfo(sys.argv[2])
print "Number of Sections", fileinfo.getNumberofSections(suspicious_file)
elif sys.argv[1] == "--fileurl":
filelist, arrayUrl = fileurl.get(sys.argv[2])
print " ========= FILE LIST =========="
for elem in filelist:
print """ **************** """ + elem[0] + """****************"""
for e in elem[1]:
print "\t" + e
print " =========== URL LIST ========="
for e in arrayUrl:
print "\t" + e
elif sys.argv[1] == "--import":
for elem in import_function.get(suspicious_file):
print """*******""" + elem[0] + """*******"""
for el in elem[1]:
print el
