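def get(filename):
    """Return the printable strings found in the file at *filename*.

    The file is opened in binary mode and handed to ``stream.get_process``;
    the chunks it yields are concatenated and every character in the ranges
    0x00-0x08, 0x0b, 0x0c, 0x0e-0x1f and 0x7f-0xff is stripped, leaving
    printable ASCII plus TAB, LF and CR.

    Args:
        filename: path of the (potentially hostile) executable to scan.

    Returns:
        str: the concatenated, filtered strings; ``""`` when nothing was yielded.

    Raises:
        OSError: if the file cannot be opened (``IOError`` on Python 2).
    """
    # NOTE(review): assumes stream.get_process yields str chunks -- the original
    # concatenated them onto "" -- confirm against lib.stream; under Python 3
    # a bytes-yielding generator would need b"".join and a bytes regex instead.
    with open(filename, "rb") as pe_stream:
        # 'with' releases the descriptor even if get_process raises part-way
        # through a malformed sample; the original closed it only on the
        # success path.  A single join is linear, whereas repeated += on a
        # growing string is quadratic in the worst case.
        strings = "".join(stream.get_process(pe_stream))
    # Drop control characters and the upper half of the byte range.  ESC
    # (0x1b) falls inside 0x0e-0x1f, so terminal escape sequences planted in
    # a sample cannot pass through to whatever prints this output.
    printable_strings = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]", "", strings)
    return printable_strings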
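def get(filename):
    """Extract file names and URLs referenced by the executable at *filename*.

    Every string yielded by ``stream.get_process`` is scanned for tokens that
    end in a 2-3 letter extension.  Tokens longer than 6 characters that match
    ``enum.file_url_pattern`` are reported as URLs; the remainder are matched
    against the extension table loaded from the FILE_TYPE XML, whose entries
    have the shape ``[".zip", {"type": "Compressed"}]``.

    Args:
        filename: path of the (untrusted) executable to scan.

    Returns:
        tuple: ``(filelist, urls)`` where ``filelist`` is a list of
        ``(type_description, [name, ...])`` pairs in first-seen order, e.g.
        ``[('Binary', ['core_x86.bin', 'dropper_x86.bin']),
        ('Web Page', ['gate.php'])]`` (empty when nothing classified), and
        ``urls`` is the sorted, de-duplicated list of URL-like tokens.

    Raises:
        OSError: if the file cannot be opened (``IOError`` on Python 2).
    """
    # Raw string: the original "\." is an invalid escape in a plain literal
    # (a warning on newer Pythons) with the same resulting pattern.  With
    # MULTILINE '$' anchors at each line end and '.' never crosses a newline,
    # so backtracking is bounded per line even on attacker-controlled data.
    extension_token = re.compile(r"(.+\.([a-z]{2,3}$))+", re.IGNORECASE | re.MULTILINE)

    candidates = []  # raw tokens that carry an extension
    # The original never closed this handle; in a batch run over many samples
    # the leaked descriptors accumulate.  'with' releases it even if
    # get_process raises part-way through a malformed file.
    with open(filename, "rb") as executable_file:
        for found_str in stream.get_process(executable_file):
            hits = extension_token.findall(found_str)
            if hits:
                # findall yields (outer_group, inner_group) tuples; keep the
                # whole token of the first hit, as before.
                candidates.append(hits[0][0])

    urls = []
    files = []
    for token in sorted(set(candidates)):
        # NOTE(review): enum.file_url_pattern is defined elsewhere; the
        # length floor of 6 is inherited from the original -- confirm intent.
        if len(token) > 6 and re.search(enum.file_url_pattern, token, re.IGNORECASE):
            urls.append(token)
        else:
            files.append(token)

    xml = XMLParser()
    file_type_path = getPath(lib.enum.paths.FILE_TYPE)
    # Each entry: file_type[0] is the extension, file_type[1]["type"] its label.
    file_type_list = xml.getElementsByTag(file_type_path, "file")
    # Compile once per extension instead of once per (extension, token) pair.
    # re.escape makes the extension a literal suffix: the original interpolated
    # it unescaped, so ".bin$" also matched "xbin" because '.' is a
    # metacharacter.  NOTE(review): if any FILE_TYPE entry deliberately relies
    # on regex syntax this must be relaxed for it -- confirm against the XML.
    type_matchers = [
        (re.compile(re.escape(file_type[0]) + "$", re.IGNORECASE), file_type[1]["type"])
        for file_type in file_type_list
    ]

    # Group names by type label, preserving first-seen order of labels and of
    # names within each label.  A token matching several entries is listed
    # under each of them, as before.
    grouped = {}
    label_order = []
    for token in files:  # already sorted and unique
        for matcher, label in type_matchers:
            if matcher.search(token):
                if label not in grouped:
                    grouped[label] = []
                    label_order.append(label)
                grouped[label].append(token)

    filelist = [(label, grouped[label]) for label in label_order]
    return filelist, urls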