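def output_file(self, outdir, data):
    """Write the extracted PDF metadata to ``metadata.txt`` inside *outdir*.

    Args:
        outdir: directory the report is written into; it must already exist
            (``open(..., 'w')`` does not create directories).
        data: mapping of metadata name -> value pulled from the sample. Both
            sides are routed through ``printable_str`` so hostile bytes in the
            PDF never reach the report (or a terminal viewing it) raw.

    Returns:
        ``False`` when the file could not be written, otherwise ``None``
        (the original contract; callers must test with ``is False``).
    """
    log = logging.getLogger('Mastiff.Plugins.' + self.name)
    report_path = os.path.join(outdir, 'metadata.txt')
    try:
        # ``with`` guarantees the handle is closed on every path; the
        # previous version never closed it at all.
        with open(report_path, 'w') as out_file:
            out_file.write('PDF Metadata\n\n')
            for key in data:
                # keys come from the same untrusted source as the values,
                # so sanitize them too
                out_file.write('{0:25}\t{1}\n'.format(
                    printable_str(key), printable_str(data[key])))
    except IOError as err:
        log.error('Write error: %s', err)
        return False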
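def output_file_quick(self, outdir, pe):
    """Write a short PE summary to ``peinfo-quick.txt`` inside *outdir*.

    Sections, in order: timestamp and subsystem, section headers (via
    ``self._dump_section_headers``), pefile parser warnings, version
    ("file") information, imports and exports.

    Args:
        outdir: directory the report is written into; it must already exist.
        pe: parsed ``pefile.PE`` object for the (untrusted) sample.

    Returns:
        ``False`` if the report could not be written, otherwise ``None``
        (the original contract; callers must test with ``is False``).
    """
    log = logging.getLogger('Mastiff.Plugins.' + self.name + '.quick')
    report_path = os.path.join(outdir, 'peinfo-quick.txt')
    try:
        # ``with`` closes the file even when a write or a pefile attribute
        # access fails part-way; the previous version only closed it on the
        # success path.
        with open(report_path, 'w') as outfile:
            outfile.write('PE Header Information\n\n')
            outfile.write('Quick Info:\n\n')

            stamp = pe.FILE_HEADER.TimeDateStamp
            try:
                outfile.write('TimeDateStamp: %s\n'
                              % time.asctime(time.gmtime(stamp)))
            except (ValueError, OverflowError, OSError):
                # the field is attacker-controlled; gmtime rejects
                # out-of-range values with a platform-dependent exception
                outfile.write('TimeDateStamp: Invalid Time %x\n' % stamp)

            subsystem = pe.OPTIONAL_HEADER.Subsystem
            # .get(): an unknown/malformed subsystem value must not abort
            # the whole report with a KeyError (SUBSYSTEM_TYPE is a dict)
            outfile.write('Subsystem: %s\n' % pefile.SUBSYSTEM_TYPE.get(
                subsystem, 'Unknown (0x%x)' % subsystem))
            outfile.write(self._dump_section_headers(pe))

            # parser warnings are often the first hint of a packer or a
            # deliberately malformed header
            outfile.write('\nParser Warnings:\n')
            for warning in pe.get_warnings():
                outfile.write('- ' + warning + '\n')

            # version information - thanks to Ero Carrera for the sample code
            # http://blog.dkbza.org/2007/02/pefile-parsing-version-information-from.html
            outfile.write('\nFile Information:\n')
            if hasattr(pe, 'FileInfo'):
                for fileinfo in pe.FileInfo:
                    if fileinfo.Key == 'StringFileInfo':
                        for string_table in fileinfo.StringTable:
                            for name, value in string_table.entries.items():
                                outfile.write('{0:20}:\t{1:40}\n'.format(
                                    printable_str(name), printable_str(value)))
                    if fileinfo.Key == 'VarFileInfo':
                        # a VarFileInfo block can be present but empty (no Var
                        # list, or an empty entry dict); read it defensively so
                        # a hostile sample cannot crash the report here
                        for var in getattr(fileinfo, 'Var', None) or []:
                            entries = list((getattr(var, 'entry', None) or {}).items())
                            if entries:
                                name, value = entries[0]
                                outfile.write('{0:20}:\t{1:40}\n'.format(
                                    printable_str(name), printable_str(value)))
            else:
                outfile.write('No file information present.\n')

            # NOTE(review): DLL, import and export names below are written
            # verbatim from the sample, unlike the version strings above;
            # consider routing them through printable_str() once it is
            # confirmed to tolerate None (ordinal-only imports).
            outfile.write('\nImports:\n')
            if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
                outfile.write('{0:20}\t{1:30}\t{2:10}\n'.format(
                    'DLL', 'API', 'Address'))
                outfile.write('-' * 70 + '\n')
                for entry in pe.DIRECTORY_ENTRY_IMPORT:
                    for imp in entry.imports:
                        outfile.write('{0:20}\t{1:30}\t{2:10}\n'.format(
                            entry.dll, imp.name, hex(imp.address)))
            else:
                outfile.write('No imports.\n')

            outfile.write('\nExports:\n')
            if hasattr(pe, 'DIRECTORY_ENTRY_EXPORT'):
                outfile.write('{0:20}\t{1:10}\t{2:10}\n'.format(
                    'Name', 'Address', 'Ordinal'))
                outfile.write('-' * 50 + '\n')
                image_base = pe.OPTIONAL_HEADER.ImageBase
                for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
                    # export RVAs are rebased so the report shows VAs
                    outfile.write('{0:20}\t{1:10}\t{2:10}\n'.format(
                        exp.name, hex(image_base + exp.address), exp.ordinal))
            else:
                outfile.write('No Exports.\n')
    except IOError as err:
        # the old message named the wrong file (peinfo.txt)
        log.error('Cannot write to %s: %s', report_path, err)
        return False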
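def output_file_quick(self, outdir, pe):
    """Write a short PE summary to ``peinfo-quick.txt`` inside *outdir*.

    Sections, in order: timestamp and subsystem, section headers (via
    ``self._dump_section_headers``), pefile parser warnings, version
    ("file") information, imports and exports.

    Args:
        outdir: directory the report is written into; it must already exist.
        pe: parsed ``pefile.PE`` object for the (untrusted) sample.

    Returns:
        ``False`` if the report could not be written, otherwise ``None``
        (the original contract; callers must test with ``is False``).
    """
    log = logging.getLogger('Mastiff.Plugins.' + self.name + '.quick')
    report_path = os.path.join(outdir, 'peinfo-quick.txt')
    try:
        # ``with`` closes the file even when a write or a pefile attribute
        # access fails part-way; the previous version only closed it on the
        # success path.
        with open(report_path, 'w') as outfile:
            outfile.write('PE Header Information\n\n')
            outfile.write('Quick Info:\n\n')

            stamp = pe.FILE_HEADER.TimeDateStamp
            try:
                outfile.write('TimeDateStamp: %s\n'
                              % time.asctime(time.gmtime(stamp)))
            except (ValueError, OverflowError, OSError):
                # the field is attacker-controlled; gmtime rejects
                # out-of-range values with a platform-dependent exception
                outfile.write('TimeDateStamp: Invalid Time %x\n' % stamp)

            subsystem = pe.OPTIONAL_HEADER.Subsystem
            # .get(): an unknown/malformed subsystem value must not abort
            # the whole report with a KeyError (SUBSYSTEM_TYPE is a dict)
            outfile.write('Subsystem: %s\n' % pefile.SUBSYSTEM_TYPE.get(
                subsystem, 'Unknown (0x%x)' % subsystem))
            outfile.write(self._dump_section_headers(pe))

            # parser warnings are often the first hint of a packer or a
            # deliberately malformed header
            outfile.write('\nParser Warnings:\n')
            for warning in pe.get_warnings():
                outfile.write('- ' + warning + '\n')

            # version information - thanks to Ero Carrera for the sample code
            # http://blog.dkbza.org/2007/02/pefile-parsing-version-information-from.html
            outfile.write('\nFile Information:\n')
            if hasattr(pe, 'FileInfo'):
                for fileinfo in pe.FileInfo:
                    if fileinfo.Key == 'StringFileInfo':
                        for string_table in fileinfo.StringTable:
                            for name, value in string_table.entries.items():
                                outfile.write('{0:20}:\t{1:40}\n'.format(
                                    printable_str(name), printable_str(value)))
                    if fileinfo.Key == 'VarFileInfo':
                        # A VarFileInfo block can be present but empty (no Var
                        # list, or an empty entry dict). The previous bare
                        # ``except: pass`` hid that case together with every
                        # other error, including KeyboardInterrupt; read the
                        # structure defensively instead.
                        for var in getattr(fileinfo, 'Var', None) or []:
                            entries = list((getattr(var, 'entry', None) or {}).items())
                            if entries:
                                name, value = entries[0]
                                outfile.write('{0:20}:\t{1:40}\n'.format(
                                    printable_str(name), printable_str(value)))
            else:
                outfile.write('No file information present.\n')

            # NOTE(review): DLL, import and export names below are written
            # verbatim from the sample, unlike the version strings above;
            # consider routing them through printable_str() once it is
            # confirmed to tolerate None (ordinal-only imports).
            outfile.write('\nImports:\n')
            if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
                outfile.write('{0:20}\t{1:30}\t{2:10}\n'.format(
                    'DLL', 'API', 'Address'))
                outfile.write('-' * 70 + '\n')
                for entry in pe.DIRECTORY_ENTRY_IMPORT:
                    for imp in entry.imports:
                        outfile.write('{0:20}\t{1:30}\t{2:10}\n'.format(
                            entry.dll, imp.name, hex(imp.address)))
            else:
                outfile.write('No imports.\n')

            outfile.write('\nExports:\n')
            if hasattr(pe, 'DIRECTORY_ENTRY_EXPORT'):
                outfile.write('{0:20}\t{1:10}\t{2:10}\n'.format(
                    'Name', 'Address', 'Ordinal'))
                outfile.write('-' * 50 + '\n')
                image_base = pe.OPTIONAL_HEADER.ImageBase
                for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
                    # export RVAs are rebased so the report shows VAs
                    outfile.write('{0:20}\t{1:10}\t{2:10}\n'.format(
                        exp.name, hex(image_base + exp.address), exp.ordinal))
            else:
                outfile.write('No Exports.\n')
    except IOError as err:
        # the old message named the wrong file (peinfo.txt)
        log.error('Cannot write to %s: %s', report_path, err)
        return False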