Пример #1
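def _compile_time(tstamp):
    """Render a PE ``TimeDateStamp`` header value as a UTC date string.

    The field is defined as seconds since the Unix epoch in UTC, so it is
    rendered as a timezone-aware UTC datetime instead of the analyst's local
    time (a naive ``fromtimestamp`` makes the same sample report different
    compile times on different machines). The value is written by the linker
    and trivially forged, and it may be out of range for the platform's time
    functions; in that case the raw integer is returned with an
    ``[Invalid date]`` marker rather than aborting the whole analysis.

    Args:
        tstamp: integer ``FILE_HEADER.TimeDateStamp``.

    Returns:
        ``str`` -- ``"YYYY-MM-DD HH:MM:SS+00:00"`` or
        ``"<tstamp> [Invalid date]"``.
    """
    try:
        tsdate = datetime.datetime.fromtimestamp(tstamp, datetime.timezone.utc)
    except (OverflowError, OSError, ValueError):
        # Only the errors fromtimestamp() raises for a bad epoch value; a bare
        # ``except:`` would also swallow KeyboardInterrupt and any programming
        # error inside the try body.
        return str(tstamp) + " [Invalid date]"
    return str(tsdate)


def get_pe_fileinfo(pe, filename):
    """Run every static heuristic on one PE file and return the report as JSON.

    Args:
        pe: parsed PE object exposing ``FILE_HEADER`` (pefile-style), already
            loaded by the caller.
        filename: path of the same file on disk; handed to the helpers that
            hash or scan the raw bytes (``get_hash``, ``xor``, ``antivm``,
            ``fileurl``).

    Returns:
        A pretty-printed JSON string. ``file_type``, ``file_name`` and
        ``file_size`` are taken from module globals ``ftype``/``fname``/
        ``fsize`` that the caller is expected to have set (not visible here).

    Raises:
        Whatever the individual scan helpers raise; nothing is caught here
        except the out-of-range timestamp case handled by ``_compile_time``.
    """
    # Header facts. These are attacker-controlled metadata (a packer or a
    # hex editor can set anything), so they are reported, not trusted.
    dll = pe.FILE_HEADER.IMAGE_FILE_DLL
    nsec = pe.FILE_HEADER.NumberOfSections
    tsdate = _compile_time(pe.FILE_HEADER.TimeDateStamp)

    # md5, sha1, sha256, imphash
    md5, sha1, sha256, imphash = get_hash(filename)
    hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}

    # data directories present in the optional header
    dirlist = directories.get(pe)

    # Each heuristic runs exactly once and its result is reused for both the
    # "detected" summary and the detailed report below (the anti-debug and
    # mutex scans used to be executed a second time just to fill the JSON).
    packer = peid.get(pe, userdb)
    mutex = apimutex.get(pe, strings_match)
    antidbg = apiantidbg.get(pe, strings_match)
    xorcheck = xor.get(filename)
    antivirtualmachine = antivm.get(filename)

    detected = []
    # A security directory only means an Authenticode blob is attached; it
    # says nothing about whether the signature verifies or who signed it.
    # ``sign_info`` below carries the certificate details for that judgement.
    if "security" in dirlist:
        detected.append("sign")
    # Order is preserved from the original report format.
    for tag, hit in (("packer", packer), ("mutex", mutex),
                     ("antidbg", antidbg), ("xor", xorcheck),
                     ("antivm", antivirtualmachine)):
        if hit:
            detected.append(tag)

    # suspicious API usage
    apialert_info = apialert.get(pe, strings_match)

    # file names, URLs, IPs and fuzzing-related strings found in the binary
    fileurl_info = fileurl.get(filename, strings_match)

    meta_info = meta.get(pe)
    import_function = funcimport.get(pe)
    export_function = funcexport.get(pe)
    sections_info = sections.get(pe)
    resources_info = resources.get(pe)

    # NOTE(review): this shares the sample's MD5 with a third-party service,
    # which reveals that the sample is under analysis -- an OPSEC concern for
    # sensitive cases. Whether ``strings_match`` gates the lookup is not
    # visible here; confirm before running on confidential samples.
    virustotal_info = virustotal.get(md5, strings_match)

    return json.dumps(
        {
            "peframe_ver": help.VERSION,
            "file_type": ftype,
            "file_name": fname,
            "file_size": fsize,
            "hash": hash_info,
            "file_found": fileurl_info["file"],
            "url_found": fileurl_info["url"],
            "ip_found": fileurl_info["ip"],
            "virustotal": virustotal_info,
            "fuzzing": fileurl_info["fuzzing"],
            "pe_info": {
                "import_hash": imphash,
                "compile_time": tsdate,
                "dll": dll,
                "sections_number": nsec,
                "xor_info": xorcheck,
                "detected": detected,
                "directories": dirlist,
                "sign_info": cert.get(pe),
                "packer_info": packer,
                "antidbg_info": antidbg,
                "mutex_info": mutex,
                "antivm_info": antivirtualmachine,
                "apialert_info": apialert_info,
                "meta_info": meta_info,
                "import_function": import_function,
                "export_function": export_function,
                "sections_info": sections_info,
                "resources_info": resources_info
            }
        },
        indent=4,
        separators=(',', ': '))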
Пример #2
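def get_pe_fileinfo(pe, filename):
	"""Collect all static-analysis findings for a PE file and return JSON.

	Args:
		pe: parsed PE object with a ``FILE_HEADER`` attribute (pefile-style).
		filename: on-disk path of the same file, passed to the helpers that
			work on raw bytes (``get_hash``, ``xor``, ``antivm``, ``fileurl``).

	Returns:
		Pretty-printed JSON string. ``file_type``/``file_name``/``file_size``
		come from module globals ``ftype``/``fname``/``fsize`` which the
		caller must have set beforehand (not visible in this block).

	Raises:
		Errors from the scan helpers propagate unchanged; only an
		out-of-range ``TimeDateStamp`` is handled locally.
	"""
	# Header fields are untrusted metadata: a packer or a hex editor can
	# set any value, so they are reported as-is, not relied upon.
	dll = pe.FILE_HEADER.IMAGE_FILE_DLL
	nsec = pe.FILE_HEADER.NumberOfSections
	tstamp = pe.FILE_HEADER.TimeDateStamp

	# TimeDateStamp is seconds since the epoch in UTC; render it as an
	# aware UTC datetime so the reported compile time does not depend on
	# the time zone of the machine running the analysis.
	try:
		tsdate = str(datetime.datetime.fromtimestamp(tstamp, datetime.timezone.utc))
	except (OverflowError, OSError, ValueError):
		# Only the errors fromtimestamp() raises for a bad epoch value. A
		# bare ``except:`` also hides KeyboardInterrupt and real bugs.
		tsdate = str(tstamp) + " [Invalid date]"

	# md5, sha1, sha256, imphash
	md5, sha1, sha256, imphash = get_hash(filename)
	hash_info = {"md5": md5, "sha1": sha1, "sha256": sha256}

	# data directories present in the optional header
	dirlist = directories.get(pe)

	# Run every heuristic once; the results feed both the "detected"
	# summary and the detailed fields (previously the anti-debug and mutex
	# scans were executed twice).
	packer = peid.get(pe, userdb)
	mutex = apimutex.get(pe, strings_match)
	antidbg = apiantidbg.get(pe, strings_match)
	xorcheck = xor.get(filename)
	antivirtualmachine = antivm.get(filename)

	detected = []
	# A security directory means a signature blob is attached, nothing
	# more: it is not evidence that the signature verifies or that the
	# signer is trustworthy. ``sign_info`` carries the certificate data.
	if "security" in dirlist:
		detected.append("sign")
	checks = (
		("packer", packer),
		("mutex", mutex),
		("antidbg", antidbg),
		("xor", xorcheck),
		("antivm", antivirtualmachine),
	)
	for tag, hit in checks:
		if hit:
			detected.append(tag)

	# suspicious API usage
	apialert_info = apialert.get(pe, strings_match)

	# file names, URLs, IPs and fuzzing-related strings in the binary
	fileurl_info = fileurl.get(filename, strings_match)
	file_info = fileurl_info["file"]
	url_info = fileurl_info["url"]
	ip_info = fileurl_info["ip"]
	fuzzing_info = fileurl_info["fuzzing"]

	meta_info = meta.get(pe)
	import_function = funcimport.get(pe)
	export_function = funcexport.get(pe)
	sections_info = sections.get(pe)
	resources_info = resources.get(pe)

	# NOTE(review): sends the sample's MD5 to a third-party service, which
	# discloses that this sample is being analysed -- an OPSEC concern for
	# sensitive cases. Whether ``strings_match`` gates this lookup cannot
	# be seen here; confirm before use on confidential samples.
	virustotal_info = virustotal.get(md5, strings_match)

	report = {
		"peframe_ver": help.VERSION,
		"file_type": ftype,
		"file_name": fname,
		"file_size": fsize,
		"hash": hash_info,
		"file_found": file_info,
		"url_found": url_info,
		"ip_found": ip_info,
		"virustotal": virustotal_info,
		"fuzzing": fuzzing_info,
		"pe_info": {
			"import_hash": imphash,
			"compile_time": tsdate,
			"dll": dll,
			"sections_number": nsec,
			"xor_info": xorcheck,
			"detected": detected,
			"directories": dirlist,
			"sign_info": cert.get(pe),
			"packer_info": packer,
			"antidbg_info": antidbg,
			"mutex_info": mutex,
			"antivm_info": antivirtualmachine,
			"apialert_info": apialert_info,
			"meta_info": meta_info,
			"import_function": import_function,
			"export_function": export_function,
			"sections_info": sections_info,
			"resources_info": resources_info
		}
	}
	return json.dumps(report, indent=4, separators=(',', ': '))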