Пример #1
0
    def do_peinfo(self, line):
        try:
            l = line.split(" ")
            if (l[0] == ""):
                self.help_peinfo()
            else:
                id, size = get_id_size(line)
                response, size = CTCore.get_response_and_size(id, "all")
                name = CTCore.get_name(id)

                print "Displaying PE info of object {} ({}) [{} bytes]:".format(id, name, size)
                if len(l) > 1 and l[1].lower() == "-p":
                    print "Checking for packers..."
                    pescan = PEScanner(response, '', peid_sigs="userdb.txt")
                else:
                    pescan = PEScanner(response, '', '')

                out = pescan.collect()
                print '\n'.join(out)
        except Exception,e:
            print str(e)
Пример #2
0
    def do_peinfo(self, line):
        try:
            l = line.split(" ")
            if (l[0] == ""):
                self.help_peinfo()
            else:
                id, size = get_id_size(line)
                response, size = CTCore.get_response_and_size(id, "all")
                name = CTCore.get_name(id)

                print "Displaying PE info of object {} ({}) [{} bytes]:".format(
                    id, name, size)
                if len(l) > 1 and l[1].lower() == "-p":
                    print "Checking for packers..."
                    pescan = PEScanner(response, '', peid_sigs="userdb.txt")
                else:
                    pescan = PEScanner(response, '', '')

                out = pescan.collect()
                print '\n'.join(out)
        except Exception, e:
            print str(e)
Пример #3
0
def analyze(vm, sample, rdir, inetsim):
    '''
    vm:      a VMwareAuto object
    sample:  path to malware sample to analyze
    rdir:    report directory
    '''
    
    # scan the sample with our PEScanner module
    printhdr('Submission Details')
    pescan = PEScanner([sample])
    pescan.collect()

    # submit the sample to VT and print results
    printhdr('Antivirus Results')
    vt = VirusTotal(sample)
    detects = vt.submit()
    for key,val in detects.items():
        print "  %s => %s" % (key, val)

    # revert the VM to its clean snapshot 
    vm.revert(snapname)
    vm.start()
    time.sleep(15)
    
    # set the credentials for tasks in the guest VM
    vm.setuser(user, passwd)

    # copy the malware sample to the VM's hard drive
    dst = 'C:\\%s' % os.path.basename(sample)
    vm.copytovm(sample, dst)

    # start a packet capture on the host
    pcap = analysis.TShark(rdir + '/file.pcap')
    pcap.start('eth0', guest_ip)
    
    # start INetSim for simulated Internet. Comment  
    # out these lines to allow the malware sample
    if inetsim:
        inet = analysis.INetSim(rdir)
        inet.start()

    # execute the malware in the guest VM, let it run 
    # for one minute 
    vm.winexec(dst)
    time.sleep(60)
    
    # take a screen shot of the guest VM's desktop
    vm.scrshot(rdir + '/shot.bmp')
    
    # suspend the VM 
    vm.suspend()
    
    # stop INetSim and print the captured logfiles 
    if inetsim:
        inet.stop()
        logs = inet.read()
        if len(logs):
            printhdr('Inetsim Logs')
            print logs

    # stop TShark and print the traffic statistics 
    printhdr('Network Traffic')
    pcap.stop()
    print pcap.read()
    
    printhdr('Memory Analysis')
    vol = analysis.Volatility(vm.findmem())
    print vol.pslist()
    print vol.conns()
    print vol.sockets()
    print vol.hooks()
    print vol.malfind('/data/yara.rules', rdir + '/mal')
Пример #4
0
def analyze(file):
    """
    filename, size, type, md5, sha1, ssdeep, timestamp, Entry Point, CRC, packers, flag on suspicious EP sections, yara, clamav, TLS callbacks, resource section, imports, suspicious IAT alerts, sections w/ virtual adddress, size, entropy, version info
    """ 
    pescan = PEScanner([file], yrules, peid)
    pescan.collect(verb)
Пример #5
0
def analyze(file):
    """
    filename, size, type, md5, sha1, ssdeep, timestamp, Entry Point, CRC, packers, flag on suspicious EP sections, yara, clamav, TLS callbacks, resource section, imports, suspicious IAT alerts, sections w/ virtual adddress, size, entropy, version info
    """
    pescan = PEScanner([file], yrules, peid)
    pescan.collect(verb)