def do_peinfo(self, line):
    """
    Print PE header details of a captured object: ``peinfo <id> [-p]``.

    line: the raw argument string handed over by the interactive shell
        (this reads like a cmd.Cmd ``do_`` handler); the first token is
        the object id, an optional second token "-p" (any case) also runs
        the PEiD packer signatures.

    With an empty argument the command help is printed instead. Any
    exception raised while resolving the object or parsing its body is
    caught and its message printed, so a malformed or hostile object only
    fails this one command.
    """
    try:
        tokens = line.split(" ")
        if tokens[0] == "":
            self.help_peinfo()
            return

        # the size returned next is the one of the full ("all") body, so
        # the size from get_id_size is not needed here
        obj_id, _ = get_id_size(line)
        body, body_size = CTCore.get_response_and_size(obj_id, "all")
        obj_name = CTCore.get_name(obj_id)
        print("Displaying PE info of object {} ({}) [{} bytes]:".format(
            obj_id, obj_name, body_size))

        want_packers = len(tokens) > 1 and tokens[1].lower() == "-p"
        if want_packers:
            print("Checking for packers...")
            # peid_sigs is a bare filename, so it is presumably resolved
            # against the current working directory -- confirm
            scanner = PEScanner(body, '', peid_sigs="userdb.txt")
        else:
            scanner = PEScanner(body, '', '')

        print('\n'.join(scanner.collect()))
    except Exception as e:
        print(str(e))
def do_peinfo(self, line):
    """
    Show PE information for one captured object (``peinfo <id> [-p]``).

    line: argument string from the shell; token 0 is the object id and an
        optional token 1 equal to "-p" (case-insensitive) enables the PEiD
        packer check.

    No argument -> help_peinfo() is shown. Errors while looking up the
    object or parsing the (attacker-supplied) body are caught and printed
    rather than propagated.
    """
    try:
        args = line.split(" ")
        if args[0] == "":
            self.help_peinfo()
        else:
            obj_id = get_id_size(line)[0]
            body, nbytes = CTCore.get_response_and_size(obj_id, "all")
            header = "Displaying PE info of object {} ({}) [{} bytes]:"
            print(header.format(obj_id, CTCore.get_name(obj_id), nbytes))

            check_packers = len(args) > 1 and args[1].lower() == "-p"
            if check_packers:
                print("Checking for packers...")
            # "userdb.txt" is a relative path; presumably looked up from the
            # current working directory -- confirm
            scanner = (PEScanner(body, '', peid_sigs="userdb.txt")
                       if check_packers else PEScanner(body, '', ''))
            report = scanner.collect()
            print('\n'.join(report))
    except Exception as e:
        print(str(e))
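def analyze(vm, sample, rdir, inetsim):
    '''
    Run one sample through the sandbox pipeline and print the results.

    vm: a VMwareAuto object
    sample: path to malware sample to analyze
    rdir: report directory
    inetsim: when true, INetSim runs for the duration of the execution so
        the sample sees a simulated Internet

    Relies on the module-level names snapname, user, passwd and guest_ip,
    which are not defined in this function.

    Side effects: reverts and starts the VM, copies the sample into the
    guest and executes it, and writes file.pcap, shot.bmp and the malfind
    output under rdir.
    '''
    # scan the sample with our PEScanner module
    printhdr('Submission Details')
    pescan = PEScanner([sample])
    pescan.collect()

    # submit the sample to VT and print results
    # NOTE(review): submitting hands the sample to VirusTotal (and its
    # partners); confirm that is acceptable before running this on a
    # sample that must not leave the lab
    printhdr('Antivirus Results')
    vt = VirusTotal(sample)
    detects = vt.submit()
    for key, val in detects.items():
        print(" %s => %s" % (key, val))

    # revert the VM to its clean snapshot
    vm.revert(snapname)
    vm.start()
    time.sleep(15)  # give the guest time to come up before guest operations

    # set the credentials for tasks in the guest VM
    vm.setuser(user, passwd)

    # copy the malware sample to the VM's hard drive
    dst = 'C:\\%s' % os.path.basename(sample)
    vm.copytovm(sample, dst)

    # start a packet capture on the host
    pcap = analysis.TShark(rdir + '/file.pcap')
    pcap.start('eth0', guest_ip)

    # start INetSim for simulated Internet; with inetsim false the sample
    # gets whatever network the host provides
    inet = None
    if inetsim:
        inet = analysis.INetSim(rdir)
        inet.start()

    try:
        # execute the malware in the guest VM, let it run for one minute
        vm.winexec(dst)
        time.sleep(60)

        # take a screen shot of the guest VM's desktop
        vm.scrshot(rdir + '/shot.bmp')

        # suspend the VM
        vm.suspend()
    finally:
        # stop INetSim and the capture even if a guest operation above
        # fails, so neither keeps running into the next run
        if inet is not None:
            inet.stop()
        pcap.stop()

    # print the captured INetSim logfiles, if any
    if inet is not None:
        logs = inet.read()
        if len(logs):
            printhdr('Inetsim Logs')
            print(logs)

    # print the traffic statistics
    printhdr('Network Traffic')
    print(pcap.read())

    # memory analysis of the suspended guest
    printhdr('Memory Analysis')
    vol = analysis.Volatility(vm.findmem())
    print(vol.pslist())
    print(vol.conns())
    print(vol.sockets())
    print(vol.hooks())
    print(vol.malfind('/data/yara.rules', rdir + '/mal'))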
def analyze(file):
    """
    Run the PE scanner over *file* and print its report.

    Covers: filename, size, type, md5, sha1, ssdeep, timestamp, entry
    point, CRC, packers, flag on suspicious EP sections, yara, clamav,
    TLS callbacks, resource section, imports, suspicious IAT alerts,
    sections with virtual address, size and entropy, and version info.

    Uses the module-level names yrules, peid and verb, which are not
    defined here; presumably the YARA rules, the PEiD signature database
    and the verbosity flag handed to PEScanner -- confirm against the
    module header. The parameter name shadows Python 2's builtin ``file``
    and is kept for callers.
    """
    scanner = PEScanner([file], yrules, peid)
    scanner.collect(verb)