def run(self, objfile):
    """Collect basic static information about the analysed file.

    Fills ``infos`` with the extension and, for PE32 / MS-DOS typed files,
    with PE header facts obtained through pefile.  Also sets ``self.key``
    to ``"Info"`` and ``self.score`` (``-1`` by default, ``10`` when the
    packer heuristic fires).  ``returnValue`` is built here but the tail
    of the method (where it is presumably returned) is not visible in this
    excerpt -- confirm against the full file.

    Args:
        objfile: the analysed sample; this code calls its ``file_extension()``,
            ``get_type()`` and reads ``file_data`` (the raw bytes handed to
            pefile).  Everything else about it is outside this excerpt.

    Raises:
        Only ``PEFormatError`` is handled; any other exception raised by the
        PE parser or the helpers propagates to the caller.
    """
    self.key = "Info"
    # -1 means "no verdict"; only a suspected packer raises it (see below).
    self.score = -1
    isProbablyPacked = False
    returnValue = {}
    infos = {}
    infos["ragpicker_version"] = RAGPICKER_VERSION
    # started_on is read from the task record, not from the file.
    infos["started"] = self.task["started_on"]
    returnValue["analyse"] = infos
    # Rebind to a fresh dict: the first one stays referenced by
    # returnValue["analyse"], the new one collects the per-file facts.
    infos = {}
    infos["extension"] = objfile.file_extension()
    # NOTE(review): get_type() is evaluated twice here; a single local
    # would read better if the call is not free.
    if objfile.get_type() == 'PE32' or objfile.get_type() == 'MS-DOS':
        try:
            # The sample bytes are untrusted input to the PE parser; a
            # malformed header is reported as PEFormatError below.  Whether
            # pefile can raise anything else on hostile input is not visible
            # here -- confirm before relying on this except clause alone.
            pe = PE(data=objfile.file_data)
            isProbablyPacked = is_probably_packed(pe)
            infos["DLL"] = pe.is_dll()
            infos["EXE"] = pe.is_exe()
            infos["DRIVER"] = pe.is_driver()
            infos["isProbablyPacked"] = isProbablyPacked
            # "SignedFile" only reflects what getDigitalSignature() reports;
            # whether that helper checks for the mere presence of a signature
            # or actually validates it is not visible here.  Do not read
            # "SignedFile" as "trusted" without confirming that.
            if self.getDigitalSignature(pe):
                infos["digitalSignature"] = "SignedFile"
            else:
                infos["digitalSignature"] = "UnsignedFile"
            # A likely-packed binary is the only thing that raises the score.
            if isProbablyPacked:
                self.score = 10
        # Python 2-only syntax; `except PEFormatError as e:` is accepted by
        # 2.6+ and 3.x alike.
        except PEFormatError, e:
            log.warn("Error - No Portable Executable: %s" % e)
def run(self, objfile):
    """Collect basic static information about the analysed file.

    Fills ``infos`` with the sample uuid, its extension and, for
    PE32 / PE32+ / MS-DOS typed files, with PE header facts obtained
    through pefile (architecture, machine type, subsystem, DLL/EXE/driver
    flags, packer heuristic, imphash, pehash, signature presence).  Also
    sets ``self.key`` to ``"Info"`` and ``self.score`` (``-1`` by default,
    ``10`` when the packer heuristic fires).  ``returnValue`` is built here
    but the tail of the method (where it is presumably returned) is not
    visible in this excerpt -- confirm against the full file.

    Args:
        objfile: the analysed sample.  This code calls ``get_uuid()`` on it
            and ``file_extension()`` / ``get_type()`` / ``file_data`` on its
            ``file`` attribute (the raw bytes handed to pefile).

    Raises:
        Only ``PEFormatError`` is handled; any other exception raised by the
        PE parser or the helpers propagates to the caller.
    """
    self.key = "Info"
    # -1 means "no verdict"; only a suspected packer raises it (see below).
    self.score = -1
    isProbablyPacked = False
    returnValue = {}
    infos = {}
    infos["uuid"] = objfile.get_uuid()
    infos["ragpicker_version"] = RAGPICKER_VERSION
    # started_on is read from the task record, not from the file.
    infos["started"] = self.task["started_on"]
    returnValue["analyse"] = infos
    # Rebind to a fresh dict: the first one stays referenced by
    # returnValue["analyse"], the new one collects the per-file facts.
    infos = {}
    infos["extension"] = objfile.file.file_extension()
    # NOTE(review): get_type() is evaluated up to three times here; a single
    # local (or `in ('PE32', 'PE32+', 'MS-DOS')`) would read better.
    if objfile.file.get_type() == 'PE32' or objfile.file.get_type() == 'PE32+' or objfile.file.get_type() == 'MS-DOS':
        try:
            # The sample bytes are untrusted input to the PE parser; a
            # malformed header is reported as PEFormatError below.  Whether
            # pefile can raise anything else on hostile input is not visible
            # here -- confirm before relying on this except clause alone.
            pe = PE(data=objfile.file.file_data)
            isProbablyPacked = is_probably_packed(pe)
            # Optional-header magic decides the bitness; any other magic
            # value leaves "Architecture" unset.
            if pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE:
                infos["Architecture"] = "32-Bit"
            elif pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS:
                infos["Architecture"] = "64-Bit"
            infos["CPU"] = self.getMaschineType(pe)
            infos["Subsystem"] = self.getSubsystem(pe)
            infos["DLL"] = pe.is_dll()
            infos["EXE"] = pe.is_exe()
            infos["DRIVER"] = pe.is_driver()
            infos["isProbablyPacked"] = isProbablyPacked
            # imphash -> Tracking Malware with Import Hashing
            # (https://www.mandiant.com/blog/tracking-malware-import-hashing).
            # Useful for clustering samples that share an import table; it is
            # trivially changed by the author, so treat it as a pivot, not an ID.
            infos["imphash"] = pe.get_imphash()
            # pehash: https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski.pdf
            # (structural similarity hash; computed by the helper, not pefile).
            infos["pehash"] = self.getPeHash(pe)
            # "SignedFile" only reflects what getDigitalSignature() reports;
            # whether that helper checks for the mere presence of a signature
            # or actually validates it is not visible here.  Do not read
            # "SignedFile" as "trusted" without confirming that.
            if self.getDigitalSignature(pe):
                infos["digitalSignature"] = "SignedFile"
            else:
                infos["digitalSignature"] = "UnsignedFile"
            # A likely-packed binary is the only thing that raises the score.
            if isProbablyPacked:
                self.score = 10
        # Python 2-only syntax; `except PEFormatError as e:` is accepted by
        # 2.6+ and 3.x alike.
        except PEFormatError, e:
            log.warn("Error - No Portable Executable: %s" % e)