action='store_true', required=False) parser.add_argument("-s", "--strings", help="export all strings", action='store_true', required=False) args = parser.parse_args() filename = args.file result = peframe.analyze(filename) if args.xorsearch: print( json.dumps(features.get_xor(filename, search_string=str.encode(args.xorsearch)), sort_keys=True, indent=4)) sys.exit() if args.json: print(json.dumps(result, sort_keys=True, indent=4)) sys.exit() if args.strings: print('\n'.join(result['strings']['dump'])) sys.exit() align = 16 cmd_list = ['info', 'strings', 'exit', 'virustotal'] cmd_list_select = {}
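def _build_parser():
    """Build the command-line parser for the ``peframe`` entry point.

    Returns:
        argparse.ArgumentParser with the positional ``file`` argument and the
        ``-v/-i/-x/-j/-s`` switches.
    """
    parser = argparse.ArgumentParser(
        prog='peframe',
        description='Tool for static malware analysis.',
        epilog=show_config(),
        formatter_class=RawTextHelpFormatter)
    parser.add_argument("file", help="sample to analyze")
    parser.add_argument("-v", "--version", action='version',
                        version='%(prog)s ' + str(__version__))
    parser.add_argument("-i", "--interactive", help="join in interactive mode",
                        action='store_true', required=False)
    parser.add_argument("-x", "--xorsearch", help="search xored string",
                        required=False)
    parser.add_argument("-j", "--json", help="export short report in JSON",
                        action='store_true', required=False)
    parser.add_argument("-s", "--strings", help="export all strings",
                        action='store_true', required=False)
    return parser


def _export(args, filename, result):
    """Handle the machine-readable export switches ``-x``, ``-j`` and ``-s``.

    The switches are examined in that order, so only the first one present
    produces output.

    Args:
        args: parsed command line.
        filename: path of the sample, passed through to ``features.get_xor``.
        result: the report returned by ``peframe.analyze``.

    Returns:
        True when an export was printed and the caller should stop; False
        when none of the three switches was given.
    """
    if args.xorsearch:
        hits = features.get_xor(filename,
                                search_string=str.encode(args.xorsearch))
        print(json.dumps(hits, sort_keys=True, indent=4))
        return True
    if args.json:
        print(json.dumps(result, sort_keys=True, indent=4))
        return True
    if args.strings:
        print('\n'.join(result['strings']['dump']))
        return True
    return False


def _print_items(title, items, *, underscores_to_spaces=False):
    """Print ``header(title)`` followed by one line per element of *items*.

    With ``underscores_to_spaces`` each item has ``_`` replaced by a space
    before printing (the report stores feature names with underscores).
    """
    header(title)
    for item in items:
        print(item.replace('_', ' ') if underscores_to_spaces else item)


def _print_pairs(title, mapping, *, value=None, skip=frozenset()):
    """Print ``header(title)`` followed by one ``key value`` line per entry.

    Args:
        mapping: dict-like report section.
        value: optional callable applied to each value before printing.
        skip: keys that are not printed at all.
    """
    header(title)
    for key, val in mapping.items():
        if key in skip:
            continue
        # str() so non-string keys (e.g. the Xor offsets) can be padded too.
        print(str(key).ljust(ALIGN, ' '), value(val) if value else val)


def _print_yara(plugins):
    """Print the Yara plugin matches, one rule name per line."""
    if not plugins:
        return
    header('Yara Plugins')
    for match in plugins:
        for rule_name in match.values():
            print(rule_name.replace('_', ' '))


def _print_docinfo(docinfo):
    """Print the document (non-PE) part of the report, if any."""
    if not docinfo:
        return
    if docinfo['behavior']:
        _print_pairs('Behavior', docinfo['behavior'])
    if docinfo['attributes']:
        _print_items('Attributes', docinfo['attributes'])


def _print_sections(sections):
    """Print the PE sections whose entropy exceeds 6, or a note if none does."""
    header('Sections Suspicious')
    found = False
    for item in sections['details']:
        # 6 is the threshold the text below promises; keep the two in sync.
        if item['entropy'] > 6:
            print(item['section_name'].ljust(ALIGN, ' '),
                  str(item['entropy'])[:4])
            found = True
    if not found:
        print('For each section the value of entropy is less than 6')


def _print_peinfo(peinfo):
    """Print the PE part of the report, section by section, if any."""
    if not peinfo:
        return
    feats = peinfo['features']
    dirs = peinfo['directories']
    if peinfo['behavior']:
        _print_items('Behavior', peinfo['behavior'], underscores_to_spaces=True)
    if feats['crypto']:
        _print_items('Crypto', feats['crypto'], underscores_to_spaces=True)
    if feats['packer']:
        _print_items('Packer', feats['packer'], underscores_to_spaces=True)
    if feats['xor']:
        _print_pairs('Xor', feats['xor'])
    if feats['mutex']:
        _print_items('Mutex Api', feats['mutex'])
    if feats['antidbg']:
        _print_items('Anti Debug', feats['antidbg'])
    if feats['antivm']:
        _print_items('Anti VM', feats['antivm'])
    if peinfo['sections']:
        _print_sections(peinfo['sections'])
    if peinfo['metadata']:
        # Metadata values come straight from the sample; cap them at 63 chars.
        _print_pairs('Metadata', peinfo['metadata'], value=lambda v: v[0:63])
    if dirs['import']:
        _print_pairs('Import function', dirs['import'], value=len)
    if dirs['export']:
        header('Export function')
        print("export".ljust(ALIGN, ' '), list(dirs['export']))
    if dirs['sign']:
        _print_pairs('Signature', dirs['sign']['details'], skip={'hash'})
    if peinfo['breakpoint']:
        _print_items('Possibile Breakpoint', peinfo['breakpoint'])


def _print_strings(strings):
    """Print the indicators extracted from the sample's strings, if any."""
    if not strings:
        return
    if strings['ip']:
        _print_items('Ip Address', strings['ip'])
    if strings['url']:
        _print_items('Url', strings['url'])
    if strings['file']:
        _print_pairs('File', strings['file'])
    if strings['fuzzing']:
        # Only the keys of the fuzzing section are reported.
        _print_items('Fuzzing', strings['fuzzing'])


def main():
    """Command-line entry point: analyse one sample and print a report.

    Depending on the switches the report is exported (``-x``, ``-j``, ``-s``),
    explored interactively (``-i``) or printed as the plain-text summary.

    Everything printed by the summary (section names, metadata, URLs, file
    names, strings) originates in the analysed sample and is written to the
    terminal unescaped, so treat the output as untrusted text.

    Returns:
        1 after an export, the value of ``interactive_mode`` in interactive
        mode, otherwise None.
    """
    args = _build_parser().parse_args()
    filename = args.file
    # The full analysis runs before the export switches are examined, so even
    # -x/-j/-s pay for a complete analyze() pass (unchanged behaviour).
    result = peframe.analyze(filename)
    if _export(args, filename, result):
        # NOTE(review): exports return 1 as before; if the console-script
        # wrapper does sys.exit(main()), a successful export exits non-zero —
        # confirm that is intended before scripting on the exit status.
        return 1
    cmd_list, cmd_list_select = get_info(result)
    if args.interactive:
        return interactive_mode(result, cmd_list, cmd_list_select)
    _print_yara(result['yara_plugins'])
    _print_docinfo(result['docinfo'])
    _print_peinfo(result['peinfo'])
    _print_strings(result['strings'])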