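def analyze(self, data):
    '''
    start analyzing exe logic, add descriptions and get words and wordsstripped
    from the file

    data: report dict. Reads data["Location"]["File"] (path of the binary under
          analysis, i.e. untrusted input) and overwrites data["PE"] (a fresh
          copy of self.datastruct) and data["ICONS"].
    returns: nothing, results are stored in data in place.
    raises: whatever pefile raises for a file it cannot parse, plus any error
            from the helpers below - this version has no best-effort handling,
            so a malformed or packed file aborts the whole analysis.
    '''
    data["PE"] = deepcopy(self.datastruct)
    data["ICONS"] = {"ICONS": []}
    pe = PE(data["Location"]["File"])
    try:
        ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint
        section = self.find_entry_point_function(pe, ep)
        # first 12 bytes at the entrypoint, rendered as lowercase hex pairs
        sig = section.get_data(ep, 12)
        singinhex = "".join("{:02x}".format(x) for x in sig)
        data["PE"]["General"] = {
            "PE Type": self.what_type(pe),
            "Entrypoint": ep,
            "Entrypoint Section": section.Name.decode("utf-8", errors="ignore").strip("\00"),
            "Header checksum": hex(pe.OPTIONAL_HEADER.CheckSum),
            "Verify checksum": hex(pe.generate_checksum()),
            "Match checksum": pe.verify_checksum(),
            "Sig": singinhex,
            "imphash": pe.get_imphash(),
            # one call instead of two; an empty warning list is reported as
            # the literal string "None" (report consumers expect that)
            "warning": pe.get_warnings() or "None",
            # TimeDateStamp is a file-controlled 32-bit field, reported as-is
            "Timestamp": datetime.fromtimestamp(pe.FILE_HEADER.TimeDateStamp).strftime('%Y-%m-%d %H:%M:%S')}
        data["PE"]["Characteristics"] = self.get_characteristics(pe)
        # the key spelling "Singed" is part of the report format, keep it
        data["PE"]["Singed"], data["PE"]["SignatureExtracted"] = self.check_if_singed(pe)
        data["PE"]["Stringfileinfo"] = self.get_string_file_info(pe)
        data["PE"]["Sections"] = self.get_sections(pe)
        data["PE"]["Dlls"] = self.get_dlls(pe)
        data["PE"]["Resources"], data["PE"]["Manifest"], data["ICONS"]["ICONS"] = self.get_recourse(pe)
        data["PE"]["Imported functions"] = self.get_imported_functions(pe)
        data["PE"]["Exported functions"] = self.get_exported_functions(pe)
        # enrich the collected names with the known descriptions
        add_description("WinApis", data["PE"]["Imported functions"], "Function")
        add_description("ManHelp", data["PE"]["Imported functions"], "Function")
        add_description("WinDlls", data["PE"]["Dlls"], "Dll")
        add_description("WinSections", data["PE"]["Sections"], "Section")
        add_description("WinResources", data["PE"]["Resources"], "Resource")
        get_words(data, data["Location"]["File"])
    finally:
        # release pefile's handle on the file deterministically rather than
        # waiting for garbage collection (close() is missing in older pefile
        # releases, hence the guard)
        if hasattr(pe, "close"):
            pe.close()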
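def analyze(self, data):
    '''
    start analyzing exe logic, add descriptions and get words and wordsstripped
    from the file

    data: report dict. Reads data["Location"]["File"] (path of the binary under
          analysis, i.e. untrusted input) and overwrites data["PE"] (a fresh
          copy of self.datastruct) and data["ICONS"].
    returns: nothing, results are stored in data in place.
    raises: whatever pefile raises for a file it cannot parse. The entrypoint
            signature, its disassembly and the entrypoint section name are
            best effort and fall back to the string "UnKnown".
    '''
    data["PE"] = deepcopy(self.datastruct)
    data["ICONS"] = {"ICONS": []}
    pe_info = PE(data["Location"]["File"])
    try:
        ep_info = pe_info.OPTIONAL_HEADER.AddressOfEntryPoint
        section = self.find_entry_point_function(pe_info, ep_info)
        singinhex = "UnKnown"
        en_section_name = "UnKnown"
        sig_instructions = "UnKnown"
        # best effort: a packed or malformed file may have no readable
        # entrypoint section. NOTE(review): ignore_excpetion(Exception) also
        # hides genuine bugs in this branch; consider narrowing it.
        with ignore_excpetion(Exception):
            # first 52 bytes at the entrypoint as lowercase hex pairs
            sig = section.get_data(ep_info, 52)
            singinhex = "".join("{:02x}".format(x) for x in sig)
            # singinhex is built by us from raw bytes and can only contain
            # [0-9a-f], so interpolating it into the r2 command line is safe.
            # "-2" closes r2's stderr so its warnings do not pollute output.
            r2p = r2open("-", flags=['-2'])
            try:
                r2p.cmd("e anal.timeout = 5")
                # "pad": disassemble the hex pairs; keep the first 8 lines
                temp_sig_instructions = r2p.cmd("pad {}".format(singinhex)).split("\n")[:8]
                sig_instructions = "\n".join(temp_sig_instructions)
            finally:
                # shut the radare2 process down; without quit() every
                # analyzed file leaves an r2 child process behind
                r2p.quit()
        with ignore_excpetion(Exception):
            en_section_name = section.Name.decode("utf-8", errors="ignore").strip("\00")
        data["PE"]["General"] = {
            "PE Type": self.what_type(pe_info),
            "Entrypoint": ep_info,
            "Entrypoint Section": en_section_name,
            "Header checksum": hex(pe_info.OPTIONAL_HEADER.CheckSum),
            "Verify checksum": hex(pe_info.generate_checksum()),
            "Match checksum": pe_info.verify_checksum(),
            "Sig": singinhex,
            "imphash": pe_info.get_imphash(),
            # one call instead of two; an empty warning list is reported as
            # the literal string "None" (report consumers expect that)
            "warning": pe_info.get_warnings() or "None",
            # TimeDateStamp is a file-controlled 32-bit field, reported as-is
            "Timestamp": datetime.fromtimestamp(pe_info.FILE_HEADER.TimeDateStamp).strftime(
                '%Y-%m-%d %H:%M:%S')
        }
        data["PE"]["Characteristics"] = self.get_characteristics(pe_info)
        # the key spelling "Singed" is part of the report format, keep it
        data["PE"]["Singed"], data["PE"][
            "SignatureExtracted"] = self.check_if_singed(pe_info)
        data["PE"]["Stringfileinfo"] = self.get_string_file_info(pe_info)
        data["PE"]["Sections"] = self.get_sections(pe_info)
        data["PE"]["Dlls"] = self.get_dlls(pe_info)
        data["PE"]["Resources"], data["PE"]["Manifest"], data["ICONS"][
            "ICONS"] = self.get_recourse(pe_info)
        data["PE"]["Imported functions"] = self.get_imported_functions(pe_info)
        data["PE"]["Exported functions"] = self.get_exported_functions(pe_info)
        # the disassembly lives next to "General" (whose "Entrypoint" is the
        # address); both keys are part of the report format
        data["PE"]["Entrypoint"] = sig_instructions
        # enrich the collected names with the known descriptions
        add_description("WinApis", data["PE"]["Imported functions"], "Function")
        add_description("ManHelp", data["PE"]["Imported functions"], "Function")
        add_description("WinDlls", data["PE"]["Dlls"], "Dll")
        add_description("WinSections", data["PE"]["Sections"], "Section")
        add_description("WinResources", data["PE"]["Resources"], "Resource")
        get_words(data, data["Location"]["File"])
    finally:
        # release pefile's handle on the file deterministically rather than
        # waiting for garbage collection (close() is missing in older pefile
        # releases, hence the guard)
        if hasattr(pe_info, "close"):
            pe_info.close()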