Usr6

Python - PE file info extract (a kind of PEiD)

Posted

I gathered a few pieces of code from the pefile wiki (UsageExamples - pefile - Usage examples of pefile - pefile is a Python module to read and work with PE (Portable Executable) files - Google Project Hosting, PEiDSignatures - pefile - Using PEiD signatures - pefile is a Python module to read and work with PE (Portable Executable) files - Google Project Hosting) into a script, so that running it produces output like:


Size: 541927bytes
MD5: c8260d9531fef36ce1a0369cdb08c39b
OEP: 0x48ef89
Packed: True
PEiD Signature: [['UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser']]
Sections:
    UPX0 0x1000 0x413000 0
    UPX1 0x414000 0x7c000 506880
    .rsrc 0x490000 0x6000 24064
Imported:
    KERNEL32.DLL
        0x895b74 LoadLibraryA
        0x895b78 GetProcAddress
        0x895b7c VirtualProtect
        0x895b80 VirtualAlloc
        0x895b84 VirtualFree
        0x895b88 ExitProcess
    user32.dll
        0x895b90 MessageBoxA

The PEiD signature DB can be downloaded from here: https://code.google.com/p/reverse-engineering-scripts/downloads/detail?name=UserDB.TXT ; the file "UserDB.TXT" must be in the same directory as the Python script. It goes without saying that you need pefile installed in order to use it.

Usage:


python RST-PEiD.py PEfile

Source code:


#!/usr/bin/env python3
# RST-PEiD.py - basic PE file info: size, MD5, entry point, packing heuristic,
# PEiD signature match, sections and imports (Python 3 / current pefile)
import sys
import os
import hashlib
import pefile
import peutils

# The PEiD signature database must sit in the working directory next to the script
try:
    signatures = peutils.SignatureDatabase('UserDB.TXT')
except IOError:
    print("Lipseste fisierul cu semnaturi: UserDB.TXT")
    sys.exit(1)

if len(sys.argv) != 2:
    print("""\tRST PEiD file info:\n
Utilizare: python Script.py executabil""")
    sys.exit(1)

# pefile.PE() parses the data directories (imports, exports, ...) by default
pe = pefile.PE(sys.argv[1])


def hashfile(afile, blocksize=65536):
    """MD5 of the file, read in blocks so large binaries are not loaded at once."""
    md5 = hashlib.md5()
    with open(afile, "rb") as handle:
        for data in iter(lambda: handle.read(blocksize), b""):
            md5.update(data)
    return md5.hexdigest()


def decode(name):
    """pefile returns names as NUL-padded bytes on Python 3; show them as text."""
    return name.rstrip(b"\x00").decode("latin-1", "replace") if name else ""


print(sys.argv[1])
print("Size: " + str(os.path.getsize(sys.argv[1])) + "bytes")
print("MD5: " + hashfile(sys.argv[1]))
print("OEP: " + hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint))
# peutils heuristic: high section entropy suggests a packed/encrypted image
print("Packed(Entropy): " + str(peutils.is_probably_packed(pe)))

# Match the PEiD signatures at the entry point only, like PEiD's default scan
matches = signatures.match_all(pe, ep_only=True)
print("PEiD Signature: " + str(matches))

print("Sections: ")
for section in pe.sections:
    print("\t", decode(section.Name), hex(section.VirtualAddress),
          hex(section.Misc_VirtualSize), section.SizeOfRawData)

print("Imported: ")
# DIRECTORY_ENTRY_IMPORT does not exist when the file has no import table
for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
    print("\t", decode(entry.dll))
    for imp in entry.imports:
        # imports by ordinal carry no name
        name = decode(imp.name) if imp.name else "ordinal %d" % imp.ordinal
        print("\t\t", hex(imp.address), name)

#print("Exported: ")
#for exp in getattr(pe, "DIRECTORY_ENTRY_EXPORT").symbols:
#    print("\t", hex(pe.OPTIONAL_HEADER.ImageBase + exp.address), decode(exp.name), exp.ordinal)

If anyone is bored, they could also add verification/extraction of the digital signature.
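As an added example that is not part of the original post: a minimal parser and matcher for the PEiD UserDB.TXT format that peutils.SignatureDatabase reads, showing what the ep_only=True in the script's match_all call means (signatures checked only at the entry point). The database and the byte buffer are constructed for the demo, the signature bytes are not real packer signatures, and the ep_only=False rule here (flagged signatures at the entry point, others anywhere in the buffer) is this example's simplification of peutils.

```python
# Constructed sample UserDB.TXT: "[name]" line, "signature = " hex bytes with "??"
# as a one-byte wildcard, "ep_only = true|false"; the byte patterns are made up.
SAMPLE_DB = """\
; comment lines start with a semicolon
[Demo Packer 1.0 -> constructed]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[Demo Stub (anywhere) -> constructed]
signature = 55 8B EC 83 EC ?? 53 56 57
ep_only = false
"""

# Constructed file image: 16 zero bytes, then the "packer" stub at the entry
# point (offset 16), padding, and the second stub at offset 40.
SAMPLE_DATA = (bytes(16) + bytes.fromhex("60BE001040008DBE00F0FFFF5783CDFF")
               + bytes(8) + bytes.fromhex("558BEC83EC1C535657") + bytes(8))
SAMPLE_EP = 16


def parse_userdb(text):
    """Return [(name, pattern, ep_only)]; pattern is a list of int or None (wildcard)."""
    sigs, name, pattern, ep_only = [], None, None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if name is not None and pattern is not None:
                sigs.append((name, pattern, ep_only))
            name, pattern, ep_only = line[1:-1], None, True
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "signature":
            pattern = [None if tok == "??" else int(tok, 16) for tok in value.split()]
        elif key == "ep_only":
            ep_only = value.lower() == "true"
    if name is not None and pattern is not None:
        sigs.append((name, pattern, ep_only))
    return sigs


def match_at(data, offset, pattern):
    """True when every non-wildcard byte of pattern equals data at offset."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def match_all(data, ep_offset, sigs, ep_only=True):
    """ep_only=True: test every signature at the entry point only (PEiD default);
    ep_only=False: ep_only-flagged signatures at the entry point, others anywhere."""
    hits = []
    for name, pattern, sig_ep_only in sigs:
        if ep_only or sig_ep_only:
            if match_at(data, ep_offset, pattern):
                hits.append(name)
        elif any(match_at(data, off, pattern) for off in range(len(data) - len(pattern) + 1)):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(match_all(SAMPLE_DATA, SAMPLE_EP, parse_userdb(SAMPLE_DB), ep_only=True))
```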