Jump to content
Usr6

[RST] PE-Analyzer (Python)

Recommended Posts

Posted

Output:


RST PE-Analyzer
firefox.exe
Size: 275568 bytes
MD5: 93e28799430480cce0ab3d961e5312ad
DLL: False
EXE: True
Driver: False
Machine: 0x14c (0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 )
OEP: 0x2478
Compile time: 2013-12-05 19:22:27
Digital Signature: Yes
C:\Python27\firefox.exe:

Verified: Signed

Signing date: 9:34 PM 12/5/2013

Publisher: Mozilla Corporation

Description: Firefox

Product: Firefox

Prod version: 26.0

File version: 26.0

MachineType: 32-bit

Binary Version: 26.0.0.5087

Original Name: firefox.exe

Internal Name: Firefox

Copyright: ©Firefox and Mozilla Developers; available under the MPL 2 license.

Comments:

VT detection: 0/48

VT link: https://www.virustotal.com/file/0c722b9aaf4f2ee3265f92f1498c6b64fffbb3e37d2136fae8584dcd7d23c06d/analysis/




Sigcheck v2.01 - File version and signature viewer

Copyright (C) 2004-2013 Mark Russinovich

Sysinternals - www.sysinternals.com




Packed: True (Entropy score decision)
PEiD Signature: None
Sections:
.text 0x1000 0x1a7a 7168
.rdata 0x3000 0xfb4 4096
.data 0x4000 0x4bc 512
.rsrc 0x5000 0x3d9c8 252416
.reloc 0x43000 0x644 2048
Imported:
KERNEL32.dll
0x403000 SetEnvironmentVariableW
0x403004 ExpandEnvironmentStringsW
0x403008 GetEnvironmentVariableW
0x40300c GetModuleFileNameW
0x403010 MultiByteToWideChar
0x403014 GetTickCount
0x403018 GetProcAddress
0x40301c GetModuleHandleW
0x403020 QueryPerformanceFrequency
0x403024 GetFileAttributesW
0x403028 WideCharToMultiByte
0x40302c GetProcessIoCounters
0x403030 GetCurrentProcess
0x403034 SetDllDirectoryW
0x403038 UnhandledExceptionFilter
0x40303c TerminateProcess
0x403040 GetCurrentProcessId
0x403044 GetCurrentThreadId
0x403048 QueryPerformanceCounter
0x40304c DecodePointer
0x403050 SetUnhandledExceptionFilter
0x403054 EncodePointer
0x403058 HeapSetInformation
0x40305c InterlockedCompareExchange
0x403060 Sleep
0x403064 InterlockedExchange
0x403068 IsDebuggerPresent
0x40306c CreateFileW
0x403070 CloseHandle
0x403074 SetFilePointerEx
0x403078 ReadFile
0x40307c FreeLibrary
0x403080 LoadLibraryExW
0x403084 GetLastError
0x403088 GetSystemTimeAsFileTime
USER32.dll
0x403138 MessageBoxW
MSVCR100.dll
0x403090 __wgetmainargs
0x403094 _cexit
0x403098 _exit
0x40309c _XcptFilter
0x4030a0 _amsg_exit
0x4030a4 __winitenv
0x4030a8 _initterm
0x4030ac _initterm_e
0x4030b0 _configthreadlocale
0x4030b4 __setusermatherr
0x4030b8 _commode
0x4030bc _fmode
0x4030c0 __set_app_type
0x4030c4 _vsnprintf_s
0x4030c8 ?terminate@@YAXXZ
0x4030cc _unlock
0x4030d0 __dllonexit
0x4030d4 _lock
0x4030d8 _onexit
0x4030dc _except_handler4_common
0x4030e0 _invoke_watson
0x4030e4 _controlfp_s
0x4030e8 _crt_debugger_hook
0x4030ec memset
0x4030f0 memcpy
0x4030f4 strcat
0x4030f8 fgets
0x4030fc strlen
0x403100 ??3@YAXPAX@Z
0x403104 fclose
0x403108 _wfopen
0x40310c ??2@YAPAXI@Z
0x403110 strcpy
0x403114 getenv
0x403118 _snprintf
0x40311c _stricmp
0x403120 wcslen
0x403124 ??_V@YAXPAX@Z
0x403128 strrchr
0x40312c exit
0x403130 _putenv
Exported:
PE instance has no attribute 'DIRECTORY_ENTRY_EXPORT'

Cerinte minime:

1. python 2.7

2. pefile pefile - pefile is a Python module to read and work with PE (Portable Executable) files - Google Project Hosting

3. UserDB.TXT https://code.google.com/p/reverse-engineering-scripts/downloads/detail?name=UserDB.TXT

4. sigcheck.exe Sigcheck

5. conexiune la internet pentru a verifica hash-ul pe virustotal

# fisierele UserDB.TXT, sigcheck.exe trebuie puse in acelasi director cu scriptul

Pentru salvarea outputului intr-un fisier:


python Script.py PEfile >save.txt

Source Code:


import sys
import os
import hashlib
import re
import subprocess
import time
import pefile
import peutils

print "\tRST PE-Analyzer https://rstforums.com"
try:
signatures = peutils.SignatureDatabase('UserDB.TXT')
except:
print "Lipseste fisierul cu semnaturi: UserDB.TXT"
sys.exit()

if len(sys.argv) != 2:
print """
Utilizare: python Script.py executabil"""

sys.exit()
else:
try:
pe = pefile.PE(sys.argv[1])
except Exception, e: print e

def hashfile(afile, blocksize=65536):
handle = open(afile, "rb")
temp = hashlib.md5()
while True:
data = handle.read(blocksize)
if not data:
break
temp.update(data)
return temp.hexdigest()

print str(sys.argv[1])

print "Size: ", os.path.getsize(sys.argv[1]), "bytes"

print "MD5: ", hashfile(sys.argv[1])

print "DLL: ", pe.is_dll()
print "EXE: ", pe.is_exe()
print "Driver: ", pe.is_driver()
print "Machine: ", hex(pe.FILE_HEADER.Machine) , "(0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 )"
print "OEP: ", hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)

epoch = pe.FILE_HEADER.TimeDateStamp
print "Compile time: ", time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(epoch))

ds = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
print "Digital Signature: ", "No" if ds == 0 else "Yes"
if ds == ds : # ds!= 0 to use sigcheck only file is signed
try:
cmnd = os.getcwd() + "\\" + "sigcheck.exe -a -vt " + str(sys.argv[1])
p = subprocess.Popen(cmnd,stderr=subprocess.PIPE,stdout=subprocess.PIPE,shell=True)
(stdout, stderr) = p.communicate()
print stdout
print stderr
except Exception, e: print e

print "Packed: ", peutils.is_probably_packed(pe), " (Entropy score decision)"

matches = signatures.match_all(pe, ep_only = True)
print "PEiD Signature: ", matches

print "Sections: "
for section in pe.sections:
print "\t", section.Name.strip("\x00"), hex(section.VirtualAddress), hex(section.Misc_VirtualSize), section.SizeOfRawData

print "Imported: "
pe.parse_data_directories()
for entry in pe.DIRECTORY_ENTRY_IMPORT:
print "\t", entry.dll
for imp in entry.imports:
print '\t\t', hex(imp.address), imp.name

print "Exported: "
try:
for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
print "\t", hex(pe.OPTIONAL_HEADER.ImageBase + exp.address), exp.name, exp.ordinal
except Exception, e: print "\t", e

Scriptul de mai sus contine si bucati de cod copiate din alte parti:

UsageExamples - pefile - Usage examples of pefile - pefile is a Python module to read and work with PE (Portable Executable) files - Google Project Hosting

PEiDSignatures - pefile - Using PEiD signatures - pefile is a Python module to read and work with PE (Portable Executable) files - Google Project Hosting

  • Upvote 4
Posted

Du-ti bre de acilea :)).

Te gasisi tu repede sa faci ceva bun? Al dracului... adica vrei sa ajungi exemplu?

Pffff... nice. Bravo, alea alea. Asta este ceea ce ar trebui sa conteze. Nu criticile pe topicuri de genul prezentari, nu vanzarea unui prapadit de ceva cu 2 euroi...

Felicitari!

Posted

Update

printre altele:

- ofera o mica descriere a functiilor api importate, pentru cele care nu exista in dictionarul local se ofera un link de cautare pe msdn

- tipareste output-ul si intr-un fisier txt (numelefisierului analizat + txt)

Output:


RST PE-Analyzer
Usr6
rstforums.com
firefox.exe
Size: 275568 bytes
EXE: Yes
Machine: 0x14c(0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 )
OEP: 0x2478
Compile time: 2013-12-05 19:22:27
Digital Signature: Yes
c:\Python27\firefox.exe:
Verified: Signed
Signing date: 9:34 PM 12/5/2013
Publisher: Mozilla Corporation
Description: Firefox
Product: Firefox
Prod version: 26.0
File version: 26.0
MachineType: 32-bit
Binary Version: 26.0.0.5087
Original Name: firefox.exe
Internal Name: Firefox
Copyright: ©Firefox and Mozilla Developers; available under the MPL 2 license.
Comments:
MD5: 1EEA6C1B35191DC177EA83672B9C3FC0
SHA1: AC69FA1DF07CEEC14178428F6416B27CF57CEA26
PESHA1: 17FF37178BE1A4F6240D84BD54E27C74F3F95B29
SHA256: 0C722B9AAF4F2EE3265F92F1498C6B64FFFBB3E37D2136FAE8584DCD7D23C06D
VT detection: 0/50
VT link: https://www.virustotal.com/file/0c722b9aaf4f2ee3265f92f1498c6b64fffbb3e37d2136fae8584dcd7d23c06d/analysis/

Packed: Yes (Entropy score decision)
PEiD Signature: No
Sections:
.text 0x1000 0x1a7a 7168
.rdata 0x3000 0xfb4 4096
.data 0x4000 0x4bc 512
.rsrc 0x5000 0x3d9c8 252416
.reloc 0x43000 0x644 2048
Imported:
KERNEL32.dll
0x403000 SetEnvironmentVariableW --- http://social.msdn.microsoft.com/Search/en-US?query=SetEnvironmentVariableW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403004 ExpandEnvironmentStringsW --- http://social.msdn.microsoft.com/Search/en-US?query=ExpandEnvironmentStringsW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403008 GetEnvironmentVariableW --- http://social.msdn.microsoft.com/Search/en-US?query=GetEnvironmentVariableW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x40300c GetModuleFileNameW --- http://social.msdn.microsoft.com/Search/en-US?query=GetModuleFileNameW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403010 MultiByteToWideChar --- http://social.msdn.microsoft.com/Search/en-US?query=MultiByteToWideChar&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403014 GetTickCount --- Sleep / check if debug
0x403018 GetProcAddress --- http://social.msdn.microsoft.com/Search/en-US?query=GetProcAddress&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x40301c GetModuleHandleW --- http://social.msdn.microsoft.com/Search/en-US?query=GetModuleHandleW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403020 QueryPerformanceFrequency --- http://social.msdn.microsoft.com/Search/en-US?query=QueryPerformanceFrequency&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403024 GetFileAttributesW --- http://social.msdn.microsoft.com/Search/en-US?query=GetFileAttributesW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403028 WideCharToMultiByte --- http://social.msdn.microsoft.com/Search/en-US?query=WideCharToMultiByte&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x40302c GetProcessIoCounters --- http://social.msdn.microsoft.com/Search/en-US?query=GetProcessIoCounters&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403030 GetCurrentProcess --- http://social.msdn.microsoft.com/Search/en-US?query=GetCurrentProcess&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403034 SetDllDirectoryW --- http://social.msdn.microsoft.com/Search/en-US?query=SetDllDirectoryW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403038 UnhandledExceptionFilter --- http://social.msdn.microsoft.com/Search/en-US?query=UnhandledExceptionFilter&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x40303c TerminateProcess --- exact
0x403040 GetCurrentProcessId --- http://social.msdn.microsoft.com/Search/en-US?query=GetCurrentProcessId&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403044 GetCurrentThreadId --- http://social.msdn.microsoft.com/Search/en-US?query=GetCurrentThreadId&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403048 QueryPerformanceCounter --- http://social.msdn.microsoft.com/Search/en-US?query=QueryPerformanceCounter&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x40304c DecodePointer --- http://social.msdn.microsoft.com/Search/en-US?query=DecodePointer&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403050 SetUnhandledExceptionFilter --- http://social.msdn.microsoft.com/Search/en-US?query=SetUnhandledExceptionFilter&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403054 EncodePointer --- http://social.msdn.microsoft.com/Search/en-US?query=EncodePointer&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403058 HeapSetInformation --- http://social.msdn.microsoft.com/Search/en-US?query=HeapSetInformation&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x40305c InterlockedCompareExchange --- http://social.msdn.microsoft.com/Search/en-US?query=InterlockedCompareExchange&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403060 Sleep --- http://social.msdn.microsoft.com/Search/en-US?query=Sleep&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403064 InterlockedExchange --- http://social.msdn.microsoft.com/Search/en-US?query=InterlockedExchange&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403068 IsDebuggerPresent --- check debugger
0x40306c CreateFileW --- http://social.msdn.microsoft.com/Search/en-US?query=CreateFileW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403070 CloseHandle --- http://social.msdn.microsoft.com/Search/en-US?query=CloseHandle&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403074 SetFilePointerEx --- http://social.msdn.microsoft.com/Search/en-US?query=SetFilePointerEx&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403078 ReadFile --- http://social.msdn.microsoft.com/Search/en-US?query=ReadFile&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x40307c FreeLibrary --- http://social.msdn.microsoft.com/Search/en-US?query=FreeLibrary&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403080 LoadLibraryExW --- http://social.msdn.microsoft.com/Search/en-US?query=LoadLibraryExW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403084 GetLastError --- http://social.msdn.microsoft.com/Search/en-US?query=GetLastError&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403088 GetSystemTimeAsFileTime --- http://social.msdn.microsoft.com/Search/en-US?query=GetSystemTimeAsFileTime&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
USER32.dll
0x403138 MessageBoxW --- http://social.msdn.microsoft.com/Search/en-US?query=MessageBoxW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
MSVCR100.dll
0x403090 __wgetmainargs --- http://social.msdn.microsoft.com/Search/en-US?query=__wgetmainargs&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403094 _cexit --- http://social.msdn.microsoft.com/Search/en-US?query=_cexit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403098 _exit --- http://social.msdn.microsoft.com/Search/en-US?query=_exit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x40309c _XcptFilter --- http://social.msdn.microsoft.com/Search/en-US?query=_XcptFilter&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030a0 _amsg_exit --- http://social.msdn.microsoft.com/Search/en-US?query=_amsg_exit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030a4 __winitenv --- http://social.msdn.microsoft.com/Search/en-US?query=__winitenv&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030a8 _initterm --- http://social.msdn.microsoft.com/Search/en-US?query=_initterm&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030ac _initterm_e --- http://social.msdn.microsoft.com/Search/en-US?query=_initterm_e&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030b0 _configthreadlocale --- http://social.msdn.microsoft.com/Search/en-US?query=_configthreadlocale&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030b4 __setusermatherr --- http://social.msdn.microsoft.com/Search/en-US?query=__setusermatherr&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030b8 _commode --- http://social.msdn.microsoft.com/Search/en-US?query=_commode&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030bc _fmode --- http://social.msdn.microsoft.com/Search/en-US?query=_fmode&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030c0 __set_app_type --- http://social.msdn.microsoft.com/Search/en-US?query=__set_app_type&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030c4 _vsnprintf_s --- http://social.msdn.microsoft.com/Search/en-US?query=_vsnprintf_s&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030c8 ?terminate@@YAXXZ --- http://social.msdn.microsoft.com/Search/en-US?query=?terminate@@YAXXZ&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030cc _unlock --- http://social.msdn.microsoft.com/Search/en-US?query=_unlock&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030d0 __dllonexit --- http://social.msdn.microsoft.com/Search/en-US?query=__dllonexit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030d4 _lock --- http://social.msdn.microsoft.com/Search/en-US?query=_lock&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030d8 _onexit --- http://social.msdn.microsoft.com/Search/en-US?query=_onexit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030dc _except_handler4_common --- http://social.msdn.microsoft.com/Search/en-US?query=_except_handler4_common&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030e0 _invoke_watson --- http://social.msdn.microsoft.com/Search/en-US?query=_invoke_watson&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030e4 _controlfp_s --- http://social.msdn.microsoft.com/Search/en-US?query=_controlfp_s&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030e8 _crt_debugger_hook --- http://social.msdn.microsoft.com/Search/en-US?query=_crt_debugger_hook&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030ec memset --- http://social.msdn.microsoft.com/Search/en-US?query=memset&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030f0 memcpy --- http://social.msdn.microsoft.com/Search/en-US?query=memcpy&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030f4 strcat --- http://social.msdn.microsoft.com/Search/en-US?query=strcat&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030f8 fgets --- http://social.msdn.microsoft.com/Search/en-US?query=fgets&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x4030fc strlen --- http://social.msdn.microsoft.com/Search/en-US?query=strlen&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403100 ??3@YAXPAX@Z --- http://social.msdn.microsoft.com/Search/en-US?query=??3@YAXPAX@Z&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403104 fclose --- http://social.msdn.microsoft.com/Search/en-US?query=fclose&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403108 _wfopen --- http://social.msdn.microsoft.com/Search/en-US?query=_wfopen&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x40310c ??2@YAPAXI@Z --- http://social.msdn.microsoft.com/Search/en-US?query=??2@YAPAXI@Z&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403110 strcpy --- http://social.msdn.microsoft.com/Search/en-US?query=strcpy&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403114 getenv --- http://social.msdn.microsoft.com/Search/en-US?query=getenv&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403118 _snprintf --- http://social.msdn.microsoft.com/Search/en-US?query=_snprintf&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x40311c _stricmp --- http://social.msdn.microsoft.com/Search/en-US?query=_stricmp&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403120 wcslen --- http://social.msdn.microsoft.com/Search/en-US?query=wcslen&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403124 ??_V@YAXPAX@Z --- http://social.msdn.microsoft.com/Search/en-US?query=??_V@YAXPAX@Z&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403128 strrchr --- http://social.msdn.microsoft.com/Search/en-US?query=strrchr&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x40312c exit --- http://social.msdn.microsoft.com/Search/en-US?query=exit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
0x403130 _putenv --- http://social.msdn.microsoft.com/Search/en-US?query=_putenv&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
Exported:

Source code:

import sys

import os

import hashlib

import re

import subprocess

import time

import pefile

import peutils

try:

signatures = peutils.SignatureDatabase('UserDB.TXT')

except:

print "Lipseste fisierul cu semnaturi: UserDB.TXT"

sys.exit()

if len(sys.argv) != 2:

print "Utilizare: python Script.py PEfile"

sys.exit()

else:

try:

filename = str(sys.argv[1])

pe = pefile.PE(filename)

except Exception, e: print e

knowledge = {"TerminateProcess": "exact",

"GetTickCount":"Sleep / check if debug",

"IsDebuggerPresent":"check debugger",

"CheckRemoteDebuggerPresent":" check debugger",

"etc": "etc"

}

msdna = 'http://social.msdn.microsoft.com/Search/en-US?query='

msdnb = '&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false'

def prnt(text_to_print):

if text_to_print != "None":

file_to_print = str(filename) + ".txt"

file_to_print = open(file_to_print, "a")

print text_to_print

file_to_print.write(str(text_to_print) + "\n")

file_to_print.close()

prnt("\tRST PE-Analyzer \n\t\tUsr6 \n\trstforums.com")

prnt(filename)

prnt("Size: " + str(os.path.getsize(filename)) + " bytes")

prnt("DLL: " + "Yes" if pe.is_dll() else "None")

prnt("EXE: " + "Yes" if pe.is_exe() else "None")

prnt("Driver: " + "Yes" if pe.is_driver() else "None")

prnt("Machine: " + str(hex(pe.FILE_HEADER.Machine)) + "(0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 )")

prnt("OEP: " + str(hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)))

epoch = pe.FILE_HEADER.TimeDateStamp

prnt("Compile time: " +str(time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(epoch))))

ds = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress

ds = "No" if ds == 0 else "Yes"

prnt("Digital Signature: " + ds)

try:

cmnd = os.getcwd() + "\\" + "sigcheck.exe -q -a -h -vt -vn " + filename

p = subprocess.Popen(cmnd,stderr=subprocess.PIPE,stdout=subprocess.PIPE,shell=True)

(stdout, stderr) = p.communicate()

prnt(re.sub(r"\r\n", r"\n", stdout))

#print stderr

except Exception, e: print e

packed = "Yes" if peutils.is_probably_packed(pe) else "No"

prnt("Packed: " + packed + "\t(Entropy score decision)")

matches = "Yes" if signatures.match_all(pe, ep_only = True) else "No"

prnt("PEiD Signature: " + matches)

prnt("Sections: ")

for section in pe.sections:

prnt("\t" + str(section.Name.strip("\x00")) + " " + str(hex(section.VirtualAddress)) + " " + str(hex(section.Misc_VirtualSize)) + " " + str(section.SizeOfRawData))

prnt("Imported: ")

pe.parse_data_directories()

for entry in pe.DIRECTORY_ENTRY_IMPORT:

prnt("\t" + str(entry.dll))

for imp in entry.imports:

if imp.name in knowledge.keys():

prnt('\t\t' + str(hex(imp.address)) +" "+ str(imp.name) + str('\t\t --- ') + str(knowledge[imp.name]))

else :

print '\t\t', hex(imp.address), imp.name

file_to_print = str(filename) + ".txt"

file_to_print = open(file_to_print, "a")

file_to_print.write('\t\t'+str(hex(imp.address)) +" "+ str(imp.name) + str('\t\t --- ') + msdna + str(imp.name) + msdnb + "\n")

file_to_print.close()

prnt("Exported: ")

try:

for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:

prnt("\t" + str(hex(pe.OPTIONAL_HEADER.ImageBase + exp.address)) +" "+ str(exp.name) +" "+ str(exp.ordinal))

except Exception, e: print "\t", e

Se ofera cineva voluntar sa faca un "mini db" txt cu functii api si o scurta descriere?

ex:

IsDebuggerPresent:check debugger

Posted (edited)

da, cand voi avea un txt cu api + utilizare le va incarca direct din fisier, momentan knowledge e populat doar pt a testa cum functioneaza

pentru a utiliza un db extern (knowledge.txt)

inlocuiesti :

knowledge = {"TerminateProcess": "exact",

"GetTickCount":"Sleep / check if debug",

"IsDebuggerPresent":"check debugger",

"CheckRemoteDebuggerPresent":" check debugger",

"etc": "etc"

}

cu :

knowledge = {}

try:

temp = open("knowledge.txt", "r")

except Exception, e:

print e

sys.exit()

for line in temp:

line = line.strip("\n").split(":")

if line[0] not in knowledge.keys():

knowledge[line[0]]= line[1]

Edited by Usr6

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...