[RST] PE-Analyzer (Python)

Usr6 · January 20, 2014

Output:


	RST PE-Analyzer
firefox.exe
Size:  275568 bytes
MD5:  93e28799430480cce0ab3d961e5312ad
DLL:  False
EXE:  True
Driver:  False
Machine:  0x14c (0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 )
OEP:  0x2478
Compile time:  2013-12-05 19:22:27
Digital Signature:  Yes
C:\Python27\firefox.exe:

	Verified:	Signed

	Signing date:	9:34 PM 12/5/2013

	Publisher:	Mozilla Corporation

	Description:	Firefox

	Product:	Firefox

	Prod version:	26.0

	File version:	26.0

	MachineType:	32-bit

	Binary Version:	26.0.0.5087

	Original Name:	firefox.exe

	Internal Name:	Firefox

	Copyright:	©Firefox and Mozilla Developers; available under the MPL 2 license.

	Comments:	

	VT detection:	0/48

	VT link:	https://www.virustotal.com/file/0c722b9aaf4f2ee3265f92f1498c6b64fffbb3e37d2136fae8584dcd7d23c06d/analysis/




Sigcheck v2.01 - File version and signature viewer

Copyright (C) 2004-2013 Mark Russinovich

Sysinternals - www.sysinternals.com




Packed:  True  (Entropy score decision)
PEiD Signature:  None
Sections: 
	.text 0x1000 0x1a7a 7168
	.rdata 0x3000 0xfb4 4096
	.data 0x4000 0x4bc 512
	.rsrc 0x5000 0x3d9c8 252416
	.reloc 0x43000 0x644 2048
Imported: 
	KERNEL32.dll
		0x403000 SetEnvironmentVariableW
		0x403004 ExpandEnvironmentStringsW
		0x403008 GetEnvironmentVariableW
		0x40300c GetModuleFileNameW
		0x403010 MultiByteToWideChar
		0x403014 GetTickCount
		0x403018 GetProcAddress
		0x40301c GetModuleHandleW
		0x403020 QueryPerformanceFrequency
		0x403024 GetFileAttributesW
		0x403028 WideCharToMultiByte
		0x40302c GetProcessIoCounters
		0x403030 GetCurrentProcess
		0x403034 SetDllDirectoryW
		0x403038 UnhandledExceptionFilter
		0x40303c TerminateProcess
		0x403040 GetCurrentProcessId
		0x403044 GetCurrentThreadId
		0x403048 QueryPerformanceCounter
		0x40304c DecodePointer
		0x403050 SetUnhandledExceptionFilter
		0x403054 EncodePointer
		0x403058 HeapSetInformation
		0x40305c InterlockedCompareExchange
		0x403060 Sleep
		0x403064 InterlockedExchange
		0x403068 IsDebuggerPresent
		0x40306c CreateFileW
		0x403070 CloseHandle
		0x403074 SetFilePointerEx
		0x403078 ReadFile
		0x40307c FreeLibrary
		0x403080 LoadLibraryExW
		0x403084 GetLastError
		0x403088 GetSystemTimeAsFileTime
	USER32.dll
		0x403138 MessageBoxW
	MSVCR100.dll
		0x403090 __wgetmainargs
		0x403094 _cexit
		0x403098 _exit
		0x40309c _XcptFilter
		0x4030a0 _amsg_exit
		0x4030a4 __winitenv
		0x4030a8 _initterm
		0x4030ac _initterm_e
		0x4030b0 _configthreadlocale
		0x4030b4 __setusermatherr
		0x4030b8 _commode
		0x4030bc _fmode
		0x4030c0 __set_app_type
		0x4030c4 _vsnprintf_s
		0x4030c8 ?terminate@@YAXXZ
		0x4030cc _unlock
		0x4030d0 __dllonexit
		0x4030d4 _lock
		0x4030d8 _onexit
		0x4030dc _except_handler4_common
		0x4030e0 _invoke_watson
		0x4030e4 _controlfp_s
		0x4030e8 _crt_debugger_hook
		0x4030ec memset
		0x4030f0 memcpy
		0x4030f4 strcat
		0x4030f8 fgets
		0x4030fc strlen
		0x403100 ??3@YAXPAX@Z
		0x403104 fclose
		0x403108 _wfopen
		0x40310c ??2@YAPAXI@Z
		0x403110 strcpy
		0x403114 getenv
		0x403118 _snprintf
		0x40311c _stricmp
		0x403120 wcslen
		0x403124 ??_V@YAXPAX@Z
		0x403128 strrchr
		0x40312c exit
		0x403130 _putenv
Exported: 
	PE instance has no attribute 'DIRECTORY_ENTRY_EXPORT'

Cerinte minime:

1. python 2.7

2. pefile pefile - pefile is a Python module to read and work with PE (Portable Executable) files - Google Project Hosting

3. UserDB.TXT https://code.google.com/p/reverse-engineering-scripts/downloads/detail?name=UserDB.TXT

4. sigcheck.exe Sigcheck

5. conexiune la internet pentru a verifica hash-ul pe virustotal

# fisierele UserDB.TXT, sigcheck.exe trebuie puse in acelasi director cu scriptul

Pentru salvarea outputului intr-un fisier:


python Script.py PEfile >save.txt

Source Code:


import sys 
import os
import hashlib
import re
import subprocess
import time
import pefile
import peutils

print "\tRST PE-Analyzer https://rstforums.com"
try:
  signatures = peutils.SignatureDatabase('UserDB.TXT')
except:
	print "Lipseste fisierul cu semnaturi: UserDB.TXT"
	sys.exit()

if len(sys.argv) != 2:
  print """  
  Utilizare: python Script.py executabil""" 

  sys.exit()
else:
  try:
    pe = pefile.PE(sys.argv[1])
  except Exception, e: print e

def hashfile(afile, blocksize=65536):
  handle = open(afile, "rb")
  temp = hashlib.md5()
  while True:
    data = handle.read(blocksize)
    if not data:
    	break
    temp.update(data)
    return temp.hexdigest()

print str(sys.argv[1])

print "Size: ", os.path.getsize(sys.argv[1]),  "bytes"

print "MD5: ", hashfile(sys.argv[1])

print "DLL: ", pe.is_dll()
print "EXE: ", pe.is_exe()
print "Driver: ", pe.is_driver()
print "Machine: ", hex(pe.FILE_HEADER.Machine) , "(0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 )"
print "OEP: ", hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)

epoch = pe.FILE_HEADER.TimeDateStamp
print "Compile time: ", time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(epoch))

ds = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
print "Digital Signature: ", "No" if ds == 0 else "Yes"   
if ds == ds : # ds!= 0 to use sigcheck only file is signed 
  try:
    cmnd = os.getcwd() + "\\" + "sigcheck.exe -a -vt " + str(sys.argv[1])
    p = subprocess.Popen(cmnd,stderr=subprocess.PIPE,stdout=subprocess.PIPE,shell=True)
    (stdout, stderr) = p.communicate()
    print stdout
    print stderr
  except Exception, e: print e

print "Packed: ", peutils.is_probably_packed(pe), " (Entropy score decision)"

matches = signatures.match_all(pe, ep_only = True)
print "PEiD Signature: ", matches  

print "Sections: "
for section in pe.sections:
  print "\t", section.Name.strip("\x00"), hex(section.VirtualAddress), hex(section.Misc_VirtualSize), section.SizeOfRawData

print "Imported: "
pe.parse_data_directories()
for entry in pe.DIRECTORY_ENTRY_IMPORT:
  print "\t", entry.dll
  for imp in entry.imports:
    print '\t\t', hex(imp.address), imp.name

print "Exported: "
try:
  for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
    print "\t", hex(pe.OPTIONAL_HEADER.ImageBase + exp.address), exp.name, exp.ordinal
except Exception, e: print "\t", e

Scriptul de mai sus contine si bucati de cod copiate din alte parti:

UsageExamples - pefile - Usage examples of pefile - pefile is a Python module to read and work with PE (Portable Executable) files - Google Project Hosting

PEiDSignatures - pefile - Using PEiD signatures - pefile is a Python module to read and work with PE (Portable Executable) files - Google Project Hosting

Nytro · January 20, 2014

Asa mai merge.

tedeus · January 20, 2014

Du-ti bre de acilea :)) .

Te gasisi tu repede sa faci ceva bun? Al dracului... adica vrei sa ajungi exemplu?

Pffff... nice. Bravo, alea alea. Asta este ceea ce ar trebui sa conteze. Nu criticile pe topicuri de genul prezentari, nu vanzarea unui prapadit de ceva cu 2 euroi...

Felicitari!

Maximus · January 20, 2014

Felicitari, +like +rep

GarryOne · January 20, 2014

Bravo, foarte util.

playfun · January 20, 2014

Poti sa ii faci si o mica descriere, intrebuintarea lui ?

Usr6 · January 20, 2014

:)) pai, au pornit astia o conspiratie impotriva mea. DOVEZI CLARE aici: https://rstforums.com/forum/326-fun-stuff-319.rst#post516048 cum un Administrator al acestui forum zice rele de mine

Multumesc

Usr6 · January 29, 2014

Update

printre altele:

- ofera o mica descriere a functiilor api importate, pentru cele care nu exista in dictionarul local se ofera un link de cautare pe msdn

- tipareste output-ul si intr-un fisier txt (numelefisierului analizat + txt)

Output:


	RST PE-Analyzer 
		Usr6 
	rstforums.com
firefox.exe
Size: 275568 bytes
EXE: Yes
Machine: 0x14c(0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 )
OEP: 0x2478
Compile time: 2013-12-05 19:22:27
Digital Signature: Yes
c:\Python27\firefox.exe:
	Verified:	Signed
	Signing date:	9:34 PM 12/5/2013
	Publisher:	Mozilla Corporation
	Description:	Firefox
	Product:	Firefox
	Prod version:	26.0
	File version:	26.0
	MachineType:	32-bit
	Binary Version:	26.0.0.5087
	Original Name:	firefox.exe
	Internal Name:	Firefox
	Copyright:	©Firefox and Mozilla Developers; available under the MPL 2 license.
	Comments:	
	MD5:	1EEA6C1B35191DC177EA83672B9C3FC0
	SHA1:	AC69FA1DF07CEEC14178428F6416B27CF57CEA26
	PESHA1:	17FF37178BE1A4F6240D84BD54E27C74F3F95B29
	SHA256:	0C722B9AAF4F2EE3265F92F1498C6B64FFFBB3E37D2136FAE8584DCD7D23C06D
	VT detection:	0/50
	VT link:	https://www.virustotal.com/file/0c722b9aaf4f2ee3265f92f1498c6b64fffbb3e37d2136fae8584dcd7d23c06d/analysis/

Packed: Yes	(Entropy score decision)
PEiD Signature: No
Sections: 
	.text 0x1000 0x1a7a 7168
	.rdata 0x3000 0xfb4 4096
	.data 0x4000 0x4bc 512
	.rsrc 0x5000 0x3d9c8 252416
	.reloc 0x43000 0x644 2048
Imported: 
	KERNEL32.dll
		0x403000 SetEnvironmentVariableW		 --- http://social.msdn.microsoft.com/Search/en-US?query=SetEnvironmentVariableW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403004 ExpandEnvironmentStringsW		 --- http://social.msdn.microsoft.com/Search/en-US?query=ExpandEnvironmentStringsW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403008 GetEnvironmentVariableW		 --- http://social.msdn.microsoft.com/Search/en-US?query=GetEnvironmentVariableW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x40300c GetModuleFileNameW		 --- http://social.msdn.microsoft.com/Search/en-US?query=GetModuleFileNameW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403010 MultiByteToWideChar		 --- http://social.msdn.microsoft.com/Search/en-US?query=MultiByteToWideChar&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403014 GetTickCount		 --- Sleep / check if debug
		0x403018 GetProcAddress		 --- http://social.msdn.microsoft.com/Search/en-US?query=GetProcAddress&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x40301c GetModuleHandleW		 --- http://social.msdn.microsoft.com/Search/en-US?query=GetModuleHandleW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403020 QueryPerformanceFrequency		 --- http://social.msdn.microsoft.com/Search/en-US?query=QueryPerformanceFrequency&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403024 GetFileAttributesW		 --- http://social.msdn.microsoft.com/Search/en-US?query=GetFileAttributesW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403028 WideCharToMultiByte		 --- http://social.msdn.microsoft.com/Search/en-US?query=WideCharToMultiByte&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x40302c GetProcessIoCounters		 --- http://social.msdn.microsoft.com/Search/en-US?query=GetProcessIoCounters&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403030 GetCurrentProcess		 --- http://social.msdn.microsoft.com/Search/en-US?query=GetCurrentProcess&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403034 SetDllDirectoryW		 --- http://social.msdn.microsoft.com/Search/en-US?query=SetDllDirectoryW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403038 UnhandledExceptionFilter		 --- http://social.msdn.microsoft.com/Search/en-US?query=UnhandledExceptionFilter&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x40303c TerminateProcess		 --- exact
		0x403040 GetCurrentProcessId		 --- http://social.msdn.microsoft.com/Search/en-US?query=GetCurrentProcessId&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403044 GetCurrentThreadId		 --- http://social.msdn.microsoft.com/Search/en-US?query=GetCurrentThreadId&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403048 QueryPerformanceCounter		 --- http://social.msdn.microsoft.com/Search/en-US?query=QueryPerformanceCounter&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x40304c DecodePointer		 --- http://social.msdn.microsoft.com/Search/en-US?query=DecodePointer&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403050 SetUnhandledExceptionFilter		 --- http://social.msdn.microsoft.com/Search/en-US?query=SetUnhandledExceptionFilter&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403054 EncodePointer		 --- http://social.msdn.microsoft.com/Search/en-US?query=EncodePointer&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403058 HeapSetInformation		 --- http://social.msdn.microsoft.com/Search/en-US?query=HeapSetInformation&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x40305c InterlockedCompareExchange		 --- http://social.msdn.microsoft.com/Search/en-US?query=InterlockedCompareExchange&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403060 Sleep		 --- http://social.msdn.microsoft.com/Search/en-US?query=Sleep&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403064 InterlockedExchange		 --- http://social.msdn.microsoft.com/Search/en-US?query=InterlockedExchange&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403068 IsDebuggerPresent		 --- check debugger
		0x40306c CreateFileW		 --- http://social.msdn.microsoft.com/Search/en-US?query=CreateFileW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403070 CloseHandle		 --- http://social.msdn.microsoft.com/Search/en-US?query=CloseHandle&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403074 SetFilePointerEx		 --- http://social.msdn.microsoft.com/Search/en-US?query=SetFilePointerEx&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403078 ReadFile		 --- http://social.msdn.microsoft.com/Search/en-US?query=ReadFile&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x40307c FreeLibrary		 --- http://social.msdn.microsoft.com/Search/en-US?query=FreeLibrary&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403080 LoadLibraryExW		 --- http://social.msdn.microsoft.com/Search/en-US?query=LoadLibraryExW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403084 GetLastError		 --- http://social.msdn.microsoft.com/Search/en-US?query=GetLastError&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403088 GetSystemTimeAsFileTime		 --- http://social.msdn.microsoft.com/Search/en-US?query=GetSystemTimeAsFileTime&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
	USER32.dll
		0x403138 MessageBoxW		 --- http://social.msdn.microsoft.com/Search/en-US?query=MessageBoxW&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
	MSVCR100.dll
		0x403090 __wgetmainargs		 --- http://social.msdn.microsoft.com/Search/en-US?query=__wgetmainargs&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403094 _cexit		 --- http://social.msdn.microsoft.com/Search/en-US?query=_cexit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403098 _exit		 --- http://social.msdn.microsoft.com/Search/en-US?query=_exit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x40309c _XcptFilter		 --- http://social.msdn.microsoft.com/Search/en-US?query=_XcptFilter&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030a0 _amsg_exit		 --- http://social.msdn.microsoft.com/Search/en-US?query=_amsg_exit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030a4 __winitenv		 --- http://social.msdn.microsoft.com/Search/en-US?query=__winitenv&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030a8 _initterm		 --- http://social.msdn.microsoft.com/Search/en-US?query=_initterm&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030ac _initterm_e		 --- http://social.msdn.microsoft.com/Search/en-US?query=_initterm_e&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030b0 _configthreadlocale		 --- http://social.msdn.microsoft.com/Search/en-US?query=_configthreadlocale&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030b4 __setusermatherr		 --- http://social.msdn.microsoft.com/Search/en-US?query=__setusermatherr&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030b8 _commode		 --- http://social.msdn.microsoft.com/Search/en-US?query=_commode&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030bc _fmode		 --- http://social.msdn.microsoft.com/Search/en-US?query=_fmode&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030c0 __set_app_type		 --- http://social.msdn.microsoft.com/Search/en-US?query=__set_app_type&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030c4 _vsnprintf_s		 --- http://social.msdn.microsoft.com/Search/en-US?query=_vsnprintf_s&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030c8 ?terminate@@YAXXZ		 --- http://social.msdn.microsoft.com/Search/en-US?query=?terminate@@YAXXZ&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030cc _unlock		 --- http://social.msdn.microsoft.com/Search/en-US?query=_unlock&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030d0 __dllonexit		 --- http://social.msdn.microsoft.com/Search/en-US?query=__dllonexit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030d4 _lock		 --- http://social.msdn.microsoft.com/Search/en-US?query=_lock&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030d8 _onexit		 --- http://social.msdn.microsoft.com/Search/en-US?query=_onexit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030dc _except_handler4_common		 --- http://social.msdn.microsoft.com/Search/en-US?query=_except_handler4_common&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030e0 _invoke_watson		 --- http://social.msdn.microsoft.com/Search/en-US?query=_invoke_watson&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030e4 _controlfp_s		 --- http://social.msdn.microsoft.com/Search/en-US?query=_controlfp_s&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030e8 _crt_debugger_hook		 --- http://social.msdn.microsoft.com/Search/en-US?query=_crt_debugger_hook&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030ec memset		 --- http://social.msdn.microsoft.com/Search/en-US?query=memset&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030f0 memcpy		 --- http://social.msdn.microsoft.com/Search/en-US?query=memcpy&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030f4 strcat		 --- http://social.msdn.microsoft.com/Search/en-US?query=strcat&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030f8 fgets		 --- http://social.msdn.microsoft.com/Search/en-US?query=fgets&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x4030fc strlen		 --- http://social.msdn.microsoft.com/Search/en-US?query=strlen&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403100 ??3@YAXPAX@Z		 --- http://social.msdn.microsoft.com/Search/en-US?query=??3@YAXPAX@Z&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403104 fclose		 --- http://social.msdn.microsoft.com/Search/en-US?query=fclose&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403108 _wfopen		 --- http://social.msdn.microsoft.com/Search/en-US?query=_wfopen&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x40310c ??2@YAPAXI@Z		 --- http://social.msdn.microsoft.com/Search/en-US?query=??2@YAPAXI@Z&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403110 strcpy		 --- http://social.msdn.microsoft.com/Search/en-US?query=strcpy&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403114 getenv		 --- http://social.msdn.microsoft.com/Search/en-US?query=getenv&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403118 _snprintf		 --- http://social.msdn.microsoft.com/Search/en-US?query=_snprintf&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x40311c _stricmp		 --- http://social.msdn.microsoft.com/Search/en-US?query=_stricmp&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403120 wcslen		 --- http://social.msdn.microsoft.com/Search/en-US?query=wcslen&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403124 ??_V@YAXPAX@Z		 --- http://social.msdn.microsoft.com/Search/en-US?query=??_V@YAXPAX@Z&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403128 strrchr		 --- http://social.msdn.microsoft.com/Search/en-US?query=strrchr&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x40312c exit		 --- http://social.msdn.microsoft.com/Search/en-US?query=exit&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
		0x403130 _putenv		 --- http://social.msdn.microsoft.com/Search/en-US?query=_putenv&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false
Exported:

Source code:

import sys

import os

import hashlib

import re

import subprocess

import time

import pefile

import peutils

try:

signatures = peutils.SignatureDatabase('UserDB.TXT')

except:

print "Lipseste fisierul cu semnaturi: UserDB.TXT"

sys.exit()

if len(sys.argv) != 2:

print "Utilizare: python Script.py PEfile"

sys.exit()

else:

try:

filename = str(sys.argv[1])

pe = pefile.PE(filename)

except Exception, e: print e

knowledge = {"TerminateProcess": "exact",

"GetTickCount":"Sleep / check if debug",

"IsDebuggerPresent":"check debugger",

"CheckRemoteDebuggerPresent":" check debugger",

"etc": "etc"

}

msdna = 'http://social.msdn.microsoft.com/Search/en-US?query='

msdnb = '&emptyWatermark=true&searchButtonTooltip=Search%20MSDN&ac=4#refinementChanges=117&pageNumber=1&showMore=false'

def prnt(text_to_print):

if text_to_print != "None":

file_to_print = str(filename) + ".txt"

file_to_print = open(file_to_print, "a")

print text_to_print

file_to_print.write(str(text_to_print) + "\n")

file_to_print.close()

prnt("\tRST PE-Analyzer \n\t\tUsr6 \n\trstforums.com")

prnt(filename)

prnt("Size: " + str(os.path.getsize(filename)) + " bytes")

prnt("DLL: " + "Yes" if pe.is_dll() else "None")

prnt("EXE: " + "Yes" if pe.is_exe() else "None")

prnt("Driver: " + "Yes" if pe.is_driver() else "None")

prnt("Machine: " + str(hex(pe.FILE_HEADER.Machine)) + "(0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 )")

prnt("OEP: " + str(hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)))

epoch = pe.FILE_HEADER.TimeDateStamp

prnt("Compile time: " +str(time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(epoch))))

ds = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress

ds = "No" if ds == 0 else "Yes"

prnt("Digital Signature: " + ds)

try:

cmnd = os.getcwd() + "\\" + "sigcheck.exe -q -a -h -vt -vn " + filename

p = subprocess.Popen(cmnd,stderr=subprocess.PIPE,stdout=subprocess.PIPE,shell=True)

(stdout, stderr) = p.communicate()

prnt(re.sub(r"\r\n", r"\n", stdout))

#print stderr

except Exception, e: print e

packed = "Yes" if peutils.is_probably_packed(pe) else "No"

prnt("Packed: " + packed + "\t(Entropy score decision)")

matches = "Yes" if signatures.match_all(pe, ep_only = True) else "No"

prnt("PEiD Signature: " + matches)

prnt("Sections: ")

for section in pe.sections:

prnt("\t" + str(section.Name.strip("\x00")) + " " + str(hex(section.VirtualAddress)) + " " + str(hex(section.Misc_VirtualSize)) + " " + str(section.SizeOfRawData))

prnt("Imported: ")

pe.parse_data_directories()

for entry in pe.DIRECTORY_ENTRY_IMPORT:

prnt("\t" + str(entry.dll))

for imp in entry.imports:

if imp.name in knowledge.keys():

prnt('\t\t' + str(hex(imp.address)) +" "+ str(imp.name) + str('\t\t --- ') + str(knowledge[imp.name]))

else :

print '\t\t', hex(imp.address), imp.name

file_to_print = str(filename) + ".txt"

file_to_print = open(file_to_print, "a")

file_to_print.write('\t\t'+str(hex(imp.address)) +" "+ str(imp.name) + str('\t\t --- ') + msdna + str(imp.name) + msdnb + "\n")

file_to_print.close()

prnt("Exported: ")

try:

for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:

prnt("\t" + str(hex(pe.OPTIONAL_HEADER.ImageBase + exp.address)) +" "+ str(exp.name) +" "+ str(exp.ordinal))

except Exception, e: print "\t", e

Se ofera cineva voluntar sa faca un "mini db" txt cu functii api si o scurta descriere?

ex:

IsDebuggerPresent:check debugger

em · January 29, 2014

Adica de completat vectorul knowledge? Ala nu era mai bine sa fie populat dintr-un fisier extern? knowledge.txt ?

Usr6 · January 29, 2014

da, cand voi avea un txt cu api + utilizare le va incarca direct din fisier, momentan knowledge e populat doar pt a testa cum functioneaza

pentru a utiliza un db extern (knowledge.txt)

inlocuiesti :

knowledge = {"TerminateProcess": "exact",

"GetTickCount":"Sleep / check if debug",

"IsDebuggerPresent":"check debugger",

"CheckRemoteDebuggerPresent":" check debugger",

"etc": "etc"

}

cu :

knowledge = {}

try:

temp = open("knowledge.txt", "r")

except Exception, e:

print e

sys.exit()

for line in temp:

line = line.strip("\n").split(":")

if line[0] not in knowledge.keys():

knowledge[line[0]]= line[1]

Edited January 29, 2014 by Usr6

Sign In

[RST] PE-Analyzer (Python)

Recommended Posts

Usr6

Nytro

tedeus

Maximus

GarryOne

playfun

Usr6

Usr6

em

Usr6

Join the conversation

Browse

Activity

Pages