peframe.py

1. #!/usr/bin/env python
2.  
3. # PEframe
4. #
5. # PEframe is free software: you can redistribute it and/or modify
6. # it under the terms of the GNU General Public License as published by
7. # the Free Software Foundation, either version 3 of the License, or
8. # (at your option) any later version.
9. #
10. # PEframe is distributed in the hope that it will be useful,
11. # but WITHOUT ANY WARRANTY; without even the implied warranty of
12. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13. # GNU General Public License for more details.
14. #
15. # You should have received a copy of the GNU General Public License
16. # along with PEframe. If not, see <http://www.gnu.org/licenses/>.
17.  
18. import os, sys
19. import time, datetime
20.  
21. sys.path.insert(0, 'modules')
22.  
23. try:
24.     import pecore
25. except ImportError:
26.     print '[!] pecore not found.'
27.     sys.exit(0)
28.  
29. # INFORMATION
30. NAME        = "PEframe"
31. VERSION     = "3.0 rc2"
32. AUTHOR      = "Author: Gianni 'guelfoweb' Amato"
33. GITHUB      = "Github: https://github.com/guelfoweb/peframe"
34. INFO        = NAME+" v."+VERSION+" - Open Source Project\n"+AUTHOR+"\n"+GITHUB
35.  
36. def show_hash(filename):
37.     hashcode = pecore.get_hash(filename)
38.     md5      = hashcode[0]
39.     sha1     = hashcode[1]
40.     print "Hash MD5".ljust(18), md5
41.     print "Hash SAH1".ljust(18), sha1
42.  
43. def show_info(filename):
44.     info = pecore.get_info(filename)
45.     name = info[0]
46.     size = info[1]
47.     time = datetime.datetime.fromtimestamp(info[2])
48.     dll  = info[3]
49.     sect = info[4]
50.     print "File Name".ljust(18), str(name)
51.     print "File Size".ljust(18), str(size), "byte"
52.     print "Compile Time".ljust(18), str(time)
53.     if dll:
54.         print "DLL".ljust(18), "Yes"
55.     else:
56.         print "DLL".ljust(18), "No"
57.     print "Sections".ljust(18), str(sect)
58.  
59. def check_packer(filename):
60.     peid = pecore.check_peid(filename)
61.     if peid:
62.         print "Packer".ljust(18), "Yes"
63.     else:
64.         print "Packer".ljust(18), "No"
65.  
66. def show_packer(filename):
67.     peid = pecore.check_peid(filename)
68.     if peid != None:
69.         len_peid = len(peid)
70.         print "\nPacker matched [" + str(len_peid) + "]"
71.         print "-"*60
72.         for i in range(0, len_peid):
73.             print "Packer".ljust(18), peid[i][0]
74.  
75. def check_antidbg(filename):
76.     antidbg = pecore.get_apiantidbg(filename)
77.     if antidbg:
78.         print "Anti Debug".ljust(18), "Yes"
79.         return True
80.     else:
81.         print "Anti Debug".ljust(18), "No"
82.         return False
83.  
84. def show_antidbg(filename):
85.     antidbg = pecore.get_apiantidbg(filename)
86.     if antidbg:
87.         len_antidbg = len(antidbg)
88.         print "\nAnti Debug discovered [" + str(len_antidbg) + "]"
89.         print "-"*60
90.         for i in range(0, len_antidbg):
91.             print "Anti Debug".ljust(18),antidbg[i]
92.  
93. def check_antivm(filename):
94.     antivm = pecore.check_antivm(filename)
95.     if antivm:
96.         print 'Anti VM'.ljust(18), "Yes"
97.     else:
98.         print 'Anti VM'.ljust(18), "No"
99.  
100. def show_antivm(filename):
101.     antivm = pecore.check_antivm(filename)
102.     if antivm:
103.         len_antivm = len(antivm)
104.         print "\nAnti VM Trick discovered [" + str(len_antivm) + "]"
105.         print "-"*60
106.         for i in range(0, len_antivm):
107.             print 'Trick'.ljust(18), antivm[i]
108.  
109. def show_suspicious(filename):
110.     apialert = pecore.get_apialert(filename)
111.     if apialert:
112.         len_apialert = len(apialert)
113.         print "\nSuspicious API discovered [" + str(len_apialert) + "]"
114.         print "-"*60
115.         for i in range(0, len_apialert):
116.             print 'Function'.ljust(18), apialert[i]
117.  
118. def show_secsuspicious(filename):
119.     secsuspicious = pecore.get_sectionsalert(filename)
120.     if secsuspicious:
121.         len_secsuspicious = len(secsuspicious)
122.         print "\nSuspicious Sections discovered [" + str(len_secsuspicious) + "]"
123.         print "-"*60
124.         for i in range(0, len_secsuspicious):
125.             print 'Section'.ljust(18),secsuspicious[i][0]
126.             print 'Hash MD5'.ljust(18),secsuspicious[i][1]
127.             print 'Hash SHA-1'.ljust(18),secsuspicious[i][2]
128.            
129. def show_fileurl(filename):
130.     getfileurl = pecore.get_fileurl(filename)
131.     if getfileurl:
132.         len_url  = len(getfileurl[0])
133.         len_file = len(getfileurl[1])
134.         if len_file > 0:
135.             print "\nFile name discovered [" + str(len_file) + "]"
136.             print "-"*60
137.             for i in range(0, len_file):
138.                 print getfileurl[1][i][0].ljust(18), getfileurl[1][i][1]
139.         if len_url > 0:
140.             print "\nUrl discovered [" + str(len_url) + "]"
141.             print "-"*60
142.             for i in range(0, len_url):
143.                 print 'Url'.ljust(18), getfileurl[0][i]
144.                
145. def show_meta(filename):
146.     spl = []
147.     meta = pecore.get_meta(filename)
148.     if meta:
149.         len_meta = len(meta)
150.         print "\nMeta data found [" + str(len_meta) + "]"
151.         print "-"*60
152.         for i in range(0, len_meta):
153.             spl.append(meta[i].split(':'))
154.         for i in range(0, len_meta):
155.             print str(spl[i][0]).ljust(18), str(spl[i][1])
156.                
157. def show_sections(filename):
158.     sections = pecore.get_sections(filename)
159.     if sections:
160.         len_sections = len(sections)
161.         print "\nSections discovered [" + str(len_sections) + "]"
162.         print "-"*60
163.         for i in range(0, len_sections):
164.             print '\nSection'.ljust(18), sections[i][0]
165.             print 'Hash MD5'.ljust(18), sections[i][1]
166.             print 'Hash SHA-1'.ljust(18), sections[i][2]       
167.             print 'VirtualAddress'.ljust(18), sections[i][4]
168.             print 'VirtualSize'.ljust(18), sections[i][5]
169.             print 'SizeofRawData'.ljust(18), sections[i][6]
170.             suspicious = sections[i][3]
171.             if suspicious:
172.                 print 'Suspicious'.ljust(18), "Yes"
173.             else:
174.                 print 'Suspicious'.ljust(18), "No"
175.  
176. def show_imported_functions(filename):
177.     imported = pecore.get_imported_functions(filename)
178.     arrayDll = []
179.     if imported:
180.         len_imported = len(imported)
181.         for i in range(0, len_imported):
182.             arrayDll.append(imported[i][0])
183.         dllfound = set(arrayDll)
184.         print "\nImported [" + str(len(dllfound)) +"] DLL and [" + str(len_imported) + "] Functions"
185.         print "-"*60
186.         for i in range(0, len_imported):
187.             dll      = imported[i][0]
188.             address  = imported[i][1]
189.             function = imported[i][2]
190.             print dll.ljust(18),address,function
191.  
192. def show_exported_functions(filename):
193.     exported = pecore.get_exported_functions(filename)
194.     arrayDll = []
195. #   print exported
196.     if exported:
197.         len_imported = len(exported)
198.         for i in range(0, len_exported):
199.             arrayDll.append(exported[i][0])
200.         dllfound = set(arrayDll)
201.         print "\nExported [" + str(len(dllfound)) +"] DLL and [" + str(len_exported) + "] Functions"
202.         print "-"*60
203.         for i in range(0, len_exported):
204.             dll      = exported[i][0]
205.             address  = exported[i][1]
206.             function = exported[i][2]
207.             print dll.ljust(18),address,function
208.  
209. def show_directory(filename):
210.     imports    = pecore.get_import(filename)
211.     exports    = pecore.get_export(filename)
212.     resources  = pecore.get_resource(filename)
213.     debugs     = pecore.get_debug(filename)
214.     tls        = pecore.get_tls(filename)
215.     relocation = pecore.get_basereloc(filename)
216.  
217.     dirlist   = []
218.    
219.     if imports:
220.         dirlist.append("Import")
221.     if exports:
222.         dirlist.append("Export")
223.     if resources:
224.         dirlist.append("Resource")
225.     if debugs:
226.         dirlist.append("Debug")
227.     if tls:
228.         dirlist.append("TLS")
229.     if relocation:
230.         dirlist.append("Relocation")
231.  
232.     print "Directory".ljust(18), ", ".join(dirlist)
233.            
234.  
235. def show_dump(filename):
236.     dump = pecore.get_dump(filename)
237.     print dump
238.  
239. def show_resource_dump(filename, directory):
240.     if directory == "import":
241.         imports = pecore.get_import(filename)
242.         if imports:
243.             print "\nDirectory dump for " + directory.upper() + " raw data"
244.             print "-"*60
245.             print imports
246.     if directory == "export":
247.         exports = pecore.get_export(filename)
248.         print "\nDirectory dump for " + directory.upper() + " raw data"
249.         print "-"*60
250.         print exports
251.     if directory == "resource":
252.         resources = pecore.get_resource(filename)
253.         if resources:
254.             print "\nDirectory dump for " + directory.upper() + " raw data"
255.             print "-"*60
256.             print resources
257.     if directory == "debug":
258.         debugs = pecore.get_debug(filename)
259.         if debugs:
260.             print "\nDirectory dump for " + directory.upper() + " raw data"
261.             print "-"*60
262.             print debugs
263.     if directory == "tls":
264.         tlss = pecore.get_tls(filename)
265.         if tlss:
266.             print "\nDirectory dump for " + directory.upper() + " raw data"
267.             print "-"*60
268.             print tlss
269.     if directory == "relocation":
270.         relocations = pecore.get_basereloc(filename)
271.         if relocations:
272.             print "\nDirectory dump for " + directory.upper() + " raw data"
273.             print "-"*60
274.             print relocations
275.  
276. def show_strings(filename):
277.     strings = pecore.get_strings(filename)
278.     if(strings):
279.         for string in strings:
280.             print string
281.  
282. def check_isfile(filename):
283.     isfile = os.path.isfile(filename)
284.     if not isfile:
285.         print "File not found:", filename
286.         sys.exit(0)
287.     ispe = pecore.is_pe(filename)
288.     if not ispe:
289.         print "No PE file:", filename
290.         sys.exit(0)
291.  
292. def autoanalysis(filename):
293.     print "\nShort information"
294.     print "-"*60
295.     show_info(filename)
296.     show_hash(filename)
297.     check_packer(filename)
298.     check_antidbg(filename)
299.     check_antivm(filename)
300.     show_directory(filename)
301.  
302.     show_packer(filename)
303.     show_antidbg(filename)
304.     show_antivm(filename)
305.     show_suspicious(filename)
306.     show_secsuspicious(filename)
307.     show_fileurl(filename)
308.     show_meta(filename)
309.  
310. #   show_sections(filename)
311. #   show_imported_functions(filename)
312. #   show_exported_functions(filename)
313. #   show_dump(filename)
314. #   show_strings(filename)
315. #   show_resource_dump(filename, "resource")
316.  
317. def help():
318.     print INFO
319.     print
320.     print "Usage"
321.     print "".ljust(4), "peframe.py malware.exe"
322.     print "".ljust(4), "peframe.py [--option] malware.exe"
323.     print
324.     print "Option"
325.     print "".ljust(4), "--import".ljust(14), "Imported function and dll"
326.     print "".ljust(4), "--export".ljust(14), "Exported function and dll"
327.     print
328.     print "".ljust(4), "--dir-import".ljust(14), "Import directory"
329.     print "".ljust(4), "--dir-export".ljust(14), "Export directory"
330.     print "".ljust(4), "--dir-resource".ljust(14), "Resource directory"
331.     print "".ljust(4), "--dir-debug".ljust(14), "Debug directory"
332.     print "".ljust(4), "--dir-tls".ljust(14), "TLS directory"
333.     print "".ljust(4), "--dir-reloc".ljust(14), "Relocation directory"
334.     print
335.     print "".ljust(4), "--strings".ljust(14), "Get all strings"
336.     print "".ljust(4), "--sections".ljust(14), "Sections information"
337.     print "".ljust(4), "--dump".ljust(14), "Dump all information"
338.  
339.     sys.exit(0)
340.  
341. #______________________MAIN______________________
342.  
343. # Help
344. if len(sys.argv) == 1 or len(sys.argv) > 3:
345.     help()
346.  
347. # Auto Analysis
348. if len(sys.argv) == 2:
349.     filename = sys.argv[1]
350.     check_isfile(filename)
351.     autoanalysis(filename)
352.  
353. # Options
354. if len(sys.argv) == 3:
355.     option   = sys.argv[1]
356.     filename = sys.argv[2]
357.     check_isfile(filename)
358.  
359.     if option == "--info":
360.         show_info(filename); sys.exit(0)
361.     elif option == "--hash":
362.         show_hash(filename); sys.exit(0)
363.     elif option == "--peid":
364.         show_packer(filename); sys.exit(0)     
365.     elif option == "--antidbg":
366.         show_antidbg(filename); sys.exit(0)
367.     elif option == "--antivm":
368.         show_antivm(filename); sys.exit(0)
369.     elif option == "--suspicious":
370.         show_suspicious(filename); sys.exit(0)
371.     elif option == "--secsuspicious":
372.         show_secsuspicious(filename); sys.exit(0)
373.     elif option == "--fileurl":
374.         show_fileurl(filename); sys.exit(0)
375.     elif option == "--meta":
376.         show_meta(filename); sys.exit(0)
377.     elif option == "--import":
378.         show_imported_functions(filename); sys.exit(0)
379.     elif option == "--export":
380.         show_exported_functions(filename); sys.exit(0)
381.     elif option == "--dir-import":
382.         show_resource_dump(filename, "import"); sys.exit(0)
383.     elif option == "--dir-export":
384.         show_resource_dump(filename, "export"); sys.exit(0)
385.     elif option == "--dir-resource":
386.         show_resource_dump(filename, "resource"); sys.exit(0)
387.     elif option == "--dir-debug":
388.         show_resource_dump(filename, "debug"); sys.exit(0)
389.     elif option == "--dir-tls":
390.         show_resource_dump(filename, "tls"); sys.exit(0)
391.     elif option == "--dir-reloc":
392.         show_resource_dump(filename, "relocation"); sys.exit(0)
393.     elif option == "--strings":
394.         show_strings(filename); sys.exit(0)
395.     elif option == "--sections":
396.         show_sections(filename); sys.exit(0)
397.     elif option == "--dump":
398.         show_dump(filename); sys.exit(0)
399.     else:
400.         help()