Advertisement
opexxx

peframe.py

May 1st, 2014
320
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 11.72 KB | None | 0 0
  1. #!/usr/bin/env python
  2.  
  3. # PEframe
  4. #
  5. # PEframe is free software: you can redistribute it and/or modify
  6. # it under the terms of the GNU General Public License as published by
  7. # the Free Software Foundation, either version 3 of the License, or
  8. # (at your option) any later version.
  9. #
  10. # PEframe is distributed in the hope that it will be useful,
  11. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13. # GNU General Public License for more details.
  14. #
  15. # You should have received a copy of the GNU General Public License
  16. # along with PEframe. If not, see <http://www.gnu.org/licenses/>.
  17.  
  18. import os, sys
  19. import time, datetime
  20.  
  21. sys.path.insert(0, 'modules')
  22.  
  23. try:
  24.     import pecore
  25. except ImportError:
  26.     print '[!] pecore not found.'
  27.     sys.exit(0)
  28.  
  29. # INFORMATION
  30. NAME        = "PEframe"
  31. VERSION     = "3.0 rc2"
  32. AUTHOR      = "Author: Gianni 'guelfoweb' Amato"
  33. GITHUB      = "Github: https://github.com/guelfoweb/peframe"
  34. INFO        = NAME+" v."+VERSION+" - Open Source Project\n"+AUTHOR+"\n"+GITHUB
  35.  
  36. def show_hash(filename):
  37.     hashcode = pecore.get_hash(filename)
  38.     md5      = hashcode[0]
  39.     sha1     = hashcode[1]
  40.     print "Hash MD5".ljust(18), md5
  41.     print "Hash SAH1".ljust(18), sha1
  42.  
  43. def show_info(filename):
  44.     info = pecore.get_info(filename)
  45.     name = info[0]
  46.     size = info[1]
  47.     time = datetime.datetime.fromtimestamp(info[2])
  48.     dll  = info[3]
  49.     sect = info[4]
  50.     print "File Name".ljust(18), str(name)
  51.     print "File Size".ljust(18), str(size), "byte"
  52.     print "Compile Time".ljust(18), str(time)
  53.     if dll:
  54.         print "DLL".ljust(18), "Yes"
  55.     else:
  56.         print "DLL".ljust(18), "No"
  57.     print "Sections".ljust(18), str(sect)
  58.  
  59. def check_packer(filename):
  60.     peid = pecore.check_peid(filename)
  61.     if peid:
  62.         print "Packer".ljust(18), "Yes"
  63.     else:
  64.         print "Packer".ljust(18), "No"
  65.  
  66. def show_packer(filename):
  67.     peid = pecore.check_peid(filename)
  68.     if peid != None:
  69.         len_peid = len(peid)
  70.         print "\nPacker matched [" + str(len_peid) + "]"
  71.         print "-"*60
  72.         for i in range(0, len_peid):
  73.             print "Packer".ljust(18), peid[i][0]
  74.  
  75. def check_antidbg(filename):
  76.     antidbg = pecore.get_apiantidbg(filename)
  77.     if antidbg:
  78.         print "Anti Debug".ljust(18), "Yes"
  79.         return True
  80.     else:
  81.         print "Anti Debug".ljust(18), "No"
  82.         return False
  83.  
  84. def show_antidbg(filename):
  85.     antidbg = pecore.get_apiantidbg(filename)
  86.     if antidbg:
  87.         len_antidbg = len(antidbg)
  88.         print "\nAnti Debug discovered [" + str(len_antidbg) + "]"
  89.         print "-"*60
  90.         for i in range(0, len_antidbg):
  91.             print "Anti Debug".ljust(18),antidbg[i]
  92.  
  93. def check_antivm(filename):
  94.     antivm = pecore.check_antivm(filename)
  95.     if antivm:
  96.         print 'Anti VM'.ljust(18), "Yes"
  97.     else:
  98.         print 'Anti VM'.ljust(18), "No"
  99.  
  100. def show_antivm(filename):
  101.     antivm = pecore.check_antivm(filename)
  102.     if antivm:
  103.         len_antivm = len(antivm)
  104.         print "\nAnti VM Trick discovered [" + str(len_antivm) + "]"
  105.         print "-"*60
  106.         for i in range(0, len_antivm):
  107.             print 'Trick'.ljust(18), antivm[i]
  108.  
  109. def show_suspicious(filename):
  110.     apialert = pecore.get_apialert(filename)
  111.     if apialert:
  112.         len_apialert = len(apialert)
  113.         print "\nSuspicious API discovered [" + str(len_apialert) + "]"
  114.         print "-"*60
  115.         for i in range(0, len_apialert):
  116.             print 'Function'.ljust(18), apialert[i]
  117.  
  118. def show_secsuspicious(filename):
  119.     secsuspicious = pecore.get_sectionsalert(filename)
  120.     if secsuspicious:
  121.         len_secsuspicious = len(secsuspicious)
  122.         print "\nSuspicious Sections discovered [" + str(len_secsuspicious) + "]"
  123.         print "-"*60
  124.         for i in range(0, len_secsuspicious):
  125.             print 'Section'.ljust(18),secsuspicious[i][0]
  126.             print 'Hash MD5'.ljust(18),secsuspicious[i][1]
  127.             print 'Hash SHA-1'.ljust(18),secsuspicious[i][2]
  128.            
  129. def show_fileurl(filename):
  130.     getfileurl = pecore.get_fileurl(filename)
  131.     if getfileurl:
  132.         len_url  = len(getfileurl[0])
  133.         len_file = len(getfileurl[1])
  134.         if len_file > 0:
  135.             print "\nFile name discovered [" + str(len_file) + "]"
  136.             print "-"*60
  137.             for i in range(0, len_file):
  138.                 print getfileurl[1][i][0].ljust(18), getfileurl[1][i][1]
  139.         if len_url > 0:
  140.             print "\nUrl discovered [" + str(len_url) + "]"
  141.             print "-"*60
  142.             for i in range(0, len_url):
  143.                 print 'Url'.ljust(18), getfileurl[0][i]
  144.                
  145. def show_meta(filename):
  146.     spl = []
  147.     meta = pecore.get_meta(filename)
  148.     if meta:
  149.         len_meta = len(meta)
  150.         print "\nMeta data found [" + str(len_meta) + "]"
  151.         print "-"*60
  152.         for i in range(0, len_meta):
  153.             spl.append(meta[i].split(':'))
  154.         for i in range(0, len_meta):
  155.             print str(spl[i][0]).ljust(18), str(spl[i][1])
  156.                
  157. def show_sections(filename):
  158.     sections = pecore.get_sections(filename)
  159.     if sections:
  160.         len_sections = len(sections)
  161.         print "\nSections discovered [" + str(len_sections) + "]"
  162.         print "-"*60
  163.         for i in range(0, len_sections):
  164.             print '\nSection'.ljust(18), sections[i][0]
  165.             print 'Hash MD5'.ljust(18), sections[i][1]
  166.             print 'Hash SHA-1'.ljust(18), sections[i][2]       
  167.             print 'VirtualAddress'.ljust(18), sections[i][4]
  168.             print 'VirtualSize'.ljust(18), sections[i][5]
  169.             print 'SizeofRawData'.ljust(18), sections[i][6]
  170.             suspicious = sections[i][3]
  171.             if suspicious:
  172.                 print 'Suspicious'.ljust(18), "Yes"
  173.             else:
  174.                 print 'Suspicious'.ljust(18), "No"
  175.  
  176. def show_imported_functions(filename):
  177.     imported = pecore.get_imported_functions(filename)
  178.     arrayDll = []
  179.     if imported:
  180.         len_imported = len(imported)
  181.         for i in range(0, len_imported):
  182.             arrayDll.append(imported[i][0])
  183.         dllfound = set(arrayDll)
  184.         print "\nImported [" + str(len(dllfound)) +"] DLL and [" + str(len_imported) + "] Functions"
  185.         print "-"*60
  186.         for i in range(0, len_imported):
  187.             dll      = imported[i][0]
  188.             address  = imported[i][1]
  189.             function = imported[i][2]
  190.             print dll.ljust(18),address,function
  191.  
  192. def show_exported_functions(filename):
  193.     exported = pecore.get_exported_functions(filename)
  194.     arrayDll = []
  195. #   print exported
  196.     if exported:
  197.         len_imported = len(exported)
  198.         for i in range(0, len_exported):
  199.             arrayDll.append(exported[i][0])
  200.         dllfound = set(arrayDll)
  201.         print "\nExported [" + str(len(dllfound)) +"] DLL and [" + str(len_exported) + "] Functions"
  202.         print "-"*60
  203.         for i in range(0, len_exported):
  204.             dll      = exported[i][0]
  205.             address  = exported[i][1]
  206.             function = exported[i][2]
  207.             print dll.ljust(18),address,function
  208.  
  209. def show_directory(filename):
  210.     imports    = pecore.get_import(filename)
  211.     exports    = pecore.get_export(filename)
  212.     resources  = pecore.get_resource(filename)
  213.     debugs     = pecore.get_debug(filename)
  214.     tls        = pecore.get_tls(filename)
  215.     relocation = pecore.get_basereloc(filename)
  216.  
  217.     dirlist   = []
  218.    
  219.     if imports:
  220.         dirlist.append("Import")
  221.     if exports:
  222.         dirlist.append("Export")
  223.     if resources:
  224.         dirlist.append("Resource")
  225.     if debugs:
  226.         dirlist.append("Debug")
  227.     if tls:
  228.         dirlist.append("TLS")
  229.     if relocation:
  230.         dirlist.append("Relocation")
  231.  
  232.     print "Directory".ljust(18), ", ".join(dirlist)
  233.            
  234.  
  235. def show_dump(filename):
  236.     dump = pecore.get_dump(filename)
  237.     print dump
  238.  
  239. def show_resource_dump(filename, directory):
  240.     if directory == "import":
  241.         imports = pecore.get_import(filename)
  242.         if imports:
  243.             print "\nDirectory dump for " + directory.upper() + " raw data"
  244.             print "-"*60
  245.             print imports
  246.     if directory == "export":
  247.         exports = pecore.get_export(filename)
  248.         print "\nDirectory dump for " + directory.upper() + " raw data"
  249.         print "-"*60
  250.         print exports
  251.     if directory == "resource":
  252.         resources = pecore.get_resource(filename)
  253.         if resources:
  254.             print "\nDirectory dump for " + directory.upper() + " raw data"
  255.             print "-"*60
  256.             print resources
  257.     if directory == "debug":
  258.         debugs = pecore.get_debug(filename)
  259.         if debugs:
  260.             print "\nDirectory dump for " + directory.upper() + " raw data"
  261.             print "-"*60
  262.             print debugs
  263.     if directory == "tls":
  264.         tlss = pecore.get_tls(filename)
  265.         if tlss:
  266.             print "\nDirectory dump for " + directory.upper() + " raw data"
  267.             print "-"*60
  268.             print tlss
  269.     if directory == "relocation":
  270.         relocations = pecore.get_basereloc(filename)
  271.         if relocations:
  272.             print "\nDirectory dump for " + directory.upper() + " raw data"
  273.             print "-"*60
  274.             print relocations
  275.  
  276. def show_strings(filename):
  277.     strings = pecore.get_strings(filename)
  278.     if(strings):
  279.         for string in strings:
  280.             print string
  281.  
  282. def check_isfile(filename):
  283.     isfile = os.path.isfile(filename)
  284.     if not isfile:
  285.         print "File not found:", filename
  286.         sys.exit(0)
  287.     ispe = pecore.is_pe(filename)
  288.     if not ispe:
  289.         print "No PE file:", filename
  290.         sys.exit(0)
  291.  
  292. def autoanalysis(filename):
  293.     print "\nShort information"
  294.     print "-"*60
  295.     show_info(filename)
  296.     show_hash(filename)
  297.     check_packer(filename)
  298.     check_antidbg(filename)
  299.     check_antivm(filename)
  300.     show_directory(filename)
  301.  
  302.     show_packer(filename)
  303.     show_antidbg(filename)
  304.     show_antivm(filename)
  305.     show_suspicious(filename)
  306.     show_secsuspicious(filename)
  307.     show_fileurl(filename)
  308.     show_meta(filename)
  309.  
  310. #   show_sections(filename)
  311. #   show_imported_functions(filename)
  312. #   show_exported_functions(filename)
  313. #   show_dump(filename)
  314. #   show_strings(filename)
  315. #   show_resource_dump(filename, "resource")
  316.  
  317. def help():
  318.     print INFO
  319.     print
  320.     print "Usage"
  321.     print "".ljust(4), "peframe.py malware.exe"
  322.     print "".ljust(4), "peframe.py [--option] malware.exe"
  323.     print
  324.     print "Option"
  325.     print "".ljust(4), "--import".ljust(14), "Imported function and dll"
  326.     print "".ljust(4), "--export".ljust(14), "Exported function and dll"
  327.     print
  328.     print "".ljust(4), "--dir-import".ljust(14), "Import directory"
  329.     print "".ljust(4), "--dir-export".ljust(14), "Export directory"
  330.     print "".ljust(4), "--dir-resource".ljust(14), "Resource directory"
  331.     print "".ljust(4), "--dir-debug".ljust(14), "Debug directory"
  332.     print "".ljust(4), "--dir-tls".ljust(14), "TLS directory"
  333.     print "".ljust(4), "--dir-reloc".ljust(14), "Relocation directory"
  334.     print
  335.     print "".ljust(4), "--strings".ljust(14), "Get all strings"
  336.     print "".ljust(4), "--sections".ljust(14), "Sections information"
  337.     print "".ljust(4), "--dump".ljust(14), "Dump all information"
  338.  
  339.     sys.exit(0)
  340.  
  341. #______________________MAIN______________________
  342.  
  343. # Help
  344. if len(sys.argv) == 1 or len(sys.argv) > 3:
  345.     help()
  346.  
  347. # Auto Analysis
  348. if len(sys.argv) == 2:
  349.     filename = sys.argv[1]
  350.     check_isfile(filename)
  351.     autoanalysis(filename)
  352.  
  353. # Options
  354. if len(sys.argv) == 3:
  355.     option   = sys.argv[1]
  356.     filename = sys.argv[2]
  357.     check_isfile(filename)
  358.  
  359.     if option == "--info":
  360.         show_info(filename); sys.exit(0)
  361.     elif option == "--hash":
  362.         show_hash(filename); sys.exit(0)
  363.     elif option == "--peid":
  364.         show_packer(filename); sys.exit(0)     
  365.     elif option == "--antidbg":
  366.         show_antidbg(filename); sys.exit(0)
  367.     elif option == "--antivm":
  368.         show_antivm(filename); sys.exit(0)
  369.     elif option == "--suspicious":
  370.         show_suspicious(filename); sys.exit(0)
  371.     elif option == "--secsuspicious":
  372.         show_secsuspicious(filename); sys.exit(0)
  373.     elif option == "--fileurl":
  374.         show_fileurl(filename); sys.exit(0)
  375.     elif option == "--meta":
  376.         show_meta(filename); sys.exit(0)
  377.     elif option == "--import":
  378.         show_imported_functions(filename); sys.exit(0)
  379.     elif option == "--export":
  380.         show_exported_functions(filename); sys.exit(0)
  381.     elif option == "--dir-import":
  382.         show_resource_dump(filename, "import"); sys.exit(0)
  383.     elif option == "--dir-export":
  384.         show_resource_dump(filename, "export"); sys.exit(0)
  385.     elif option == "--dir-resource":
  386.         show_resource_dump(filename, "resource"); sys.exit(0)
  387.     elif option == "--dir-debug":
  388.         show_resource_dump(filename, "debug"); sys.exit(0)
  389.     elif option == "--dir-tls":
  390.         show_resource_dump(filename, "tls"); sys.exit(0)
  391.     elif option == "--dir-reloc":
  392.         show_resource_dump(filename, "relocation"); sys.exit(0)
  393.     elif option == "--strings":
  394.         show_strings(filename); sys.exit(0)
  395.     elif option == "--sections":
  396.         show_sections(filename); sys.exit(0)
  397.     elif option == "--dump":
  398.         show_dump(filename); sys.exit(0)
  399.     else:
  400.         help()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement