Advertisement
opexxx

imphash-gen.py

Jun 3rd, 2014
373
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.34 KB | None | 0 0
  1. #!/usr/bin/env python
  2. # -*- coding: iso-8859-1 -*-
  3. # -*- coding: utf-8 -*-
  4. #
  5. # ImpHash Generator
  6. # A Simple PE Import Hash Generator
  7. #
  8. # Florian Roth
  9. # February 2014
  10. # v0.1
  11.  
  12. import os
  13. import sys
  14. import argparse
  15. import traceback
  16. import pefile
  17. import shelve
  18. from hashlib import md5
  19.  
  20. def getFiles(dir, recursive):
  21.     # Recursive
  22.     if recursive:
  23.         for root, directories, files in os.walk (dir, followlinks=False):
  24.             for filename in files:
  25.                 filePath = os.path.join(root,filename)
  26.                 yield filePath
  27.     # Non recursive
  28.     else:
  29.         for filename in os.listdir(dir):
  30.             filePath = os.path.join(dir,filename)
  31.             yield filePath     
  32.  
  33. def createGoodImps(dir, recursive=False):
  34.     imps = []
  35.     for filePath in getFiles(dir, recursive):
  36.         # print filePath
  37.         try:
  38.             p = pefile.PE(filePath)
  39.             imphash = p.get_imphash()
  40.                
  41.             imps.append(imphash)
  42.             sys.stdout.write(".")
  43.            
  44.         except Exception, e:
  45.             # traceback.print_exc()
  46.             pass
  47.  
  48.     return imps
  49.            
  50. def getMd5(filePath):
  51.     md5sum = "-"
  52.     try:
  53.         f = open(filePath, 'rb')
  54.         filedata = f.read()
  55.         f.close()
  56.         # Generate md5
  57.         md5sum = md5(filedata).hexdigest()
  58.         return md5sum
  59.     except Exception, e:
  60.         print traceback.print_exc()
  61.         return "-"
  62.         pass
  63.     return md5sum
  64.            
  65. def parseDir(dir, goodimps, recursive ):
  66.    
  67.     imps = {}
  68.     implist = []
  69.    
  70.     for filePath in getFiles(dir, recursive):
  71.         # print filePath
  72.         try:
  73.             p = pefile.PE(filePath)
  74.             imphash = p.get_imphash()
  75.            
  76.             print "IMP: %s MD5: %s FILE: %s" % ( imphash, getMd5(filePath), filePath )
  77.            
  78.             if imphash in goodimps:
  79.                 print "GOOD IMPS - do not use -------------------------------------------"
  80.            
  81.             # If already known
  82.             if imphash in implist:
  83.                 # Check for imphash in list
  84.                 for file in imps:
  85.                     # print imps[file]," ",imphash
  86.                     if imps[file] == imphash:
  87.                         md5 = getMd5(file)
  88.                         print "   MATCH with MD5: %s FILE: %s" % ( md5, file )
  89.             else:          
  90.                 # Add to list
  91.                 # print "add"
  92.                 implist.append(imphash)
  93.                 # print implist
  94.                
  95.             imps[filePath] = imphash
  96.            
  97.         except Exception, e:
  98.             # traceback.print_exc()
  99.             pass
  100.    
  101.    
  102. def isAscii(b):
  103.     if ord(b)<127 and ord(b)>31 :
  104.         return 1
  105.     return 0
  106.  
  107. def printWelcome():
  108.     print "###############################################################################"
  109.     print " "
  110.     print "  IMPHASH Generator"
  111.     print "  by Florian Roth"
  112.     print "  January 2014"
  113.     print "  Version 0.6.1"
  114.     print " "
  115.     print "###############################################################################"                              
  116.  
  117. # MAIN ################################################################
  118. if __name__ == '__main__':
  119.    
  120.     # Parse Arguments
  121.     parser = argparse.ArgumentParser(description='ImpHash Generator')
  122.     parser.add_argument('-p', help='Path to scan', metavar='path-to-scan', required=True)
  123.     parser.add_argument('-d', help='Imphash Database File (default: goodimps.db)', metavar='dbfile', default="goodimps.db")
  124.     parser.add_argument('-r', action='store_true', default=False, help='recursive scan')   
  125.     parser.add_argument('--createdb', action='store_true', default=False, help='Create good imphashes database')
  126.     parser.add_argument('--updatedb', action='store_true', default=False, help='Update good imphashes database')
  127.     parser.add_argument('--debug', action='store_true', default=False, help='Debug output')
  128.    
  129.     args = parser.parse_args()
  130.    
  131.     # Print Welcome
  132.     printWelcome()
  133.    
  134.     # Create DB with good imphashes
  135.     if args.createdb and args.p:
  136.         imps = createGoodImps(args.p, args.r)
  137.        
  138.         goodimps_shelve = shelve.open(args.d)
  139.         goodimps_shelve["imps"] = imps
  140.         print "New DB item count: %s" % str(len(imps))
  141.         goodimps_shelve.sync()
  142.         goodimps_shelve.close()
  143.  
  144.     # Update DB with good imphashes
  145.     if args.updatedb and args.p:
  146.         imps = createGoodImps(args.p, args.r)
  147.        
  148.         goodimps_shelve = shelve.open(args.d)
  149.         old_imps = goodimps_shelve["imps"]
  150.         print "Old DB item count: %s" % str(len(old_imps))
  151.        
  152.         new_imps = old_imps + imps
  153.        
  154.         goodimps_shelve["imps"] = new_imps
  155.         print "New DB item count: %s" % str(len(new_imps))
  156.        
  157.         goodimps_shelve.sync()
  158.         goodimps_shelve.close()
  159.        
  160.     # Create useful Import hashes
  161.     else:  
  162.         # Read Good Imps
  163.         goodimps_shelve = shelve.open(args.d)
  164.         goodimps = goodimps_shelve["imps"]
  165.        
  166.         print "Reading DB: %s imphashes found" % str(len(goodimps))
  167.  
  168.         # Parse Directory
  169.         parseDir(args.p, goodimps, args.r)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement