pehash.py

1. #!/usr/bin/python
2. from __future__ import division
3.  
4. import sys
5. import pefile
6. import bitstring
7. import string
8. import bz2
9. import hashlib
10.  
11. if len(sys.argv) < 1:
12.     parser.error("no files specified")
13. try:
14.     exe = pefile.PE(sys.argv[1])
15.  
16.     #image characteristics
17.     img_chars = bitstring.BitArray(hex(exe.FILE_HEADER.Characteristics))
18.     #pad to 16 bits
19.     img_chars = bitstring.BitArray(bytes=img_chars.tobytes())
20.     img_chars_xor = img_chars[0:7] ^ img_chars[8:15]
21.  
22.     #start to build pehash
23.     pehash_bin = bitstring.BitArray(img_chars_xor)
24.  
25.     #subsystem -
26.     sub_chars = bitstring.BitArray(hex(exe.FILE_HEADER.Machine))
27.     #pad to 16 bits
28.     sub_chars = bitstring.BitArray(bytes=sub_chars.tobytes())
29.     sub_chars_xor = sub_chars[0:7] ^ sub_chars[8:15]
30.     pehash_bin.append(sub_chars_xor)
31.  
32.     #Stack Commit Size
33.     stk_size = bitstring.BitArray(hex(exe.OPTIONAL_HEADER.SizeOfStackCommit))
34.     stk_size_bits = string.zfill(stk_size.bin, 32)
35.     #now xor the bits
36.     stk_size = bitstring.BitArray(bin=stk_size_bits)
37.     stk_size_xor = stk_size[8:15] ^ stk_size[16:23] ^ stk_size[24:31]
38.     #pad to 8 bits
39.     stk_size_xor = bitstring.BitArray(bytes=stk_size_xor.tobytes())
40.     pehash_bin.append(stk_size_xor)
41.  
42.     #Heap Commit Size
43.     hp_size = bitstring.BitArray(hex(exe.OPTIONAL_HEADER.SizeOfHeapCommit))
44.     hp_size_bits = string.zfill(hp_size.bin, 32)
45.     #now xor the bits
46.     hp_size = bitstring.BitArray(bin=hp_size_bits)
47.     hp_size_xor = hp_size[8:15] ^ hp_size[16:23] ^ hp_size[24:31]
48.     #pad to 8 bits
49.     hp_size_xor = bitstring.BitArray(bytes=hp_size_xor.tobytes())
50.     pehash_bin.append(hp_size_xor)
51.  
52.     #Section chars
53.     for section in exe.sections:
54.         #virutal address
55.         sect_va =  bitstring.BitArray(hex(section.VirtualAddress))
56.         sect_va = bitstring.BitArray(bytes=sect_va.tobytes())
57.         pehash_bin.append(sect_va)    
58.  
59.         #rawsize
60.         sect_rs =  bitstring.BitArray(hex(section.SizeOfRawData))
61.         sect_rs = bitstring.BitArray(bytes=sect_rs.tobytes())
62.         sect_rs_bits = string.zfill(sect_rs.bin, 32)
63.         sect_rs = bitstring.BitArray(bin=sect_rs_bits)
64.         sect_rs = bitstring.BitArray(bytes=sect_rs.tobytes())
65.         sect_rs_bits = sect_rs[8:31]
66.         pehash_bin.append(sect_rs_bits)
67.  
68.         #section chars
69.         sect_chars =  bitstring.BitArray(hex(section.Characteristics))
70.         sect_chars = bitstring.BitArray(bytes=sect_chars.tobytes())
71.         sect_chars_xor = sect_chars[16:23] ^ sect_chars[24:31]
72.         pehash_bin.append(sect_chars_xor)
73.  
74.         #entropy calulation
75.         address = section.VirtualAddress
76.         size = section.SizeOfRawData
77.         raw = exe.write()[address+size:]
78.         if size == 0:
79.             kolmog = bitstring.BitArray(float=1, length=32)
80.             pehash_bin.append(kolmog[0:7])
81.             continue
82.         bz2_raw = bz2.compress(raw)
83.         bz2_size = len(bz2_raw)
84.         #k = round(bz2_size / size, 5)
85.         k = bz2_size / size
86.         kolmog = bitstring.BitArray(float=k, length=32)
87.         pehash_bin.append(kolmog[0:7])
88.  
89.     m = hashlib.sha1()
90.     m.update(pehash_bin.tobytes())
91.     print m.hexdigest()
92.  
93. except:
94.     print "ERROR not PE"