opexxx

pehash.py

Feb 4th, 2014
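  #!/usr/bin/python
  """Compute a peHash-style structural fingerprint for one PE file.

  Usage: pehash.py FILE

  The digest is SHA-1 over bits taken from the file header, the optional
  header and each section header, plus a bz2 compression ratio per section.
  Only those inputs feed the digest, so distinct files can share a value:
  use it to group samples for triage, not as a unique file identity.

  NOTE(review): several bit selections below do not match the comments the
  script originally carried (7-bit slices where 8 bits are described, byte
  padding where 16-bit padding is described). They are kept exactly as
  written, because changing any of them changes every digest this script
  produces and breaks comparison with values computed earlier.
  """
  from __future__ import division

  import sys
  import pefile
  import bitstring
  import string
  import bz2
  import hashlib


  def _hex_bits(value):
      """Return hex(value) as a BitArray rounded up to whole bytes.

      tobytes() pads with zero bits on the right, so 0x102 (12 bits) becomes
      0x1020 (16 bits), and a value below 0x100 stays only 8 bits wide.
      """
      return bitstring.BitArray(bytes=bitstring.BitArray(hex(value)).tobytes())


  def _left_padded_32(bits):
      """Return *bits* left-padded with zero bits to at least 32 bits."""
      return bitstring.BitArray(bin=bits.bin.zfill(32))


  def _commit_size_bits(value):
      """Fold a stack/heap commit size into one byte-padded BitArray."""
      bits = _left_padded_32(bitstring.BitArray(hex(value)))
      # Each slice is 7 bits wide (end index exclusive); tobytes() then pads
      # the 7-bit XOR result on the right to 8 bits.
      folded = bits[8:15] ^ bits[16:23] ^ bits[24:31]
      return bitstring.BitArray(bytes=folded.tobytes())


  if len(sys.argv) < 2:
      # argv[0] is the script name, so a missing FILE argument means
      # len(argv) == 1. The original tested "< 1" (never true) and called an
      # undefined `parser`.
      sys.exit("no files specified")

  try:
      exe = pefile.PE(sys.argv[1])

      # Image characteristics: XOR of two 7-bit slices starts the bit string.
      img_chars = _hex_bits(exe.FILE_HEADER.Characteristics)
      pehash_bin = bitstring.BitArray(img_chars[0:7] ^ img_chars[8:15])

      # NOTE(review): the original comment called this "subsystem", but the
      # field read is FILE_HEADER.Machine.
      sub_chars = _hex_bits(exe.FILE_HEADER.Machine)
      pehash_bin.append(sub_chars[0:7] ^ sub_chars[8:15])

      # Stack commit size, then heap commit size.
      pehash_bin.append(_commit_size_bits(exe.OPTIONAL_HEADER.SizeOfStackCommit))
      pehash_bin.append(_commit_size_bits(exe.OPTIONAL_HEADER.SizeOfHeapCommit))

      # Serialise the file once instead of once per section; nothing in the
      # loop modifies `exe`.
      image = exe.write()

      for section in exe.sections:
          # Virtual address: appended whole, byte-padded.
          pehash_bin.append(_hex_bits(section.VirtualAddress))

          # Raw size: byte-padded, left-padded to 32 bits, then bits 8..30.
          sect_rs = _left_padded_32(_hex_bits(section.SizeOfRawData))
          pehash_bin.append(sect_rs[8:31])

          # Section characteristics: XOR of two 7-bit slices.
          sect_chars = _hex_bits(section.Characteristics)
          pehash_bin.append(sect_chars[16:23] ^ sect_chars[24:31])

          # Compression ratio ("entropy") term.
          address = section.VirtualAddress
          size = section.SizeOfRawData
          if size == 0:
              # Empty section: use a fixed ratio of 1.
              kolmog = bitstring.BitArray(float=1, length=32)
              pehash_bin.append(kolmog[0:7])
              continue
          # NOTE(review): this compresses everything in the serialised file
          # from offset VirtualAddress + SizeOfRawData to the end.
          # VirtualAddress is an RVA, not a file offset, so these are not the
          # section's own bytes. Looks unintended; kept as-is because a
          # different slice would change the digest of every file.
          raw = image[address + size:]
          k = len(bz2.compress(raw)) / size
          # Only the top 7 bits of the 32-bit float (sign and high exponent
          # bits) are kept.
          kolmog = bitstring.BitArray(float=k, length=32)
          pehash_bin.append(kolmog[0:7])

      # SHA-1 serves as a compact fingerprint of the bit string here, not as
      # an integrity check on the file.
      m = hashlib.sha1()
      m.update(pehash_bin.tobytes())
      print(m.hexdigest())

  except pefile.PEFormatError:
      # pefile could not parse the input as a PE image.
      print("ERROR not PE")
  except Exception as err:
      # Anything else (unreadable path, an XOR over slices of unequal length
      # for unusually small header values, ...) is a failure of this script,
      # not proof that the input is not a PE. The original bare `except`
      # reported all of these as "not PE", which silently drops such samples
      # from any clustering built on this output.
      sys.stderr.write("ERROR pehash failed: %s: %s\n" % (type(err).__name__, err))
      sys.exit(1)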