A Python application for analysing Portable Executable (PE) files
RST PE-Analyzer is a simple Python application, built on a few libraries, that simplifies the analysis of a portable executable by pulling the basic information out of it: hashes, header fields, signature status, section layout, imports and exports. An example of the application's output:
	RST PE-Analyzer
firefox.exe
Size:  275568 bytes
MD5:  93e28799430480cce0ab3d961e5312ad
DLL:  False
EXE:  True
Driver:  False
Machine:  0x14c (0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 )
OEP:  0x2478
Compile time:  2013-12-05 19:22:27
Digital Signature:  Yes

C:\Python27\firefox.exe:
	Verified:	Signed
	Signing date:	9:34 PM 12/5/2013
	Publisher:	Mozilla Corporation
	Description:	Firefox
	Product:	Firefox
	Prod version:	26.0
	File version:	26.0
	MachineType:	32-bit
	Binary Version:	26.0.0.5087
	Original Name:	firefox.exe
	Internal Name:	Firefox
	Copyright:	©Firefox and Mozilla Developers; available under the MPL 2 license.
	Comments:
	VT detection:	0/48
	VT link:	https://www.virustotal.com/file/0c722b9aaf4f2ee3265f92f1498c6b64fffbb3e37d2136fae8584dcd7d23c06d/analysis/

Sigcheck v2.01 - File version and signature viewer
Copyright (C) 2004-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

Packed:  True  (Entropy score decision)
PEiD Signature:  None
Sections:
	.text 0x1000 0x1a7a 7168
	.rdata 0x3000 0xfb4 4096
	.data 0x4000 0x4bc 512
	.rsrc 0x5000 0x3d9c8 252416
	.reloc 0x43000 0x644 2048
Imported:
	KERNEL32.dll
		0x403000 SetEnvironmentVariableW
		0x403004 ExpandEnvironmentStringsW
		0x403008 GetEnvironmentVariableW
		0x40300c GetModuleFileNameW
		0x403010 MultiByteToWideChar
		0x403014 GetTickCount
		0x403018 GetProcAddress
		0x40301c GetModuleHandleW
		0x403020 QueryPerformanceFrequency
		0x403024 GetFileAttributesW
		0x403028 WideCharToMultiByte
		0x40302c GetProcessIoCounters
		0x403030 GetCurrentProcess
		0x403034 SetDllDirectoryW
		0x403038 UnhandledExceptionFilter
		0x40303c TerminateProcess
		0x403040 GetCurrentProcessId
		0x403044 GetCurrentThreadId
		0x403048 QueryPerformanceCounter
		0x40304c DecodePointer
		0x403050 SetUnhandledExceptionFilter
		0x403054 EncodePointer
		0x403058 HeapSetInformation
		0x40305c InterlockedCompareExchange
		0x403060 Sleep
		0x403064 InterlockedExchange
		0x403068 IsDebuggerPresent
		0x40306c CreateFileW
		0x403070 CloseHandle
		0x403074 SetFilePointerEx
		0x403078 ReadFile
		0x40307c FreeLibrary
		0x403080 LoadLibraryExW
		0x403084 GetLastError
		0x403088 GetSystemTimeAsFileTime
	USER32.dll
		0x403138 MessageBoxW
	MSVCR100.dll
		0x403090 __wgetmainargs
		0x403094 _cexit
		0x403098 _exit
		0x40309c _XcptFilter
		0x4030a0 _amsg_exit
		0x4030a4 __winitenv
		0x4030a8 _initterm
		0x4030ac _initterm_e
		0x4030b0 _configthreadlocale
		0x4030b4 __setusermatherr
		0x4030b8 _commode
		0x4030bc _fmode
		0x4030c0 __set_app_type
		0x4030c4 _vsnprintf_s
		0x4030c8 ?terminate@@YAXXZ
		0x4030cc _unlock
		0x4030d0 __dllonexit
		0x4030d4 _lock
		0x4030d8 _onexit
		0x4030dc _except_handler4_common
		0x4030e0 _invoke_watson
		0x4030e4 _controlfp_s
		0x4030e8 _crt_debugger_hook
		0x4030ec memset
		0x4030f0 memcpy
		0x4030f4 strcat
		0x4030f8 fgets
		0x4030fc strlen
		0x403100 ??3@YAXPAX@Z
		0x403104 fclose
		0x403108 _wfopen
		0x40310c ??2@YAPAXI@Z
		0x403110 strcpy
		0x403114 getenv
		0x403118 _snprintf
		0x40311c _stricmp
		0x403120 wcslen
		0x403124 ??_V@YAXPAX@Z
		0x403128 strrchr
		0x40312c exit
		0x403130 _putenv
Exported:
	PE instance has no attribute 'DIRECTORY_ENTRY_EXPORT'
Minimum requirements
1. Python 2.7
2. http://code.google.com/p/pefile/
3. UserDB.TXT https://code.google.com/p/reverse-en…ame=UserDB.TXT
4. sigcheck.exe
5. an internet connection, so the hash can be checked on VirusTotal
# the files UserDB.TXT and sigcheck.exe must be placed in the same directory as the script
How do you save the output to a file?
python Script.py PEfile >save.txt
Source code
import sys
import os
import hashlib
import re
import subprocess
import time
import pefile
import peutils

print "\tRST PE-Analyzer https://rstforums.com"

# PEiD-style signature database; must sit next to the script
try:
    signatures = peutils.SignatureDatabase('UserDB.TXT')
except:
    print "Lipseste fisierul cu semnaturi: UserDB.TXT"
    sys.exit()

if len(sys.argv) != 2:
    print """ Utilizare: python Script.py executabil"""
    sys.exit()
else:
    try:
        pe = pefile.PE(sys.argv[1])
    except Exception, e:
        print e
        sys.exit(1)  # nothing below can run without a parsed PE


def hashfile(afile, blocksize=65536):
    # MD5 of the whole file, read in blocks so large binaries need not fit in memory
    temp = hashlib.md5()
    with open(afile, "rb") as handle:
        while True:
            data = handle.read(blocksize)
            if not data:
                break
            temp.update(data)
    return temp.hexdigest()

print str(sys.argv[1])
print "Size: ", os.path.getsize(sys.argv[1]), "bytes"
print "MD5: ", hashfile(sys.argv[1])
print "DLL: ", pe.is_dll()
print "EXE: ", pe.is_exe()
print "Driver: ", pe.is_driver()
print "Machine: ", hex(pe.FILE_HEADER.Machine), "(0x014c =I386, 0x0200 = IA64, 0x8664 = AMD64 )"
print "OEP: ", hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
epoch = pe.FILE_HEADER.TimeDateStamp
print "Compile time: ", time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(epoch))

# A non-zero security directory means an Authenticode blob is attached to the file
ds = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
print "Digital Signature: ", "No" if ds == 0 else "Yes"

# sigcheck runs for every file (it also supplies the VirusTotal result);
# wrap this block in "if ds != 0:" to run it only for signed files
try:
    cmnd = os.getcwd() + "\\" + "sigcheck.exe -a -vt " + str(sys.argv[1])
    p = subprocess.Popen(cmnd, stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
    (stdout, stderr) = p.communicate()
    print stdout
    print stderr
except Exception, e:
    print e

print "Packed: ", peutils.is_probably_packed(pe), " (Entropy score decision)"
matches = signatures.match_all(pe, ep_only=True)
print "PEiD Signature: ", matches

print "Sections: "
for section in pe.sections:
    print "\t", section.Name.strip("\x00"), hex(section.VirtualAddress), hex(section.Misc_VirtualSize), section.SizeOfRawData

print "Imported: "
pe.parse_data_directories()
# files without an import table have no DIRECTORY_ENTRY_IMPORT attribute at all
for entry in getattr(pe, 'DIRECTORY_ENTRY_IMPORT', []):
    print "\t", entry.dll
    for imp in entry.imports:
        print '\t\t', hex(imp.address), imp.name

print "Exported: "
try:
    for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
        print "\t", hex(pe.OPTIONAL_HEADER.ImageBase + exp.address), exp.name, exp.ordinal
except Exception, e:
    print "\t", e
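To show where the values the script prints actually come from in the file format, here is an added example (not part of the original post and not the RST PE-Analyzer code) that reads the same header fields by hand with struct instead of pefile: the MZ/PE signatures, COFF Machine, TimeDateStamp and Characteristics, the entry point and image base, the security data directory that the script tests as "ds", and the section table with a per-section Shannon entropy. The packing rule is a simplified stand-in for peutils.is_probably_packed, not its exact decision, and the PE image it analyses is a constructed, non-runnable two-section sample built inside the block.

```python
"""Added example: the PE fields RST PE-Analyzer prints, read by hand with struct
instead of pefile, plus a section-entropy packing heuristic (Python 3)."""
import hashlib
import math
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "I386", 0x0200: "IA64", 0x8664: "AMD64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = float(len(data))
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Walk DOS header -> "PE\\0\\0" -> COFF header -> optional header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]            # offset of the PE signature
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    entry_point = struct.unpack_from("<I", blob, opt + 16)[0]     # AddressOfEntryPoint (RVA), the "OEP"
    if magic == 0x10B:                                            # PE32
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
        datadir = opt + 96
    elif magic == 0x20B:                                          # PE32+
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
        datadir = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Non-zero security directory == a signature blob is attached (the script's "ds" test)
    sec_rva = struct.unpack_from("<I", blob, datadir + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    is_dll = bool(characteristics & IMAGE_FILE_DLL)
    return {"md5": hashlib.md5(blob).hexdigest(),
            "machine": MACHINE_NAMES.get(machine, hex(machine)),
            "entry_point": entry_point, "image_base": image_base,
            "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "is_dll": is_dll,
            "is_exe": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE) and not is_dll,
            "signed": sec_rva != 0, "sections": sections}


def is_probably_packed(info, threshold=7.0):
    """Simplified stand-in for peutils.is_probably_packed (assumption, not its exact rule):
    flag the file when any section with raw data is near-uniform random."""
    return any(s["entropy"] > threshold for s in info["sections"] if s["raw_size"])


def build_sample_pe():
    """Constructed, non-runnable PE32 image: a low-entropy .text section and a
    high-entropy .packed section, so the packing heuristic fires."""
    text = b"\x90" * 2000 + b"\xc3" * 48                                  # filler: NOPs and RETs
    blob = b"".join(hashlib.sha256(b"sample-%d" % i).digest() for i in range(128))  # 4096 pseudo-random bytes
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 1386271347, 0, 0, 224,
                       IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)               # I386, 2 sections, 32-bit machine
    opt = struct.pack("<HBBIIIIIII", 0x10B, 10, 0, len(text), len(blob), 0,
                      0x1000, 0x1000, 0x2000, 0x400000).ljust(224, b"\0")  # entry 0x1000, base 0x400000
    sect = struct.pack("<8sIIIIIIHHI", b".text", 2032, 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b".packed", len(blob), 0x2000, len(blob), 0x200 + len(text), 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    return headers + text + blob


def report(blob):
    """Text report laid out like the analyzer's own output."""
    info = parse_pe(blob)
    lines = ["MD5: %s" % info["md5"], "DLL: %s" % info["is_dll"], "EXE: %s" % info["is_exe"],
             "Machine: %s" % info["machine"], "OEP: %#x" % info["entry_point"],
             "Compile time: %s" % info["compile_time"],
             "Digital Signature: %s" % ("Yes" if info["signed"] else "No"),
             "Packed: %s (Entropy score decision)" % is_probably_packed(info), "Sections:"]
    for s in info["sections"]:
        lines.append("\t%-8s %#x %#x %d entropy=%.2f" % (s["name"], s["virtual_address"],
                                                         s["virtual_size"], s["raw_size"], s["entropy"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_pe()))
```

Running the block prints a report for the constructed sample; pass the bytes of a real file to `report()` to compare its output with the script's. The entropy column is the point of the exercise: compressed or encrypted sections sit close to 8 bits per byte, while ordinary code and data stay well below, which is the signal behind the script's "Packed (Entropy score decision)" line.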
More details here.