Islem BOUZENIA islem-esi
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| pip install pefile |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| pip install yara-python |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import yara | |
| #Path to the folder containing downloaded files in the first part | |
| rules_path = 'path/to/the/folder/containing/downloaded/rules' | |
| #Read files | |
| peid_rules = yara.compile(rules_path + 'peid.yar') | |
| packer_rules = yara.compile(rules_path + 'packer.yar') | |
| crypto_rules = yara.compile(rules_path + 'crypto.yar') |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #first, let's define the list of packers/cryptors we want to detect | |
| packers = ['AHTeam', 'Armadillo', 'Stelth', 'yodas', 'ASProtect', 'ACProtect', 'PEnguinCrypt', | |
| 'UPX', 'Safeguard', 'VMProtect', 'Vprotect', 'WinLicense', 'Themida', 'WinZip', 'WWPACK', | |
| 'Y0da', 'Pepack', 'Upack', 'TSULoader' | |
| 'SVKP', 'Simple', 'StarForce', 'SeauSFX', 'RPCrypt', 'Ramnit', | |
| 'RLPack', 'ProCrypt', 'Petite', 'PEShield', 'Perplex', | |
| 'PELock', 'PECompact', 'PEBundle', 'RLPack', 'NsPack', 'Neolite', | |
| 'Mpress', 'MEW', 'MaskPE', 'ImpRec', 'kkrunchy', 'Gentee', 'FSG', 'Epack', | |
| 'DAStub', 'Crunch', 'CCG', 'Boomerang', 'ASPAck', 'Obsidium','Ciphator', | |
| 'Phoenix', 'Thoreador', 'QinYingShieldLicense', 'Stones', 'CrypKey', 'VPacker', |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #don't forget this | |
| import pefile | |
| #first, let's get the list of sections names used by packers/cryptors | |
| packers_sections = { | |
| #The packer/protector/tools section names/keywords | |
| '.aspack': 'Aspack packer', | |
| '.adata': 'Aspack packer/Armadillo packer', | |
| 'ASPack': 'Aspack packer', | |
| '.ASPack': 'ASPAck Protector', |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| pip install pefile | |
| pip install capstone |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from capstone import * | |
| from capstone.x86 import * | |
| import pefile |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #the function takes two arguments, both are fetched from the exe file using | |
| #pefile. the first one is the list of all sections. The second one is the | |
| #address of the first instruction in the program | |
| def get_main_code_section(sections, base_of_code): | |
| addresses = [] | |
| #get addresses of all sections | |
| for section in sections: | |
| addresses.append(section.VirtualAddress) | |
| #if the address of section corresponds to the first instruction then |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def fine_disassemble(exe): | |
| #get main code section | |
| main_code = get_main_code_section(exe.sections, exe.OPTIONAL_HEADER.BaseOfCode) | |
| #define architecutre of the machine | |
| md = Cs(CS_ARCH_X86, CS_MODE_32) | |
| md.detail = True | |
| last_address = 0 | |
| last_size = 0 | |
| #Beginning of code section | |
| begin = main_code.PointerToRawData |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| exe_file_path = 'path/to/exe/file' | |
| try: | |
| #parse exe file | |
| exe = pefile.PE(exe_file_path) | |
| try: | |
| #call the function we created earlier | |
| fine_disassemble(exe) | |
| except: | |
| print('something is wrong with this exe file') |
OlderNewer