Last active
September 12, 2018 03:22
-
-
Save joenorton8014/8132a94543c841c893f99e58c928eef0 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import pefile | |
| # Inspriation from here - https://malwology.com/2018/08/24/python-for-malware-analysis-getting-started/ | |
| # Dictionary of packer sections and descriptions. | |
| # Taken from here: http://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ | |
| packer_dict = {".aspack":"Aspack packer", \ | |
| ".adata":"Aspack packer/Armadillo packer", \ | |
| "ASPack":"Aspack packer", \ | |
| ".ASPack":"ASPAck Protector", \ | |
| ".boom":"The Boomerang List Builder (config+exe xored with a single byte key 0x77)", \ | |
| ".ccg":"CCG Packer (Chinese Packer)", \ | |
| ".charmve":"Added by the PIN tool", \ | |
| "BitArts":"Crunch 2.0 Packer", \ | |
| "DAStub":"DAStub Dragon Armor protector", \ | |
| "!EPack":"Epack packer", \ | |
| "FSG!":"FSG packer (not a section name, but a good identifier)", \ | |
| ".gentee":"Gentee installer", \ | |
| "kkrunchy":"kkrunchy Packer", \ | |
| ".mackt":"ImpRec-created section", \ | |
| ".MaskPE":"MaskPE Packer", \ | |
| "MEW":"MEW packer", \ | |
| ".MPRESS1":"Mpress Packer", \ | |
| ".MPRESS2":"Mpress Packer", \ | |
| ".neolite":"Neolite Packer", \ | |
| ".neolit":"Neolite Packer", \ | |
| ".nsp1":"NsPack packer", \ | |
| ".nsp0":"NsPack packer", \ | |
| ".nsp2":"NsPack packer", \ | |
| "nsp1":"NsPack packer", \ | |
| "nsp0":"NsPack packer", \ | |
| "nsp2":"NsPack packer", \ | |
| ".packed":"RLPack Packer (first section)", \ | |
| "pebundle":"PEBundle Packer", \ | |
| "PEBundle":"PEBundle Packer", \ | |
| "PEC2TO":"PECompact packer", \ | |
| "PECompact2":"PECompact packer (not a section name, but a good identifier)", \ | |
| "PEC2":"PECompact packer", \ | |
| "pec1":"PECompact packer", \ | |
| "pec2":"PECompact packer", \ | |
| "PEC2MO":"PECompact packer", \ | |
| "PELOCKnt":"PELock Protector", \ | |
| ".perplex":"Perplex PE-Protector", \ | |
| "PESHiELD":"PEShield Packer", \ | |
| ".petite":"Petite Packer", \ | |
| ".pinclie":"Added by the PIN tool", \ | |
| "ProCrypt":"ProCrypt Packer", \ | |
| ".RLPack":"RLPack Packer (second section)", \ | |
| ".rmnet":"Ramnit virus marker", \ | |
| "RCryptor":"RPCrypt Packer", \ | |
| ".RPCrypt":"RPCrypt Packer", \ | |
| ".seau":"SeauSFX Packer", \ | |
| ".sforce3":"StarForce Protection", \ | |
| ".spack":"Simple Pack (by bagie)", \ | |
| ".svkp":"SVKP packer", \ | |
| "Themida":"Themida Packer", \ | |
| ".Themida":"Themida Packer", \ | |
| ".taz":"Some version os PESpin", \ | |
| ".tsuarch":"TSULoader", \ | |
| ".tsustub":"TSULoader", \ | |
| ".packed":"Unknown Packer", \ | |
| "PEPACK!!":"Pepack", \ | |
| ".Upack":"Upack packer", \ | |
| ".ByDwing":"Upack Packer", \ | |
| "UPX0":"UPX packer", \ | |
| "UPX1":"UPX packer", \ | |
| "UPX2":"UPX packer", \ | |
| "UPX!":"UPX packer", \ | |
| ".UPX0":"UPX Packer", \ | |
| ".UPX1":"UPX Packer", \ | |
| ".UPX2":"UPX Packer", \ | |
| ".vmp0":"VMProtect packer", \ | |
| ".vmp1":"VMProtect packer", \ | |
| ".vmp2":"VMProtect packer", \ | |
| "VProtect":"Vprotect Packer", \ | |
| ".winapi":"Added by API Override tool", \ | |
| "WinLicen":"WinLicense (Themida) Protector", \ | |
| "_winzip_":"WinZip Self-Extractor", \ | |
| ".WWPACK":"WWPACK Packer", \ | |
| ".yP":"Y0da Protector", \ | |
| ".y0da":"Y0da Protector"} | |
| common_sections_dict = {".00cfg":"Control Flow Guard CFG section added by newer versions of Visual Studio", \ | |
| ".apiset":"a section present inside the apisetschema.dll", \ | |
| ".arch":"Alpha-architecture section", \ | |
| ".autoload_text":"cygwin/gcc; the Cygwin DLL uses a section to avoid copying certain data on fork.", \ | |
| ".bindat":"Binary data also used by one of the downware installers based on LUA", \ | |
| ".bootdat":"section that can be found inside Visual Studio files; contains palette entries", \ | |
| ".bss":"Uninitialized Data Section", \ | |
| ".BSS":"Uninitialized Data Section", \ | |
| ".buildid":"gcc/cygwin; Contains debug information if overlaps with debug directory", \ | |
| ".CLR_UEF":".CLR Unhandled Exception Handler section; see https://github.com/dotnet/coreclr/blob/master/src/vm/excep.h", \ | |
| ".code":"Code Section", \ | |
| ".cormeta":".CLR Metadata Section", \ | |
| ".complua":"Binary data, most likely compiled LUA also used by one of the downware installers based on LUA", \ | |
| ".CRT":"Initialized Data Section C RunTime", \ | |
| ".cygwin_dll_common":"cygwin section containing flags representing Cygwin’s capabilities; refer to cygwin.sc and wincap.cc inside Cygwin run-time", \ | |
| ".data":"Data Section", \ | |
| ".DATA":"Data Section", \ | |
| ".data1":"Data Section", \ | |
| ".data2":"Data Section", \ | |
| ".data3":"Data Section", \ | |
| ".debug":"Debug info Section", \ | |
| ".debug$F":"Debug info Section Visual C++ version <7.0", \ | |
| ".debug$P":"Debug info Section Visual C++ debug information precompiled information", \ | |
| ".debug$S":"Debug info Section Visual C++ debug information symbolic information", \ | |
| ".debug$T":"Debug info Section Visual C++ debug information type information", \ | |
| ".drectve ":"directive section temporary, linker removes it after processing it; should not appear in a final PE image", \ | |
| ".didat":"Delay Import Section", \ | |
| ".didata":"Delay Import Section", \ | |
| ".edata":"Export Data Section", \ | |
| ".eh_fram":"gcc/cygwin; Exception Handler Frame section", \ | |
| ".export":"Alternative Export Data Section", \ | |
| ".fasm":"FASM flat Section", \ | |
| ".flat":"FASM flat Section", \ | |
| ".gfids":"section added by new Visual Studio 14.0; purpose unknown", \ | |
| ".giats":"section added by new Visual Studio 14.0; purpose unknown", \ | |
| ".gljmp":"section added by new Visual Studio 14.0; purpose unknown", \ | |
| ".glue_7t":"ARMv7 core glue functions thumb mode", \ | |
| ".glue_7":"ARMv7 core glue functions 32-bit ARM mode", \ | |
| ".idata":"Initialized Data Section Borland", \ | |
| ".idlsym":"IDL Attributes registered SEH", \ | |
| ".impdata":"Alternative Import data section", \ | |
| ".itext":"Code Section Borland", \ | |
| ".ndata":"Nullsoft Installer section", \ | |
| ".orpc":"Code section inside rpcrt4.dll", \ | |
| ".pdata":"Exception Handling Functions Section PDATA records", \ | |
| ".rdata":"Read-only initialized Data Section MS and Borland", \ | |
| ".reloc":"Relocations Section", \ | |
| ".rodata":"Read-only Data Section", \ | |
| ".rsrc":"Resource section", \ | |
| ".sbss":"GP-relative Uninitialized Data Section", \ | |
| ".script":"Section containing script", \ | |
| ".shared":"Shared section", \ | |
| ".sdata":"GP-relative Initialized Data Section", \ | |
| ".srdata":"GP-relative Read-only Data Section", \ | |
| ".stab":"Created by Haskell compiler GHC", \ | |
| ".stabstr":"Created by Haskell compiler GHC", \ | |
| ".sxdata":"Registered Exception Handlers Section", \ | |
| ".text":"Code Section", \ | |
| ".text0":"Alternative Code Section", \ | |
| ".text1":"Alternative Code Section", \ | |
| ".text2":"Alternative Code Section", \ | |
| ".text3":"Alternative Code Section", \ | |
| ".textbss":"Section used by incremental linking", \ | |
| ".tls":"Thread Local Storage Section", \ | |
| ".tls$":"Thread Local Storage Section", \ | |
| ".udata":"Uninitialized Data Section", \ | |
| ".vsdata":"GP-relative Initialized Data", \ | |
| ".xdata":"Exception Information Section", \ | |
| ".wixburn":"Wix section; see https://github.com/wixtoolset/wix3/blob/develop/src/burn/stub/StubSection.cpp", \ | |
| ".wpp_sf ":"section that is most likely related to WPP Windows software trace PreProcessor; not sure how it is used though; the code inside the section is just a bunch of routines that call FastWppTraceMessage that in turn calls EtwTraceMessage", \ | |
| "BSS":"Uninitialized Data Section Borland", \ | |
| "CODE":"Code Section Borland", \ | |
| "DATA":"Data Section Borland", \ | |
| "DGROUP":"Legacy data group section", \ | |
| "edata":"Export Data Section", \ | |
| "idata":"Initialized Data Section C RunTime", \ | |
| "INIT":"INIT section drivers", \ | |
| "minATL":"Section that can be found inside some ARM PE files; purpose unknown; .exe files on Windows 10 also include this section as well; its purpose is unknown, but it contains references to ___pobjectentryfirst,___pobjectentrymid,___pobjectentrylast pointers used by Microsoft::WRL::Details::ModuleBase::… methods described e.g. here, and also referenced by .pdb symbols; so, looks like it is being used internally by Windows Runtime C++ Template Library WRL which is a successor of Active Template Library ATL; further research needed", \ | |
| "PAGE":"PAGE section drivers", \ | |
| "rdata":"Read-only Data Section", \ | |
| "sdata":"Initialized Data Section", \ | |
| "shared":"Shared section", \ | |
| "Shared":"Shared section", \ | |
| "testdata":"section containing test data can be found inside Visual Studio files", \ | |
| "text":"Alternative Code Section"} | |
| file = pefile.PE("/root/Documents/Malware/day4/brbbot.exe") | |
| print('######################################################################') | |
| print('EXE or DLL?') | |
| print('######################################################################') | |
| # Check if file is exe or dll: | |
| data_is_file_exe = file.is_exe() | |
| print("Is file exe?: " + str(data_is_file_exe)) | |
| data_is_file_dll = file.is_dll() | |
| print("Is file dll? : " + str(data_is_file_dll)) | |
| print('\n\n\n') | |
| print('######################################################################') | |
| print('DLLs Called') | |
| print('######################################################################') | |
| # Print DLLs called: | |
| for item in file.DIRECTORY_ENTRY_IMPORT: | |
| print(item.dll) | |
| print('\n\n\n') | |
| print('######################################################################') | |
| print('Import Address Table') | |
| print('######################################################################') | |
| print('=========================================================') | |
| print('ImpHash: ' + str(file.get_imphash())) | |
| print('=========================================================') | |
| for item in file.DIRECTORY_ENTRY_IMPORT: | |
| print('=========================================================') | |
| print('DLL Name: ' + str(item.dll)) | |
| print('=========================================================') | |
| print('===================') | |
| print('APIs Called: ') | |
| print('===================') | |
| for i in item.imports: | |
| print(str(i.name)) | |
| print('=========================================================') | |
| # Create dictionary of file attributes: | |
| file_dump_dict = file.dump_dict() | |
| for sections in file_dump_dict['PE Sections']: | |
| section_name = sections['Name']['Value'].split("\\")[0] | |
| print(section_name) | |
| print('\n\n\n') | |
| print('######################################################################') | |
| print('Section Overview') | |
| print('######################################################################') | |
| # Get file sections: | |
| print('===================') | |
| print('File Section Information') | |
| print('===================') | |
| print('------------------------------------') | |
| print('Name\t\tDescription\t\tSection Type') | |
| print('------------------------------------') | |
| for sections in file_dump_dict['PE Sections']: | |
| section_name = sections['Name']['Value'].split("\\")[0] | |
| if section_name in common_sections_dict.keys(): | |
| section_type = "Common" | |
| section_description = common_sections_dict[section_name] | |
| elif section_name in packer_dict.keys(): | |
| section_type = "Packed Section" | |
| section_description = packer_dict[section_name] | |
| else: | |
| section_type = "Unknown" | |
| section_description = "Not found" | |
| print(section_name + "\t\t" + section_description + "\t\t" + section_type) | |
| # Print section name and fileoffset | |
| print('------------------------------------') | |
| print('Name\t\tOffset\t\tSHA256') | |
| print('------------------------------------') | |
| for stuff in file_dump_dict['PE Sections']: | |
| print( stuff['Name']['Value'].split("\\")[0] + "\t\t" + str(stuff['Name']['FileOffset']) + "\t\t" + str(stuff['SHA256'])) | |
| # Parsing Warnings: | |
| print('===================') | |
| print('Parsing Warnings') | |
| print('===================') | |
| if 'Parsing Warnings' in file_dump_dict.keys(): | |
| for warnings in file_dump_dict['Parsing Warnings']: | |
| print("Warning: " + warnings) | |
| else: | |
| print('No parsing warnings') | |
| print('\n\n\n') | |
| print('######################################################################') | |
| print('Detailed Section Info') | |
| print('######################################################################') | |
| # Terse parse through PE Sections in dump_dict: | |
| interesting_keys = ['Name' , 'Structure' , 'Flags' , 'Entropy', 'MD5' , 'SHA1' , 'SHA256' , 'SHA256' , 'SHA512'] | |
| for stuff in file_dump_dict['PE Sections']: | |
| print('=========================================================') | |
| print(stuff['Name']['Value'].split("\\")[0]) | |
| print('=========================================================') | |
| for data_i_want in interesting_keys: | |
| if data_i_want in stuff.keys(): | |
| print(data_i_want) | |
| data_im_parsing = stuff[data_i_want] | |
| if type(data_im_parsing) == list: | |
| for item in data_im_parsing: | |
| print(item) | |
| print("\n") | |
| elif type(data_im_parsing) == dict: | |
| for k2 in data_im_parsing: | |
| print(k2 + ": " + str(data_im_parsing[k2])) | |
| print("\n") | |
| else: | |
| print(str(stuff[data_i_want]) + "\n") | |
| """ | |
| # Parse through dump_dict: | |
| for k in file_dump_dict: | |
| print('===================') | |
| print(k) | |
| print('===================') | |
| for things in file_dump_dict[k]: | |
| print(things) | |
| print('===================') | |
| # Parse through PE Sections in dump_dict: | |
| for stuff in file_dump_dict['PE Sections']: | |
| print('=========================================================') | |
| print(stuff['Name']['Value'].split("\\")[0]) | |
| print('=========================================================') | |
| for k in stuff: | |
| print(k + ":") | |
| data_im_parsing = stuff[k] | |
| if type(data_im_parsing) == list: | |
| for item in data_im_parsing: | |
| print(item) | |
| print("\n") | |
| elif type(data_im_parsing) == dict: | |
| for k2 in data_im_parsing: | |
| print(k2 + ": " + str(data_im_parsing[k2])) | |
| print("\n") | |
| else: | |
| print(str(stuff[k]) + "\n") | |
| """ | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment