hopefully fix #4

malice-plugins · Dec 1, 2018 · b15e892 · b15e892
1 parent 3d20339
commit b15e892
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 55 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
diff --git a/Makefile b/Makefile
@@ -3,6 +3,7 @@ ORG=malice
 NAME=pescan
 CATEGORY=exe
 VERSION=$(shell cat VERSION)
+FLAGS?=
 
 MALWARE?=tests/malware
 EXTRACT?=/malware/tests/dump
@@ -12,7 +13,7 @@ all: build size tag test_all
 
 .PHONY: build
 build:
-	docker build -t $(ORG)/$(NAME):$(VERSION) .
+	docker build $(FLAGS) -t $(ORG)/$(NAME):$(VERSION) .
 
 .PHONY: size
 size:

diff --git a/docs/SAMPLE.md b/docs/SAMPLE.md
@@ -2,23 +2,24 @@
 
 #### Header
 
- - **Target Machine:** `0x14c (IMAGE_FILE_MACHINE_I386)`
- - **Compilation Timestamp:** `2006-11-30 09:20:34`
- - **Entry Point:** `0x5a46`
- - **Contained Sections:** `4`
+- **Target Machine:** `0x14c (IMAGE_FILE_MACHINE_I386)`
+- **Compilation Timestamp:** `2006-11-30 09:20:34`
+- **Entry Point:** `0x5a46`
+- **Contained Sections:** `4`
 
 #### Sections
 
-| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 |
-|------|-----------------|--------------|----------|---------|-----|
-| .text | 0x1000 | 0x4bfe | 20480 | 5.99 | 9062ff3acdff9ac80cd9f97a0df42383 |
-| .rdata | 0x6000 | 0xc44 | 4096 | 3.29 | 28c9e7872eb9d0a20a1d953382722735 |
-| .data | 0x7000 | 0x17b0 | 4096 | 4.04 | c38a0453ad319c9cd8b1760baf57a528 |
-| .rsrc | 0x9000 | 0x15d0 | 8192 | 4.50 | 0d4522a26417d45c33759d2a6375a55f |
+| Name   | Virtual Address | Virtual Size | Raw Size | Entropy | MD5                              |
+| ------ | --------------- | ------------ | -------- | ------- | -------------------------------- |
+| .text  | 0x1000          | 0x4bfe       | 20480    | 5.99    | 9062ff3acdff9ac80cd9f97a0df42383 |
+| .rdata | 0x6000          | 0xc44        | 4096     | 3.29    | 28c9e7872eb9d0a20a1d953382722735 |
+| .data  | 0x7000          | 0x17b0       | 4096     | 4.04    | c38a0453ad319c9cd8b1760baf57a528 |
+| .rsrc  | 0x9000          | 0x15d0       | 8192     | 4.50    | 0d4522a26417d45c33759d2a6375a55f |
 
 #### Imports
 
 ##### `KERNEL32.DLL`
+
 - GetStartupInfoA
 - GetModuleHandleA
 - CreatePipe
@@ -75,6 +76,7 @@
 - CreateThread
 
 ##### `ADVAPI32.dll`
+
 - RegCloseKey
 - RegSetValueExA
 - RegQueryValueExA
@@ -93,30 +95,32 @@
 - RegEnumValueA
 
 ##### `MPR.dll`
+
 - WNetCloseEnum
 - WNetOpenEnumA
 - WNetEnumResourceA
 
 ##### `MSVCRT.dll`
-- _except_handler3
-- __set_app_type
-- __p__fmode
-- __p__commode
-- _adjust_fdiv
-- __setusermatherr
-- _initterm
-- __getmainargs
-- _acmdln
+
+- \_except_handler3
+- \_\_set_app_type
+- **p**fmode
+- **p**commode
+- \_adjust_fdiv
+- \_\_setusermatherr
+- \_initterm
+- \_\_getmainargs
+- \_acmdln
 - exit
-- _XcptFilter
-- _exit
+- \_XcptFilter
+- \_exit
 - swprintf
 - fwrite
 - fopen
 - fseek
 - fread
 - fclose
-- _strnicmp
+- \_strnicmp
 - strcmp
 - sprintf
 - memcpy
@@ -132,17 +136,19 @@
 - strcpy
 - strcat
 - malloc
-- _EH_prolog
-- __CxxFrameHandler
+- \_EH_prolog
+- \_\_CxxFrameHandler
 - rename
-- _controlfp
+- \_controlfp
 - free
-- _itoa
+- \_itoa
 
 ##### `SHLWAPI.dll`
+
 - SHDeleteKeyA
 
 ##### `WS2_32.dll`
+
 - gethostname
 - gethostbyname
 - WSAGetLastError
@@ -159,30 +165,31 @@
 - WSACleanup
 - ioctlsocket
 
-
 #### Resources
 
-| SHA-256 | Size | Entropy | File Type | Type | Language |
-|---------|------|---------|-----------|------|----------|
-| 52a955550acda3b566c9fa9eda164853df4135dfa5eb7b173b3c5453a12f85a3 | 0x10a8 | 6.52 | None | RT_ICON | Chinese-People's Republic of China |
-| a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0 | 0x14 | 1.78 | None | RT_GROUP_ICON | Chinese-People's Republic of China |
-| 934b13844893dc0438a47aadc20d4873f806000c761249795c7f265ccca48bc9 | 0x41c | 3.47 | None | RT_VERSION | Chinese-People's Republic of China |
+| SHA-256                                                          | Size   | Entropy | File Type | Type          | Language                           |
+| ---------------------------------------------------------------- | ------ | ------- | --------- | ------------- | ---------------------------------- |
+| 52a955550acda3b566c9fa9eda164853df4135dfa5eb7b173b3c5453a12f85a3 | 0x10a8 | 6.52    | None      | RT_ICON       | Chinese-People's Republic of China |
+| a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0 | 0x14   | 1.78    | None      | RT_GROUP_ICON | Chinese-People's Republic of China |
+| 934b13844893dc0438a47aadc20d4873f806000c761249795c7f265ccca48bc9 | 0x41c  | 3.47    | None      | RT_VERSION    | Chinese-People's Republic of China |
 
 #### File Version Information
 
- - **Copyright:** `(C) Microsoft Corporation. All rights reserved.`
- - **Product:** `Microsoft(R) Windows(R) Operating System`
- - **Description:** `Internet Explorer`
- - **Original Name:** `IEXPLORE.EXE`
- - **Internal Name:** `iexplore`
- - **File Version:** `6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)`
+- **Copyright:** `(C) Microsoft Corporation. All rights reserved.`
+- **Product:** `Microsoft(R) Windows(R) Operating System`
+- **Description:** `Internet Explorer`
+- **Original Name:** `IEXPLORE.EXE`
+- **Internal Name:** `iexplore`
+- **File Version:** `6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)`
 
 #### Signature Info
+
 ##### Signature Verification
+
 > No file signature data found
 
 #### PEiD
+
 - `Armadillo v1.71`
 - `Microsoft Visual C++ v5.0/v6.0 (MFC)`
 - `Microsoft Visual C++`
-
diff --git a/docs/elastic.json b/docs/elastic.json
@@ -1,5 +1,5 @@
 {
-  "took": 90,
+  "took": 94,
   "timed_out": false,
   "_shards": {
     "total": 5,
@@ -17,7 +17,7 @@
         "_id": "befb88b89c2eb401900a68e9f5b78764203f2b48264fcc3f7121bf04a57fd408",
         "_score": 1,
         "_source": {
-          "scan_date": "2018-12-01T16:39:47.260990",
+          "scan_date": "2018-12-01T17:10:34.396593",
           "plugins": {
             "exe": {
               "pescan": {
@@ -40,7 +40,7 @@
                   "Microsoft Visual C++ v5.0/v6.0 (MFC)",
                   "Microsoft Visual C++"
                 ],
-                "markdown": "### pescan\n\n#### Header\n\n - **Target Machine:** `0x14c (IMAGE_FILE_MACHINE_I386)`\n - **Compilation Timestamp:** `2006-11-30 09:20:34`\n - **Entry Point:** `0x5a46`\n - **Contained Sections:** `4`\n\n#### Sections\n\n| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 |\n|------|-----------------|--------------|----------|---------|-----|\n| .text | 0x1000 | 0x4bfe | 20480 | 5.99 | 9062ff3acdff9ac80cd9f97a0df42383 |\n| .rdata | 0x6000 | 0xc44 | 4096 | 3.29 | 28c9e7872eb9d0a20a1d953382722735 |\n| .data | 0x7000 | 0x17b0 | 4096 | 4.04 | c38a0453ad319c9cd8b1760baf57a528 |\n| .rsrc | 0x9000 | 0x15d0 | 8192 | 4.50 | 0d4522a26417d45c33759d2a6375a55f |\n\n#### Imports\n\n##### `KERNEL32.DLL`\n- GetStartupInfoA\n- GetModuleHandleA\n- CreatePipe\n- PeekNamedPipe\n- ReadFile\n- CreateProcessA\n- MultiByteToWideChar\n- GlobalAlloc\n- GlobalFree\n- GetLocalTime\n- RemoveDirectoryA\n- FindNextFileA\n- FindFirstFileA\n- GetFileTime\n- SetFileTime\n- FindClose\n- GetPriorityClass\n- OpenProcess\n- GetCurrentProcess\n- DuplicateHandle\n- GetLastError\n- LocalFree\n- CreateToolhelp32Snapshot\n- Process32First\n- Process32Next\n- GetLogicalDriveStringsA\n- GetDriveTypeA\n- GetVolumeInformationA\n- GetComputerNameA\n- CreateFileA\n- GetFileSize\n- WriteFile\n- LoadLibraryA\n- GetProcAddress\n- FreeLibrary\n- GetVersionExA\n- GetSystemDefaultLangID\n- OpenMutexA\n- CreateMutexA\n- CloseHandle\n- lstrcmpiA\n- ExitProcess\n- SetEvent\n- WaitForSingleObject\n- Sleep\n- DeleteFileA\n- CopyFileA\n- GetWindowsDirectoryA\n- GetModuleFileNameA\n- CreateDirectoryA\n- GetFileAttributesA\n- SetFileAttributesA\n- CreateEventA\n- CreateThread\n\n##### `ADVAPI32.dll`\n- RegCloseKey\n- RegSetValueExA\n- RegQueryValueExA\n- RegCreateKeyExA\n- RegDeleteValueA\n- RegOpenKeyExA\n- SetSecurityInfo\n- SetEntriesInAclA\n- AdjustTokenPrivileges\n- LookupPrivilegeValueA\n- GetTokenInformation\n- OpenProcessToken\n- GetUserNameA\n- LookupAccountSidA\n- RegEnumKeyExA\n- RegEnumValueA\n\n##### `MPR.dll`\n- WNetCloseEnum\n- WNetOpenEnumA\n- WNetEnumResourceA\n\n##### `MSVCRT.dll`\n- _except_handler3\n- __set_app_type\n- __p__fmode\n- __p__commode\n- _adjust_fdiv\n- __setusermatherr\n- _initterm\n- __getmainargs\n- _acmdln\n- exit\n- _XcptFilter\n- _exit\n- swprintf\n- fwrite\n- fopen\n- fseek\n- fread\n- fclose\n- _strnicmp\n- strcmp\n- sprintf\n- memcpy\n- strstr\n- strchr\n- atoi\n- memset\n- strlen\n- strrchr\n- time\n- srand\n- rand\n- strcpy\n- strcat\n- malloc\n- _EH_prolog\n- __CxxFrameHandler\n- rename\n- _controlfp\n- free\n- _itoa\n\n##### `SHLWAPI.dll`\n- SHDeleteKeyA\n\n##### `WS2_32.dll`\n- gethostname\n- gethostbyname\n- WSAGetLastError\n- inet_ntoa\n- inet_addr\n- socket\n- htons\n- connect\n- select\n- send\n- closesocket\n- recv\n- WSAStartup\n- WSACleanup\n- ioctlsocket\n\n\n#### Resources\n\n| SHA-256 | Size | Entropy | File Type | Type | Language |\n|---------|------|---------|-----------|------|----------|\n| 52a955550acda3b566c9fa9eda164853df4135dfa5eb7b173b3c5453a12f85a3 | 0x10a8 | 6.52 | None | RT_ICON | Chinese-People's Republic of China |\n| a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0 | 0x14 | 1.78 | None | RT_GROUP_ICON | Chinese-People's Republic of China |\n| 934b13844893dc0438a47aadc20d4873f806000c761249795c7f265ccca48bc9 | 0x41c | 3.47 | None | RT_VERSION | Chinese-People's Republic of China |\n\n#### File Version Information\n\n - **Copyright:** `(C) Microsoft Corporation. All rights reserved.`\n - **Product:** `Microsoft(R) Windows(R) Operating System`\n - **Description:** `Internet Explorer`\n - **Original Name:** `IEXPLORE.EXE`\n - **Internal Name:** `iexplore`\n - **File Version:** `6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)`\n\n#### Signature Info\n##### Signature Verification\n> No file signature data found\n\n#### PEiD\n- `Armadillo v1.71`\n- `Microsoft Visual C++ v5.0/v6.0 (MFC)`\n- `Microsoft Visual C++`\n",
+                "markdown": "### pescan\n\n#### Header\n\n- **Target Machine:** `0x14c (IMAGE_FILE_MACHINE_I386)`\n- **Compilation Timestamp:** `2006-11-30 09:20:34`\n- **Entry Point:** `0x5a46`\n- **Contained Sections:** `4`\n\n#### Sections\n\n| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 |\n|------|-----------------|--------------|----------|---------|-----|\n| .text | 0x1000 | 0x4bfe | 20480 | 5.99 | 9062ff3acdff9ac80cd9f97a0df42383 |\n| .rdata | 0x6000 | 0xc44 | 4096 | 3.29 | 28c9e7872eb9d0a20a1d953382722735 |\n| .data | 0x7000 | 0x17b0 | 4096 | 4.04 | c38a0453ad319c9cd8b1760baf57a528 |\n| .rsrc | 0x9000 | 0x15d0 | 8192 | 4.50 | 0d4522a26417d45c33759d2a6375a55f |\n\n#### Imports\n\n##### `KERNEL32.DLL`\n- GetStartupInfoA\n- GetModuleHandleA\n- CreatePipe\n- PeekNamedPipe\n- ReadFile\n- CreateProcessA\n- MultiByteToWideChar\n- GlobalAlloc\n- GlobalFree\n- GetLocalTime\n- RemoveDirectoryA\n- FindNextFileA\n- FindFirstFileA\n- GetFileTime\n- SetFileTime\n- FindClose\n- GetPriorityClass\n- OpenProcess\n- GetCurrentProcess\n- DuplicateHandle\n- GetLastError\n- LocalFree\n- CreateToolhelp32Snapshot\n- Process32First\n- Process32Next\n- GetLogicalDriveStringsA\n- GetDriveTypeA\n- GetVolumeInformationA\n- GetComputerNameA\n- CreateFileA\n- GetFileSize\n- WriteFile\n- LoadLibraryA\n- GetProcAddress\n- FreeLibrary\n- GetVersionExA\n- GetSystemDefaultLangID\n- OpenMutexA\n- CreateMutexA\n- CloseHandle\n- lstrcmpiA\n- ExitProcess\n- SetEvent\n- WaitForSingleObject\n- Sleep\n- DeleteFileA\n- CopyFileA\n- GetWindowsDirectoryA\n- GetModuleFileNameA\n- CreateDirectoryA\n- GetFileAttributesA\n- SetFileAttributesA\n- CreateEventA\n- CreateThread\n\n##### `ADVAPI32.dll`\n- RegCloseKey\n- RegSetValueExA\n- RegQueryValueExA\n- RegCreateKeyExA\n- RegDeleteValueA\n- RegOpenKeyExA\n- SetSecurityInfo\n- SetEntriesInAclA\n- AdjustTokenPrivileges\n- LookupPrivilegeValueA\n- GetTokenInformation\n- OpenProcessToken\n- GetUserNameA\n- LookupAccountSidA\n- RegEnumKeyExA\n- RegEnumValueA\n\n##### `MPR.dll`\n- WNetCloseEnum\n- WNetOpenEnumA\n- WNetEnumResourceA\n\n##### `MSVCRT.dll`\n- _except_handler3\n- __set_app_type\n- __p__fmode\n- __p__commode\n- _adjust_fdiv\n- __setusermatherr\n- _initterm\n- __getmainargs\n- _acmdln\n- exit\n- _XcptFilter\n- _exit\n- swprintf\n- fwrite\n- fopen\n- fseek\n- fread\n- fclose\n- _strnicmp\n- strcmp\n- sprintf\n- memcpy\n- strstr\n- strchr\n- atoi\n- memset\n- strlen\n- strrchr\n- time\n- srand\n- rand\n- strcpy\n- strcat\n- malloc\n- _EH_prolog\n- __CxxFrameHandler\n- rename\n- _controlfp\n- free\n- _itoa\n\n##### `SHLWAPI.dll`\n- SHDeleteKeyA\n\n##### `WS2_32.dll`\n- gethostname\n- gethostbyname\n- WSAGetLastError\n- inet_ntoa\n- inet_addr\n- socket\n- htons\n- connect\n- select\n- send\n- closesocket\n- recv\n- WSAStartup\n- WSACleanup\n- ioctlsocket\n\n\n#### Resources\n\n| SHA-256 | Size | Entropy | File Type | Type | Language |\n|---------|------|---------|-----------|------|----------|\n| 52a955550acda3b566c9fa9eda164853df4135dfa5eb7b173b3c5453a12f85a3 | 0x10a8 | 6.52 | None | RT_ICON | Chinese-People's Republic of China |\n| a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0 | 0x14 | 1.78 | None | RT_GROUP_ICON | Chinese-People's Republic of China |\n| 934b13844893dc0438a47aadc20d4873f806000c761249795c7f265ccca48bc9 | 0x41c | 3.47 | None | RT_VERSION | Chinese-People's Republic of China |\n\n#### File Version Information\n\n - **Copyright:** `(C) Microsoft Corporation. All rights reserved.`\n - **Product:** `Microsoft(R) Windows(R) Operating System`\n - **Description:** `Internet Explorer`\n - **Original Name:** `IEXPLORE.EXE`\n - **Internal Name:** `iexplore`\n - **File Version:** `6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)`\n\n#### Signature Info\n##### Signature Verification\n> No file signature data found\n\n#### PEiD\n- `Armadillo v1.71`\n- `Microsoft Visual C++ v5.0/v6.0 (MFC)`\n- `Microsoft Visual C++`\n",
                 "language": "C",
                 "imphash": "a2cee99c7e42d671d47e3fb71c71bda4",
                 "imports": [

diff --git a/malice/__init__.py b/malice/__init__.py
@@ -17,16 +17,17 @@
 from os import path
 
 import chardet
-from future.builtins import open
 
 import pefile
 import peutils
-from lcid import LCID
+from future.builtins import open
 from pehash.pehasher import calculate_pehash
 from sig import get_signify
 from utils import get_entropy, get_md5, get_sha256, get_type, sha256_checksum
 from utils.charset import safe_str, translate_str
 
+from .lcid import LCID
+
 # from verifysigs.asn1utils import dn
 # from verifysigs.sigs_helper import get_auth_data
 
@@ -100,7 +101,7 @@ def debug(self):
 
             # When it is a unicode, we know we are coming from RSDS which is UTF-8
             # otherwise, we come from NB10 and we need to guess the charset.
-            if type(self.pe.pdb_filename) != unicode:
+            if not isinstance(self.pe.pdb_filename, unicode):
                 char_enc_guessed = translate_str(self.pe.pdb_filename)
                 pdb_filename = char_enc_guessed['converted']
             else:
@@ -492,7 +493,7 @@ def resource_strings(self):
                             success = False
                             try:
                                 comment = "%s (id:%s - lang_id:0x%04X [%s])" % (str(dir_type.name), str(nameID.name),
-                                                                                language.id, lcid[language.id])
+                                                                                language.id, LCID[language.id])
                             except KeyError:
                                 comment = "%s (id:%s - lang_id:0x%04X [Unknown language])" % (str(
                                     dir_type.name), str(nameID.name), language.id)
@@ -709,7 +710,7 @@ def find_language(iat, sample, content):
 
             # VB check
             if check_module(iat, 'VB'):
-                self.log('info', "{0} - Possible language: Visual Basic".format(sample.name))
+                log('info', "{0} - Possible language: Visual Basic".format(sample.name))
                 return 'Visual Basic'
 
             # .NET check

diff --git a/utils/markdown.jinja2 b/utils/markdown.jinja2
@@ -4,10 +4,12 @@
 {% if exe.get('info') -%}
 #### Header
 
- - **Target Machine:** `{{ exe['info'].get('machine_type') }}`
- - **Compilation Timestamp:** `{{ exe['info']['compiletime'].get('datetime') }}`
- - **Entry Point:** `{{ exe['info'].get('entrypoint') }}`
- - **Contained Sections:** `{{ exe['info'].get('number_of_sections') }}`
+- **Target Machine:** `{{ exe['info'].get('machine_type') }}`
+{% if exe['info'].get('compiletime') -%}
+- **Compilation Timestamp:** `{{ exe['info']['compiletime'].get('datetime') }}`
+{% endif -%}
+- **Entry Point:** `{{ exe['info'].get('entrypoint') }}`
+- **Contained Sections:** `{{ exe['info'].get('number_of_sections') }}`
 {% endif %}
 {% if exe.get('sections') -%}
 #### Sections