diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index 0b7ec8e..0000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "python.pythonPath": "${workspaceFolder}/venv/bin/python" -} diff --git a/Makefile b/Makefile index 8d88dca..fb91b02 100644 --- a/Makefile +++ b/Makefile @@ -3,6 +3,7 @@ ORG=malice NAME=pescan CATEGORY=exe VERSION=$(shell cat VERSION) +FLAGS?= MALWARE?=tests/malware EXTRACT?=/malware/tests/dump @@ -12,7 +13,7 @@ all: build size tag test_all .PHONY: build build: - docker build -t $(ORG)/$(NAME):$(VERSION) . + docker build $(FLAGS) -t $(ORG)/$(NAME):$(VERSION) . .PHONY: size size: diff --git a/docs/SAMPLE.md b/docs/SAMPLE.md index b779b40..c153eb1 100644 --- a/docs/SAMPLE.md +++ b/docs/SAMPLE.md 
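Review bot: `FLAGS?=` is added with no comment saying what it is for, and its only consumer is the `docker build $(FLAGS) -t …` line in the `build` target, so a reader of the variable block has to search for it; a one-liner above it such as `# extra options forwarded to docker build, e.g. FLAGS=--no-cache` would do. Because the value is expanded unquoted into the shell command, multi-word values work as expected, but anything passed via `--build-arg` this way ends up in the image history, so FLAGS should not be used to carry credentials.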
@@ -2,23 +2,24 @@ #### Header - - **Target Machine:** `0x14c (IMAGE_FILE_MACHINE_I386)` - - **Compilation Timestamp:** `2006-11-30 09:20:34` - - **Entry Point:** `0x5a46` - - **Contained Sections:** `4` +- **Target Machine:** `0x14c (IMAGE_FILE_MACHINE_I386)` +- **Compilation Timestamp:** `2006-11-30 09:20:34` +- **Entry Point:** `0x5a46` +- **Contained Sections:** `4` #### Sections -| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 | -|------|-----------------|--------------|----------|---------|-----| -| .text | 0x1000 | 0x4bfe | 20480 | 5.99 | 9062ff3acdff9ac80cd9f97a0df42383 | -| .rdata | 0x6000 | 0xc44 | 4096 | 3.29 | 28c9e7872eb9d0a20a1d953382722735 | -| .data | 0x7000 | 0x17b0 | 4096 | 4.04 | c38a0453ad319c9cd8b1760baf57a528 | -| .rsrc | 0x9000 | 0x15d0 | 8192 | 4.50 | 0d4522a26417d45c33759d2a6375a55f | +| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 | +| ------ | --------------- | ------------ | -------- | ------- | -------------------------------- | +| .text | 0x1000 | 0x4bfe | 20480 | 5.99 | 9062ff3acdff9ac80cd9f97a0df42383 | +| .rdata | 0x6000 | 0xc44 | 4096 | 3.29 | 28c9e7872eb9d0a20a1d953382722735 | +| .data | 0x7000 | 0x17b0 | 4096 | 4.04 | c38a0453ad319c9cd8b1760baf57a528 | +| .rsrc | 0x9000 | 0x15d0 | 8192 | 4.50 | 0d4522a26417d45c33759d2a6375a55f | #### Imports ##### `KERNEL32.DLL` + - GetStartupInfoA - GetModuleHandleA - CreatePipe @@ -75,6 +76,7 @@ - CreateThread ##### `ADVAPI32.dll` + - RegCloseKey - RegSetValueExA - RegQueryValueExA 
@@ -93,30 +95,32 @@ - RegEnumValueA ##### `MPR.dll` + - WNetCloseEnum - WNetOpenEnumA - WNetEnumResourceA ##### `MSVCRT.dll` -- _except_handler3 -- __set_app_type -- __p__fmode -- __p__commode -- _adjust_fdiv -- __setusermatherr -- _initterm -- __getmainargs -- _acmdln + +- \_except_handler3 +- \_\_set_app_type +- **p**fmode +- **p**commode +- \_adjust_fdiv +- \_\_setusermatherr +- \_initterm +- \_\_getmainargs +- \_acmdln - exit -- _XcptFilter -- _exit +- \_XcptFilter +- \_exit - swprintf - fwrite - fopen - fseek - fread - fclose -- _strnicmp +- \_strnicmp - strcmp - sprintf - memcpy @@ -132,17 +136,19 @@ - strcpy - strcat - malloc -- _EH_prolog -- __CxxFrameHandler +- \_EH_prolog +- \_\_CxxFrameHandler - rename -- _controlfp +- \_controlfp - free -- _itoa +- \_itoa ##### `SHLWAPI.dll` + - SHDeleteKeyA ##### `WS2_32.dll` + - gethostname - gethostbyname - WSAGetLastError 
@@ -159,30 +165,31 @@ - WSACleanup - ioctlsocket - #### Resources -| SHA-256 | Size | Entropy | File Type | Type | Language | -|---------|------|---------|-----------|------|----------| -| 52a955550acda3b566c9fa9eda164853df4135dfa5eb7b173b3c5453a12f85a3 | 0x10a8 | 6.52 | None | RT_ICON | Chinese-People's Republic of China | -| a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0 | 0x14 | 1.78 | None | RT_GROUP_ICON | Chinese-People's Republic of China | -| 934b13844893dc0438a47aadc20d4873f806000c761249795c7f265ccca48bc9 | 0x41c | 3.47 | None | RT_VERSION | Chinese-People's Republic of China | +| SHA-256 | Size | Entropy | File Type | Type | Language | +| ---------------------------------------------------------------- | ------ | ------- | --------- | ------------- | ---------------------------------- | +| 52a955550acda3b566c9fa9eda164853df4135dfa5eb7b173b3c5453a12f85a3 | 0x10a8 | 6.52 | None | RT_ICON | Chinese-People's Republic of China | +| a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0 | 0x14 | 1.78 | None | RT_GROUP_ICON | Chinese-People's Republic of China | +| 934b13844893dc0438a47aadc20d4873f806000c761249795c7f265ccca48bc9 | 0x41c | 3.47 | None | RT_VERSION | Chinese-People's Republic of China | #### File Version Information - - **Copyright:** `(C) Microsoft Corporation. All rights reserved.` - - **Product:** `Microsoft(R) Windows(R) Operating System` - - **Description:** `Internet Explorer` - - **Original Name:** `IEXPLORE.EXE` - - **Internal Name:** `iexplore` - - **File Version:** `6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)` +- **Copyright:** `(C) Microsoft Corporation. 
All rights reserved.` +- **Product:** `Microsoft(R) Windows(R) Operating System` +- **Description:** `Internet Explorer` +- **Original Name:** `IEXPLORE.EXE` +- **Internal Name:** `iexplore` +- **File Version:** `6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)` #### Signature Info + ##### Signature Verification + > No file signature data found #### PEiD + - `Armadillo v1.71` - `Microsoft Visual C++ v5.0/v6.0 (MFC)` - `Microsoft Visual C++` - diff --git a/docs/elastic.json b/docs/elastic.json index a7e135b..be66e55 100644 --- a/docs/elastic.json +++ b/docs/elastic.json @@ -1,5 +1,5 @@ { - "took": 90, + "took": 94, "timed_out": false, "_shards": { "total": 5, @@ -17,7 +17,7 @@ "_id": "befb88b89c2eb401900a68e9f5b78764203f2b48264fcc3f7121bf04a57fd408", "_score": 1, "_source": { - "scan_date": "2018-12-01T16:39:47.260990", + "scan_date": "2018-12-01T17:10:34.396593", "plugins": { "exe": { "pescan": { 
@@ -40,7 +40,7 @@ "Microsoft Visual C++ v5.0/v6.0 (MFC)", "Microsoft Visual C++" ], - "markdown": "### pescan\n\n#### Header\n\n - **Target Machine:** `0x14c (IMAGE_FILE_MACHINE_I386)`\n - **Compilation Timestamp:** `2006-11-30 09:20:34`\n - **Entry Point:** `0x5a46`\n - **Contained Sections:** `4`\n\n#### Sections\n\n| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 |\n|------|-----------------|--------------|----------|---------|-----|\n| .text | 0x1000 | 0x4bfe | 20480 | 5.99 | 9062ff3acdff9ac80cd9f97a0df42383 |\n| .rdata | 0x6000 | 0xc44 | 4096 | 3.29 | 28c9e7872eb9d0a20a1d953382722735 |\n| .data | 0x7000 | 0x17b0 | 4096 | 4.04 | c38a0453ad319c9cd8b1760baf57a528 |\n| .rsrc | 0x9000 | 0x15d0 | 8192 | 4.50 | 0d4522a26417d45c33759d2a6375a55f |\n\n#### Imports\n\n##### `KERNEL32.DLL`\n- GetStartupInfoA\n- GetModuleHandleA\n- CreatePipe\n- PeekNamedPipe\n- ReadFile\n- CreateProcessA\n- MultiByteToWideChar\n- GlobalAlloc\n- GlobalFree\n- GetLocalTime\n- RemoveDirectoryA\n- FindNextFileA\n- FindFirstFileA\n- GetFileTime\n- SetFileTime\n- FindClose\n- GetPriorityClass\n- OpenProcess\n- GetCurrentProcess\n- DuplicateHandle\n- GetLastError\n- LocalFree\n- CreateToolhelp32Snapshot\n- Process32First\n- Process32Next\n- GetLogicalDriveStringsA\n- GetDriveTypeA\n- GetVolumeInformationA\n- GetComputerNameA\n- CreateFileA\n- GetFileSize\n- WriteFile\n- LoadLibraryA\n- GetProcAddress\n- FreeLibrary\n- GetVersionExA\n- GetSystemDefaultLangID\n- OpenMutexA\n- CreateMutexA\n- CloseHandle\n- lstrcmpiA\n- ExitProcess\n- SetEvent\n- WaitForSingleObject\n- Sleep\n- DeleteFileA\n- CopyFileA\n- GetWindowsDirectoryA\n- GetModuleFileNameA\n- CreateDirectoryA\n- GetFileAttributesA\n- SetFileAttributesA\n- CreateEventA\n- CreateThread\n\n##### `ADVAPI32.dll`\n- RegCloseKey\n- RegSetValueExA\n- RegQueryValueExA\n- RegCreateKeyExA\n- RegDeleteValueA\n- RegOpenKeyExA\n- SetSecurityInfo\n- SetEntriesInAclA\n- AdjustTokenPrivileges\n- LookupPrivilegeValueA\n- 
GetTokenInformation\n- OpenProcessToken\n- GetUserNameA\n- LookupAccountSidA\n- RegEnumKeyExA\n- RegEnumValueA\n\n##### `MPR.dll`\n- WNetCloseEnum\n- WNetOpenEnumA\n- WNetEnumResourceA\n\n##### `MSVCRT.dll`\n- _except_handler3\n- __set_app_type\n- __p__fmode\n- __p__commode\n- _adjust_fdiv\n- __setusermatherr\n- _initterm\n- __getmainargs\n- _acmdln\n- exit\n- _XcptFilter\n- _exit\n- swprintf\n- fwrite\n- fopen\n- fseek\n- fread\n- fclose\n- _strnicmp\n- strcmp\n- sprintf\n- memcpy\n- strstr\n- strchr\n- atoi\n- memset\n- strlen\n- strrchr\n- time\n- srand\n- rand\n- strcpy\n- strcat\n- malloc\n- _EH_prolog\n- __CxxFrameHandler\n- rename\n- _controlfp\n- free\n- _itoa\n\n##### `SHLWAPI.dll`\n- SHDeleteKeyA\n\n##### `WS2_32.dll`\n- gethostname\n- gethostbyname\n- WSAGetLastError\n- inet_ntoa\n- inet_addr\n- socket\n- htons\n- connect\n- select\n- send\n- closesocket\n- recv\n- WSAStartup\n- WSACleanup\n- ioctlsocket\n\n\n#### Resources\n\n| SHA-256 | Size | Entropy | File Type | Type | Language |\n|---------|------|---------|-----------|------|----------|\n| 52a955550acda3b566c9fa9eda164853df4135dfa5eb7b173b3c5453a12f85a3 | 0x10a8 | 6.52 | None | RT_ICON | Chinese-People's Republic of China |\n| a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0 | 0x14 | 1.78 | None | RT_GROUP_ICON | Chinese-People's Republic of China |\n| 934b13844893dc0438a47aadc20d4873f806000c761249795c7f265ccca48bc9 | 0x41c | 3.47 | None | RT_VERSION | Chinese-People's Republic of China |\n\n#### File Version Information\n\n - **Copyright:** `(C) Microsoft Corporation. 
All rights reserved.`\n - **Product:** `Microsoft(R) Windows(R) Operating System`\n - **Description:** `Internet Explorer`\n - **Original Name:** `IEXPLORE.EXE`\n - **Internal Name:** `iexplore`\n - **File Version:** `6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)`\n\n#### Signature Info\n##### Signature Verification\n> No file signature data found\n\n#### PEiD\n- `Armadillo v1.71`\n- `Microsoft Visual C++ v5.0/v6.0 (MFC)`\n- `Microsoft Visual C++`\n", + "markdown": "### pescan\n\n#### Header\n\n- **Target Machine:** `0x14c (IMAGE_FILE_MACHINE_I386)`\n- **Compilation Timestamp:** `2006-11-30 09:20:34`\n- **Entry Point:** `0x5a46`\n- **Contained Sections:** `4`\n\n#### Sections\n\n| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 |\n|------|-----------------|--------------|----------|---------|-----|\n| .text | 0x1000 | 0x4bfe | 20480 | 5.99 | 9062ff3acdff9ac80cd9f97a0df42383 |\n| .rdata | 0x6000 | 0xc44 | 4096 | 3.29 | 28c9e7872eb9d0a20a1d953382722735 |\n| .data | 0x7000 | 0x17b0 | 4096 | 4.04 | c38a0453ad319c9cd8b1760baf57a528 |\n| .rsrc | 0x9000 | 0x15d0 | 8192 | 4.50 | 0d4522a26417d45c33759d2a6375a55f |\n\n#### Imports\n\n##### `KERNEL32.DLL`\n- GetStartupInfoA\n- GetModuleHandleA\n- CreatePipe\n- PeekNamedPipe\n- ReadFile\n- CreateProcessA\n- MultiByteToWideChar\n- GlobalAlloc\n- GlobalFree\n- GetLocalTime\n- RemoveDirectoryA\n- FindNextFileA\n- FindFirstFileA\n- GetFileTime\n- SetFileTime\n- FindClose\n- GetPriorityClass\n- OpenProcess\n- GetCurrentProcess\n- DuplicateHandle\n- GetLastError\n- LocalFree\n- CreateToolhelp32Snapshot\n- Process32First\n- Process32Next\n- GetLogicalDriveStringsA\n- GetDriveTypeA\n- GetVolumeInformationA\n- GetComputerNameA\n- CreateFileA\n- GetFileSize\n- WriteFile\n- LoadLibraryA\n- GetProcAddress\n- FreeLibrary\n- GetVersionExA\n- GetSystemDefaultLangID\n- OpenMutexA\n- CreateMutexA\n- CloseHandle\n- lstrcmpiA\n- ExitProcess\n- SetEvent\n- WaitForSingleObject\n- Sleep\n- DeleteFileA\n- CopyFileA\n- 
GetWindowsDirectoryA\n- GetModuleFileNameA\n- CreateDirectoryA\n- GetFileAttributesA\n- SetFileAttributesA\n- CreateEventA\n- CreateThread\n\n##### `ADVAPI32.dll`\n- RegCloseKey\n- RegSetValueExA\n- RegQueryValueExA\n- RegCreateKeyExA\n- RegDeleteValueA\n- RegOpenKeyExA\n- SetSecurityInfo\n- SetEntriesInAclA\n- AdjustTokenPrivileges\n- LookupPrivilegeValueA\n- GetTokenInformation\n- OpenProcessToken\n- GetUserNameA\n- LookupAccountSidA\n- RegEnumKeyExA\n- RegEnumValueA\n\n##### `MPR.dll`\n- WNetCloseEnum\n- WNetOpenEnumA\n- WNetEnumResourceA\n\n##### `MSVCRT.dll`\n- _except_handler3\n- __set_app_type\n- __p__fmode\n- __p__commode\n- _adjust_fdiv\n- __setusermatherr\n- _initterm\n- __getmainargs\n- _acmdln\n- exit\n- _XcptFilter\n- _exit\n- swprintf\n- fwrite\n- fopen\n- fseek\n- fread\n- fclose\n- _strnicmp\n- strcmp\n- sprintf\n- memcpy\n- strstr\n- strchr\n- atoi\n- memset\n- strlen\n- strrchr\n- time\n- srand\n- rand\n- strcpy\n- strcat\n- malloc\n- _EH_prolog\n- __CxxFrameHandler\n- rename\n- _controlfp\n- free\n- _itoa\n\n##### `SHLWAPI.dll`\n- SHDeleteKeyA\n\n##### `WS2_32.dll`\n- gethostname\n- gethostbyname\n- WSAGetLastError\n- inet_ntoa\n- inet_addr\n- socket\n- htons\n- connect\n- select\n- send\n- closesocket\n- recv\n- WSAStartup\n- WSACleanup\n- ioctlsocket\n\n\n#### Resources\n\n| SHA-256 | Size | Entropy | File Type | Type | Language |\n|---------|------|---------|-----------|------|----------|\n| 52a955550acda3b566c9fa9eda164853df4135dfa5eb7b173b3c5453a12f85a3 | 0x10a8 | 6.52 | None | RT_ICON | Chinese-People's Republic of China |\n| a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0 | 0x14 | 1.78 | None | RT_GROUP_ICON | Chinese-People's Republic of China |\n| 934b13844893dc0438a47aadc20d4873f806000c761249795c7f265ccca48bc9 | 0x41c | 3.47 | None | RT_VERSION | Chinese-People's Republic of China |\n\n#### File Version Information\n\n - **Copyright:** `(C) Microsoft Corporation. 
All rights reserved.`\n - **Product:** `Microsoft(R) Windows(R) Operating System`\n - **Description:** `Internet Explorer`\n - **Original Name:** `IEXPLORE.EXE`\n - **Internal Name:** `iexplore`\n - **File Version:** `6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)`\n\n#### Signature Info\n##### Signature Verification\n> No file signature data found\n\n#### PEiD\n- `Armadillo v1.71`\n- `Microsoft Visual C++ v5.0/v6.0 (MFC)`\n- `Microsoft Visual C++`\n", "language": "C", "imphash": "a2cee99c7e42d671d47e3fb71c71bda4", "imports": [ diff --git a/malice/__init__.py b/malice/__init__.py index a78882b..1c3181a 100644 --- a/malice/__init__.py +++ b/malice/__init__.py @@ -17,16 +17,17 @@ from os import path import chardet -from future.builtins import open import pefile import peutils -from lcid import LCID +from future.builtins import open from pehash.pehasher import calculate_pehash from sig import get_signify from utils import get_entropy, get_md5, get_sha256, get_type, sha256_checksum from utils.charset import safe_str, translate_str +from .lcid import LCID + # from verifysigs.asn1utils import dn # from verifysigs.sigs_helper import get_auth_data @@ -100,7 +101,7 @@ def debug(self): # When it is a unicode, we know we are coming from RSDS which is UTF-8 # otherwise, we come from NB10 and we need to guess the charset. - if type(self.pe.pdb_filename) != unicode: + if not isinstance(self.pe.pdb_filename, unicode): char_enc_guessed = translate_str(self.pe.pdb_filename) pdb_filename = char_enc_guessed['converted'] else: @@ -492,7 +493,7 @@ def resource_strings(self): success = False try: comment = "%s (id:%s - lang_id:0x%04X [%s])" % (str(dir_type.name), str(nameID.name), - language.id, lcid[language.id]) + language.id, LCID[language.id]) except KeyError: comment = "%s (id:%s - lang_id:0x%04X [Unknown language])" % (str( dir_type.name), str(nameID.name), language.id) 
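Review bot: The rearranged import block leaves `from future.builtins import open` sorted after `pefile`/`peutils` instead of before them, and `from .lcid import LCID` becomes the only relative import while `sig`, `utils` and `pehash` stay absolute; if `lcid` now lives inside the `malice` package that is correct, but the module-local group should then sit after a blank line as its own group, which the added blank line before the commented `verifysigs` imports seems to be aiming for. I would move `from future.builtins import open` above `import pefile` so the third-party group stays alphabetical. Since that import rebinds the builtin `open` for the whole module, a comment on it would help, e.g. `# future.builtins.open: Python 3 style open() on Python 2`.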
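Review bot: `unicode` in the new `isinstance` check is a Python 2 only name, so if this module is meant to run on Python 3 as the `future.builtins` import suggests, the line would raise NameError the first time a sample with a PDB path is scanned. The test can be written without it by checking the other side, `if isinstance(self.pe.pdb_filename, bytes):`, which keeps both branches as they are (on Python 2 `bytes` is `str`); alternatively `from past.builtins import unicode` if the name must stay. This assumes `pdb_filename` is always either a byte string or a unicode string, as the comment above the check states. The `debug` method starts and ends outside the hunk.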
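Review bot: The `except KeyError` around the comment string duplicates the whole format call only to substitute `Unknown language`; if `LCID` is a plain dict, `LCID.get(language.id, 'Unknown language')` inside a single format call gives the same text without the exception path, e.g. `comment = "%s (id:%s - lang_id:0x%04X [%s])" % (str(dir_type.name), str(nameID.name), language.id, LCID.get(language.id, 'Unknown language'))`. This is only safe if the `try` is not also relied on to catch a missing `nameID.name` or `dir_type.name`, which the hunk does not show. `resource_strings` continues outside the hunk.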
@@ -709,7 +710,7 @@ def find_language(iat, sample, content): # VB check if check_module(iat, 'VB'): - self.log('info', "{0} - Possible language: Visual Basic".format(sample.name)) + log('info', "{0} - Possible language: Visual Basic".format(sample.name)) return 'Visual Basic' # .NET check diff --git a/utils/markdown.jinja2 b/utils/markdown.jinja2 index 0464381..d79b915 100644 --- a/utils/markdown.jinja2 +++ b/utils/markdown.jinja2 @@ -4,10 +4,12 @@ {% if exe.get('info') -%} #### Header - - **Target Machine:** `{{ exe['info'].get('machine_type') }}` - - **Compilation Timestamp:** `{{ exe['info']['compiletime'].get('datetime') }}` - - **Entry Point:** `{{ exe['info'].get('entrypoint') }}` - - **Contained Sections:** `{{ exe['info'].get('number_of_sections') }}` +- **Target Machine:** `{{ exe['info'].get('machine_type') }}` +{% if exe['info'].get('compiletime') -%} +- **Compilation Timestamp:** `{{ exe['info']['compiletime'].get('datetime') }}` +{% endif -%} +- **Entry Point:** `{{ exe['info'].get('entrypoint') }}` +- **Contained Sections:** `{{ exe['info'].get('number_of_sections') }}` {% endif %} {% if exe.get('sections') -%} #### Sections
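Review bot: Replacing `self.log(...)` with `log(...)` in the module-level function `find_language` is right since there is no `self` in scope, but the hunk does not show where `log` is defined; confirm that a module-level `log` (or an import of one) exists in `malice/__init__.py`, otherwise this line only trades a NameError on `self` for a NameError on `log`. The function continues past the hunk with the `# .NET check` branch and presumably further checks, which should be searched for the same `self.log(` pattern so the fix is complete rather than only covering the Visual Basic branch.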
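Review bot: The new guard drops the Compilation Timestamp line when `compiletime` is missing, but the sibling header fields still render the literal text `None` inside backticks when their key is absent, because `.get()` defaults to `None` (SAMPLE.md shows this for the `File Type` column), so the header now treats missing data two different ways. Either guard each field the same way or give every `.get()` an explicit fallback, e.g. `{{ exe['info'].get('entrypoint', 'unknown') }}`. The `{% if exe.get('sections') -%}` block opened at the end of the hunk closes outside it.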