## Virustotal Python Scanner script 0.01
## Created by Alexander Hanel
import sys
import os
import pefile
import peutils
import math
import time
import datetime
import subprocess
##############################################################
## Print PE file attributes & metadata
def attributes():
print "Optional Header:", hex(pe.OPTIONAL_HEADER.ImageBase)
print "Address Of Entry Point:", hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
machine = 0
machine = pe.FILE_HEADER.Machine
print "Required CPU type:", pefile.MACHINE_TYPE[machine]
dll = pe.FILE_HEADER.IMAGE_FILE_DLL
print "DLL:", dll
print "Subsystem:", pefile.SUBSYSTEM_TYPE[pe.OPTIONAL_HEADER.Subsystem]
print "Compile Time:", datetime.datetime.fromtimestamp(pe.FILE_HEADER.TimeDateStamp)
print "Number of RVA and Sizes:", pe.OPTIONAL_HEADER.NumberOfRvaAndSizes
##############################################################
## Analyze Sections
def sections_analysis():
print "Number of Sections:", pe.FILE_HEADER.NumberOfSections
print
print "Section VirtualAddress VirtualSize SizeofRawData Entropy"
for section in pe.sections:
print "%-8s" % section.Name, "%-14s" % hex(section.VirtualAddress), "%-11s" % hex(section.Misc_VirtualSize),\
"%-13s" % section.SizeOfRawData, "%.2f" % E(section.data)
print
##############################################################
## Dump Imports
def IAT():
print "Imported DLLS:"
i = 1
for entry in pe.DIRECTORY_ENTRY_IMPORT:
bool = 1 ## For Formattting
print "%2s" % [i], "%-17s" % entry.dll
print "\t",
for imp in entry.imports:
if bool:
print "%-1s" % imp.name,
bool = 0
else:
sys.stdout.write("%s%s" % (", ",imp.name)) # Python Print adds a blank space
print
i += 1
##############################################################
## Entropy calculation from Ero Carrera's blog ###############
def E(data):
entropy = 0
if not data:
return 0
ent = 0
for x in range(256):
p_x = float(data.count(chr(x)))/len(data)
if p_x > 0:
entropy += - p_x*math.log(p_x, 2)
return entropy
##############################################################
## Load PEID userdb.txt database and scan file
def PEID():
signatures = peutils.SignatureDatabase('userdb.txt')
matches = signatures.match_all(pe,ep_only = True)
print "PEID Signature Match(es): ", matches
print
##############################################################
## Print Sophos
def sophos(filetmp):
print
print "Sophos Scan in progress.."
output = "None"
path = os.path.abspath(filetmp)
pwd = os.getcwd()
output = subprocess.call([os.path.join(pwd, 'cmd_scan', 'Sophos', 'SAV32CLI.EXE'), path])
## Thanks habnabit
##############################################################
if len(sys.argv) < 2:
print "Pyton Script "
sys.exit(3)
exename = sys.argv[1]
pe = pefile.PE(exename)
print "\nPortable Executable Information"
attributes()
sections_analysis()
PEID()
IAT()
sophos(exename)
## <- Format bug with SyntaxHighlighter (remove line)
Portable Executable Virustotal Example
Subscribe to:
Posts (Atom)
