Python peutils.SignatureDatabase() Examples
The following are 9 code examples of peutils.SignatureDatabase(), the pefile helper that loads a PEiD-style packer/compiler signature database (typically a UserDB.TXT file, given either as a path or as text via the data= keyword) and matches it against a parsed PE with match() or match_all(). Every example below matches with ep_only=True, i.e. only the bytes at the entry point; treat the result as a heuristic packer/compiler hint, not an identification of the sample.
Example #1
Source File: malwareclustering_api.py From Cortex-Analyzers with GNU Affero General Public License v3.0
def __init__(self, host, port, user, password, threshold=40, secure=False, filepath=None, filename=None, folder_path=None):
    """Connect to the neo4j database, load options and set up the connectors.

    Arguments:
        host, port, user, password: neo4j connection parameters handed to Graph().
        threshold: stored as an int after coercion with int().
        secure: passed straight through to Graph(). It defaults to False, so
            unless the caller opts in the neo4j credentials presumably travel
            over an unencrypted connection -- confirm against the py2neo
            version in use and pass secure=True for any remote database.
        filepath, filename, folder_path: sample location. When folder_path is
            truthy, self.files is filled from self.get_files(folder_path).
    @raise CuckooReportError: if unable to connect.
    """
    self.threshold = int(threshold)
    self.graph = Graph(host=host, user=user, password=password, secure=secure, port=port)
    self.filepath = filepath
    self.filename = filename
    self.folder_path = folder_path

    # Data files are resolved relative to this module, not the working directory.
    module_dir = os.path.abspath(os.path.dirname(__file__))

    self.scout = ApiScout()
    self.scout.setBaseAddress(0)
    self.scout.loadWinApi1024(os.sep.join([module_dir, "data", "winapi1024v1.txt"]))

    self.magictest = magic.Magic(uncompress=True)

    # PEiD-style signature database, read as text and handed to peutils via data=.
    userdb_path = os.path.join(module_dir, os.path.normpath("data/UserDB.TXT"))
    with open(userdb_path, 'rt') as userdb:
        sig_text = userdb.read()
    self.signatures = peutils.SignatureDatabase(data=sig_text)

    if self.folder_path:
        self.files = self.get_files(folder_path)
Example #2
Source File: pescanner.py From CapTipper with GNU General Public License v3.0
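def __init__(self, data, yara_rules=None, peid_sigs=None):
    """Keep the raw PE bytes and optionally prepare YARA and PEiD matching.

    Arguments:
        data: the PE contents to scan; stored unchanged as self.pedata.
        yara_rules: argument handed straight to yara.compile(). Rules are only
            compiled when the yara module is already present in sys.modules,
            i.e. has been imported elsewhere in the process; an installed but
            not-yet-imported yara is treated as absent.
        peid_sigs: argument for peutils.SignatureDatabase() (a path or
            whatever that constructor accepts in the pefile version in use).

    self.rules / self.sigs are None when the corresponding scanner is disabled.
    """
    self.pedata = data

    # `'yara' in sys.modules` replaces dict.has_key(), which does not exist on
    # Python 3; the test itself is unchanged.
    if yara_rules and 'yara' in sys.modules:
        self.rules = yara.compile(yara_rules)
    else:
        self.rules = None

    if peid_sigs:
        self.sigs = peutils.SignatureDatabase(peid_sigs)
    else:
        self.sigs = None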
Example #3
Source File: static.py From mac-a-mal-cuckoo with MIT License
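def _get_peid_signatures(self):
    """Match self.pe against the bundled PEiD signature database.

    The database is re-read from <CUCKOO_ROOT>/data/peutils/UserDB.TXT on
    every call and matched with ep_only=True, i.e. only against the bytes at
    the entry point. match() is used rather than match_all(), so per the
    peutils API only the first matching signature is reported -- verify
    against the pefile version in use if all hits are wanted. The result is a
    heuristic packer/compiler hint; a modified entry-point stub defeats it.

    @return: matched signatures, or None when the database cannot be loaded,
        self.pe is unusable or matching fails.
    """
    try:
        sig_path = os.path.join(CUCKOO_ROOT, "data", "peutils", "UserDB.TXT")
        signatures = peutils.SignatureDatabase(sig_path)
        return signatures.match(self.pe, ep_only=True)
    except Exception:
        # Best-effort: no database or an unparsable PE simply yields no result.
        # Narrowed from a bare `except:` so KeyboardInterrupt / SystemExit are
        # no longer swallowed here.
        return None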
Example #4
Source File: pecore.py From malwareHunter with GNU General Public License v2.0
def check_peid(filename):
    """Return all PEiD signatures matching the entry point of *filename*.

    The signature database is loaded from the module-level ``pathname``
    (not defined in this block; presumably the path of a PEiD UserDB-style
    file -- confirm where it is set) and matched with ep_only=True. The
    result is a heuristic packer/compiler hint and is easy to spoof.
    """
    database = peutils.SignatureDatabase(pathname)
    parsed = pefile.PE(filename)
    return database.match_all(parsed, ep_only=True)

# Check for Anti VM
Example #5
Source File: static.py From CuckooSploit with GNU General Public License v3.0
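def _get_peid_signatures(self):
    """Match self.pe against the bundled PEiD signature database.

    Returns None immediately when no PE object is loaded. Otherwise the
    database is re-read from <CUCKOO_ROOT>/data/peutils/UserDB.TXT and
    matched with ep_only=True, i.e. only against the bytes at the entry
    point. match() is used rather than match_all(), so per the peutils API
    only the first matching signature is reported -- verify against the
    pefile version in use if all hits are wanted. The result is a heuristic
    packer/compiler hint; a modified entry-point stub defeats it.

    @return: matched signatures, or None when there is no PE, the database
        cannot be loaded or matching fails.
    """
    if not self.pe:
        return None

    try:
        sig_path = os.path.join(CUCKOO_ROOT, "data", "peutils", "UserDB.TXT")
        signatures = peutils.SignatureDatabase(sig_path)
        return signatures.match(self.pe, ep_only=True)
    except Exception:
        # Best-effort: no database or a matching failure simply yields no
        # result. Narrowed from a bare `except:` so KeyboardInterrupt /
        # SystemExit are no longer swallowed here.
        return None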
Example #6
Source File: pescanner.py From codex-backend with MIT License
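def __init__(self, files, yara_rules=None, peid_sigs=None):
    """Remember the files to scan and optionally prepare YARA and PEiD matching.

    Arguments:
        files: stored unchanged as self.files.
        yara_rules: argument handed straight to yara.compile(). Rules are only
            compiled when the yara module is already present in sys.modules,
            i.e. has been imported elsewhere in the process; an installed but
            not-yet-imported yara is treated as absent.
        peid_sigs: argument for peutils.SignatureDatabase(). When it is not
            given a notice is printed and self.sigs stays None.

    self.rules / self.sigs are None when the corresponding scanner is disabled.
    """
    self.files = files

    # `'yara' in sys.modules` replaces dict.has_key(), which does not exist on
    # Python 3; the test itself is unchanged.
    if yara_rules and 'yara' in sys.modules:
        self.rules = yara.compile(yara_rules)
    else:
        self.rules = None

    if peid_sigs:
        self.sigs = peutils.SignatureDatabase(peid_sigs)
    else:
        self.sigs = None
        print("PEiD no inicializado")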
Example #7
Source File: basic_analyze.py From MalAnalyzer with GNU General Public License v3.0
def get_packer_info_pe(self, pe):
    """Record the PEiD signatures matching an already-parsed PE object.

    The database at basic_conf["PEidSign_path"] is loaded on every call and
    the list returned by match_all(pe, ep_only=True) -- entry-point bytes
    only -- is stored in self.packer. Signature-based packer identification
    is a heuristic and is defeated by a modified entry-point stub.
    """
    sig_db_path = basic_conf["PEidSign_path"]
    self.packer = peutils.SignatureDatabase(sig_db_path).match_all(pe, ep_only=True)
Example #8
Source File: PEIDDetector.py From PyPackerDetect with GNU Affero General Public License v3.0
def __init__(self, config):
    """Load the PEiD signature database selected by the configuration.

    config is passed to the base-class __init__, which presumably exposes it
    as self.config (read here -- confirm in the base class). A truthy
    config["UseLargePEIDDatabase"] selects deps/peid/signatures_long.txt,
    otherwise deps/peid/signatures_short.txt. Both paths are relative to the
    current working directory rather than to this module, so the detector
    only finds its database when run from the project root.
    """
    super().__init__(config)
    use_large_db = self.config["UseLargePEIDDatabase"]
    if use_large_db:
        db_path = 'deps/peid/signatures_long.txt'
    else:
        db_path = 'deps/peid/signatures_short.txt'
    self.signatures = peutils.SignatureDatabase(db_path)
Example #9
Source File: pe.py From CIRTKit with MIT License
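def peid(self):
    """Match the session's PE against the PEiD database and log the result.

    Signatures are read from <CIRTKIT_ROOT>/data/peid/UserDB.TXT and matched
    with match_all(ep_only=True), i.e. only at the entry point. With the
    ``scan`` argument set, every other sample in the repository is parsed
    and those whose match list compares equal to the current one (same
    signatures, same order) are listed with name and SHA256. PEiD hits
    identify a packer/compiler stub, not the sample, so a "relevant match"
    only means "built or packed alike" and is easy to spoof.

    Returns None; all output goes through self.log().
    """
    def get_signatures():
        # open() instead of the Python 2-only file() builtin; same mode, same text.
        with open(os.path.join(CIRTKIT_ROOT, 'data/peid/UserDB.TXT'), 'rt') as f:
            sig_data = f.read()
        return peutils.SignatureDatabase(data=sig_data)

    def get_matches(pe, signatures):
        return signatures.match_all(pe, ep_only=True)

    if not self.__check_session():
        return

    signatures = get_signatures()
    peid_matches = get_matches(self.pe, signatures)

    if peid_matches:
        self.log('info', "PEiD Signatures:")
        for sig in peid_matches:
            # Entries may be nested lists; only the first name is displayed.
            if isinstance(sig, list):
                self.log('item', sig[0])
            else:
                self.log('item', sig)
    else:
        self.log('info', "No PEiD signatures matched.")

    if self.args.scan and peid_matches:
        self.log('info', "Scanning the repository for matching samples...")
        db = Database()
        samples = db.find(key='all')

        matches = []
        for sample in samples:
            # Skip the sample currently open in the session.
            if sample.sha256 == __sessions__.current.file.sha256:
                continue

            sample_path = get_sample_path(sample.sha256)
            if not os.path.exists(sample_path):
                continue

            try:
                # NOTE(review): cur_pe is left to the garbage collector; on a
                # large repository consider releasing it explicitly if the
                # pefile version in use offers close().
                cur_pe = pefile.PE(sample_path)
                cur_peid_matches = get_matches(cur_pe, signatures)
            except Exception:
                # Files that are not valid PEs are skipped, not reported.
                # Narrowed from a bare `except:` so Ctrl-C still aborts the scan.
                continue

            if peid_matches == cur_peid_matches:
                matches.append([sample.name, sample.sha256])

        self.log('info', "{0} relevant matches found".format(bold(len(matches))))

        if len(matches) > 0:
            self.log('table', dict(header=['Name', 'SHA256'], rows=matches))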