Python peutils.SignatureDatabase() Examples
The following are 9
code examples of peutils.SignatureDatabase().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
peutils
, or try the search function
.
.
Example #1
| Source File: malwareclustering_api.py From Cortex-Analyzers with GNU Affero General Public License v3.0 | 6 votes |
|
def __init__(self, host, port, user, password, threshold=40, secure=False, filepath=None, filename=None, folder_path=None):
"""Connects to neo4j database, loads options and set connectors.
@raise CuckooReportError: if unable to connect.
"""
self.threshold = int(threshold)
self.graph = Graph(host=host, user=user, password=password, secure=secure, port=port)
self.filepath = filepath
self.filename = filename
self.folder_path = folder_path
self.scout = ApiScout()
self.scout.setBaseAddress(0)
self.scout.loadWinApi1024(os.path.abspath(os.path.join(os.path.dirname(__file__))) + os.sep + "data" + os.sep + "winapi1024v1.txt")
self.magictest = magic.Magic(uncompress=True)
CWD = os.path.abspath(os.path.dirname(__file__))
USERDB = os.path.join(CWD, os.path.normpath("data/UserDB.TXT"))
with open(USERDB, 'rt') as f:
sig_data = f.read()
self.signatures = peutils.SignatureDatabase(data=sig_data)
if self.folder_path:
self.files = self.get_files(folder_path)
Example #2
| Source File: pescanner.py From CapTipper with GNU General Public License v3.0 | 5 votes |
|
def __init__(self, data, yara_rules=None, peid_sigs=None):
self.pedata = data
# initialize YARA rules if provided
if yara_rules and sys.modules.has_key('yara'):
self.rules = yara.compile(yara_rules)
else:
self.rules = None
# initialize PEiD signatures if provided
if peid_sigs:
self.sigs = peutils.SignatureDatabase(peid_sigs)
else:
self.sigs = None
Example #3
| Source File: static.py From mac-a-mal-cuckoo with MIT License | 5 votes |
|
def _get_peid_signatures(self):
"""Gets PEID signatures.
@return: matched signatures or None.
"""
try:
sig_path = os.path.join(CUCKOO_ROOT, "data",
"peutils", "UserDB.TXT")
signatures = peutils.SignatureDatabase(sig_path)
return signatures.match(self.pe, ep_only=True)
except:
return None
Example #4
| Source File: pecore.py From malwareHunter with GNU General Public License v2.0 | 5 votes |
|
def check_peid(filename):
signatures = peutils.SignatureDatabase(pathname)
pe = pefile.PE(filename)
matches = signatures.match_all(pe,ep_only = True)
return matches
# Check for Anti VM
Example #5
| Source File: static.py From CuckooSploit with GNU General Public License v3.0 | 5 votes |
|
def _get_peid_signatures(self):
"""Gets PEID signatures.
@return: matched signatures or None.
"""
if not self.pe:
return None
try:
sig_path = os.path.join(CUCKOO_ROOT, "data",
"peutils", "UserDB.TXT")
signatures = peutils.SignatureDatabase(sig_path)
return signatures.match(self.pe, ep_only=True)
except:
return None
Example #6
| Source File: pescanner.py From codex-backend with MIT License | 5 votes |
|
def __init__(self, files, yara_rules=None, peid_sigs=None):
self.files = files
# initialize YARA rules if provided
if yara_rules and sys.modules.has_key('yara'):
self.rules = yara.compile(yara_rules)
else:
self.rules = None
# initialize PEiD signatures if provided
if peid_sigs:
self.sigs = peutils.SignatureDatabase(peid_sigs)
else:
self.sigs = None
print("PEiD no inicializado")
Example #7
| Source File: basic_analyze.py From MalAnalyzer with GNU General Public License v3.0 | 5 votes |
|
def get_packer_info_pe(self,pe):
# PE (PEid)
# pe = pefile.PE(self.filepath)
signatures = peutils.SignatureDatabase(basic_conf["PEidSign_path"])
# matches is list()
self.packer = signatures.match_all(pe, ep_only = True)
Example #8
| Source File: PEIDDetector.py From PyPackerDetect with GNU Affero General Public License v3.0 | 5 votes |
|
def __init__(self, config):
super().__init__(config)
if (self.config["UseLargePEIDDatabase"]):
self.signatures = peutils.SignatureDatabase('deps/peid/signatures_long.txt')
else:
self.signatures = peutils.SignatureDatabase('deps/peid/signatures_short.txt')
Example #9
| Source File: pe.py From CIRTKit with MIT License | 4 votes |
|
def peid(self):
def get_signatures():
with file(os.path.join(CIRTKIT_ROOT, 'data/peid/UserDB.TXT'), 'rt') as f:
sig_data = f.read()
signatures = peutils.SignatureDatabase(data=sig_data)
return signatures
def get_matches(pe, signatures):
matches = signatures.match_all(pe, ep_only=True)
return matches
if not self.__check_session():
return
signatures = get_signatures()
peid_matches = get_matches(self.pe, signatures)
if peid_matches:
self.log('info', "PEiD Signatures:")
for sig in peid_matches:
if type(sig) is list:
self.log('item', sig[0])
else:
self.log('item', sig)
else:
self.log('info', "No PEiD signatures matched.")
if self.args.scan and peid_matches:
self.log('info', "Scanning the repository for matching samples...")
db = Database()
samples = db.find(key='all')
matches = []
for sample in samples:
if sample.sha256 == __sessions__.current.file.sha256:
continue
sample_path = get_sample_path(sample.sha256)
if not os.path.exists(sample_path):
continue
try:
cur_pe = pefile.PE(sample_path)
cur_peid_matches = get_matches(cur_pe, signatures)
except:
continue
if peid_matches == cur_peid_matches:
matches.append([sample.name, sample.sha256])
self.log('info', "{0} relevant matches found".format(bold(len(matches))))
if len(matches) > 0:
self.log('table', dict(header=['Name', 'SHA256'], rows=matches))
