Python peutils.SignatureDatabase() Examples

Example #1
Source File: malwareclustering_api.py — from Cortex-Analyzers (GNU Affero General Public License v3.0)
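def __init__(self, host, port, user, password, threshold=40, secure=False, filepath=None, filename=None, folder_path=None):
        """Connects to neo4j database, loads options and set connectors.

        @param host: neo4j host, forwarded to Graph().
        @param port: neo4j port, forwarded to Graph().
        @param user: neo4j user, forwarded to Graph().
        @param password: neo4j password, forwarded to Graph().
        @param threshold: stored as int on self.threshold; its use lies outside
            this block.
        @param secure: forwarded unchanged to Graph().
        @param filepath: optional path of a single sample (stored as-is).
        @param filename: optional name of a single sample (stored as-is).
        @param folder_path: optional directory; when truthy, self.files is
            filled by self.get_files().
        @raise CuckooReportError: if unable to connect.
        """
        self.threshold = int(threshold)
        self.graph = Graph(host=host, user=user, password=password, secure=secure, port=port)
        self.filepath = filepath
        self.filename = filename
        self.folder_path = folder_path

        # Every bundled data file lives next to this module under data/;
        # os.path.join replaces the hand-built os.sep concatenation.
        data_dir = os.path.join(os.path.abspath(os.path.dirname(__file__)), "data")

        self.scout = ApiScout()
        self.scout.setBaseAddress(0)
        self.scout.loadWinApi1024(os.path.join(data_dir, "winapi1024v1.txt"))

        self.magictest = magic.Magic(uncompress=True)

        # PEiD signature database shipped with the analyzer (trusted input);
        # the file handle is released before the database is parsed.
        with open(os.path.join(data_dir, "UserDB.TXT"), 'rt') as f:
            sig_data = f.read()
        self.signatures = peutils.SignatureDatabase(data=sig_data)

        if self.folder_path:
            self.files = self.get_files(folder_path)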
Example #2
Source File: pescanner.py — from CapTipper (GNU General Public License v3.0)
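def __init__(self, data, yara_rules=None, peid_sigs=None):
        """Keep the PE data and optionally set up YARA rules and PEiD signatures.

        @param data: stored unchanged on self.pedata (presumably the raw PE
            contents — confirm with the callers).
        @param yara_rules: argument for yara.compile(); only used when the
            yara module is already imported, otherwise self.rules is None.
        @param peid_sigs: argument for peutils.SignatureDatabase(); when
            falsy, self.sigs is None.
        """
        self.pedata = data

        # initialize YARA rules if provided. `'yara' in sys.modules` is the
        # Python 2/3-portable form of dict.has_key(), which Python 3 removed.
        if yara_rules and 'yara' in sys.modules:
            self.rules = yara.compile(yara_rules)
        else:
            self.rules = None

        # initialize PEiD signatures if provided
        self.sigs = peutils.SignatureDatabase(peid_sigs) if peid_sigs else None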
Example #3
Source File: static.py — from mac-a-mal-cuckoo (MIT License)
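def _get_peid_signatures(self):
        """Gets PEID signatures.
        @return: matched signatures or None.

        The database is CUCKOO_ROOT/data/peutils/UserDB.TXT. Any failure while
        loading it or matching (missing file, malformed signature, unusable PE)
        yields None so the rest of the static report is still produced.
        """
        # No parsed PE (or the attribute was never set): nothing to match.
        pe = getattr(self, "pe", None)
        if not pe:
            return None

        sig_path = os.path.join(CUCKOO_ROOT, "data", "peutils", "UserDB.TXT")
        try:
            signatures = peutils.SignatureDatabase(sig_path)
            return signatures.match(pe, ep_only=True)
        except Exception:
            # Best-effort as before, but a bare `except:` also swallowed
            # KeyboardInterrupt/SystemExit; those now propagate.
            return None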
Example #4
Source File: pecore.py — from malwareHunter (GNU General Public License v2.0)
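def check_peid(filename, sig_path=None):
    """Return the PEiD signatures matching the entry point of *filename*.

    @param filename: path of the PE file to parse with pefile.
    @param sig_path: PEiD signature database path; when None the module-level
        name ``pathname`` is used, exactly as the original did.
    @return: the result of peutils.SignatureDatabase.match_all(ep_only=True).
    """
    signatures = peutils.SignatureDatabase(pathname if sig_path is None else sig_path)
    pe = pefile.PE(filename)
    try:
        return signatures.match_all(pe, ep_only=True)
    finally:
        # pefile keeps the sample mapped until close(); release it even when
        # matching raises.
        pe.close()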

# Check for Anti VM 
Example #5
Source File: static.py — from CuckooSploit (GNU General Public License v3.0)
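def _get_peid_signatures(self):
        """Gets PEID signatures.
        @return: matched signatures or None.

        The database is CUCKOO_ROOT/data/peutils/UserDB.TXT. Any failure while
        loading it or matching (missing file, malformed signature, unusable PE)
        yields None so the rest of the static report is still produced.
        """
        if not self.pe:
            return None

        sig_path = os.path.join(CUCKOO_ROOT, "data", "peutils", "UserDB.TXT")
        try:
            signatures = peutils.SignatureDatabase(sig_path)
            return signatures.match(self.pe, ep_only=True)
        except Exception:
            # Best-effort as before, but a bare `except:` also swallowed
            # KeyboardInterrupt/SystemExit; those now propagate.
            return None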
Example #6
Source File: pescanner.py — from codex-backend (MIT License)
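def __init__(self, files, yara_rules=None, peid_sigs=None):
        """Keep the file list and optionally set up YARA rules and PEiD signatures.

        @param files: stored unchanged on self.files.
        @param yara_rules: argument for yara.compile(); only used when the
            yara module is already imported, otherwise self.rules is None.
        @param peid_sigs: argument for peutils.SignatureDatabase(); when
            falsy, self.sigs is None and a notice is printed.
        """
        self.files = files

        # initialize YARA rules if provided. `'yara' in sys.modules` is the
        # Python 2/3-portable form of dict.has_key(), which Python 3 removed.
        if yara_rules and 'yara' in sys.modules:
            self.rules = yara.compile(yara_rules)
        else:
            self.rules = None

        # initialize PEiD signatures if provided
        if peid_sigs:
            self.sigs = peutils.SignatureDatabase(peid_sigs)
        else:
            self.sigs = None
            print("PEiD no inicializado")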
Example #7
Source File: basic_analyze.py — from MalAnalyzer (GNU General Public License v3.0)
def get_packer_info_pe(self,pe):
        """Store on self.packer the PEiD signatures matching *pe*.

        The signature database is (re)loaded from basic_conf["PEidSign_path"]
        on every call and matched with ep_only=True; self.packer receives
        whatever match_all() returns (a list, per the original note).
        """
        db_path = basic_conf["PEidSign_path"]
        peid_db = peutils.SignatureDatabase(db_path)
        self.packer = peid_db.match_all(pe, ep_only=True)
Example #8
Source File: PEIDDetector.py — from PyPackerDetect (GNU Affero General Public License v3.0)
def __init__(self, config):
		"""Load the PEiD signature database selected by the configuration.

		A truthy config["UseLargePEIDDatabase"] picks deps/peid/signatures_long.txt,
		anything else deps/peid/signatures_short.txt. Both are relative paths and
		are resolved against the process working directory, as in the original.
		"""
		super().__init__(config)
		# Decide the file first, then build the single SignatureDatabase.
		if self.config["UseLargePEIDDatabase"]:
			db_file = 'deps/peid/signatures_long.txt'
		else:
			db_file = 'deps/peid/signatures_short.txt'
		self.signatures = peutils.SignatureDatabase(db_file)
Example #9
Source File: pe.py — from CIRTKit (MIT License)
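def peid(self):
        """Match the session's PE against the PEiD database and log the result.

        Every matching signature is logged as an item (or a "no match" line).
        When self.args.scan is set and there were matches, every other sample
        in the repository is parsed and those whose match list equals the
        current one are listed in a table of (name, SHA256).
        """

        def get_signatures():
            # UserDB.TXT ships with CIRTKit. open() replaces the Python 2-only
            # file() builtin; the handle is closed before parsing.
            with open(os.path.join(CIRTKIT_ROOT, 'data/peid/UserDB.TXT'), 'rt') as f:
                sig_data = f.read()
            return peutils.SignatureDatabase(data=sig_data)

        def get_matches(pe, signatures):
            return signatures.match_all(pe, ep_only=True)

        if not self.__check_session():
            return

        signatures = get_signatures()
        peid_matches = get_matches(self.pe, signatures)

        if peid_matches:
            self.log('info', "PEiD Signatures:")
            for sig in peid_matches:
                # A match may be a bare name or a list whose first item is the name.
                self.log('item', sig[0] if isinstance(sig, list) else sig)
        else:
            self.log('info', "No PEiD signatures matched.")

        if not (self.args.scan and peid_matches):
            return

        self.log('info', "Scanning the repository for matching samples...")

        db = Database()
        samples = db.find(key='all')
        current_sha256 = __sessions__.current.file.sha256

        matches = []
        for sample in samples:
            if sample.sha256 == current_sha256:
                continue

            sample_path = get_sample_path(sample.sha256)
            if not os.path.exists(sample_path):
                continue

            try:
                cur_pe = pefile.PE(sample_path)
            except Exception:
                # Unparsable or unreadable sample: skip it. Narrowed from a
                # bare except so KeyboardInterrupt still stops the scan.
                continue
            try:
                cur_peid_matches = get_matches(cur_pe, signatures)
            except Exception:
                continue
            finally:
                # Release the mapping pefile holds on each repository sample.
                cur_pe.close()

            if peid_matches == cur_peid_matches:
                matches.append([sample.name, sample.sha256])

        self.log('info', "{0} relevant matches found".format(bold(len(matches))))

        if matches:
            self.log('table', dict(header=['Name', 'SHA256'], rows=matches))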