
pescan's Introduction

pescan

Malice PExecutable Plugin

This repository contains the Dockerfile for the malice/pescan image.


Dependencies

Installation

  1. Install Docker.
  2. Download trusted build from public DockerHub: docker pull malice/pescan

Usage

$ docker run --rm -v /path/to/malware:/malware malice/pescan --help

Usage: pescan [OPTIONS] COMMAND [ARGS]...

  Malice PExecutable Plugin

  Author: blacktop <https://github.com/blacktop>

Options:
  --version   print the version
  -h, --help  Show this message and exit.

Commands:
  scan  scan a file
  web   start web service

Scanning

$ docker run --rm -v /path/to/malware:/malware malice/pescan scan --help

Usage: pescan.py scan [OPTIONS] FILE_PATH

  Malice PExecutable Scanner

Options:
  -v, --verbose            verbose output
  -t, --table              output as Markdown table
  -x, --proxy PROXY        proxy settings for Malice webhook endpoint [$MALICE_PROXY]
  -c, --callback ENDPOINT  POST results back to Malice webhook [$MALICE_ENDPOINT]
  --elasticsearch HOST     elasticsearch address for Malice to store results [$MALICE_ELASTICSEARCH]
  --timeout SECS           malice plugin timeout (default: 10) [$MALICE_TIMEOUT]
  -d, --dump               dump possibly embedded binaries
  --output PATH            where to extract the embedded objects to (default: /malware)
                           [$MALICE_EXTRACT_PATH]
  --peid PATH              path to the PEiD database file (default:peid/UserDB.TXT)
                           [$MALICE_PEID_PATH]
  -h, --help               Show this message and exit.

This writes the scan results to stdout and, when a callback endpoint is configured, POSTs them to the Malice results API webhook endpoint.

Sample Output

{
  "linker_version": "06.00",
  "compiletime": {
    "unix": 1164878434,
    "datetime": "2006-11-30 09:20:34"
  },
  "imports": [
    {
      "name": "GetStartupInfoA",
      "address": "0x406044"
    },
    {
      "name": "GetModuleHandleA",
      "address": "0x406048"
    },
    {
      "name": "CreatePipe",
      "address": "0x40604c"
    },
    {
      "name": "PeekNamedPipe",
      "address": "0x406050"
    },
    {
      "name": "ReadFile",
      "address": "0x406054"
    },
    {
      "name": "CreateProcessA",
      "address": "0x406058"
    },
    ...SNIP...
    {
      "name": "WSACleanup",
      "address": "0x406210"
    },
    {
      "name": "ioctlsocket",
      "address": "0x406214"
    }
  ],
  "resource_versioninfo": {
    "legalcopyright": "(C) Microsoft Corporation. All rights reserved.",
    "internalname": "iexplore",
    "fileversion": "6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)",
    "companyname": "Microsoft Corporation",
    "productname": "Microsoft(R) Windows(R) Operating System",
    "productversion": "6.00.2900.2180",
    "original_filename": "IEXPLORE.EXE",
    "file_description": "Internet Explorer"
  },
  "rich_header_info": [
    {
      "tool_id": 12,
      "version": 7291,
      "times used": 1
    },
    ...SNIP...
    {
      "tool_id": 6,
      "version": 1720,
      "times used": 1
    }
  ],
  "os_version": "04.00",
  "is_packed": false,
  "entrypoint": "0x5a46",
  "sections": [
    {
      "raw_data_size": 20480,
      "name": ".text",
      "rva": "0x1000",
      "pointer_to_raw_data": 4096,
      "entropy": 5.988944574755928,
      "virtual_size": "0x4bfe"
    },
    {
      "raw_data_size": 4096,
      "name": ".rdata",
      "rva": "0x6000",
      "pointer_to_raw_data": 24576,
      "entropy": 3.291179369026711,
      "virtual_size": "0xc44"
    },
    {
      "raw_data_size": 4096,
      "name": ".data",
      "rva": "0x7000",
      "pointer_to_raw_data": 28672,
      "entropy": 4.04448531075933,
      "virtual_size": "0x17b0"
    },
    {
      "raw_data_size": 8192,
      "name": ".rsrc",
      "rva": "0x9000",
      "pointer_to_raw_data": 32768,
      "entropy": 4.49716326553469,
      "virtual_size": "0x15d0"
    }
  ],
  "resources": [
    {
      "language_desc": "Chinese-People's Republic of China",
      "sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
      "name": "RT_ICON",
      "language": "LANG_CHINESE",
      "offset": "0x90f0",
      "size": "0x10a8",
      "type": "data",
      "id": 1,
      "md5": "14bf7c82dcfb7e41243f5b87d0c79538"
    },
    {
      "language_desc": "Chinese-People's Republic of China",
      "sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
      "name": "RT_GROUP_ICON",
      "language": "LANG_CHINESE",
      "offset": "0xa198",
      "size": "0x14",
      "type": "data",
      "id": 2,
      "md5": "3c68f77c35c26ff079a1c410ee44fa62"
    },
    {
      "language_desc": "Chinese-People's Republic of China",
      "sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
      "name": "RT_VERSION",
      "language": "LANG_CHINESE",
      "offset": "0xa1b0",
      "size": "0x41c",
      "type": "data",
      "id": 3,
      "md5": "9a12ece86a71c3499df0fb0ebe6ea33e"
    }
  ],
  "peid": [
    "Armadillo v1.71",
    "Microsoft Visual C++ v5.0/v6.0 (MFC)",
    "Microsoft Visual C++"
  ],
  "calculated_file_size": 42448,
  "imphash": "a2cee99c7e42d671d47e3fb71c71bda4",
  "number_of_sections": 4,
  "pehash": "884bf0684addc269d641efb74e0fcb88267211da",
  "machine_type": "0x14c (IMAGE_FILE_MACHINE_I386)",
  "image_base": 4194304,
  "language": "C",
  "size_of_image": 45056,
  "signature": {
    "heuristic": "No file signature data found"
  }
}
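A triage pass over the JSON above, as an added example that is not part of pescan or Malice: it reads the fields the sample output documents (signature heuristic, version info, resources, peid, sections, imports) and turns the combination shown in the sample (no Authenticode data yet Microsoft version info, Chinese-only resources, an Armadillo PEiD match, and process, pipe and Winsock imports together) into findings an analyst can act on. The condensed sample record, the packer-name prefixes and the entropy threshold are constructed assumptions.

```python
"""Triage pass over pescan JSON output (added example, not part of pescan/Malice)."""
import json

# Constructed record, condensed from the README's sample output above.
SAMPLE = json.loads("""{
  "compiletime": {"unix": 1164878434, "datetime": "2006-11-30 09:20:34"},
  "imports": [{"name": "CreatePipe", "address": "0x40604c"},
              {"name": "CreateProcessA", "address": "0x406058"},
              {"name": "WSACleanup", "address": "0x406210"}],
  "resource_versioninfo": {"companyname": "Microsoft Corporation",
                           "original_filename": "IEXPLORE.EXE"},
  "is_packed": false,
  "sections": [{"name": ".text", "entropy": 5.988944574755928},
               {"name": ".rsrc", "entropy": 4.49716326553469}],
  "resources": [{"name": "RT_ICON", "language": "LANG_CHINESE"},
                {"name": "RT_VERSION", "language": "LANG_CHINESE"}],
  "peid": ["Armadillo v1.71", "Microsoft Visual C++ v5.0/v6.0 (MFC)"],
  "signature": {"heuristic": "No file signature data found"}
}""")

# Assumed thresholds and packer name prefixes; tune them for your own corpus.
PACKER_PREFIXES = ("armadillo", "upx", "aspack", "themida", "vmprotect")
HIGH_ENTROPY = 7.0


def triage(result):
    """Return a list of (severity, reason) findings for one pescan result dict."""
    findings = []
    sig = result.get("signature", {}).get("heuristic", "")
    company = result.get("resource_versioninfo", {}).get("companyname", "")
    # Version info naming a vendor but no Authenticode data at all is worth a second look.
    if "No file signature" in sig and company:
        findings.append(("high", "unsigned binary claims vendor %r" % company))
    # Resource languages that do not match the claimed vendor's usual locale are a lead,
    # not a verdict: localized builds exist, so this stays at medium.
    langs = sorted({r.get("language") for r in result.get("resources", [])})
    if "Microsoft" in company and langs and "LANG_ENGLISH" not in langs:
        findings.append(("medium", "resource languages %s vs vendor %r" % (langs, company)))
    # A PEiD packer match contradicting is_packed=false: trust the signature match.
    packers = [p for p in result.get("peid", []) if p.lower().startswith(PACKER_PREFIXES)]
    if packers and not result.get("is_packed"):
        findings.append(("medium", "PEiD packer %s but is_packed is false" % packers))
    for sec in result.get("sections", []):
        if sec.get("entropy", 0.0) >= HIGH_ENTROPY:
            findings.append(("medium", "section %s entropy %.2f" % (sec["name"], sec["entropy"])))
    # Process creation plus pipes plus Winsock is the import profile of a remote command shell.
    names = {i["name"] for i in result.get("imports", [])}
    if {"CreateProcessA", "CreatePipe"} <= names and names & {"WSACleanup", "socket", "connect"}:
        findings.append(("high", "process/pipe/socket import combination"))
    return findings


if __name__ == "__main__":
    for severity, reason in triage(SAMPLE):
        print("[%s] %s" % (severity, reason))
```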

pescan

Header

  • Target Machine: 0x14c (IMAGE_FILE_MACHINE_I386)
  • Compilation Timestamp: 2006-11-30 09:20:34
  • Entry Point: 0x5a46
  • Contained Sections: 4

Sections

| Name   | Virtual Address | Virtual Size | Raw Size | Entropy | MD5                              |
|--------|-----------------|--------------|----------|---------|----------------------------------|
| .text  | 0x1000          | 0x4bfe       | 20480    | 5.99    | 9062ff3acdff9ac80cd9f97a0df42383 |
| .rdata | 0x6000          | 0xc44        | 4096     | 3.29    | 28c9e7872eb9d0a20a1d953382722735 |
| .data  | 0x7000          | 0x17b0       | 4096     | 4.04    | c38a0453ad319c9cd8b1760baf57a528 |
| .rsrc  | 0x9000          | 0x15d0       | 8192     | 4.50    | 0d4522a26417d45c33759d2a6375a55f |

Imports

KERNEL32.DLL
  • GetStartupInfoA
  • GetModuleHandleA
  • CreatePipe
  • PeekNamedPipe
  • ReadFile
  • CreateProcessA

...SNIP...

ADVAPI32.dll
  • RegCloseKey
  • RegSetValueExA
  • RegQueryValueExA

...SNIP...

MPR.dll
  • WNetCloseEnum
  • WNetOpenEnumA
  • WNetEnumResourceA

MSVCRT.dll
  • _except_handler3
  • __set_app_type
  • __p__fmode

...SNIP...

SHLWAPI.dll
  • SHDeleteKeyA

WS2_32.dll
  • gethostname
  • gethostbyname

...SNIP...

Resources

| SHA-256                                                          | Size   | Entropy | File Type | Type          | Language                           |
|------------------------------------------------------------------|--------|---------|-----------|---------------|------------------------------------|
| 52a955550acda3b566c9fa9eda164853df4135dfa5eb7b173b3c5453a12f85a3 | 0x10a8 | 6.52    | None      | RT_ICON       | Chinese-People's Republic of China |
| a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0 | 0x14   | 1.78    | None      | RT_GROUP_ICON | Chinese-People's Republic of China |
| 934b13844893dc0438a47aadc20d4873f806000c761249795c7f265ccca48bc9 | 0x41c  | 3.47    | None      | RT_VERSION    | Chinese-People's Republic of China |

File Version Information

  • Copyright: (C) Microsoft Corporation. All rights reserved.
  • Product: Microsoft(R) Windows(R) Operating System
  • Description: Internet Explorer
  • Original Name: IEXPLORE.EXE
  • Internal Name: iexplore
  • File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

Signature Info

Signature Verification

No file signature data found

PEiD

  • Armadillo v1.71
  • Microsoft Visual C++ v5.0/v6.0 (MFC)
  • Microsoft Visual C++

Documentation

Issues

Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue.

CHANGELOG

See CHANGELOG.md

Contributing

See all contributors on GitHub.

Please update the CHANGELOG.md.

Credits

Heavily (if not entirely) influenced by the viper PE module and by CSE's alsvc_pefile.

TODO

  • activate dumping functionality
  • add timeout protection
  • revisit security/signature stuff
  • add proxy settings for callback POST

License

MIT Copyright (c) 2016 blacktop


pescan's Issues

UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2

Scanning same file as in #4 results in:

2018-12-06 10:04:47,747 - __main__ - ERROR - failed to run malice plugin: pescan
Traceback (most recent call last):
  File "/usr/sbin/pescan", line 122, in scan
    malice_scan['results']['markdown'] = json2markdown(pe_results)
  File "/usr/sbin/utils/__init__.py", line 74, in json2markdown
    return Template(f.read()).render(exe=json_data)
  File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 1008, in render
    return self.environment.handle_exception(exc_info, True)
  File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 780, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "<template>", line 62, in top-level template code
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 10: ordinal not in range(128)
DIALOG_TITLE: FILE_STRING
SUCCESS
PE: STRINGS - RT_DIALOG (id:0x6e - lang_id:0x0409 [English-United States])
DIALOG_TITLE: FILE_STRING
BUTTON: FILE_STRING
BUTTON: FILE_STRING
SUCCESS
PE: STRINGS - RT_DIALOG (id:0x6f - lang_id:0x0409 [English-United States])
DIALOG_TITLE: FILE_STRING
BUTTON: FILE_STRING
BUTTON: FILE_STRING
BUTTON: FILE_STRING
SUCCESS
PE: STRINGS - RT_DIALOG (id:0x71 - lang_id:0x0409 [English-United States])
DIALOG_TITLE: FILE_STRING
BUTTON: FILE_STRING
SUCCESS

Error in get_signify

All plugins are up to date.

Scanning FileZilla_3.38.1_win64-setup_bundled.exe (8de6ddd0687ba0075e10aad4c80dd80a436c4791a3a6d67cdfc7aa14da3ade0d) results in the following output from pescan:

>> docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v `pwd`:/malice/samples --network="host" malice/engine scan --logs FileZilla_3.38.1_win64-setup_bundled.exe

...

2018-11-29 11:08:28,186 - malice - ERROR - sequence item 0: expected string, int found
Traceback (most recent call last):
  File "/usr/sbin/malice/__init__.py", line 788, in run
    self.results['signature'] = get_signify(self.file, log=log)
  File "/usr/sbin/malice/sig.py", line 22, in get_signify
    s_data.verify()
  File "/usr/lib/python2.7/site-packages/signify/signed_pe.py", line 232, in verify
    signed_datas = list(self.signed_datas)
  File "/usr/lib/python2.7/site-packages/signify/signed_pe.py", line 214, in signed_datas
    yield SignedData.from_certificate(certificate['certificate'], pefile=self)
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 126, in from_certificate
    signed_data = SignedData(data, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 111, in __init__
    self._parse()
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 156, in _parse
    self.signer_info = AuthenticodeSignerInfo(self.data['signerInfos'][0])
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 54, in __init__
    self._parse()
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 67, in _parse
    super(AuthenticodeSignerInfo, self)._parse()
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 69, in _parse
    required=self._required_authenticated_attributes
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 138, in _parse_attributes
    ([_print_type(x) for x in required], [_print_type(x) for x in result]))
  File "/usr/lib/python2.7/site-packages/signify/__init__.py", line 8, in _print_type
    return ".".join(t)
TypeError: sequence item 0: expected string, int found

...

The error didn't occur with a couple of other exe files I tested.
This may be a bug in pescan itself.

Docker version:

Docker version:
Client:
 Version:           18.09.0
 API version:       1.39
 Go version:        go1.10.4
 Git commit:        4d60db4
 Built:             Wed Nov  7 00:49:01 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.0
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       4d60db4
  Built:            Wed Nov  7 00:16:44 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Docker info (with some info removed):

Docker info:
Containers: 6
 Running: 1
 Paused: 0
 Stopped: 5
Images: 26
Server Version: 18.09.0
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-39-generic
Operating System: Linux Mint 19
OSType: linux
Architecture: x86_64
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: No swap limit support

UndefinedError: 'dict object' has no attribute 'compiletime'

All plugins are up to date.

Scanning putty.exe (7afb56dd48565c3c9804f683c80ef47e5333f847f2d3211ec11ed13ad36061e1) results in the following output from pescan:

>> docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v `pwd`:/malice/samples --network="host" malice/engine scan --logs putty.exe

...

2018-11-29 11:02:35,648 - malice - ERROR - 'module' object has no attribute '__getitem__'
Traceback (most recent call last):
  File "/usr/sbin/malice/__init__.py", line 800, in run
    self.resource_strings()
  File "/usr/sbin/malice/__init__.py", line 495, in resource_strings
    language.id, lcid[language.id])
TypeError: 'module' object has no attribute '__getitem__'
2018-11-29 11:02:35,699 - __main__ - ERROR - failed to run malice plugin: pescan
Traceback (most recent call last):
  File "/usr/sbin/pescan", line 122, in scan
    malice_scan['results']['markdown'] = json2markdown(pe_results)
  File "/usr/sbin/utils/__init__.py", line 74, in json2markdown
    return Template(f.read()).render(exe=json_data)
  File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 1008, in render
    return self.environment.handle_exception(exc_info, True)
  File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 780, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "<template>", line 8, in top-level template code
  File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 430, in getattr
    return getattr(obj, attribute)
UndefinedError: 'dict object' has no attribute 'compiletime'

...

The error didn't occur with a couple of other exe files I tested.

Docker version:

Docker version:
Client:
 Version:           18.09.0
 API version:       1.39
 Go version:        go1.10.4
 Git commit:        4d60db4
 Built:             Wed Nov  7 00:49:01 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.0
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       4d60db4
  Built:            Wed Nov  7 00:16:44 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Docker info (with some info removed):

Docker info:
Containers: 6
 Running: 1
 Paused: 0
 Stopped: 5
Images: 26
Server Version: 18.09.0
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-39-generic
Operating System: Linux Mint 19
OSType: linux
Architecture: x86_64
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: No swap limit support
