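def _record_indexed_value(r, sha256, field, counter_key, value):
    """Store *value* as *field* of the sample hash and index it for pivoting.

    Every indexed PE attribute follows the same three-key pattern, so it is
    centralised here:

    * ``HSET sha256 field value`` - the attribute on the sample itself;
    * ``ZINCRBY counter_key value`` - a frequency counter over all samples;
    * ``SADD field:value sha256`` - the reverse index (which samples share it).

    Args:
        r: Redis client.
        sha256: hash of the sample; key of its attribute hash.
        field: attribute name inside the sample hash (e.g. ``'imphash'``).
        counter_key: name of the sorted set used as a frequency counter.
        value: attribute value (int or str) to store and index.
    """
    r.hset(sha256, field, value)
    # NOTE(review): the two-argument form zincrby(name, value) is the
    # redis-py 2.x signature; redis-py >= 3 expects zincrby(name, amount,
    # value). Confirm which client version the deployment pins.
    r.zincrby(counter_key, value)
    r.sadd('{}:{}'.format(field, value), sha256)


def _index_pe(r, sha256, pe):
    """Write the attributes of an already parsed PE *pe* into Redis for *sha256*.

    Args:
        r: Redis client.
        sha256: hash of the sample; key of its attribute hash.
        pe: a ``pefile.PE`` instance the caller owns (and closes).
    """
    # NOTE(review): redis-py >= 3 rejects bool values (DataError); on 2.x
    # this is stored as the string 'True'. Confirm against the pinned client.
    r.hset(sha256, 'is_pefile', True)

    if hasattr(pe, 'FILE_HEADER'):
        ts = pe.FILE_HEADER.TimeDateStamp
        _record_indexed_value(r, sha256, 'timestamp', 'timestamps', ts)
        # TimeDateStamp is seconds since the Unix epoch in UTC; render it as a
        # timezone-aware ISO string so the stored value does not silently
        # depend on the analysis host's local timezone.
        r.hset(sha256, 'timestamp_iso',
               datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc).isoformat())
        _record_indexed_value(r, sha256, 'secnumber', 'secnumbers',
                              pe.FILE_HEADER.NumberOfSections)

    # get_imphash() is derived from the import directory, not FILE_HEADER,
    # so it is computed for every parsed PE (empty string when no imports).
    _record_indexed_value(r, sha256, 'imphash', 'imphashs', pe.get_imphash())

    if hasattr(pe, 'OPTIONAL_HEADER'):
        _record_indexed_value(r, sha256, 'entrypoint', 'entrypoints',
                              pe.OPTIONAL_HEADER.AddressOfEntryPoint)

    if hasattr(pe, 'VS_VERSIONINFO'):
        # NOTE(review): in recent pefile releases FileInfo is a list of lists,
        # in which case hasattr(entry, 'StringTable') is False for every
        # element and no OriginalFilename is ever recorded - confirm against
        # the pinned pefile version.
        for entry in pe.FileInfo:
            if not hasattr(entry, 'StringTable'):
                continue
            for st_entry in entry.StringTable:
                ofn = st_entry.entries.get(b'OriginalFilename')
                if not ofn:
                    continue
                if isinstance(ofn, bytes):
                    # Version strings come straight from the (untrusted)
                    # binary; decode leniently, as section names are below,
                    # so one malformed resource cannot abort the whole sample.
                    ofn = ofn.decode('utf-8', 'ignore')
                _record_indexed_value(r, sha256, 'originalfilename',
                                      'originalfilenames', ofn)

    # Section info: names, sizes, entropy vals.
    # Section names are attacker-controlled and need not be unique or
    # non-empty; two sections with the same name share one per-section hash
    # (the later one overwrites the earlier).
    for section in pe.sections:
        name = section.Name.decode('utf-8', 'ignore').replace('\x00', '')
        section_key = '{}:{}'.format(sha256, name)
        r.sadd('{}:secnames'.format(sha256), name)
        r.hset(section_key, 'size', section.SizeOfRawData)
        r.hset(section_key, 'entropy', H(section.get_data()))

    # adding section info to PE data
    r.hset(sha256, 'nb_tls', check_tls(pe))
    r.hset(sha256, 'ep_section', check_ep_section(pe))


def get_attr_pe(r, sha256):
    """Parse the sample recorded for *sha256* as a PE file and index it in Redis.

    The file path is read from the ``path`` field of the sample's hash. On
    success the hash gains ``is_pefile``, ``timestamp``, ``timestamp_iso``,
    ``imphash``, ``entrypoint``, ``secnumber``, ``originalfilename`` (when a
    version resource carries one), one ``<sha256>:<section>`` hash per section
    with ``size`` and ``entropy``, plus ``nb_tls`` and ``ep_section``. Each
    indexed value is also counted in a sorted set and cross-referenced in a
    ``<field>:<value>`` set.

    Args:
        r: Redis client.
        sha256: hash of the sample; key of its attribute hash and the member
            stored in every cross-reference set.

    Returns:
        True when the file parsed as a PE and was indexed, False when no path
        is recorded or the file is not a valid PE.
    """
    path = r.hget(sha256, 'path')
    if path is None:
        # Missing field: nothing to parse. Guarding here avoids handing None
        # to pefile.PE, whose failure mode for that is not a PEFormatError.
        print("{} has no path recorded".format(sha256))
        return False
    try:
        pe = pefile.PE(path)
    except pefile.PEFormatError:
        print("{} not a PE file".format(path))
        return False
    try:
        _index_pe(r, sha256, pe)
    finally:
        # pefile keeps the file mapped until close(); release it even when
        # indexing raises part-way through, otherwise every sample that hits
        # an error leaks a mapping.
        pe.close()
    return True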
# Returns Entropy value for given data chunk