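def _ShannonEntropy(data):
    """Return the Shannon entropy of *data* in bits per byte (0.0 for empty input).

    Mirrors the formula pefile uses in SectionStructure.entropy_H so the
    logged value is unchanged, but does not depend on the PE having a section.
    """
    from collections import Counter
    import math

    if not data:
        return 0.0
    length = float(len(data))
    entropy = 0.0
    # bytearray() gives the same per-byte iteration for str (Py2) and bytes (Py3).
    for count in Counter(bytearray(data)).values():
        p = count / length
        entropy -= p * math.log(p, 2)
    return entropy


def ScanFile(filename, signatures, minimumEntropy):
    """Parse *filename* as a PE and log a one-line summary when its entropy is high enough.

    Args:
        filename: path of the file to inspect.
        signatures: accepted for interface compatibility; not used here.
        minimumEntropy: files whose whole-image Shannon entropy (bits per byte)
            is below this threshold are skipped without logging.

    Returns:
        None. Parse failures are logged as "(filename, <exception name>)" via the
        module-level oLogger; successful scans log one tuple of PE attributes.
    """
    global oLogger
    if not FileContentsStartsWithMZ(filename):
        return
    try:
        pe = GetPEObject(filename)
    except pefile.PEFormatError:
        oLogger.PrintAndLog(('%s', '%s'), (filename, 'PEFormatError'))
        return
    except TypeError:
        oLogger.PrintAndLog(('%s', '%s'), (filename, 'TypeError'))
        return
    try:
        raw = pe.write()
    except MemoryError:
        oLogger.PrintAndLog(('%s', '%s'), (filename, 'MemoryError'))
        return
    # Entropy of the rebuilt image. Computed locally rather than through
    # pe.sections[0].entropy_H so a PE with zero sections does not raise IndexError.
    entropy = _ShannonEntropy(raw)
    if entropy < minimumEntropy:
        return
    countFlagsExecute = 0
    countFlagsExecuteAndWrite = 0
    for section in pe.sections:
        if section.IMAGE_SCN_MEM_EXECUTE:
            countFlagsExecute += 1
            # Executable *and* writable sections are counted separately.
            if section.IMAGE_SCN_MEM_WRITE:
                countFlagsExecuteAndWrite += 1
    calculatedCRC = pe.generate_checksum()
    # A zero header checksum means none was set, so only a non-zero mismatch counts as different.
    crcDifferent = pe.OPTIONAL_HEADER.CheckSum != 0 and pe.OPTIONAL_HEADER.CheckSum != calculatedCRC
    info = GetVersionInfo(pe)
    # NOTE(review): DATA_DIRECTORY may hold fewer entries than the SECURITY index
    # on a PE with a truncated directory — confirm pefile pads it before relying on this.
    securitySize = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size
    # MD5 is logged as a correlation fingerprint of the rebuilt image, not as an integrity check.
    oLogger.PrintAndLog(
        ('%s', '%f', '%d', '%d', '%d', '%d', '%08X', '%08X', '%d', '%s', '%s', '%s', '%s'),
        (
            filename,
            entropy,
            len(pe.sections),
            countFlagsExecute,
            countFlagsExecuteAndWrite,
            securitySize,
            pe.OPTIONAL_HEADER.CheckSum,
            calculatedCRC,
            crcDifferent,
            time.asctime(time.gmtime(pe.FILE_HEADER.TimeDateStamp)),
            repr(RVOES(info, 'CompanyName')),
            repr(RVOES(info, 'ProductName')),
            hashlib.md5(raw).hexdigest(),
        ),
    )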