Skip to content

malice-plugins/pescan

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

68 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

pescan logo

pescan

Circle CI License Docker Stars Docker Pulls Docker Image

Malice PExecutable Plugin

This repository contains a Dockerfile of malice/pescan.


Dependencies

Installation

  1. Install Docker.
  2. Download trusted build from public DockerHub: docker pull malice/pescan

Usage

$ docker run --rm -v /path/to/malware:/malware malice/pescan --help

Usage: pescan [OPTIONS] COMMAND [ARGS]...

  Malice PExecutable Plugin

  Author: blacktop <https://github.com/blacktop>

Options:
  --version   print the version
  -h, --help  Show this message and exit.

Commands:
  scan  scan a file
  web   start web service

Scanning

$ docker run --rm -v /path/to/malware:/malware malice/pescan scan --help

Usage: pescan.py scan [OPTIONS] FILE_PATH

  Malice PExecutable Scanner

Options:
  -v, --verbose            verbose output
  -t, --table              output as Markdown table
  -x, --proxy PROXY        proxy settings for Malice webhook endpoint [$MALICE_PROXY]
  -c, --callback ENDPOINT  POST results back to Malice webhook [$MALICE_ENDPOINT]
  --elasticsearch HOST     elasticsearch address for Malice to store results [$MALICE_ELASTICSEARCH]
  --timeout SECS           malice plugin timeout (default: 10) [$MALICE_TIMEOUT]
  -d, --dump               dump possibly embedded binaries
  --output PATH            where to extract the embedded objects to (default: /malware)
                           [$MALICE_EXTRACT_PATH]
  --peid PATH              path to the PEiD database file (default:peid/UserDB.TXT)
                           [$MALICE_PEID_PATH]
  -h, --help               Show this message and exit.

This will output to stdout and POST to malice results API webhook endpoint.

Sample Output

{
  "linker_version": "06.00",
  "compiletime": {
    "unix": 1164878434,
    "datetime": "2006-11-30 09:20:34"
  },
  "imports": [
    {
      "name": "GetStartupInfoA",
      "address": "0x406044"
    },
    {
      "name": "GetModuleHandleA",
      "address": "0x406048"
    },
    {
      "name": "CreatePipe",
      "address": "0x40604c"
    },
    {
      "name": "PeekNamedPipe",
      "address": "0x406050"
    },
    {
      "name": "ReadFile",
      "address": "0x406054"
    },
    {
      "name": "CreateProcessA",
      "address": "0x406058"
    },
    ...SNIP...
    {
      "name": "WSACleanup",
      "address": "0x406210"
    },
    {
      "name": "ioctlsocket",
      "address": "0x406214"
    }
  ],
  "resource_versioninfo": {
    "legalcopyright": "(C) Microsoft Corporation. All rights reserved.",
    "internalname": "iexplore",
    "fileversion": "6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)",
    "companyname": "Microsoft Corporation",
    "productname": "Microsoft(R) Windows(R) Operating System",
    "productversion": "6.00.2900.2180",
    "original_filename": "IEXPLORE.EXE",
    "file_description": "Internet Explorer"
  },
  "rich_header_info": [
    {
      "tool_id": 12,
      "version": 7291,
      "times used": 1
    },
    ...SNIP...
    {
      "tool_id": 6,
      "version": 1720,
      "times used": 1
    }
  ],
  "os_version": "04.00",
  "is_packed": false,
  "entrypoint": "0x5a46",
  "sections": [
    {
      "raw_data_size": 20480,
      "name": ".text",
      "rva": "0x1000",
      "pointer_to_raw_data": 4096,
      "entropy": 5.988944574755928,
      "virtual_size": "0x4bfe"
    },
    {
      "raw_data_size": 4096,
      "name": ".rdata",
      "rva": "0x6000",
      "pointer_to_raw_data": 24576,
      "entropy": 3.291179369026711,
      "virtual_size": "0xc44"
    },
    {
      "raw_data_size": 4096,
      "name": ".data",
      "rva": "0x7000",
      "pointer_to_raw_data": 28672,
      "entropy": 4.04448531075933,
      "virtual_size": "0x17b0"
    },
    {
      "raw_data_size": 8192,
      "name": ".rsrc",
      "rva": "0x9000",
      "pointer_to_raw_data": 32768,
      "entropy": 4.49716326553469,
      "virtual_size": "0x15d0"
    }
  ],
  "resources": [
    {
      "language_desc": "Chinese-People's Republic of China",
      "sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
      "name": "RT_ICON",
      "language": "LANG_CHINESE",
      "offset": "0x90f0",
      "size": "0x10a8",
      "type": "data",
      "id": 1,
      "md5": "14bf7c82dcfb7e41243f5b87d0c79538"
    },
    {
      "language_desc": "Chinese-People's Republic of China",
      "sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
      "name": "RT_GROUP_ICON",
      "language": "LANG_CHINESE",
      "offset": "0xa198",
      "size": "0x14",
      "type": "data",
      "id": 2,
      "md5": "3c68f77c35c26ff079a1c410ee44fa62"
    },
    {
      "language_desc": "Chinese-People's Republic of China",
      "sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
      "name": "RT_VERSION",
      "language": "LANG_CHINESE",
      "offset": "0xa1b0",
      "size": "0x41c",
      "type": "data",
      "id": 3,
      "md5": "9a12ece86a71c3499df0fb0ebe6ea33e"
    }
  ],
  "peid": [
    "Armadillo v1.71",
    "Microsoft Visual C++ v5.0/v6.0 (MFC)",
    "Microsoft Visual C++"
  ],
  "calculated_file_size": 42448,
  "imphash": "a2cee99c7e42d671d47e3fb71c71bda4",
  "number_of_sections": 4,
  "pehash": "884bf0684addc269d641efb74e0fcb88267211da",
  "machine_type": "0x14c (IMAGE_FILE_MACHINE_I386)",
  "image_base": 4194304,
  "language": "C",
  "size_of_image": 45056,
  "signature": {
    "heuristic": "No file signature data found"
  }
}

pescan

Header

  • Target Machine: 0x14c (IMAGE_FILE_MACHINE_I386)
  • Compilation Timestamp: 2006-11-30 09:20:34
  • Entry Point: 0x5a46
  • Contained Sections: 4

Sections

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 0x1000 0x4bfe 20480 5.99 9062ff3acdff9ac80cd9f97a0df42383
.rdata 0x6000 0xc44 4096 3.29 28c9e7872eb9d0a20a1d953382722735
.data 0x7000 0x17b0 4096 4.04 c38a0453ad319c9cd8b1760baf57a528
.rsrc 0x9000 0x15d0 8192 4.50 0d4522a26417d45c33759d2a6375a55f

Imports

KERNEL32.DLL
  • GetStartupInfoA
  • GetModuleHandleA
  • CreatePipe
  • PeekNamedPipe
  • ReadFile
  • CreateProcessA

...SNIP...

ADVAPI32.dll
  • RegCloseKey
  • RegSetValueExA
  • RegQueryValueExA

...SNIP...

MPR.dll
  • WNetCloseEnum
  • WNetOpenEnumA
  • WNetEnumResourceA
MSVCRT.dll
  • _except_handler3
  • __set_app_type
  • pfmode

...SNIP...

SHLWAPI.dll
  • SHDeleteKeyA
WS2_32.dll
  • gethostname

  • gethostbyname

    ...SNIP...

Resources

SHA-256 Size Entropy File Type Type Language
52a955550acda3b566c9fa9eda164853df4135dfa5eb7b173b3c5453a12f85a3 0x10a8 6.52 None RT_ICON Chinese-People's Republic of China
a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0 0x14 1.78 None RT_GROUP_ICON Chinese-People's Republic of China
934b13844893dc0438a47aadc20d4873f806000c761249795c7f265ccca48bc9 0x41c 3.47 None RT_VERSION Chinese-People's Republic of China

File Version Information

  • Copyright: (C) Microsoft Corporation. All rights reserved.
  • Product: Microsoft(R) Windows(R) Operating System
  • Description: Internet Explorer
  • Original Name: IEXPLORE.EXE
  • Internal Name: iexplore
  • File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

Signature Info

Signature Verification

No file signature data found

PEiD

  • Armadillo v1.71
  • Microsoft Visual C++ v5.0/v6.0 (MFC)
  • Microsoft Visual C++

Documentation

Issues

Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue

CHANGELOG

See CHANGELOG.md

Contributing

See all contributors on GitHub.

Please update the CHANGELOG.md

Credits

Heavily (if not entirely) influenced by the viper PE module and by CSE's alsvc_pefile

TODO

  • activate dumping functionality
  • add timeout protection
  • revisit security/signature stuff
  • add proxy settings for callback POST

License

MIT Copyright (c) 2016 blacktop