Dark Mode

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Sign up
Appearance settings

malice-plugins/pescan

Repository files navigation

pescan

Malice PExecutable Plugin

This repository contains a Dockerfile of malice/pescan.


Dependencies

Installation

  1. Install Docker.
  2. Download trusted build from public DockerHub: docker pull malice/pescan

Usage

$ docker run --rm -v /path/to/malware:/malware malice/pescan --help

Usage: pescan [OPTIONS] COMMAND [ARGS]...

Malice PExecutable Plugin

Author: blacktop <https://github.com/blacktop>

Options:
--version print the version
-h, --help Show this message and exit.

Commands:
scan scan a file
web start web service

Scanning

$ docker run --rm -v /path/to/malware:/malware malice/pescan scan --help

Usage: pescan.py scan [OPTIONS] FILE_PATH

Malice PExecutable Scanner

Options:
-v, --verbose verbose output
-t, --table output as Markdown table
-x, --proxy PROXY proxy settings for Malice webhook endpoint [$MALICE_PROXY]
-c, --callback ENDPOINT POST results back to Malice webhook [$MALICE_ENDPOINT]
--elasticsearch HOST elasticsearch address for Malice to store results [$MALICE_ELASTICSEARCH]
--timeout SECS malice plugin timeout (default: 10) [$MALICE_TIMEOUT]
-d, --dump dump possibly embedded binaries
--output PATH where to extract the embedded objects to (default: /malware)
[$MALICE_EXTRACT_PATH]
--peid PATH path to the PEiD database file (default:peid/UserDB.TXT)
[$MALICE_PEID_PATH]
-h, --help Show this message and exit.

This will output to stdout and POST to malice results API webhook endpoint.

Sample Output

{
"linker_version": "06.00",
"compiletime": {
"unix": 1164878434,
"datetime": "2006-11-30 09:20:34"
},
"imports": [
{
"name": "GetStartupInfoA",
"address": "0x406044"
},
{
"name": "GetModuleHandleA",
"address": "0x406048"
},
{
"name": "CreatePipe",
"address": "0x40604c"
},
{
"name": "PeekNamedPipe",
"address": "0x406050"
},
{
"name": "ReadFile",
"address": "0x406054"
},
{
"name": "CreateProcessA",
"address": "0x406058"
},
...SNIP...
{
"name": "WSACleanup",
"address": "0x406210"
},
{
"name": "ioctlsocket",
"address": "0x406214"
}
],
"resource_versioninfo": {
"legalcopyright": "(C) Microsoft Corporation. All rights reserved.",
"internalname": "iexplore",
"fileversion": "6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)",
"companyname": "Microsoft Corporation",
"productname": "Microsoft(R) Windows(R) Operating System",
"productversion": "6.00.2900.2180",
"original_filename": "IEXPLORE.EXE",
"file_description": "Internet Explorer"
},
"rich_header_info": [
{
"tool_id": 12,
"version": 7291,
"times used": 1
},
...SNIP...
{
"tool_id": 6,
"version": 1720,
"times used": 1
}
],
"os_version": "04.00",
"is_packed": false,
"entrypoint": "0x5a46",
"sections": [
{
"raw_data_size": 20480,
"name": ".text",
"rva": "0x1000",
"pointer_to_raw_data": 4096,
"entropy": 5.988944574755928,
"virtual_size": "0x4bfe"
},
{
"raw_data_size": 4096,
"name": ".rdata",
"rva": "0x6000",
"pointer_to_raw_data": 24576,
"entropy": 3.291179369026711,
"virtual_size": "0xc44"
},
{
"raw_data_size": 4096,
"name": ".data",
"rva": "0x7000",
"pointer_to_raw_data": 28672,
"entropy": 4.04448531075933,
"virtual_size": "0x17b0"
},
{
"raw_data_size": 8192,
"name": ".rsrc",
"rva": "0x9000",
"pointer_to_raw_data": 32768,
"entropy": 4.49716326553469,
"virtual_size": "0x15d0"
}
],
"resources": [
{
"language_desc": "Chinese-People's Republic of China",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x90f0",
"size": "0x10a8",
"type": "data",
"id": 1,
"md5": "14bf7c82dcfb7e41243f5b87d0c79538"
},
{
"language_desc": "Chinese-People's Republic of China",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"name": "RT_GROUP_ICON",
"language": "LANG_CHINESE",
"offset": "0xa198",
"size": "0x14",
"type": "data",
"id": 2,
"md5": "3c68f77c35c26ff079a1c410ee44fa62"
},
{
"language_desc": "Chinese-People's Republic of China",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"name": "RT_VERSION",
"language": "LANG_CHINESE",
"offset": "0xa1b0",
"size": "0x41c",
"type": "data",
"id": 3,
"md5": "9a12ece86a71c3499df0fb0ebe6ea33e"
}
],
"peid": [
"Armadillo v1.71",
"Microsoft Visual C++ v5.0/v6.0 (MFC)",
"Microsoft Visual C++"
],
"calculated_file_size": 42448,
"imphash": "a2cee99c7e42d671d47e3fb71c71bda4",
"number_of_sections": 4,
"pehash": "884bf0684addc269d641efb74e0fcb88267211da",
"machine_type": "0x14c (IMAGE_FILE_MACHINE_I386)",
"image_base": 4194304,
"language": "C",
"size_of_image": 45056,
"signature": {
"heuristic": "No file signature data found"
}
}

pescan

Header

  • Target Machine: 0x14c (IMAGE_FILE_MACHINE_I386)
  • Compilation Timestamp: 2006-11-30 09:20:34
  • Entry Point: 0x5a46
  • Contained Sections: 4

Sections

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 0x1000 0x4bfe 20480 5.99 9062ff3acdff9ac80cd9f97a0df42383
.rdata 0x6000 0xc44 4096 3.29 28c9e7872eb9d0a20a1d953382722735
.data 0x7000 0x17b0 4096 4.04 c38a0453ad319c9cd8b1760baf57a528
.rsrc 0x9000 0x15d0 8192 4.50 0d4522a26417d45c33759d2a6375a55f

Imports

KERNEL32.DLL
  • GetStartupInfoA
  • GetModuleHandleA
  • CreatePipe
  • PeekNamedPipe
  • ReadFile
  • CreateProcessA

...SNIP...

ADVAPI32.dll
  • RegCloseKey
  • RegSetValueExA
  • RegQueryValueExA

...SNIP...

MPR.dll
  • WNetCloseEnum
  • WNetOpenEnumA
  • WNetEnumResourceA
MSVCRT.dll
  • _except_handler3
  • __set_app_type
  • pfmode

...SNIP...

SHLWAPI.dll
  • SHDeleteKeyA
WS2_32.dll
  • gethostname

  • gethostbyname

    ...SNIP...

Resources

SHA-256 Size Entropy File Type Type Language
52a955550acda3b566c9fa9eda164853df4135dfa5eb7b173b3c5453a12f85a3 0x10a8 6.52 None RT_ICON Chinese-People's Republic of China
a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0 0x14 1.78 None RT_GROUP_ICON Chinese-People's Republic of China
934b13844893dc0438a47aadc20d4873f806000c761249795c7f265ccca48bc9 0x41c 3.47 None RT_VERSION Chinese-People's Republic of China

File Version Information

  • Copyright: (C) Microsoft Corporation. All rights reserved.
  • Product: Microsoft(R) Windows(R) Operating System
  • Description: Internet Explorer
  • Original Name: IEXPLORE.EXE
  • Internal Name: iexplore
  • File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

Signature Info

Signature Verification

No file signature data found

PEiD

  • Armadillo v1.71
  • Microsoft Visual C++ v5.0/v6.0 (MFC)
  • Microsoft Visual C++

Documentation

Issues

Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue

CHANGELOG

See CHANGELOG.md

Contributing

See all contributors on GitHub.

Please update the CHANGELOG.md

Credits

Heavily (if not entirely) influenced by the viper PE module and by CSE's alsvc_pefile

TODO

  • activate dumping functionality
  • add timeout protection
  • revisit security/signature stuff
  • add proxy settings for callback POST

License

MIT Copyright (c) 2016 blacktop

Releases

No releases published

Packages

No packages published