PE format analyzer
import pefile
import pprint
import datetime
import sys
import magic
def getMagicType(buffer):
    """Return libmagic's textual description of *buffer*'s content.

    ``buffer`` is raw resource data lifted out of an untrusted PE, so the
    returned description is a best-effort content sniff, not a verdict.
    """
    described = magic.from_buffer(buffer)
    return described
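def main():
    """Print a header/section/resource/import/export summary of one PE file.

    Usage: ``python <script> <sample>``.  Every value shown is read from the
    sample's own headers, so it is attacker-controlled data (timestamps,
    sizes and names can all be forged or malformed) and is reported rather
    than trusted.  Exits non-zero on a usage error or an unparsable file.
    """
    print("PE Scanner :")
    if len(sys.argv) < 2:
        print("usage: %s <pe-file>" % sys.argv[0])
        sys.exit(2)
    sample = sys.argv[1]
    try:
        pe = pefile.PE(sample)
    except (pefile.PEFormatError, IOError) as err:
        # Not a PE at all, truncated, or unreadable: say so instead of a traceback.
        print("[-] Cannot parse %s: %s" % (sample, err))
        sys.exit(1)
    _print_compile_time(pe)
    _print_sections(pe)
    _print_resources(pe)
    _print_data_directories(pe)
    _print_imports(pe)
    _print_exports(pe)


def _text(value):
    """Render a pefile string field (bytes, str or None) as printable text.

    pefile returns NUL-padded bytes for names on Python 3 and ``None`` when a
    name is absent (e.g. an ordinal-only import); neither may abort the scan.
    """
    if value is None:
        return "<none>"
    if isinstance(value, bytes):
        return value.rstrip(b"\x00").decode("ascii", "replace")
    return str(value)


def _print_compile_time(pe):
    """Print the COFF TimeDateStamp as an ISO timestamp in UTC.

    The stamp is a plain epoch count and trivially forged; it is printed as
    UTC (not local time, as a naive fromtimestamp would give) so scans from
    different hosts stay comparable, and an out-of-range value is reported
    rather than allowed to raise.
    """
    stamp = pe.NT_HEADERS.FILE_HEADER.TimeDateStamp
    try:
        compiled = datetime.datetime(1970, 1, 1) + datetime.timedelta(seconds=stamp)
    except (OverflowError, ValueError, TypeError):
        print("\n[+] Compile Time -> invalid (0x%08x)" % stamp)
        return
    print("\n[+] Compile Time -> %s UTC" % compiled.isoformat())


def _print_sections(pe):
    """List each section's name, raw size and virtual size."""
    declared = pe.NT_HEADERS.FILE_HEADER.NumberOfSections
    print("\n[+] Number of sections -> %d" % declared)
    if declared != len(pe.sections):
        # A header count that disagrees with what actually parsed is itself
        # a malformation worth surfacing.
        print(" (only %d section headers parsed)" % len(pe.sections))
    print("[+] Sections :")
    for section in pe.sections:
        print(_text(section.Name))
        print(" Size of Raw Data -> %s" % hex(section.SizeOfRawData))
        print(" Virtual Size -> %s" % hex(section.Misc_VirtualSize))


def _print_resources(pe):
    """Walk the resource tree (type -> id -> language) and describe each leaf."""
    print("\n[+] Resources : ")
    if not hasattr(pe, "DIRECTORY_ENTRY_RESOURCE"):
        return
    for res_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        print(" Entry : ")
        print(" Type Name -> %s" % _text(res_type.name))
        if not hasattr(res_type, "directory"):
            continue
        for res_id in res_type.directory.entries:
            if not hasattr(res_id, "directory"):
                continue
            for res_lang in res_id.directory.entries:
                if not hasattr(res_lang, "data"):
                    continue
                _print_resource_leaf(pe, res_lang)


def _print_resource_leaf(pe, res_lang):
    """Print size, sniffed content type and language of one resource entry.

    The offset/size pair comes from the sample; pefile raises PEFormatError
    for a range it cannot map, which is reported and skipped so one corrupt
    entry does not end the listing.  Unknown language ids are printed as
    their numeric value instead of failing on a ``None`` lookup.
    """
    struct = res_lang.data.struct
    print(" Size -> %s" % hex(struct.Size))
    try:
        blob = pe.get_data(struct.OffsetToData, struct.Size)
    except pefile.PEFormatError as err:
        print(" Type -> unreadable (%s)" % err)
    else:
        print(" Type -> %s" % getMagicType(blob))
    lang_id = res_lang.data.lang
    print(" Lang -> %s" % pefile.LANG.get(lang_id, "unknown (%r)" % lang_id))
    sublang = pefile.get_sublang_name_for_lang(lang_id, res_lang.data.sublang)
    print(" subLang -> %s" % _text(sublang))


def _print_data_directories(pe):
    """List every optional-header data directory with its RVA and size."""
    print("\n[+] Number of data directories : %d" % pe.OPTIONAL_HEADER.NumberOfRvaAndSizes)
    for directory in pe.OPTIONAL_HEADER.DATA_DIRECTORY:
        print(" %s : " % directory.name)
        print(" Virtual Address -> %s" % hex(directory.VirtualAddress))
        print(" Size -> %s" % hex(directory.Size))


def _print_imports(pe):
    """List imported DLLs and, under each, the imported functions."""
    print("\n[+] Imported DLL : ")
    if not hasattr(pe, "DIRECTORY_ENTRY_IMPORT"):
        return
    for entry in pe.DIRECTORY_ENTRY_IMPORT:
        print(" %s" % _text(entry.dll))
        for func in entry.imports:
            if func.name is None:
                # Import by ordinal: there is no name to print.
                print(" (%s) ordinal %s" % (func.hint, func.ordinal))
            else:
                print(" (%s) %s" % (func.hint, _text(func.name)))


def _print_exports(pe):
    """List exported symbols, falling back to the ordinal for unnamed ones."""
    print("\n[+] Exported DLL : ")
    if not hasattr(pe, "DIRECTORY_ENTRY_EXPORT"):
        return
    for symbol in pe.DIRECTORY_ENTRY_EXPORT.symbols:
        if symbol.name is None:
            print(" ordinal %s" % symbol.ordinal)
        else:
            print(" %s" % _text(symbol.name))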
if __name__ == "__main__":
    # Run the scanner only when executed directly, not when imported.
    main()