#Python PE Analyst - MD5-SHA256-Size-PE Section-DLLs of .exe
#16/04/2019 - bekabeipa@gmail.com
#DB MySQL structure: id;filename;md5;sha256;filesize;dump;time
import datetime
import time
import pefile
import mmap
import hashlib
import pymysql
pymysql.install_as_MySQLdb()
import MySQLdb
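# NOTE(review): the database credentials are hard-coded (root with an empty
# password); load them from the environment or a config file kept out of the
# repository rather than from source.
db = MySQLdb.connect(user="root", passwd="", host="localhost", db="test")
cursor = db.cursor()
# One timestamp shared by every row this run inserts.
now = datetime.datetime.now()
# Sample under analysis; every row written below is keyed on this path.
exe_path = "cmd4.exe"
# Full parse (data directories included) - needed later for the import table.
pePath = pefile.PE(exe_path)
# Second, lazy parse over a read-only memory map. The mapping holds its own
# duplicate of the descriptor, so the file object can be closed right away
# instead of leaking for the lifetime of the script.
with open(exe_path, 'rb') as fd:
    pe_data = mmap.mmap(fd.fileno(), 0, access=mmap.ACCESS_READ)
pe = pefile.PE(data=pe_data, fast_load=True)
# Textual dump of the parsed headers; stored as the first DB row further down.
strpe = str(pe)
# Both digests are fed from a single read of the file.
hasher = hashlib.md5()
hashersha256 = hashlib.sha256()
with open(exe_path, 'rb') as afile:
    buf = afile.read()
hasher.update(buf)
hashersha256.update(buf)
print(hasher.hexdigest())
print(hashersha256.hexdigest())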
def file_size(fname):
    """Return the size of the file at `fname` in bytes.

    Raises the underlying OSError (e.g. FileNotFoundError) if the path
    cannot be stat'ed.
    """
    import os
    return os.path.getsize(fname)
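def _insert_dump(dump):
    """Insert one `pedump` row for the current sample with `dump` as its payload.

    Columns follow the table layout noted at the top of the file:
    id (auto), filename, md5, sha256, filesize, dump, time.
    """
    cursor.execute(
        "INSERT INTO pedump VALUES (NULL, %s, %s, %s, %s, %s, %s)",
        (exe_path, hasher.hexdigest(), hashersha256.hexdigest(), file_size(exe_path), dump, now),
    )


# First row: the whole pefile header dump; then one row per section.
_insert_dump(strpe)
for section in pe.sections:
    # Section names are 8 NUL-padded bytes and need not be valid UTF-8
    # (packers write arbitrary bytes there), so decode leniently instead of
    # aborting the whole run, and drop the padding before storing.
    name = section.Name.decode('utf-8', errors='replace').rstrip('\x00')
    pesection = " - ".join([
        name,
        hex(section.Misc_VirtualSize),
        hex(section.VirtualAddress),
        hex(section.SizeOfRawData),
    ])
    print(pesection)
    _insert_dump(pesection)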
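def foo(dll):
    """Insert one `pedump` row for the current sample with `dll` as its payload.

    Reads the module-level `cursor`, `exe_path`, `hasher`, `hashersha256`
    and `now`; the row layout is id (auto), filename, md5, sha256, filesize,
    dump, time. An INSERT produces no result set, so nothing is fetched back.
    """
    cursor.execute(
        "INSERT INTO pedump VALUES (NULL, %s, %s, %s, %s, %s, %s)",
        (exe_path, hasher.hexdigest(), hashersha256.hexdigest(), file_size(exe_path), dll, now),
    )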
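#print("[*] Listing imported DLLs...")
# `pePath` is the fully parsed PE; the fast_load parse above has no import
# directory. pefile only sets DIRECTORY_ENTRY_IMPORT when an import table is
# present, so a sample without one is treated as "no DLLs" rather than crashing.
for entry in getattr(pePath, 'DIRECTORY_ENTRY_IMPORT', []):
    # DLL names come straight from the binary and need not be valid UTF-8.
    dll = '\t' + entry.dll.decode('utf-8', errors='replace')
    foo(dll)
# pymysql opens the connection with autocommit off, so without an explicit
# commit every row inserted above is discarded when the connection closes.
db.commit()
db.close()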