#212 WIP add PE submodule

TheHive-Project · Mar 26, 2018 · decd7d8 · decd7d8
1 parent 8f46f15
commit decd7d8
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 2 deletions.
diff --git a/analyzers/FileInfo/fileinfo_analyzer.py b/analyzers/FileInfo/fileinfo_analyzer.py
@@ -16,7 +16,8 @@ def __init__(self):
 
         # Create a dictionary of custom submodules
         self.available_submodules = [
-            GZIPSubmodule()
+            GZIPSubmodule(),
+            PESubmodule()
         ]
 
     def run(self):

diff --git a/analyzers/FileInfo/submodules/__init__.py b/analyzers/FileInfo/submodules/__init__.py
@@ -1,2 +1,3 @@
 from .submodule_metadata import MetadataSubmodule
-from .submodule_gzip import GZIPSubmodule
+from .submodule_gzip import GZIPSubmodule
+from .submodule_pe import PESubmodule
diff --git a/analyzers/FileInfo/submodules/submodule_metadata.py b/analyzers/FileInfo/submodules/submodule_metadata.py
@@ -20,6 +20,14 @@ def check_file(self, **kwargs):
         """
         return True
 
+    def exif(self, path):
+        # Exif info
+        exifreport = pyexifinfo.get_json(path)
+        result = dict((key, value) for key, value in exifreport[0].items() if
+                      not (key.startswith("File") or key.startswith("SourceFile")))
+        return result
+
+
     def analyze_file(self, path):
         # Hash the file
         with io.open(path, 'rb') as fh:
@@ -40,13 +48,17 @@ def analyze_file(self, path):
             'ssdeep': ssdeep.digest()
         })
 
+        self.add_result_subsection('Exif Info', self.exif(path)
+        )
+
         # Get libmagic info
         magicliteral = magic.Magic().from_file(path)
         mimetype = magic.Magic(mime=True).from_file(path)
         self.add_result_subsection('Filetype determination', {
             'Magic literal': magicliteral,
             'MimeType': mimetype,
             'Filetype': pyexifinfo.fileType(path)
+
         })
 
         return self.results
diff --git a/analyzers/FileInfo/submodules/submodule_pe.py b/analyzers/FileInfo/submodules/submodule_pe.py
@@ -0,0 +1,48 @@
+import magic
+import hashlib
+import io
+import pyexifinfo
+import pefile
+
+from .submodule_base import SubmoduleBaseclass
+from ssdeep import Hash
+
+
+class PESubmodule(SubmoduleBaseclass):
+    def __init__(self):
+        SubmoduleBaseclass.__init__(self)
+        self.name = 'PE'
+
+    def check_file(self, **kwargs):
+        """
+        PE submodule will analyze every PE like EXE, DLL or DRIVER, therefore it will always return true.
+
+        :return: True
+        """
+        if kwargs.get('filetype') in ['Win32 EXE']:
+            return True
+
+    def PE_info(self, pe):
+        table = []
+        try:
+            for fileinfo in pe.FileInfo:
+                if fileinfo.Key.decode() == 'StringFileInfo':
+                    for stringtable in fileinfo.StringTable:
+                        for entry in stringtable.entries.items():
+                            table.append({'Info': entry[0].decode(), 'Value': entry[1].decode()})
+            return table
+        except Exception as excp:
+            return 'None'
+
+    def analyze_file(self, path):
+        try:
+            pe = pefile.PE(path)
+            pedict = pe.dump_dict()
+        except Exception as excp:
+            print("Failed processing {}".format(path))
+
+        self.add_result_subsection('PE Info', {
+            "Info": self.PE_info(pe)
+        })
+
+        return self.results