diff --git a/analyzers/FileInfo/fileinfo_analyzer.py b/analyzers/FileInfo/fileinfo_analyzer.py
index e7a269d77..a2ff6aa81 100755
--- a/analyzers/FileInfo/fileinfo_analyzer.py
+++ b/analyzers/FileInfo/fileinfo_analyzer.py
@@ -16,7 +16,8 @@ def __init__(self):
 # Create a dictionary of custom submodules
 self.available_submodules = [
- GZIPSubmodule()
+ GZIPSubmodule(),
+ PESubmodule()
 ]
 def run(self):
diff --git a/analyzers/FileInfo/submodules/__init__.py b/analyzers/FileInfo/submodules/__init__.py
index 7bcbb6661..717e8a6fc 100644
--- a/analyzers/FileInfo/submodules/__init__.py
+++ b/analyzers/FileInfo/submodules/__init__.py
@@ -1,2 +1,3 @@
 from .submodule_metadata import MetadataSubmodule
-from .submodule_gzip import GZIPSubmodule
\ No newline at end of file
+from .submodule_gzip import GZIPSubmodule
+from .submodule_pe import PESubmodule
\ No newline at end of file
diff --git a/analyzers/FileInfo/submodules/submodule_metadata.py b/analyzers/FileInfo/submodules/submodule_metadata.py
index 03801aba3..a9a54e35a 100644
--- a/analyzers/FileInfo/submodules/submodule_metadata.py
+++ b/analyzers/FileInfo/submodules/submodule_metadata.py
@@ -20,6 +20,14 @@ def check_file(self, **kwargs):
 """
 return True
+ def exif(self, path):
+ # Exif info
+ exifreport = pyexifinfo.get_json(path)
+ result = dict((key, value) for key, value in exifreport[0].items() if
+ not (key.startswith("File") or key.startswith("SourceFile")))
+ return result
+
+
 def analyze_file(self, path):
 # Hash the file
 with io.open(path, 'rb') as fh:
@@ -40,6 +48,9 @@ def analyze_file(self, path):
 'ssdeep': ssdeep.digest()
 })
+ self.add_result_subsection('Exif Info', self.exif(path)
+ )
+
 # Get libmagic info
 magicliteral = magic.Magic().from_file(path)
 mimetype = magic.Magic(mime=True).from_file(path)
@@ -47,6 +58,7 @@ def analyze_file(self, path):
 'Magic literal': magicliteral,
 'MimeType': mimetype,
 'Filetype': pyexifinfo.fileType(path)
+
 })
 return self.results
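Review bot: The new exif() method indexes exifreport[0] without a guard, so when pyexifinfo.get_json returns an empty list for a sample exiftool cannot read, the whole Metadata submodule fails with an IndexError instead of producing an empty section; add `if not exifreport: return {}` before the comprehension. The filter can also be written as one tuple test inside a dict comprehension, `{key: value for key, value in exifreport[0].items() if not key.startswith(("File", "SourceFile"))}`, instead of dict() over a generator with a line break inside the condition. Assuming pyexifinfo shells out to the external exiftool binary, every untrusted sample submitted to this analyzer is parsed by that process, so the dependency on a patched and sandboxed exiftool deserves a comment here. The `# Exif info` comment would serve better as a docstring stating why File*/SourceFile keys are dropped — presumably because they describe the temporary copy rather than the sample, which the author should confirm.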
diff --git a/analyzers/FileInfo/submodules/submodule_pe.py b/analyzers/FileInfo/submodules/submodule_pe.py
new file mode 100644
index 000000000..69ec1f359
--- /dev/null
+++ b/analyzers/FileInfo/submodules/submodule_pe.py
@@ -0,0 +1,48 @@
+import magic
+import hashlib
+import io
+import pyexifinfo
+import pefile
+
+from .submodule_base import SubmoduleBaseclass
+from ssdeep import Hash
+
+
+class PESubmodule(SubmoduleBaseclass):
+ def __init__(self):
+ SubmoduleBaseclass.__init__(self)
+ self.name = 'PE'
+
+ def check_file(self, **kwargs):
+ """
+ PE submodule will analyze every PE like EXE, DLL or DRIVER, therefore it will always return true.
+
+ :return: True
+ """
+ if kwargs.get('filetype') in ['Win32 EXE']:
+ return True
+
+ def PE_info(self, pe):
+ table = []
+ try:
+ for fileinfo in pe.FileInfo:
+ if fileinfo.Key.decode() == 'StringFileInfo':
+ for stringtable in fileinfo.StringTable:
+ for entry in stringtable.entries.items():
+ table.append({'Info': entry[0].decode(), 'Value': entry[1].decode()})
+ return table
+ except Exception as excp:
+ return 'None'
+
+ def analyze_file(self, path):
+ try:
+ pe = pefile.PE(path)
+ pedict = pe.dump_dict()
+ except Exception as excp:
+ print("Failed processing {}".format(path))
+
+ self.add_result_subsection('PE Info', {
+ "Info": self.PE_info(pe)
+ })
+
+ return self.results
\ No newline at end of file
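Review bot: In analyze_file the except branch only prints and falls through, so when pefile.PE(path) raises on a malformed or truncated sample — exactly the input a malware analyzer must expect — the following self.PE_info(pe) raises UnboundLocalError on the never-assigned pe and the submodule crashes anyway; report the failure through add_result_subsection and return from the except branch, and drop the unused pedict. PE_info's `except Exception as excp: return 'None'` hands the string 'None' where the caller expects a list, so a parse failure (including the AttributeError when the binary has no version resource) is indistinguishable from an empty table; return [] for the missing-resource case and let unexpected errors surface. Version-string values come straight from the untrusted binary, so `entry[1].decode()` should be `entry[1].decode(errors='replace')` rather than letting one invalid byte discard the whole table. check_file's docstring promises EXE, DLL and driver coverage and "will always return true", but the code accepts only the single label 'Win32 EXE', so DLLs and 64-bit images are presumably skipped — extend the accepted labels or correct the docstring, and remove the unused magic, hashlib, io, pyexifinfo and Hash imports.
```python
    def analyze_file(self, path):
        try:
            pe = pefile.PE(path)
        except Exception as excp:
            # Malformed or non-PE input is the normal case for a malware
            # analyzer: record it as a result instead of crashing below.
            self.add_result_subsection('PE Info', {
                'Error': 'Failed processing {}: {}'.format(path, excp)
            })
            return self.results

        self.add_result_subsection('PE Info', {
            "Info": self.PE_info(pe)
        })

        return self.results
```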