From e99a05db55c84b47f01151c1049d9e6d358c57cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Leonard?=
Date: Thu, 31 May 2018 20:41:53 +0200
Subject: [PATCH] #212 WIP - add pefile raw output

---
 analyzers/FileInfo/submodules/submodule_pe.py | 43 ++++++++++++++-----
 1 file changed, 33 insertions(+), 10 deletions(-)

diff --git a/analyzers/FileInfo/submodules/submodule_pe.py b/analyzers/FileInfo/submodules/submodule_pe.py
index 911bcd634..ff2c72c83 100644
--- a/analyzers/FileInfo/submodules/submodule_pe.py
+++ b/analyzers/FileInfo/submodules/submodule_pe.py
@@ -16,7 +16,7 @@ def check_file(self, **kwargs):
 :return: True
 """
 try:
- if kwargs.get('filetype') in ['Win32 EXE']:
+ if kwargs.get('filetype') in ['Win32 EXE', 'Win64 EXE']:
 return True
 except KeyError:
 return False
@@ -32,6 +32,22 @@ def pe_machine(pedict):
 else:
 return str(machinetype) + ' => Not x86/64 or Itanium'
 
+ @staticmethod
+ def pe_type(pe):
+ if pe.is_exe():
+ return "EXE"
+ elif pe.is_dll():
+ return "DLL"
+ elif pe.is_driver():
+ return "DRIVER"
+ else:
+ return "UNKNOWN"
+
+ @staticmethod
+ def pe_dump(pe):
+ return pe.dump_info()
+
+
 @staticmethod
 def compilation_timestamp(pedict):
 if pedict:
@@ -67,16 +83,22 @@ def pe_info(self, pe):
 @staticmethod
 def pe_iat(pe):
 table = []
+
 if pe:
- for entry in pe.DIRECTORY_ENTRY_IMPORT:
- imp = {
- 'entryname': entry.dll.decode(),
- 'symbols': []
- }
- for symbol in entry.imports:
- if symbol.name is not None:
- imp['symbols'].append(symbol.name.decode())
- table.append(imp)
+ try:
+ for entry in pe.DIRECTORY_ENTRY_IMPORT:
+ # try:
+ imp = {
+ 'entryname': entry.dll.decode(),
+ 'symbols': []
+ }
+ # try:
+ for symbol in entry.imports:
+ if symbol.name is not None:
+ imp['symbols'].append(symbol.name.decode())
+ table.append(imp)
+ except AttributeError:
+ pass
 return table
 # PE:Sections list of {Name, Size, Entropy, MD5, SHA1, SHA256, SHA512}
 #
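Review bot: `dict.get` never raises KeyError, so the `except KeyError` branch around the extended membership test is unreachable, and when the filetype matches neither 'Win32 EXE' nor 'Win64 EXE' the function falls off the end and returns None instead of an explicit False. The whole body collapses to `return kwargs.get('filetype') in ('Win32 EXE', 'Win64 EXE')`, which also replaces the throwaway list with a tuple. check_file's docstring begins before the hunk.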
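Review bot: `pe_dump` hands back the full text of `pe.dump_info()` with no size bound, and the last hunk writes that string straight into the report via `add_result_subsection('pefile raw output', ...)`; on a large or deliberately malformed sample this dump can reach many megabytes, so consider capping it, e.g. `return pe.dump_info()[:MAX_DUMP_CHARS]` with `MAX_DUMP_CHARS` (placeholder name) defined and documented at module level. Neither new static method has a docstring; suggested `"""Classify the parsed PE as 'EXE', 'DLL', 'DRIVER' or 'UNKNOWN' using pefile's is_exe/is_dll/is_driver."""` for `pe_type` and `"""Return pefile's full textual dump (pe.dump_info()) of the parsed file."""` for `pe_dump`. `pe_type` is not called from any hunk in this patch, so unless a caller exists outside the diff it is dead code in this commit. The `elif`/`else` after each `return` in `pe_type` can be flattened to plain `if` statements.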
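Review bot: The new `except AttributeError: pass` wraps the entire import loop, so it hides more than a missing `DIRECTORY_ENTRY_IMPORT`: an AttributeError raised part-way through (for instance from `entry.dll.decode()` if `dll` is None) silently truncates the table and the partial result is returned as if it were complete. Narrow the guard to the attribute actually in question, `for entry in getattr(pe, 'DIRECTORY_ENTRY_IMPORT', []):`, and drop the try/except together with the two `# try:` placeholder comments. The DLL and symbol names are bytes taken from the analysed sample, so `.decode()` can also raise UnicodeDecodeError on a crafted file; that is not an AttributeError and would abort the analyzer, which `decode(errors='replace')` on both calls avoids.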
@@ -107,4 +129,5 @@ def analyze_file(self, path):
 })
 self.add_result_subsection('Import Adress Tables', self.pe_iat(pe))
 self.add_result_subsection('Sections', self.pe_sections(pe))
+ self.add_result_subsection('pefile raw output', self.pe_dump(pe))
 return self.results