Implement PEDeepEntrypoint for anomaly detection #570
Added PEDeepEntrypoint class to analyze PE entry points and detect anomalies based on their depth within sections.
Code Review
This pull request introduces the PEDeepEntrypoint signature to detect PE files with entry points located unusually deep within a section, a common indicator of packers or shellcode. The feedback highlights critical compatibility issues with Python 2.7, noting that the current parsing logic fails for unicode objects and the use of f-strings will result in syntax errors in standard Cuckoo environments.
| def _parse_hex_or_int(value, default=0): | ||
| """Safely parse a value that may be a hex string, decimal string, or int.""" | ||
| if isinstance(value, int): | ||
| return value | ||
| if isinstance(value, str): | ||
| try: | ||
| return int(value, 16) if value.startswith("0x") else int(value) | ||
| except (ValueError, TypeError): | ||
| return default | ||
| return default |
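Review bot: The hex branch's `value.startswith("0x")` is case-sensitive, so a value written `0X1000` falls through to `int(value)`, raises ValueError and comes back as `default`, even though `int(value, 16)` accepts either prefix; compare with `value.lower().startswith("0x")`. The docstring should also state how an unprefixed hex string is treated, since `int("1000")` yields 1000 rather than 4096 and the caller cannot tell the two apart.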
The current implementation of _parse_hex_or_int uses isinstance(value, str), which in Python 2.7 (the environment for many Cuckoo installations) will return False for unicode objects. Since Cuckoo results often contain unicode strings, this method will fail to parse them and return the default value. Additionally, the logic can be simplified using int(value, 0) to automatically handle both hex (with 0x) and decimal strings.
| def _parse_hex_or_int(value, default=0): | |
| """Safely parse a value that may be a hex string, decimal string, or int.""" | |
| if isinstance(value, int): | |
| return value | |
| if isinstance(value, str): | |
| try: | |
| return int(value, 16) if value.startswith("0x") else int(value) | |
| except (ValueError, TypeError): | |
| return default | |
| return default | |
| @staticmethod | |
| def _parse_hex_or_int(value, default=0): | |
| """Safely parse a value that may be a hex string, decimal string, or int.""" | |
| try: | |
| return int(value, 0) | |
| except (ValueError, TypeError): | |
| try: | |
| return int(value) | |
| except (ValueError, TypeError): | |
| return default |
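Review bot: The `int(value, 0)` rewrite is not behaviour-preserving: a float now parses through the fallback `int(value)` and is truncated, where the original returned `default`, and base 0 additionally accepts `0b`/`0o` prefixes and `_` digit separators. Note too that with base 0 a decimal string with a leading zero such as `"0755"` raises ValueError, so the inner `try` is load-bearing and deserves a comment saying why it exists.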
| dynamic_desc = ( | ||
| f"The PE entry point (0x{ep_val:x}) is located {percentage:.1f}% " | ||
| f"deep into the '{sec_name}' section. Normal compilers place the EP " | ||
| f"near the beginning. This strongly indicates an appended packer stub " | ||
| f"or shellcode." | ||
| ) |
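Review bot: f-strings require Python 3.6 or later, so this hunk is only a problem if the signature has to load on an older interpreter; if the project pins its supported version at or above that, the formatting can stay as written.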
The use of f-strings is not compatible with Python 2.7, which is the standard environment for many Cuckoo Sandbox installations. This will result in a SyntaxError when the signature is loaded. Please use the .format() method or % operator for string formatting to ensure cross-version compatibility.
| dynamic_desc = ( | |
| f"The PE entry point (0x{ep_val:x}) is located {percentage:.1f}% " | |
| f"deep into the '{sec_name}' section. Normal compilers place the EP " | |
| f"near the beginning. This strongly indicates an appended packer stub " | |
| f"or shellcode." | |
| ) | |
| dynamic_desc = ( | |
| "The PE entry point (0x{0:x}) is located {1:.1f}% " | |
| "deep into the '{2}' section. Normal compilers place the EP " | |
| "near the beginning. This strongly indicates an appended packer stub " | |
| "or shellcode.".format(ep_val, percentage, sec_name) | |
| ) |
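Review bot: The `.format(...)` in the replacement is chained onto the last literal only; it still applies to the whole message because adjacent string literals are joined at compile time, but the intent reads more clearly if the call follows the closing parenthesis of the group or the message is assigned to a template first. Converting `{ep_val:x}` to `{0:x}` preserves the hex rendering, so no output changes.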
It's not very helpful that Gemini keeps talking rubbish about CAPE depending on Python 2!
Added PEDeepEntrypoint class to analyze PE entry points and detect anomalies based on their depth within sections. I have found this over time to be a good packer indicator.
Pikabot ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d
