import array
import math

import pefile
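def get_entropy(data):
    '''
    Return the Shannon entropy of *data* in bits per symbol.

    Parameters
    ----------
    data : bytes, bytearray or str
        Sequence to measure. Iterating ``bytes`` yields ints directly;
        for ``str`` each character is mapped through ``ord()`` and must
        fall in 0..255 (a wider code point raises IndexError, as before).

    Returns
    -------
    float
        Value in the range [0.0, 8.0]; 0.0 for empty input.
    '''
    total = len(data)
    if total == 0:
        return 0.0
    # One fixed-width counter per possible byte value.
    counts = array.array('L', [0] * 256)
    for sym in data:
        counts[sym if isinstance(sym, int) else ord(sym)] += 1
    entropy = 0.0
    for c in counts:
        # Zero-count bins contribute nothing and must not reach log().
        if c:
            p = c / total
            entropy -= p * math.log2(p)
    return entropy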
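def extract_info(fpath):
    '''
    Extract a flat dict of header, size, entropy and import features from a PE file.

    The file is treated as untrusted input: it is fully parsed by ``pefile``,
    and a non-PE or malformed file surfaces as ``pefile.PEFormatError`` to the
    caller. The parser's file mapping is always released before returning.

    Parameters
    ----------
    fpath : str
        Path of the PE (EXE/DLL) file to inspect.

    Returns
    -------
    dict
        FILE_HEADER / OPTIONAL_HEADER fields keyed by their field name,
        the summed per-section entropy under ``'Entropy'``, the summed
        ``SizeOfRawData`` of all sections under ``'Size'``, and the
        lower-cased imported DLL and symbol names as space-separated
        strings under ``'ImportedDlls'`` / ``'ImportedSymbols'``
        (symbols de-duplicated and sorted, so the output is stable
        across runs).

    Raises
    ------
    pefile.PEFormatError
        If *fpath* is not a parseable PE file.
    '''
    pe = pefile.PE(fpath)
    try:
        return _pe_features(pe)
    finally:
        # pefile memory-maps the file; release it even if parsing raised.
        pe.close()


def _pe_features(pe):
    '''Build the feature dict from an already-parsed ``pefile.PE`` object.'''
    opt = pe.OPTIONAL_HEADER
    fh = pe.FILE_HEADER
    res = {}
    res['BaseOfCode'] = opt.BaseOfCode
    # PE32+ optional headers have no BaseOfData field; report 0 for them.
    res['BaseOfData'] = getattr(opt, 'BaseOfData', 0)
    res['Characteristics'] = fh.Characteristics
    res['DllCharacteristics'] = opt.DllCharacteristics
    # Sum of per-section entropies, not a mean: large files score higher.
    res['Entropy'] = sum(section.get_entropy() for section in pe.sections)
    res['FileAlignment'] = opt.FileAlignment
    res['ImageBase'] = opt.ImageBase
    dll_list, func_list = _collect_imports(pe)
    res['ImportedDlls'] = " ".join(dll_list)
    res['ImportedSymbols'] = " ".join(func_list)
    res['Machine'] = fh.Machine
    res['Magic'] = opt.Magic
    res['NumberOfRvaAndSizes'] = opt.NumberOfRvaAndSizes
    res['NumberOfSections'] = len(pe.sections)
    res['NumberOfSymbols'] = fh.NumberOfSymbols
    res['PointerToSymbolTable'] = fh.PointerToSymbolTable
    res['Size'] = sum(section.SizeOfRawData for section in pe.sections)
    res['SizeOfCode'] = opt.SizeOfCode
    res['SizeOfHeaders'] = opt.SizeOfHeaders
    res['SizeOfImage'] = opt.SizeOfImage
    res['SizeOfInitializedData'] = opt.SizeOfInitializedData
    res['SizeOfOptionalHeader'] = fh.SizeOfOptionalHeader
    res['SizeOfUninitializedData'] = opt.SizeOfUninitializedData
    return res


def _collect_imports(pe):
    '''Return ``(dll_names, symbol_names)`` from the import directory, lower-cased.'''
    dlls = []
    symbols = set()
    # A PE with no import table has no DIRECTORY_ENTRY_IMPORT attribute at all;
    # treat that as "no imports" rather than crashing the extractor.
    for entry in getattr(pe, 'DIRECTORY_ENTRY_IMPORT', []):
        if entry.dll:
            # Names come from the file, so decode leniently instead of raising.
            dlls.append(entry.dll.decode('utf-8', errors='replace').lower())
        for imp in entry.imports:
            # Imports by ordinal carry no name (``imp.name`` is None); skip them.
            if imp.name:
                symbols.add(imp.name.decode('utf-8', errors='replace').lower())
    # Sorted so the joined string is deterministic across interpreter runs.
    return dlls, sorted(symbols)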