Tweak peutils.py #456

wants to merge 1 commit into
base: master
26 changes: 13 additions & 13 deletions peutils.py
Expand Up @@ -59,11 +59,11 @@ def __init__(self, filename=None, data=None):
# - A dictionary with a string as a key (packer name)
# and None as value to indicate a full signature
#
self.signature_tree_eponly_true = dict()
self.signature_tree_eponly_true = {}
self.signature_count_eponly_true = 0
self.signature_tree_eponly_false = dict()
self.signature_tree_eponly_false = {}
self.signature_count_eponly_false = 0
self.signature_tree_section_start = dict()
self.signature_tree_section_start = {}
self.signature_count_section_start = 0

# The depth (length) of the longest signature
Expand Down Expand Up @@ -94,7 +94,7 @@ def generate_section_signatures(self, pe, name, sig_length=512):
name,
idx + 1,
len(pe.sections),
"".join([c for c in section.Name if c in string.printable]),
"".join(c for c in section.Name if c in string.printable),
)

section_signatures.append(
Expand Down Expand Up @@ -129,7 +129,7 @@ def __generate_signature(

data = pe.__data__[offset : offset + sig_length]

signature_bytes = " ".join(["%02x" % ord(c) for c in data])
signature_bytes = " ".join("%02x" % ord(c) for c in data)

if ep_only == True:
ep_only = "true"
Expand Down Expand Up @@ -342,7 +342,7 @@ def __match_signature_tree(self, signature_tree, data, depth=0):
if None in list(match.values()):
# idx represent how deep we are in the tree
#
# names = [idx+depth]
# names = [idx + depth]
names = list()

# For each of the item pairs we check
Expand Down Expand Up @@ -500,9 +500,9 @@ def is_valid(pe):

def is_suspicious(pe):
"""
unusual locations of import tables
non recognized section names
presence of long ASCII strings
Unusual locations of import tables
Non-recognized section names
Presence of long ASCII strings
"""

relocations_overlap_entry_point = False
Expand Down Expand Up @@ -544,7 +544,7 @@ def is_suspicious(pe):
warnings_while_parsing

# If there are few or none (should come with a standard "density" of strings/kilobytes of data) longer (>8)
# ascii sequences that might indicate packed data, (this is similar to the entropy test in some ways but
# ASCII sequences that might indicate packed data, (this is similar to the entropy test in some ways but
# might help to discard cases of legitimate installer or compressed data)

# If compressed data (high entropy) and is_driver => uuuuhhh, nasty
Expand All @@ -568,7 +568,6 @@ def is_probably_packed(pe):
# Assume that the file is packed when no data is available
if not total_pe_data_length:
return True
has_significant_amount_of_compressed_data = False

# If some of the sections have high entropy and they make for more than 20% of the file's size
# it's assumed that it could be an installer or a packed file
Expand All @@ -582,7 +581,8 @@ def is_probably_packed(pe):
if s_entropy > 7.4:
total_compressed_data += s_length

if (total_compressed_data / total_pe_data_length) > 0.2:
has_significant_amount_of_compressed_data = True
has_significant_amount_of_compressed_data = (
total_compressed_data / total_pe_data_length > 0.2
)

return has_significant_amount_of_compressed_data
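Review bot: The rewritten `signature_bytes = " ".join("%02x" % ord(c) for c in data)` in the `__generate_signature` hunk still applies `ord()` to each element of `data`; if `pe.__data__` is a bytes object under Python 3, iterating the slice yields ints and `ord()` raises TypeError, so signature generation on an input file would abort with an unhandled exception rather than produce a signature — `" ".join("%02x" % c for c in data)` handles a bytes slice, and `bytes(data).hex(" ")` is the stdlib form if 3.8+ can be assumed. The same question applies to the `generate_section_signatures` hunk, where `c in string.printable` would test an int against a str if `section.Name` is bytes; both are worth confirming against pefile's actual data types before a purely cosmetic pass is merged, since a crash in a packer check on an untrusted binary means no verdict at all. Given the commit replaces `dict()` with `{}` in `__init__`, the `names = list()` left in the `__match_signature_tree` hunk could become `names = []` for consistency. Every function touched here starts or ends outside its hunk, so the surrounding control flow could not be checked.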