
This script analyzes MZ-PE (MS-DOS) executable files.

Project description

Program Executable Analyzer

Description

This script analyzes MZ-PE (MS-DOS) executable files.

This tool is useful for malware analysis and for debugging or understanding compiled dependencies.

  1. Verify the signature and print information about the signature and trust
  2. Analyze DLLs and imported function names
  3. Analyze exported function names
  4. Get the executable filename at compile time
  5. Get the encodings and languages used for compilation
  6. Print information about the Rich header
  7. Get the timestamps saved in the executable
  8. Print information about sections and their characteristics (permissions, etc.)
  9. Print the entry point position and the section containing it
  10. Get architecture, system version and resources (version file, manifest)
  11. Get company name, product name, product version and copyright
  12. Section names, sizes, addresses and characteristics
  13. Analyze the MS-DOS and NT headers
  14. When matplotlib is installed, generate charts comparing section sizes on disk and in memory
  15. When matplotlib and EntropyAnalysis are installed, generate charts for entropy analysis (with sections)
  16. Extract the overlay
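Several of the items above (entry point position and section, section characteristics and permissions, MS-DOS and NT headers, per-section entropy) come down to walking the PE structures in order: the MZ header gives e_lfanew, the PE signature is followed by the COFF file header, then the optional header, then the 40-byte section table. The following standard-library-only Python is an added illustration written for this page, not code from ProgramExecutableAnalyzer. It builds a constructed minimal PE32+ image in memory (not a real program), parses it, renders each section's permission bits and Shannon entropy, and reports the section that contains the entry point. The HIGH_ENTROPY threshold and the "high entropy executable section" flag are assumptions chosen for the example, not values taken from the project.

```python
import math
import struct

# Section characteristic flags from the PE format specification (IMAGE_SCN_*)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumption for this example: entropy above this in an executable section is worth a closer look
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def permissions(characteristics: int) -> str:
    """Render the memory permission bits of a section as an rwx string."""
    bits = (("r", IMAGE_SCN_MEM_READ), ("w", IMAGE_SCN_MEM_WRITE), ("x", IMAGE_SCN_MEM_EXECUTE))
    return "".join(flag if characteristics & bit else "-" for flag, bit in bits)


def parse_pe(data: bytes) -> dict:
    """Walk the MZ header, PE signature, COFF header, optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the NT headers
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")

    # COFF file header (20 bytes) follows the 4-byte signature
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    # Optional header: Magic at +0 (0x10B = PE32, 0x20B = PE32+), AddressOfEntryPoint at +16
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]

    # Section table: 40-byte IMAGE_SECTION_HEADER entries right after the optional header
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        entropy = shannon_entropy(data[rawptr:rawptr + rawsize])
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_size": rawsize, "raw_pointer": rawptr,
            "perms": permissions(chars), "entropy": entropy,
            # executable section filled with near-random bytes: a common trait of packed or encrypted code
            "high_entropy_code": bool(chars & IMAGE_SCN_MEM_EXECUTE) and entropy > HIGH_ENTROPY,
        })

    # The entry point is an RVA; find the section whose virtual range contains it
    entry_section = next((s["name"] for s in sections
                          if s["virtual_address"] <= entry_rva
                          < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])), None)
    return {"machine": machine, "pe32_plus": magic == 0x20B, "timestamp": timestamp,
            "characteristics": characteristics, "entry_point": entry_rva,
            "entry_section": entry_section, "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image for the example (not a real program): two sections,
    .text filled with uniformly distributed bytes and .data all zeros (entropies 8.0 and 0.0)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x5F000000, 0, 0, 240, 0x22)  # AMD64, 2 sections
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                           # AddressOfEntryPoint
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + text + data
    headers += b"\0" * (0x200 - len(headers))                         # pad up to the first section
    return headers + bytes(range(256)) * 2 + b"\0" * 0x200


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"machine=0x{info['machine']:x} pe32+={info['pe32_plus']} "
          f"entry=0x{info['entry_point']:x} in {info['entry_section']}")
    for s in info["sections"]:
        print(f"{s['name']:<8} {s['perms']} raw=0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.2f} high_entropy_code={s['high_entropy_code']}")
```

To run it against a real file, replace `build_sample_pe()` with the bytes read from disk; the parser reads only the fields it needs and does not validate the whole optional header, so a hand-crafted or truncated file can still raise `struct.error`, which a tool would want to catch and report rather than crash on.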

TODO: analyze the results to detect the language and score the risk.

Requirements

  • python3
  • Python 3 Standard library

Optional

  • matplotlib
  • EntropyAnalysis

Matplotlib and EntropyAnalysis are not installed as dependencies of ProgramExecutableAnalyzer, because the package may be installed on servers without a GUI.

You can install the optional packages with the following command: python3 -m pip install matplotlib EntropyAnalysis

Installation

pip install ProgramExecutableAnalyzer

Usages

python3 ProgramExecutableAnalyzer.py -h
python3 ProgramExecutableAnalyzer.py executable.exe
python3 ProgramExecutableAnalyzer.py -c executable.exe  # No color
python3 ProgramExecutableAnalyzer.py -v executable.exe  # Verbose mode

Screenshots

Screenshots (images not included here): PE Headers Analysis (two views), PE Imports Analysis, PE Signature Informations, PE Entropy Analysis, PE Compare Section Size Charts

Links

Licence

Licensed under the GPL, version 3.

Download files


Source Distribution

ProgramExecutableAnalyzer-1.0.0.tar.gz (36.3 kB)


File details

Hashes for ProgramExecutableAnalyzer-1.0.0.tar.gz:

  • SHA256: d4716ca6bd0cc99945ea5ca8975bc91983ee8f349c3d748f5bef3138cfe57e01
  • MD5: 1caf658911c026dd834ac402754d83bd
  • BLAKE2b-256: fb84a66a0ec5b6b62cf2566e6d05497ea16409f10229f009a4bc67bd6ef56323

