pegreet 0.3.0

Library and CLI tool for parsing, validating, modifying, and updating `pyproject.toml` files.

PEgreet

Greet your samples before you tear them apart.

PEgreet is a tool that performs static analysis and feature extraction on Portable Executable files. It should help with your first steps in analyzing a malware sample.

Features

Implemented

• dump general file information
• compute hashes (MD5, SHA1, SHA256, Imphash, SSDEEP)
• calculate entropy
• detect packers via PEiD signatures
• dump info from headers
• dump info from sections
• dump imports and exports
• annotate suspicious Windows API functions
• display file parsing warnings
• disassemble code from entry point
• find strings
• categorize strings

In Progress

• recognize known malicious section names

To Do

• annotate suspicious entropy and size mismatches
• extract resources
• lookup on VirusTotal
• lookup for public sandbox reports
• check file against YARA rules
• check digital signature
• sort strings with StringSifter
• extract obfuscated strings with FLOSS
• custom output (csv, json, markdown)
• modular design

Screenshots

Installation

PEgreet uses Python 3

Get PEgreet

git clone https://github.com/patrickarmengol/PEgreet.git
cd PEgreet

Install Required Dependencies

• pefile

pip install -r requirements.txt

Install Optional Dependencies

• ssdeep + python-ssdeep for generating ssdeep hashes
• capstone for code disassembly

(install ssdeep using package manager)
pip install -r optional-requirements.txt

Usage

usage: pegreet.py [-h] [-i] [-s [{c,a}]] [-d N] file

a tool to perform static analysis and feature extraction on Portable Executable files

positional arguments:
  file        the file's path

optional arguments:
  -h, --help  show this help message and exit
  -i          print useful info
  -s [{c,a}]  print strings - [c]ategorized (default) or [a]ll
  -d N        disassemble a specified number instructions from entry point

Notes

I started this project in an attempt to learn about PE files and feature extraction for use in malware data science.

There are many other (better) tools available that implement similar functionality (see below). What I tried to do with PEgreet is to focus on only the features that are useful to malware analysis to make it easier to digest the information. PEgreet also provides annotations for suspicious indicators that can be used as jumping points for an investigation.

The pefile library was used extensively to implement the parsing of PE files. I would like to explore using the LIEF project instead as it supports multiple executable formats and it was used in the EMBER dataset. Maybe I'll follow this project up with an 'ELFgreet'.

Resources

Similar Tools

• pefile - python library for reading PE info
• peframe - PE analysis tool
• PEpper - PE analysis tool
• PEcli - PE analysis tool
• PPEE - PE analysis tool
• PE Studio - PE analysis tool
• pev - PE analysis tool
• pecheck - PE analysis tool
• PE-bear - PE analysis tool
• PE-sieve - scans live PEs for suspicious indicators and dumps
• PE_unmapper - convert dump to raw
• IAT Patcher - IAT editor

PE file info

• corkami PE101 and PE102 - fantastic visualizations
• corkami PE wiki - lots of info
• corkami PE POCs - cool/weird stuff
• PE format layout graph - nice visualization
• PE format walkthrough - overlay of PE format on raw hex
• PE Format - PE documentation by MS
• An In-Depth Look into the Win32 Portable Executable File Format Part 1 and Part 2 - writeups by MS