pegreet 0.4.1

Library and CLI tool for parsing, validating, modifying, and updating `pyproject.toml` files.

pegreet

Greet your malware samples before you tear them apart.

pegreet is a tool that performs static analysis and feature extraction on Portable Executable files. As a cli app, it should help with first steps in malware analysis / reverse engineering. As a library, it can be used to extract useful information from samples in bulk for use in exploratory data analysis or building malware classification models.

---

Table of Contents

• Features
• Screenshots
• Installation
• Resources
• Notes
• License

Features

Implemented

• dump general file information
• compute hashes (MD5, SHA1, SHA256, Imphash, SSDEEP)
• calculate entropy
• detect packers via PEiD signatures
• dump info from headers
• dump info from sections
• dump imports and exports
• annotate suspicious Windows API functions
• display file parsing warnings
• disassemble code from entry point
• find strings
• categorize strings

To Do

• recognize known malicious section names
• annotate suspicious entropy and size mismatches
• extract resources
• lookup on VirusTotal
• lookup for public sandbox reports
• check file against YARA rules
• check digital signature
• sort strings with StringSifter
• extract obfuscated strings with FLOSS
• custom output (csv, json, markdown)

Screenshots

Installation

as a module

<virtual environment shenanigans>
pip install pegreet

as a cli app

pipx install pegreet

---

Usage

$ pegreet --help

 Usage: pegreet [OPTIONS] COMMAND [ARGS]...

╭─ Options ───────────────────────────────────────────╮
│ --help                        Show this message and │
│                               exit.                 │
╰─────────────────────────────────────────────────────╯
╭─ Commands ──────────────────────────────────────────╮
│ disassemble  disassemble a specified number         │
│              instructions from entry point          │
│ info         print useful info                      │
│ strings      print strings                          │
╰─────────────────────────────────────────────────────╯

Notes

I started this project in 2020 in an attempt to learn about PE files and feature extraction for use in malware data science.

There are many other (better) tools available that implement similar functionality (see below). What I tried to do with pegreet is to focus on only the features that are useful to malware analysis to make it easier to digest the information. pegreet also provides annotations for suspicious indicators that can be used as jumping points for an investigation.

The pefile library was used extensively to implement the parsing of PE files. I would like to explore using the LIEF project instead as it supports multiple executable formats and it was used in the EMBER dataset. Maybe I'll follow this project up with an 'ELFgreet'.

Resources

Similar Tools

• pefile - python library for reading PE info
• peframe - PE analysis tool
• PEpper - PE analysis tool
• PEcli - PE analysis tool
• PPEE - PE analysis tool
• PE Studio - PE analysis tool
• pev - PE analysis tool
• pecheck - PE analysis tool
• PE-bear - PE analysis tool
• PE-sieve - scans live PEs for suspicious indicators and dumps
• PE_unmapper - convert dump to raw
• IAT Patcher - IAT editor

PE file info

• corkami PE101 and PE102 - fantastic visualizations
• corkami PE wiki - lots of info
• corkami PE POCs - cool/weird stuff
• PE format layout graph - nice visualization
• PE format walkthrough - overlay of PE format on raw hex
• PE Format - PE documentation by MS
• An In-Depth Look into the Win32 Portable Executable File Format Part 1 and Part 2 - writeups by MS

License

pegreet is distributed under the terms of any of the following licenses:

• Apache-2.0
• MIT