Library and CLI tool for parsing, validating, modifying, and updating `pyproject.toml` files.

These details have not been verified by PyPI

Project links

Project description

pegreet

Greet your malware samples before you tear them apart.

pegreet is a tool that performs static analysis and feature extraction on Portable Executable files. As a cli app, it should help with first steps in malware analysis / reverse engineering. As a library, it can be used to extract useful information from samples in bulk for use in exploratory data analysis or building malware classification models.

Table of Contents

Features
Screenshots
Installation
Resources
Notes
License

Features

Implemented

dump general file information
compute hashes (MD5, SHA1, SHA256, Imphash, SSDEEP)
calculate entropy
detect packers via PEiD signatures
dump info from headers
dump info from sections
dump imports and exports
annotate suspicious Windows API functions
display file parsing warnings
disassemble code from entry point
find strings
categorize strings

To Do

recognize known malicious section names
annotate suspicious entropy and size mismatches
extract resources
lookup on VirusTotal
lookup for public sandbox reports
check file against YARA rules
check digital signature
sort strings with StringSifter
extract obfuscated strings with FLOSS
custom output (csv, json, markdown)

Screenshots

Installation

as a module

<virtual environment shenanigans>
pip install pegreet

as a cli app

pipx install pegreet

Usage

as a module

from pathlib import Path
import pegreet

pe = pegreet.load(Path('data/samples/petya.exe'))

info_data = pegreet.info(pe)
print(info_data)
print(pegreet.pretty_info(info_data))

strings_data = pegreet.find_strings(pe)
print(strings_data)
print(pegreet.pretty_strings(strings_data))

print(pegreet.disasm(pe, num_lines=40))

as a cli app

$ pegreet --help

 Usage: pegreet [OPTIONS] COMMAND [ARGS]...

╭─ Options ───────────────────────────────────────────╮
│ --help                        Show this message and │
│                               exit.                 │
╰─────────────────────────────────────────────────────╯
╭─ Commands ──────────────────────────────────────────╮
│ disassemble  disassemble a specified number         │
│              instructions from entry point          │
│ info         print useful info                      │
│ strings      print strings                          │
╰─────────────────────────────────────────────────────╯


$ pegreet info data/samples/petya.exe
...


$ pegreet strings --show-uncategorized data/samples/petya.exe
...


$ pegreet disassemble data/samples/petya.exe 40
...

Notes

I started this project in 2020 in an attempt to learn about PE files and feature extraction for use in malware data science.

There are many other (better) tools available that implement similar functionality (see below). What I tried to do with pegreet is to focus on only the features that are useful to malware analysis to make it easier to digest the information. pegreet also provides annotations for suspicious indicators that can be used as jumping points for an investigation.

The pefile library was used extensively to implement the parsing of PE files. I would like to explore using the LIEF project instead as it supports multiple executable formats and it was used in the EMBER dataset. Maybe I'll follow this project up with an 'ELFgreet'.

Resources

Similar Tools

pefile - python library for reading PE info
peframe - PE analysis tool
PEpper - PE analysis tool
PEcli - PE analysis tool
PPEE - PE analysis tool
PE Studio - PE analysis tool
pev - PE analysis tool
pecheck - PE analysis tool
PE-bear - PE analysis tool
PE-sieve - scans live PEs for suspicious indicators and dumps
PE_unmapper - convert dump to raw
IAT Patcher - IAT editor

PE file info

corkami PE101 and PE102 - fantastic visualizations
corkami PE wiki - lots of info
corkami PE POCs - cool/weird stuff
PE format layout graph - nice visualization
PE format walkthrough - overlay of PE format on raw hex
PE Format - PE documentation by MS
An In-Depth Look into the Win32 Portable Executable File Format Part 1 and Part 2 - writeups by MS

License

pegreet is distributed under the terms of any of the following licenses:

Project details

These details have not been verified by PyPI

Project links

Release history Release notifications | RSS feed

This version

0.4.2

Dec 17, 2022

0.4.1

Dec 16, 2022

0.4.0

Dec 16, 2022

0.3.0

Dec 16, 2022

0.2.0

Dec 15, 2022

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pegreet-0.4.2.tar.gz (11.1 MB view details)

Uploaded Dec 17, 2022 Source

Built Distribution

pegreet-0.4.2-py3-none-any.whl (13.3 kB view details)

Uploaded Dec 17, 2022 Python 3

File details

Details for the file pegreet-0.4.2.tar.gz.

File metadata

Download URL: pegreet-0.4.2.tar.gz
Upload date: Dec 17, 2022
Size: 11.1 MB
Tags: Source
Uploaded using Trusted Publishing? No
Uploaded via: python-httpx/0.23.1

File hashes

Hashes for pegreet-0.4.2.tar.gz
Algorithm	Hash digest
SHA256	`743042e38eba155edab6464d8f866327caece974de6ba6134e07805931f1a25d`
MD5	`e3069bbd8e417f58b578f4336aabcd68`
BLAKE2b-256	`7b75d77d5ed95a9dbcfa8ba1c1aab35d2a614833256a538bfc859e638d53b63c`

See more details on using hashes here.

File details

Details for the file pegreet-0.4.2-py3-none-any.whl.

File metadata

Download URL: pegreet-0.4.2-py3-none-any.whl
Upload date: Dec 17, 2022
Size: 13.3 kB
Tags: Python 3
Uploaded using Trusted Publishing? No
Uploaded via: python-httpx/0.23.1

File hashes

Hashes for pegreet-0.4.2-py3-none-any.whl
Algorithm	Hash digest
SHA256	`fc649c83186a68469e37396a646a0e0eebad7c86fd200f1a33ab7e66d6169475`
MD5	`7777cb75f30af69f5bdd4e9e6b00418a`
BLAKE2b-256	`3eaa652f84c9cbb798a278ecbde39ae55a111fb196618e2571e2af9d6de7c67d`