peframe 6

README.rst

@@ -1,28 +1,23 @@
 =============
-PEframe 5.0.1
+PEframe 6.0.0
 =============
 
-PEframe is a open source tool to perform static analysis on `Portable Executable <http://en.wikipedia.org/wiki/Portable_Executable>`_ malware and generic suspicious file. It can help malware researchers to detect packer, xor, digital signature, mutex, anti debug, anti virtual machine, suspicious sections and functions, and much more information about the suspicious files.
-
-Documentation will be available soon.
+PEframe is a open source tool to perform static analysis on `Portable Executable <http://en.wikipedia.org/wiki/Portable_Executable>`_ malware and generic suspicious file. It can help malware researchers to detect packer, xor, digital signature, mutex, anti debug, anti virtual machine, suspicious sections and functions, macro and much more information about the suspicious files.
 
 Usage
 -----
 
 .. code-block:: bash
 
-    $ peframe <filename>            Short output analysis
+    python3 peframe-cli.py <filename>     Short output analysis
+
+    python3 peframe-cli.py -i <filename>  Interactive mode
 
-    $ peframe --json <filename>     Full output analysis JSON format
+    python3 peframe-cli.py -j <filename>  Full output analysis JSON format
     
-    $ peframe --strings <filename>  Strings output
+    python3 peframe-cli.py -s <filename>  Strings output
     
-You can edit `stringsmatch.json <https://github.com/guelfoweb/peframe/blob/master/peframe/signatures/stringsmatch.json>`_ file to configure your fuzzer and virustotal apikey.
-
-Output example
---------------
-
-`Short data example <http://pastebin.com/hrKNtLMN>`_ | `Full data (JSON) example <http://pastebin.com/tpmdsibd/>`_
+You can edit `config-peframe.json <https://github.com/guelfoweb/peframe/blob/master/peframe/signatures/stringsmatch.json>`_ file in "config" folder to configure virustotal API key.
 
 
 Install
@@ -32,29 +27,20 @@ Install
 
 .. code-block::
 
-    Python 2.7.x
+    Python >= 3.6.6
+    libssl-dev
+    swig
 
 **How to**
 
-To install from PyPI:
-
- .. code-block:: bash
-
-   # pip install https://github.com/guelfoweb/peframe/archive/master.zip
-
-To install from source:
-
- .. code-block:: bash
-
-   $ git clone https://github.com/guelfoweb/peframe.git
+Install using PyPI:
 
-   $ cd peframe
+   pip3 install -r requirements.txt
 
-   # python setup.py install
+Install on Debian/Ubuntu:
 
-**Note**
+   bash install.sh
 
-For Windows environment, you need to follow the instructions here: https://github.com/ahupp/python-magic#dependencies (Thanks to `Biagio <https://www.linkedin.com/in/biagiotagliaferro/>`_)
 
 Talk about...
 -------------
@@ -66,7 +52,7 @@ Talk about...
   * `Automated Static and Dynamic Analysis of Malware <http://www.cyberdefensemagazine.com/newsletters/august-2013/index.html#p=26>`_ *(Cyber Defence Magazine, Andrew Browne, Director Malware Lab Lavasoft).*
   * `Suspicious File Analysis with PEframe <https://eforensicsmag.com/download/malware-analysis/>`_ *(eForensics Magazine, Chintan Gurjar)*
   * `CERT FR Security Bulletin <https://www.cert.ssi.gouv.fr/actualite/CERTFR-2014-ACT-030/>`_ *(PEframe was mentioned in the security bulletin CERTFR-2014-ACT-030)*
-  * `Infosec CERT-PA Malware Analysis <https://infosec.cert-pa.it/analyze/submission.html>`_ *(PEframe is used in the malware analysis engine of Infosec project, developed by Davide Baglieri)*
+  * `Infosec CERT-PA Malware Analysis <https://infosec.cert-pa.it/analyze/submission.html>`_ *(PEframe is used in the malware analysis engine of Infosec project)*
 
 Other
 -----

config/config-peframe.json

@@ -0,0 +1,3 @@
+{
+	"virustotal": ""
+}

install.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# PEFrame 6.0
+# Debian/Ubuntu Installation
+
+echo "Check for python3......"
+if [ -z $(which python3) ]; then
+	sudo apt -y install python3
+	sudo apt -y install python3-dev
+fi
+
+echo "Check for pip3........."
+if [ -z $(which pip3) ]; then
+	sudo apt -y install python3-pip
+fi
+
+echo "Install libssl-dev....."
+sudo apt -y install libssl-dev
+
+echo "Install swig..........."
+sudo apt -y install swig
+
+echo "Install dependencies..."
+pip3 install -r requirements.txt

modules/apialert.py

@@ -0,0 +1,14 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+def get_result(pe, strings_match):
+	alerts = []
+	if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
+		for lib in pe.DIRECTORY_ENTRY_IMPORT:
+			for imp in lib.imports:
+				for alert in strings_match:
+					if alert and imp.name != None: # remove 'null'
+						if imp.name.decode('ascii').startswith(alert):
+							alerts.append(imp.name.decode('ascii'))
+
+	return sorted(set(alerts))

modules/autocomplete.py

@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+# https://stackoverflow.com/questions/7821661/how-to-code-autocompletion-in-python
+
+import readline
+
+class MyCompleter(object):  # Custom completer
+
+	def __init__(self, cmd_list):
+		self.cmd_list = sorted(cmd_list)
+
+	def complete(self, text, state):
+		if state == 0:  # on first trigger, build possible matches
+			if text:  # cache matches (entries that start with entered text)
+				self.matches = [s for s in self.cmd_list 
+									if s and s.startswith(text)]
+			else:  # no text entered, all matches possible
+				self.matches = self.cmd_list[:]
+
+		# return match indexed by state
+		try: 
+			return self.matches[state]
+		except IndexError:
+			return None
+
+
+def get_result(cmd_list, prompt_text):
+	completer = MyCompleter(cmd_list)
+	readline.set_completer(completer.complete)
+	readline.set_completer_delims(' \t\n;')
+	readline.parse_and_bind('tab: complete')
+
+	for cmd in cmd_list:
+		readline.add_history(cmd)
+
+	raw = input(prompt_text+' ')
+
+	return raw