opexxx

pehash.py

Jun 3rd, 2014
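#!/usr/bin/python
"""Print a peHash-style SHA-1 digest for the PE file named in sys.argv[1].

A bit string is assembled from PE header fields and, for every section, its
virtual address, raw size, characteristics and a bz2 compression ratio; the
SHA-1 of that bit string is printed on stdout. On any failure the line
"ERROR not PE" is printed on stdout and the reason goes to stderr.

NOTE(review): the bit selection below has quirks (7-bit slices, Machine read
under a "subsystem" label, the compression input) that are kept exactly as
written, because changing any of them changes every digest. Digests are
therefore only comparable with digests produced by this same code; confirm
before matching them against values from another peHash implementation.
"""
from __future__ import division

import sys
import pefile
import bitstring
import string  # no longer referenced (zfill is called as a str method); kept from the original import list
import bz2
import hashlib

# sys.argv always contains the script name, so "no file given" means fewer
# than two entries. The original tested `< 1` and called an undefined
# `parser`, so the check could never fire.
if len(sys.argv) < 2:
    sys.exit("no files specified")

try:
    exe = pefile.PE(sys.argv[1])

    # Image characteristics. tobytes() zero-pads on the right up to a byte
    # boundary, so a value whose hex form has an odd number of digits is
    # shifted left by one nibble.
    img_chars = bitstring.BitArray(hex(exe.FILE_HEADER.Characteristics))
    img_chars = bitstring.BitArray(bytes=img_chars.tobytes())
    # Slices are end-exclusive: each operand is 7 bits, not a full byte.
    img_chars_xor = img_chars[0:7] ^ img_chars[8:15]

    # Start to build the pehash bit string.
    pehash_bin = bitstring.BitArray(img_chars_xor)

    # Labelled "subsystem" in the original, but the field read is
    # FILE_HEADER.Machine.
    # NOTE(review): published peHash descriptions use the optional header's
    # Subsystem here - confirm which one was intended.
    sub_chars = bitstring.BitArray(hex(exe.FILE_HEADER.Machine))
    sub_chars = bitstring.BitArray(bytes=sub_chars.tobytes())
    sub_chars_xor = sub_chars[0:7] ^ sub_chars[8:15]
    pehash_bin.append(sub_chars_xor)

    # Stack commit size: left-pad the bit string to 32 bits, XOR three 7-bit
    # slices, then let tobytes() pad the 7-bit result to one byte.
    stk_size = bitstring.BitArray(hex(exe.OPTIONAL_HEADER.SizeOfStackCommit))
    stk_size = bitstring.BitArray(bin=stk_size.bin.zfill(32))
    stk_size_xor = stk_size[8:15] ^ stk_size[16:23] ^ stk_size[24:31]
    stk_size_xor = bitstring.BitArray(bytes=stk_size_xor.tobytes())
    pehash_bin.append(stk_size_xor)

    # Heap commit size: same treatment as the stack commit size.
    hp_size = bitstring.BitArray(hex(exe.OPTIONAL_HEADER.SizeOfHeapCommit))
    hp_size = bitstring.BitArray(bin=hp_size.bin.zfill(32))
    hp_size_xor = hp_size[8:15] ^ hp_size[16:23] ^ hp_size[24:31]
    hp_size_xor = bitstring.BitArray(bytes=hp_size_xor.tobytes())
    pehash_bin.append(hp_size_xor)

    # exe.write() rebuilds the whole file image; nothing modifies `exe`
    # between sections, so build it once instead of once per section.
    image = exe.write()

    for section in exe.sections:
        # Virtual address, right-padded to whole bytes.
        sect_va = bitstring.BitArray(hex(section.VirtualAddress))
        sect_va = bitstring.BitArray(bytes=sect_va.tobytes())
        pehash_bin.append(sect_va)

        # Raw size: byte-align, left-pad to 32 bits, keep bits 8..30.
        sect_rs = bitstring.BitArray(hex(section.SizeOfRawData))
        sect_rs = bitstring.BitArray(bytes=sect_rs.tobytes())
        sect_rs = bitstring.BitArray(bin=sect_rs.bin.zfill(32))
        sect_rs = bitstring.BitArray(bytes=sect_rs.tobytes())
        pehash_bin.append(sect_rs[8:31])

        # Section characteristics: XOR of two 7-bit slices.
        sect_chars = bitstring.BitArray(hex(section.Characteristics))
        sect_chars = bitstring.BitArray(bytes=sect_chars.tobytes())
        sect_chars_xor = sect_chars[16:23] ^ sect_chars[24:31]
        pehash_bin.append(sect_chars_xor)

        # Compression ratio used as a complexity estimate.
        # NOTE(review): `raw` is everything in the image from offset
        # VirtualAddress + SizeOfRawData to the end, not the section's own
        # bytes (section.get_data() would return those) - confirm intent.
        address = section.VirtualAddress
        size = section.SizeOfRawData
        raw = image[address + size:]
        if size == 0:
            # Avoid dividing by zero: an empty section gets a fixed ratio of 1.
            kolmog = bitstring.BitArray(float=1, length=32)
            pehash_bin.append(kolmog[0:7])
            continue
        k = len(bz2.compress(raw)) / size
        # Only the first 7 bits of the 32-bit float encoding are kept.
        kolmog = bitstring.BitArray(float=k, length=32)
        pehash_bin.append(kolmog[0:7])

    m = hashlib.sha1()
    m.update(pehash_bin.tobytes())
    print(m.hexdigest())

except Exception as err:
    # The original bare `except:` also swallowed KeyboardInterrupt/SystemExit
    # and hid the cause. The stdout line is unchanged for existing callers;
    # the reason goes to stderr, repr()-escaped because both the path and
    # the parser message can carry bytes taken from an untrusted sample.
    sys.stderr.write("pehash: %r: %r\n" % (sys.argv[1], err))
    print("ERROR not PE")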