

python malware scanner

섹션수가 적은거로 악성여부를 의심하면 안되는구나 ㅡㅡ; (i.e. a small section count alone is not a reliable sign of malice — the `NumberOfSections < 3` heuristic below produces false positives on lean legitimate binaries.)



import os
import re
import struct
import sys

import pefile


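# Printable base64 alphabet. Its literal presence in a binary often means an
# embedded encoder/decoder table. It is matched as a plain substring, NOT as a
# regex: the trailing '+' and '/' would otherwise be read as metacharacters and
# the pattern would never match the real table.
base64table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

# Imported API names commonly seen in downloaders/droppers. Win32 exports usually
# carry an A/W suffix (ShellExecuteA, URLDownloadToFileW), which is stripped
# before comparison so these names actually match real import tables.
blist = ['IsDebuggerPresent', 'ShellExecute', 'ShellExecuteEx', 'URLDownloadToFile']

# Extensions a PE image is expected to carry (lower-case; compared case-insensitively,
# since Windows file names are case-insensitive).
exts = ['exe', 'sys', 'ocx', 'dll']


def _has_embedded_pe(data):
    """Return True if a second DOS/PE header pair appears after offset 0 of *data*.

    Every 'MZ' after the first byte is treated as a candidate DOS header: its
    e_lfanew field (little-endian DWORD at +0x3C) must point past the header
    to a 'PE\\0\\0' signature. This replaces the old 'MZ...{238}PE' regex, which
    only caught images whose e_lfanew happened to be exactly 0xF0.
    """
    pos = data.find(b'MZ', 1)
    while pos != -1:
        # Need the whole 0x40-byte DOS header to read e_lfanew safely.
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from('<I', data, pos + 0x3C)[0]
            hdr = pos + e_lfanew
            if hdr > pos and data[hdr:hdr + 4] == b'PE\0\0':
                return True
        pos = data.find(b'MZ', pos + 1)
    return False


def _suspicious_import(name):
    """Return True if an import name is in blist, ignoring a trailing A/W suffix.

    *name* may be None (import by ordinal), bytes (pefile on Python 3) or str.
    """
    if name is None:
        return False
    if isinstance(name, bytes):
        name = name.decode('latin-1')
    if name in blist:
        return True
    return name[-1:] in ('A', 'W') and name[:-1] in blist


def func(fname):
    """Apply a chain of cheap static heuristics to one file and print the first hit.

    Checks, in order: MZ magic, file extension, embedded second PE header,
    base64 alphabet, 'UPX' marker, suspicious imported APIs, and import
    descriptor / section counts. Each check is a heuristic, not proof of
    malice; exactly one line is printed for the first check that fires and
    nothing is printed for clean or non-PE files. Returns None.

    Raises IOError/OSError if *fname* cannot be opened.
    """
    # Binary mode and a context manager: the original opened in text mode
    # (mangles bytes on Windows) and leaked the handle on every early return.
    with open(fname, 'rb') as fd:
        data = fd.read()

    if data[:2] != b'MZ':
        # not a PE image
        return

    # os.path.splitext handles names without a dot; lower() makes 'EXE' == 'exe'.
    fext = os.path.splitext(fname)[1][1:].lower()
    if fext not in exts:
        print(fname + ' is PE with wrong extension!')
        return

    if _has_embedded_pe(data):
        print(fname + ' has embbeded PE')
        return

    if base64table.encode('ascii') in data:
        print(fname + ' has base64 table!')
        return

    if b'UPX' in data:
        print(fname + ' might be UPX packed!')
        return

    # Truncated/malformed headers raise PEFormatError; report them instead of
    # letting them abort the directory walk.
    try:
        pe = pefile.PE(fname, fast_load=True)
    except pefile.PEFormatError as err:
        print(fname + ' could not be parsed by pefile: ' + str(err))
        return
    # Only the regular import table is inspected below.
    pe.parse_data_directories(directories=[
        pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']])

    # pefile omits DIRECTORY_ENTRY_IMPORT entirely when the image has no import
    # table. The original bare except also hid every other error behind this line.
    entries = getattr(pe, 'DIRECTORY_ENTRY_IMPORT', None)
    if entries is None:
        print(fname + ' has no DIRECTORY_ENTRY_IMPORT!?')
        return

    if any(_suspicious_import(imp.name)
           for entry in entries for imp in entry.imports):
        print(fname + ' might be malicious!')
        return

    # Few import descriptors or few sections are weak packer indicators; a lean
    # legitimate binary trips this too, so treat it as a hint, not a verdict.
    if len(entries) < 2 or pe.FILE_HEADER.NumberOfSections < 3:
        print(fname + ' might be packed!')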

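def scan(d):
    """Recursively scan directory *d*, calling func() on every regular file.

    Unreadable directories are reported and skipped; an error raised while
    scanning one file is reported and the walk continues, so a single corrupt
    or unreadable file no longer aborts the whole tree (the original bare
    except printed 'permission denied' for any exception, including those
    raised by func()). Symbolic links to directories are not followed, which
    avoids link cycles. Returns None.
    """
    def _report(err):
        # os.walk hands over the OSError from listdir(); keep the original wording.
        print('permission denied for ' + (getattr(err, 'filename', None) or d))

    for root, _dirs, files in os.walk(d, onerror=_report, followlinks=False):
        for filename in files:
            path = os.path.join(root, filename)
            try:
                func(path)
            except Exception as err:  # keep scanning; say which file failed
                print('error scanning ' + path + ': ' + str(err))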

def main():
    """Entry point: scan the tree rooted at the current working directory."""
    scan(os.curdir)


if __name__ == '__main__':
    # Run the scanner only when executed as a script, not when imported.
    main()


