Question: # Please create a runnable program (recommend using Python). # This program should be able to scan a folder, and analyze the PE structure of





# Please create a runnable program (recommend using Python). # This program should be able to scan a folder, and analyze the PE structure of each malware sample. # Then, implement the following heuristic rules: # 1. If three or more export functions have the same memory address, it's malware. # 2. If three or more export functions have the same memory offset (the differences between adjacent export function addresses are the same), it's malware. # When running your program, it should be able to scan through all malware samples and output which rules that malware sample violates. # import pefile import sys import array import os # Check for two or more duplicates in array # def checkForDup(array): # for elem in array: if array.count(elem) >= 2: return True return false # # # # Check for three or more duplicates in array def checkForDupThree(array): for elem in array: if array.count(elem) >= 3: return True return false # get current working directory path = os.getcwd() # testing - print all files in directory # with os.scandir(path) as files: for file in files: print(file.name) -- INSERT -- # # 1,15 Top # print array for testing # print each element on new line # print(*array, sep = " ") # Boolean for suspicious file printing sus_file = False # check if array has three or more duplicate memory addresses result = checkForDupThree( array) if result: sus_file = True print("\tSUSPICIOUS FILE DETECTED \tREASON: contains three or more export functions with the same memory address") # Sort array array.sort() #create array to store memory offset values offset_arr = [] # iterate through array, subtract adjacent elements to get memory offset, and store to diff_list array for i in range(1, len(array)): offset_arr.append( array[i] - array [i-1]) #test print array # print(offset_arr) # check if array has three or more duplicate memory offset values result = checkForDupThree( offset_arr) if result: if sus_file: print("\tREASON: contains three or more export functions with the same memory 
offset") else: print("\tSUSPICIOUS FILE DETECTED \tREASON: contains three or more export functions with the same memory offset") sus_file = True # If file is not suspicious if not sus_file: print("\tFILE DOES NOT CONTAIN EXPORT FUNCTIONS THAT MATCH DEFINED HEURISTIC RULES") # Line spacing print (" ") # testing - print all files in directory # with os.scandir(path) as files: for file in files: # print(file.name) # # print(" ") # iterate through files in directory with os.scandir(path) as files: for file in files: # filter for files that do not end with ".py" # if (file.path.endswith(".dll") or file.path.endswith(".DLL")): if not (file.path.endswith(".py")): pe = pefile.PE(file) if hasattr(pe, 'DIRECTORY_ENTRY_EXPORT'): print("SCANNING FILE: %s"%file.name) array = [] for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols: # convert hex to integer and store to array array.append((( int(exp.address + pe.OPTIONAL_HEADER.ImageBase)))) # print array for testing # print each element on new line # print(*array, sep = " ") # Boolean for suspicious file printing sus_file = False # check if array has three or more duplicate memory addresses result = checkForDupThree( array) if result: sus_file = True print("\tSUSPICIOUS FILE DETECTED \tREASON: contains three or more export functions with the same memory address") # Sort array array.sort() #create array to store memory offset values offset_arr = [] INSERT -- 73,1 6 5>And we get the result as below: X100011e0 b'CreateDatabaseQueryObject' 1 5x100011e0nalware b'DataImporterMain' 2 x100011e0 b'FlashboxMain' 3 5x10001000 b'kugouMain' 4 defaultdict(
