PEpper - An Open Source Script To Perform Malware Static Analysis On Portable Executable
An open source tool to perform malware static analysis on Portable Executable
Installation
eva@paradise: $ git clone https://github.com/Th3Hurrican3/PEpper/
eva@paradise: $ cd PEpper
eva@paradise: $ pip3 install -r requirements.txt
eva@paradise: $ python3 pepper.py ./malware_dir
Screenshot
CSV output
Features extracted
- Suspicious entropy ratio
- Suspicious name ratio
- Suspicious code size
- Suspicious debugging time-stamp
- Number of exports
- Number of anti-debugging calls
- Number of virtual-machine detection calls
- Number of suspicious API calls
- Number of suspicious strings
- Number of YARA rules matches
- Number of URLs found
- Number of IPs found
- Cookie on the stack (GS) support
- Control Flow Guard (CFG) support
- Data Execution Prevention (DEP) support
- Address Space Layout Randomization (ASLR) support
- Structured Exception Handling (SEH) support
- Thread Local Storage (TLS) support
- Presence of manifest
- Presence of version
- Presence of digital certificate
- Packer detection
- VirusTotal database detection
- Import hash
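Several of the columns above come straight from the PE headers. As an added example (not PEpper's own code), the following stdlib-only Python reads IMAGE_OPTIONAL_HEADER.DllCharacteristics to derive the DEP, ASLR, SEH and CFG support flags, and computes the per-section entropy ratio; the 7.0 entropy cut-off and the minimal constructed PE header are assumptions for the demonstration.

```python
import math
import struct
from collections import Counter

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040  # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100     # image is compatible with DEP
NO_SEH = 0x0400        # image uses no structured exception handlers
GUARD_CF = 0x4000      # image was built with Control Flow Guard

def read_dll_characteristics(pe: bytes) -> int:
    """Follow e_lfanew to the PE signature, skip the COFF header, read DllCharacteristics."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # 4-byte signature + 20-byte COFF file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", pe, opt + 70)[0]  # offset 70 in both PE32 and PE32+

def mitigation_support(dll_characteristics: int) -> dict:
    """Translate the flag word into the DEP/ASLR/SEH/CFG support columns."""
    return {
        "dep": bool(dll_characteristics & NX_COMPAT),
        "aslr": bool(dll_characteristics & DYNAMIC_BASE),
        "seh": not dll_characteristics & NO_SEH,  # SEH counts as supported unless disabled
        "cfg": bool(dll_characteristics & GUARD_CF),
    }

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted sections approach 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def suspicious_entropy_ratio(sections: list, threshold: float = 7.0) -> float:
    """Share of sections above the threshold (7.0 is an assumed cut-off, not PEpper's)."""
    return sum(1 for s in sections if shannon_entropy(s) > threshold) / len(sections) if sections else 0.0

def build_sample_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal header (DOS stub, PE signature, COFF header, PE32 optional header)."""
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, 0x102)  # i386, 1 section, 96-byte opt hdr
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Running `mitigation_support(read_dll_characteristics(open(path, "rb").read()))` on a real file gives the same four columns PEpper reports; sections for the entropy ratio would be sliced using the section table that follows the optional header.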
Notes
- Can be run on a single PE or on multiple PEs (placed within a directory)
- Output will be saved (in the same directory as pepper.py) as output.csv
- To use the VirusTotal scan, add your own API key in the module called "virustotal.py" (Internet connection required)
Credits
Many thanks to those who indirectly helped me in this work, especially:
- The LIEF project and its awesome library
- PEstudio, a really amazing software to analyze PE
- PEframe from guelfoweb, an incredible widespread tool to perform static analysis on Portable Executable malware and malicious MS Office documents
- Yara-Rules project, which provides compiled signatures, classified and kept as up to date as possible