Pftriage – Python Tool And Library To Help Analyze Files During Malware Triage And Analysis

Pftriage - Python Tool And Library To Help Analyze Files During Malware Triage And Analysis

pftriage is a instrument to assist analyze information throughout malware triage. It permits an analyst to shortly view and extract properties of a file to assist through the triage course of. The instrument additionally has an analyze perform which might detect widespread malicious indicators utilized by malware.

Note: On Mac – Apple has carried out their very own model of the file command. However, libmagic might be put in utilizing homebrew

$ brew set up libmagic


utilization: pftriage [options]

Show details about a file for triage.

positional arguments:
  file                  The file to triage.

optionally available arguments:
  -h, --help            present this assist message and exit
  -i, --imports         Display import tree
  -s, --sections        Display overview of sections. For extra detailed data
                        go the -v swap
  --removeoverlay       Remove overlay knowledge.
  --extractoverlay      Extract overlay knowledge.
  -r, --resources       Display useful resource informations
                        Dump knowledge utilizing the handed offset or 'ALL'. Currently
                        solely works with sources.
  -a, --analyze         Analyze the file.
  -v, --verbose         Display model.
  -V, --version         Print model and exit.

Display Section data through the use of the -s or –sections swap. Additionally you possibly can go (-v) for a extra verbose view of part particulars.
To export a piece go –dump and the specified part Virtual Address. (ex: –dump 0x00001000)

 ---- Section Overview (use -v for detailed part data)  ----

 Name        Raw Size    Raw Data Pointer  Virtual Address     Virtual Size        Entropy             Hash
 .textual content       0x00012200  0x00000400        0x00001000          0x000121d8          6.71168555177       ff38fce4f48772f82fc77b4ef223fd74
 .rdata      0x00005a00  0x00012600        0x00014000          0x0000591a          4.81719489022       b0c15ee9bf8480a07012c2cf277c3083
 .knowledge       0x00001a00  0x00018000        0x0001a000          0x0000ab80          5.28838495072       5d969a878a5106ba526aa29967ef877f
 .rsrc       0x00002200  0x00019a00        0x00025000          0x00002144          7.91994689603       d361caffeadb934c9f6b13b2474c6f0f
 .overlay    0x00009b30  0x0001bc00        0x00000000          0x00000000          0                   N/A

Display useful resource knowledge through the use of -r or –resources.

 ---- Resource Overview ----

  Name        Language        SubLang             Offset      Size        Code Page   Type
  0x68        LANG_RUSSIAN    RUSSIAN             0x000250e0  0x00000cee  0x000004e4
  0x69        LANG_RUSSIAN    RUSSIAN             0x00025dd0  0x000011e6  0x000004e4

  Name        Language        SubLang             Offset      Size        Code Page   Type
  0x1         LANG_ENGLISH    ENGLISH_US          0x00026fb8  0x0000018b  0x000004e4

To extract a particular useful resource use -D with the specified offset. If you wish to extract all sources go ALL istead of a particular offset.

Display Import knowledge and modules utilizing -i or –imports. Imports that are recognized as ordinals will likely be recognized and embody the Ordinal used.

[*] Loading File...
 ---- Imports ----
 Number of imported modules: 4

  |-- GetProcessHeap
  |-- HeapFree
  |-- HeapAlloc
  |-- SetLastError
  |-- GetLastError

  |-- getaddrinfo
  |-- freeaddrinfo
  |-- closesocket Ordinal[3] (Imported by Ordinal)
  |-- WSAStartup Ordinal[115] (Imported by Ordinal)
  |-- socket Ordinal[23] (Imported by Ordinal)
  |-- ship Ordinal[19] (Imported by Ordinal)
  |-- recv Ordinal[16] (Imported by Ordinal)
  |-- join Ordinal[4] (Imported by Ordinal)

  |-- CoCreateInstance
  |-- ...

Display exports utilizing -e or –exports.

[*] Loading File...

 ---- Exports ----
 Total Exports: 5
 Address     Ordinal   Name
 0x00001151  1         DiscoverResources
 0x00001103  2         LoadBITMAP
 0x00001137  3         LoadICON
 0x000010e9  4         LoadIMAGE
 0x0000111d  5         LoadSTRINGW

File and model metadata is displayed if no choices are handed on the commandline.

[*] Loading File...
[*] Processing File particulars...

---- File Summary ----

     Filename         samaple.exe
     Magic Type       PE32 executable (GUI) Intel 80386, for MS Windows
     Size             135168
     First Bytes      4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00

     MD5              8e8a8fe8361c7238f60d6bbfdbd304a8
     SHA1             557832efe10daff3f528a3c3589eb5a6dfd12447
     SHA256           118983ba4e1c12a366d7d6e9461c68bf222e2b03f3c1296091dee92ac0cc9dd8
     Import Hash      0239fd611af3d0e9b0c46c5837c80e09

     Linker Version   12.0 - (Visual Studio 2013)
     Image Base       0x400000
     Compile Time     Thu Jun 23 16:04:21 2016 UTC
     Checksum         0
     Filename         pattern.exe
     EP Bytes         55 8b ec 51 83 65 fc 00 8d 45 fc 56 57 50 e8 64
     Signature        0x4550
     First Bytes      4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
     Sections         4
     Entry Point      0x139de
     Packed           False
     Size             135168

PFTriage can performa a easy evaluation of a file to determine malicious traits.

[*] Loading File...
[*] Analyzing File...
[*] Analysis Complete...

  [!] Checksum        Invalid CheckSum
  [!] AntiDebug       AntiDebug Function import [GetTickCount]
  [!] AntiDebug       AntiDebug Function import [QueryPerformanceCounter]
  [!] Imports         Suspicious API Call [TerminateProcess]
  [!] AntiDebug       AntiDebug Function import [SetUnhandledExceptionFilter]
  [!] AntiDebug       AntiDebug Function import [IsDebuggerPresent]

Overlay Data
Overlay knowledge is recognized by analyzing or displaying part data of the file. If overlay knowledge exists PFTriage can both take away the info through the use of the (–removeoverlay) swap or export the overlay knowledge through the use of the (–extractoverlay) swap.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.