"""
Author of this code work, Tsubasa Kuwabara. c FFRI Security, Inc. 2020
"""
import subprocess
import shutil
import os
import json
from util import extract_file_recursive
# Captured at import time: main() later chdir()s into the DiE directory, so the
# dataset, result and temp-file paths built from this stay anchored to the
# directory the script was launched from rather than the scanner's directory.
CWD_DIR = os.getcwd()
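def is_die_packingdata_detectable(path, result):
    """Check whether DiE's output names the packer the PackingData tree says.

    The expected packer is the name of the directory directly containing
    the sample (``.../<packer>/<sample>``), with a few spellings rewritten
    to the names DiE reports.

    Args:
        path: Path of the scanned sample inside the PackingData tree.
        result: Parsed JSON emitted by ``diec -j``. Only the ``detects``
            list is read; the dict is not modified, because the caller
            dumps it verbatim into the result file.

    Returns:
        ``(detectable, [label])`` where ``detectable`` is True when at
        least one protector/packer/installer string reported by DiE
        contains the label (case-insensitive substring match).
    """
    label = os.path.basename(os.path.dirname(path))
    label = label.replace("WinUpack", "(Win)Upack")
    label = label.replace("BeRoEXEPacker", "BeRo")
    label = label.replace("Yoda`s Crpyter", "Yoda's Crypter")

    accepted_types = ("protector", "packer", "installer")
    candidates = []
    for entry in result.get("detects") or []:
        if "type" not in entry or "string" not in entry:
            continue
        if entry["type"] not in accepted_types:
            continue
        text = entry["string"]
        # DiE spells NSIS out in full; append the acronym so the label
        # "NSIS" can match. Done on a local copy, not on the entry itself.
        if "Nullsoft Scriptable Install System" in text:
            text += "NSIS"
        candidates.append(text)

    if not candidates:
        return False, [label]
    needle = label.lower()
    return any(needle in candidate.lower() for candidate in candidates), [label]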
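def is_die_rcelab_detectable(path, result):
    """Check whether DiE's output names the protector the RCE_Lab tree says.

    The label starts as the name of the directory containing the sample.
    It is then mapped to DiE's spelling through ``rce_label_convert.json``
    (read from CWD_DIR) when an entry whose key occurs in the label carries
    a ``"die"`` value; otherwise the trailing space-separated token (the
    version, e.g. ``"Foo 1.2" -> "Foo"``) is dropped.

    Args:
        path: Path of the scanned sample inside the RCE_Lab tree.
        result: Parsed JSON emitted by ``diec -j``; only ``detects`` is
            read. A result without ``detects`` counts as "not detected"
            instead of raising KeyError, matching the PackingData check.

    Returns:
        ``(detectable, [label])`` where ``detectable`` is True when a
        protector/packer string reported by DiE contains the label
        (case-insensitive substring match).
    """
    label = os.path.basename(os.path.dirname(path))
    # Two ZProtect UnPackMe variants live one directory deeper, so the
    # containing directory name is not the protector; pin the label.
    if "ZProtect 1.4.4.0/UnPackMe2" in path or "ZProtect 1.4.4.0/UnPackMe1" in path:
        label = "ZProtect"
    label = label.replace("dot", ".")

    with open(os.path.join(CWD_DIR, "rce_label_convert.json"), "r", encoding="utf-8") as f:
        conversions = json.load(f)
    for key, mapping in conversions.items():
        if key in label and "die" in mapping:
            label = mapping["die"]
            break
    else:
        # No explicit mapping: strip the version token; a single-token
        # label is left unchanged.
        label = label.rsplit(" ", 1)[0]

    accepted_types = ("protector", "packer")
    candidates = [
        entry["string"]
        for entry in (result.get("detects") or [])
        if "type" in entry and "string" in entry and entry["type"] in accepted_types
    ]
    if not candidates:
        return False, [label]
    needle = label.lower()
    return any(needle in candidate.lower() for candidate in candidates), [label]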
def is_detectable(path, dataset_name, result):
    """Run the label check that belongs to *dataset_name*.

    Args:
        path: Path of the scanned sample.
        dataset_name: ``"PackingData"`` or ``"RCE_Lab"``.
        result: Parsed JSON emitted by ``diec -j``.

    Returns:
        The ``(detectable, labels)`` tuple of the matching checker, or
        ``(False, [])`` for a dataset this script does not know.
    """
    # Lambdas defer the lookup of the checker functions until one is chosen.
    checkers = {
        "PackingData": lambda: is_die_packingdata_detectable(path, result),
        "RCE_Lab": lambda: is_die_rcelab_detectable(path, result),
    }
    checker = checkers.get(dataset_name)
    if checker is None:
        return False, []
    return checker()
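def scan_file_recursive(path, dataset_name, json_result):
    """Scan every executable under *path* with DiE, appending one record each.

    Every candidate file is copied to ``CWD_DIR/test.exe``, handed to
    ``./diec.sh -j`` (resolved against the process cwd, which main() has
    changed to the DiE directory) and the copy is deleted again. The
    deletion now happens in a ``finally`` block, so a scanner failure no
    longer leaves the copied sample lying in CWD_DIR.

    Args:
        path: Directory to walk recursively.
        dataset_name: ``"PackingData"`` or ``"RCE_Lab"``; selects the
            label check via is_detectable().
        json_result: List that receives one dict per scanned file with the
            keys ``path``, ``name``, ``scan``, ``detectable`` and
            ``labels``.

    Raises:
        subprocess.CalledProcessError: if ``diec.sh`` exits non-zero.
        json.JSONDecodeError: if the scanner output is not JSON.
    """
    for name in os.listdir(path):
        new_path = os.path.join(path, name)
        if os.path.isdir(new_path):
            scan_file_recursive(new_path, dataset_name, json_result)
            continue

        # NOTE(review): this is a substring test on the whole path, not an
        # extension check - a directory component containing ".exe" would
        # also match. Kept as-is; confirm whether
        # new_path.lower().endswith((".exe", ".dll")) is what is intended.
        lowered = new_path.lower()
        if ".exe" not in lowered and ".dll" not in lowered:
            continue

        tmp_path = os.path.join(CWD_DIR, "test.exe")
        shutil.copy(new_path, tmp_path)
        try:
            raw = subprocess.check_output(["./diec.sh", "-j", tmp_path])
        finally:
            os.remove(tmp_path)
        result = json.loads(raw)

        detectable_bool, label_list = is_detectable(new_path, dataset_name, result)
        json_result.append(
            {
                "path": os.path.dirname(new_path),
                "name": os.path.basename(new_path),
                "scan": result,
                "detectable": detectable_bool,
                "labels": label_list,
            }
        )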
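def scan(path, dataset_name):
    """Scan each sub-directory of *path* and write one JSON file per directory.

    Output goes to ``CWD_DIR/result/die/<dataset_name>/<dirname>.json``;
    the output directory is created if it does not exist yet. Entries that
    are not directories, or whose name contains ``.git``, are skipped.

    Args:
        path: Dataset root whose immediate sub-directories are scanned.
        dataset_name: ``"PackingData"`` or ``"RCE_Lab"``; names the
            output sub-directory and selects the label check.
    """
    out_dir = os.path.join(CWD_DIR, "result/die/", dataset_name)
    os.makedirs(out_dir, exist_ok=True)

    for name in os.listdir(path):
        new_path = os.path.join(path, name)
        if not os.path.isdir(new_path) or ".git" in name:
            continue
        print(new_path)

        json_result = []
        scan_file_recursive(new_path, dataset_name, json_result)

        out_path = os.path.join(out_dir, name + ".json")
        with open(out_path, "w") as f:
            json.dump(json_result, f, indent=4)
        # Report the file that was actually written; the previous message
        # named a path next to the dataset directory instead.
        print("create json: " + out_path)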
def main():
    """Scan both datasets with DiE and write the per-directory result files.

    Switches into the portable DiE directory first, because
    scan_file_recursive() invokes ``./diec.sh`` relative to the cwd; all
    dataset paths are built from CWD_DIR, captured before the switch.
    """
    os.chdir("die_lin64_portable_3.00/die_lin64_portable/")

    packing_data_root = os.path.join(CWD_DIR, "dataset/PackingData/")
    scan(packing_data_root, "PackingData")

    # The UnpackMe set ships as archives; unpack them before scanning.
    unpackme_root = os.path.join(CWD_DIR, "dataset/UnpackMe/")
    extract_file_recursive(unpackme_root)
    scan(unpackme_root, "RCE_Lab")
# Script entry point; importing this module only defines the functions.
if __name__ == "__main__":
    main()