iGSrSSKrSSKrSSKrSSKrSSKrSSKrSSKrSr \Rr Sr "SS\ 5r SrSrS rg) zpeutils, Portable Executable utilities module Copyright (c) 2005-2023 Ero Carrera All rights reserved. Nz Ero Carrerazero.carrera@gmail.comc\rSrSrSrSSjrSSjrSSjrSSjrSSjr SS jr S r SS jr SS jr SS jrSSjrSrg)SignatureDatabaseaThis class loads and keeps a parsed PEiD signature database. Usage: sig_db = SignatureDatabase('/path/to/signature/file') and/or sig_db = SignatureDatabase() sig_db.load('/path/to/signature/file') Signature databases can be combined by performing multiple loads. The filename parameter can be a URL too. In that case the signature database will be downloaded from that location. Nc[R"S[R5Ul[ 5UlSUl[ 5UlSUl[ 5Ul SUl SUl URXS9 g)Nzh\[(.*?)\]\s+?signature\s*=\s*(.*?)(\s+\?\?)*\s*ep_only\s*=\s*(\w+)(?:\s*section_start_only\s*=\s*(\w+)|)rfilenamedata) recompileS parse_sigdictsignature_tree_eponly_truesignature_count_eponly_truesignature_tree_eponly_falsesignature_count_eponly_falsesignature_tree_section_startsignature_count_section_start max_depth_SignatureDatabase__loadselfrr s 4C:\des-py\RoboSAPF\venv\Lib\site-packages\peutils.py__init__SignatureDatabase.__init__&sm v DD "+/&'+,(+/6(,-),0F)-.* X 1c [5n[UR5HupVURU:aMURnSUUS-[ UR5SR URVs/sHo[R;dMUPM sn54-n URURUUU SSUS95 M SR U5S-$s snf)zGenerates signatures for all the sections in a PE file. If the section contains any data a signature will be created for it. The signature name will be a combination of the parameter 'name' and the section number and its name. z%s Section(%d/%d,%s)FT)ep_onlysection_start_only sig_length ) list enumeratesections SizeOfRawDataPointerToRawDatalenjoinNamestring printableappend&_SignatureDatabase__generate_signature) rpenamer"section_signaturesidxsectionoffsetcsig_names rgenerate_section_signatures-SignatureDatabase.generate_section_signaturesHs"V%bkk2LC$$z1--F-aBKK GLLJLq9I9I4ILJK 1H  % %))!'+) * 34yy+,t33Ks 6CCcpURURR5nURXUSUS9$)zGenerate signatures for the entry point of a PE file. Creates a signature whose name will be the parameter 'name' and the section number and its name. T)r r")get_offset_from_rvaOPTIONAL_HEADERAddressOfEntryPointr/)rr0r1r"r5s rgenerate_ep_signature'SignatureDatabase.generate_ep_signaturensA''(:(:(N(NO(( dz)  rc URX"U-nSRUVs/sHnS[U5-PM sn5n US:XaSnOSnUS:XaSnOSnSU<SU <SU<S U<S 3 n U $s snf) N z%02xTtruefalse[z] signature = z ep_only = z section_start_only = r#)__data__r*ord) rr0r5r1r r!r"r r6signature_bytes signatures r__generate_signature&SignatureDatabase.__generate_signature{s{{6Z$78((T#BTFSVOT#BC d?GG  %!' !(       '$CsA+cURXU5nU(a+US:XaUVs/sHoUSUSS4PM sn$USS$gs snf)zMatches and returns the exact match(es). If ep_only is True the result will be a string with the packer name. Otherwise it will be a list of the form (file_offset, packer_name) specifying where in the file the signature was found. FrrN_SignatureDatabase__match)rr0r r!matchesmatchs rrPSignatureDatabase.matchs`,,r,>? %?FFgUq58B<0gFF1:b> ! GsAcPURXU5nU(a US:XaU$US$g)z+Matches and returns all the likely matches.FrNrM)rr0r r!rOs r match_allSignatureDatabase.match_alls4,,r,>? %1: rcbUSLa?URnURnURVs/sHowRPM nnOhUSLa7UR 5nUR nURRn U /nO,URnURn[[U55n/n UH>n URXdXUR-5n U (dM,U RX45 M@ USLa U (aU S$U $![aneSnAff=fs snf![aneSnAff=f)NTr)rE Exceptionrr&r(get_memory_mapped_imagerr<r=rranger)(_SignatureDatabase__match_signature_treerr.) rr0r r!r excp signaturesr4scan_addresseseprOr3results r__matchSignatureDatabase.__matchsB  %  {{ ::JGIkkRk766kNRN _  113 88J ##77B!TN;;D99J"3t9-N!C00T^^';<Fv}- " d?qz!y  S  s4 DD D DDD D.(D))D.cUnS/nUSLa URnOUSLa URn/nUH>nURWXHXR-5n U (dM,UR X45 M@ USLa U(aUS$U$)NrT)rrrYrr.) r code_datar r!r r\r[rOr3r^s r match_dataSignatureDatabase.match_data s  %::J _88J!C00Ds^^';<Fv}- " d?qz!rc R[5nUn[UVs/sH%n[U[5(aUO [ U5PM' sn5HupxUc OUR US5n S[UR 55;aW[5n [UR55Hn U SbM U RU S5 M! URU 5 SU;aFUR SS5n X'S-Sn U (a&URURXXs-S-55 U nM UbtS[UR 55;aW[5n [UR55Hn U SbM U RU S5 M! URU 5 U$s snf)zRecursive function to find matches along the signature tree. signature_tree is the part of the tree left to walk data is the data being checked against the signature tree depth keeps track of how far we have gone down the tree Nrrz??) r$r% isinstanceintrFgetvaluesitemsr.extendrY)rsignature_treer depth matched_namesrPbr3byte match_nextnamesitemmatch_tree_alternatedata_remainings r__match_signature_tree(SignatureDatabase.__match_signature_tree6s  #QU#VQUAAs););AQ$GQU#VWIC}4.J tELLN++ !/DAw T!W-0$$U+ u}',yyt'<$!%Agi!!((330#+PQ/ EWX`  elln)=!=FEU[[]+7?LLa),   'q$Ws,F$c"URXS9 g)z^Load a PEiD signature file. Invoking this method on different files combines the signatures. rN)rrs rloadSignatureDatabase.load~s X 1rcUb[RRU5(dA[RR U5nUR 5nUR5 O0[US5nUR 5nUR5 OUnU(dgSnURRU5nUGHunnn n n U R5R5n URSS5R5nUR5V s/sH o"U 5PM n n U S:XaSn OSn U S:XaSn OSn SnU SLa"UR nU=R"S - slOHU SLa"UR$nU=R&S - slO!UR(nU=R*S - sl[-U 5HeunnUS -[/U 5:Xa&UR1U[355UU'SUUU'OUR1U[355UU'UUnUS - nMg XR4:dGMzXlGM g![a ef=f![a ef=fs sn f) Nrtc*SU;aU$[US5$)N?)rg)values rto_byte)SignatureDatabase.__load..to_bytese| ub> !rz\nrrBTFrr)ospathexistsurllibrequesturlopenreadcloseIOErroropenr findallstriplowerreplacesplitrrrrrrr%r)rhrr)rrr sig_fsig_datarrO packer_namerHsuperfluous_wildcardsr r!rorGrmtreer3rps r__loadSignatureDatabase.__loadsK  77>>(++"NN228r/rPrSrNrcrYryr__static_attributes__rrrrsM" 2D$4L  UX62 IV*XFP2d'rrcg)rNr)r0s ris_validrsrcSnSn[US5(aURHnSnURHpnURURR s=::aURS-::aO OSnUb!XERs=::a US-::aO OUS- nURnMr M SnUR 5nU(aU g)z` unusual locations of import tables non recognized section names presence of long ASCII strings FrDIRECTORY_ENTRY_BASERELOCNTr)hasattrrentriesrvar<r= get_warnings)r0relocations_overlap_entry_pointsequential_relocs base_reloclast_reloc_rvarelocwarnings_while_parsingwarningss r is_suspiciousrs',# r.//66J!N#++99 2 2 F FW%))VW-W6:3#.&))I~7II%*%!&,7&# H rc[UR55nU(dgSnSnURH8nUR5n[UR 55nUS:dM4X6- nM: X1- S:aSnU$)a$Returns True is there is a high likelihood that a file is packed or contains compressed data. The sections of the PE file will be analyzed, if enough sections look like containing compressed data and the data makes up for more than 20% of the total file size, the function will return True. TFrg@g?)r)trimr& get_entropyget_data)r0total_pe_data_length)has_significant_amount_of_compressed_datatotal_compressed_datar4 s_entropys_lengths ris_probably_packedr(srwwy> 05- ;;'') w'')* s? ! - !  4;481 44r)rrr r,urllib.requestr urllib.parse urllib.errorpefile __author__ __version__ __contact__objectrrrrrrrrsR 11    % V'V'r 3 l!5r