Greet your malware samples before you tear them apart.
pegreet is a tool that performs static analysis and feature extraction on Portable Executable files. As a cli app, it should help with first steps in malware analysis / reverse engineering. As a library, it can be used to extract useful information from samples in bulk for use in exploratory data analysis or building malware classification models.
Table of Contents
- dump general file information
- compute hashes (MD5, SHA1, SHA256, Imphash, SSDEEP)
- calculate entropy
- detect packers via PEiD signatures
- dump info from headers
- dump info from sections
- dump imports and exports
- annotate suspicious Windows API functions
- display file parsing warnings
- disassemble code from entry point
- find strings
- categorize strings
- recognize known malicious section names
- annotate suspicious entropy and size mismatches
- extract resources
- lookup on VirusTotal
- lookup for public sandbox reports
- check file against YARA rules
- check digital signature
- sort strings with StringSifter
- extract obfuscated strings with FLOSS
- custom output (csv, json, markdown)
<virtual environment shenanigans>
pip install pegreetpipx install pegreetfrom pathlib import Path
import pegreet
pe = pegreet.load(Path('data/samples/petya.exe'))
info_data = pegreet.info(pe)
print(info_data)
print(pegreet.pretty_info(info_data))
strings_data = pegreet.find_strings(pe)
print(strings_data)
print(pegreet.pretty_strings(strings_data))
print(pegreet.disasm(pe, num_lines=40))
$ pegreet --help
Usage: pegreet [OPTIONS] COMMAND [ARGS]...
╭─ Options ───────────────────────────────────────────╮
│ --help Show this message and │
│ exit. │
╰─────────────────────────────────────────────────────╯
╭─ Commands ──────────────────────────────────────────╮
│ disassemble disassemble a specified number │
│ instructions from entry point │
│ info print useful info │
│ strings print strings │
╰─────────────────────────────────────────────────────╯
$ pegreet info data/samples/petya.exe
...
$ pegreet strings --show-uncategorized data/samples/petya.exe
...
$ pegreet disassemble data/samples/petya.exe 40
...
I started this project in 2020 in an attempt to learn about PE files and feature extraction for use in malware data science.
There are many other (better) tools available that implement similar functionality (see below). What I tried to do with pegreet is to focus on only the features that are useful to malware analysis to make it easier to digest the information. pegreet also provides annotations for suspicious indicators that can be used as jumping points for an investigation.
The pefile library was used extensively to implement the parsing of PE files. I would like to explore using the LIEF project instead as it supports multiple executable formats and it was used in the EMBER dataset. Maybe I'll follow this project up with an 'ELFgreet'.
- pefile - python library for reading PE info
- peframe - PE analysis tool
- PEpper - PE analysis tool
- PEcli - PE analysis tool
- PPEE - PE analysis tool
- PE Studio - PE analysis tool
- pev - PE analysis tool
- pecheck - PE analysis tool
- PE-bear - PE analysis tool
- PE-sieve - scans live PEs for suspicious indicators and dumps
- PE_unmapper - convert dump to raw
- IAT Patcher - IAT editor
- corkami PE101 and PE102 - fantastic visualizations
- corkami PE wiki - lots of info
- corkami PE POCs - cool/weird stuff
- PE format layout graph - nice visualization
- PE format walkthrough - overlay of PE format on raw hex
- PE Format - PE documentation by MS
- An In-Depth Look into the Win32 Portable Executable File Format Part 1 and Part 2 - writeups by MS
pegreet is distributed under the terms of any of the following licenses: