0x0be · KooshaYeganeh · Sep 24, 2024 · Sep 24, 2024 · Sep 24, 2024
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,162 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/latest/usage/project/#working-with-version-control
+.pdm.toml
+.pdm-python
+.pdm-build/
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
diff --git a/install b/install
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+## This installation file is compatible with Python version 3.8 and later and has been developed to adapt this software to new versions of Python.
+
+# check virtualenv
+
+virt=`whereis virtualenv | cut -d" " -f2`
+if [ "$virt" == "/usr/bin/virtualenv" ];then
+	true
+else
+	echo "virtualenv Not Installed ..."
+	echo "Start Install virtualenv"
+	sudo pip3 install virtualenv
+	echo "virtualenv Installed [ OK ]"
+fi
+
+
+
+virtualenv venv
+source venv/bin/activate
+echo "virtualenv ctreated [ OK ]"
+packages=`cat requirements.txt | cut -d" " -f1`
+for p in $packages;do
+	pip install $p
+done
+
+echo "Python Packages Installed [ OK ]"
+
+# create New Requirements File
+
+pip freeze > requirements.txt
+
+
+
+
diff --git a/modules/antidbg.py b/modules/antidbg.py
@@ -3,11 +3,9 @@
 import sys
 from . import colors
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
 
 # check for anti-debugging calls
 
-
 def get_rule(path):
     root_dir = os.path.dirname(sys.modules['__main__'].__file__)
     return os.path.join(root_dir, 'signatures', path)

diff --git a/modules/apialert.py b/modules/apialert.py
@@ -3,7 +3,7 @@
 import lief
 from . import colors
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
+
 
 # checks for suspicious calls
 

diff --git a/modules/aslr.py b/modules/aslr.py
@@ -1,20 +1,21 @@
 import lief
 from . import colors
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
-
-# check if PE support for Address Space Layout Randomization
-
-
+# Check if PE supports Address Space Layout Randomization (ASLR)
 def get(malware, csv):
     print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format(
         "ASLR", " -------------------------------") + colors.DEFAULT))
+
     binary = lief.parse(malware)
-    if binary.optional_header.has(lief.PE.DLL_CHARACTERISTICS.DYNAMIC_BASE):
+
+    # Define the DYNAMIC_BASE flag
+    DYNAMIC_BASE_FLAG = 0x0040
+
+    # Check if ASLR (DYNAMIC_BASE) is enabled
+    if binary.optional_header.dll_characteristics & DYNAMIC_BASE_FLAG:
         print((colors.GREEN + "[" + '\u2713' +
                "]" + colors.DEFAULT + " The file supports Address Space Layout Randomization (ASLR)"))
         csv.write("1,")
     else:
-        print((
-            colors.RED + "[X]" + colors.DEFAULT + " The file doesn't support Address Space Layout Randomization (ASLR)"))
+        print((colors.RED + "[X]" + colors.DEFAULT + " The file doesn't support Address Space Layout Randomization (ASLR)"))
         csv.write("0,")
diff --git a/modules/badstr.py b/modules/badstr.py
@@ -5,7 +5,7 @@
 import string
 from . import colors
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
+
 
 # check for some possible bad strings hardcoded inside PE
 

diff --git a/modules/certificate.py b/modules/certificate.py
@@ -4,7 +4,6 @@
 from . import colors
 from lief.PE import oid_to_string
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
 
 # print PE certificates
 

diff --git a/modules/cfg.py b/modules/cfg.py
@@ -1,20 +1,23 @@
 import lief
 from . import colors
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
 
 # check if PE file supports control flow guard
 
 
 def get(malware, csv):
     print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format(
         "CFG", " -------------------------------") + colors.DEFAULT))
+
     binary = lief.parse(malware)
-    if binary.optional_header.has(lief.PE.DLL_CHARACTERISTICS.GUARD_CF):
-        print((colors.GREEN + "[" + '\u2713' +
-               "]" + colors.DEFAULT + " The file supports Control Flow Guard (CFG)"))
-        csv.write("1,")
+
+    # Control Flow Guard (CFG) is represented by the 0x4000 flag in DLLCharacteristics
+    GUARD_CF_FLAG = 0x4000
+
+    if binary.optional_header.dll_characteristics & GUARD_CF_FLAG:
+        print((colors.GREEN + "[" + '\u2713' + "]" + colors.DEFAULT + " Control Flow Guard (CFG) is enabled."))
+        csv.write("CFG Enabled,")
     else:
-        print((
-            colors.RED + "[X]" + colors.DEFAULT + " The file doesn't support Control Flow Guard (CFG)"))
-        csv.write("0,")
+        print((colors.RED + "[X]" + colors.DEFAULT + " Control Flow Guard (CFG) is not enabled."))
+        csv.write("CFG Not Enabled,")
+
diff --git a/modules/codeint.py b/modules/codeint.py
@@ -1,7 +1,7 @@
 import lief
 from . import colors
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
+
 
 # PE ignores Code Integrity? Let's find out together
 

diff --git a/modules/dbgts.py b/modules/dbgts.py
@@ -2,7 +2,7 @@
 from . import colors
 import datetime
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
+
 
 # check for suspicious debug timestamps
 

diff --git a/modules/dep.py b/modules/dep.py
@@ -1,16 +1,18 @@
 import lief
 from . import colors
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
-
-# check if PE supports Data Execution Prevention
-
-
+# Check if PE supports Data Execution Prevention (DEP)
 def get(malware, csv):
     print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format(
         "DEP", " -------------------------------") + colors.DEFAULT))
+
     binary = lief.parse(malware)
-    if binary.optional_header.has(lief.PE.DLL_CHARACTERISTICS.NX_COMPAT):
+
+    # Define NX_COMPAT flag
+    NX_COMPAT_FLAG = 0x0100
+
+    # Check if DEP (NX_COMPAT) is enabled
+    if binary.optional_header.dll_characteristics & NX_COMPAT_FLAG:
         print((colors.GREEN + "[" + '\u2713' +
                "]" + colors.DEFAULT + " The file supports Data Execution Prevention (DEP)"))
         csv.write("1,")

diff --git a/modules/exports.py b/modules/exports.py
@@ -1,7 +1,6 @@
 import lief
 from . import colors
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
 
 # print exports of PE
 

diff --git a/modules/fileheader.py b/modules/fileheader.py
@@ -1,7 +1,6 @@
 import lief
 from . import colors
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
 
 # print the PE header
 

diff --git a/modules/gs.py b/modules/gs.py
@@ -1,7 +1,6 @@
 import lief
 from . import colors
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
 
 # check if PE supports cookies on the stack (GS)
 

diff --git a/modules/imports.py b/modules/imports.py
@@ -1,7 +1,6 @@
 import lief
 from . import colors
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
 
 # print imports of PE
 

diff --git a/modules/manifest.py b/modules/manifest.py
@@ -1,7 +1,6 @@
 import lief
 from . import colors
 
-lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR)
 
 # check whether the PE has a manifest
 

diff --git a/modules/modules/__init__.py b/modules/modules/__init__.py