malice-plugins / pescan
Malice PExecutable Plugin
License: Other
Scanning the same file as in #4 results in:
2018-12-06 10:04:47,747 - __main__ - ERROR - failed to run malice plugin: pescan
Traceback (most recent call last):
File "/usr/sbin/pescan", line 122, in scan
malice_scan['results']['markdown'] = json2markdown(pe_results)
File "/usr/sbin/utils/__init__.py", line 74, in json2markdown
return Template(f.read()).render(exe=json_data)
File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 1008, in render
return self.environment.handle_exception(exc_info, True)
File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 780, in handle_exception
reraise(exc_type, exc_value, tb)
File "<template>", line 62, in top-level template code
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 10: ordinal not in range(128)
DIALOG_TITLE: FILE_STRING
SUCCESS
PE: STRINGS - RT_DIALOG (id:0x6e - lang_id:0x0409 [English-United States])
DIALOG_TITLE: FILE_STRING
BUTTON: FILE_STRING
BUTTON: FILE_STRING
SUCCESS
PE: STRINGS - RT_DIALOG (id:0x6f - lang_id:0x0409 [English-United States])
DIALOG_TITLE: FILE_STRING
BUTTON: FILE_STRING
BUTTON: FILE_STRING
BUTTON: FILE_STRING
SUCCESS
PE: STRINGS - RT_DIALOG (id:0x71 - lang_id:0x0409 [English-United States])
DIALOG_TITLE: FILE_STRING
BUTTON: FILE_STRING
SUCCESS
All plugins are up to date.
Scanning putty.exe (7afb56dd48565c3c9804f683c80ef47e5333f847f2d3211ec11ed13ad36061e1) results in the following output from pescan:
>> docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v `pwd`:/malice/samples --network="host" malice/engine scan --logs putty.exe
...
2018-11-29 11:02:35,648 - malice - ERROR - 'module' object has no attribute '__getitem__'
Traceback (most recent call last):
File "/usr/sbin/malice/__init__.py", line 800, in run
self.resource_strings()
File "/usr/sbin/malice/__init__.py", line 495, in resource_strings
language.id, lcid[language.id])
TypeError: 'module' object has no attribute '__getitem__'
2018-11-29 11:02:35,699 - __main__ - ERROR - failed to run malice plugin: pescan
Traceback (most recent call last):
File "/usr/sbin/pescan", line 122, in scan
malice_scan['results']['markdown'] = json2markdown(pe_results)
File "/usr/sbin/utils/__init__.py", line 74, in json2markdown
return Template(f.read()).render(exe=json_data)
File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 1008, in render
return self.environment.handle_exception(exc_info, True)
File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 780, in handle_exception
reraise(exc_type, exc_value, tb)
File "<template>", line 8, in top-level template code
File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 430, in getattr
return getattr(obj, attribute)
UndefinedError: 'dict object' has no attribute 'compiletime'
...
The error didn't occur with a couple of other exe files I tested.
Docker version:
Client:
Version: 18.09.0
API version: 1.39
Go version: go1.10.4
Git commit: 4d60db4
Built: Wed Nov 7 00:49:01 2018
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 18.09.0
API version: 1.39 (minimum version 1.12)
Go version: go1.10.4
Git commit: 4d60db4
Built: Wed Nov 7 00:16:44 2018
OS/Arch: linux/amd64
Experimental: false
Docker info (with some info removed):
Containers: 6
Running: 1
Paused: 0
Stopped: 5
Images: 26
Server Version: 18.09.0
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.15.0-39-generic
Operating System: Linux Mint 19
OSType: linux
Architecture: x86_64
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
WARNING: No swap limit support
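The two pescan tracebacks above fail at the same place, json2markdown handing the results dict to the Jinja2 template: the first one dies because a resource string still holds a raw byte string with a non-ASCII byte (0xc2 at offset 10), the second because the template reads a key ('compiletime') that the results dict never received, which fits the scan having aborted earlier in run(). The following is an added illustration, not pescan's own code, of preparing such a dict before rendering: decode every byte string to text with undecodable bytes replaced, and fill in the keys the template needs so a partial scan yields a readable report instead of a stack trace. The required key list and the sample results dict are constructed for the example; the real template's fields are not known here.

```python
# Added example (not pescan's code): make a nested scan-results dict safe to
# hand to a text template. Two failure modes from the tracebacks are handled:
#   * byte strings carrying non-ASCII bytes (UnicodeDecodeError on 0xc2), and
#   * keys the template expects but the scan never populated ('compiletime').
# REQUIRED_KEYS and SAMPLE_RESULTS are constructed for the demo.


def decode_bytes(obj, encoding="utf-8", errors="replace"):
    """Recursively replace bytes in dicts/lists/tuples with text.

    Undecodable byte sequences become U+FFFD instead of raising, so one
    malformed resource string cannot abort the whole report.  Tuples come
    back as lists, which is what a template iterates over anyway.
    """
    if isinstance(obj, bytes):
        return obj.decode(encoding, errors)
    if isinstance(obj, dict):
        return {decode_bytes(k): decode_bytes(v) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [decode_bytes(v) for v in obj]
    return obj


def fill_required(results, required, default="n/a"):
    """Return (copy of results with every required key present, missing keys).

    Keys the scan did not produce are set to `default` and reported, so the
    caller can log what the template would otherwise have tripped over.
    """
    out = dict(results)
    missing = [k for k in required if k not in out]
    for k in missing:
        out[k] = default
    return out, missing


# Assumed set of fields the markdown template reads; pescan's real list
# is not visible in the traceback.
REQUIRED_KEYS = ("compiletime", "sections", "strings")


def prepare_for_template(results, required=REQUIRED_KEYS):
    """Decode bytes, then guarantee the template's keys exist."""
    return fill_required(decode_bytes(results), required)


# Constructed sample: a partial scan whose dialog title carries a lone UTF-8
# lead byte (0xc2) at offset 10, the same position the traceback reports.
SAMPLE_RESULTS = {
    "sections": [{"name": b".text"}],
    "strings": [{"DIALOG_TITLE": b"Copyright \xc2 2018"}],
    # 'compiletime' deliberately absent: the scan aborted before setting it
}


def reproduce_decode_error(raw=b"Copyright \xc2 2018"):
    """Return the offset at which an ASCII decode of `raw` fails (None if it doesn't).

    This is what Python 2's implicit str->unicode coercion did inside the
    template render; the offset matches 'position 10' in the traceback.
    """
    try:
        raw.decode("ascii")
    except UnicodeDecodeError as exc:
        return exc.start
    return None


if __name__ == "__main__":
    safe, missing = prepare_for_template(SAMPLE_RESULTS)
    print("filled missing keys:", missing)
    print("dialog title:", safe["strings"][0]["DIALOG_TITLE"])
    print("ascii decode fails at offset:", reproduce_decode_error())
```

Decoding with errors="replace" keeps the report honest (a U+FFFD marks where the bytes were not valid UTF-8) while never raising; if the strings are known to be UTF-16LE dialog resources, pass that encoding instead.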
All plugins are up to date.
Scanning FileZilla_3.38.1_win64-setup_bundled.exe (8de6ddd0687ba0075e10aad4c80dd80a436c4791a3a6d67cdfc7aa14da3ade0d) results in the following output from pescan:
>> docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v `pwd`:/malice/samples --network="host" malice/engine scan --logs FileZilla_3.38.1_win64-setup_bundled.exe
...
2018-11-29 11:08:28,186 - malice - ERROR - sequence item 0: expected string, int found
Traceback (most recent call last):
File "/usr/sbin/malice/__init__.py", line 788, in run
self.results['signature'] = get_signify(self.file, log=log)
File "/usr/sbin/malice/sig.py", line 22, in get_signify
s_data.verify()
File "/usr/lib/python2.7/site-packages/signify/signed_pe.py", line 232, in verify
signed_datas = list(self.signed_datas)
File "/usr/lib/python2.7/site-packages/signify/signed_pe.py", line 214, in signed_datas
yield SignedData.from_certificate(certificate['certificate'], pefile=self)
File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 126, in from_certificate
signed_data = SignedData(data, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 111, in __init__
self._parse()
File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 156, in _parse
self.signer_info = AuthenticodeSignerInfo(self.data['signerInfos'][0])
File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 54, in __init__
self._parse()
File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 67, in _parse
super(AuthenticodeSignerInfo, self)._parse()
File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 69, in _parse
required=self._required_authenticated_attributes
File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 138, in _parse_attributes
([_print_type(x) for x in required], [_print_type(x) for x in result]))
File "/usr/lib/python2.7/site-packages/signify/__init__.py", line 8, in _print_type
return ".".join(t)
TypeError: sequence item 0: expected string, int found
...
The error didn't occur with a couple of other exe files I tested.
This may be a bug in pescan itself.
Docker version:
Client:
Version: 18.09.0
API version: 1.39
Go version: go1.10.4
Git commit: 4d60db4
Built: Wed Nov 7 00:49:01 2018
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 18.09.0
API version: 1.39 (minimum version 1.12)
Go version: go1.10.4
Git commit: 4d60db4
Built: Wed Nov 7 00:16:44 2018
OS/Arch: linux/amd64
Experimental: false
Docker info (with some info removed):
Containers: 6
Running: 1
Paused: 0
Stopped: 5
Images: 26
Server Version: 18.09.0
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.15.0-39-generic
Operating System: Linux Mint 19
OSType: linux
Architecture: x86_64
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
WARNING: No swap limit support
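In this traceback the TypeError is not the real verification failure: signify's _parse_attributes had already decided that the required authenticated attributes did not match what the SignerInfo contains, and crashed while formatting that error message, because _print_type does ".".join(t) on a tuple of ints (an OID's arcs) rather than on strings. The mismatch itself is therefore never reported. The following is an added illustration, not signify's or pescan's code, of the same check with the OID formatting done correctly, so the message names the attributes involved. The required attribute set used here (contentType, messageDigest, SpcSpOpusInfo) is the example's own assumption; signify's actual list may differ. The OID constants are the standard PKCS#9 and Microsoft SPC values, and the two sample attribute sets are constructed.

```python
# Added example (not signify's or pescan's code): verify that a SignerInfo
# carries the authenticated attributes required for Authenticode, and format
# attribute OIDs correctly in the error message.  ".".join() on a tuple of
# ints is the TypeError in the traceback above; oid_to_str converts each
# arc to text first.  REQUIRED_AUTHENTICATED is this example's assumption.

# Standard attribute-type OIDs as arc tuples (the form an iterated pyasn1
# ObjectIdentifier yields, and the form that broke ".".join).
CONTENT_TYPE = (1, 2, 840, 113549, 1, 9, 3)        # PKCS#9 contentType
MESSAGE_DIGEST = (1, 2, 840, 113549, 1, 9, 4)      # PKCS#9 messageDigest
SIGNING_TIME = (1, 2, 840, 113549, 1, 9, 5)        # PKCS#9 signingTime
SPC_SP_OPUS_INFO = (1, 3, 6, 1, 4, 1, 311, 2, 1, 12)
SPC_STATEMENT_TYPE = (1, 3, 6, 1, 4, 1, 311, 2, 1, 11)

# Assumed for the example; not necessarily signify's required set.
REQUIRED_AUTHENTICATED = (CONTENT_TYPE, MESSAGE_DIGEST, SPC_SP_OPUS_INFO)


def oid_to_str(oid):
    """Render an OID given as an int tuple or a dotted string as 'a.b.c'."""
    if isinstance(oid, str):
        return oid
    return ".".join(str(arc) for arc in oid)


def broken_print_type(t):
    """The shape of the failing call: fine for str tuples, TypeError on ints."""
    return ".".join(t)


class MissingAttributeError(ValueError):
    """Raised when a SignerInfo lacks a required authenticated attribute."""


def missing_authenticated_attributes(present, required=REQUIRED_AUTHENTICATED):
    """Return the required OIDs (in required order) not found in `present`."""
    have = {tuple(p) for p in present}
    return [oid for oid in required if tuple(oid) not in have]


def verify_authenticated_attributes(present, required=REQUIRED_AUTHENTICATED):
    """Return True if all required attributes are present, else raise with a
    message that lists both sides as dotted OIDs."""
    missing = missing_authenticated_attributes(present, required)
    if missing:
        raise MissingAttributeError(
            "missing authenticated attributes %s (required %s, got %s)" % (
                [oid_to_str(o) for o in missing],
                [oid_to_str(o) for o in required],
                [oid_to_str(o) for o in sorted(tuple(p) for p in present)]))
    return True


# Constructed attribute sets: one complete, one lacking messageDigest.
SAMPLE_OK = [CONTENT_TYPE, MESSAGE_DIGEST, SPC_SP_OPUS_INFO, SIGNING_TIME]
SAMPLE_BAD = [CONTENT_TYPE, SPC_SP_OPUS_INFO, SPC_STATEMENT_TYPE]


if __name__ == "__main__":
    print("ok:", verify_authenticated_attributes(SAMPLE_OK))
    try:
        verify_authenticated_attributes(SAMPLE_BAD)
    except MissingAttributeError as exc:
        print("rejected:", exc)
    try:
        broken_print_type(CONTENT_TYPE)
    except TypeError as exc:
        print("original formatting bug:", exc)
```

The point of fixing the formatting path first is diagnostic: once the message comes through, the FileZilla sample's actual problem (which authenticated attribute the library expected and did not find, or found in an unexpected form) becomes visible instead of being masked by a crash in the error reporter.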