Windows applications analysis utility
(pretty simple at the moment, but who knows what's coming up next..)
- Retrieving basic sample information, such as:
  - compiler info
  - packer info
  - installer info
  - architecture, subsystem, PE format, imagebase and EP
  - verifying checksum and signature
- Obtaining info about the PE rich signature
- Detecting sample capabilities based on a large collection of yara rules
- Checking a sample against vendor signatures (Detect It Easy, PE Tools, etc.)
- Inspecting PE sections, dumping them, checking their entropy
- Gathering various info about PE imports, exports and resources
- Parsing overlay info
- Hashing a sample (sha256, sha1, md5, imphash, ssdeep, rich header hash, etc.)
- .NET samples support:
  - Parsing strings from the `Strings` heap
  - Parsing strings from the `UserStrings` heap
  - Parsing guids from the `Guid` heap
  - Parsing metadata tables (WIP)
- Custom yara checker for testing your own yara rules
- Extendable by plugins
- Cross-platform user-friendly UI powered by Tkinter!
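The section-entropy check listed above is a common packer heuristic: compressed or encrypted section contents look close to uniformly random, while plain code and data do not. As an added example that is not part of this project's code, the stdlib-only script below walks the COFF section table of a constructed minimal PE (an assumption, not a real executable) and flags sections whose Shannon entropy exceeds an assumed threshold of 7.0 bits per byte; the names `pe_sections`, `section_entropies`, `suspicious_sections` and `build_sample` are mine.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Walk the COFF section table and yield (name, raw_bytes) for each section."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)          # DOS header: offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", image, coff + 2)     # IMAGE_FILE_HEADER.NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)     # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # section headers follow the optional header
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + i * 40)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]

def section_entropies(image: bytes):
    """[(name, entropy)] for every section, in section-table order."""
    return [(name, shannon_entropy(data)) for name, data in pe_sections(image)]

def suspicious_sections(image: bytes, threshold: float = 7.0):
    """Sections whose entropy exceeds the threshold, typical of packed or encrypted contents."""
    return [(name, ent) for name, ent in section_entropies(image) if ent > threshold]

def _section_header(name: bytes, raw_ptr: int, raw_size: int, va: int) -> bytes:
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenums, Characteristics
    return struct.pack("<8sIIIIIIHHI", name, raw_size, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)

def build_sample() -> bytes:
    """Constructed minimal PE (assumption, not a real executable): two sections, no optional header."""
    text = bytes(range(16)) * 16                                              # 256 bytes, entropy exactly 4.0
    upx1 = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 pseudo-random bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)               # i386, 2 sections, SizeOfOptionalHeader=0
    data_start = 0x40 + 4 + len(coff) + 2 * 40                                # section data begins after the headers
    headers = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff
               + _section_header(b".text", data_start, len(text), 0x1000)
               + _section_header(b"UPX1", data_start + len(text), len(upx1), 0x2000))
    return headers + text + upx1
```

On the constructed sample only the `UPX1` section is reported; on a real file the same heuristic also fires on legitimately compressed resources, so treat it as a hint to be combined with the packer signatures and yara rules listed above, not as proof of packing.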
- Clone this repository
- Install requirements (`pip install -r requirements.py`)
- Run `python3 main.py`
- VirusTotal for `yara` ❤️
- RetDec for providing yara rules
- Yara-Rules for providing yara rules
- PETools for signatures that I generated some yara rules from
- horsicq for signatures from Detect It Easy, based on which I generated some yara rules as well
- Adam for PE section names info
- dishather for the PE rich header comp.id database
- rdbende for the tkinter `chlorophyll` add-on
- ragardner for the tkinter `tksheet` add-on
- erocarrera for the `pefile` library
- malwarefrank for the `dnfile` library
- romainthomas for the `lief` library
- elceef for the pure python ssdeep hashing implementation (`ppdeep` library)
This project was made by me, and my python knowledge kinda sucks.
Don't expect to see quality code here (PRs are welcome!).
I'm working on this project in my spare time, which means that no regular support for this tool will be provided.