Saturday, December 25, 2010

Installing pescanner.py on Windows

I don't often work with Python scripts, but I recently had an instance where, due to advice from a trusted source, I needed to run pescanner.py, mentioned in the Malware Analyst's Cookbook. In short, what I wanted to do was take look at a couple of suspicious executable files, having already run several AV scanners to identify and locate those files. Based on what I learned in setting this up, I wanted to share the steps I used to get this script running on Windows XP SP3.

Pescanner.py is a powerful tool that takes a look into a Windows portable executable (PE) file, and reports on "suspicious" elements of the file, if found, based on heuristics identified within the "Pimp my PE" paper. Pescanner.py can also incorporate YARA functionality so that PEiD and ClamAV signatures can be used, as well. This can be extremely valuable to an analyst, as we're all aware how AV alone often times will not detect malware. I've seen cases where malware was detected by the installed AV, only to have the timeline clearly show that at some point further down the road, another file with the same name was dumped on the system, but NOT detected by the same AV.

Install Python: I opted for ActiveState's ActivePython, but you can also get the current distro for Windows from Python.org.

Install Pefile: Do NOT use the pypm utility that ships with ActivePython to install the pefile module; instead go directly to the source and get the latest version. Download the archive and copy the pefile.py and peutils.py files into the Lib directory for your Python installation.

Download pescanner.py: Go here (this is rev. 18, get the most current one available) and get the file; the easiest thing to do is click on "View raw file" and save it where you want it to go. I had some issues getting the script running on Windows 2003, and it came down to the indentations...if you program Python, you may know what I mean. I had selected and copied the code in my browser, and pasted it into a Notepad window; when I saved the code using "View raw file" from the Google Code site, things worked. On my XP system, I pasted the code into an UltraEdit window and saved it.

Installing python-magic: According to this source, you'll need a couple of files to get python-magic installed on your system. First, go get the GnuWin32 file utility, and download the latest archive. Copy magic1.dll to your system32 directory and put the magic file in the same directory as pescanner.py. You can get regex2.dll from the latest regex archive (copy the file to your system32 dir), and zlib1.dll from the latest zlib archive.

For this one, I contacted MHL (one of the Cookbook authors...) and he sent me the below instructions for installing python-magic on Windows:

Assuming you already have Python from python.org or the ActivePython version...
1) Install
setuptools
2) Get
python-magic
* python setup.py build
* python setup.py install

3) Get the GnuWin32's
File utility
* Place magic1.dll from the Binaries package into your system32 dir

* Place "magic" from the Binaries package into your system32 dir (or anywhere else, just as long as you remember the path)

* Place zlib1.dll and regex2.dll from the Dependencies package into your system32 dir

4) Test your installation

C:\> python

>>> import magic

>>> test = magic.Magic(magic_file='C:\path\to\your\magic')

>>> print test.from_buffer("test") ASCII text, with no line terminators

For more information, go
here and here.

Again, many thanks to MHL for providing those instructions.

Another lesson here is to not stick with one tool or one set of tools, but instead be open to finding and using a tool or technique that works, and incorporating it into your toolkit. While Perl has the Parse::Win32Registry module and Python does not appear to have something comparable, Python does have the pefile module (on which pescanner.py was built) and Perl does not have (to the best of my knowledge) a comparable module. So rather than fitting the case to the tool, it's often a much better idea (albeit not easier) to find a tool or technique that will help you with your case.

4 comments:

Magento Themes said...

Thank you for helping me, I was in difficulty by this scanner issues.

Chris Ahearn said...

Thanks Harlan. A newer version of pescanner.py was what I needed for my linux install.

Anonymous said...

I think there is win32::exe on perl thought i do't try it

H. Carvey said...

@Anonymous...

No, they aren't.