sroberts / malwarehouse

A warehouse for your malware
http://sroberts.github.com/malwarehouse/

Consider integrating PEFile #4

Open sroberts opened 11 years ago

sroberts commented 11 years ago

I'm not quite sure yet what to do with this, but I feel like there are some cool possibilities.

Ref: PEFILE

znb commented 11 years ago

The only thing I've really used pefile for is:

  1. checking the possible compile date of the PE file https://gist.github.com/znb/4753210
  2. grabbing the exports of a DLL https://gist.github.com/znb/4753213

There's a bunch more you can do with it, but I'm not sure how useful it would be for malwarehouse. Unless of course you wanted to drop a more detailed analysis of the PE file when importing samples.

sroberts commented 11 years ago

That's pretty much what I have it in mind for, pulling compile date, compiler version, etc. I agree there's probably more out there, but my plan would be using it for tagging similar to the way I'm using Yara. Unfortunately it's not generic enough to use on all file types.

Thanks for the gists. Those will be a great help when I go that direction.
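Added example, not code from malwarehouse or from the linked gists: the compile-date idea from the thread done by hand (reading the COFF TimeDateStamp that pefile exposes as `pe.FILE_HEADER.TimeDateStamp`) and turned into warehouse-style tags, with the sanity checks a tagger needs because the field is written by the linker and can be zeroed or forged. The PE bytes are a constructed fixture (DOS header plus COFF header only), and the `now_ts` clock value is passed in so the result is reproducible.

```python
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image.

    This is the same value pefile reports as pe.FILE_HEADER.TimeDateStamp;
    it is parsed by hand here so the example runs without pefile installed.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    # e_lfanew at DOS-header offset 0x3C points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine, NumberOfSections, TimeDateStamp, ...
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return timestamp


def compile_date_tags(data: bytes, now_ts: int) -> list:
    """Derive tags from the timestamp, flagging values that cannot be trusted.

    The stamp is linker output, not evidence: a zero value or one later than
    the ingest time (now_ts, seconds since the epoch) gets a warning tag
    instead of being treated as a real build date.
    """
    ts = pe_timestamp(data)
    if ts == 0:
        return ["compiled:unknown", "timestamp:zeroed"]
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
    if ts > now_ts:
        return ["compiled:" + when, "timestamp:future"]
    return ["compiled:" + when]


def make_minimal_pe(timestamp: int) -> bytes:
    """Constructed fixture: a DOS header and a COFF header, nothing else."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    # Machine=i386, 1 section, timestamp, no symbols, optional-header size, characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = make_minimal_pe(1360000000)  # constructed: 2013-02-04 UTC
    print(compile_date_tags(sample, now_ts=1388534400))  # ingest clock: 2014-01-01
```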