Skip to content

Commit 48d1fa0

Browse files
author
sgtdede
committed
Add yara support + with valhalla DEMO yara rules
1 parent 15c8c9d commit 48d1fa0

File tree

8 files changed

+57462
-8
lines changed

8 files changed

+57462
-8
lines changed

README.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,19 @@
11
# pe-checks
2-
PE file informations (VirusTotal like) for malware development and AV evasion research
2+
PE file informations (VirusTotal like) for malware development and AV evasion research
33

44
## Installation
5-
#### *Note*:
5+
#### *Note*:
66
This script requires python3
77

88
### Check out the source code
99
```
1010
git clone --recurse-submodules https://github.com/sgtdede/pe-checks.git
1111
cd pe-checks
12-
```
12+
```
1313
### Install the python dependencies
1414
```
1515
pip install -r requirements.txt
16-
```
16+
```
1717

1818
## Help
1919
```
@@ -42,7 +42,7 @@ python pe-checks.py doggo.exe -v -s -c
4242
![image](https://user-images.githubusercontent.com/5963320/130305483-aadc7dc5-4995-4411-a24f-1768c4a3440d.png)
4343

4444
## Thanks to
45-
This script is powered by [pefile](https://github.com/erocarrera/pefile), [capa](https://github.com/fireeye/capa), [RichPE](https://github.com/RichHeaderResearch/RichPE) and [PyDefenderCheck](https://gist.github.com/daddycocoaman/108d807e89a0f9731304bc848fa219f0)
45+
This script is powered by [pefile](https://github.com/erocarrera/pefile), [capa](https://github.com/fireeye/capa), [RichPE](https://github.com/RichHeaderResearch/RichPE), [yara-python](https://github.com/VirusTotal/yara-python), [valhallaAPI](https://github.com/NextronSystems/valhallaAPI) and [PyDefenderCheck](https://gist.github.com/daddycocoaman/108d807e89a0f9731304bc848fa219f0)
4646

4747
## TODO
4848
- Add signature support

pe-checks.py

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,12 +9,14 @@
99
from pydefendercheck import DefenderScanner
1010
from rich import rich_it
1111
from spoof_check import scheck_it
12+
from yara_scan import valhalla_scan
1213

1314
parser = argparse.ArgumentParser(description='PE informations')
1415
parser.add_argument(dest='filenames',metavar='filename', nargs='*')
1516
parser.add_argument('-a', '--all', dest='all', action='store_true', help='perform all modules')
1617
parser.add_argument('-c', '--capa', dest='capa', action='store_true', help='perform a CAPA scan')
1718
parser.add_argument('-s', '--scan', dest='scan', action='store_true', help='perform a defender engine scan (WARNING:before lauching that scan you need to adjust Defender settings to: Defender ON, Submission OFF)')
19+
parser.add_argument('-y', '--yara', dest='yara', action='store_true', help='perform a yara scan using Valhalla\'s free rules')
1820
parser.add_argument('-v', dest='verbose', action='store_true', help='verbose mode')
1921
args = parser.parse_args()
2022

@@ -89,16 +91,21 @@ def CapaReport(filename):
8991

9092
def main():
9193
for filename in args.filenames:
92-
print(f'{"==================================================":<50} {"File informations":^20} {"==================================================":>50}')
94+
print(f'{"==================================================":<50} {"File informations":^30} {"==================================================":>50}')
9395
SingleFileInfo(filename)
9496
if args.capa or args.all:
9597
print()
96-
print(f'{"==================================================":<50} {"Capa analysis":^20} {"==================================================":>50}')
98+
print(f'{"==================================================":<50} {"Capa analysis":^30} {"==================================================":>50}')
9799
CapaReport(filename)
98100
if args.scan or args.all:
99101
print()
100-
print(f'{"==================================================":<50} {"Defender scan":^20} {"==================================================":>50}')
102+
print(f'{"==================================================":<50} {"Defender scan":^30} {"==================================================":>50}')
101103
scanner = DefenderScanner(Path(filename))
102104
print(scanner.result)
105+
if args.yara or args.all:
106+
print()
107+
print(f'{"==================================================":<50} {"Yara (Valhalla rules) scan":^30} {"==================================================":>50}')
108+
valhalla_scan(filename)
109+
103110

104111
main()

requirements.txt

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,4 @@
11
pefile>=2021.5.24
22
flare-capa>=2.0.0
3+
yara-python>=4.1.2
4+
valhallaAPI>=0.5.2

valhalla-rules-versions

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
2021082508

valhalla-rules.compiled

12 MB
Binary file not shown.

0 commit comments

Comments
 (0)