
Consider integrating PEFile

Open sroberts opened this issue 12 years ago • 2 comments

I'm not quite sure yet what to do with this, but I feel like there are some cool possibilities.

Ref: PEFILE

sroberts avatar Feb 11 '13 03:02 sroberts

The only thing I've really used pefile for is:

  1. checking the possible compile date of the pefile https://gist.github.com/znb/4753210
  2. grabbing the exports of a DLL https://gist.github.com/znb/4753213

There's a bunch more you can do with it, but I'm not sure how useful it would be for malwarehouse. Unless of course you wanted to drop a more detailed analysis of the PE file when importing samples.

znb avatar Feb 11 '13 08:02 znb

That's pretty much what I have it in mind for, pulling compile date, compiler version, etc. I agree there's probably more out there, but my plan would be using it for tagging similar to the way I'm using Yara. Unfortunately it's not generic enough to use on all file types.

Thanks for the gists. Those will be a great help when I go that direction.

sroberts avatar Feb 11 '13 15:02 sroberts
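The two things the thread settles on, the compile timestamp and the compiler (linker) version, both live in the first few dozen bytes after the PE signature, which is where pefile reads them from (`pe.FILE_HEADER.TimeDateStamp` and `pe.OPTIONAL_HEADER.MajorLinkerVersion` / `MinorLinkerVersion`). The block below is an added example, not code from malwarehouse or from either gist: it parses those headers with `struct` so it runs with no third-party dependency, turns the values into tag strings of the kind sroberts describes, and flags the two cases a tagger has to handle (a zeroed timestamp and one set in the future). `make_sample_pe` builds a constructed, header-only PE for offline use; the tag names, the `pe_build_tags` function and the 2013 sample timestamp are all assumptions of this example. Export parsing (the second gist) needs RVA-to-offset translation through the section table and is not shown here.

```python
"""Added example: pull compile timestamp and linker version from PE headers
and emit tags for a sample store. Not malwarehouse code; tag names are
illustrative and the sample PE below is constructed, not a real binary."""
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}


def pe_build_tags(data, now=None):
    """Parse IMAGE_FILE_HEADER and the start of IMAGE_OPTIONAL_HEADER and
    return build metadata plus a list of tag strings.  `now` (tz-aware UTC
    datetime) is injectable so the future-timestamp check is deterministic."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad e_lfanew or PE signature")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsect, ts, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 4 or opt_off + opt_size > len(data):
        raise ValueError("truncated IMAGE_OPTIONAL_HEADER")
    # Magic, MajorLinkerVersion, MinorLinkerVersion open the optional header;
    # the layout of these three fields is the same for PE32 and PE32+.
    magic, major, minor = struct.unpack_from("<HBB", data, opt_off)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)

    now = now or datetime.now(timezone.utc)
    info = {
        "timestamp": ts,
        "compiled": None,
        "linker": "%d.%d" % (major, minor),
        "machine": MACHINE_NAMES.get(machine, "0x%x" % machine),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "pe32plus": magic == 0x20B,
        "tags": [],
    }
    tags = info["tags"]
    if ts == 0:
        # Linkers can zero the field; treat "no date" as a tag of its own
        # rather than pretending the sample was built in 1970.
        tags.append("timestamp:zeroed")
    else:
        built = datetime.fromtimestamp(ts, tz=timezone.utc)
        info["compiled"] = built.isoformat()
        if built > now:
            # The field is writable by anyone; a future date is a forgery.
            tags.append("timestamp:future")
        else:
            tags.append("compiled:" + built.strftime("%Y-%m-%d"))
    tags.append("linker:" + info["linker"])
    tags.append("arch:" + info["machine"])
    tags.append("dll" if info["is_dll"] else "exe")
    return info


def make_sample_pe(ts, major=10, minor=0, machine=0x14C, chars=0x0102, magic=0x10B):
    """Constructed header-only PE (no sections, no code) for offline testing:
    DOS header with e_lfanew=0x40, PE signature, file header, optional header."""
    opt_size = 224 if magic == 0x10B else 240
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    fh = struct.pack("<HHIIIHH", machine, 0, ts, 0, 0, opt_size, chars)
    opt = struct.pack("<HBB", magic, major, minor).ljust(opt_size, b"\0")
    return dos + b"PE\0\0" + fh + opt


# Assumed sample timestamp: 1360540800 is 2013-02-11 00:00:00 UTC.
SAMPLE_TS = 1360540800

if __name__ == "__main__":
    for blob in (make_sample_pe(SAMPLE_TS),
                 make_sample_pe(SAMPLE_TS, chars=0x2102, machine=0x8664, magic=0x20B),
                 make_sample_pe(0),
                 make_sample_pe(0xFFFFFFFF)):
        print(pe_build_tags(blob)["tags"])
```

Treat the resulting tags as hints, not facts: the timestamp is a plain 32-bit field that a packer or a hand edit can set to anything, and some toolchains never write a real one (Delphi binaries famously carry a fixed 1992 date, and MSVC's reproducible-build option replaces the field with a hash). Cross-checking it against the timestamps in the export directory and the debug directory, which pefile also exposes, is the usual way to spot a tampered header.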