Exescan
Description
PE File Anomaly Detector Tool
Installation
Requirements
- Python - http://python.org/ >= 2.5 < 3.0
- PEfile - http://code.google.com/p/pefile/
Exescan
- Download link: http://securityxploded.com/getfile_plus.php?id=4011
Usage
Syntax
Usage: prog [option] file/Directory
Options
- -a : advanced scan with anomaly detection
- -b : display basic information
- -m : scan for commonly known malware APIs
- -i : display import/export table
- -p : display PE header
Examples
Example #1
C:\tools\ExeScan>python exescan.py -a \malware\bintext.exe
C:\malware\bintext.exe
**********************************************************
** Author: Amit Malik ([email protected]) **
** http://www.SecurityXploded.com **
** **
**********************************************************
[+] File: C:\malware\bintext.exe
[*] MD5 : 30170b9e391f9f62afa14affc10bba13
[*] SHA-1 : 531b48897de360b83643f37e74e5efe0e6a35246
[*] SHA-256 : 907ba8f9ac12d0a5d6e1c3c43c2ebd4f9e3851c02bc08fd6f2f9856e8e7fd6f3
[+] File Type: EXE
[+] Signature [Compiler/Packer]
[*] No match found.
[+] Address of entry point : 0x00001061
[+] Image Base Address : 0x00400000
[+] Sections
Name: .text Virtual Address: 0x00001000 Size: 0x0004c000 Entropy: 7.995590
Name: .rsrc Virtual Address: 0x0004d000 Size: 0x00001000 Entropy: 3.827535
[+] Anomalies Check
[*] Based on the sections entropy check! file is possibly packed
[*] Header Checksum is zero!
[*] Optional Header NumberOfRvaAndSizes field is valued illegal
[*] Optional Header LoaderFlags field is valued illegal
[+] Following expected Malware APIs are Detected
[-] Import Table
IA: 0x0040102c GetProcAddress
IA: 0x00401028 LoadLibraryA
[-] Entire Executable
1 times GetProcAddress
1 times LoadLibrary
1 times LoadLibraryA
Example #2
C:\tools\ExeScan>python exescan.py -a \malware\windowsxp2.exe
C:\malware\windowsxp2.exe
**********************************************************
** Author: Amit Malik ([email protected]) **
** http://www.SecurityXploded.com **
** **
**********************************************************
[+] File: C:\malware\windowsxp2.exe
[*] MD5 : f04cb834ac843ad08a1a5c17e4f67ba3
[*] SHA-1 : 5483af01af68d62f3354c5f8923f97ea08910979
[*] SHA-256 : 5ebdba9cd72f7ff3feff287985f740506264da46df8956927a9087be3bf922d2
[+] File Type: EXE
[+] Signature [Compiler/Packer]
['PECompact V2.X-> Bitsum Technologies']
['PeCompact 2.xx --> BitSum Technologies']
[+] Address of entry point : 0x000028e8
[+] Image Base Address : 0x00400000
[+] Sections
Name: .text Virtual Address: 0x00001000 Size: 0x00116000 Entropy: 7.998314
Name: .rsrc Virtual Address: 0x00117000 Size: 0x00003000 Entropy: 4.987640
[+] Anomalies Check
[*] Based on the sections entropy check! file is possibly packed
[+] Following expected Malware APIs are Detected
[-] Import Table
IA: 0x00518a94 GetProcAddress
IA: 0x00518a90 LoadLibraryA
IA: 0x00518a98 VirtualAlloc
[-] Entire Executable
1 times GetProcAddress
1 times LoadLibrary
1 times LoadLibraryA
1 times VirtualAlloc
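The checks behind the -a output above (section entropy, zero header checksum, NumberOfRvaAndSizes and LoaderFlags validation) and the "Entire Executable" API count, as an added worked example that is not Exescan's own code. It parses a PE32 header directly with struct instead of pefile so it runs offline, and builds a constructed minimal image in build_sample_pe (not a real program) to scan. Assumptions, none of which the page states: an entropy threshold of 7.0 for "possibly packed" (Exescan's threshold is not documented here), NumberOfRvaAndSizes expected to be 16 and LoaderFlags expected to be 0 (both from the PE format specification), a constructed four-name API list, and that the "Entire Executable" listing is a plain substring count (the page's output reports LoadLibrary once where only LoadLibraryA is present, which is what a substring match produces).

```python
"""Minimal PE32 anomaly checks in the spirit of Exescan's -a scan (added example)."""
import math
import struct

# Assumption: sections above this entropy are reported as "possibly packed".
PACKED_ENTROPY_THRESHOLD = 7.0
# PE32 optional header: 16 data directory entries; LoaderFlags must be zero.
EXPECTED_RVA_AND_SIZES = 16
# Constructed list mirroring the names in the page's output; Exescan's own list is larger.
MALWARE_APIS = [b"GetProcAddress", b"LoadLibrary", b"LoadLibraryA", b"VirtualAlloc"]


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 .. 8.0 (8.0 means every byte value equally likely)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe32(blob):
    """Return the optional-header fields and the sections this example checks."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    _, num_sections, _, _, _, size_of_opt, _ = struct.unpack_from("<HHIIIHH", blob, file_hdr)
    opt = file_hdr + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("this example handles PE32 only")
    # Offsets below are the PE32 optional header field offsets.
    hdr = {
        "entry_point": struct.unpack_from("<I", blob, opt + 16)[0],
        "image_base": struct.unpack_from("<I", blob, opt + 28)[0],
        "checksum": struct.unpack_from("<I", blob, opt + 64)[0],
        "loader_flags": struct.unpack_from("<I", blob, opt + 88)[0],
        "num_rva_and_sizes": struct.unpack_from("<I", blob, opt + 92)[0],
    }
    sections = []
    sec = opt + size_of_opt
    for i in range(num_sections):
        name, _vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, sec + 40 * i)
        data = blob[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr,
                         "size": rawsize, "entropy": shannon_entropy(data)})
    return hdr, sections


def find_anomalies(hdr, sections):
    """Apply the checks the -a output reports; messages follow the page's wording."""
    found = []
    if any(s["entropy"] > PACKED_ENTROPY_THRESHOLD for s in sections):
        found.append("Based on the sections entropy check! file is possibly packed")
    if hdr["checksum"] == 0:
        found.append("Header Checksum is zero!")
    if hdr["num_rva_and_sizes"] != EXPECTED_RVA_AND_SIZES:
        found.append("Optional Header NumberOfRvaAndSizes field is valued illegal")
    if hdr["loader_flags"] != 0:
        found.append("Optional Header LoaderFlags field is valued illegal")
    return found


def count_api_strings(blob):
    """Substring counts over the whole file (assumed to match the 'Entire Executable' listing)."""
    return {name.decode(): blob.count(name) for name in MALWARE_APIS if blob.count(name)}


def scan(blob):
    hdr, sections = parse_pe32(blob)
    return {"header": hdr, "sections": sections,
            "anomalies": find_anomalies(hdr, sections), "api_strings": count_api_strings(blob)}


def build_sample_pe(checksum=0, loader_flags=0, num_rva=16, packed=True):
    """Constructed minimal PE32 image for offline testing; not a runnable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 14, 0,
                      0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x3000, 0x200, checksum,
                      2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, loader_flags, num_rva)
    opt += b"\0" * 128                                          # 16 empty data directories

    def section(name, vaddr, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, vaddr, 0x200, rawptr, 0, 0, 0, 0, 0x60000020)

    headers = (dos + b"PE\0\0" + file_hdr + opt
               + section(b".text", 0x1000, 0x200) + section(b".rdata", 0x2000, 0x400))
    # Packed-looking .text: every byte value twice (entropy 8.0); unpacked: all NOPs (0.0).
    text = bytes(range(256)) * 2 if packed else b"\x90" * 0x200
    rdata = b"GetProcAddress\0LoadLibraryA\0".ljust(0x200, b"\0")
    return headers.ljust(0x200, b"\0") + text + rdata


if __name__ == "__main__":
    result = scan(build_sample_pe())
    print("[+] Address of entry point : 0x%08x" % result["header"]["entry_point"])
    for s in result["sections"]:
        print("Name: %-8s Virtual Address: 0x%08x Size: 0x%08x Entropy: %f"
              % (s["name"], s["vaddr"], s["size"], s["entropy"]))
    for msg in result["anomalies"]:
        print("[*] " + msg)
    for name, n in result["api_strings"].items():
        print("%d times %s" % (n, name))
```

Two caveats the checks carry over from the tool's output: a zero CheckSum is normal for ordinary user-mode executables (the loader only enforces it for drivers and some system images), so on its own it is a weak signal, whereas a .text section at entropy near 8.0 with a small resource section is the pattern both page examples show for a packed file. The import-table half of the API report (the "IA:" lines) requires walking the import directory, which this example does not do.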