# Copyright (c) 2013 Geir Skjotskift# # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Reads a PE file and checks it for a given property. The result is reported in the exit code only, so the tool is easy to drive from shell scripts.
pefile - https://code.google.com/p/pefile/
argparse - (included in Python >= 2.7)
Both can be installed via easy_install (or pip):
# easy_install pefile # easy_install argparse
usage: pecantrip.py [-h] [-v] [-i | -e | -w] FILE positional arguments: FILE Name of the file to check optional arguments: -h, --help show this help message and exit -v, --verbose Verbose output to stderr -i, --imports exit code 1 if no import table, or 2 if this is not a PE file -e, --exports exit code 1 if no export table, or 2 if this is not a PE file -w, --warnings exit code 1 if there are PE parsing warnings, or 2 if this is not a PE file. Exit code 0 means the selected check passed (the table is present, or there were no parsing warnings); the -i, -e and -w checks are mutually exclusive.
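#!/usr/bin/env bash
#
# EXAMPLE USAGE : pecantrip.py
#
# Sort the regular files under the current directory into good/, bad/ and
# unknown/ according to the exit status of `pecantrip.py -i` (import-table
# check):
#   0 -> good/     (PE file that has an import table)
#   1 -> bad/      (PE file with no import table)
#   2 -> unknown/  (not a PE file)
# Any other status (for example 127 when pecantrip.py is not on PATH) leaves
# the file where it is, as the original script did.
#
# Filenames come from the sample set. In a triage setting that set is
# untrusted, so names may contain spaces, newlines, glob characters or a
# leading '-'. The file list is therefore NUL-delimited, every expansion is
# quoted, and paths are passed after '--' so neither pecantrip.py's argument
# parser nor mv can mistake a name for an option.
#
# NOTE(review): like the original, this picks up every regular file below the
# current directory, including this script or pecantrip.py if they live here.
set -uo pipefail

# Create one output directory, or abort with status 1 if it already exists.
# Arguments: $1 - directory name
make_bucket() {
  if ! mkdir -- "$1" 2> /dev/null; then
    printf "Directory '%s' allready exists. Exiting\n" "$1"
    exit 1
  fi
}

# Map a pecantrip.py exit status to its bucket directory.
# Arguments: $1 - exit status
# Outputs:   bucket name on stdout; nothing for statuses that are not sorted
bucket_for_status() {
  case "$1" in
    0) printf '%s\n' good ;;
    1) printf '%s\n' bad ;;
    2) printf '%s\n' unknown ;;
    *) ;;
  esac
}

main() {
  local bucket f status

  for bucket in good bad unknown; do
    make_bucket "$bucket"
  done

  # find runs concurrently with the loop, so prune the buckets: otherwise a
  # file moved into good/ could be walked and re-checked by the same run.
  while IFS= read -r -d '' f; do
    status=0
    pecantrip.py -i -- "$f" || status=$?
    bucket=$(bucket_for_status "$status")
    if [[ -n "$bucket" ]]; then
      mv -- "$f" "$bucket/."
    fi
  done < <(find . \( -path ./good -o -path ./bad -o -path ./unknown \) -prune \
             -o -type f -print0)
}

main "$@"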