![PEpper_1_logo.jpeg](https://1.bp.blogspot.com/-lM5EiQ30skY/XVYsS9NJKNI/AAAAAAAAQAg/cxRQuwBC8VkHnsbIZ2Oj0yWlb7mXwShYgCLcBGAs/s640/PEpper_1_logo.jpeg)
An open source tool to perform malware static analysis on Portable Executables (PE).
Installation
```
git clone https://github.com/Th3Hurrican3/PEpper/
cd PEpper
pip3 install -r requirements.txt
python3 pepper.py ./malware_dir
```
Screenshot
![](https://1.bp.blogspot.com/-fe62AlQYwh8/XVYsvSUut1I/AAAAAAAAQAw/TYcE-Z2U0jAzUXcixKTRR6en0bC845hXACLcBGAs/s640/PEpper_2_1.png)
![](https://1.bp.blogspot.com/-PkCYkbbr46M/XVYsvMVCaqI/AAAAAAAAQAs/JMIimHDROpUEeiNoTmG5BODXf70nmFUxQCLcBGAs/s640/PEpper_3_2.png)
![](https://1.bp.blogspot.com/-_69GHQ6AYZg/XVYsvpdth-I/AAAAAAAAQA0/j-YPgGsm3JM_grNABtzefj6EfbpP0snNACLcBGAs/s640/PEpper_4_3.png)
![](https://1.bp.blogspot.com/-cXfnPT90nA8/XVYsv3DHAaI/AAAAAAAAQA4/1S3J5q_5BZcLaB_peW8C2u3zag3wkg8PACLcBGAs/s640/PEpper_5_4.png)
CSV output
![](https://1.bp.blogspot.com/-h1yhM3Y1m4I/XVYs1ZgktTI/AAAAAAAAQA8/z_vTX_PltHAF4K4JGoS7TVicE1mgaDGUQCLcBGAs/s640/PEpper_6_csv.png)
Features extracted
- Suspicious entropy ratio
- Suspicious name ratio
- Suspicious code size
- Suspicious debugging time-stamp
- Number of exports
- Number of anti-debugging calls
- Number of virtual-machine detection calls
- Number of suspicious API calls
- Number of suspicious strings
- Number of YARA rule matches
- Number of URLs found
- Number of IPs found
- Cookie on the stack (GS) support
- Control Flow Guard (CFG) support
- Data Execution Prevention (DEP) support
- Address Space Layout Randomization (ASLR) support
- Structured Exception Handling (SEH) support
- Thread Local Storage (TLS) support
- Presence of manifest
- Presence of version
- Presence of digital certificate
- Packer detection
- VirusTotal database detection
- Import hash
Notes
- Can be run on a single PE or on multiple PEs (placed inside a directory)
- Output is saved as output.csv in the same directory as pepper.py
- To use the VirusTotal scan, add your private key in the module called "virustotal.py" (Internet connection required)
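To show what several of the listed features look like when read straight from the PE headers, here is an added example (not PEpper's own code) that parses the DOS/COFF/optional headers and section table with nothing but the standard library. It reports the DEP, ASLR, CFG and SEH flags from `DllCharacteristics`, TLS/certificate/export presence from the data directories, per-section entropy, and three heuristics. Assumptions are ours, not the tool's: the 7.0 bits/byte entropy threshold, the list of "known" section names, and using the COFF `TimeDateStamp` as a stand-in for the debug time-stamp. `build_sample_pe` constructs a minimal, non-executable PE32 image so the checks can be exercised offline.

```python
import math
import struct
import time
from collections import Counter

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # ASLR opt-in
NX_COMPAT = 0x0100     # DEP opt-in
NO_SEH = 0x0400        # image declares that it uses no SEH handlers
GUARD_CF = 0x4000      # Control Flow Guard

# Assumed heuristics (our choices, not PEpper's): section names that mainstream
# linkers emit, and the per-section entropy above which a section looks packed.
KNOWN_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}
HIGH_ENTROPY = 7.0  # bits per byte


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes, now=None) -> dict:
    """Extract a subset of PEpper-style static features from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B   # PE32+ vs PE32
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + (108 if plus else 92))[0]
    dir_base = opt + (112 if plus else 96)

    def directory(index):
        """(VirtualAddress, Size) of a data directory, or (0, 0) if absent."""
        if index >= num_dirs:
            return (0, 0)
        return struct.unpack_from("<II", data, dir_base + 8 * index)

    entropy = {}
    for i in range(nsec):  # 40-byte section headers follow the optional header
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        entropy[name] = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])

    now = time.time() if now is None else now
    return {
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "dep": bool(dllchars & NX_COMPAT),
        "cfg": bool(dllchars & GUARD_CF),
        # NO_SEH cleared only says SEH may be used; SafeSEH lives in the load config.
        "seh": not (dllchars & NO_SEH),
        "tls": directory(9)[1] != 0,          # IMAGE_DIRECTORY_ENTRY_TLS
        "certificate": directory(4)[1] != 0,  # IMAGE_DIRECTORY_ENTRY_SECURITY
        "exports": directory(0)[1] != 0,      # IMAGE_DIRECTORY_ENTRY_EXPORT
        "section_entropy": entropy,
        "suspicious_entropy_ratio": sum(e > HIGH_ENTROPY for e in entropy.values()) / max(nsec, 1),
        "suspicious_name_ratio": sum(n not in KNOWN_SECTIONS for n in entropy) / max(nsec, 1),
        # Simplification: COFF TimeDateStamp; a zeroed or future stamp is suspect.
        "suspicious_timestamp": timestamp == 0 or timestamp > now,
    }


def build_sample_pe(dll_characteristics, sections, timestamp, tls=False) -> bytes:
    """Constructed minimal PE32 image (not a real program) for exercising parse_pe."""
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # 96 bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 36, 512)                        # FileAlignment
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    if tls:
        struct.pack_into("<II", opt, 96 + 9 * 8, 0x3000, 24)    # TLS directory present
    sec_hdrs, blobs = bytearray(), bytearray()
    for i, (name, body) in enumerate(sections):
        body = body.ljust(512, b"\0")[:512]
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(body),
                                0x1000 * (i + 1), 512, 512 + 512 * i, 0, 0, 0, 0, 0x60000020)
        blobs += body
    headers = (bytes(hdr) + b"PE\0\0" + coff + bytes(opt) + bytes(sec_hdrs)).ljust(512, b"\0")
    return headers + bytes(blobs)


if __name__ == "__main__":
    sample = build_sample_pe(NO_SEH, [("UPX0", b"\x90" * 512), ("UPX1", bytes(range(256)) * 2)],
                             timestamp=1_700_000_000)
    for key, value in parse_pe(sample).items():
        print(f"{key}: {value}")
```

The two constructed images in the test below mirror the contrast PEpper's CSV is meant to surface: a hardened binary with ASLR, DEP, CFG and TLS set and standard section names scores zero on every heuristic, while a packer-style layout with no mitigations, nonstandard section names, a maximum-entropy section and a future time-stamp lights up all three.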