PE static analysis engine

I've recently been working on a PE static analysis engine.

Feature extraction

I built a PE feature extraction module. Built mostly on LIEF and pefile, it extracts a large number (>150) of features, such as:

  • checksums
  • number of exports
  • entropy of sections
  • packing detection
  • anti-debug features

… plus some more interesting ones.
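To make two of those features concrete, here is an added example (not code from the engine described in this post, which builds on LIEF and pefile) that walks a PE's DOS header, PE signature, COFF header and section table with nothing but `struct`, then computes per-section Shannon entropy and a simple packing indicator. The sample image, the 7.0 entropy threshold and the feature names are constructed for the demonstration; real samples have an optional header, imports and more, which the parser skips over via SizeOfOptionalHeader.

```python
import math
import struct
from typing import Dict, List

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed heuristic threshold (not from the post): sections with entropy above
# this look compressed or encrypted, a common but not conclusive packing sign.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 max."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe_sections(image: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, sc) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        # Slicing past EOF yields fewer bytes, never an exception, so a bogus
        # header cannot read outside the buffer.
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "executable": bool(sc & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(sc & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def extract_features(image: bytes) -> Dict:
    """A handful of the section-level features a classifier could consume."""
    secs = parse_pe_sections(image)
    entropies = [s["entropy"] for s in secs]
    return {
        "section_count": len(secs),
        "max_section_entropy": max(entropies, default=0.0),
        "high_entropy_sections": sum(e > PACKED_ENTROPY_THRESHOLD for e in entropies),
        "wx_sections": sum(s["writable"] and s["executable"] for s in secs),
        "likely_packed": any(e > PACKED_ENTROPY_THRESHOLD for e in entropies),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal image: two sections, no optional header, no imports."""
    text = b"\x90" * 128 + b"\xc3" * 128   # two byte values -> entropy 1.0
    data = bytes(range(256))               # every byte once   -> entropy 8.0
    e_lfanew = 0x40
    hdr_end = e_lfanew + 4 + 20 + 2 * 40   # first raw byte after the headers
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    sec_text = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000,
                           len(text), hdr_end, 0, 0, 0, 0, 0x60000020)
    sec_data = struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x2000,
                           len(data), hdr_end + len(text), 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + sec_text + sec_data + text + data


if __name__ == "__main__":
    for sec in parse_pe_sections(build_sample_pe()):
        print(sec)
    print(extract_features(build_sample_pe()))
```

Entropy alone is a weak signal: a large resource section holding a compressed image scores just as high as a packed code section, so a practitioner usually combines it with whether the section is executable and with where the entry point lands.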

Classification

  • I used the feature extraction module to set up a classification model to discriminate between benignware and malware.
  • Datasets organized by malware family can help detect correlations between features and thus support attribution.
  • My ROC curve has a (capital) gamma shape, but …
  • … I’m looking for more benignware to complete the datasets
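The "gamma shape" remark above refers to the ROC curve rising straight up the left edge to a true positive rate of 1.0 before moving right, i.e. a threshold exists that catches every malware sample with no false positives. The following added example (not the post's own evaluation code) builds the ROC curve and AUC from label/score pairs without any ML library and checks for that shape; the scores are constructed, with label 1 standing for malware.

```python
from typing import List, Sequence, Tuple

Point = Tuple[float, float]  # (false positive rate, true positive rate)


def roc_curve(labels: Sequence[int], scores: Sequence[float]) -> List[Point]:
    """ROC points from label/score pairs (label 1 = malware, 0 = benign).

    The decision threshold sweeps from above the highest score downward;
    each point is the (FPR, TPR) obtained by flagging every sample scoring
    at or above that threshold. Tied scores are released together.
    """
    positives = sum(1 for y in labels if y == 1)
    negatives = len(labels) - positives
    if positives == 0 or negatives == 0:
        raise ValueError("need at least one malware and one benign sample")
    ranked = sorted(zip(scores, labels), key=lambda p: p[0], reverse=True)
    tp = fp = 0
    points: List[Point] = [(0.0, 0.0)]
    i = 0
    while i < len(ranked):
        threshold = ranked[i][0]
        while i < len(ranked) and ranked[i][0] == threshold:
            if ranked[i][1] == 1:
                tp += 1
            else:
                fp += 1
            i += 1
        points.append((fp / negatives, tp / positives))
    return points


def auc(points: List[Point]) -> float:
    """Area under the ROC curve by the trapezoidal rule."""
    return sum((x1 - x0) * (y0 + y1) / 2.0
               for (x0, y0), (x1, y1) in zip(points, points[1:]))


def is_gamma_shaped(points: List[Point]) -> bool:
    """True when TPR reaches 1.0 while FPR is still 0.0: the curve goes
    straight up the left edge, then across the top, like a capital gamma."""
    return any(x == 0.0 and y == 1.0 for x, y in points)


def fpr_step(labels: Sequence[int]) -> float:
    """Smallest FPR change one benign sample can produce: 1 / #benign."""
    negatives = sum(1 for y in labels if y == 0)
    return 1.0 / negatives if negatives else float("nan")


# Constructed example scores (not real model output): 3 malware, 3 benign,
# perfectly separated by the score.
PERFECT_LABELS = [1, 1, 1, 0, 0, 0]
PERFECT_SCORES = [0.95, 0.90, 0.80, 0.30, 0.20, 0.10]
# Same labels, but one malware sample is ranked below one benign sample.
MIXED_LABELS = [1, 1, 1, 0, 0, 0]
MIXED_SCORES = [0.95, 0.90, 0.40, 0.50, 0.20, 0.10]


if __name__ == "__main__":
    for name, labels, scores in (("perfect", PERFECT_LABELS, PERFECT_SCORES),
                                 ("mixed", MIXED_LABELS, MIXED_SCORES)):
        pts = roc_curve(labels, scores)
        print(name, pts, "AUC=%.4f" % auc(pts), "gamma:", is_gamma_shaped(pts))
```

`fpr_step` makes the benignware problem explicit: with only three benign samples the false positive axis can take just four values, so a single misclassified benign file moves the curve a third of the way across. That coarse FPR resolution is the main reason a small benign set makes a gamma-shaped curve look better than the model deserves.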

Modes

GUI

It has a fancy GUI mode based on Flask, where you can upload a binary and get a web view of all the extracted features. It also keeps a history.

CLI

The CLI mode lets you do everything the GUI does, plus the classification tasks:

  • extract PE(s) features
  • build a classification model
  • submit PE(s) to the classification model
  • extract feature correlation information (e.g. a correlation or scatter matrix)

Download

This is not released (yet?)