Official repository for Pyew.

Overview

pyew

Pyew is a command-line Python tool for analysing malware. It supports hexadecimal viewing; disassembly of Intel 16-, 32- and 64-bit code; the PE and ELF file formats, for which it performs code analysis and exposes an API so you can script many kinds of analysis; following direct call/jmp instructions from the interactive command line; and display of function names and string data references. It also handles the OLE2 and PDF formats, among others, and can be extended with plugins.

Check out the wiki to get started.

Comments
  • Chkurl not working properly

    Chkurl not working properly

    Some URLs return 404 using wget, but chkurl still reports those as OK. Have you 
    noticed this problem?
    
    

    Original issue reported on code.google.com by [email protected] on 4 Dec 2011 at 10:21

    Type-Defect Priority-Medium auto-migrated 
    opened by GoogleCodeExporter 9
  • Problems with vt

    Problems with vt

    I am a starter with this program so this might be a newbie mistake.
    
    """
    [0x00000000]> vt
    File 002.exe with MD5 ea58eefb31cfc7e866a771bf13294347
    ------------------------------------------------------
    
    Error: local variable 'match' referenced before assignment
    """
    
    Here is the report if I do send it using the browser:
    http://www.virustotal.com/file-scan/report.html?id=7897ce606aac0e8186a68909a51e84dd298a5e590e80235000128cf004ff0c2b-1323035150
    
    Am I doing something wrong or is this a programming error?
    

    Original issue reported on code.google.com by [email protected] on 4 Dec 2011 at 9:55

    Type-Defect Priority-Medium auto-migrated 
    opened by GoogleCodeExporter 9
  • syntax error while compiling

    syntax error while compiling

      File "./vstruct/defs/windows/win_5_1_i386/win32k.py", line 358
        class ACCESS_STATE::__unnamed(vstruct.VStruct):
                          ^
    SyntaxError: invalid syntax

    opened by shibumi 5
  • Official project migration?

    Official project migration?

    Please kindly change the default migration description, preferably mentioning that this is the official migration by the author (search GitHub for "pyew" to see why). Also, please capture the original https://code.google.com/p/pyew/ page as README, etc, etc.

    Thanks.

    opened by pfalcon 5
  • [gcluster] directory scanning issue

    [gcluster] directory scanning issue

    Hello,
    
    When scanning a directory with gcluster:
    
    ---
    
    hash:filename:primes_hash:nodes_total:nodes_max:nodes_avg:nodes_min:edges_total:edges_max:edges_avg:edges_min:ccs_total:ccs_max:ccs_avg:ccs_min:functions:adjacency_list
    Traceback (most recent call last):
      File "./gcluster.py", line 353, in <module>
        compareDirectory(sys.argv[1])
      File "./gcluster.py", line 334, in compareDirectory
        print "%s:%s:%s:%s%d:%s" % (hash, pyew.f.name, str(phash.as_integer_ratio()[0]), data, len(pyew.functions), str(alist.adjacency_lists(pyew)))
    TypeError: 'dict' object is not callable
    
    ---
    

    Original issue reported on code.google.com by [email protected] on 7 May 2013 at 7:38

    Type-Defect Priority-Medium auto-migrated 
    opened by GoogleCodeExporter 4
  • missing basic blocks

    missing basic blocks

    What steps will reproduce the problem?
    1. Analysis/Deepanalysis calc.exe (win xp sp0)
    2. compare basicblocks found with pyew with IDA 
    
    What is the expected output? What do you see instead?
    I found 26 basic blocks; it should be 32 (4 of which might be hard to catch (SEH blocks)).
    
    What version of the product are you using? On what operating system?
    PYEW "1.2.0.0", ubuntu 12.04 64bit 
    
    Please provide any additional information below.
    it misses a short jump @ addr 0x010124c8 to basicblock @ 0x010124d8
    and a short jump @ addr 0x010125cd to basicblock @ 0x010125dd
    
    Both jumps have the same offset 0x0e: opcode EB 0E.
    

    Original issue reported on code.google.com by [email protected] on 7 May 2013 at 1:28

    Type-Defect Priority-Medium auto-migrated 
    opened by GoogleCodeExporter 3
  • Error: name 'pdfilter' is not defined

    Error: name 'pdfilter' is not defined

    What steps will reproduce the problem?
    1. installing using hg
    2. ./pyew <pdf file name>
    
    
    After loading the PDF, the PDF filter plugins are not present.
    
    I'm using it on Debian 6 64-bit (same results with the 32-bit version as well),
    stock Python 2.7.
    
    
    During loading I get the following warning:
    Error loading file: 'pdf'
    
    When trying to invoke pdfilter I get the following error:
    
    Error: name 'pdfilter' is not defined
    
    
    

    Original issue reported on code.google.com by [email protected] on 18 Jan 2012 at 11:19

    Type-Defect Priority-Medium auto-migrated 
    opened by GoogleCodeExporter 3
  • Missing DATABASE_PATH  when analyzing ELF binary

    Missing DATABASE_PATH when analyzing ELF binary

    Hello,
    When I try to analyze an ELF binary I get the following traceback (For your 
    information: pysqlite and sqlite3 are installed.) :
    
    user@trudy /opt/pyew % python2 pyew.py /usr/bin/ls
    ELF Information
    
    Entry Point at 0x1ce0
    Analyzing address 0x00011e40 - 0 in queue / 3 total
    Analyzing address 0x0000cc50 - 1 in queue / 2 total
    Traceback (most recent call last):
      File "pyew.py", line 532, in <module>
        main(sys.argv[1])
      File "pyew.py", line 219, in main
        saveAndCompareInDatabase(pyew)
      File "pyew.py", line 164, in saveAndCompareInDatabase
        db = sqlite3.connect(DATABASE_PATH)
    

    Original issue reported on code.google.com by [email protected] on 7 Aug 2014 at 1:27

    Type-Defect Priority-Medium auto-migrated 
    opened by GoogleCodeExporter 2
  • how can i add new function to print out the result of loadPeFunctions into text file

    how can i add new function to print out the result of loadPeFunctions into text file

    Hello everyone,
    I am trying to get the function calls of a PE file
    and I want to export this result into a text file for my processing later,
    but I can add the code:
    file = open("text.txt", 'w') into pyew_core.py
    Can you help me?
    Thank you very much for reading my issue!
    Good bye
    
    

    Original issue reported on code.google.com by [email protected] on 19 Mar 2014 at 7:31

    Type-Defect Priority-Medium auto-migrated 
    opened by GoogleCodeExporter 2
  • VT plugin's using the wrong query url

    VT plugin's using the wrong query url

    What steps will reproduce the problem?
    1.open a malware using pyew
    2.try to use vt on it
    
    We should have the result here. Instead we have a 403 forbidden message.
    
    
    I'm using the latest mercurial version at this date under GNU linux Sabayon.
    
    
    I managed to come over the problem using this url string in 
    plugins/virustotal.py :
    baseUrl = "https://www.virustotal.com/search?query=%s"
    instead of :
    baseUrl = "http://www.virustotal.com/en/file/%s/analysis/"
    
    Regards.
    
    
    

    Original issue reported on code.google.com by [email protected] on 9 Dec 2013 at 10:49

    Type-Defect Priority-Medium auto-migrated 
    opened by GoogleCodeExporter 2
  • diStorm3 Compatible

    diStorm3 Compatible

    For those who need it.
    
    Example, on Linux 64-bit:
    
    /path/to/distorm3/make/linux % make 
    sudo mv libdistorm3.so /usr/lib64
    
    patch :
    
    diff --git a/pydistorm.py b/pydistorm.py
    --- a/pydistorm.py
    +++ b/pydistorm.py
    @@ -32,11 +32,11 @@
    
     osVer = platform.system()
     if osVer == "Windows":
    -    LIB_FILENAME = "distorm64.dll"
    +    LIB_FILENAME = "distorm3.dll"
     else:
    -    LIB_FILENAME = 'libdistorm64.so'
    +    LIB_FILENAME = 'libdistorm3.so'
    
    -distorm = cdll.LoadLibrary(LIB_FILENAME)
    +distorm3 = cdll.LoadLibrary(LIB_FILENAME)
     Decode16Bits = 0
     Decode32Bits = 1
     Decode64Bits = 2
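    Review bot: renaming the module-level handle from `distorm` to `distorm3` in this hunk breaks any other reference to `distorm` in pydistorm.py that lies outside these two hunks (it would raise NameError at import); grep for remaining uses before applying. Also, `cdll.LoadLibrary(LIB_FILENAME)` with a bare `libdistorm3.so` is resolved only through the system loader's search path, which is why the instructions above need `sudo mv libdistorm3.so /usr/lib64`; either document that requirement next to the constant or try a path relative to the module first, so a missing library fails with a clear message rather than an OSError from ctypes at import time.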
    @@ -44,11 +44,11 @@
    
     if osVer == "Windows":
         if SUPPORT_64BIT_OFFSET:
    -        decode_func = distorm.distorm_decode64
    +        decode_func = distorm3.distorm_decode64
         else:
    -        decode_func = distorm.distorm_decode32
    +        decode_func = distorm3.distorm_decode32
     else:
    -    decode_func = distorm.internal_decode
    +    decode_func = distorm3.distorm_decode64
    
     DECRES_NONE = 0
     DECRES_SUCCESS = 1
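    Review bot: the non-Windows branch now hard-codes `decode_func = distorm3.distorm_decode64`, while the Windows branch just above still selects between `distorm_decode64` and `distorm_decode32` based on `SUPPORT_64BIT_OFFSET`; a libdistorm3.so built without 64-bit offset support exports the 32-bit variant and this line will fail with AttributeError. Mirror the Windows branch's `if SUPPORT_64BIT_OFFSET:` check here. Dropping the old `internal_decode` symbol is consistent with the library rename in the previous hunk.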
    
    
    

    Original issue reported on code.google.com by [email protected] on 24 Sep 2012 at 12:45

    Type-Defect Priority-Medium auto-migrated 
    opened by GoogleCodeExporter 2
  • License change

    License change

    I will be changing the license of this project to the GNU Affero GPL 3.0. While it means no change for 99.99% of users, I would like to know if you have a strong opinion against the change.

    opened by joxeankoret 0
  • merge/replace patches from Debian

    merge/replace patches from Debian

    Before pyew was removed from Debian, it had a few patches, it would be great if they could be merged into your version or replaced by other commits:

    https://sources.debian.org/src/pyew/2.0-4/debian/patches/

    opened by pabs3 0
  • Migrate from Python 2 to Python 3

    Migrate from Python 2 to Python 3

    Forwarding https://bugs.debian.org/937434

    Python 2 is EOL soon so distros are working on removing all modules that require Python 2. Consequently pyew got removed from Debian and will become unusable on most distributions released in the next few years as they remove Python 2 modules and runtimes. Migrating the codebase to Python 3 so that pyew can be used after 2020 would be a good idea.

    https://pythonclock.org/ https://bugs.debian.org/939059

    PS:

    opened by pabs3 1
  • leaves a cache file in ~/

    leaves a cache file in ~/

    Forwarding https://bugs.debian.org/688525

    When I run pyew /bin/ls I get a cache file (~/pyew-files.sqlite) in sqlite format directly in my home directory. That should be moved to a better place, preferably following the XDG basedir spec:

    $ sqlite3 pyew-files.sqlite .schema
    CREATE TABLE antidebugs (
                            id integer not null primary key,
                            sample_id, addr, mnemonic
                            );
    CREATE TABLE function_stats (
                            id integer not null primary key,
                            sample_id, addr, nodes, edges, cc);
    CREATE TABLE samples (id integer not null primary key,
                                           md5, sha1, sha256, filename, type);
    
    opened by pabs3 2
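One way to do what the report above asks for, as an added example that is not pyew's own code: resolve the cache directory per the XDG Base Directory spec ($XDG_CACHE_HOME, falling back to ~/.cache, ignoring empty or relative values), create it owner-only, and initialise the same three tables shown in the .schema output. The file name pyew-files.sqlite and the table layout come from the report; the helper names, the 0700 directory mode and the demo() function are this example's own choices. Python 3 is assumed.

```python
"""Create pyew-files.sqlite under an XDG-compliant cache directory instead of $HOME."""
import os
import sqlite3
import tempfile

DB_NAME = "pyew-files.sqlite"  # file name from the bug report

# Same three tables as the .schema output in the report (SQLite allows untyped
# columns). IF NOT EXISTS makes re-running the initialisation idempotent.
SCHEMA = """
CREATE TABLE IF NOT EXISTS samples (
    id integer not null primary key,
    md5, sha1, sha256, filename, type);
CREATE TABLE IF NOT EXISTS function_stats (
    id integer not null primary key,
    sample_id, addr, nodes, edges, cc);
CREATE TABLE IF NOT EXISTS antidebugs (
    id integer not null primary key,
    sample_id, addr, mnemonic);
"""


def xdg_cache_dir(app, env=None):
    """Return $XDG_CACHE_HOME/<app>, or $HOME/.cache/<app> when the variable is
    unset, empty or not an absolute path (the spec says such values are invalid)."""
    env = os.environ if env is None else env
    base = env.get("XDG_CACHE_HOME", "")
    if not os.path.isabs(base):
        base = os.path.join(env.get("HOME") or os.path.expanduser("~"), ".cache")
    return os.path.join(base, app)


def open_cache_db(app="pyew", env=None):
    """Create the cache directory owner-only (0700, an assumption of this example,
    since the database records which samples were analysed) and return
    (db_path, connection) with the schema applied."""
    cache_dir = xdg_cache_dir(app, env)
    os.makedirs(cache_dir, mode=0o700, exist_ok=True)
    path = os.path.join(cache_dir, DB_NAME)
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return path, conn


def table_names(conn):
    """Tables present in the database, sorted by name."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def demo():
    """Exercise both resolution branches inside a throwaway directory and
    return the facts worth checking (no real home directory is touched)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        explicit = os.path.join(tmp, "xdg")
        # 1. an absolute XDG_CACHE_HOME is honoured
        path1, conn1 = open_cache_db(env={"HOME": home, "XDG_CACHE_HOME": explicit})
        tables = table_names(conn1)
        conn1.close()
        mode = os.stat(os.path.dirname(path1)).st_mode & 0o777
        # 2. a relative value is invalid per the spec and falls back to ~/.cache
        path2 = xdg_cache_dir("pyew", env={"HOME": home,
                                           "XDG_CACHE_HOME": "relative/cache"})
        return {
            "explicit_ok": path1 == os.path.join(explicit, "pyew", DB_NAME),
            "fallback_ok": path2 == os.path.join(home, ".cache", "pyew"),
            "tables": tables,
            "mode": mode,
        }


if __name__ == "__main__":
    print(demo())
```

The directory is created with mode 0700 rather than the default 0755 because the database lists every sample hash and file name the user has analysed, which is information other local accounts have no need to read.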
  • Improper division into basic blocks

    Improper division into basic blocks

    Hello, I try to enumerate all basic blocks using the following code:

    import sys
    from pyew import CPyew
    
    def main(f):
        # plugins/batch flags as used in the report: load plugins, no interactive prompt
        pyew = CPyew(plugins=True, batch=True)
        pyew.loadFile(f)
        ca = pyew._anal  # code analysis object that holds the recovered basic blocks
        for _, block in ca.basic_blocks.iteritems():
            for instr in block.instructions:
                print "%s %s" % (instr.mnemonic, instr.operands)
            print '--------------------------------------------'
    
    
    if __name__ == "__main__":
        if len(sys.argv) == 1:
            print "Usage:", sys.argv[0], "<program file>"
        else:
            main(sys.argv[1])
    

    It gets me basic blocks, but some of them are incorrect because the last instruction in them is not ret, call, jmp, etc. Here is the example (here you can see that the last block instruction is mov): code

    opened by 0x123456789 4
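The two basic-block reports above ("missing basic blocks", where a short jump EB 0E to 0x010124d8 was not split on, and "Improper division into basic blocks", where blocks end in a mov) are the two halves of one rule: a block starts at the function entry, at every branch target, and at the instruction after every branch or ret. A block whose last instruction is a mov is therefore correct when the next instruction is a branch target. The following is an added example, not pyew's or IDA's code: a leader-based splitter in Python 3 over a constructed instruction stream (addresses and sizes are made up; only the EB 0E pattern and its target arithmetic come from the report), next to the naive split-after-branch behaviour that merges jump targets into the preceding block.

```python
"""Leader-based basic-block splitting versus naive split-after-branch."""
from collections import namedtuple

# addr: instruction address, size: encoded length, mnem: mnemonic,
# target: branch destination for jmp/jcc, otherwise None.
Insn = namedtuple("Insn", "addr size mnem target")
JUMPS = {"jmp", "jz", "jnz"}        # branch mnemonics present in the sample
TERMINATORS = JUMPS | {"ret"}       # instructions after which a new block starts

# Constructed stream (not taken from calc.exe). The jmp at 0x010124c8 is the
# pattern from the report: EB 0E is a 2-byte short jump, so its target is
# 0x010124c8 + 2 + 0x0e = 0x010124d8. The mov at 0x010124d6 falls through
# into that target, so it legitimately ends a block without being a branch.
SAMPLE = [
    Insn(0x010124c0, 1, "push", None),
    Insn(0x010124c1, 2, "mov", None),
    Insn(0x010124c3, 3, "cmp", None),
    Insn(0x010124c6, 2, "jz", 0x010124cc),    # 74 04
    Insn(0x010124c8, 2, "jmp", 0x010124d8),   # EB 0E
    Insn(0x010124ca, 2, "xor", None),
    Insn(0x010124cc, 1, "inc", None),
    Insn(0x010124cd, 2, "mov", None),
    Insn(0x010124cf, 3, "add", None),
    Insn(0x010124d2, 2, "test", None),
    Insn(0x010124d4, 2, "jnz", 0x010124cc),   # 75 F6 (backward)
    Insn(0x010124d6, 2, "mov", None),
    Insn(0x010124d8, 1, "pop", None),
    Insn(0x010124d9, 1, "ret", None),
]


def short_jump_target(addr, encoding):
    """Target of a rel8 branch: address of the next instruction plus the
    signed 8-bit displacement in the second byte."""
    rel = encoding[1]
    if rel >= 0x80:
        rel -= 0x100
    return addr + len(encoding) + rel


def split_on_terminators(insns):
    """Naive splitting: a block ends only at a branch or ret. Branch targets
    that sit mid-block are not split, which is exactly the missed-block case."""
    blocks, cur = [], []
    for ins in insns:
        cur.append(ins)
        if ins.mnem in TERMINATORS:
            blocks.append(cur)
            cur = []
    if cur:
        blocks.append(cur)
    return blocks


def basic_blocks(insns):
    """Leader algorithm. Returns [(start_addr, [Insn, ...], sorted successors)]."""
    addrs = {i.addr for i in insns}
    leaders = {insns[0].addr}                     # function entry
    for ins in insns:
        if ins.mnem in TERMINATORS:
            nxt = ins.addr + ins.size             # instruction after a branch/ret
            if nxt in addrs:
                leaders.add(nxt)
        if ins.target is not None and ins.target in addrs:
            leaders.add(ins.target)               # branch destination
    blocks, cur = [], []
    for ins in insns:
        if ins.addr in leaders and cur:
            blocks.append(cur)
            cur = []
        cur.append(ins)
    if cur:
        blocks.append(cur)
    result = []
    for blk in blocks:
        last = blk[-1]
        succ = set()
        if last.target is not None:
            succ.add(last.target)
        if last.mnem not in ("jmp", "ret"):       # fall-through edge
            nxt = last.addr + last.size
            if nxt in addrs:
                succ.add(nxt)
        result.append((blk[0].addr, blk, sorted(succ)))
    return result


if __name__ == "__main__":
    print("naive blocks:", len(split_on_terminators(SAMPLE)))
    for start, blk, succ in basic_blocks(SAMPLE):
        print("%08x: %-28s -> %s" % (start, " ".join(i.mnem for i in blk),
                                     ["%08x" % s for s in succ]))
```

Run stand-alone it prints four naive blocks against six leader-based ones; the two extra blocks begin at 0x010124cc and 0x010124d8, the two branch targets the naive pass folds into their predecessors. When comparing a tool's block count with IDA's, the numbers match only if both split on targets this way, so a block that ends in a plain mov is a defect only when the following instruction is not a leader.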
Owner
Joxean
I analyse, break and code stuff in no specific order.