{
  "id": 13538841,
  "url": "https://github.com/0x0be/PEpper",
  "last_synced_at": "2025-04-02T05:32:06.844Z",
  "repository": {
    "id": 46752006,
    "uuid": "196735700",
    "full_name": "0x0be/PEpper",
    "owner": "0x0be",
    "description": " An open source script to perform malware static analysis on Portable Executable ",
    "archived": false,
    "fork": false,
    "pushed_at": "2023-05-23T00:52:01.000Z",
    "size": 2162,
    "stargazers_count": 309,
    "open_issues_count": 3,
    "forks_count": 71,
    "subscribers_count": 18,
    "default_branch": "master",
    "last_synced_at": "2024-08-06T13:11:56.133Z",
    "etag": null,
    "topics": ["malware", "malware-analysis", "python3", "static-analysis"],
    "latest_commit_sha": null,
    "homepage": "",
    "language": "YARA",
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": null,
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/0x0be.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": null,
        "funding": null,
        "license": null,
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null,
        "governance": null,
        "roadmap": null,
        "authors": null,
        "dei": null,
        "publiccode": null,
        "codemeta": null
      }
    },
    "created_at": "2019-07-13T15:15:36.000Z",
    "updated_at": "2024-08-01T02:19:38.000Z",
    "dependencies_parsed_at": "2024-07-25T08:03:27.791Z",
    "dependency_job_id": "40879cb1-11b4-4134-9f82-065d19e2c002",
    "html_url": "https://github.com/0x0be/PEpper",
    "commit_stats": null,
    "previous_names": ["th3hurrican3/pepper"],
    "tags_count": 0,
    "template": false,
    "template_full_name": null,
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x0be%2FPEpper",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x0be%2FPEpper/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x0be%2FPEpper/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x0be%2FPEpper/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0x0be",
    "download_url": "https://codeload.github.com/0x0be/PEpper/tar.gz/refs/heads/master",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 246763808,
      "owners_count": 20829795,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": ["malware", "malware-analysis", "python3", "static-analysis"],
  "created_at": "2024-08-01T09:01:16.803Z",
  "updated_at": "2025-04-02T05:32:01.837Z",
  "avatar_url": "https://github.com/0x0be.png",
  "language": "YARA",
  "funding_links": [],
  "categories": ["\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e工具"],
  "sub_categories": ["\u003ca id=\"31185b925d5152c7469b963809ceb22d\"\u003e\u003c/a\u003e新添加的"],
  "readme": "\u003cp align=\"center\"\u003e\n    \u003cimg src=\"https://raw.githubusercontent.com/Th3Hurrican3/PEpper/media/logo.jpg\" alt=\"PEpper logo\"\u003e\n\u003c/p\u003e\n\n\u003ch3 align=\"center\"\u003ePEpper\u003c/h3\u003e\n\u003cp align=\"center\"\u003e\n    An open source tool to perform \u003ci\u003emalware static analysis\u003c/i\u003e on \u003cb\u003eP\u003c/b\u003eortable \u003cb\u003eE\u003c/b\u003executable\n\u003c/p\u003e\n\n# Installation\n\n```console\neva@paradise:~$ git clone https://github.com/blackeko/PEpper/\neva@paradise:~$ cd PEpper\neva@paradise:~$ pip3 install -r requirements.txt\neva@paradise:~$ python3 pepper.py ./malware_dir\n```\n\n# Screenshot\n\n\u003ctable style=\"width:100%\"\u003e\n\t\t\u003ctr\u003e\n\t\t\t\u003ctd\u003e\u003cimg src=\"https://raw.githubusercontent.com/blackeko/PEpper/media/1.png\" \u003e\u003c/td\u003e\n\t\t\t\u003ctd\u003e\u003cimg src=\"https://raw.githubusercontent.com/blackeko/PEpper/media/2.png\" \u003e\u003c/td\u003e\n\t\t\u003c/tr\u003e\n\t\t\u003ctr\u003e\n\t\t\t\u003ctd\u003e\u003cimg src=\"https://raw.githubusercontent.com/blackeko/PEpper/media/3.png\" \u003e\u003c/td\u003e\n\t\t\t\u003ctd\u003e\u003cimg src=\"https://raw.githubusercontent.com/blackeko/PEpper/media/4.png\" \u003e\u003c/td\u003e\n\t\t\u003c/tr\u003e\n\u003c/table\u003e\n\nand more rows..\n\n# CSV output\n\n\u003cp\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/blackeko/PEpper/media/csv.png\" alt=\"outcome\"\u003e\n\u003c/p\u003e\n\nand more columns..\n\n# Feature extracted\n\n- **Suspicious entropy** ratio\n- **Suspicious name** ratio\n- Suspicious **code size**\n- Suspicious **debugging time-stamp** \n- Number of **export**\n- Number of **anti-debugging** calls\n- Number of **virtual-machine detection** calls\n- Number of **suspicious API** calls\n- Number of **suspicious strings**\n- Number of **YARA** rules matches \n- Number of **URL** found\n- Number of **IP** found\n- *Cookie on the stack* (**GS**) support\n- *Control Flow Guard* (**CFG**) support\n- *Data Execution Prevention* (**DEP**) support\n- *Address Space Layout Randomization* (**ASLR**) support\n- *Structured Exception Handling* (**SEH**) support\n- *Thread Local Storage* (**TLS**) support\n- Presence of **manifest**\n- Presence of **version**\n- Presence of **digital certificate**\n- **Packer** detection\n- **VirusTotal** database detection\n- **Import hash**\n\n# Notes\n\n- Can be run on *single* or *multiple* PE (placed inside a directory)\n- Output will be saved (in the same directory of *pepper.py*) as **FILENAME-output.csv**\n- To use **VirusTotal scan**, add your private key in the module called \"virustotal.py\" (Internet connection required)\n- \u003cimg alt=\"Software License\" src=\"https://img.shields.io/badge/license-GPL3-brightgreen.svg?style=flat-square\"\u003e\n\n# Credits\n\nMany thanks to those who indirectly helped me in this work, specially:\n\n- The [LIEF](https://github.com/lief-project/LIEF) project and its awesome library\n- [PEstudio](https://www.winitor.com/), a really amazing software to analyze PE\n- [PEframe](https://github.com/guelfoweb/peframe) from [guelfoweb](https://github.com/guelfoweb), an incredible widespread tool to perform static analysis on Portable Executable malware and malicious MS Office documents\n- [Yara-Rules](https://github.com/Yara-Rules/rules) project, which provides compiled signatures, classified and kept as up to date as possible\n",
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x0be%2FPEpper",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2F0x0be%2FPEpper",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x0be%2FPEpper/lists"
}