{"id":26654129,"url":"https://github.com/malice-plugins/pescan","last_synced_at":"2025-08-25T13:07:21.609Z","repository":{"id":53664590,"uuid":"52167527","full_name":"malice-plugins/pescan","owner":"malice-plugins","description":"Malice PExecutable Plugin","archived":false,"fork":false,"pushed_at":"2021-03-19T23:54:44.000Z","size":328,"stargazers_count":16,"open_issues_count":5,"forks_count":11,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-06-12T21:54:43.881Z","etag":null,"topics":["docker","executable","malice","malice-plugin","malware","malware-analysis","malware-research","pe","pe-executable","pefile","peid","plugin","signature-verification","windows"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/malice-plugins.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-02-20T18:06:29.000Z","updated_at":"2024-07-01T07:49:41.000Z","dependencies_parsed_at":"2022-09-04T20:22:50.925Z","dependency_job_id":null,"html_url":"https://github.com/malice-plugins/pescan","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/malice-plugins/pescan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/malice-plugins%2Fpescan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/malice-plugins%2Fpescan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/malice-plugins%2Fpescan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/malice-plugins%2Fpescan/manifests","owner_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/malice-plugins","download_url":"https://codeload.github.com/malice-plugins/pescan/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/malice-plugins%2Fpescan/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265262545,"owners_count":23736411,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","executable","malice","malice-plugin","malware","malware-analysis","malware-research","pe","pe-executable","pefile","peid","plugin","signature-verification","windows"],"created_at":"2025-03-25T04:57:23.658Z","updated_at":"2025-07-14T08:07:53.384Z","avatar_url":"https://github.com/malice-plugins.png","language":"Python","readme":"![pescan logo](https://github.com/malice-plugins/pescan/blob/master/docs/exe.png)\n\n# pescan\n\n[![Circle CI](https://circleci.com/gh/malice-plugins/pescan.png?style=shield)](https://circleci.com/gh/malice-plugins/pescan) [![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org) [![Docker Stars](https://img.shields.io/docker/stars/malice/pescan.svg)](https://hub.docker.com/r/malice/pescan/) [![Docker Pulls](https://img.shields.io/docker/pulls/malice/pescan.svg)](https://hub.docker.com/r/malice/pescan/) [![Docker Image](https://img.shields.io/badge/docker%20image-81.7MB-blue.svg)](https://hub.docker.com/r/malice/pescan/)\n\nMalice PExecutable Plugin\n\n\u003e This repository contains a **Dockerfile** of **malice/pescan**.\n\n---\n\n## Dependencies\n\n- 
[malice/alpine](https://hub.docker.com/r/malice/alpine/)\n\n## Installation\n\n1. Install [Docker](https://www.docker.io/).\n2. Download [trusted build](https://hub.docker.com/r/malice/pescan/) from public [DockerHub](https://hub.docker.com): `docker pull malice/pescan`\n\n## Usage\n\n```bash\n$ docker run --rm -v /path/to/malware:/malware malice/pescan --help\n\nUsage: pescan [OPTIONS] COMMAND [ARGS]...\n\n  Malice PExecutable Plugin\n\n  Author: blacktop \u003chttps://github.com/blacktop\u003e\n\nOptions:\n  --version   print the version\n  -h, --help  Show this message and exit.\n\nCommands:\n  scan  scan a file\n  web   start web service\n```\n\n### Scanning\n\n```bash\n$ docker run --rm -v /path/to/malware:/malware malice/pescan scan --help\n\nUsage: pescan.py scan [OPTIONS] FILE_PATH\n\n  Malice PExecutable Scanner\n\nOptions:\n  -v, --verbose            verbose output\n  -t, --table              output as Markdown table\n  -x, --proxy PROXY        proxy settings for Malice webhook endpoint [$MALICE_PROXY]\n  -c, --callback ENDPOINT  POST results back to Malice webhook [$MALICE_ENDPOINT]\n  --elasticsearch HOST     elasticsearch address for Malice to store results [$MALICE_ELASTICSEARCH]\n  --timeout SECS           malice plugin timeout (default: 10) [$MALICE_TIMEOUT]\n  -d, --dump               dump possibly embedded binaries\n  --output PATH            where to extract the embedded objects to (default: /malware)\n                           [$MALICE_EXTRACT_PATH]\n  --peid PATH              path to the PEiD database file (default:peid/UserDB.TXT)\n                           [$MALICE_PEID_PATH]\n  -h, --help               Show this message and exit.\n```\n\nThis will output to stdout and POST to malice results API webhook endpoint.\n\n## Sample Output\n\n### [JSON](https://github.com/malice-plugins/pescan/blob/master/docs/results.json)\n\n```json\n{\n  \"linker_version\": \"06.00\",\n  \"compiletime\": {\n    \"unix\": 1164878434,\n    \"datetime\": 
\"2006-11-30 09:20:34\"\n  },\n  \"imports\": [\n    {\n      \"name\": \"GetStartupInfoA\",\n      \"address\": \"0x406044\"\n    },\n    {\n      \"name\": \"GetModuleHandleA\",\n      \"address\": \"0x406048\"\n    },\n    {\n      \"name\": \"CreatePipe\",\n      \"address\": \"0x40604c\"\n    },\n    {\n      \"name\": \"PeekNamedPipe\",\n      \"address\": \"0x406050\"\n    },\n    {\n      \"name\": \"ReadFile\",\n      \"address\": \"0x406054\"\n    },\n    {\n      \"name\": \"CreateProcessA\",\n      \"address\": \"0x406058\"\n    },\n    ...SNIP...\n    {\n      \"name\": \"WSACleanup\",\n      \"address\": \"0x406210\"\n    },\n    {\n      \"name\": \"ioctlsocket\",\n      \"address\": \"0x406214\"\n    }\n  ],\n  \"resource_versioninfo\": {\n    \"legalcopyright\": \"(C) Microsoft Corporation. All rights reserved.\",\n    \"internalname\": \"iexplore\",\n    \"fileversion\": \"6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)\",\n    \"companyname\": \"Microsoft Corporation\",\n    \"productname\": \"Microsoft(R) Windows(R) Operating System\",\n    \"productversion\": \"6.00.2900.2180\",\n    \"original_filename\": \"IEXPLORE.EXE\",\n    \"file_description\": \"Internet Explorer\"\n  },\n  \"rich_header_info\": [\n    {\n      \"tool_id\": 12,\n      \"version\": 7291,\n      \"times used\": 1\n    },\n    ...SNIP...\n    {\n      \"tool_id\": 6,\n      \"version\": 1720,\n      \"times used\": 1\n    }\n  ],\n  \"os_version\": \"04.00\",\n  \"is_packed\": false,\n  \"entrypoint\": \"0x5a46\",\n  \"sections\": [\n    {\n      \"raw_data_size\": 20480,\n      \"name\": \".text\",\n      \"rva\": \"0x1000\",\n      \"pointer_to_raw_data\": 4096,\n      \"entropy\": 5.988944574755928,\n      \"virtual_size\": \"0x4bfe\"\n    },\n    {\n      \"raw_data_size\": 4096,\n      \"name\": \".rdata\",\n      \"rva\": \"0x6000\",\n      \"pointer_to_raw_data\": 24576,\n      \"entropy\": 3.291179369026711,\n      \"virtual_size\": \"0xc44\"\n    },\n    {\n      
\"raw_data_size\": 4096,\n      \"name\": \".data\",\n      \"rva\": \"0x7000\",\n      \"pointer_to_raw_data\": 28672,\n      \"entropy\": 4.04448531075933,\n      \"virtual_size\": \"0x17b0\"\n    },\n    {\n      \"raw_data_size\": 8192,\n      \"name\": \".rsrc\",\n      \"rva\": \"0x9000\",\n      \"pointer_to_raw_data\": 32768,\n      \"entropy\": 4.49716326553469,\n      \"virtual_size\": \"0x15d0\"\n    }\n  ],\n  \"resources\": [\n    {\n      \"language_desc\": \"Chinese-People's Republic of China\",\n      \"sublanguage\": \"SUBLANG_CHINESE_SIMPLIFIED\",\n      \"name\": \"RT_ICON\",\n      \"language\": \"LANG_CHINESE\",\n      \"offset\": \"0x90f0\",\n      \"size\": \"0x10a8\",\n      \"type\": \"data\",\n      \"id\": 1,\n      \"md5\": \"14bf7c82dcfb7e41243f5b87d0c79538\"\n    },\n    {\n      \"language_desc\": \"Chinese-People's Republic of China\",\n      \"sublanguage\": \"SUBLANG_CHINESE_SIMPLIFIED\",\n      \"name\": \"RT_GROUP_ICON\",\n      \"language\": \"LANG_CHINESE\",\n      \"offset\": \"0xa198\",\n      \"size\": \"0x14\",\n      \"type\": \"data\",\n      \"id\": 2,\n      \"md5\": \"3c68f77c35c26ff079a1c410ee44fa62\"\n    },\n    {\n      \"language_desc\": \"Chinese-People's Republic of China\",\n      \"sublanguage\": \"SUBLANG_CHINESE_SIMPLIFIED\",\n      \"name\": \"RT_VERSION\",\n      \"language\": \"LANG_CHINESE\",\n      \"offset\": \"0xa1b0\",\n      \"size\": \"0x41c\",\n      \"type\": \"data\",\n      \"id\": 3,\n      \"md5\": \"9a12ece86a71c3499df0fb0ebe6ea33e\"\n    }\n  ],\n  \"peid\": [\n    \"Armadillo v1.71\",\n    \"Microsoft Visual C++ v5.0/v6.0 (MFC)\",\n    \"Microsoft Visual C++\"\n  ],\n  \"calculated_file_size\": 42448,\n  \"imphash\": \"a2cee99c7e42d671d47e3fb71c71bda4\",\n  \"number_of_sections\": 4,\n  \"pehash\": \"884bf0684addc269d641efb74e0fcb88267211da\",\n  \"machine_type\": \"0x14c (IMAGE_FILE_MACHINE_I386)\",\n  \"image_base\": 4194304,\n  \"language\": \"C\",\n  \"size_of_image\": 45056,\n  
\"signature\": {\n    \"heuristic\": \"No file signature data found\"\n  }\n}\n```\n\n### [Markdown](https://github.com/malice-plugins/pescan/blob/master/docs/SAMPLE.md)\n\n---\n\n### pescan\n\n#### Header\n\n- **Target Machine:** `0x14c (IMAGE_FILE_MACHINE_I386)`\n- **Compilation Timestamp:** `2006-11-30 09:20:34`\n- **Entry Point:** `0x5a46`\n- **Contained Sections:** `4`\n\n#### Sections\n\n| Name   | Virtual Address | Virtual Size | Raw Size | Entropy | MD5                              |\n| ------ | --------------- | ------------ | -------- | ------- | -------------------------------- |\n| .text  | 0x1000          | 0x4bfe       | 20480    | 5.99    | 9062ff3acdff9ac80cd9f97a0df42383 |\n| .rdata | 0x6000          | 0xc44        | 4096     | 3.29    | 28c9e7872eb9d0a20a1d953382722735 |\n| .data  | 0x7000          | 0x17b0       | 4096     | 4.04    | c38a0453ad319c9cd8b1760baf57a528 |\n| .rsrc  | 0x9000          | 0x15d0       | 8192     | 4.50    | 0d4522a26417d45c33759d2a6375a55f |\n\n#### Imports\n\n##### `KERNEL32.DLL`\n\n- GetStartupInfoA\n- GetModuleHandleA\n- CreatePipe\n- PeekNamedPipe\n- ReadFile\n- CreateProcessA\n\n...SNIP...\n\n##### `ADVAPI32.dll`\n\n- RegCloseKey\n- RegSetValueExA\n- RegQueryValueExA\n\n...SNIP...\n\n##### `MPR.dll`\n\n- WNetCloseEnum\n- WNetOpenEnumA\n- WNetEnumResourceA\n\n##### `MSVCRT.dll`\n\n- \\_except_handler3\n- \\_\\_set_app_type\n- **p**fmode\n\n...SNIP...\n\n##### `SHLWAPI.dll`\n\n- SHDeleteKeyA\n\n##### `WS2_32.dll`\n\n- gethostname\n- gethostbyname\n\n  ...SNIP...\n\n#### Resources\n\n| SHA-256                                                          | Size   | Entropy | File Type | Type          | Language                           |\n| ---------------------------------------------------------------- | ------ | ------- | --------- | ------------- | ---------------------------------- |\n| 52a955550acda3b566c9fa9eda164853df4135dfa5eb7b173b3c5453a12f85a3 | 0x10a8 | 6.52    | None      | RT_ICON       | Chinese-People's 
Republic of China |\n| a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0 | 0x14   | 1.78    | None      | RT_GROUP_ICON | Chinese-People's Republic of China |\n| 934b13844893dc0438a47aadc20d4873f806000c761249795c7f265ccca48bc9 | 0x41c  | 3.47    | None      | RT_VERSION    | Chinese-People's Republic of China |\n\n#### File Version Information\n\n- **Copyright:** `(C) Microsoft Corporation. All rights reserved.`\n- **Product:** `Microsoft(R) Windows(R) Operating System`\n- **Description:** `Internet Explorer`\n- **Original Name:** `IEXPLORE.EXE`\n- **Internal Name:** `iexplore`\n- **File Version:** `6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)`\n\n#### Signature Info\n\n##### Signature Verification\n\n\u003e No file signature data found\n\n#### PEiD\n\n- `Armadillo v1.71`\n- `Microsoft Visual C++ v5.0/v6.0 (MFC)`\n- `Microsoft Visual C++`\n\n---\n\n## Documentation\n\n- [To write results to ElasticSearch](https://github.com/malice-plugins/pescan/blob/master/docs/elasticsearch.md)\n- [To create a pe scan micro-service](https://github.com/malice-plugins/pescan/blob/master/docs/web.md)\n- [To post results to a webhook](https://github.com/malice-plugins/pescan/blob/master/docs/callback.md)\n\n## Issues\n\nFind a bug? Want more features? Find something missing in the documentation? Let me know! 
Please don't hesitate to [file an issue](https://github.com/malice-plugins/pescan/issues/new).\n\n## CHANGELOG\n\nSee [`CHANGELOG.md`](https://github.com/malice-plugins/pescan/blob/master/CHANGELOG.md)\n\n## Contributing\n\n[See all contributors on GitHub](https://github.com/malice-plugins/pescan/graphs/contributors).\n\nPlease update the [CHANGELOG.md](https://github.com/malice-plugins/pescan/blob/master/CHANGELOG) when contributing.\n\n## Credits\n\nHeavily (if not entirely) influenced by the [viper PE module](https://github.com/viper-framework/viper/blob/master/viper/modules/pe.py) and by CSE's [alsvc_pefile](https://bitbucket.org/cse-assemblyline/alsvc_pefile).\n\n## TODO\n\n- [x] activate dumping functionality\n- [ ] add timeout protection\n- [ ] revisit security/signature stuff\n- [ ] add proxy settings for callback POST\n\n## License\n\nMIT Copyright (c) 2016 **blacktop**\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmalice-plugins%2Fpescan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmalice-plugins%2Fpescan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmalice-plugins%2Fpescan/lists"}