Portable Executable Virustotal Example

## Virustotal Python Scanner script 0.01
## Created by Alexander Hanel

import collections
import datetime
import math
import os
import subprocess
import sys
import time

import pefile
import peutils

##############################################################
## Print PE file attributes & metadata
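def attributes():
        """Print the basic header fields of the module-level ``pe`` object.

        Reads the optional header (image base, entry-point RVA, subsystem,
        data-directory count) and the file header (machine type, DLL flag,
        link timestamp). Machine and subsystem values missing from pefile's
        lookup tables are printed as hex instead of raising KeyError.
        """
        print "Image Base:", hex(pe.OPTIONAL_HEADER.ImageBase)
        print "Address Of Entry Point:", hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
        machine = pe.FILE_HEADER.Machine
        # pefile's tables are keyed by the raw header value; fall back to the
        # hex value rather than crashing on an unusual or corrupted machine field
        print "Required CPU type:", pefile.MACHINE_TYPE.get(machine, hex(machine))
        print "DLL:", pe.FILE_HEADER.IMAGE_FILE_DLL
        subsystem = pe.OPTIONAL_HEADER.Subsystem
        print "Subsystem:", pefile.SUBSYSTEM_TYPE.get(subsystem, hex(subsystem))
        # TimeDateStamp is seconds since the Unix epoch; render it in UTC so the
        # printed value does not depend on the analyst's local timezone
        print "Compile Time (UTC):", datetime.datetime.utcfromtimestamp(pe.FILE_HEADER.TimeDateStamp)
        print "Number of RVA and Sizes:", pe.OPTIONAL_HEADER.NumberOfRvaAndSizes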

##############################################################
## Analyze Sections
def sections_analysis():
        """Print one table row per section of the module-level ``pe`` object.

        Columns: name, virtual address, virtual size, raw size and the byte
        entropy computed by E(). The section count is printed first.
        """
        row_fmt = "%-8s %-14s %-11s %-13s %.2f"
        print "Number of Sections:", pe.FILE_HEADER.NumberOfSections
        print
        print "Section  VirtualAddress VirtualSize SizeofRawData Entropy"
        for sec in pe.sections:
                # NOTE(review): relies on the section exposing a ``data`` attribute;
                # confirm against the installed pefile release, which may only
                # offer get_data()
                fields = (sec.Name, hex(sec.VirtualAddress), hex(sec.Misc_VirtualSize),
                          sec.SizeOfRawData, E(sec.data))
                print row_fmt % fields
        print

##############################################################
## Dump Imports
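def IAT():
        """Print the import table of the module-level ``pe`` object.

        Each imported DLL is listed with a running index, followed on the
        next line by the comma-separated names of the functions imported
        from it. Imports by ordinal (no symbol name stored in the file) are
        shown as ``ord(N)``. A file without an import directory prints
        ``None`` instead of raising AttributeError.
        """
        print "Imported DLLS:"
        # pefile only creates DIRECTORY_ENTRY_IMPORT when the directory exists
        entries = getattr(pe, 'DIRECTORY_ENTRY_IMPORT', [])
        if not entries:
                print "\tNone"
                return
        for i, entry in enumerate(entries, 1):
                print "%2s" % [i], "%-17s" % entry.dll
                names = []
                for imp in entry.imports:
                        if imp.name is None:
                                # Import by ordinal only: there is no name to print
                                names.append("ord(%d)" % imp.ordinal)
                        else:
                                names.append(imp.name)
                # join() avoids the stray spaces the Python 2 print statement inserts
                print "\t%s" % ", ".join(names)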
                
##############################################################
## Entropy calculation from Ero Carrera's blog ###############
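def E(data):
        """Return the Shannon entropy of *data* in bits per byte (0.0 .. 8.0).

        Based on Ero Carrera's entropy snippet. Works on a byte string
        (Python 2 ``str``) and on ``bytes``; each distinct byte value is
        counted once instead of scanning the buffer 256 times.

        data: the raw bytes to measure.
        Returns 0 for empty input, otherwise a float.
        """
        if not data:
                return 0
        length = float(len(data))
        entropy = 0.0
        # Only byte values that actually occur contribute (p_x > 0), so no
        # zero-probability guard is needed
        for count in collections.Counter(data).values():
                p_x = count / length
                entropy -= p_x * math.log(p_x, 2)
        return entropy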

##############################################################
## Load PEID userdb.txt database and scan file
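def PEID(db_path='userdb.txt'):
        """Match the module-level ``pe`` object against a PEiD signature database.

        db_path: path to a PEiD ``userdb.txt``; the default keeps the original
        behaviour of looking in the current working directory. Only
        entry-point signatures are tested (``ep_only=True``). If the database
        file is missing a message is printed and the scan is skipped.
        """
        if not os.path.isfile(db_path):
                print "PEID signature database not found:", db_path
                print
                return
        signatures = peutils.SignatureDatabase(db_path)
        matches = signatures.match_all(pe, ep_only=True)
        print "PEID Signature Match(es): ", matches
        print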

##############################################################
## Print Sophos
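def sophos(filetmp):
        """Run the Sophos command-line scanner on *filetmp* and report its exit code.

        filetmp: path of the file to scan; made absolute before being passed
        to the scanner. The scanner binary is expected at
        ``cmd_scan/Sophos/SAV32CLI.EXE`` under the current working directory.
        Returns the scanner's exit code, or None when it could not be started.
        """
        print
        print "Sophos Scan in progress.."
        target = os.path.abspath(filetmp)
        scanner = os.path.join(os.getcwd(), 'cmd_scan', 'Sophos', 'SAV32CLI.EXE')
        try:
                # Argument list, no shell: the file name is never interpreted by a shell
                rc = subprocess.call([scanner, target])
        except OSError as err:
                print "Could not start Sophos scanner:", scanner, err
                return None
        # Do not discard the result: the scanner signals its verdict via the exit code
        print "Sophos exit code:", rc
        return rc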
        
## Thanks habnabit
##############################################################

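# Entry point: parse the file given on the command line, then run each report.
# ``pe`` is a module global read by the report functions above.
if len(sys.argv) < 2:
        print "Usage: %s <path-to-pe-file>" % sys.argv[0]
        sys.exit(3)
exename = sys.argv[1]
try:
        pe = pefile.PE(exename)
except (pefile.PEFormatError, IOError) as err:
        # Unreadable or non-PE input: report it instead of dumping a traceback
        print "Cannot parse PE file:", exename, err
        sys.exit(2)
print "\nPortable Executable Information"
attributes()
sections_analysis()
PEID()
IAT()
sophos(exename)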

##   <- Format bug with SyntaxHighlighter (remove line)