Python script that extracts the security flags of every PE binary under a directory and saves the results in a database

Technology description

This Python script walks a directory tree, parses every PE binary it finds and records a small set of security-relevant header characteristics in a database.

It reads the architecture (Machine) field of the COFF header and the following DllCharacteristics flags of the optional header: ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), NO_SEH (IMAGE_DLLCHARACTERISTICS_NO_SEH), DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT) and CFG (IMAGE_DLLCHARACTERISTICS_GUARD_CF). The code is simple enough to adapt the set of flags and the output formats to your own needs.

Functionalities

The script only needs a path and a tag. It walks the path and its subdirectories looking for .DLL and .EXE files and extracts the flags from the PE header (using the pefile Python library). The tag is used as a suffix for the log and database filenames, so several analyses of the same directory can coexist without overwriting each other.

The information provided by the script is:

- Percentage of .DLL and .EXE files with i386, AMD64 or other architecture.
- Percentage of ASLR, NO_SEH, DEP and CFG flags enabled or disabled in the headers.
- After the analysis finishes, it prompts to export the results as SQL or CSV.

It also creates a .db file, an SQLite database containing the collected information.
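The procedure described above (walk a directory, read the Machine field and the DllCharacteristics bits of each .exe/.dll, store one row per file in a tag-suffixed SQLite database and report percentages), as an added example that is not the project's own code. It parses the two header fields directly with struct instead of depending on pefile, so it runs with the standard library alone; the database name pe_flags_<tag>.db, the table schema and the function names are assumptions, and the binaries it scans are constructed header-only fixtures written to a temporary directory.

```python
"""Added example (not the project's code): scan a tree of PE files for
architecture and DllCharacteristics security flags, store them in SQLite.
Header offsets follow the PE/COFF specification; everything else is assumed."""
import os
import sqlite3
import struct
import tempfile

# IMAGE_FILE_MACHINE_* values reported as architectures
MACHINE_NAMES = {0x014C: "i386", 0x8664: "AMD64"}

# IMAGE_DLLCHARACTERISTICS_* bits the scanner checks
FLAGS = {
    "ASLR": 0x0040,    # DYNAMIC_BASE
    "DEP": 0x0100,     # NX_COMPAT
    "NO_SEH": 0x0400,  # NO_SEH
    "CFG": 0x4000,     # GUARD_CF
}


def parse_pe_flags(data: bytes) -> dict:
    """Return {"arch": ..., "ASLR": bool, ...} for a PE image; ValueError if not a PE."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ header")
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff = e_lfanew + 4
        machine = struct.unpack_from("<H", data, coff)[0]
        opt = coff + 20  # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic not in (0x10B, 0x20B):  # PE32 / PE32+
            raise ValueError("unknown optional header magic 0x%x" % magic)
        # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
        dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    except struct.error as exc:  # header truncated
        raise ValueError("truncated header") from exc
    result = {"arch": MACHINE_NAMES.get(machine, "other")}
    for name, bit in FLAGS.items():
        result[name] = bool(dll_chars & bit)
    return result


def scan_directory(root: str, tag: str, out_dir: str) -> list:
    """Walk root, parse every .exe/.dll, store rows in out_dir/pe_flags_<tag>.db (assumed name)."""
    conn = sqlite3.connect(os.path.join(out_dir, "pe_flags_%s.db" % tag))
    conn.execute("CREATE TABLE IF NOT EXISTS pe_flags (path TEXT PRIMARY KEY, arch TEXT,"
                 " aslr INTEGER, dep INTEGER, no_seh INTEGER, cfg INTEGER)")
    rows = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith((".exe", ".dll")):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            try:
                info = parse_pe_flags(data)
            except ValueError:
                continue  # wrong extension or corrupt header: skip, do not abort the scan
            row = (full, info["arch"], int(info["ASLR"]), int(info["DEP"]),
                   int(info["NO_SEH"]), int(info["CFG"]))
            conn.execute("INSERT OR REPLACE INTO pe_flags VALUES (?,?,?,?,?,?)", row)
            rows.append(row)
    conn.commit()
    conn.close()
    return rows


def summarize(rows: list) -> dict:
    """Percentages per architecture and per enabled flag, as the script reports them."""
    total = len(rows)
    summary = {"total": total, "arch": {}, "flags": {}}
    if total == 0:
        return summary
    for arch in ("i386", "AMD64", "other"):
        summary["arch"][arch] = 100.0 * sum(1 for r in rows if r[1] == arch) / total
    for idx, name in enumerate(("ASLR", "DEP", "NO_SEH", "CFG"), start=2):
        summary["flags"][name] = 100.0 * sum(r[idx] for r in rows) / total
    return summary


def build_minimal_pe(machine: int, dll_characteristics: int) -> bytes:
    """Constructed fixture: only the headers a flag scanner reads, no sections or code."""
    pe32plus = machine == 0x8664
    opt_size = 240 if pe32plus else 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def demo() -> dict:
    """Write constructed binaries into a temp tree, scan with tag 'demo', return the summary."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as out:
        os.makedirs(os.path.join(root, "sub"))
        samples = {
            "hardened.exe": (0x8664, FLAGS["ASLR"] | FLAGS["DEP"] | FLAGS["CFG"]),
            "legacy.dll": (0x014C, 0),
            os.path.join("sub", "partial.dll"): (0x014C, FLAGS["ASLR"] | FLAGS["NO_SEH"]),
        }
        for name, (machine, chars) in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(build_minimal_pe(machine, chars))
        with open(os.path.join(root, "junk.exe"), "wb") as fh:
            fh.write(b"not a PE at all")  # must be skipped, not crash the scan
        return summarize(scan_directory(root, "demo", out))


if __name__ == "__main__":
    print(demo())
```

Note that a file whose name ends in .exe but carries no valid PE header is skipped rather than aborting the run; a real tree will contain a few of these, and a scanner that dies on the first one produces no statistics at all.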

Innovation Technologies

Latch ARW

Latch ARW is a tool that adds an authorization layer on "protected" folders in Windows systems, so that any write or delete operation on their files is denied.

Latch USB Monitor

Monitors Plug 'n Play (PnP) device changes in Windows, lets the user track incoming devices and reacts according to a preconfigured Latch response.

MicEnum

MicEnum is a graphical tool that enumerates the Integrity Levels of the objects on the hard disks, helps detect anomalies, and allows this information to be stored in and restored from an XML file.