
h4rdee/a-re-windows


A-RE Windows

Windows applications analysis utility
(pretty simple at the moment, but who knows what's coming up next...)

Current features:

  • Retrieving basic sample information, such as:
    • compiler info
    • packer info
    • installer info
    • architecture, subsystem, PE format, imagebase and EP
    • verifying checksum and signature
  • Obtaining info about PE rich signature
  • Detecting sample capabilities based on large collection of yara rules
  • Checking sample against vendor signatures (Detect It Easy, PE Tools, etc.)
  • Inspecting PE sections, dumping them, checking their entropy
  • Gathering various info about PE imports, exports and resources
  • Parsing overlay info
  • Hashing a sample (sha256, sha1, md5, imphash, ssdeep, rich header hash, etc.)
  • .NET samples support
    • Parsing strings from Strings heap
    • Parsing strings from UserStrings heap
    • Parsing guids from Guid heap
    • Parsing metadata tables (WIP)
  • Custom yara checker for testing your own yara rules
  • Extendable by plugins
  • Cross-platform user-friendly UI powered by Tkinter!
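As an added illustration of the "PE rich signature" and "rich header hash" features above (example code written for this page, not the project's own implementation), the following decodes a Rich header from the DOS stub region of a PE image. The sample entries, the XOR key and the DOS stub are constructed; the hash definition (MD5 over the XOR-decoded header from DanS up to the Rich marker) is an assumption and the tool's exact variant is not described here.

```python
import hashlib
import struct

DANS = 0x536E6144  # "DanS" as a little-endian DWORD
RICH = b"Rich"

# Constructed sample entries (prod_id, build, count); not taken from any real binary.
SAMPLE_ENTRIES = [(0x00DE, 0x6C37, 3), (0x0104, 0x9C4C, 1), (0x0105, 0x9C4C, 7)]
SAMPLE_KEY = 0x12345678  # constructed; a real key is a checksum, not chosen freely


def clear_rich_header(entries):
    """Cleartext Rich header: DanS, three zero DWORDs, then (comp.id, count) pairs."""
    clear = struct.pack("<4I", DANS, 0, 0, 0)
    for prod_id, build, count in entries:
        clear += struct.pack("<II", (prod_id << 16) | build, count)
    return clear


def encode_rich_header(clear, key):
    """XOR every DWORD with the key, then append the 'Rich' marker and the key."""
    xored = b"".join(struct.pack("<I", d ^ key) for (d,) in struct.iter_unpack("<I", clear))
    return xored + RICH + struct.pack("<I", key)


def rich_hash(clear):
    """Assumed definition: MD5 over the decoded header up to the 'Rich' marker."""
    return hashlib.md5(clear).hexdigest()


def parse_rich_header(data, search_end=0x400):
    """Decode the Rich header in the DOS stub region; None if absent or malformed.
    The key also acts as a checksum over the DOS header and entries; not verified here."""
    rich_off = data.find(RICH, 0, search_end)
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    dwords, off = [], rich_off - 4
    while off >= 0:  # walk backwards, XOR-decoding each DWORD, until DanS appears
        dwords.insert(0, struct.unpack_from("<I", data, off)[0] ^ key)
        if dwords[0] == DANS:
            break
        off -= 4
    else:
        return None  # ran off the start of the file without finding DanS
    if dwords[1:4] != [0, 0, 0] or (len(dwords) - 4) % 2:
        return None
    entries = [{"prod_id": c >> 16, "build": c & 0xFFFF, "count": n}
               for c, n in zip(dwords[4::2], dwords[5::2])]
    clear = b"".join(struct.pack("<I", d) for d in dwords)
    return {"key": key, "entries": entries, "rich_hash": rich_hash(clear)}


# Constructed DOS stub: 'MZ' header padded to 0x80, the Rich header, then padding.
SAMPLE_PE = (b"MZ" + b"\0" * 0x7E
             + encode_rich_header(clear_rich_header(SAMPLE_ENTRIES), SAMPLE_KEY)
             + b"\0" * 0x40)
```

The decoded prod_id/build pairs are what a comp.id database (credited below) maps to compiler and linker versions; a missing or malformed header returns None rather than raising.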

Installation:

  • Clone this repository
  • Install requirements (pip install -r requirements.py)

Usage:

python3 main.py

Credits:

  • VirusTotal for yara ❤️
  • RetDec for providing yara rules
  • Yara-Rules for providing yara rules
  • PETools for signatures that I generated some yara rules from
  • horsicq for signatures from Detect It Easy, based on which I generated some yara rules as well
  • Adam for PE sections names info
  • dishather for PE rich header comp.id database
  • rdbende for tkinter chlorophyll add-on
  • ragardner for tkinter tksheet add-on
  • erocarrera for pefile library
  • malwarefrank for dnfile library
  • romainthomas for lief library
  • elceef for pure python ssdeep hashing implementation (ppdeep library)

Notes:

This project was made by me, and my python knowledge kinda sucks.
Don't expect to see quality code here (PRs are welcomed!).
I'm working on this project in my spare time, which means that no regular support of this tool will be provided.

Preview: