public static void Analyze(List <string> mFiles, List <string> bFiles) { object locker = new object(); List <StaticFeatures> lst = new List <StaticFeatures>(); Parallel.ForEach(mFiles, file => { StaticFeatures sf = Analyze(file, true); lock (locker) lst.Add(sf); OnFileAnalyzed(sf.Name, true); }); Parallel.ForEach(bFiles, file => { StaticFeatures sf = Analyze(file, false); lock (locker) lst.Add(sf); OnFileAnalyzed(sf.Name, true); }); OnAnalysisComplete(new StaticDataset(lst)); }
private static StaticFeatures Analyze(string file, bool isMalicious) { StaticFeatures sf = new StaticFeatures(); sf.Name = Path.GetFileNameWithoutExtension(file); sf.IsMalware = isMalicious; PEFile peFile = new PEFile(file); sf.f01_Reserved_e_res1 = peFile.MSDOS_Header.e_res1.Any(x => x != 0); sf.f02_Reserved_e_res2 = peFile.MSDOS_Header.e_res2.Any(x => x != 0); sf.f03_Aligned_e_lfanew = peFile.MSDOS_Header.e_lfanew % 8 != 0; sf.f04_NumberOfSections = peFile.FileHeader.NumberOfSections >= 96; sf.f05_Reserved_Characterisitics = (peFile.FileHeader.Characteristics & 0x808c) != 0; uint fa, ea; if (peFile.Is32BitHeader) { sf.f06_Obsolete_LoaderFlags = peFile.OptionalHeader32.LoaderFlags != 0; sf.f07_Obsolete_Win32Version = peFile.OptionalHeader32.Win32VersionValue != 0; sf.f08_SectionAlignment = peFile.OptionalHeader32.SectionAlignment < peFile.OptionalHeader32.FileAlignment; sf.f09_NumberOfRVA = peFile.OptionalHeader32.NumberOfRvaAndSizes > 16; sf.f10_DLLCharacterisitics = (peFile.OptionalHeader32.DllCharacteristics & 0xF) != 0; sf.f26_TLS_Callbacks = peFile.OptionalHeader32.DataDirectory[9].Size != 0; fa = peFile.OptionalHeader32.FileAlignment; ea = peFile.OptionalHeader32.AddressOfEntryPoint; } else { sf.f06_Obsolete_LoaderFlags = peFile.OptionalHeader64.LoaderFlags != 0; sf.f07_Obsolete_Win32Version = peFile.OptionalHeader64.Win32VersionValue != 0; sf.f08_SectionAlignment = peFile.OptionalHeader64.SectionAlignment < peFile.OptionalHeader64.FileAlignment; sf.f09_NumberOfRVA = peFile.OptionalHeader64.NumberOfRvaAndSizes > 16; sf.f10_DLLCharacterisitics = (peFile.OptionalHeader64.DllCharacteristics & 0xF) != 0; sf.f26_TLS_Callbacks = peFile.OptionalHeader64.DataDirectory[9].Size != 0; fa = peFile.OptionalHeader64.FileAlignment; ea = peFile.OptionalHeader64.AddressOfEntryPoint; } foreach (IMAGE_SECTION_HEADER sec in peFile.ImageSectionHeaders) { sf.SectionNames.Add(new string(sec.Name)); if (!standardSections.Contains(new string(sec.Name).Trim(new char[] { '\0', ' ' }))) { sf.f24_PercentOfNonStandardSectionNames++; } if (sec.SizeOfRawData % fa != 0) { sf.f11_Aligned_SizeOfRawData = true; } if (sec.PointerToRawData % fa != 0) { sf.f12_Aligned_PointerToRawData = true; } if (sec.SizeOfRawData != 0 && (sec.Characteristics & SectionFlags.ContentUninitializedData) == SectionFlags.ContentUninitializedData) { sf.f13_UD_SizeOfRawData = true; } if (sec.PointerToRawData != 0 && (sec.Characteristics & SectionFlags.ContentUninitializedData) == SectionFlags.ContentUninitializedData) { sf.f14_UD_PointerToRawData = true; } if (sec.NumberOfLinenumbers != 0) { sf.f15_Reserved_NumberOfLineNumbers = true; } if (sec.NumberOfRelocations != 0) { sf.f16_Reserved_NumberOfRelocations = true; } if (sec.SizeOfRawData >= new FileInfo(file).Length&& sec.VirtualSize != 0) { sf.f27_LargeSizeOfRawData = true; } } sf.f24_PercentOfNonStandardSectionNames = sf.f24_PercentOfNonStandardSectionNames / peFile.ImageSectionHeaders.Length; sf.f17_Max_ES = peFile.EntropyScores.Max(x => x); sf.f18_Min_ES = peFile.EntropyScores.Min(x => x); sf.f19_Avg_ES = (sf.f17_Max_ES + sf.f18_Min_ES) / 2; for (int i = 0; i < peFile.FileHeader.NumberOfSections; i++) { if (peFile.ImageSectionHeaders[i].VirtualAddress <= ea && (peFile.ImageSectionHeaders[i].VirtualSize + peFile.ImageSectionHeaders[i].VirtualAddress) >= ea) { sf.f20_CS_ES = peFile.EntropyScores[i]; break; } } sf.f21_Percent1_ES = (double)peFile.EntropyScores.Count(x => x >= 7 && x < 7.5) / peFile.FileHeader.NumberOfSections; sf.f22_Percent2_ES = (double)peFile.EntropyScores.Count(x => x >= 7.5 && x < 8) / peFile.FileHeader.NumberOfSections; sf.f23_Overlapped_PE = peFile.MSDOS_Header.e_lfanew < 0x40; sf.f25_PercentSections_CEW = (double)peFile.ImageSectionHeaders.Count(x => (x.Characteristics & (SectionFlags.MemoryExecute | SectionFlags.MemoryWrite)) == (SectionFlags.MemoryExecute | SectionFlags.MemoryWrite)) / peFile.ImageSectionHeaders.Length; return(sf); }