public static void Analyze(List <string> mFiles, List <string> bFiles)
{
object locker = new object();
List <StaticFeatures> lst = new List <StaticFeatures>();
Parallel.ForEach(mFiles, file =>
{
StaticFeatures sf = Analyze(file, true);
lock (locker)
lst.Add(sf);
OnFileAnalyzed(sf.Name, true);
});
Parallel.ForEach(bFiles, file =>
{
StaticFeatures sf = Analyze(file, false);
lock (locker)
lst.Add(sf);
OnFileAnalyzed(sf.Name, true);
});
OnAnalysisComplete(new StaticDataset(lst));
}
private static StaticFeatures Analyze(string file, bool isMalicious)
{
StaticFeatures sf = new StaticFeatures();
sf.Name = Path.GetFileNameWithoutExtension(file);
sf.IsMalware = isMalicious;
PEFile peFile = new PEFile(file);
sf.f01_Reserved_e_res1 = peFile.MSDOS_Header.e_res1.Any(x => x != 0);
sf.f02_Reserved_e_res2 = peFile.MSDOS_Header.e_res2.Any(x => x != 0);
sf.f03_Aligned_e_lfanew = peFile.MSDOS_Header.e_lfanew % 8 != 0;
sf.f04_NumberOfSections = peFile.FileHeader.NumberOfSections >= 96;
sf.f05_Reserved_Characterisitics = (peFile.FileHeader.Characteristics & 0x808c) != 0;
uint fa, ea;
if (peFile.Is32BitHeader)
{
sf.f06_Obsolete_LoaderFlags = peFile.OptionalHeader32.LoaderFlags != 0;
sf.f07_Obsolete_Win32Version = peFile.OptionalHeader32.Win32VersionValue != 0;
sf.f08_SectionAlignment = peFile.OptionalHeader32.SectionAlignment < peFile.OptionalHeader32.FileAlignment;
sf.f09_NumberOfRVA = peFile.OptionalHeader32.NumberOfRvaAndSizes > 16;
sf.f10_DLLCharacterisitics = (peFile.OptionalHeader32.DllCharacteristics & 0xF) != 0;
sf.f26_TLS_Callbacks = peFile.OptionalHeader32.DataDirectory[9].Size != 0;
fa = peFile.OptionalHeader32.FileAlignment;
ea = peFile.OptionalHeader32.AddressOfEntryPoint;
}
else
{
sf.f06_Obsolete_LoaderFlags = peFile.OptionalHeader64.LoaderFlags != 0;
sf.f07_Obsolete_Win32Version = peFile.OptionalHeader64.Win32VersionValue != 0;
sf.f08_SectionAlignment = peFile.OptionalHeader64.SectionAlignment < peFile.OptionalHeader64.FileAlignment;
sf.f09_NumberOfRVA = peFile.OptionalHeader64.NumberOfRvaAndSizes > 16;
sf.f10_DLLCharacterisitics = (peFile.OptionalHeader64.DllCharacteristics & 0xF) != 0;
sf.f26_TLS_Callbacks = peFile.OptionalHeader64.DataDirectory[9].Size != 0;
fa = peFile.OptionalHeader64.FileAlignment;
ea = peFile.OptionalHeader64.AddressOfEntryPoint;
}
foreach (IMAGE_SECTION_HEADER sec in peFile.ImageSectionHeaders)
{
sf.SectionNames.Add(new string(sec.Name));
if (!standardSections.Contains(new string(sec.Name).Trim(new char[] { '\0', ' ' })))
{
sf.f24_PercentOfNonStandardSectionNames++;
}
if (sec.SizeOfRawData % fa != 0)
{
sf.f11_Aligned_SizeOfRawData = true;
}
if (sec.PointerToRawData % fa != 0)
{
sf.f12_Aligned_PointerToRawData = true;
}
if (sec.SizeOfRawData != 0 && (sec.Characteristics & SectionFlags.ContentUninitializedData) == SectionFlags.ContentUninitializedData)
{
sf.f13_UD_SizeOfRawData = true;
}
if (sec.PointerToRawData != 0 && (sec.Characteristics & SectionFlags.ContentUninitializedData) == SectionFlags.ContentUninitializedData)
{
sf.f14_UD_PointerToRawData = true;
}
if (sec.NumberOfLinenumbers != 0)
{
sf.f15_Reserved_NumberOfLineNumbers = true;
}
if (sec.NumberOfRelocations != 0)
{
sf.f16_Reserved_NumberOfRelocations = true;
}
if (sec.SizeOfRawData >= new FileInfo(file).Length&& sec.VirtualSize != 0)
{
sf.f27_LargeSizeOfRawData = true;
}
}
sf.f24_PercentOfNonStandardSectionNames = sf.f24_PercentOfNonStandardSectionNames / peFile.ImageSectionHeaders.Length;
sf.f17_Max_ES = peFile.EntropyScores.Max(x => x);
sf.f18_Min_ES = peFile.EntropyScores.Min(x => x);
sf.f19_Avg_ES = (sf.f17_Max_ES + sf.f18_Min_ES) / 2;
for (int i = 0; i < peFile.FileHeader.NumberOfSections; i++)
{
if (peFile.ImageSectionHeaders[i].VirtualAddress <= ea && (peFile.ImageSectionHeaders[i].VirtualSize + peFile.ImageSectionHeaders[i].VirtualAddress) >= ea)
{
sf.f20_CS_ES = peFile.EntropyScores[i];
break;
}
}
sf.f21_Percent1_ES = (double)peFile.EntropyScores.Count(x => x >= 7 && x < 7.5) / peFile.FileHeader.NumberOfSections;
sf.f22_Percent2_ES = (double)peFile.EntropyScores.Count(x => x >= 7.5 && x < 8) / peFile.FileHeader.NumberOfSections;
sf.f23_Overlapped_PE = peFile.MSDOS_Header.e_lfanew < 0x40;
sf.f25_PercentSections_CEW = (double)peFile.ImageSectionHeaders.Count(x => (x.Characteristics & (SectionFlags.MemoryExecute | SectionFlags.MemoryWrite)) == (SectionFlags.MemoryExecute | SectionFlags.MemoryWrite)) / peFile.ImageSectionHeaders.Length;
return(sf);
}
