AustralianCyberSecurityCentre/azul-plugin-portex

GitHub: AustralianCyberSecurityCentre/azul-plugin-portex

A static malware analysis plugin for PE files, focused on robustness against malformed files and detection of structural anomalies.

Stars: 0 | Forks: 0

# Azul Plugin Portex

Static malware analysis of PE files, with a focus on robustness against malformed files and on anomaly detection.

## Installation

```
pip install azul-portex
```

To install azul-plugin-portex for development, run the following command (from the root directory of this project):

```
pip install -e .
```

You will also need to install the portex binary with the command `./install-portex.sh`. This is a bash script that installs a binary, so you should inspect the script first.

## Usage

Usage on a local file:

```
$ azul-plugin-portex malware.file
... example output goes here ...
```

This plugin runs Portex on PE files.

Usage on a local file:

```
azul-plugin-portex path/to/file.exe
```

Example output:

```
COMPLETED
events (1)
  event for 72805063ab7465bc5624cd73c625abad0bfd7e8c7c39a1f13d0bdfb5a8a420b9:None {}
  output data streams (2):
    34555 bytes - EventData(hash='a4820e3513deadb92a5064e44605f1794826ddba83e19587873bb4ad0331c50e', label='report')
    50902 bytes - EventData(hash='562afd87b3c0162b91fba360d3e8e863cd67c93d0c4075510ba31049fd28e5fc', label='safe_png')
  output features:
    portex_anomalies:
      portex_anomaly - COFF Header: Time date stamp is too far in the past
      portex_anomaly - Deprecated Characteristic in COFF File Header: IMAGE_FILE_LINE_NUMS_STRIPPED
      portex_anomaly - Deprecated Characteristic in COFF File Header: IMAGE_FILE_LOCAL_SYMS_STRIPPED
      portex_anomaly - Import function typical for injection/unpacking: CreateProcessA creates a process (check if SUSPENDED flag is used)
      portex_anomaly - Import function typical for injection/unpacking: CreateThread is used to open and execute a thread in the victim process
      portex_anomaly - Import function typical for injection/unpacking: GetProcAddress dynamically resolves imports
      portex_anomaly - Import function typical for injection/unpacking: LoadLibraryA maps module into the address space of the calling process or dynamically resolves imports
      portex_anomaly - Import function typical for injection/unpacking: WinExec runs the specified application
      portex_anomaly - Imports are fractionated!
        Affected import DLLs: ole32.DLL, OLEAUT32.DLL, WININET.DLL, KERNEL32.DLL, USER32.DLL, GDI32.DLL, ADVAPI32.DLL, CRTDLL.DLL, MSVCRT.DLL, glu32.dll, avifil32.dll
      portex_anomaly - Optional Header: size of code is too small (0x8000), it should be 0xac00
      portex_anomaly - Optional Header: size of initialized data is too small (0x4200), it should be 0x9e00
      portex_anomaly - Optional Header: size of uninitialized data is too large (0x21400), it should be 0x0
      portex_anomaly - Section 1 with name .text has write and execute characteristics.
      portex_anomaly - Section 6 with name .l1 has write and execute characteristics.
      portex_anomaly - Section Header 1 with name .text has unusual characteristics, that shouldn't be there: Write
      portex_anomaly - Section Header 1 with name .text: SIZE_OF_RAW_DATA (32460) must be a multiple of File Alignment (512)
      portex_anomaly - Section Header 10 with name .idata should (but doesn't) contain the characteristics: Write
      portex_anomaly - Section Header 11 with name .idata should (but doesn't) contain the characteristics: Write
      portex_anomaly - Section Header 12 with name .data has unusual characteristics, that shouldn't be there: Discardable
      portex_anomaly - Section Header 12 with name .data should (but doesn't) contain the characteristics: Write
      portex_anomaly - Section Header 13 with name .rsrc has unusual characteristics, that shouldn't be there: Discardable
      portex_anomaly - Section Header 2 with name .rdata has unusual characteristics, that shouldn't be there: Uninitialized Data, Write
      portex_anomaly - Section Header 2 with name .rdata should (but doesn't) contain the characteristics: Initialized Data
      portex_anomaly - Section Header 2 with name .rdata: SIZE_OF_RAW_DATA is 0
      portex_anomaly - Section Header 3 with name .rsrc has unusual characteristics, that shouldn't be there: Write
      portex_anomaly - Section Header 3 with name .rsrc: SIZE_OF_RAW_DATA (12752) must be a multiple of File Alignment (512)
      portex_anomaly - Section Header 4 with name .idata has unusual characteristics, that shouldn't be there: Code
      portex_anomaly - Section Header 4 with name .idata: SIZE_OF_RAW_DATA (3748) must be a multiple of File Alignment (512)
      portex_anomaly - Section Header 7 with name .text has unusual characteristics, that shouldn't be there: Initialized Data, Shared
      portex_anomaly - Section Header 7 with name .text should (but doesn't) contain the characteristics: Code, Execute
      portex_anomaly - Section Header 8 with name .idata should (but doesn't) contain the characteristics: Write
      portex_anomaly - Section Header 9 with name .rsrc has unusual characteristics, that shouldn't be there: Code, Execute
      portex_anomaly - Section Header 9 with name .rsrc should (but doesn't) contain the characteristics: Initialized Data
      portex_anomaly - Section name is unusual: .kofbl
      portex_anomaly - Section name is unusual: .l1
Feature key:
  portex_anomalies: Anomalies flagged by portex
```

## Python package management

This Python package is managed with a `pyproject.toml` file. Installation and testing of the Python package are standardised through tox. The tox commands are:

```
# run all standard tox actions
tox
# run linting only
tox -e style
# run tests only
tox -e test
```

## Dependency management

Dependencies are managed in the pyproject.toml and debian.txt files. Version locking is handled by the `uv.lock` file. Because the `uv.lock` file is configured to use a private UV registry, external developers using UV will need to delete the existing `uv.lock` file and update the project configuration to point at the publicly available PyPI registry.

To add a new dependency, use the uv command `uv add` (or `uv add --dev` for development packages) followed by the package name.

The tool used for linting and style management is `ruff`, which is configured through `pyproject.toml`.

The debian.txt file manages the debian dependencies that need to be installed on development systems and in the Docker image. Sometimes the debian.txt file is not sufficient; in that case the Dockerfile may need to be modified directly to install complex dependencies.
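The section-header findings in the example output above (write-and-execute sections, `SIZE_OF_RAW_DATA` not a multiple of `FileAlignment`, flags a well-known section should or should not carry, unusual section names) are all checks that can be made directly against the section table. The following is an added example, not Portex's or this plugin's own code: a small Python parser that reads the DOS/PE signatures, the COFF header, `FileAlignment` from the optional header and the section table, then applies those checks. The expected/unexpected flag tables and the list of "common" section names are assumptions derived from the messages above, not Portex's actual rule set, and the sample PE is a constructed headers-only image, not a real binary.

```python
"""Toy PE section-header anomaly checks (added example; not Portex or plugin code)."""
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "Code",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "Initialized Data",
    IMAGE_SCN_CNT_UNINITIALIZED_DATA: "Uninitialized Data",
    IMAGE_SCN_MEM_DISCARDABLE: "Discardable",
    IMAGE_SCN_MEM_EXECUTE: "Execute",
    IMAGE_SCN_MEM_READ: "Read",
    IMAGE_SCN_MEM_WRITE: "Write",
}

# Names a stock linker emits; anything else is reported as unusual (assumption).
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                        ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}

# Flags a well-known section should / should not carry (assumption, derived
# from the anomaly messages in the example output, not Portex's rules).
EXPECTED = {
    ".text": IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE,
    ".data": IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE,
    ".rdata": IMAGE_SCN_CNT_INITIALIZED_DATA,
    ".rsrc": IMAGE_SCN_CNT_INITIALIZED_DATA,
    ".idata": IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE,
}
UNEXPECTED = {
    ".text": IMAGE_SCN_MEM_WRITE,
    ".data": IMAGE_SCN_MEM_DISCARDABLE,
    ".rdata": IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_UNINITIALIZED_DATA,
    ".rsrc": IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_DISCARDABLE,
    ".idata": IMAGE_SCN_CNT_CODE,
}

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def describe(flags):
    """Render a characteristics bitmask using the spec's flag names."""
    return ", ".join(name for bit, name in FLAG_NAMES.items() if flags & bit)


def parse_section_headers(data):
    """Return (file_alignment, [(name, virtual_size, raw_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20
    # FileAlignment sits at offset 36 of the optional header for both PE32 and PE32+.
    file_alignment = struct.unpack_from("<I", data, optional + 36)[0]
    sections, offset = [], optional + size_of_optional
    for _ in range(num_sections):
        fields = SECTION_HEADER.unpack_from(data, offset)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[1], fields[3], fields[9]))
        offset += SECTION_HEADER.size
    return file_alignment, sections


def check_sections(file_alignment, sections):
    """Apply the structural checks and return human-readable findings."""
    findings = []
    for index, (name, _virtual_size, raw_size, chars) in enumerate(sections, 1):
        where = f"Section Header {index} with name {name}"
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"Section {index} with name {name} has write and execute characteristics.")
        if raw_size == 0:
            findings.append(f"{where}: SIZE_OF_RAW_DATA is 0")
        elif file_alignment and raw_size % file_alignment:
            findings.append(f"{where}: SIZE_OF_RAW_DATA ({raw_size}) must be a multiple of File Alignment ({file_alignment})")
        if name not in COMMON_SECTION_NAMES:
            findings.append(f"Section name is unusual: {name}")
        unexpected = chars & UNEXPECTED.get(name, 0)
        if unexpected:
            findings.append(f"{where} has unusual characteristics, that shouldn't be there: {describe(unexpected)}")
        missing = EXPECTED.get(name, 0) & ~chars
        if missing:
            findings.append(f"{where} should (but doesn't) contain the characteristics: {describe(missing)}")
    return findings


def analyse(data):
    return check_sections(*parse_section_headers(data))


def build_sample_pe(sections):
    """Construct a headers-only PE32 image (constructed test input, not a real binary)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    optional = bytearray(96)                       # PE32 optional header, no data directories
    struct.pack_into("<H", optional, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", optional, 32, 0x1000)   # SectionAlignment
    struct.pack_into("<I", optional, 36, 0x200)    # FileAlignment
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x0102)
    table = b"".join(
        SECTION_HEADER.pack(name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1), raw, 0x400, 0, 0, 0, 0, chars)
        for i, (name, vsize, raw, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + bytes(optional) + table


# Constructed sample: a writable+executable .text with a misaligned raw size,
# an .rdata with no raw data, and an oddly named W+X section.
SAMPLE_PE = build_sample_pe([
    (b".text", 0x8000, 32460, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rdata", 0x2000, 0, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".l1", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for finding in analyse(SAMPLE_PE):
        print("anomaly -", finding)
```

Run as a script it prints six findings for the constructed sample; `analyse(open(path, "rb").read())` runs the same checks on a file. The parser deliberately reads only the fields it needs and raises on a missing signature rather than guessing, which is the kind of fail-closed behaviour a triage tool wants when fed malformed input.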
Tags: DNS reverse resolution, DOM parsing, PE file analysis, Python, TypeScript, binary analysis, cloud security operations, AV-evasion detection, anti-debugging, threat intelligence, security plugin, application security, developer tools, anomaly detection, file format parsing, no backdoor, malformed file analysis, structural anomalies, cyber security, process injection detection, reverse engineering tools, privacy protection, static malware analysis