pftriage is a tool to help analyze files during malware triage. It allows an analyst to quickly view and extract the properties of a file to help during the triage process. The tool also has an analyze function which can detect common malicious indicators used by malware.
- Bug fixes
- Code clean up
- Minor updates
- Fix issues with details
- Update to use the file-magic package for libmagic
```sh
git clone https://github.com/idiom/pftriage.git
pip install -r requirements.txt
```
Display section information with -s or --sections. Add -v for a more verbose view of each section's details.
To export a section, pass --dump with the section's virtual address (e.g. --dump 0x00001000).
Display resource data with -r or --resources.
To extract a specific resource, use -D with the resource's offset. Pass ALL instead of an offset to extract every resource.
Display imported modules and functions with -i or --imports. Imports resolved by ordinal rather than by name are flagged, and the ordinal number is shown.
Display exports using -e or –exports.
If no options are passed on the command line, file and version metadata is displayed.
PFTriage can perform a simple analysis of a file to identify malicious characteristics.
Overlay data (bytes appended to the file past the end of the last section, so they are mapped into no section) is reported when the file is analyzed or when section information is displayed. If an overlay exists, pftriage can strip it with --removeoverlay or export it with --extractoverlay.
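As an added example, not pftriage's own code (pftriage itself is built on the pefile library; this parses the PE headers directly with struct so it runs with no dependencies), the following Python shows what the section listing, --dump and the overlay operations above actually compute: it walks the section table, finds the first byte past the last section's raw data, extracts or strips whatever lies beyond it, dumps a section by virtual address, and flags writable-and-executable sections as one simple indicator of the kind an analyze step might report. The sample PE image and its overlay are constructed inline by build_sample_pe, and every function name here is this example's own.

```python
import struct

# Header layouts we need (little-endian), per the PE/COFF format.
COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(data, coff_off)
    table_off = coff_off + COFF_HDR.size + opt_size  # table follows optional header
    sections = []
    for i in range(nsections):
        f = SECTION_HDR.unpack_from(data, table_off + i * SECTION_HDR.size)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "raw_size": f[3],
            "raw_ptr": f[4],
            "characteristics": f[9],
        })
    return sections


def overlay_offset(data: bytes) -> int:
    """First byte past the last section's raw data, clamped to the file size.

    Everything from here to EOF is overlay: present on disk, mapped into no
    section. (pefile's get_overlay_data_start_offset also accounts for the
    certificate table and SizeOfHeaders; this version looks only at sections.)
    """
    end = max((s["raw_ptr"] + s["raw_size"] for s in parse_sections(data)), default=0)
    return min(end, len(data))


def extract_overlay(data: bytes) -> bytes:
    return data[overlay_offset(data):]


def remove_overlay(data: bytes) -> bytes:
    return data[:overlay_offset(data)]


def dump_section(data: bytes, virtual_address: int) -> bytes:
    """Raw bytes of the section at a given virtual address (what --dump selects)."""
    for s in parse_sections(data):
        if s["virtual_address"] == virtual_address:
            return data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
    raise ValueError("no section at VA 0x%08x" % virtual_address)


def wx_sections(data: bytes) -> list:
    """Sections that are both writable and executable, a common sign of a packed
    or self-modifying image. An assumed example indicator, not pftriage's rules."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in parse_sections(data) if s["characteristics"] & wx == wx]


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (headers plus three sections), not a real
    binary: just enough structure for the parsers above, plus an optional overlay."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    # (name, virtual address, raw pointer, characteristics, filler byte)
    layout = [
        (b".text", 0x1000, 0x200, 0x60000020, b"\x90"),   # code, R+X
        (b".data", 0x2000, 0x300, 0xC0000040, b"D"),      # data, R+W
        (b".packed", 0x3000, 0x400, 0xE0000020, b"P"),    # code, R+W+X
    ]
    coff = COFF_HDR.pack(0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic
    table = b"".join(SECTION_HDR.pack(n, 0x100, va, 0x100, raw, 0, 0, 0, 0, ch)
                     for n, va, raw, ch, _ in layout)
    image = dos + b"PE\0\0" + coff + optional + table
    image += b"\0" * (0x200 - len(image))  # pad headers up to the first raw pointer
    for _, _, _, _, fill in layout:
        image += fill * 0x100
    return image + overlay


if __name__ == "__main__":
    pe = build_sample_pe(b"CONSTRUCTED-OVERLAY")
    for s in parse_sections(pe):
        print("%-8s VA=0x%08x raw=0x%x+0x%x chars=0x%08x" % (
            s["name"], s["virtual_address"], s["raw_ptr"], s["raw_size"], s["characteristics"]))
    print("overlay at 0x%x: %r" % (overlay_offset(pe), extract_overlay(pe)))
    print("W+X sections:", wx_sections(pe))
```

Run it on a real sample by replacing build_sample_pe with the file's bytes; the overlay offset is the number to compare against the file size, and a mismatch between a section's raw size and the bytes actually present (a truncated download) is why the offset is clamped rather than trusted.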