Plugins
Pyew supports plugins in the form of Python classes. A Pyew plugin can be used in either interactive or batch mode. In batch mode, typically, the plugin returns the corresponding result and in interactive mode shows the results.
The following is a dummy plugin you may use as a template for your own plugins:
```python
def example(pyew):
    print("Hello world!")

functions = {"hello": example}
```
Save it as, for example, hello.py and place this file in the plugins directory. Now, you can issue in Pyew the command "hello" to see the message "Hello World!".
To add support for batch mode, you can change the current plugin in one of the following ways:
Mode 1
```python
def example(pyew):
    if pyew.batch:
        return "Hello World!"
    else:
        print("Hello World!")
```
Mode 2
```python
def example(pyew, doprint=True):
    if doprint:
        print("Hello World!")
    else:
        return "Hello World!"
```
The second mode is the preferred one.
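The following is an added example of a complete plugin written in the second form, modelled on the behaviour of the 'url' plugin described below; it is not code shipped with Pyew. It assumes the plugin entry point receives the Pyew instance and that the bytes of the currently opened file or buffer are available as `pyew.buf` (an assumption about the Pyew API; adjust the attribute if your version differs). The `_FakePyew` class and the `SAMPLE` buffer are constructed here so the plugin can be exercised offline, and the code uses Python 3 syntax.

```python
# Added example: a Pyew-style plugin in the "doprint" form.
# Not part of Pyew; assumes pyew.buf holds the opened file's bytes.
import re

# Constructed pattern: http(s)/ftp URLs, stopping at whitespace, NULs,
# quotes or other bytes that cannot be part of a URL.
URL_RE = re.compile(rb"(?:https?|ftp)://[A-Za-z0-9._~:/?#@!$&*+,;=%()-]+")


def find_urls(buf):
    """Return the unique URLs found in buf, in order of first appearance."""
    seen = []
    for match in URL_RE.finditer(buf):
        url = match.group(0).decode("ascii", "replace")
        if url not in seen:
            seen.append(url)
    return seen


def urls(pyew, doprint=True):
    """Plugin entry point.

    Interactive mode (doprint=True) prints each URL; batch mode
    (doprint=False) returns the list so a script can consume it.
    """
    found = find_urls(pyew.buf)
    if doprint:
        if not found:
            print("No URLs found")
        for url in found:
            print(url)
    else:
        return found


# Registers the plugin so "urls" becomes a Pyew command.
functions = {"urls": urls}


class _FakePyew(object):
    """Constructed stand-in for the Pyew instance, used only to run offline."""

    def __init__(self, buf):
        self.buf = buf
        self.batch = True


# Constructed sample buffer: two distinct URLs, one repeated, embedded among
# NUL bytes the way strings sit inside a binary.
SAMPLE = (
    b"MZ\x90\x00\x00http://example.invalid/download?x=1\x00"
    b" ftp://files.example.invalid/a.bin \x00"
    b"http://example.invalid/download?x=1\x00"
)

if __name__ == "__main__":
    # Batch mode returns the list; interactive mode prints it.
    print(urls(_FakePyew(SAMPLE), doprint=False))
    urls(_FakePyew(SAMPLE))
```

Save the file in the plugins directory and the command `urls` becomes available; a batch script calls `urls(pyew, doprint=False)` and gets the list back, while the interactive prompt prints one URL per line.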
As of 2010-01, the following is the list of plugins distributed with Pyew:
- Print the OLE2 structure of the currently opened file or buffer. Uses OleFileIO_PL by Philippe Lagadec.
- Try to detect the compiler and/or packer's signature. Uses PEUtils by Ero Carrera. A UserDB.txt file with ~4445 signatures is distributed with Pyew. In interactive mode, the plugin returns a list with every matched signature.
- Show the callgraph of the current program with xdot.py by Jose Fonseca. In batch mode, the plugin returns a DOT buffer.
- Show an image representing the currently opened file or buffer. Requires the Python Imaging Library.
- Search for URLs in the current file or buffer. In batch mode, the plugin returns a list with every detected URL.
- Search for URLs in the current file or buffer using the 'url' plugin and check whether any of the URLs is known to be bad using the malware URL list distributed by MalwarePatrol.
- Search for URLs in the current file or buffer using the 'url' plugin and check whether each URL is still alive or not.
- Search for the hash of the current file or buffer using the VirusTotal search hash utility and print the AV detection results. Currently, the plugin doesn't support uploading the current sample or buffer. This feature will be added soon.
- Open in a browser the behaviour report generated by ThreatExpert. The report may or may not exist. The plugin doesn't support uploading the current file or buffer.
- Show decoded stream data in a GUI.
- Print decoded stream data (text mode).
- Get information about the streams. Show a list of the streams with the filters applied to them.
- Show the list of streams.
- Show general information about the PDF.
- Show the PDF's object list.
- Seek to one specified object.
- Seek to one specified stream.
- Search for common anti-VM tricks. Subject to be replaced soon.
- Search for shellcode in the current file or buffer using libemu. Subject to be removed soon.