Merge pull request #456 from j-t-1/peutils

Tweak peutils.py

Author: nightlark

peutils.py

@@ -57,11 +57,11 @@ def __init__(self, filename=None, data=None):
         # - A dictionary with a string as a key (packer name)
         #   and None as value to indicate a full signature
         #
-        self.signature_tree_eponly_true = dict()
+        self.signature_tree_eponly_true = {}
         self.signature_count_eponly_true = 0
-        self.signature_tree_eponly_false = dict()
+        self.signature_tree_eponly_false = {}
         self.signature_count_eponly_false = 0
-        self.signature_tree_section_start = dict()
+        self.signature_tree_section_start = {}
         self.signature_count_section_start = 0
 
         # The depth (length) of the longest signature
@@ -92,7 +92,7 @@ def generate_section_signatures(self, pe, name, sig_length=512):
                 name,
                 idx + 1,
                 len(pe.sections),
-                "".join([c for c in section.Name if c in string.printable]),
+                "".join(c for c in section.Name if c in string.printable),
             )
 
             section_signatures.append(
@@ -127,7 +127,7 @@ def __generate_signature(
 
         data = pe.__data__[offset : offset + sig_length]
 
-        signature_bytes = " ".join(["%02x" % ord(c) for c in data])
+        signature_bytes = " ".join(f"{ord(c):02x}" for c in data)
 
         if ep_only == True:
             ep_only = "true"
@@ -340,7 +340,7 @@ def __match_signature_tree(self, signature_tree, data, depth=0):
             if None in list(match.values()):
                 # idx represent how deep we are in the tree
                 #
-                # names = [idx+depth]
+                # names = [idx + depth]
                 names = list()
 
                 # For each of the item pairs we check
@@ -498,9 +498,9 @@ def is_valid(pe):
 
 def is_suspicious(pe):
     """
-    unusual locations of import tables
-    non recognized section names
-    presence of long ASCII strings
+    Unusual locations of import tables
+    Non-recognized section names
+    Presence of long ASCII strings
     """
 
     relocations_overlap_entry_point = False
@@ -542,7 +542,7 @@ def is_suspicious(pe):
         warnings_while_parsing
 
     # If there are few or none (should come with a standard "density" of strings/kilobytes of data) longer (>8)
-    # ascii sequences that might indicate packed data, (this is similar to the entropy test in some ways but
+    # ASCII sequences that might indicate packed data, (this is similar to the entropy test in some ways but
     # might help to discard cases of legitimate installer or compressed data)
 
     # If compressed data (high entropy) and is_driver => uuuuhhh, nasty
@@ -580,7 +580,6 @@ def is_probably_packed(pe, section_entropy=7.4, packed_threshold=0.2):
     # Assume that the file is packed when no data is available
     if not total_pe_data_length:
         return True
-    has_significant_amount_of_compressed_data = False
 
     # If some of the sections have high entropy and they make for more than 20% of the file's size
     # it's assumed that it could be an installer or a packed file
@@ -591,6 +590,7 @@ def is_probably_packed(pe, section_entropy=7.4, packed_threshold=0.2):
         if s_entropy > section_entropy:
             total_compressed_data += len(section.get_data())
 
+    has_significant_amount_of_compressed_data = False
     if (total_compressed_data / total_pe_data_length) > packed_threshold:
         has_significant_amount_of_compressed_data = True