Update app.py

app.py

@@ -4,26 +4,209 @@ import zipfile
 import tempfile
 import pefile
 import shutil
+import subprocess
+import re
+import struct
 from pathlib import Path
+from capstone import Cs, CS_ARCH_X86, CS_MODE_32, CS_MODE_64
 
-st.set_page_config(page_title="File Analyzer", page_icon="🔍")
+st.set_page_config(page_title="Advanced File Analyzer", page_icon="🔍", layout="wide")
 
-st.title("File Analysis Tool")
+st.title("Advanced File Analysis Tool")
 st.markdown("""
-This tool allows you to analyze various file types:
+This tool allows you to:
 - Extract and view contents of .zip files
-- Unpack .exe files to examine their contents
-- View information about .dll files
+- Decompile .exe files to Python-like code
+- View decompiled code from .dll files
+- Automatically analyze nested executables
 """)
 
-# No size limit
+def try_pyinstaller_extraction(file_path, output_dir):
+    """Attempt to extract Python scripts from PyInstaller executables"""
+    try:
+        # Install pyinstxtractor if not already present
+        subprocess.run(["pip", "install", "pyinstxtractor"], capture_output=True)
+        
+        # Run pyinstxtractor on the file
+        result = subprocess.run(["python", "-m", "pyinstxtractor", file_path], 
+                               cwd=output_dir, capture_output=True, text=True)
+        
+        extracted_dir = os.path.join(output_dir, os.path.basename(file_path) + "_extracted")
+        
+        if os.path.exists(extracted_dir):
+            # Try to decompile the Python bytecode files
+            subprocess.run(["pip", "install", "uncompyle6"], capture_output=True)
+            
+            python_files = {}
+            for root, _, files in os.walk(extracted_dir):
+                for file in files:
+                    if file.endswith('.pyc') or file.endswith('.pyo'):
+                        pyc_path = os.path.join(root, file)
+                        py_path = pyc_path + ".py"
+                        try:
+                            subprocess.run(["uncompyle6", pyc_path, "-o", py_path], capture_output=True)
+                            if os.path.exists(py_path):
+                                with open(py_path, 'r', encoding='utf-8', errors='ignore') as f:
+                                    rel_path = os.path.relpath(pyc_path, extracted_dir)
+                                    python_files[rel_path] = f.read()
+                        except:
+                            pass
+            
+            return {
+                "success": True,
+                "message": "Successfully extracted Python code",
+                "files": python_files
+            }
+        return {
+            "success": False,
+            "message": "Not a PyInstaller executable or extraction failed"
+        }
+    except Exception as e:
+        return {
+            "success": False,
+            "message": f"PyInstaller extraction error: {str(e)}"
+        }
+
+def disassemble_binary(file_path, is_dll=False):
+    """Disassemble a binary file to approximate code"""
+    try:
+        pe = pefile.PE(file_path)
+        
+        # Determine if 32-bit or 64-bit
+        is_64bit = pe.OPTIONAL_HEADER.Magic == 0x20b
+        mode = CS_MODE_64 if is_64bit else CS_MODE_32
+        
+        # Initialize disassembler
+        md = Cs(CS_ARCH_X86, mode)
+        md.detail = True
+        
+        code_sections = []
+        
+        # Find the entry point for EXEs
+        entry_point = None
+        if not is_dll:
+            entry_rva = pe.OPTIONAL_HEADER.AddressOfEntryPoint
+            for section in pe.sections:
+                if section.contains_rva(entry_rva):
+                    entry_offset = entry_rva - section.VirtualAddress + section.PointerToRawData
+                    entry_point = entry_offset
+        
+        # Process each section
+        for section in pe.sections:
+            section_name = section.Name.decode('utf-8', errors='ignore').strip('\x00')
+            
+            # Focus on code sections
+            if section.Characteristics & 0x20000000:  # IMAGE_SCN_CNT_CODE
+                section_data = pe.get_data(section.VirtualAddress, section.SizeOfRawData)
+                
+                # Start disassembly from entry point if in this section
+                start_offset = 0
+                if entry_point is not None and section.contains_rva(pe.OPTIONAL_HEADER.AddressOfEntryPoint):
+                    start_offset = entry_point - section.PointerToRawData
+                
+                # Limit to reasonable size for preview
+                preview_size = min(len(section_data) - start_offset, 4096)
+                
+                # Disassemble
+                disassembly = []
+                is_entry = entry_point is not None and section.contains_rva(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
+                
+                for i, (address, size, mnemonic, op_str) in enumerate(md.disasm_lite(
+                        section_data[start_offset:start_offset+preview_size], 
+                        section.VirtualAddress + start_offset)):
+                    
+                    # Mark entry point
+                    entry_marker = "ENTRY POINT -> " if is_entry and i == 0 else ""
+                    disassembly.append(f"{entry_marker}0x{address:08x}: {mnemonic} {op_str}")
+                
+                code_sections.append({
+                    "name": section_name,
+                    "disassembly": disassembly
+                })
+        
+        # Get exports for DLLs
+        exports = []
+        if is_dll and hasattr(pe, 'DIRECTORY_ENTRY_EXPORT'):
+            for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
+                if exp.name:
+                    exports.append(exp.name.decode('utf-8', errors='ignore'))
+        
+        # Convert to pseudo-Python
+        pseudo_python = generate_pseudo_python(code_sections, exports, is_dll)
+        
+        return {
+            "success": True,
+            "code_sections": code_sections,
+            "exports": exports,
+            "pseudo_python": pseudo_python
+        }
+    except Exception as e:
+        return {
+            "success": False,
+            "message": f"Disassembly error: {str(e)}"
+        }
+
+def generate_pseudo_python(code_sections, exports, is_dll):
+    """Generate pseudo-Python code from disassembly"""
+    pseudo_code = []
+    
+    pseudo_code.append("# This is an approximation generated from binary code")
+    pseudo_code.append("# It is NOT the original source code")
+    pseudo_code.append("")
+    
+    if is_dll:
+        pseudo_code.append("# DLL Export Functions")
+        for export in exports:
+            pseudo_code.append(f"def {export}():")
+            pseudo_code.append("    # Implementation not recoverable from binary")
+            pseudo_code.append("    pass")
+            pseudo_code.append("")
+    
+    for section in code_sections:
+        pseudo_code.append(f"# Code Section: {section['name']}")
+        pseudo_code.append("def main():")
+        
+        # Very basic pattern recognition for common operations
+        in_function = False
+        current_function = None
+        
+        # Extract common patterns from assembly
+        for line in section['disassembly'][:100]:  # Limit to first 100 instructions for preview
+            # Look for call instructions to infer function calls
+            if "call" in line and "0x" in line:
+                addr = re.search(r'0x[0-9a-f]+', line)
+                if addr:
+                    pseudo_code.append(f"    call_function_{addr.group(0)}()")
+            # Look for mov instructions to infer variable assignments
+            elif "mov" in line:
+                reg_match = re.search(r'mov\s+(\w+),\s+(.+)', line)
+                if reg_match:
+                    dest, source = reg_match.groups()
+                    pseudo_code.append(f"    {dest} = {source}  # {line}")
+            # Look for common comparisons
+            elif "cmp" in line:
+                cmp_match = re.search(r'cmp\s+(\w+),\s+(.+)', line)
+                if cmp_match:
+                    a, b = cmp_match.groups()
+                    pseudo_code.append(f"    if {a} == {b}:  # {line}")
+                    pseudo_code.append("        pass")
+            else:
+                pseudo_code.append(f"    # {line}")
+                
+        pseudo_code.append("")
+        
+        pseudo_code.append("if __name__ == '__main__':")
+        pseudo_code.append("    main()")
+        pseudo_code.append("")
+    
+    return "\n".join(pseudo_code)
 
 def unpack_exe(file_path, output_dir):
-    """Extract information from an EXE file using pefile"""
+    """Extract information from an EXE file and attempt to convert to Python"""
     try:
         pe = pefile.PE(file_path)
         
-        # Create a basic info dictionary
+        # Basic PE information
         info = {
             "Machine": hex(pe.FILE_HEADER.Machine),
             "TimeDateStamp": pe.FILE_HEADER.TimeDateStamp,
@@ -59,6 +242,7 @@ def unpack_exe(file_path, output_dir):
         if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
             resource_dir = os.path.join(output_dir, "resources")
             os.makedirs(resource_dir, exist_ok=True)
+            extracted_resources = []
             
             for resource_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
                 if hasattr(resource_type, 'directory'):
@@ -67,19 +251,33 @@ def unpack_exe(file_path, output_dir):
                             for resource_lang in resource_id.directory.entries:
                                 data = pe.get_data(resource_lang.data.struct.OffsetToData, resource_lang.data.struct.Size)
                                 resource_filename = f"resource_{resource_type.id}_{resource_id.id}_{resource_lang.id}"
-                                with open(os.path.join(resource_dir, resource_filename), 'wb') as f:
+                                resource_path = os.path.join(resource_dir, resource_filename)
+                                with open(resource_path, 'wb') as f:
                                     f.write(data)
+                                extracted_resources.append(resource_filename)
+            
+            info["ExtractedResources"] = extracted_resources
+        
+        # Try to disassemble and convert to pseudo-Python
+        disassembly_result = disassemble_binary(file_path)
+        
+        # Try PyInstaller extraction for Python executables
+        pyinstaller_result = try_pyinstaller_extraction(file_path, output_dir)
         
-        return info
+        return {
+            "basic_info": info,
+            "disassembly": disassembly_result,
+            "pyinstaller": pyinstaller_result
+        }
     except Exception as e:
         return {"Error": str(e)}
 
 def analyze_dll(file_path):
-    """Extract information from a DLL file using pefile"""
+    """Extract information and code from a DLL file"""
     try:
         pe = pefile.PE(file_path)
         
-        # Create a basic info dictionary
+        # Basic information
         info = {
             "Machine": hex(pe.FILE_HEADER.Machine),
             "TimeDateStamp": pe.FILE_HEADER.TimeDateStamp,
@@ -99,7 +297,7 @@ def analyze_dll(file_path):
                 "Entropy": section.get_entropy()
             })
         
-        # Get exports if present
+        # Get exports
         if hasattr(pe, 'DIRECTORY_ENTRY_EXPORT'):
             info["Exports"] = []
             for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
@@ -120,7 +318,13 @@ def analyze_dll(file_path):
                     "Functions": imports
                 })
         
-        return info
+        # Try to disassemble and convert to pseudo-Python
+        disassembly_result = disassemble_binary(file_path, is_dll=True)
+        
+        return {
+            "basic_info": info,
+            "disassembly": disassembly_result
+        }
     except Exception as e:
         return {"Error": str(e)}
 
@@ -165,7 +369,6 @@ def process_zip_file(file_path, temp_dir):
 uploaded_file = st.file_uploader("Upload a file (.zip, .exe, or .dll)", type=["zip", "exe", "dll"])
 
 if uploaded_file is not None:
-    # Process file without size check
     with tempfile.TemporaryDirectory() as temp_dir:
         # Save the uploaded file to the temporary directory
         file_path = os.path.join(temp_dir, uploaded_file.name)
@@ -193,30 +396,114 @@ if uploaded_file is not None:
                     st.subheader("Detected Executable Files")
                     for file_path, file_info in result['nested_files'].items():
                         with st.expander(f"{file_path} ({file_info['type'].upper()})"):
-                            st.json(file_info['info'])
+                            if file_info['type'] == 'exe':
+                                tabs = st.tabs(["Basic Info", "Python Code", "Disassembly"])
+                                with tabs[0]:
+                                    st.json(file_info['info'].get('basic_info', {}))
+                                with tabs[1]:
+                                    pyinstaller_result = file_info['info'].get('pyinstaller', {})
+                                    disassembly = file_info['info'].get('disassembly', {})
+                                    
+                                    if pyinstaller_result.get('success', False):
+                                        st.success("Python code extracted successfully!")
+                                        for filename, content in pyinstaller_result.get('files', {}).items():
+                                            with st.expander(f"Python File: {filename}"):
+                                                st.code(content, language="python")
+                                    else:
+                                        st.warning("Not a Python executable or extraction failed.")
+                                        st.subheader("Generated Python-like Code")
+                                        st.code(disassembly.get('pseudo_python', "# No code could be generated"), language="python")
+                                with tabs[2]:
+                                    disassembly = file_info['info'].get('disassembly', {})
+                                    if disassembly.get('success', False):
+                                        for section in disassembly.get('code_sections', []):
+                                            with st.expander(f"Section: {section['name']}"):
+                                                st.code("\n".join(section['disassembly']), language="asm")
+                                    else:
+                                        st.error(disassembly.get('message', "Disassembly failed"))
+                            else:  # DLL
+                                tabs = st.tabs(["Basic Info", "DLL Code", "Exports/Imports"])
+                                with tabs[0]:
+                                    st.json(file_info['info'].get('basic_info', {}))
+                                with tabs[1]:
+                                    disassembly = file_info['info'].get('disassembly', {})
+                                    st.subheader("Generated Python-like Code")
+                                    st.code(disassembly.get('pseudo_python', "# No code could be generated"), language="python")
+                                with tabs[2]:
+                                    basic_info = file_info['info'].get('basic_info', {})
+                                    if 'Exports' in basic_info:
+                                        st.subheader("Exported Functions")
+                                        st.json(basic_info['Exports'])
+                                    if 'Imports' in basic_info:
+                                        st.subheader("Imported DLLs and Functions")
+                                        st.json(basic_info['Imports'])
         
         elif uploaded_file.name.lower().endswith('.exe'):
-            st.subheader("EXE File Analysis")
+            st.subheader("EXE File Analysis and Decompilation")
             output_dir = os.path.join(temp_dir, "exe_unpacked")
             os.makedirs(output_dir, exist_ok=True)
             
             try:
                 exe_info = unpack_exe(file_path, output_dir)
-                st.json(exe_info)
                 
-                # Check if resources were extracted
-                resource_dir = os.path.join(output_dir, "resources")
-                if os.path.exists(resource_dir) and os.listdir(resource_dir):
-                    st.subheader("Extracted Resources")
-                    for resource_file in os.listdir(resource_dir):
-                        st.text(f"Resource: {resource_file}")
+                tabs = st.tabs(["Basic Info", "Python Code", "Disassembly", "Resources"])
+                with tabs[0]:
+                    st.json(exe_info.get('basic_info', {}))
+                with tabs[1]:
+                    pyinstaller_result = exe_info.get('pyinstaller', {})
+                    disassembly = exe_info.get('disassembly', {})
+                    
+                    if pyinstaller_result.get('success', False):
+                        st.success("Python code extracted successfully!")
+                        for filename, content in pyinstaller_result.get('files', {}).items():
+                            with st.expander(f"Python File: {filename}"):
+                                st.code(content, language="python")
+                    else:
+                        st.warning(pyinstaller_result.get('message', "Not a Python executable or extraction failed."))
+                        st.subheader("Generated Python-like Code")
+                        st.code(disassembly.get('pseudo_python', "# No code could be generated"), language="python")
+                with tabs[2]:
+                    disassembly = exe_info.get('disassembly', {})
+                    if disassembly.get('success', False):
+                        for section in disassembly.get('code_sections', []):
+                            with st.expander(f"Section: {section['name']}"):
+                                st.code("\n".join(section['disassembly']), language="asm")
+                    else:
+                        st.error(disassembly.get('message', "Disassembly failed"))
+                with tabs[3]:
+                    basic_info = exe_info.get('basic_info', {})
+                    if 'ExtractedResources' in basic_info:
+                        st.write(f"Found {len(basic_info['ExtractedResources'])} resources")
+                        for resource in basic_info['ExtractedResources']:
+                            st.text(f"Resource: {resource}")
             except Exception as e:
                 st.error(f"Error analyzing EXE file: {str(e)}")
         
         elif uploaded_file.name.lower().endswith('.dll'):
-            st.subheader("DLL File Information")
+            st.subheader("DLL File Analysis and Decompilation")
             try:
                 dll_info = analyze_dll(file_path)
-                st.json(dll_info)
+                
+                tabs = st.tabs(["Basic Info", "DLL Code", "Exports/Imports"])
+                with tabs[0]:
+                    st.json(dll_info.get('basic_info', {}))
+                with tabs[1]:
+                    disassembly = dll_info.get('disassembly', {})
+                    st.subheader("Generated Python-like Code")
+                    st.code(disassembly.get('pseudo_python', "# No code could be generated"), language="python")
+                    
+                    if disassembly.get('success', False):
+                        st.subheader("Assembly Code")
+                        for section in disassembly.get('code_sections', []):
+                            with st.expander(f"Section: {section['name']}"):
+                                st.code("\n".join(section['disassembly']), language="asm")
+                with tabs[2]:
+                    basic_info = dll_info.get('basic_info', {})
+                    if 'Exports' in basic_info:
+                        st.subheader("Exported Functions")
+                        st.json(basic_info['Exports'])
+                    if 'Imports' in basic_info:
+                        st.subheader("Imported DLLs and Functions")
+                        st.json(basic_info['Imports'])
             except Exception as e:
                 st.error(f"Error analyzing DLL file: {str(e)}")