def lookup(malware: str) -> int:
match = False
for expression, family, _ in load_mapping():
if re.match(expression, malware, re.IGNORECASE):
print('Found match %r -> %r.' % (malware, family))
match = True
if not match:
print('Found no match.', file=sys.stderr)
return 1
return 0
def main():
parser = argparse.ArgumentParser(
prog='check_malpedia',
description=
'Checks if malpedia lists malware names which this mapping does not support.'
)
parser.add_argument('-o',
'--online',
action='store_true',
help='Check online against the Malpedia REST-API.')
parser.add_argument('-u',
'--username',
type=str,
default="",
help='Malpedia Username (for online mode).')
parser.add_argument('-p',
'--password',
type=str,
default="",
help='Malpedia Password (for online mode).')
parser.add_argument('-m',
'--malpedia_root',
type=str,
default="",
help='Check offline against the Malpedia repository.')
parser.add_argument('-ge',
'--generate-existing',
action='store_true',
help='Generate missing existing mappings.')
parser.add_argument('-gn',
'--generate-new',
action='store_true',
help='Generate missing new mappings.')
args = parser.parse_args()
malpedia_names = {}
if args.malpedia_root:
malpedia_names = get_malpedia_names_offline(args.malpedia_root)
elif args.online and args.username and args.password:
malpedia_names = get_malpedia_names_online(args.username,
args.password)
else:
parser.print_help()
mapping = {line[0] for line in load_mapping()}
if args.generate_new or args.generate_existing:
generate_mappings(mapping,
malpedia_names,
existing=args.generate_existing,
new=args.generate_new)
else:
check_mapping_regexes(mapping, malpedia_names)
def count_matches(include_malpedia: bool = False):
if exrex is None:
print("Error: Python module exrex is needed but not available.",
file=sys.stderr)
return 2
replace = re.compile(
r'\{[0-9]*,?([0-9]{2,}|[3-9])(,[0-9]*)?\}'
) # either more than one digit or greater than 2. Match also '{..,n}' or '{n,...}'
print(
sum(
exrex.count(replace.sub('', expression))
for expression, _, _ in load_mapping(
include_malpedia=include_malpedia) if '*' not in expression))
from common import find_mapping, load_mapping
filename = find_mapping()
error = False
with open(filename) as handle:
for line in handle.readlines():
if not re.match('^"\^[^"]*\$",[0-9a-z/_-]*,(.*)?$', line):
print("Line does not match defined format: %r." % line, file=sys.stderr)
error = True
if error:
sys.exit(1)
expressions = [line[:2] for line in load_mapping(filename)]
error = False
for _, family in expressions:
family_match = False
for expression, other_family in expressions:
try:
if re.match(expression, family):
if family != other_family:
print('Malware family %r matches to another family %r.' % (family, other_family))
error = True
else:
family_match = True
except re.error as exc:
print('Error parsing expression %r: %r' % (expression, exc))
from common import find_mapping, load_mapping
for filename in ('mapping.csv', 'malpedia.csv'):
filename = find_mapping(filename=filename)
error = False
with open(filename) as handle:
for line in handle.readlines():
if not re.match('^("\^[^"]*\$",[0-9a-z/_-]*,(.*)?$|#)', line):
print("Line does not match defined format: %r." % line,
file=sys.stderr)
error = True
if error:
sys.exit(1)
expressions = [line[:2] for line in load_mapping(include_malpedia=True)]
error = False
erroneous = [False] * len(expressions)
for _, family in expressions:
family_match = False
for index, (expression, other_family) in enumerate(expressions):
if erroneous[index]:
continue
try:
if re.fullmatch(expression, family):
if family != other_family:
print('Malware family %r matches to another family %r.' %
(family, other_family))
error = True
else:
#!/usr/bin/python3
# -*- coding: utf-8 -*-
import sys
from common import load_mapping
try:
import exrex
except ImportError:
print("Error: Python module exrex is needed but not available.", file=sys.stderr)
sys.exit(2)
expressions = {line[0] for line in load_mapping()}
known = set()
for expression in expressions:
for ind, result in enumerate(exrex.generate(expression)):
if result in known:
print('Found overlap: %r.' % result)
else:
known.add(result)
if ind > 100:
print('Stop generating expressions for %r.' % expression)
break