Beispiel #1
0
def get(filename):
    
    matchesVM =[] 
    
    vm_xmlfile = getPath(lib.enum.paths.VM_XML_FILE)


    fexecutable = open(filename,"rb")
    xml = XMLParser()

    XmlElements = xml.getElementsByTag(vm_xmlfile,'vm')
    buf = fexecutable.read()
    fexecutable.close()
    
    # elem =  [text , {attr}]
    # XmlElements [elem..]
    for elem in XmlElements:
            
            match = re.findall(elem[0], buf, re.IGNORECASE | re.MULTILINE)
            
            if match:
                matchesVM.append(elem[1]['name']) # VMbox , VMware
            elif buf.find(elem[0][::-1]) > -1:  # hex virtual machine tricks
                matchesVM.append(elem[1]['name']) # VirtualPc trick
    return matchesVM
Beispiel #2
0
 def testName(self):
    
     api_list_xml_path = lib.enum.getPath(lib.enum.paths.APILIST_XML_FILE)#os.path.abspath(os.getcwd()+os.sep+'config'+ os.sep+'config-xml'+ os.sep +'apilist.xml')
     dir_entry_import = lib.enum.pefile_attribute.DIRECTORY_ENTRY_IMPORT
     
     apiPath = enum.getPath(lib.enum.paths.APILIST_XML_FILE)
     entry_import = "DIRECTORY_ENTRY_IMPORT"
     
   
  #   self.assertEqual(api_list_xml_path,apiPath,'Successfully')
  #   self.assertEqual(dir_entry_import,entry_import,'Successfully')
     print apiPath
Beispiel #3
0
def get(pe):
    packer_db =  getPath(lib.enum.paths.PACKER_DB)
    signatures = peutils.SignatureDatabase(packer_db)
    matches = signatures.match_all(pe,ep_only = True)
    
    arrPacker =[]
    if matches:
        for packer in matches:
            if packer[0] not in arrPacker:
                arrPacker.append(packer[0])
    
    
    return arrPacker    
def get(pe):
    
    dir_entry_import = enum.pefile_attribute.DIRECTORY_ENTRY_IMPORT
    apiPath = enum.getPath(enum.paths.APILIST_XML_FILE)
    suspicious_api_found = []
    xmlPar = XMLParser()
    apilist =  xmlPar.getElementTextByTag(apiPath,'api')
    if hasattr(pe,dir_entry_import):
           for l in pe.DIRECTORY_ENTRY_IMPORT:
            for imp in l.imports:
                for alert in apilist:
                    if alert:
                        if str(imp.name).startswith(alert):
                            suspicious_api_found.append(imp.name)

    return sorted(set(suspicious_api_found))
Beispiel #5
0
def get(pe):
    antidbgs_path = getPath(lib.enum.paths.ANTI_DEBUGGER)
    xml = XMLParser() 
    
    antidbgs = xml.getElementTextByTag(antidbgs_path, 'function')
    
    dir_entry_import = hasattr(pe,pefile_attribute.DIRECTORY_ENTRY_IMPORT)

    founded_antidebugger = []

    if dir_entry_import:
         for lib in pe.DIRECTORY_ENTRY_IMPORT:
             for imp in lib.imports:
                 for antidbg in antidbgs:
                     if antidbg:
                            if str(imp.name).startswith(antidbg):
                                founded_antidebugger.append(imp.name)
                            
    
    return list(set(founded_antidebugger))   # we can use sorted(set()) ==> create list
Beispiel #6
0
    def testName(self):
        xml = XMLParser() 
        path = getPath(lib.enum.paths.APILIST_XML_FILE)
        print "API LIST PATH " ,path
        ElementAttribute = xml.getElementAttribByTag(path,'api')
        
        
        
        print 'Element Attribute ' % ElementAttribute
        
        
        ElementText = xml.getElementTextByTag(path, 'api')
        print 'Element Text '  % ElementText 
        
        
        # create a new xml and append
        newxml = XMLParser()
        newxml.setRoot("Malware")
        attribute = {'id':'5'}
        r = newxml.getRoot()
        added = newxml.addSubElement(r,"Konuk","18", attribute)
        addedNew = newxml.addSubElement(added,"subKonuk","25",attribute)
        newxml.createXMLFile("mithat.xml")
        print 'new xml file created'
        
        tagdict = {'tag':'university','text':'GYTE','status':'Finished'}
        
        xml.append('mithat.xml', tagdict)


        te = xml.getElementsByTag('mithatt.xml','permission')
        #print te[0][0]
        
        te = xml.getElementsByTag('filetype.xml','file')
        for elem in te :
           print elem[1]
	def configuration(self,suspicious_file):

		parser = SafeConfigParser()
		parser.read(enum.getPath(enum.paths.VIRUSTOTAL))
		self.apiKey = parser.get('virustotal','secretKey')
		self.suspicious_file = suspicious_file
Beispiel #8
0
def get(filename):
    
    
    executable_file  = open(filename,'rb')
    arrPeFile = [] # word raw
    
    arrURL = [] 
    arrFILE = []
    arrFileNames = [] # description , filename
    
    for found_str in stream.get_process(executable_file):
        fname = re.findall("(.+\.([a-z]{2,3}$))+", found_str, re.IGNORECASE | re.MULTILINE)
        if fname:
           word = fname[0][0]
           arrPeFile.append(word)
           
    for elem in sorted(set(arrPeFile)):
        match = re.search(enum.file_url_pattern, elem, re.IGNORECASE)
    
        if match and len(elem) > 6:
            arrURL.append(elem)
        else :
             arrFILE.append(elem)    
 
    
    xml = XMLParser()
    file_type_path = getPath(lib.enum.paths.FILE_TYPE)
    file_type_list= xml.getElementsByTag(file_type_path,'file')
    
    for elem in sorted(set(arrFILE)):
        for file_type in file_type_list: #  file_type is list [.zip,{'type':'Compressed'}]
            matched = re.search(file_type[0]+"$", elem, re.IGNORECASE)  #file_type[0] ==> '.zip' file_type[1] ==> {'type':'compressed'}
            if matched:
                arrFileNames.append([file_type[1]['type'],elem])
                """
                arrFileNames ->
        
                    [ ['Web Page', 'a.php'], 
                    ['Binary',   'a.bin'], 
                    ['Binary',   'a.bin'], 
                    ['Library',  'KERNEL32.DLL'],
                    ['Library',  'xxx.dll'] ]
                """
    
    filelist =[]
    
    
    if arrFileNames:
        
        uniq_descr = [] # uniq description ['Web Page','Binary','Movie','Audio']
        
        [item for item in arrFileNames if item[0] not in uniq_descr and not uniq_descr.append(item[0])]
        
        
        
        found = {}
        match = []
        
        for descr in uniq_descr:
            for elem in arrFileNames:
                if elem[0] == descr:
                    match.append(elem[1])
            found[descr] = match
            match = []
            
        filelist = found.items()  
        
        """
        'print found' -> Dictionary {}

        { 'Binary': ['core_x86.bin', 'dropper_x86.bin'], 
        'Web Page': ['gate.php'], 
        'Library': ['IPHLPAPI.DLL', 'WININET.dll'] }


        'print found.items()' -> List []

        [ ('Binary',   ['core_x86.bin', 'dropper_x86.bin']), 
        ('Web Page', ['gate.php']),
        ('Library',  ['IPHLPAPI.DLL', 'WININET.dll']) ]
        """
    return filelist,arrURL