def get(filename): matchesVM =[] vm_xmlfile = getPath(lib.enum.paths.VM_XML_FILE) fexecutable = open(filename,"rb") xml = XMLParser() XmlElements = xml.getElementsByTag(vm_xmlfile,'vm') buf = fexecutable.read() fexecutable.close() # elem = [text , {attr}] # XmlElements [elem..] for elem in XmlElements: match = re.findall(elem[0], buf, re.IGNORECASE | re.MULTILINE) if match: matchesVM.append(elem[1]['name']) # VMbox , VMware elif buf.find(elem[0][::-1]) > -1: # hex virtual machine tricks matchesVM.append(elem[1]['name']) # VirtualPc trick return matchesVM
def testName(self): api_list_xml_path = lib.enum.getPath(lib.enum.paths.APILIST_XML_FILE)#os.path.abspath(os.getcwd()+os.sep+'config'+ os.sep+'config-xml'+ os.sep +'apilist.xml') dir_entry_import = lib.enum.pefile_attribute.DIRECTORY_ENTRY_IMPORT apiPath = enum.getPath(lib.enum.paths.APILIST_XML_FILE) entry_import = "DIRECTORY_ENTRY_IMPORT" # self.assertEqual(api_list_xml_path,apiPath,'Successfully') # self.assertEqual(dir_entry_import,entry_import,'Successfully') print apiPath
def get(pe): packer_db = getPath(lib.enum.paths.PACKER_DB) signatures = peutils.SignatureDatabase(packer_db) matches = signatures.match_all(pe,ep_only = True) arrPacker =[] if matches: for packer in matches: if packer[0] not in arrPacker: arrPacker.append(packer[0]) return arrPacker
def get(pe): dir_entry_import = enum.pefile_attribute.DIRECTORY_ENTRY_IMPORT apiPath = enum.getPath(enum.paths.APILIST_XML_FILE) suspicious_api_found = [] xmlPar = XMLParser() apilist = xmlPar.getElementTextByTag(apiPath,'api') if hasattr(pe,dir_entry_import): for l in pe.DIRECTORY_ENTRY_IMPORT: for imp in l.imports: for alert in apilist: if alert: if str(imp.name).startswith(alert): suspicious_api_found.append(imp.name) return sorted(set(suspicious_api_found))
def get(pe): antidbgs_path = getPath(lib.enum.paths.ANTI_DEBUGGER) xml = XMLParser() antidbgs = xml.getElementTextByTag(antidbgs_path, 'function') dir_entry_import = hasattr(pe,pefile_attribute.DIRECTORY_ENTRY_IMPORT) founded_antidebugger = [] if dir_entry_import: for lib in pe.DIRECTORY_ENTRY_IMPORT: for imp in lib.imports: for antidbg in antidbgs: if antidbg: if str(imp.name).startswith(antidbg): founded_antidebugger.append(imp.name) return list(set(founded_antidebugger)) # we can use sorted(set()) ==> create list
def testName(self): xml = XMLParser() path = getPath(lib.enum.paths.APILIST_XML_FILE) print "API LIST PATH " ,path ElementAttribute = xml.getElementAttribByTag(path,'api') print 'Element Attribute ' % ElementAttribute ElementText = xml.getElementTextByTag(path, 'api') print 'Element Text ' % ElementText # create a new xml and append newxml = XMLParser() newxml.setRoot("Malware") attribute = {'id':'5'} r = newxml.getRoot() added = newxml.addSubElement(r,"Konuk","18", attribute) addedNew = newxml.addSubElement(added,"subKonuk","25",attribute) newxml.createXMLFile("mithat.xml") print 'new xml file created' tagdict = {'tag':'university','text':'GYTE','status':'Finished'} xml.append('mithat.xml', tagdict) te = xml.getElementsByTag('mithatt.xml','permission') #print te[0][0] te = xml.getElementsByTag('filetype.xml','file') for elem in te : print elem[1]
def configuration(self,suspicious_file): parser = SafeConfigParser() parser.read(enum.getPath(enum.paths.VIRUSTOTAL)) self.apiKey = parser.get('virustotal','secretKey') self.suspicious_file = suspicious_file
def get(filename): executable_file = open(filename,'rb') arrPeFile = [] # word raw arrURL = [] arrFILE = [] arrFileNames = [] # description , filename for found_str in stream.get_process(executable_file): fname = re.findall("(.+\.([a-z]{2,3}$))+", found_str, re.IGNORECASE | re.MULTILINE) if fname: word = fname[0][0] arrPeFile.append(word) for elem in sorted(set(arrPeFile)): match = re.search(enum.file_url_pattern, elem, re.IGNORECASE) if match and len(elem) > 6: arrURL.append(elem) else : arrFILE.append(elem) xml = XMLParser() file_type_path = getPath(lib.enum.paths.FILE_TYPE) file_type_list= xml.getElementsByTag(file_type_path,'file') for elem in sorted(set(arrFILE)): for file_type in file_type_list: # file_type is list [.zip,{'type':'Compressed'}] matched = re.search(file_type[0]+"$", elem, re.IGNORECASE) #file_type[0] ==> '.zip' file_type[1] ==> {'type':'compressed'} if matched: arrFileNames.append([file_type[1]['type'],elem]) """ arrFileNames -> [ ['Web Page', 'a.php'], ['Binary', 'a.bin'], ['Binary', 'a.bin'], ['Library', 'KERNEL32.DLL'], ['Library', 'xxx.dll'] ] """ filelist =[] if arrFileNames: uniq_descr = [] # uniq description ['Web Page','Binary','Movie','Audio'] [item for item in arrFileNames if item[0] not in uniq_descr and not uniq_descr.append(item[0])] found = {} match = [] for descr in uniq_descr: for elem in arrFileNames: if elem[0] == descr: match.append(elem[1]) found[descr] = match match = [] filelist = found.items() """ 'print found' -> Dictionary {} { 'Binary': ['core_x86.bin', 'dropper_x86.bin'], 'Web Page': ['gate.php'], 'Library': ['IPHLPAPI.DLL', 'WININET.dll'] } 'print found.items()' -> List [] [ ('Binary', ['core_x86.bin', 'dropper_x86.bin']), ('Web Page', ['gate.php']), ('Library', ['IPHLPAPI.DLL', 'WININET.dll']) ] """ return filelist,arrURL