def analyze_dex(self, data):
'''
start analyzing dex logic (r2p timeout = 10) for individual dex
add description to strings, get words and wordsstripped from the dex
'''
r2p = r2open(data["Location"]["File"], flags=['-2'])
r2p.cmd("e anal.timeout = 5")
r2p.cmd("aaaa;")
k = 'APK_DEX_1'
data[k] = {
"Classes": [],
"Externals": [],
"Symbols": [],
"Bigfunctions": [],
"Suspicious": [],
"_Classes": ["Type", "Name"],
"_Externals": ["Type", "Name"],
"_Symbols": ["Type", "Address", "X", "Name"],
"_Bigfunctions": ["Size", "Name"],
"_Suspicious": ["Location", "Function", "Xrefs"]
}
data[k]["Classes"] = self.get_all_classes(r2p)
data[k]["Externals"] = self.get_all_externals(r2p)
data[k]["Symbols"] = self.get_all_symbols(r2p)
data[k]["Bigfunctions"] = self.big_functions(r2p)
data[k]["Suspicious"] = self.check_sus(r2p)
get_words(data, data["Location"]["File"])
#future plan; force closing - try,except
r2p.quit()
def analyze(self, data):
'''
start analyzing pcap logic, add descriptions and get words and wordsstripped from the file
'''
data["PCAP"] = deepcopy(self.datastruct)
packets = scapy.rdpcap(data["Location"]["File"])
all, ports, ips, rarp, rdns, http, urlshttp, domains = self.read_all_packets(
packets)
data["PCAP"]["Domains"] = domains
data["PCAP"]["URLs"] = urlshttp
data["PCAP"]["ARP"] = rarp
data["PCAP"]["DNS"] = rdns
data["PCAP"]["HTTP"] = http
data["PCAP"]["ALL"] = all
data["PCAP"]["PORTS"] = ports
data["PCAP"]["IP4S"] = ips
self.waf.analyze(data["PCAP"]["HTTP"], data["PCAP"]["WAF"], "waf.json")
add_description("Ports", data["PCAP"]["ALL"], "SourcePort")
add_description("Ports", data["PCAP"]["ALL"], "DestinationPort")
add_description("Ports", data["PCAP"]["PORTS"], "Port")
add_description("DNSServers", data["PCAP"]["IP4S"], "IP")
add_description("ReservedIP", data["PCAP"]["IP4S"], "IP")
add_description("CountriesIPs", data["PCAP"]["IP4S"], "IP")
get_words(data, data["Location"]["File"])
def analyze(self, data, parsed):
'''
start analyzing exe logic, add descriptions and get words and wordsstripped from array
'''
Streams = []
Parts = []
Mixed = []
Headers = []
data["EMAIL"] = deepcopy(self.datastruct)
f = data["FilesDumps"][data["Location"]["File"]]
message = message_from_bytes(f)
Headers = self.get_headers(data["EMAIL"]["General"], message)
self.get_content(data["EMAIL"], data["Location"]["File"])
Parts = self.get_content_multi(data, message)
if self.check_attachment_and_make_dir(data, message):
Streams = self.get_attachment(data, message)
else:
pass
Mixed = Streams + Parts + Headers
if len(Mixed) > 0:
get_words_multi_filesarray(
data, Mixed) #have to be bytes < will check this later on
else:
get_words(data, data["Location"]["File"])
parsed.type = "email"
def analyze(self, data):
'''
start analyzing cod logic, get words and wordsstripped from the file
'''
with open(data["Location"]["File"], 'rb') as file:
data["COD"] = deepcopy(self.datastruct)
_temp = []
temp_f = file.read(sizeof(Header))
header = Header.from_buffer_copy(temp_f)
file.read(header.Codesize)
dataraw = file.read(header.Datasize)
_data = _Data.from_buffer_copy(dataraw)
r_offset = _data.Exportedstringoffset
rall = int((_data.Databytesoffset-_data.Exportedstringoffset)/sizeof(ResourceData))
for _ in range(rall):
temp_sig = ""
resource_data = ResourceData.from_buffer_copy(dataraw[r_offset:])
if resource_data.Size > 1:
temp_sig = "".join("{:02x}".format(x) for x in dataraw[resource_data.DataPointer:resource_data.DataPointer+10])
_temp.append({"DataPointer":resource_data.DataPointer,
"Size":resource_data.Size, "Sig":temp_sig,
"Data":(dataraw[resource_data.DataPointer:resource_data.DataPointer+resource_data.Size]).decode("utf-8", "ignore")})
#print(dataraw[resource_data.Dataptr:resource_data.Dataptr+resource_data.Size])
r_offset = r_offset + sizeof(ResourceData)
for temp_x, temp_y in header._fields_:
if isinstance(getattr(header, temp_x), int):
data["COD"]["Header"].update({temp_x:hex(getattr(header, temp_x))})
for temp_x, temp_y in _data._fields_:
if isinstance(getattr(_data, temp_x), int):
data["COD"]["Data"].update({temp_x:hex(getattr(_data, temp_x))})
data["COD"]["Resources"] = _temp
file.seek(0)
data["COD"]["Symbols"] = self.get_functions_old(file.read())
get_words(data, data["Location"]["File"])
def analyze(self,data):
'''
start analyzing exe logic, add descriptions and get words and wordsstripped from the file
'''
data["PE"] = deepcopy(self.datastruct)
data["ICONS"] = {"ICONS":[]}
pe = PE(data["Location"]["File"])
ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint
section = self.find_entry_point_function(pe,ep)
sig = section.get_data(ep, 12)
singinhex = "".join("{:02x}".format(x) for x in sig)
data["PE"]["General"] = { "PE Type" : self.what_type(pe),
"Entrypoint": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
"Entrypoint Section":section.Name.decode("utf-8",errors="ignore").strip("\00"),
"Header checksum": hex(pe.OPTIONAL_HEADER.CheckSum),
"Verify checksum": hex(pe.generate_checksum()),
"Match checksum":pe.verify_checksum(),
"Sig":singinhex,
"imphash":pe.get_imphash(),
"warning":pe.get_warnings() if len(pe.get_warnings())> 0 else "None",
"Timestamp":datetime.fromtimestamp(pe.FILE_HEADER.TimeDateStamp).strftime('%Y-%m-%d %H:%M:%S')}
data["PE"]["Characteristics"] = self.get_characteristics(pe)
data["PE"]["Singed"],data["PE"]["SignatureExtracted"] = self.check_if_singed(pe)
data["PE"]["Stringfileinfo"] = self.get_string_file_info(pe)
data["PE"]["Sections"] = self.get_sections(pe)
data["PE"]["Dlls"] = self.get_dlls(pe)
data["PE"]["Resources"],data["PE"]["Manifest"],data["ICONS"]["ICONS"] = self.get_recourse(pe)
data["PE"]["Imported functions"] = self.get_imported_functions(pe)
data["PE"]["Exported functions"] = self.get_exported_functions(pe)
add_description("WinApis",data["PE"]["Imported functions"],"Function")
add_description("ManHelp",data["PE"]["Imported functions"],"Function")
add_description("WinDlls",data["PE"]["Dlls"],"Dll")
add_description("WinSections",data["PE"]["Sections"],"Section")
add_description("WinResources",data["PE"]["Resources"],"Resource")
get_words(data,data["Location"]["File"])
def analyze_dex(self, data):
'''
start analyzing dex logic (r2p timeout = 10) for individual dex
add description to strings, get words and wordsstripped from the dex
'''
r2p = r2open(data["Location"]["File"], flags=['-2'])
r2p.cmd("e anal.timeout = 5")
r2p.cmd("aaaa;")
self.dex_wrapper(data, r2p, 'APK_DEX_1')
get_words(data, data["Location"]["File"])
r2p.quit()
def check_sig(self, data):
'''
start unknown files logic, this file is not detected by otehr modules
if file is archive, then unpack and get words, wordsstripped otherwise
get words, wordsstripped from the file only
'''
if data["Details"]["Properties"]["mime"] == "application/java-archive" or \
data["Details"]["Properties"]["mime"] == "application/zip" or \
data["Details"]["Properties"]["mime"] == "application/zlib":
unpack_file(data, data["Location"]["File"])
get_words_multi_files(data, data["Packed"]["Files"])
else:
get_words(data, data["Location"]["File"])
def analyze(self, data):
'''
start analyzing pdf logic, get pdf objects,
get words and wordsstripped from buffers if streams exist
otherwise get words and wordsstripped from file
'''
_Streams = []
data["PDF"] = deepcopy(self.datastruct)
f = data["FilesDumps"][data["Location"]["File"]]
objlen, objs = self.get_object(f)
strlen, strs, _Streams = self.get_stream(f)
jslen, jslist = self.get_js(f)
jalen, jaslist = self.get_javascript(f)
oalen, oalist = self.get_openaction(f)
llen, llist = self.get_lunch(f)
ulen, ulist = self.get_uri(f)
alen, alist = self.get_action(f)
gtrlen, gtrlist = self.get_gotor(f)
rmlen, rmlist = self.get_richmedia(f)
aalen, aalist = self.get_aa(f)
data["PDF"]["Count"] = {
"Object": objlen,
"Stream": strlen,
"JS": jslen,
"Javascript": jalen,
"OpenAction": oalen,
"Launch": llen,
"URI": ulen,
"Action": alen,
"GoTo": gtrlen,
"RichMedia": rmlen,
"AA": aalen
}
data["PDF"]["Object"] = objs
data["PDF"]["JS"] = jslist
data["PDF"]["Javascript"] = jaslist
data["PDF"]["OpenAction"] = oalist
data["PDF"]["Launch"] = llist
data["PDF"]["URI"] = ulist
data["PDF"]["Action"] = alist
data["PDF"]["GoTo"] = gtrlist
data["PDF"]["RichMedia"] = rmlist
data["PDF"]["AA"] = aalist
data["PDF"]["Stream"] = strs
if len(_Streams) > 0:
get_words_multi_filesarray(data, _Streams)
else:
get_words(data, _Streams)
def analyze(self, data):
'''
start analyzing ole logic
'''
data["OLE"] = self.datastruct
f = data["FilesDumps"][data["Location"]["File"]]
self.get_general(data["OLE"]["General"], f)
data["OLE"]["Objects"], objects = self.get_streams(f)
data["OLE"]["Macro"] = self.extract_macros(data["Location"]["File"])
#data["OLE"]["Objects"],objects = self.get_objects(data,f)
if len(objects) > 0:
get_words_multi_filesarray(data, objects)
else:
get_words(data, data["Location"]["File"])
def analyze(self, data):
'''
start analyzing exe logic, add descriptions and get words and wordsstripped from array
'''
data["HTML"] = deepcopy(self.datastruct)
temp_f = data["FilesDumps"][data["Location"]["File"]].lower()
soup = BeautifulSoup(temp_f, 'html.parser')
self.get_all_hrefs(data["HTML"]["hrefs"], soup)
self.get_all_srcs(data["HTML"]["srcs"], soup)
self.get_a(data["HTML"]["A"], soup)
self.get_scripts(data["HTML"]["Scripts"], soup)
self.get_iframes(data["HTML"]["Iframes"], soup)
self.get_links(data["HTML"]["Links"], soup)
self.get_forms(data["HTML"]["Forms"], soup)
get_words(data, data["Location"]["File"])
def analyze_macho(self, data):
'''
start analyzing macho logic, add descriptions and get words and wordsstripped from the file
'''
macho = MachO.MachO(data["Location"]["File"])
data["MACHO"] = deepcopy(self.datastruct)
fbuffer = data["FilesDumps"][data["Location"]["File"]]
data["MACHO"]["General"]: {}
data["MACHO"]["Sections"] = self.get_sections(macho, fbuffer)
data["MACHO"]["Libraries"] = self.get_libs(macho)
data["MACHO"]["Symbols"] = self.get_symbols(macho)
data["MACHO"]["Undefined Symbols"] = self.get_undef_symbols(macho)
data["MACHO"]["External Symbols"] = self.get_extdef_symbols(macho)
data["MACHO"]["Local Symbols"] = self.get_local_symbols(macho)
add_description("ManHelp", data["MACHO"]["Symbols"], "Symbol")
get_words(data, data["Location"]["File"])
def analyze(self, data):
'''
start analyzing elf logic, add description to strings and get words and wordsstripped from the file
'''
with open(data["Location"]["File"], 'rb') as file_1, open(data["Location"]["File"], 'rb') as file_2:
data["ELF"] = deepcopy(self.datastruct)
elf = ELFFile(file_1)
data["ELF"]["General"] = {"ELF Type" :elf.header.e_type,
"ELF Machine" :elf.header.e_machine,
"Entropy":get_entropy(file_2.read()),
"Entrypoint":hex(elf.header.e_entry),
"Interpreter":self.get_iter(elf)}
data["ELF"]["Sections"] = self.get_section(elf)
data["ELF"]["Dynamic"] = self.get_dynamic(elf)
data["ELF"]["Symbols"] = self.get_symbols(elf)
data["ELF"]["Relocations"] = self.get_relocations(elf)
add_description("ManHelp", data["ELF"]["Symbols"], "Symbol")
add_description("LinuxSections", data["ELF"]["Sections"], "Section")
get_words(data, data["Location"]["File"])
def analyze(self, data, parsed):
'''
start analyzing exe logic, add descriptions and get words and wordsstripped from array (need to implement from extract_msg.dev_classes import Message)
'''
streams = []
parts = []
mixed = []
headers = []
data["MSG"] = deepcopy(self.datastruct)
message = Message(data["Location"]["File"])
headers = self.get_headers(data["MSG"]["General"], message)
self.get_content(data["MSG"], message)
if self.check_attachment_and_make_dir(data, message):
streams = self.get_attachment(data, message)
else:
pass
mixed = streams + parts + headers
if len(mixed) > 0:
get_words_multi_filesarray(
data, mixed) # have to be bytes < will check this later on
else:
get_words(data, data["Location"]["File"])
parsed.type = "msg"
def analyze(self, data):
'''
start analyzing exe logic, add descriptions and get words and wordsstripped from the file
'''
data["PE"] = deepcopy(self.datastruct)
data["ICONS"] = {"ICONS": []}
pe_info = PE(data["Location"]["File"])
ep_info = pe_info.OPTIONAL_HEADER.AddressOfEntryPoint
section = self.find_entry_point_function(pe_info, ep_info)
singinhex = "UnKnown"
en_section_name = "UnKnown"
sig_instructions = "UnKnown"
with ignore_excpetion(Exception):
sig = section.get_data(ep_info, 52)
singinhex = "".join("{:02x}".format(x) for x in sig)
r2p = r2open("-", flags=['-2'])
r2p.cmd("e anal.timeout = 5")
temp_sig_instructions = r2p.cmd(
"pad {}".format(singinhex)).split("\n")[:8]
sig_instructions = "\n".join(temp_sig_instructions)
with ignore_excpetion(Exception):
en_section_name = section.Name.decode("utf-8",
errors="ignore").strip("\00")
data["PE"]["General"] = {
"PE Type":
self.what_type(pe_info),
"Entrypoint":
pe_info.OPTIONAL_HEADER.AddressOfEntryPoint,
"Entrypoint Section":
en_section_name,
"Header checksum":
hex(pe_info.OPTIONAL_HEADER.CheckSum),
"Verify checksum":
hex(pe_info.generate_checksum()),
"Match checksum":
pe_info.verify_checksum(),
"Sig":
singinhex,
"imphash":
pe_info.get_imphash(),
"warning":
pe_info.get_warnings()
if len(pe_info.get_warnings()) > 0 else "None",
"Timestamp":
datetime.fromtimestamp(pe_info.FILE_HEADER.TimeDateStamp).strftime(
'%Y-%m-%d %H:%M:%S')
}
data["PE"]["Characteristics"] = self.get_characteristics(pe_info)
data["PE"]["Singed"], data["PE"][
"SignatureExtracted"] = self.check_if_singed(pe_info)
data["PE"]["Stringfileinfo"] = self.get_string_file_info(pe_info)
data["PE"]["Sections"] = self.get_sections(pe_info)
data["PE"]["Dlls"] = self.get_dlls(pe_info)
data["PE"]["Resources"], data["PE"]["Manifest"], data["ICONS"][
"ICONS"] = self.get_recourse(pe_info)
data["PE"]["Imported functions"] = self.get_imported_functions(pe_info)
data["PE"]["Exported functions"] = self.get_exported_functions(pe_info)
data["PE"]["Entrypoint"] = sig_instructions
add_description("WinApis", data["PE"]["Imported functions"],
"Function")
add_description("ManHelp", data["PE"]["Imported functions"],
"Function")
add_description("WinDlls", data["PE"]["Dlls"], "Dll")
add_description("WinSections", data["PE"]["Sections"], "Section")
add_description("WinResources", data["PE"]["Resources"], "Resource")
get_words(data, data["Location"]["File"])
