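    def _malwarebazaar(self, sha256_digest, cache=True):
        """Return the MalwareBazaar report for *sha256_digest*.

        The report is cached in the file document under the ``malwarebazaar``
        key and is only fetched from MalwareBazaar when that key is missing
        or when ``cache`` is False.

        Args:
            sha256_digest: SHA-256 hex digest of the sample to look up.
            cache: when False, always re-query MalwareBazaar and overwrite
                the cached report.

        Returns:
            The decoded JSON report stored in the file document.

        Raises:
            error.InterfaceWarning: the request failed, the reply was not
                JSON, the hash is unknown to MalwareBazaar, or the service
                reported a ``query_status`` other than ``ok``.
            error.MongoError: the report could not be written back to the
                file document.
        """
        params = {'query': 'get_info', 'hash': sha256_digest}

        document = db.file_collection.select(sha256_digest)
        # `select` can return a falsy document (the post-update check below
        # relies on that); treat it as a cache miss instead of letting `in`
        # raise TypeError on None.
        if not document or 'malwarebazaar' not in document or not cache:
            try:
                response = requests.post(API_ENDPOINT,
                                         data=params,
                                         headers=HEADERS,
                                         proxies=PROXIES,
                                         timeout=10)
            except Exception as exc:
                raise error.InterfaceWarning(
                    'failed to connect to MalwareBazaar') from exc
            # A reply without a Content-Type header must not crash the check.
            content_type = response.headers.get('content-type', '')
            if 'application/json' not in content_type:
                raise error.InterfaceWarning(
                    'invalid response received from MalwareBazaar')
            # The header can claim JSON while the body is not; decode once
            # and report a malformed body the same way as a wrong header.
            try:
                report = response.json()
            except ValueError as exc:
                raise error.InterfaceWarning(
                    'invalid response received from MalwareBazaar') from exc
            db.file_collection.update(sha256_digest, {'malwarebazaar': report})
            document = db.file_collection.select(sha256_digest)
            if not document or 'malwarebazaar' not in document:
                raise error.MongoError(
                    'error adding malwarebazaar into file document %s' %
                    sha256_digest)

        query_status = str(document['malwarebazaar']['query_status'])
        if query_status == 'hash_not_found':
            raise error.InterfaceWarning('File not present in MalwareBazaar')
        if query_status != 'ok':
            raise error.InterfaceWarning('An unexpected error occured')

        return document['malwarebazaar']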
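    def _vt_scan(self, sha256_digest, cache=True):
        """Return the VirusTotal v2 ``file/report`` record for *sha256_digest*.

        The record is cached in the file document under the ``vt`` key and
        is only fetched from VirusTotal when that key is missing or when
        ``cache`` is False.

        Args:
            sha256_digest: SHA-256 hex digest of the sample to look up.
            cache: when False, always re-query VirusTotal and overwrite the
                cached record.

        Returns:
            The decoded JSON record stored in the file document.

        Raises:
            error.InterfaceWarning: the request failed, the reply was not
                JSON or lacked ``response_code``, the file is unknown to
                VirusTotal, or a private key is configured but the cached
                record only holds public-API fields.
            error.MongoError: the record could not be written back to the
                file document.
        """
        params = {
            'apikey': API_KEY,
            'resource': sha256_digest,
            'allinfo': 1
        }

        document = db.file_collection.select(sha256_digest)
        # `select` can return a falsy document (the post-update check below
        # relies on that); treat it as a cache miss instead of letting `in`
        # raise TypeError on None.
        if not document or 'vt' not in document or not cache:
            try:
                # NOTE: the v2 API takes the key as a query parameter, so it
                # travels in the request URL through PROXIES.
                response = requests.get('https://www.virustotal.com/vtapi/v2/file/report',
                                        params=params,
                                        headers=HEADERS,
                                        proxies=PROXIES,
                                        timeout=10)
            except Exception as exc:
                raise error.InterfaceWarning("failed to connect to VirusTotal") from exc
            # A reply without a Content-Type header must not crash the check.
            if 'application/json' not in response.headers.get('content-type', ''):
                raise error.InterfaceWarning("invalid response received from VirusTotal")
            # Decode the body once; a header that claims JSON over a
            # non-JSON body is reported like a wrong header.
            try:
                report = response.json()
            except ValueError as exc:
                raise error.InterfaceWarning("invalid response received from VirusTotal") from exc
            if 'response_code' not in report:
                raise error.InterfaceWarning("unknown response from VirusTotal")
            db.file_collection.update(sha256_digest, {'vt': report})
            document = db.file_collection.select(sha256_digest)
            if not document or 'vt' not in document:
                raise error.MongoError('error adding vt into file document %s' % sha256_digest)
        # `is 0` compared object identity, which is not guaranteed for ints
        # (and is a SyntaxWarning on recent Pythons); compare by value.
        if document['vt']["response_code"] == 0:
            raise error.InterfaceWarning("file is not present on VirusTotal")

        # Check if we had public key but now its private, if so warn that cache is out of date
        # NOTE: we just check for missing info variable
        if IS_PRIVATE and 'first_seen' not in document['vt']:
            raise error.InterfaceWarning("private key specified but no private api data in cache, please flush vt cache for sample")

        return document['vt']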
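def test_mongo_error():
    """
    Test the class MongoError: the message is kept, the status code is 500
    and no payload is attached by default.
    """
    err = error.MongoError('hello')
    assert 'hello' in err.message
    assert err.status_code == 500
    assert err.payload is None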
 def ssdeep(self, args, file, opts):
     """Return the ssdeep fuzzy hash of *file*, computing and caching it on first use.

     The hash is stored in the file document under ``ssdeep``; ``args`` and
     ``opts`` are part of the command interface and are not used here.

     Returns:
         ``{'ssdeep': <fuzzy hash string>}``.

     Raises:
         error.MongoError: the computed hash could not be stored.
     """
     sha256 = file.sha256_digest
     document = db.file_collection.select(sha256)
     if 'ssdeep' in document:
         return {'ssdeep': document['ssdeep']}

     # Cache miss: hash the sample on disk and persist the result.
     fuzzy_hash = pydeep.hash_file(file.file_path).decode("utf-8")
     if not db.file_collection.update(sha256, {'ssdeep': fuzzy_hash}):
         raise error.MongoError(
             'error adding ssdeep hash into file document %s' % sha256)
     document = db.file_collection.select(sha256)
     return {'ssdeep': document['ssdeep']}
    def sha1_digest(self, args, file, opts):
        """Return the SHA-1 hex digest of *file*, computing and caching it on first use.

        The digest is stored in the file document under ``sha1_digest``;
        ``args`` and ``opts`` are part of the command interface and are not
        used here.

        Returns:
            ``{'sha1_digest': <hex digest>}``.

        Raises:
            error.MongoError: the computed digest could not be stored.
        """
        sha256 = file.sha256_digest
        document = db.file_collection.select(sha256)
        if 'sha1_digest' in document:
            return {'sha1_digest': document['sha1_digest']}

        # Cache miss: stream the sample through SHA-1 in 4 KiB blocks so
        # large files are never read into memory at once.
        hasher = hashlib.sha1()
        with open(file.file_path, "rb") as handle:
            while True:
                block = handle.read(4096)
                if not block:
                    break
                hasher.update(block)
        hex_digest = hasher.hexdigest()

        if not db.file_collection.update(sha256, {'sha1_digest': hex_digest}):
            raise error.MongoError(
                'error adding sha1_digest into file document %s' % sha256)
        document = db.file_collection.select(sha256)

        return {'sha1_digest': document['sha1_digest']}
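    def imageinfo(self, args, file, opts):
        """Run Volatility ``imageinfo`` on *file* and return its raw output.

        As a side effect, when a profile name can be parsed from the first
        line of the output it is stored in the file document under
        ``profile``. ``args`` and ``opts`` are part of the command interface
        and are not used here.

        Returns:
            ``{'imageinfo': <decoded stdout>}``.

        Raises:
            error.CommandError: volatility exited non-zero; the message is
                its decoded stderr.
            error.MongoError: a parsed profile could not be stored.
        """
        # Argument list (no shell) so the sample path is passed verbatim.
        proc = subprocess.run([self.vol, '-f', file.file_path, 'imageinfo'],
                              stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE)
        if proc.returncode != 0:
            # Decode so the exception carries text, not a bytes repr, like
            # the messages raised by the sibling commands.
            raise error.CommandError(
                str(proc.stderr, encoding="utf-8", errors="replace"))
        output = str(proc.stdout, encoding="utf-8")

        # Best-effort profile extraction: the first line is assumed to look
        # like "Suggested Profile(s) : <profile>, <profile>, ..." — verify
        # against the volatility version in use. Output that does not fit
        # is ignored; only IndexError is swallowed so that a storage failure
        # below still surfaces (the previous blanket except hid MongoError).
        try:
            prof = output.split('\n')[0].split(':')[1]
        except IndexError:
            prof = None
        if prof is not None and 'suggestion' not in prof:
            if ',' in prof:
                prof = prof.split(',')[0]
            data = {'profile': prof.strip()}
            if not db.file_collection.update(file.sha256_digest, data):
                raise error.MongoError(
                    'Error adding profile into file document %s' %
                    file.sha256_digest)

        return {'imageinfo': output}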