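    def delete_tag(self, tag_name, sha256):
        """Detach tag *tag_name* from the sample identified by *sha256*.

        The Tag row itself is dropped afterwards when no sample carries it
        any more. Problems are reported through print_error/print_warning
        rather than raised; the session is always closed.

        Args:
            tag_name: tag text as stored in Tag.tag.
            sha256: SHA-256 hex digest of the sample (Malware.sha256).
        """
        session = self.Session()

        try:
            malware_entry = session.query(Malware).filter(Malware.sha256 == sha256).first()
            tag = session.query(Tag).filter(Tag.tag == tag_name).first()

            # Bail out early instead of letting session.delete(None) fail later.
            if tag is None:
                print_error("Tag {0} does not exist".format(tag_name))
                return

            # First remove the tag from the sample. The relationship collection
            # raises ValueError when the sample does not carry this tag; only
            # that case is a "not tagged" condition, DB errors go to the outer
            # handler instead of being swallowed by a bare except.
            if malware_entry is None:
                print_error("Tag {0} does not exist for this sample".format(tag_name))
            else:
                try:
                    malware_entry.tag.remove(tag)
                except ValueError:
                    print_error("Tag {0} does not exist for this sample".format(tag_name))
                else:
                    session.commit()

            # If tag has no entries drop it
            if not self.find("tag", tag_name):
                session.delete(tag)
                session.commit()
                print_warning("Tag {0} has no additional entries dropping from Database".format(tag_name))
        except SQLAlchemyError as e:
            print_error("Unable to delete tag: {0}".format(e))
            session.rollback()
        finally:
            session.close()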
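def load_modules():
    """Discover every Module subclass shipped in the viper.modules package.

    Returns:
        dict mapping each module's ``cmd`` to a dict with keys ``obj`` (the
        class), ``description``, ``parser_args`` and ``subparser_args``.
        Modules that fail to import are reported with print_warning and
        skipped.
    """
    # Import modules package.
    import viper.modules as modules

    plugins = dict()

    # Walk recursively through all modules and packages.
    for _loader, module_name, ispkg in pkgutil.walk_packages(modules.__path__, modules.__name__ + '.'):
        # Packages only group modules; the classes live in the leaf modules.
        if ispkg:
            continue
        # Try to import the module, otherwise skip.
        try:
            module = importlib.import_module(module_name)
        except ImportError as e:
            print_warning("Something wrong happened while importing the module {0}: {1}".format(module_name, e))
            continue

        # Walk through all members of currently imported modules.
        for _member_name, member_object in inspect.getmembers(module):
            if not inspect.isclass(member_object):
                continue
            # Only concrete Module subclasses are plugins; skip the base class.
            if not issubclass(member_object, Module) or member_object is Module:
                continue
            # Instantiate once: the parser is read twice from the same object
            # instead of building two throwaway instances.
            parser = member_object().parser
            plugins[member_object.cmd] = dict(obj=member_object,
                                              description=member_object.description,
                                              parser_args=get_argparse_parser_actions(parser),
                                              subparser_args=get_argparse_subparser_actions(parser))

    return plugins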
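    def delete_tag(self, tag_name, sha256):
        """Detach tag *tag_name* from the sample identified by *sha256*.

        The Tag row itself is dropped afterwards when no sample carries it
        any more. Problems are reported through print_error/print_warning
        rather than raised; the session is always closed.

        Args:
            tag_name: tag text as stored in Tag.tag.
            sha256: SHA-256 hex digest of the sample (Malware.sha256).
        """
        session = self.Session()

        try:
            malware_entry = session.query(Malware).filter(
                Malware.sha256 == sha256).first()
            tag = session.query(Tag).filter(Tag.tag == tag_name).first()

            # Bail out early instead of letting session.delete(None) fail later.
            if tag is None:
                print_error("Tag {0} does not exist".format(tag_name))
                return

            # First remove the tag from the sample. The relationship collection
            # raises ValueError when the sample does not carry this tag; only
            # that case is a "not tagged" condition, DB errors go to the outer
            # handler instead of being swallowed by a bare except.
            if malware_entry is None:
                print_error(
                    "Tag {0} does not exist for this sample".format(tag_name))
            else:
                try:
                    malware_entry.tag.remove(tag)
                except ValueError:
                    print_error(
                        "Tag {0} does not exist for this sample".format(tag_name))
                else:
                    session.commit()

            # If tag has no entries drop it
            if not self.find('tag', tag_name):
                session.delete(tag)
                session.commit()
                print_warning(
                    "Tag {0} has no additional entries dropping from Database".
                    format(tag_name))
        except SQLAlchemyError as e:
            print_error("Unable to delete tag: {0}".format(e))
            session.rollback()
        finally:
            session.close()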
def load_commands():
    """Collect every Command subclass found under viper.core.ui.cmd.

    Returns a dict keyed by each command's ``cmd`` name, holding the bound
    ``run`` callable of a fresh instance, its ``description``, the argparse
    actions of its parser and its ``fs_path_completion`` attribute.
    Commands whose module fails to import are reported with print_warning
    and skipped.
    """
    # Import modules package.
    import viper.core.ui.cmd as cmd

    found = dict()
    prefix = cmd.__name__ + '.'

    # Walk recursively through all cmd and packages.
    for _loader, cmd_name, ispkg in pkgutil.walk_packages(cmd.__path__, prefix):
        # Packages only group commands; nothing to register for them.
        if ispkg:
            continue

        # Try to import the command, otherwise skip.
        try:
            cmd_module = importlib.import_module(cmd_name)
        except ImportError as e:
            print_warning("Something wrong happened while importing the command {0}: {1}".format(cmd_name, e))
            continue

        # Register every concrete Command subclass defined in the module.
        for _name, candidate in inspect.getmembers(cmd_module):
            if not inspect.isclass(candidate):
                continue
            if candidate is Command or not issubclass(candidate, Command):
                continue
            instance = candidate()
            found[candidate.cmd] = dict(obj=instance.run,
                                        description=instance.description,
                                        parser_args=get_argparse_parser_actions(instance.parser),
                                        fs_path_completion=instance.fs_path_completion)

    return found
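def load_modules():
    """Discover Module subclasses from the user's ``$HOME/.viper/modules`` package.

    ``$HOME/.viper`` is prepended to sys.path so a ``modules`` package placed
    there becomes importable; note that this executes whatever Python code
    lives in that directory.

    Returns:
        An empty dict when no such package exists, otherwise a dict mapping
        each module's ``cmd`` to its class, description, categories and
        argparse metadata. Modules that fail to import are reported with
        print_warning and skipped.
    """
    # Add $HOME/.viper/ as a Python path. Guarded so that calling this more
    # than once does not keep prepending duplicate entries.
    viper_home = os.path.join(expanduser("~"), ".viper")
    if viper_home not in sys.path:
        sys.path.insert(0, viper_home)

    try:
        import modules
    except ImportError:
        return dict()

    plugins = dict()
    # Walk recursively through all modules and packages.
    for _loader, module_name, ispkg in pkgutil.walk_packages(modules.__path__, modules.__name__ + '.'):
        # Packages only group modules; the classes live in the leaf modules.
        if ispkg:
            continue
        # Try to import the module, otherwise skip.
        try:
            module = importlib.import_module(module_name)
        except ImportError as e:
            print_warning("Something wrong happened while importing the module {0}: {1}".format(module_name, e))
            continue

        # Walk through all members of currently imported modules.
        for _member_name, member_object in inspect.getmembers(module):
            if not inspect.isclass(member_object):
                continue
            # Only concrete Module subclasses are plugins; skip the base class.
            if not issubclass(member_object, Module) or member_object is Module:
                continue
            # Instantiate once: the parser is read twice from the same object
            # instead of building two throwaway instances.
            parser = member_object().parser
            plugins[member_object.cmd] = dict(obj=member_object,
                                              description=member_object.description,
                                              categories=getattr(member_object, "categories", []),
                                              parser_args=get_argparse_parser_actions(parser),
                                              subparser_args=get_argparse_subparser_actions(parser))

    return plugins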
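def store_sample(file_object):
    """Write *file_object*'s bytes into the project's binaries store.

    The file lands at <project>/binaries/<h0>/<h1>/<h2>/<h3>/<sha256>, fanned
    out by the first four characters of its SHA-256 hex digest.

    Args:
        file_object: object exposing ``sha256`` (hex digest string) and
            ``get_chunks()`` (iterable of byte chunks).

    Returns:
        The stored path, or None when there is no hash, the hash is not a
        64-character hex string, or a file with that hash already exists.
    """
    import errno

    sha256 = file_object.sha256

    if not sha256:
        print_error("No hash")
        return None

    # The digest is spliced into the path, so refuse anything that is not a
    # plain hex digest (keeps separators or '..' out of the path components).
    if len(sha256) != 64 or any(c not in "0123456789abcdefABCDEF" for c in sha256):
        print_error("Invalid hash: {0}".format(sha256))
        return None

    folder = os.path.join(
        __project__.get_path(),
        'binaries',
        sha256[0],
        sha256[1],
        sha256[2],
        sha256[3]
    )

    # Create the fan-out directory; tolerate a concurrent creator instead of
    # racing an exists() check against makedirs().
    try:
        os.makedirs(folder, 0o750)
    except OSError as e:
        if e.errno != errno.EEXIST:
            raise

    file_path = os.path.join(folder, sha256)

    # O_EXCL makes "does not exist" and "create" one atomic step, so two
    # concurrent stores of the same hash cannot both write the file.
    # 0o666 mirrors what open(..., 'wb') would use (umask still applies).
    try:
        fd = os.open(file_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    except OSError as e:
        if e.errno == errno.EEXIST:
            print_warning("File exists already")
            return None
        raise

    with os.fdopen(fd, 'wb') as stored:
        for chunk in file_object.get_chunks():
            stored.write(chunk)

    return file_path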
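def load_modules():
    """Discover every Module subclass in the top-level ``modules`` package.

    Returns:
        dict mapping each module's ``cmd`` to a dict with keys ``obj`` (the
        class) and ``description``. Modules that fail to import are reported
        with print_warning and skipped.
    """
    # Import modules package.
    import modules

    plugins = dict()

    # Walk recursively through all modules and packages.
    for _loader, module_name, ispkg in pkgutil.walk_packages(
            modules.__path__, modules.__name__ + '.'):
        # Packages only group modules; the classes live in the leaf modules.
        if ispkg:
            continue

        # Try to import the module, otherwise skip. The non-empty fromlist
        # makes __import__ return the leaf module rather than the top package.
        # No explicit level: -1 was the Python 2 default but is rejected by
        # Python 3, while omitting it behaves the same on both.
        try:
            module = __import__(module_name, globals(), locals(), ['dummy'])
        except ImportError as e:
            print_warning(
                "Something wrong happened while importing the module {0}: {1}".
                format(module_name, e))
            continue

        # Walk through all members of currently imported modules.
        for _member_name, member_object in inspect.getmembers(module):
            if not inspect.isclass(member_object):
                continue
            # Only concrete Module subclasses are plugins; skip the base class.
            if not issubclass(member_object, Module) or member_object is Module:
                continue
            plugins[member_object.cmd] = dict(
                obj=member_object,
                description=member_object.description)

    return plugins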
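def store_sample(file_object):
    """Write *file_object*'s bytes into the project's binaries store.

    The file lands at <project>/binaries/<h0>/<h1>/<h2>/<h3>/<sha256>, fanned
    out by the first four characters of its SHA-256 hex digest.

    Args:
        file_object: object exposing ``sha256`` (hex digest string) and
            ``get_chunks()`` (iterable of byte chunks).

    Returns:
        The stored path, or None when there is no hash, the hash is not a
        64-character hex string, or a file with that hash already exists.
    """
    import errno

    sha256 = file_object.sha256

    if not sha256:
        print_error("No hash")
        return None

    # The digest is spliced into the path, so refuse anything that is not a
    # plain hex digest (keeps separators or '..' out of the path components).
    if len(sha256) != 64 or any(c not in "0123456789abcdefABCDEF" for c in sha256):
        print_error("Invalid hash: {0}".format(sha256))
        return None

    folder = os.path.join(
        __project__.get_path(),
        'binaries',
        sha256[0],
        sha256[1],
        sha256[2],
        sha256[3]
    )

    # Create the fan-out directory; tolerate a concurrent creator instead of
    # racing an exists() check against makedirs().
    try:
        os.makedirs(folder, 0o750)
    except OSError as e:
        if e.errno != errno.EEXIST:
            raise

    file_path = os.path.join(folder, sha256)

    # O_EXCL makes "does not exist" and "create" one atomic step, so two
    # concurrent stores of the same hash cannot both write the file.
    # 0o666 mirrors what open(..., 'wb') would use (umask still applies).
    try:
        fd = os.open(file_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    except OSError as e:
        if e.errno == errno.EEXIST:
            print_warning("File exists already")
            return None
        raise

    with os.fdopen(fd, 'wb') as stored:
        for chunk in file_object.get_chunks():
            stored.write(chunk)

    return file_path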
def load_commands():
    """Collect every Command subclass found under viper.core.ui.cmd.

    Returns a dict keyed by each command's ``cmd`` name, holding the bound
    ``run`` callable of a fresh instance, its ``description``, the argparse
    actions of its parser and its ``fs_path_completion`` attribute.
    Commands whose module fails to import are reported with print_warning
    and skipped.
    """
    # Import modules package.
    import viper.core.ui.cmd as cmd

    found = dict()
    prefix = cmd.__name__ + '.'

    # Walk recursively through all cmd and packages.
    for _loader, cmd_name, ispkg in pkgutil.walk_packages(cmd.__path__, prefix):
        # Packages only group commands; nothing to register for them.
        if ispkg:
            continue

        # Try to import the command, otherwise skip.
        try:
            cmd_module = importlib.import_module(cmd_name)
        except ImportError as e:
            print_warning("Something wrong happened while importing the command {0}: {1}".format(cmd_name, e))
            continue

        # Register every concrete Command subclass defined in the module.
        for _name, candidate in inspect.getmembers(cmd_module):
            if not inspect.isclass(candidate):
                continue
            if candidate is Command or not issubclass(candidate, Command):
                continue
            instance = candidate()
            found[candidate.cmd] = dict(obj=instance.run,
                                        description=instance.description,
                                        parser_args=get_argparse_parser_actions(instance.parser),
                                        fs_path_completion=instance.fs_path_completion)

    return found
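def check_and_deploy_yara_rules():
    """Yara: check whether rule path exist - if not copy default set of rules to directory.

    The project's ``yara`` directory is used as-is when present. Otherwise
    the default rule set is copied from the first candidate location that
    exists, in priority order; if none exists an error is printed and
    nothing is deployed. Errors from shutil.copytree propagate to the caller.
    """
    yara_rules_path = os.path.join(__project__.base_path, "yara")
    if os.path.exists(yara_rules_path):
        print_info("Using Yara rules from directory: {}".format(yara_rules_path))
        return

    # Candidate sources for the default rules, highest priority first:
    #   1. rules shipped with the distribution (Viper installed with pip)
    #   2. rules from a repository checkout
    candidates = (
        os.path.join(VIPER_ROOT, DIST_DIR_YARA_RULES),
        os.path.join(VIPER_ROOT, "data", "yara"),
    )

    for source in candidates:
        if os.path.exists(source):
            print_warning("Yara rule directory not found - copying default "
                          "rules ({}) to: {}".format(source, yara_rules_path))
            shutil.copytree(source, yara_rules_path)
            return

    print_error("No default Yara rules found")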
def config(data):
    """Decode an XtremeRAT configuration blob and parse it by version.

    The embedded config is located with extract_config(), RC4-decrypted
    with the fixed NUL-padded "CONFIG" key, and then routed to the parser
    for the version whose decrypted length matches.

    Returns:
        The parsed config, or None for the unsupported 1.3.x layout or an
        unrecognised length (a message is printed in both cases).
    """
    key = 'C\x00O\x00N\x00F\x00I\x00G'

    config_raw = rc4crypt(extract_config(data), key)
    size = len(config_raw)

    # 1.3.x - Not implemented yet.
    if size == 0xe10:
        print_warning("Detected XtremeRAT 1.3.x, not supported yet")
        return None

    # Version parsers keyed by decrypted config length:
    #   2.9.x (two known sizes, not a stable extract), 3.1 & 3.2, 3.5
    parsers = {
        0x1390: v29,
        0x1392: v29,
        0x5cc: v32,
        0x7f0: v35,
    }

    parser = parsers.get(size)
    if parser is None:
        print_error("No known XtremeRAT version detected")
        return None

    return parser(config_raw)
def config(data):
    """Decode an XtremeRAT configuration blob and parse it by version.

    The embedded config is located with extract_config(), RC4-decrypted
    with the fixed NUL-padded "CONFIG" key, and then routed to the parser
    for the version whose decrypted length matches.

    Returns:
        The parsed config, or None for the unsupported 1.3.x layout or an
        unrecognised length (a message is printed in both cases).
    """
    key = 'C\x00O\x00N\x00F\x00I\x00G'

    config_raw = rc4crypt(extract_config(data), key)
    size = len(config_raw)

    # 1.3.x - Not implemented yet.
    if size == 0xe10:
        print_warning("Detected XtremeRAT 1.3.x, not supported yet")
        return None

    # Version parsers keyed by decrypted config length:
    #   2.9.x (two known sizes, not a stable extract), 3.1 & 3.2, 3.5
    parsers = {
        0x1390: v29,
        0x1392: v29,
        0x5cc: v32,
        0x7f0: v35,
    }

    parser = parsers.get(size)
    if parser is None:
        print_error("No known XtremeRAT version detected")
        return None

    return parser(config_raw)