#!/usr/bin/python3
import os
import sys
import time
import sqlite3
from hashlib import sha1
# NOTE(review): "pyew" is a CWD-relative path, so whichever ./pyew directory
# the script happens to be started from is put on the import path. Running
# the batch from an untrusted directory (e.g. a samples drop folder) would
# import a planted pyew_core from there. Prefer a path anchored on __file__
# (os.path.dirname(os.path.abspath(__file__))) or an installed package.
sys.path.append("pyew")
from pyew_core import CPyew
from cn_log import log
from cn_db import init_web_db  # imported but not used in this file
from cosa_nostra import open_db
# pyclamd is optional: without it samples are stored with description=None
# (see CPyewAnalyser.get_description).
try:
    import pyclamd
except ImportError:
    log("No pyclamd support, files will not have a description.")
    pyclamd = None
#-----------------------------------------------------------------------
# Return codes of CPyewAnalyser.analyse(). main() maps ANALYSIS_FAILED to
# exit status 1 and the other two to exit status 0.
ANALYSIS_FAILED = 0    # could not load the file / unsupported format
ANALYSIS_SUCCESS = 1   # record inserted into the samples table
ANALYSIS_ALREADY = 2   # a sample with the same SHA-1 is already stored
#-----------------------------------------------------------------------
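def primes(n):
    """Return all primes <= ``n`` in ascending order.

    Sieve of Eratosthenes over the odd numbers only: ``s[i]`` stands for the
    odd number ``2*i + 3``; composites are zeroed and the survivors are
    returned behind the only even prime.

    Integer division (``//``) is required here: under Python 3 (the file's
    shebang) the original ``/`` produced float indices and ``s[j] = 0`` raised
    TypeError, so the table CPyewAnalyser relies on was never built.

    Returns an empty list for ``n < 2``.
    """
    if n == 2:
        return [2]
    if n < 2:
        return []
    s = list(range(3, n + 1, 2))
    mroot = n ** 0.5
    half = (n + 1) // 2 - 1  # == len(s)
    i = 0
    m = 3
    while m <= mroot:
        if s[i]:
            # The first multiple worth striking is m*m (smaller ones were
            # struck by smaller primes). An index step of m is a value step
            # of 2m, so only odd multiples are visited. m <= sqrt(n)
            # guarantees the start index is inside the table.
            j = (m * m - 3) // 2
            while j < half:
                s[j] = 0
                j += m
        i += 1
        m = 2 * i + 3
    return [2] + [x for x in s if x]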
#-----------------------------------------------------------------------
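class CPyewAnalyser:
    """Analyse one sample with pyew and record its call-graph signature.

    The signature is the product of one prime per function, the prime being
    chosen by the function's cyclomatic complexity (``primes_table[cc]``);
    the per-function primes are stored alongside it. Samples are
    de-duplicated by the SHA-1 of their content and, when pyclamd is
    available, labelled with the ClamAV detection name.
    """

    def __init__(self):
        # One prime per possible cyclomatic-complexity value; index == cc.
        self.primes_table = primes(16384 * 4)
        self.db = open_db()
        self.db.printing = False
        # Optional ClamAV client, used only for the human-readable description.
        self.clamd = None
        if pyclamd is not None:
            self.clamd = pyclamd.ClamdAgnostic()
            self.clamd.ping()

    def file_exists(self, sha1_hash):
        """Return True if a sample with this SHA-1 hex digest is already stored.

        The digest is handed to ``select`` as a bound parameter (``$sha1`` in
        ``where`` resolved from ``args``), never concatenated into the SQL
        text. Assumes the web.py-style DB object returned by open_db().
        """
        rows = self.db.select("samples", {"sha1": sha1_hash},
                              what="1", where="hash = $sha1")
        return len(list(rows)) > 0

    def get_description(self, buf):
        """Return the ClamAV detection name for ``buf``, or None.

        None means pyclamd is unavailable or ``scan_stream`` reported nothing.
        On a hit the daemon answers ``{'stream': ('FOUND', '<name>')}``.
        """
        if self.clamd is None:
            return None
        ret = self.clamd.scan_stream(buf)
        if ret is None:
            return None
        name = ret["stream"][1]
        log("Found malware name %s" % repr(name))
        return name

    def _load(self, path):
        """Load ``path`` with pyew; return the CPyew instance or None on failure.

        Only PE, ELF, bootsector, PDF and OLE2 are accepted. A Ctrl-C during
        loading is logged as an abort and also reported as failure.
        """
        pyew = CPyew(batch=True)
        pyew.analysis_timeout = 300
        pyew.codeanalysis = True
        pyew.deepcodeanalysis = True
        try:
            pyew.loadFile(path)
        except KeyboardInterrupt:
            log("Abort")
            return None
        except Exception:
            # Narrowed from a bare ``except`` so SystemExit is no longer
            # swallowed. pyew's failure modes on malformed input are not
            # pinned down here, so Exception is the narrowest safe choice.
            log("ERROR loading file %s" % path)
            return None
        if pyew.format not in ("PE", "ELF", "bootsector", "PDF", "OLE2"):
            log("Not a known executable/document format")
            return None
        return pyew

    def _signature(self, pyew):
        """Compute per-function statistics and the call-graph signature.

        ``pyew.function_stats`` is read as a mapping whose values start with
        ``(nodes, edges, cyclomatic_complexity)``.

        Returns ``(total_functions, avg_nodes, avg_edges, avg_ccs, callgraph,
        function_primes)``, or None when a function's cyclomatic complexity
        has no entry in ``primes_table`` (previously an uncaught IndexError).
        """
        stats = pyew.function_stats
        total_functions = len(stats)
        if total_functions == 0:
            # Previously unhandled: no branch assigned the averages and the
            # log line in analyse() raised UnboundLocalError. Documents
            # (PDF/OLE2) have no functions and take this path. Callgraph 1 is
            # the empty product, i.e. "no functions"; code comparing
            # signatures should treat it as such rather than as a match.
            return 0, 0, 0, 0, 1, []
        nodes = []
        edges = []
        ccs = []
        function_primes = []
        callgraph = 1
        table_size = len(self.primes_table)
        for entry in stats.values():
            cc = entry[2]
            if not 0 <= cc < table_size:
                log("Cyclomatic complexity %d has no entry in the prime table" % cc)
                return None
            nodes.append(entry[0])
            edges.append(entry[1])
            ccs.append(cc)
            prime = self.primes_table[cc]
            callgraph *= prime
            function_primes.append(prime)
        avg_nodes = abs(sum(nodes) / total_functions)
        avg_edges = abs(sum(edges) / total_functions)
        avg_ccs = abs(sum(ccs) / total_functions)
        return (total_functions, avg_nodes, avg_edges, avg_ccs,
                callgraph, function_primes)

    def analyse(self, path):
        """Analyse the file at ``path`` and insert its record into ``samples``.

        Returns ANALYSIS_ALREADY when a sample with the same SHA-1 is stored,
        ANALYSIS_FAILED when pyew cannot load the file, the format is not
        PE/ELF/bootsector/PDF/OLE2, or a cyclomatic complexity falls outside
        the prime table, and ANALYSIS_SUCCESS otherwise. Raises OSError if
        ``path`` cannot be read.

        The sample is untrusted input (typically malware) and is parsed by
        pyew inside this process, bounded only by ``analysis_timeout``; a
        sample that crashes or hangs the parser takes the batch run with it,
        so a driver processing many samples should run this in a separate,
        sandboxed process.
        """
        filename = path
        t = time.time()
        # Closed deterministically instead of relying on the GC to close the
        # handle left open by open(...).read().
        with open(filename, "rb") as f:
            buf = f.read()
        # NOTE(review): SHA-1 is only used for de-duplication, but chosen-prefix
        # collisions are practical, so an attacker can submit a file that gets
        # skipped as "already existing". Moving to SHA-256 changes the meaning
        # of the ``hash`` column and is left to a separate schema change.
        sha1_hash = sha1(buf).hexdigest()
        if self.file_exists(sha1_hash):
            log("Already existing file %s..." % sha1_hash)
            return ANALYSIS_ALREADY

        pyew = self._load(path)
        if pyew is None:
            return ANALYSIS_FAILED

        stats = self._signature(pyew)
        if stats is None:
            return ANALYSIS_FAILED
        (total_functions, avg_nodes, avg_edges, avg_ccs,
         callgraph, function_primes) = stats

        msg = "%d-%d-%d-%d" % (total_functions, avg_nodes, avg_edges, avg_ccs)
        log("File analysed %s, callgraph signature %s" % (msg, callgraph))
        log("Time to analyze %f" % (time.time() - t))
        callgraph = str(callgraph)
        primes_csv = ",".join(map(str, function_primes))
        desc = self.get_description(buf)
        # Column values are passed as keyword arguments and bound by the DB
        # layer, not formatted into SQL.
        self.db.insert("samples", filename=filename, callgraph=callgraph,
                       hash=sha1_hash, total_functions=total_functions,
                       format=pyew.format, primes=primes_csv, description=desc,
                       analysis_date=time.asctime())
        return ANALYSIS_SUCCESS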
#-----------------------------------------------------------------------
def usage():
    """Print the one-line usage message for this script to stdout."""
    # Same text as print("Usage:", argv0, "<executable file>") would emit.
    print("Usage: %s <executable file>" % sys.argv[0])
#-----------------------------------------------------------------------
def main(path):
    """Analyse one sample and terminate the process.

    Exit status 0 for ANALYSIS_SUCCESS and ANALYSIS_ALREADY (anything above
    ANALYSIS_FAILED), 1 for ANALYSIS_FAILED.
    """
    analyser = CPyewAnalyser()
    result = analyser.analyse(path)
    sys.exit(0 if result > ANALYSIS_FAILED else 1)
if __name__ == "__main__":
    # argv[0] is always present, so fewer than two entries means no file given.
    if len(sys.argv) < 2:
        usage()
    else:
        main(sys.argv[1])