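    def _do_work(self, submission):
        """Look the submission's SHA-1 up in the hash database and build a Report.

        The query joins the file/product/OS/manufacturer tables on the hash and
        emits one ``json`` ReportSection per matching row.  The hash is passed as
        a bound parameter, never interpolated into the statement text.

        Args:
            submission: the Submission being analysed; ``submission.file.sha1``
                is the lookup key.

        Returns:
            The committed :class:`Report`.  ``threat_level`` is set to 0 only
            when at least one row matched; an unknown hash leaves it untouched.
        """
        s = Session()
        r = Report(
            module=self.__ModuleName__,
            short="Short desc...",
            full="",
            submission=submission
        )
        s.add(r)
        # Column order of this SELECT is what the positional indexing below relies on.
        sql = """select sha1, md5, FileName, FileSize, ProductName, ProductVersion, Language, ApplicationType, o.OpSystemCode, OpSystemName, OpSystemVersion, o.MfgCode, MfgName
                from file f inner join Prod p on p.ProductCode=f.ProductCode inner join OS o on f.OpSystemCode=o.OpSystemCode inner join Mfg m on m.MfgCode=o.MfgCode
                where sha1=?;"""
        # The digest is upper-cased before the lookup, which suggests the DB stores
        # upper-case hex -- TODO confirm against the loaded data set.
        results = self.db.execute(sql, (submission.file.sha1.upper(),)).fetchall()

        if not results:
            # Unknown in Db
            r.short = "Unknown File - sha1 : %s" % (submission.file.sha1)
        else:
            # Known in Hash Db.
            # NOTE(review): a hit only proves the file is in the reference set;
            # whether "known" means "safe" depends on what that set was built from.
            r.short = "File known to be safe (%s match)" % (len(results))
            r.threat_level = 0
            for result in results:
                report_details = {
                    'FileName': result[2],
                    'FileSize': result[3],
                    'Product': {
                        'ProductName': result[4],
                        'ProductVersion': result[5],
                        'Language': result[6],
                        'ApplicationType': result[7],
                        'OS': {
                            'OpSystemCode': result[8],
                            'OpSystemName': result[9],
                            'OpSystemVersion': result[10],
                            'MfgCode': result[11],
                            'MfgName': result[12],
                        },
                    },
                }
                # Named ``payload`` rather than ``json`` so the stdlib module is not shadowed.
                payload = JSONEncoder().encode(report_details)
                section = ReportSection(
                    type='json',
                    value=payload,
                    report=r
                )
                s.add(section)
        s.commit()
        return r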
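 def _do_work_wrapper(self, submission_id):
     """Run ``_do_work`` for one submission and push the resulting Report on the queue.

     Any exception raised by ``_do_work`` is logged and replaced by a Report whose
     ``short`` text carries the error, so one bad sample does not kill the worker.
     The Submission lookup itself happens outside the ``try``: a missing or
     duplicate id still propagates to the caller.

     Args:
         submission_id: primary key of the Submission row to analyse.
     """
     s = Session()
     submission = s.query(Submission).filter(Submission.id == submission_id).one()
     try:
         r = self._do_work(submission)
         s.expunge(r)
         self.result_queue.put(r)
     except Exception as e:
         # logging.exception keeps the traceback; the plain error() call dropped it,
         # which made module failures hard to diagnose.
         logging.exception("Got exception : %s", e)
         # NOTE(review): str(e) ends up in the report text shown downstream; it can
         # carry internal paths or query fragments -- confirm that is acceptable.
         r = Report(
             module=self.__ModuleName__,
             short="Got an exception in module : %s" % e,
             full="",
             submission=submission
         )
         s.add(r)
         # The fallback Report is expunged without a commit here, so this code does
         # not persist it; presumably the queue consumer does -- verify.
         s.expunge(r)
         self.result_queue.put(r)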
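 def _do_work(self, submission):
     """Query VirusTotal for the submission's SHA-256 and build a Report.

     When the hash is unknown and ``module_config['submit_unknown']`` is set, the
     file is handed to ``vt.scan`` and the result awaited before reporting.

     Args:
         submission: the Submission being analysed.

     Returns:
         The committed Report.  ``threat_level`` is 0 for zero detections and
         100 for more than five; one to five detections leave it at its default.
     """
     report = self.vt.get(submission.file.sha256)
     s = Session()
     r = Report(
         module=self.__ModuleName__,
         short="Short desc...",
         full="",
         submission=submission
     )
     s.add(r)
     new_vt_submission = False
     if report is None:
         # Unknown in VT
         r.short = "Unknown on VT"
         if self.module_config['submit_unknown']:
             # scan() is given the file path, so presumably the sample itself leaves
             # the host for a third-party service -- confirm that is acceptable for
             # the data this instance processes before enabling submit_unknown.
             report = self.vt.scan(submission.file.path, reanalyze=True)
             report.join()
             new_vt_submission = True
     try:
         # Explicit check instead of ``assert``: asserts are stripped under ``-O``,
         # and the failure would then surface as an AttributeError further down.
         if report is None or report.done is not True:
             raise ValueError("VT report is missing or not finished")
         # Known in VT
         r.short = "Detection rate : %s/%s - %s" % (report.positives, report.total, report.verbose_msg)
         if new_vt_submission:
             r.short += " (First submission in VT)"
         if report.positives == 0:
             r.threat_level = 0
         elif report.positives > 5:
             r.threat_level = 100
         # ``_report`` is a private attribute of the VT client object; this
         # depends on that library's internals.
         report_details = report._report
         payload = JSONEncoder().encode(report_details)
         section = ReportSection(
             type='json',
             value=payload,
             report=r
         )
         s.add(section)
     except Exception as e:
         # Best effort: a VT failure still yields a Report, just without details.
         logging.error("Could not get report from vt : %s", e)
     s.commit()
     return r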
 def _do_work(self, submission):
     """Extract file metadata with exiftool and store it as one nested JSON section.

     Keys of the form ``Group:Tag`` (any number of ``:``-separated components)
     are unfolded into nested dicts, one level per component, with the value
     stored under the last component.

     Args:
         submission: the Submission being analysed.

     Returns:
         The committed Report carrying a single ``json`` ReportSection.
     """
     metadata = self.exif_tool.get_metadata(submission.file.path)
     tree = {}
     # iteritems(): Python 2 dict API, consistent with the rest of this file.
     for key, value in metadata.iteritems():
         components = key.split(":")
         node = tree
         for component in components[:-1]:
             node = node.setdefault(component, {})
         # NOTE(review): a key whose prefix is itself a complete key (both "A"
         # and "A:B") would overwrite or fail here; no handling is visible.
         node[components[-1]] = value
     payload = JSONEncoder().encode(tree)
     s = Session()
     r = Report(module=self.__ModuleName__, short="", full="", submission=submission)
     s.add(r)
     s.add(ReportSection(type="json", value=payload, report=r))
     s.commit()
     return r
 def _do_work(self, submission):
     """Render an entropy plot and a byte map of the file and attach both as ``img`` sections.

     Both PNGs are written under ``module_config["output_dir"]`` and named after the
     file's SHA-256, so the output path is never derived from the submitted file name.

     Args:
         submission: the Submission being analysed.

     Returns:
         The committed Report; ``short`` is the file-type text from EntropyTool.
     """
     tool = EntropyTool(submission.file.path)
     # analyze() must run before writeimg(); the four numbers are not reported here.
     entropy, mean, stdv, max_dev = tool.analyze()
     out_dir = self.module_config["output_dir"]
     digest = submission.file.sha256
     entropy_png = os.path.join(out_dir, "%s.png" % digest)
     tool.writeimg(entropy_png)
     map_png = os.path.join(out_dir, "%s_map.png" % digest)
     MapFile().writeimg(submission.file.path, map_png)
     r = Report(module=self.__ModuleName__, short="%s" % tool.FileTypeText(), full="", submission=submission)
     Session.add(r)
     images = (
         (entropy_png, "Entropy of the file"),
         (map_png, "Mapping of the file"),
     )
     for image_path, comment in images:
         # Backslashes are normalised to "/" -- presumably so the path works in a
         # URL regardless of the host OS; verify against the consumer.
         payload = JSONEncoder().encode({"path": image_path.replace("\\", "/"), "comment": comment})
         Session.add(ReportSection(type="img", value=payload, report=r))
     Session.commit()
     return r
    def _do_work(self, submission):
        """Run the PDF analyser on the file and map its severity to a threat level.

        Args:
            submission: the Submission being analysed.

        Returns:
            The committed Report with two ``text`` sections: the analyser's
            anomalies string and its pdfid output.  ``threat_level`` is 100 for
            severity 5 and above, 50 for 2..4, otherwise 0.
        """
        analyzer = AnalyzePDF(submission.file.path, toolpath=self.module_config['tool_path'])
        sev, comment = analyzer.analyze()  # (sev (0-5+), "comment")
        r = Report(
            module=self.__ModuleName__,
            short="%s (%s)" % (sev, comment),
            full="",
            submission=submission
        )
        # Severity bands are fixed here; the analyser itself only supplies the score.
        if sev >= 5:
            r.threat_level = 100
        elif sev >= 2:
            r.threat_level = 50
        else:
            r.threat_level = 0
        Session.add(r)
        for text in (analyzer.anomalies_string, analyzer.pdfid_str):
            Session.add(ReportSection(type='text', value=text, report=r))
        Session.commit()
        return r