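def get_sections(self, machos, fbuffer) -> list:
    '''
    Collect one record per Mach-O segment load command.

    Args:
        machos: parsed Mach-O object exposing ``headers``; each header has a
            ``commands`` iterable of ``(lc, cmd, data)`` triples.
        fbuffer: the raw bytes of the file the headers were parsed from.

    Returns:
        list of dicts with keys Section, Suspicious, Size, Entropy, MD5 and
        Description (Description is always left empty here).
    '''
    records = []
    for header in machos.headers:
        for _lc, cmd, _data in header.commands:
            # only segment commands carry a segname; skip everything else
            if not hasattr(cmd, "segname"):
                continue
            # slice the segment's file-backed bytes directly; the previous
            # BytesIO(fbuffer) copied the whole file once per segment.
            # An offset past the end yields b"", exactly as seek+read did.
            blob = fbuffer[cmd.fileoff:cmd.fileoff + cmd.filesize]
            # segname is a fixed-width field that is not guaranteed to be
            # NUL-terminated; the old find(b"\x00") returned -1 in that case
            # and the [:-1] slice silently dropped the last character.
            seg = cmd.segname.split(b"\x00", 1)[0].decode("utf-8", errors="ignore")
            if cmd.filesize == 0:
                # tested first so this message is not shadowed by the entropy
                # branch (an empty blob's entropy is expected to land in 0..1)
                sus = "True, section size 0"
            else:
                entropy = get_entropy_float_ret(blob)
                # very high entropy suggests packed/encrypted content,
                # very low entropy suggests padding or placeholder data
                if entropy > 6 or 0 <= entropy <= 1:
                    sus = "True, {}".format(entropy)
                else:
                    sus = "No"
            if seg == "__PAGEZERO":
                # __PAGEZERO is deliberately never flagged
                sus = ""
            records.append({
                "Section": seg,
                "Suspicious": sus,
                "Size": cmd.filesize,
                "Entropy": get_entropy(blob),
                "MD5": md5(blob).hexdigest(),
                "Description": ""
            })
    return records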
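def get_sections(self, pe_info) -> list:
    '''
    Collect one record per PE section.

    Args:
        pe_info: parsed PE object whose ``sections`` expose ``Name``,
            ``SizeOfRawData``, ``get_data()`` and ``get_hash_md5()``.

    Returns:
        list of dicts with keys Section, Suspicious, Size, MD5, Entropy and
        Description (Description is always left empty here).
    '''
    records = []
    for section in pe_info.sections:
        # read the raw section bytes once instead of once per consumer
        raw = section.get_data()
        # section names are NUL-padded fixed-width fields
        name = section.Name.decode("utf-8", errors="ignore").strip("\00")
        if section.SizeOfRawData == 0:
            # tested first so this message is not shadowed by the entropy
            # branch (an empty section's entropy is expected to land in 0..1)
            sus = "True, section size 0"
        else:
            entropy = get_entropy_float_ret(raw)
            # very high entropy suggests packed/encrypted content,
            # very low entropy suggests padding or placeholder data
            if entropy > 6 or (0 <= entropy <= 1):
                sus = "True, {}".format(entropy)
            else:
                sus = "No"
        records.append({
            "Section": name,
            "Suspicious": sus,
            "Size": section.SizeOfRawData,
            "MD5": section.get_hash_md5(),
            "Entropy": get_entropy(raw),
            "Description": ""
        })
    return records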
def get_scripts(self, data, soup):
    '''
    Append one record per ``<script>`` element found in ``soup`` to ``data``.

    Args:
        data: list that receives the records (mutated in place).
        soup: parsed HTML document exposing ``findAll``.

    Each record holds the source line, the script text's entropy (``None``
    when the element has no text), the ``type`` and ``src`` attributes and
    the script text itself. The text is stored verbatim from the document,
    so anything rendering these records must treat it as untrusted content.
    '''
    for tag in soup.findAll("script"):
        body = tag.text
        data.append({
            "line": tag.sourceline,
            "Entropy": get_entropy(body) if body != "" else None,
            "type": tag.get("type"),
            "src": tag.get("src"),
            "text": body,
        })
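def get_detailes(self, data, _path):
    '''
    Fill ``data["Details"]`` with general properties of the file at ``_path``.

    Args:
        data: result dict (mutated in place); ``data["Details"]`` is reset
            from a deep copy of ``self.datastruct`` first.
        _path: path of the file to describe.

    The file is read into memory once; the hashes, ssdeep, size, mime type
    and entropy recorded under ``Properties`` all describe that content.
    '''
    data["Details"] = deepcopy(self.datastruct)
    # read once under a context manager; the previous code opened the file
    # twice without closing either handle (the second read(4) was discarded)
    with open(_path, "rb") as handle:
        content = handle.read()
    size_bytes = path.getsize(_path)
    data["Details"]["Properties"] = {
        "Name": path.basename(_path).lower(),
        "md5": md5(content).hexdigest(),
        "sha1": sha1(content).hexdigest(),
        "sha256": sha256(content).hexdigest(),
        "ssdeep": hash_from_file(_path),
        "size": convert_size(size_bytes),
        "bytes": size_bytes,
        # content-based type (libmagic) ...
        "mime": from_file(_path, mime=True),
        # ... versus a name-based guess: guess_type only looks at the
        # filename, so this can disagree with "mime" for a disguised sample
        "extension": guess_type(_path)[0],
        "Entropy": get_entropy(content),
    }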
def get_scripts(self, data, soup):
    '''
    Get all scripts (maybe add script analysis later on).

    Args:
        data: list that receives one record per ``<script>`` element
            (mutated in place).
        soup: parsed HTML document exposing ``findAll``.

    A record carries the source line, the entropy of the script text
    (``None`` for an element without text), the ``type`` and ``src``
    attributes and the raw text. The raw text comes straight from the
    document and is stored verbatim, so consumers must not render it
    unescaped.
    '''
    for node in soup.findAll("script"):
        entropy = None
        if node.text != "":
            entropy = get_entropy(node.text)
        record = {
            "line": node.sourceline,
            "Entropy": entropy,
            "type": node.get("type"),
            "src": node.get("src"),
            "text": node.text,
        }
        data.append(record)
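def analyze(self, data):
    '''
    Start analyzing ELF logic, add description to strings and get words and
    wordsstripped from the file.

    Args:
        data: result dict (mutated in place). ``data["Location"]["File"]``
            names the file to parse; ``data["ELF"]`` is reset from a deep
            copy of ``self.datastruct`` and then populated with General,
            Sections, Dynamic, Symbols and Relocations.
    '''
    target = data["Location"]["File"]
    data["ELF"] = deepcopy(self.datastruct)
    # one handle is enough: take the whole-file entropy from it, then rewind
    # so ELFFile parses from offset 0 (the previous code opened the file twice)
    with open(target, "rb") as handle:
        raw = handle.read()
        handle.seek(0)
        elf = ELFFile(handle)
        data["ELF"]["General"] = {
            "ELF Type": elf.header.e_type,
            "ELF Machine": elf.header.e_machine,
            "Entropy": get_entropy(raw),
            "Entrypoint": hex(elf.header.e_entry),
            "Interpreter": self.get_iter(elf),
        }
        data["ELF"]["Sections"] = self.get_section(elf)
        data["ELF"]["Dynamic"] = self.get_dynamic(elf)
        data["ELF"]["Symbols"] = self.get_symbols(elf)
        data["ELF"]["Relocations"] = self.get_relocations(elf)
        add_description("ManHelp", data["ELF"]["Symbols"], "Symbol")
        add_description("LinuxSections", data["ELF"]["Sections"], "Section")
        get_words(data, target)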
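def get_section(self, elf) -> list:
    '''
    Get all named sections of the ELF as a list of records.

    Args:
        elf: parsed ELF object exposing ``iter_sections()``; each section
            provides ``name``, ``data_size`` and ``data()``.

    Returns:
        list of dicts with keys Section, Suspicious, Size, MD5, Entropy and
        Description (Description is always left empty here). Sections with
        an empty name are skipped.
    '''
    records = []
    for section in elf.iter_sections():
        if section.name == "":
            continue
        # section.data() re-reads the bytes on every call; fetch them once
        raw = section.data()
        if section.data_size == 0:
            # tested first so this message is not shadowed by the entropy
            # branch (an empty section's entropy is expected to land in 0..1)
            sus = "True, section size 0"
        else:
            entropy = get_entropy_float_ret(raw)
            # very high entropy suggests packed/encrypted content,
            # very low entropy suggests padding or placeholder data
            if entropy > 6 or (0 <= entropy <= 1):
                sus = "True, {}".format(entropy)
            else:
                sus = "No"
        records.append({
            "Section": section.name,
            "Suspicious": sus,
            "Size": section.data_size,
            "MD5": md5(raw).hexdigest(),
            "Entropy": get_entropy(raw),
            "Description": "",
        })
    return records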