def test_multiple(self): ym = YaraMatch({ "name": "foo", "meta": {}, "offsets": { "a": [ (1, 0), (2, 2), ], "b": [ (3, 1), ], }, "strings": [ "bar".encode("base64"), "baz".encode("base64"), "foo".encode("base64"), ], }) assert ym.string("a", 0) == "bar" assert ym.string("a", 1) == "foo" assert ym.string("b", 0) == "baz" assert ym.strings("a") == ["bar", "foo"] assert ym.strings("b") == ["baz"]
def test_basics(self): ym = YaraMatch({ "name": "foo", "meta": {}, "offsets": { "a": [ (1, 0), ], }, "strings": [ "bar".encode("base64"), ], }) assert ym.string("a", 0) == "bar" assert ym.string("a") == "bar"
def loop_yara(category, filepath, matches): for match in matches: match = YaraMatch(match, category) for sig in self.signatures: self.call_signature( sig, sig.on_yara, category, filepath, match )
def push_blob(self, blob, category, externals, info=None): filepath = self.write_extracted("blob", blob) if not filepath: return yara_matches = File(filepath).get_yara(category, externals) self.items.append({ "category": category, "raw": filepath, "yara": yara_matches, "info": info or {}, }) for match in yara_matches: match = YaraMatch(match, category) self.handle_yara(filepath, match)
def test_cfgextr(): set_cwd(tempfile.mkdtemp()) cuckoo_create() class Trigger1(Extractor): yara_rules = "Trigger1" def handle_yara(self, filepath, match): self.push_config({ "family": "barfoo", "version": "baz", }) ExtractManager.init_once() mkdir(cwd(analysis=1)) em = ExtractManager(1) em.handle_yara( None, YaraMatch({ "name": "Trigger1", "meta": None, "offsets": None, "strings": [], })) assert len(em.items) == 1 results = { "extracted": em.results(), "metadata": {}, "info": {}, } RunSignatures(results).run() assert results == { "info": { "score": 10.0, }, "metadata": { "cfgextr": [{ "family": "barfoo", "version": "baz", }], }, "extracted": mock.ANY, "signatures": [], }
def push_shellcode(self, sc): filepath = self.write_extracted("bin", sc) if not filepath: return # This file contains a plaintext representation of the shellcode. open("%s.txt" % filepath, "wb").write(egghatch.as_text(sc)) yara_matches = File(filepath).get_yara("shellcode") self.items.append({ "category": "shellcode", "raw": filepath, "shellcode": "%s.txt" % filepath, "yara": yara_matches, }) for match in yara_matches: match = YaraMatch(match, "shellcode") self.handle_yara(filepath, match)
def push_script(self, process, command): filepath = self.write_extracted(command.ext, command.get_script().encode("utf8")) if not filepath: return yara_matches = File(filepath).get_yara("scripts") self.items.append({ "category": "script", "program": command.program, "pid": process["pid"], "first_seen": process["first_seen"], "script": filepath, "yara": yara_matches, }) for match in yara_matches: match = YaraMatch(match, "script") self.handle_yara(filepath, match)
def peek_procmem(self, process): for match in process["yara"]: self.handle_yara(process["file"], YaraMatch(match))