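    def _get_versioninfo(self):
        """
        Acquires PE32 version info.

        Walks the parsed PE's VS_VERSIONINFO / FileInfo structures and collects
        every StringTable and Var entry as a {"name", "value"} dict. Both
        fields are passed through convert_to_printable because they are read
        verbatim from the parsed binary. A FileInfo entry that raises while
        being walked (e.g. a malformed resource) is skipped rather than
        aborting the whole extraction.
        @return: list of {"name", "value"} dicts, [] if the PE carries no
                 version info, or None if no PE was parsed
        """
        if not self.pe:
            return None

        infos = []
        if not hasattr(self.pe, "VS_VERSIONINFO") or not hasattr(self.pe, "FileInfo"):
            return infos

        for entry in self.pe.FileInfo:
            try:
                if hasattr(entry, "StringTable"):
                    for st_entry in entry.StringTable:
                        for name, value in st_entry.entries.items():
                            infos.append({
                                "name": convert_to_printable(name),
                                "value": convert_to_printable(value),
                            })
                elif hasattr(entry, "Var"):
                    for var_entry in entry.Var:
                        if not hasattr(var_entry, "entry"):
                            continue
                        # Only the first pair of the Var mapping is recorded,
                        # as before; next(iter(...)) works on both Python 2
                        # lists and Python 3 views, unlike .keys()[0].
                        name, value = next(iter(var_entry.entry.items()))
                        infos.append({
                            "name": convert_to_printable(name),
                            "value": convert_to_printable(value),
                        })
            # Narrowed from a bare except: a malformed entry is skipped, but
            # KeyboardInterrupt/SystemExit must still propagate.
            except Exception:
                continue

        return infos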
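 def _add_hosts(self, connection):
     """
     Add IPs to unique list.

     Both endpoints of the connection are normalised with
     convert_to_printable before the membership test, so the value compared
     against self.unique_hosts is the same value that gets stored. (The
     previous version tested the raw address but stored the printable form,
     so an address containing non-printable bytes could be appended on every
     call.)
     @param connection: connection data, a mapping with "src" and "dst" keys
     @return: False if the connection could not be processed (missing key,
              unexpected value type), None otherwise
     """
     try:
         for endpoint in (connection["src"], connection["dst"]):
             host = convert_to_printable(endpoint)
             if host not in self.unique_hosts:
                 self.unique_hosts.append(host)
     except Exception:
         return False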
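    def _add_http(self, tcpdata, dport):
        """
        Adds an HTTP flow.

        Parses tcpdata as an HTTP request and records host, port, raw data,
        reconstructed URI, path, body, method, version and (when present)
        user-agent in self.http_requests. Every captured string is passed
        through convert_to_printable, as it comes straight off the wire.
        Note that dpkt.http.Request() runs outside the try block, so a
        non-HTTP or truncated payload raises to the caller instead of
        returning False; that is kept as-is since callers may rely on it.
        @param tcpdata: TCP data in flow
        @param dport: destination port
        @return: False if the parsed request could not be recorded,
                 None otherwise
        """
        http = dpkt.http.Request(tcpdata)

        try:
            entry = {}

            # "in" replaces the Python 2-only dict.has_key().
            if "host" in http.headers:
                entry["host"] = convert_to_printable(http.headers["host"])
            else:
                entry["host"] = ""

            entry["port"] = dport
            entry["data"] = convert_to_printable(tcpdata)

            # Only a non-default port is spelled out in the reconstructed URI.
            if entry["port"] != 80:
                host = "%s:%d" % (entry["host"], entry["port"])
            else:
                host = entry["host"]
            entry["uri"] = convert_to_printable(
                urlunparse(("http", host, http.uri, None, None, None)))

            entry["body"] = convert_to_printable(http.body)
            entry["path"] = convert_to_printable(http.uri)

            if "user-agent" in http.headers:
                entry["user-agent"] = convert_to_printable(http.headers["user-agent"])

            entry["version"] = convert_to_printable(http.version)
            entry["method"] = convert_to_printable(http.method)

            self.http_requests.append(entry)
        except Exception:
            return False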
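    def _get_sections(self):
        """
        Generates list of binary sections.

        One dict per section of the parsed PE: the name (made printable,
        since it is read verbatim from the binary), virtual address, virtual
        size and raw data size as hex strings, plus the entropy reported by
        the section object. A section whose fields cannot be read is skipped
        so one corrupt header does not lose the rest.
        @return: list of section dicts, or None if no PE was parsed
        """
        if not self.pe:
            return None

        sections = []
        for entry in self.pe.sections:
            try:
                # NOTE(review): .strip() removes whitespace only; if Name is
                # NUL-padded the padding reaches convert_to_printable --
                # confirm against the PE parser before changing this.
                sections.append({
                    "name": convert_to_printable(entry.Name.strip()),
                    "virtual_address": hex(entry.VirtualAddress),
                    "virtual_size": hex(entry.Misc_VirtualSize),
                    "size_of_data": hex(entry.SizeOfRawData),
                    "entropy": entry.get_entropy(),
                })
            # Narrowed from a bare except so KeyboardInterrupt/SystemExit
            # are not swallowed along with malformed-section errors.
            except Exception:
                continue

        return sections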
 def _get_name(self):
     """
     Retrieves the original file name of the file.

     Only the last path component of self.file_path is returned, passed
     through convert_to_printable like the other extracted strings.
     @return: file name
     """
     basename = os.path.basename(self.file_path)
     return convert_to_printable(basename)
            try:                
                (arg_name, arg_value) = row[index].split("->")
            except ValueError, why:
                continue

            argument["name"]  = arg_name
            argument["value"] = convert_to_printable(arg_value)

            # Add the current argument to the complete arguments list.
            arguments.append(argument)

        call["timestamp"] = timestamp
        call["category"]  = category
        call["api"]       = api_name
        call["status"]    = status_value
        call["return"]    = convert_to_printable(return_value)
        call["arguments"] = arguments
        call["repeated"]  = 0

        # Check if the current API call is a repetition of the previous one.
        if len(self.calls) > 0:
            if self.calls[-1]["api"] == call["api"] and \
               self.calls[-1]["status"] == call["status"] and \
               self.calls[-1]["arguments"] == call["arguments"] and \
               self.calls[-1]["return"] == call["return"]:
                self.calls[-1]["repeated"] += 1
                return True

        # If it's a new one, add it to the list.
        self.calls.append(call)