def test_namespace_count(self):
h = HashList()
h.append(EMPTY_MD5)
h.append(EMPTY_SHA1)
h.append(EMPTY_SHA224)
h.append(EMPTY_SHA256)
h.append(EMPTY_SHA384)
h.append(EMPTY_SHA512)
logger.info(h.to_xml())
ns_list = cybox.test.round_trip(h, list_=True)._get_namespaces()
logger.info(ns_list)
# Only "common" and "vocabs" should be here. "xsi" is only added later
self.assertEqual(2, len(ns_list))
def from_obj(file_obj, file_class=None):
if not file_obj:
return None
if not file_class:
file_ = File()
else:
file_ = file_class
ObjectProperties.from_obj(file_obj, file_)
file_.is_packed = file_obj.get_is_packed()
file_.file_name = String.from_obj(file_obj.get_File_Name())
file_.file_path = FilePath.from_obj(file_obj.get_File_Path())
file_.device_path = String.from_obj(file_obj.get_Device_Path())
file_.full_path = String.from_obj(file_obj.get_Full_Path())
file_.file_extension = String.from_obj(file_obj.get_File_Extension())
file_.size_in_bytes = UnsignedLong.from_obj(file_obj.get_Size_In_Bytes())
file_.magic_number = HexBinary.from_obj(file_obj.get_Magic_Number())
file_.file_format = String.from_obj(file_obj.get_File_Format())
file_.hashes = HashList.from_obj(file_obj.get_Hashes())
file_.extracted_features = ExtractedFeatures.from_obj(file_obj.get_Extracted_Features())
#TODO: why are there two Strings and one DateTime here?
file_.modified_time = String.from_obj(file_obj.get_Modified_Time())
file_.accessed_time = String.from_obj(file_obj.get_Accessed_Time())
file_.created_time = DateTime.from_obj(file_obj.get_Created_Time())
return file_
def from_dict(file_dict, file_class=None):
if not file_dict:
return None
if not file_class:
file_ = File()
else:
file_ = file_class
ObjectProperties.from_dict(file_dict, file_)
file_.is_packed = file_dict.get('is_packed')
file_.file_name = String.from_dict(file_dict.get('file_name'))
file_.file_path = FilePath.from_dict(file_dict.get('file_path'))
file_.device_path = String.from_dict(file_dict.get('device_path'))
file_.full_path = String.from_dict(file_dict.get('full_path'))
file_.file_extension = String.from_dict(file_dict.get('file_extension'))
file_.size_in_bytes = UnsignedLong.from_dict(file_dict.get('size_in_bytes'))
file_.magic_number = HexBinary.from_dict(file_dict.get('magic_number'))
file_.file_format = String.from_dict(file_dict.get('file_format'))
file_.hashes = HashList.from_list(file_dict.get('hashes'))
file_.extracted_features = ExtractedFeatures.from_dict(file_dict.get('extracted_features'))
file_.modified_time = String.from_dict(file_dict.get('modified_time'))
file_.accessed_time = String.from_dict(file_dict.get('accessed_time'))
file_.created_time = DateTime.from_dict(file_dict.get('created_time'))
return file_
def from_dict(toolinfo_dict, tool_class=None):
if not toolinfo_dict:
return None
if not tool_class:
toolinfo = ToolInformation()
else:
toolinfo = tool_class
toolinfo.id_ = toolinfo_dict.get('id')
toolinfo.idref = toolinfo_dict.get('idref')
toolinfo.name = toolinfo_dict.get('name')
toolinfo.type_ = [
ToolType.from_dict(x) for x in toolinfo_dict.get('type', [])
]
toolinfo.description = StructuredText.from_dict(
toolinfo_dict.get('description'))
toolinfo.vendor = toolinfo_dict.get('vendor')
toolinfo.version = toolinfo_dict.get('version')
toolinfo.service_pack = toolinfo_dict.get('service_pack')
toolinfo.tool_hashes = HashList.from_list(
toolinfo_dict.get('tool_hashes'))
return toolinfo
def test_hash_lookup(self):
h = HashList()
self.assertEqual(None, h.md5)
self.assertEqual(None, h.sha1)
self.assertEqual(None, h.sha224)
self.assertEqual(None, h.sha256)
self.assertEqual(None, h.sha384)
self.assertEqual(None, h.sha512)
def test_hashlist_set_get(self):
md5_hash = "25BA4574F3090456C1AAE37F4D2D59B8"
sha256_hash = "B64C18B336A8319EFAC43FE5E6DB78B0969E696C1C149BA56CFD69CE72F1898F"
sha512_hash = "2A3459EE6C2FC3D7533F2D1AF6963A21337552D4ACD52D76A09B53BF36A27C3C357F1B41952582CFD0EDC7F8AEFC6DC939C38DF4CCED0F57320AB3480EC042D9"
ssdeep_hash = "3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C"
h = HashList()
h.ssdeep = ssdeep_hash
h.md5 = md5_hash
h.sha256 = sha256_hash
h.sha512 = sha512_hash
self.assertEqual(h.md5, md5_hash)
self.assertEqual(h.sha256, sha256_hash)
self.assertEqual(h.sha512, sha512_hash)
self.assertEqual(h.ssdeep, ssdeep_hash)
def dict_from_object(cls, byterun_obj):
"""Parse and return a dictionary for a ByteRun object"""
byterun_dict = {}
if byterun_obj.get_Offset() is not None: byterun_dict['offset'] = Base_Object_Attribute.dict_from_object(byterun_obj.get_Offset())
if byterun_obj.get_File_System_Offset() is not None: byterun_dict['file_system_offset'] = Base_Object_Attribute.dict_from_object(byterun_obj.get_File_System_Offset())
if byterun_obj.get_Image_Offset() is not None: byterun_dict['image_offset'] = Base_Object_Attribute.dict_from_object(byterun_obj.get_Image_Offset())
if byterun_obj.get_Length() is not None: byterun_dict['length'] = Base_Object_Attribute.dict_from_object(byterun_obj.get_Length())
if byterun_obj.get_Hashes() is not None: byterun_dict['hashes'] = HashList.dict_from_object(byterun_obj.get_Hashes())
if byterun_obj.get_Byte_Run_Data() is not None: byterun_dict['byte_run_data'] = {'value' : byterun_obj.get_Byte_Run_Data()}
return byterun_dict
def dict_from_object(cls, defined_object):
"""Parse and return a dictionary for a Memory Object object"""
defined_object_dict = {}
if defined_object.get_is_injected() is not None: defined_object_dict['is_injected'] = {'value' : defined_object.get_is_injected()}
if defined_object.get_is_mapped() is not None: defined_object_dict['is_mapped'] = {'value' : defined_object.get_is_mapped()}
if defined_object.get_is_protected() is not None: defined_object_dict['is_protected'] = {'value' : defined_object.get_is_protected()}
if defined_object.get_Hashes() is not None: defined_object_dict['hashes'] = HashList.dict_from_object(defined_object.get_Hashes())
if defined_object.get_Name() is not None: defined_object_dict['name'] = Base_Object_Attribute.dict_from_object(defined_object.get_Name())
if defined_object.get_Region_Size() is not None: defined_object_dict['region_size'] = Base_Object_Attribute.dict_from_object(defined_object.get_Region_Size())
if defined_object.get_Region_Start_Address() is not None: defined_object_dict['region_start_address'] = Base_Object_Attribute.dict_from_object(defined_object.get_Region_Start_Address())
return defined_object_dict
def from_obj(extracted_string_obj):
if not extracted_string_obj:
return None
extracted_string_ = ExtractedString()
extracted_string_.encoding = VocabString.from_obj(extracted_string_obj.get_Encoding())
extracted_string_.string_value = String.from_obj(extracted_string_obj.get_String_Value())
extracted_string_.byte_string_value = HexBinary.from_obj(extracted_string_obj.get_Byte_String_Value())
extracted_string_.hashes = HashList.from_obj(extracted_string_obj.get_Hashes())
extracted_string_.address = HexBinary.from_obj(extracted_string_obj.get_Address())
extracted_string_.length = PositiveInteger.from_obj(extracted_string_obj.get_Length())
extracted_string_.language = String.from_obj(extracted_string_obj.get_Language())
extracted_string_.english_translation = String.from_obj(extracted_string_obj.get_English_Translation())
return extracted_string_
def from_dict(extracted_string_dict):
if not extracted_string_dict:
return None
extracted_string_ = ExtractedString()
extracted_string_.encoding = VocabString.from_dict(extracted_string_dict.get('encoding'))
extracted_string_.string_value = String.from_dict(extracted_string_dict.get('string_value'))
extracted_string_.byte_string_value = HexBinary.from_dict(extracted_string_dict.get('byte_string_value'))
extracted_string_.hashes = HashList.from_list(extracted_string_dict.get('hashes'))
extracted_string_.address = HexBinary.from_dict(extracted_string_dict.get('address'))
extracted_string_.length = PositiveInteger.from_dict(extracted_string_dict.get('length'))
extracted_string_.language = String.from_dict(extracted_string_dict.get('language'))
extracted_string_.english_translation = String.from_dict(extracted_string_dict.get('english_translation'))
return extracted_string_
def from_dict(memory_dict):
if not memory_dict:
return None
memory_ = Memory()
memory_.is_injected = memory_dict.get('is_injected')
memory_.is_mapped = memory_dict.get('is_mapped')
memory_.is_protected = memory_dict.get('is_protected')
memory_.hashes = HashList.from_list(memory_dict.get('hashes'))
memory_.name = String.from_dict(memory_dict.get('name'))
memory_.region_size = UnsignedLong.from_dict(memory_dict.get('region_size'))
memory_.region_start_address = HexBinary.from_dict(memory_dict.get('region_start_address'))
memory_.extracted_features = None
return memory_
def from_obj(memory_obj):
if not memory_obj:
return None
memory_ = Memory()
memory_.is_injected = memory_obj.get_is_injected()
memory_.is_mapped = memory_obj.get_is_mapped()
memory_.is_protected = memory_obj.get_is_protected()
memory_.hashes = HashList.from_obj(memory_obj.get_Hashes())
memory_.name = String.from_obj(memory_obj.get_Name())
memory_.region_size = UnsignedLong.from_obj(memory_obj.get_Region_Size())
memory_.region_start_address = HexBinary.from_obj(memory_obj.get_Region_Start_Address())
memory_.extracted_features = None
return memory_
def object_from_dict(cls, byterun_dict):
"""Create the ByteRun object representation from an input dictionary"""
byterun_obj = common_types_binding.ByteRunType()
for key, value in byterun_dict.items():
if key == 'offset' :
byterun_obj.set_Offset(Base_Object_Attribute.object_from_dict(common_types_binding.IntegerObjectAttributeType(datatype='Integer'),value))
elif key == 'file_system_offset' :
byterun_obj.set_File_System_Offset(Base_Object_Attribute.object_from_dict(common_types_binding.IntegerObjectAttributeType(datatype='Integer'),value))
elif key == 'image_offset' :
byterun_obj.set_Image_Offset(Base_Object_Attribute.object_from_dict(common_types_binding.IntegerObjectAttributeType(datatype='Integer'),value))
elif key == 'length' :
byterun_obj.set_Offset(Base_Object_Attribute.object_from_dict(common_types_binding.IntegerObjectAttributeType(datatype='Integer'),value))
elif key == 'hashes' :
byterun_obj.set_Hashes(HashList.object_from_dict(value))
elif key == 'byte_run_data':
byterun_obj.set_Byte_Run_Data(value)
return byterun_obj
def object_from_dict(cls, memory_attributes):
"""Create the Memory Object object representation from an input dictionary"""
mem_object = memory_binding.MemoryObjectType()
mem_object.set_anyAttributes_({'xsi:type' : 'MemoryObj:MemoryObjectType'})
for key,value in memory_attributes.items():
if key == 'is_injected' and utils.test_value(value): mem_object.set_is_injected(value.get('value'))
elif key == 'is_mapped' and utils.test_value(value): mem_object.set_is_mapped(value.get('value'))
elif key == 'is_protected' and utils.test_value(value): mem_object.set_is_injected(value.get('value'))
elif key == 'region_start_address' and utils.test_value(value):
mem_object.set_Region_Start_Address(Base_Object_Attribute.object_from_dict(common_types_binding.HexBinaryObjectAttributeType(datatype='hexBinary'),value))
elif key == 'region_size' and utils.test_value(value):
mem_object.set_Region_Size(Base_Object_Attribute.object_from_dict(common_types_binding.UnsignedLongObjectAttributeType(datatype='UnsignedLong'),value))
elif key == 'name' and utils.test_value(value):
mem_object.set_Name(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value))
elif key == 'hashes':
mem_object.set_Hashes(HashList.object_from_dict(value))
return mem_object
def from_obj(file_obj):
if not file_obj:
return None
file_ = File()
file_.is_packed = file_obj.get_is_packed()
file_.file_name = String.from_obj(file_obj.get_File_Name())
file_.file_path = FilePath.from_obj(file_obj.get_File_Path())
file_.device_path = String.from_obj(file_obj.get_Device_Path())
file_.full_path = String.from_obj(file_obj.get_Full_Path())
file_.file_extension = String.from_obj(file_obj.get_File_Extension())
file_.size_in_bytes = UnsignedLong.from_obj(file_obj.get_Size_In_Bytes())
file_.magic_number = HexBinary.from_obj(file_obj.get_Magic_Number())
file_.file_format = String.from_obj(file_obj.get_File_Format())
file_.hashes = HashList.from_obj(file_obj.get_Hashes())
return file_
def from_dict(file_dict):
if not file_dict:
return None
file_ = File()
file_.is_packed = file_dict.get('is_packed')
file_.file_name = String.from_dict(file_dict.get('file_name'))
file_.file_path = FilePath.from_dict(file_dict.get('file_path'))
file_.device_path = String.from_dict(file_dict.get('device_path'))
file_.full_path = String.from_dict(file_dict.get('full_path'))
file_.file_extension = String.from_dict(file_dict.get('file_extension'))
file_.size_in_bytes = UnsignedLong.from_dict(file_dict.get('size_in_bytes'))
file_.magic_number = HexBinary.from_dict(file_dict.get('magic_number'))
file_.file_format = String.from_dict(file_dict.get('file_format'))
file_.hashes = HashList.from_dict(file_dict.get('hashes'))
return file_
def object_from_dict(cls, tool_information_dict):
"""Create the ToolInformation object representation from an input dictionary"""
tool_information_obj = common_types_binding.ToolInformationType()
for key, value in tool_information_dict.items():
if key == 'id' and utils.test_value(value) : tool_information_obj.set_id(value)
elif key == 'idref' and utils.test_value(value) : tool_information_obj.set_idref(value)
elif key == 'description': pass
elif key == 'vendor' and utils.test_value(value): tool_information_obj.set_Vendor(value)
elif key == 'name' and utils.test_value(value): tool_information_obj.set_Name(value)
elif key == 'version' and utils.test_value(value): tool_information_obj.set_Version(value)
elif key == 'service_pack' and utils.test_value(value): tool_information_obj.set_Service_Pack(value)
elif key == 'tool-specific_data' : pass
elif key == 'tool_hashes':
hashes_obj = HashList.object_from_dict(value)
if hashes_obj.hasContent_() : tool_information_obj.set_Tool_Hashes(hashes_obj)
elif key == 'tool_configuration' : pass
elif key == 'execution_environment' : pass
elif key == 'errors' : pass
elif key == 'metadata' : pass
return tool_information_obj
def from_obj(toolinfo_obj, toolinfo=None):
if not toolinfo_obj:
return None
if not toolinfo:
toolinfo = ToolInformation()
toolinfo.id_ = toolinfo_obj.id
toolinfo.idref = toolinfo_obj.idref
toolinfo.name = toolinfo_obj.Name
toolinfo.type_ = [VocabString.from_obj(x) for x in toolinfo_obj.Type]
toolinfo.description = StructuredText.from_obj(toolinfo_obj.Description)
toolinfo.vendor = toolinfo_obj.Vendor
toolinfo.version = toolinfo_obj.Version
toolinfo.service_pack = toolinfo_obj.Service_Pack
toolinfo.tool_hashes = HashList.from_obj(toolinfo_obj.Tool_Hashes)
return toolinfo
def from_obj(toolinfo_obj, tool_class = None):
if not toolinfo_obj:
return None
if not tool_class:
toolinfo = ToolInformation()
else:
toolinfo = tool_class
toolinfo.id_ = toolinfo_obj.get_id()
toolinfo.idref = toolinfo_obj.get_idref()
toolinfo.name = toolinfo_obj.get_Name()
toolinfo.type_ = [ToolType.from_obj(x) for x in toolinfo_obj.get_Type()]
toolinfo.description = StructuredText.from_obj(toolinfo_obj.get_Description())
toolinfo.vendor = toolinfo_obj.get_Vendor()
toolinfo.version = toolinfo_obj.get_Version()
toolinfo.service_pack = toolinfo_obj.get_Service_Pack()
toolinfo.tool_hashes = HashList.from_obj(toolinfo_obj.get_Tool_Hashes())
return toolinfo
def from_dict(toolinfo_dict, toolinfo=None):
if not toolinfo_dict:
return None
if not toolinfo:
toolinfo = ToolInformation()
toolinfo.id_ = toolinfo_dict.get('id')
toolinfo.idref = toolinfo_dict.get('idref')
toolinfo.name = toolinfo_dict.get('name')
toolinfo.type_ = [VocabString.from_dict(x) for x in toolinfo_dict.get('type', [])]
toolinfo.description = StructuredText.from_dict(toolinfo_dict.get('description'))
toolinfo.vendor = toolinfo_dict.get('vendor')
toolinfo.version = toolinfo_dict.get('version')
toolinfo.service_pack = toolinfo_dict.get('service_pack')
toolinfo.tool_hashes = HashList.from_list(toolinfo_dict.get('tool_hashes'))
return toolinfo
def object_from_dict(cls, extracted_string_dict):
"""Create the Extracted String object representation from an input dictionary"""
extracted_string_object = common_types_binding.ExtractedStringType()
for key, value in extracted_string_dict.items():
if key == 'encoding' :
extracted_string_object.set_encoding(value.get('value'))
elif key == 'string_value' :
extracted_string_object.set_String_Value(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value))
elif key == 'hashes' :
extracted_string_object.set_Hashes(HashList.object_from_dict(value))
elif key == 'address' :
extracted_string_object.set_Address(Base_Object_Attribute.object_from_dict(common_types_binding.HexBinaryObjectAttributeType(datatype='hexBinary'),value))
elif key == 'length' :
extracted_string_object.set_Length(Base_Object_Attribute.object_from_dict(common_types_binding.PositiveIntegerObjectAttributeType(datatype='PositiveInteger'),value))
elif key == 'language' :
extracted_string_object.set_Language(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value))
elif key == 'english_translation' :
extracted_string_object.set_English_Translation(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value))
return extracted_string_object
def from_obj(toolinfo_obj, toolinfo=None):
if not toolinfo_obj:
return None
if not toolinfo:
toolinfo = ToolInformation()
toolinfo.id_ = toolinfo_obj.id
toolinfo.idref = toolinfo_obj.idref
toolinfo.name = toolinfo_obj.Name
toolinfo.type_ = [VocabString.from_obj(x) for x in toolinfo_obj.Type]
toolinfo.description = StructuredText.from_obj(
toolinfo_obj.Description)
toolinfo.vendor = toolinfo_obj.Vendor
toolinfo.version = toolinfo_obj.Version
toolinfo.service_pack = toolinfo_obj.Service_Pack
toolinfo.tool_hashes = HashList.from_obj(toolinfo_obj.Tool_Hashes)
return toolinfo
def test_hashlist_set_get(self):
md5_hash = "25BA4574F3090456C1AAE37F4D2D59B8"
sha256_hash = "B64C18B336A8319EFAC43FE5E6DB78B0969E696C1C149BA56CFD69CE72F1898F"
sha512_hash = "2A3459EE6C2FC3D7533F2D1AF6963A21337552D4ACD52D76A09B53BF36A27C3C357F1B41952582CFD0EDC7F8AEFC6DC939C38DF4CCED0F57320AB3480EC042D9"
ssdeep_hash = "3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C"
h = HashList()
h.ssdeep = ssdeep_hash
h.md5 = md5_hash
h.sha256 = sha256_hash
h.sha512 = sha512_hash
self.assertEqual(h.md5, md5_hash)
self.assertEqual(h.sha256, sha256_hash)
self.assertEqual(h.sha512, sha512_hash)
self.assertEqual(h.ssdeep, ssdeep_hash)
def from_dict(win_service_dict):
if not win_service_dict:
return None
win_service_ = WinProcess.from_dict(win_service_dict, WinService())
win_service_.service_dll_signature_exists = win_service_dict.get('service_dll_signature_exists')
win_service_.service_dll_signature_verified = win_service_dict.get('service_dll_signature_verified')
win_service_.description_list = [String.from_dict(x) for x in win_service_dict.get('description_list', [])]
win_service_.display_name = String.from_dict(win_service_dict.get('display_name'))
win_service_.group_name = String.from_dict(win_service_dict.get('group_name'))
win_service_.service_name = String.from_dict(win_service_dict.get('service_name'))
win_service_.service_dll = String.from_dict(win_service_dict.get('service_dll'))
win_service_.service_dll_certificate_issuer = String.from_dict(win_service_dict.get('service_dll_certificate_issuer'))
win_service_.service_dll_certificate_subject = String.from_dict(win_service_dict.get('service_dll_certificate_subject'))
win_service_.service_dll_hashes = HashList.from_list(win_service_dict.get('service_dll_hashes'))
win_service_.service_dll_signature_description = String.from_dict(win_service_dict.get('service_dll_signature_description'))
win_service_.startup_command_line = String.from_dict(win_service_dict.get('startup_command_line'))
win_service_.startup_type = String.from_dict(win_service_dict.get('startup_type'))
win_service_.service_status = String.from_dict(win_service_dict.get('service_status'))
win_service_.service_type = String.from_dict(win_service_dict.get('service_type'))
win_service_.started_as = String.from_dict(win_service_dict.get('started_as'))
return win_service_
def from_dict(extracted_string_dict):
if not extracted_string_dict:
return None
extracted_string_ = ExtractedString()
extracted_string_.encoding = VocabString.from_dict(
extracted_string_dict.get('encoding'))
extracted_string_.string_value = String.from_dict(
extracted_string_dict.get('string_value'))
extracted_string_.byte_string_value = HexBinary.from_dict(
extracted_string_dict.get('byte_string_value'))
extracted_string_.hashes = HashList.from_list(
extracted_string_dict.get('hashes'))
extracted_string_.address = HexBinary.from_dict(
extracted_string_dict.get('address'))
extracted_string_.length = PositiveInteger.from_dict(
extracted_string_dict.get('length'))
extracted_string_.language = String.from_dict(
extracted_string_dict.get('language'))
extracted_string_.english_translation = String.from_dict(
extracted_string_dict.get('english_translation'))
return extracted_string_
def from_obj(extracted_string_obj):
if not extracted_string_obj:
return None
extracted_string_ = ExtractedString()
extracted_string_.encoding = VocabString.from_obj(
extracted_string_obj.get_Encoding())
extracted_string_.string_value = String.from_obj(
extracted_string_obj.get_String_Value())
extracted_string_.byte_string_value = HexBinary.from_obj(
extracted_string_obj.get_Byte_String_Value())
extracted_string_.hashes = HashList.from_obj(
extracted_string_obj.get_Hashes())
extracted_string_.address = HexBinary.from_obj(
extracted_string_obj.get_Address())
extracted_string_.length = PositiveInteger.from_obj(
extracted_string_obj.get_Length())
extracted_string_.language = String.from_obj(
extracted_string_obj.get_Language())
extracted_string_.english_translation = String.from_obj(
extracted_string_obj.get_English_Translation())
return extracted_string_
def from_obj(win_service_obj):
if not win_service_obj:
return None
win_service_ = WinProcess.from_obj(win_service_obj, WinService())
win_service_.service_dll_signature_exists = win_service_obj.get_service_dll_signature_exists()
win_service_.service_dll_signature_verified = win_service_obj.get_service_dll_signature_verified()
if win_service_obj.get_Description_List() is not None:
win_service_.description_list = [String.from_obj(x) for x in win_service_obj.get_Description_List().get_Description()]
win_service_.display_name = String.from_obj(win_service_obj.get_Display_Name())
win_service_.group_name = String.from_obj(win_service_obj.get_Group_Name())
win_service_.service_name = String.from_obj(win_service_obj.get_Service_Name())
win_service_.service_dll = String.from_obj(win_service_obj.get_Service_DLL())
win_service_.service_dll_certificate_issuer = String.from_obj(win_service_obj.get_Service_DLL_Certificate_Issuer())
win_service_.service_dll_certificate_subject = String.from_obj(win_service_obj.get_Service_DLL_Certificate_Subject())
win_service_.service_dll_hashes = HashList.from_obj(win_service_obj.get_Service_DLL_Hashes())
win_service_.service_dll_signature_description = String.from_obj(win_service_obj.get_Service_DLL_Signature_Description())
win_service_.startup_command_line = String.from_obj(win_service_obj.get_Startup_Command_Line())
win_service_.startup_type = String.from_obj(win_service_obj.get_Startup_Type())
win_service_.service_status = String.from_obj(win_service_obj.get_Service_Status())
win_service_.service_type = String.from_obj(win_service_obj.get_Service_Type())
win_service_.started_as = String.from_obj(win_service_obj.get_Started_As())
return win_service_
def from_obj(toolinfo_obj, tool_class=None):
if not toolinfo_obj:
return None
if not tool_class:
toolinfo = ToolInformation()
else:
toolinfo = tool_class
toolinfo.id_ = toolinfo_obj.get_id()
toolinfo.idref = toolinfo_obj.get_idref()
toolinfo.name = toolinfo_obj.get_Name()
toolinfo.type_ = [
ToolType.from_obj(x) for x in toolinfo_obj.get_Type()
]
toolinfo.description = StructuredText.from_obj(
toolinfo_obj.get_Description())
toolinfo.vendor = toolinfo_obj.get_Vendor()
toolinfo.version = toolinfo_obj.get_Version()
toolinfo.service_pack = toolinfo_obj.get_Service_Pack()
toolinfo.tool_hashes = HashList.from_obj(
toolinfo_obj.get_Tool_Hashes())
return toolinfo
def sha384(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha384 = value
def test_round_trip(self):
hashlist_list = TEST_HASH_LIST
hashlist_obj = HashList.object_from_list(hashlist_list)
hashlist_list2 = HashList.list_from_object(hashlist_obj)
self.assertEqual(hashlist_list, hashlist_list2)
class File(ObjectProperties):
_binding = file_binding
_binding_class = file_binding.FileObjectType
_namespace = 'http://cybox.mitre.org/objects#FileObject-2'
_XSI_NS = "FileObj"
_XSI_TYPE = "FileObjectType"
is_packed = cybox.TypedField("is_packed")
is_masqueraded = cybox.TypedField("is_masqueraded")
file_name = cybox.TypedField("File_Name", String)
file_path = cybox.TypedField("File_Path", FilePath)
device_path = cybox.TypedField("Device_Path", String)
full_path = cybox.TypedField("Full_Path", String)
file_extension = cybox.TypedField("File_Extension", String)
size_in_bytes = cybox.TypedField("Size_In_Bytes", UnsignedLong)
magic_number = cybox.TypedField("Magic_Number", HexBinary)
file_format = cybox.TypedField("File_Format", String)
hashes = cybox.TypedField("Hashes", HashList)
digital_signatures = cybox.TypedField("Digital_Signatures",
DigitalSignatureList)
modified_time = cybox.TypedField("Modified_Time", DateTime)
accessed_time = cybox.TypedField("Accessed_Time", DateTime)
created_time = cybox.TypedField("Created_Time", DateTime)
# Subclasses must redefine these, since the abstract types
# cannot be instantiated.
file_attributes_list = cybox.TypedField("File_Attributes_List",
FileAttribute) # abstract
permissions = cybox.TypedField("Permissions", FilePermissions) # abstract
user_owner = cybox.TypedField("User_Owner", String)
packer_list = cybox.TypedField("Packer_List", PackerList)
peak_entropy = cybox.TypedField("Peak_Entropy", Double)
sym_links = cybox.TypedField("Sym_Links", SymLinksList)
byte_runs = cybox.TypedField("Byte_Runs", ByteRuns)
extracted_features = cybox.TypedField("Extracted_Features",
ExtractedFeatures)
encryption_algorithm = cybox.TypedField("Encryption_Algorithm", String)
decryption_key = cybox.TypedField("Decryption_Key", String)
compression_method = cybox.TypedField("Compression_Method", String)
compression_version = cybox.TypedField("Compression_Version", String)
compression_comment = cybox.TypedField("Compression_Comment", String)
def __init__(self):
super(File, self).__init__()
self.is_packed = None
@property
def md5(self):
if self.hashes is None:
return None
return self.hashes.md5
@md5.setter
def md5(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.md5 = value
@property
def sha1(self):
if self.hashes is None:
return None
return self.hashes.sha1
@sha1.setter
def sha1(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha1 = value
@property
def sha224(self):
if self.hashes is None:
return None
return self.hashes.sha224
@sha224.setter
def sha224(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha224 = value
@property
def sha256(self):
if self.hashes is None:
return None
return self.hashes.sha256
@sha256.setter
def sha256(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha256 = value
@property
def sha384(self):
if self.hashes is None:
return None
return self.hashes.sha384
@sha384.setter
def sha384(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha384 = value
@property
def sha512(self):
if self.hashes is None:
return None
return self.hashes.sha512
@sha512.setter
def sha512(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha512 = value
@property
def size(self):
"""`size` is an alias for `size_in_bytes`"""
return self.size_in_bytes
@size.setter
def size(self, value):
"""`size` is an alias for `size_in_bytes`"""
self.size_in_bytes = value
def add_hash(self, hash_):
if hash_ is not None:
if self.hashes is None:
self.hashes = HashList()
self.hashes.append(hash_)
exports.exported_functions = PEExportedFunctions() exports.exports_time_stamp = DateTime() exports.name = String() exports.number_of_addresses = Long() exports.number_of_functions = Integer() exports.number_of_names = Long() # The Extraneous_Bytes field specifies the number of extraneous bytes contained in the PE binary. extraneous_bytes = Integer() # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEHeaders headers = PEHeaders() headers.dos_header = DOSHeader() headers.entropy = Entropy() headers.file_header = PEFileHeader() headers.hashes = HashList() headers.optional_header = PEOptionalHeader() headers.signature = HexBinary() # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEImportList imports = PEImportList() # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEChecksum pe_checksum = PEChecksum() pe_checksum.pe_computed_api = Long() pe_checksum.pe_file_api = Long() pe_checksum.pe_file_raw = Long() # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEResourceList resources = PEResourceList()
def add_hash(self, hash_):
if hash_ is not None:
if self.hashes is None:
self.hashes = HashList()
self.hashes.append(hash_)
def merge_binned_malware_subjects(merged_malware_subject, binned_list,
id_mappings_dict):
'''Merge a list of input binned (related) Malware Subjects'''
# Merge the Malware_Instance_Object_Attributes
mal_inst_obj_list = [
x.malware_instance_object_attributes for x in binned_list
]
merged_inst_obj = Object.from_dict(merge_entities(mal_inst_obj_list))
# Give the merged Object a new ID
merged_inst_obj.id_ = idgen.create_id('object')
# Deduplicate the hash values, if they exist
if merged_inst_obj.properties and merged_inst_obj.properties.hashes:
hashes = merged_inst_obj.properties.hashes
hashes = HashList(
deduplicate_vocabulary_list(hashes,
value_name='simple_hash_value'))
hashes = HashList(
deduplicate_vocabulary_list(hashes, value_name='fuzzy_hash_value'))
merged_inst_obj.properties.hashes = hashes
# Merge and deduplicate the labels
merged_labels = list(
itertools.chain(*[x.label for x in binned_list if x.label]))
deduplicated_labels = deduplicate_vocabulary_list(merged_labels)
# Merge the configuration details
config_details_list = [
x.configuration_details for x in binned_list if x.configuration_details
]
merged_config_details = None
if config_details_list:
merged_config_details = MalwareConfigurationDetails.from_dict(
merge_entities(config_details_list))
# Merge the minor variants
merged_minor_variants = list(
itertools.chain(
*[x.minor_variants for x in binned_list if x.minor_variants]))
# Merge the field data # TODO: Add support. Not implemented in the APIs.
# Merge the analyses
merged_analyses = list(
itertools.chain(*[x.analyses for x in binned_list if x.analyses]))
# Merge the findings bundles
merged_findings_bundles = merge_findings_bundles(
[x.findings_bundles for x in binned_list if x.findings_bundles])
# Merge the relationships
merged_relationships = list(
itertools.chain(
*[x.relationships for x in binned_list if x.relationships]))
# Merge the compatible platforms
merged_compatible_platforms = list(
itertools.chain(*[
x.compatible_platform for x in binned_list if x.compatible_platform
]))
# Build the merged Malware Subject
merged_malware_subject.malware_instance_object_attributes = merged_inst_obj
if deduplicated_labels: merged_malware_subject.label = deduplicated_labels
if merged_config_details:
merged_malware_subject.configuration_details = merged_config_details
if merged_minor_variants:
merged_malware_subject.minor_variants = MinorVariants(
merged_minor_variants)
if merged_analyses:
merged_malware_subject.analyses = Analyses(merged_analyses)
if merged_findings_bundles:
merged_malware_subject.findings_bundles = merged_findings_bundles
if merged_relationships:
merged_malware_subject.relationships = MalwareSubjectRelationshipList(
merged_relationships)
if merged_compatible_platforms:
merged_malware_subject.compatible_platform = merged_compatible_platforms
def test_namespace_count(self):
h = HashList()
h.append(EMPTY_MD5)
h.append(EMPTY_SHA1)
h.append(EMPTY_SHA224)
h.append(EMPTY_SHA256)
h.append(EMPTY_SHA384)
h.append(EMPTY_SHA512)
print h.to_xml()
ns_list = cybox.test.round_trip(h, list_=True)._get_namespaces()
print ns_list
# Only "common" and "vocabs" should be here. "xsi" is only added later
self.assertEqual(2, len(ns_list))
def dict_from_object(cls, extracted_string_obj):
"""Parse and return a dictionary for an Extracted String object"""
extracted_string_dict = {}
if extracted_string_obj.get_encoding() is not None: extracted_string_dict['encoding'] = {'value' : element.get_encoding()}
if extracted_string_obj.get_String_Value() is not None: extracted_string_dict['string_value'] = Base_Object_Attribute.dict_from_object(defined_object.get_String_Value())
if extracted_string_obj.get_Hashes() is not None: extracted_string_dict['hashes'] = HashList.dict_from_object(element.get_Hashes())
if extracted_string_obj.get_Address() is not None: extracted_string_dict['address'] = Base_Object_Attribute.dict_from_object(defined_object.get_Address())
if extracted_string_obj.get_Length() is not None: extracted_string_dict['length'] = Base_Object_Attribute.dict_from_object(defined_object.get_Length())
if extracted_string_obj.get_Language() is not None: extracted_string_dict['language'] = Base_Object_Attribute.dict_from_object(defined_object.get_Language())
if extracted_string_obj.get_English_Translation() is not None: extracted_string_dict['english_translation'] = Base_Object_Attribute.dict_from_object(defined_object.get_English_Translation())
return extracted_string_dict
class File(ObjectProperties):
_binding = file_binding
_binding_class = file_binding.FileObjectType
_namespace = 'http://cybox.mitre.org/objects#FileObject-2'
_XSI_NS = "FileObj"
_XSI_TYPE = "FileObjectType"
is_packed = cybox.TypedField("is_packed")
file_name = cybox.TypedField("File_Name", String)
file_path = cybox.TypedField("File_Path", FilePath)
device_path = cybox.TypedField("Device_Path", String)
full_path = cybox.TypedField("Full_Path", String)
file_extension = cybox.TypedField("File_Extension", String)
size_in_bytes = cybox.TypedField("Size_In_Bytes", UnsignedLong)
magic_number = cybox.TypedField("Magic_Number", HexBinary)
file_format = cybox.TypedField("File_Format", String)
modified_time = cybox.TypedField("Modified_Time", String)
accessed_time = cybox.TypedField("Accessed_Time", String)
created_time = cybox.TypedField("Created_Time", DateTime)
hashes = cybox.TypedField("Hashes", HashList)
extracted_features = cybox.TypedField("Extracted_Features",
ExtractedFeatures)
# Not supported yet:
# - Digital_Signatures
# - File_Attributes_List
# - Permissions
# - User_Owner
# - Packer_List
# - Peak_Entropy
# - Sym_Links
# - Extracted_Features
# - Byte Runs
def __init__(self):
super(File, self).__init__()
self.is_packed = None
@property
def md5(self):
if self.hashes is None:
return None
return self.hashes.md5
@md5.setter
def md5(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.md5 = value
@property
def sha1(self):
if self.hashes is None:
return None
return self.hashes.sha1
@sha1.setter
def sha1(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha1 = value
@property
def sha256(self):
if self.hashes is None:
return None
return self.hashes.sha256
@sha256.setter
def sha256(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha256 = value
@property
def size(self):
"""`size` is an alias for `size_in_bytes`"""
return self.size_in_bytes
@size.setter
def size(self, value):
"""`size` is an alias for `size_in_bytes`"""
self.size_in_bytes = value
def add_hash(self, hash_):
if hash_ is not None:
if self.hashes is None:
self.hashes = HashList()
self.hashes.append(hash_)
def sha512(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha512 = value
def sha256(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha256 = value
def md5(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.md5 = value
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package
# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
subject_object.properties.name = 'foobar.exe'
subject_object.properties.size_in_bytes = '35532'
subject_object.properties.hashes = HashList()
subject_object.properties.hashes.append(
Hash("8743b52063cd84097a65d1633f5c74f5"))
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object Dictionary for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = 'abcd.dll'
associated_object.properties.size_in_bytes = '123456'
associated_object.association_type = VocabString()
associated_object.association_type.value = 'output'
associated_object.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'
# Create the Action from another dictionary
action = MalwareAction()
action.name = VocabString()
def sha512(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha512 = value
def sha256(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha256 = value
class File(ObjectProperties):
_binding = file_binding
_binding_class = file_binding.FileObjectType
_namespace = 'http://cybox.mitre.org/objects#FileObject-2'
_XSI_NS = "FileObj"
_XSI_TYPE = "FileObjectType"
is_packed = fields.TypedField("is_packed")
is_masqueraded = fields.TypedField("is_masqueraded")
file_name = fields.TypedField("File_Name", String)
file_path = fields.TypedField("File_Path", FilePath)
device_path = fields.TypedField("Device_Path", String)
full_path = fields.TypedField("Full_Path", String)
file_extension = fields.TypedField("File_Extension", String)
size_in_bytes = fields.TypedField("Size_In_Bytes", UnsignedLong)
magic_number = fields.TypedField("Magic_Number", HexBinary)
file_format = fields.TypedField("File_Format", String)
hashes = fields.TypedField("Hashes", HashList)
digital_signatures = fields.TypedField("Digital_Signatures",
DigitalSignatureList)
modified_time = fields.TypedField("Modified_Time", DateTime)
accessed_time = fields.TypedField("Accessed_Time", DateTime)
created_time = fields.TypedField("Created_Time", DateTime)
# Subclasses must redefine these, since the abstract types
# cannot be instantiated.
file_attributes_list = fields.TypedField("File_Attributes_List",
FileAttribute) # abstract
permissions = fields.TypedField("Permissions", FilePermissions) # abstract
user_owner = fields.TypedField("User_Owner", String)
packer_list = fields.TypedField("Packer_List", PackerList)
peak_entropy = fields.TypedField("Peak_Entropy", Double)
sym_links = fields.TypedField("Sym_Links", SymLinksList)
byte_runs = fields.TypedField("Byte_Runs", ByteRuns)
extracted_features = fields.TypedField("Extracted_Features",
ExtractedFeatures)
encryption_algorithm = fields.TypedField("Encryption_Algorithm", String)
decryption_key = fields.TypedField("Decryption_Key", String)
compression_method = fields.TypedField("Compression_Method", String)
compression_version = fields.TypedField("Compression_Version", String)
compression_comment = fields.TypedField("Compression_Comment", String)
def __init__(self):
super(File, self).__init__()
self.is_packed = None
@property
def md5(self):
if self.hashes is None:
return None
return self.hashes.md5
@md5.setter
def md5(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.md5 = value
@property
def sha1(self):
if self.hashes is None:
return None
return self.hashes.sha1
@sha1.setter
def sha1(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha1 = value
@property
def sha224(self):
if self.hashes is None:
return None
return self.hashes.sha224
@sha224.setter
def sha224(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha224 = value
@property
def sha256(self):
if self.hashes is None:
return None
return self.hashes.sha256
@sha256.setter
def sha256(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha256 = value
@property
def sha384(self):
if self.hashes is None:
return None
return self.hashes.sha384
@sha384.setter
def sha384(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha384 = value
@property
def sha512(self):
if self.hashes is None:
return None
return self.hashes.sha512
@sha512.setter
def sha512(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha512 = value
@property
def size(self):
"""`size` is an alias for `size_in_bytes`"""
return self.size_in_bytes
@size.setter
def size(self, value):
"""`size` is an alias for `size_in_bytes`"""
self.size_in_bytes = value
def add_hash(self, hash_):
if hash_ is not None:
if self.hashes is None:
self.hashes = HashList()
self.hashes.append(hash_)
def test_round_trip(self):
hashlist_list = TEST_HASH_LIST
hashlist_obj = HashList.object_from_list(hashlist_list)
hashlist_list2 = HashList.list_from_object(hashlist_obj)
self.assertEqual(hashlist_list, hashlist_list2)
def tool_hashes(self):
if self._tool_hashes is None:
self._tool_hashes = HashList()
return self._tool_hashes
def ssdeep(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.ssdeep = value
def add_hash(self, hash_):
if hash_ is not None:
if self.hashes is None:
self.hashes = HashList()
self.hashes.append(hash_)
def map_attribtue(self, instance, attribute):
definition_name = attribute.definition.name
if hasattr(instance, definition_name.lower()):
setattr(instance, definition_name.lower(), attribute.value)
value = getattr(instance, definition_name.lower())
value.condition = self.get_condition(attribute)
else:
if 'hash' in definition_name:
if attribute.condition.value:
if attribute.condition.value:
if attribute.condition.value == "Equals":
exact = True
else:
exact = False
else:
exact = False
else:
exact = True
h = Hash(attribute.value, exact=exact)
h.condition = attribute.condition
if instance.hashes is None:
instance.hashes = HashList()
instance.hashes.append(h)
pass
elif 'email' in definition_name:
self.populate_email(instance, attribute)
elif definition_name == 'url':
instance.type_ = URI.TYPE_URL
instance.value = attribute.value
instance.value.condition = self.get_condition(attribute)
elif 'Full_Path' and isinstance(instance, Process):
# TODO: check why this is set?!?
pass
elif definition_name == 'WindowsRegistryKey_Key':
instance.key = attribute.value
instance.key.condition = self.get_condition(attribute)
elif definition_name == 'WindowsRegistryKey_Hive':
instance.hive = attribute.value
instance.hive.condition = self.get_condition(attribute)
elif 'WindowsRegistryKey_RegistryValue' in definition_name:
value = RegistryValue()
if definition_name == 'WindowsRegistryKey_RegistryValue_Data':
value.data = attribute.value
value.data.condition = self.get_condition(attribute)
elif definition_name == 'WindowsRegistryKey_RegistryValue_Data':
value.name = attribute.value
value.name.condition = self.get_condition(attribute)
if not instance.values:
instance.values = RegistryValues()
instance.values.append(value)
instance.data = attribute.value
elif definition_name == 'ipv4_addr':
instance.category = definition_name.replace('_', '-')
instance.address_value = attribute.value
instance.address_value.condition = self.get_condition(
attribute)
elif definition_name == 'DomainName_Value':
instance.value = attribute.value
elif definition_name == 'Raw_Artifact':
path = '{0}/{1}'.format(self.fh.get_base_path(),
attribute.value)
if isfile(path):
with open(path, 'r') as f:
bin_string = f.read()
instance.data = bin_string
# TODO find the corect type
instance.type_ = Artifact.TYPE_GENERIC
instance.packaging.append(Base64Encoding())
else:
instance.data = 'MIA'
instance.type_ = Artifact.TYPE_GENERIC
instance.packaging.append(Base64Encoding())
elif definition_name == 'content_type':
instance.type_ = attribute.value
elif definition_name == 'URIType':
instance.type_ = attribute.value
elif not attribute.definition.cybox_std:
self.add_custom_property(instance, attribute)
elif isinstance(instance,
NetworkConnection) and definition_name in [
'is_type', 'Port'
]:
# TODO: check why this is set?!?
pass
else:
raise Ce1susStixMapperException(
'Cannot map {1} on object type {0}'.format(
instance.__class__.__name__, definition_name))
def md5(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.md5 = value
def sha384(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha384 = value
