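def create_maec(inputfile, outpath, verbose_error_mode):
    """Convert a GFI Sandbox XML report into a MAEC Package written to ``outpath``.

    Args:
        inputfile: Path of the GFI Sandbox XML output to convert.
        outpath: Path of the MAEC XML file to write.
        verbose_error_mode: When truthy, the full traceback is printed on failure.

    Returns:
        None. Failures are reported on stdout rather than raised, so callers
        cannot tell success from failure by the return value.
    """
    if not os.path.isfile(inputfile):
        # A missing input used to be a silent no-op; report it instead.
        print('\nError: Input file %s does not exist or is not a regular file.' % inputfile)
        return

    # Create the main parser object
    parser = gparser.parser()

    try:
        # NOTE(review): the report is untrusted sandbox output; confirm that
        # gparser's XML loading does not resolve external entities.
        open_file = parser.open_file(inputfile)

        if not open_file:
            print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the GFI Sandbox output schema.')
            return

        # Parse the file to get the actions and processes
        parser.parse_document()

        # Create the MAEC package and add the single Malware Subject the parser built
        package = Package()
        package.add_malware_subject(parser.malware_subject)

        # Finally, export the results; the dict maps the tool's namespace URI to its prefix
        package.to_xml_file(outpath, {"https://github.com/MAECProject/gfi-sandbox-to-maec": "GFISandboxToMAEC"})

        # Parenthesized form parses under both Python 2 and 3
        print("Wrote to " + outpath)

    except Exception as err:
        # Best-effort CLI behaviour: report the error rather than propagate it;
        # the traceback is shown only when explicitly requested.
        print('\nError: %s\n' % str(err))
        if verbose_error_mode:
            traceback.print_exc()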
def merge_packages(package_list, output_file):
    '''Merge a list of input MAEC Packages and write them to an output Package file'''
    # Instantiate the ID generator class (for automatic ID generation)
    merged_ns = Namespace("https://github.com/MAECProject/python-maec", "merged")
    maec.utils.set_id_namespace(merged_ns)
    # Gather every Malware Subject from every input Package, in input order
    all_subjects = [
        subject
        for package in package_list
        for subject in package.malware_subjects
    ]
    # Merge the Malware Subjects
    merged = merge_malware_subjects(all_subjects)
    # Create a new Package holding the merged Malware Subjects and write it out
    out_package = Package()
    out_package.malware_subjects = MalwareSubjectList(merged)
    out_package.to_xml_file(output_file, {"https://github.com/MAECProject/python-maec":"merged"})
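def create_maec(inputfile, outpath, verbose_error_mode, options):
    """Convert an Anubis XML report into a MAEC Package written to ``outpath``.

    Args:
        inputfile: Path of the Anubis XML output to convert.
        outpath: Path of the MAEC XML file to write.
        verbose_error_mode: When truthy, the full traceback is printed on failure.
        options: Object with ``normalize_bundles``, ``deduplicate_bundles`` and
            ``dereference_bundles`` attributes, or a falsy value to skip all
            bundle post-processing.

    Returns:
        None. Failures are reported on stdout rather than raised, so callers
        cannot tell success from failure by the return value.
    """
    if not os.path.isfile(inputfile):
        # A missing input used to be a silent no-op; report it instead.
        print('\nError: Input file %s does not exist or is not a regular file.' % inputfile)
        return

    # Create the main parser object
    parser = anparser.parser()

    try:
        # NOTE(review): the report is untrusted sandbox output; confirm that
        # anparser's XML loading does not resolve external entities.
        open_file = parser.open_file(inputfile)

        if not open_file:
            print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the Anubis output schema.')
            return

        # Parse the file to get the actions and processes
        parser.parse_document()

        # Create the MAEC package
        package = Package()

        # Add every Malware Subject the parser produced, applying the optional
        # bundle post-processing steps in their original order
        for subject in parser.maec_subjects:
            package.add_malware_subject(subject)

            if options:
                if options.normalize_bundles:
                    subject.normalize_bundles()
                if options.deduplicate_bundles:
                    subject.deduplicate_bundles()
                if options.dereference_bundles:
                    subject.dereference_bundles()

        # Finally, export the results; the dict maps the tool's namespace URI to its prefix
        package.to_xml_file(outpath,
            {"https://github.com/MAECProject/anubis-to-maec": "AnubisToMAEC"})

        # Parenthesized form parses under both Python 2 and 3
        print("Wrote to " + outpath)

    except Exception as err:
        # Best-effort CLI behaviour: report the error rather than propagate it;
        # the traceback is shown only when explicitly requested.
        print('\nError: %s\n' % str(err))
        if verbose_error_mode:
            traceback.print_exc()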
from maec.package.malware_subject import MalwareSubject
from maec.package.package import Package
from maec.id_generator import Generator
from maec.utils import MAECNamespaceParser
from cybox.core.object import Object 
from cybox.core.associated_object import AssociatedObject

# Instantiate the ID generator class (for automatic ID generation) with our example namespace
generator = Generator('example1')

# NOTE(review): Bundle, Analysis and MalwareAction are not imported in the
# visible header above — confirm they are brought into scope elsewhere.
# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(id=generator.generate_bundle_id(), defined_subject=False)
package = Package(id=generator.generate_package_id())
subject = MalwareSubject(id=generator.generate_malware_subject_id())
analysis = Analysis(id=generator.generate_analysis_id())

# Describe the malware instance (the sample itself) as a dictionary, then
# set it as the Malware Instance Object Attributes via Object.from_dict
subject_object_dict = {
    'id': generator.generate_object_id(),
    'properties': {
        'xsi:type': 'FileObjectType',
        'name': 'foobar.exe',
        'size_in_bytes': '35532',
    },
}
subject.set_malware_instance_object_attributes(Object.from_dict(subject_object_dict))

# Describe the file the Action produces ("output" association) as a dictionary
associated_object_dict = {
    'id': generator.generate_object_id(),
    'properties': {
        'xsi:type': 'FileObjectType',
        'file_name': 'abcd.dll',
        'size_in_bytes': '12346',
    },
    'association_type': {
        'value': 'output',
        'xsi:type': 'maecVocabs:ActionObjectAssociationTypeVocab-1.0',
    },
}

# Build the "create file" Action from a dictionary that embeds the associated object
action = MalwareAction.from_dict({
    'id': generator.generate_malware_action_id(),
    'name': {
        'value': 'create file',
        'xsi:type': 'maecVocabs:FileActionNameVocab-1.0',
    },
    'associated_objects': [associated_object_dict],
})

# Wire the pieces together: Action -> Bundle -> Malware Subject -> Package
bundle.add_action(action)
subject.add_findings_bundle(bundle)
package.add_malware_subject(subject)

# Export the Package to an XML file; no explicit namespace/prefix mapping is
# passed in this call
package.to_xml_file('example1.xml')
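# Root process of the tree (the sample's own process)
p_node.pid = 3408
p_node.name = "word.exe"

# Child process spawned by the root
P2 = ProcessTreeNode()
P2.pid = 3768
P2.parent_pid = 3408
P2.name = "SenPen.exe"

p_node.add_spawned_process(P2)

# Build the ProcessTree with p_node as its root
p_tree = ProcessTree()
p_tree.set_root_process(p_node)

# Add the MalwareSubject to the Package
package.add_malware_subject(subject)
# Add the Action and the ProcessTree to the Bundle
bundle.add_action(act1)
bundle.set_process_tree(p_tree)
# Add the Bundle and the Analysis to the Malware Subject
subject.add_findings_bundle(bundle)
subject.add_analysis(analysis)

# Export the Package to an XML file, mapping the LIFT-S namespace URI to its prefix
package.to_xml_file('MalAnalyze_seminor.xml', {"http://LIFT-S.com/":"LIFT-S"})
# Name the file actually written (the message previously claimed sample_maec_package.xml);
# parenthesized form parses under both Python 2 and 3
print("Wrote to MalAnalyze_seminor.xml")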
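# Remaining attributes of the fourth child process
P4.parent_pid = 5128
P4.name = "reg.exe"

# Attach the three child processes to the root
p_node.add_spawned_process(P2)
p_node.add_spawned_process(P3)
p_node.add_spawned_process(P4)

# Build the ProcessTree with p_node as its root
p_tree = ProcessTree()
p_tree.set_root_process(p_node)

# Add the MalwareSubject to the Package
package.add_malware_subject(subject)
# Add both Actions and the ProcessTree to the Bundle
bundle.add_action(act1)
bundle.add_action(act2)
bundle.set_process_tree(p_tree)
# Add the Bundle and the Analysis to the Malware Subject
subject.add_findings_bundle(bundle)
subject.add_analysis(analysis)

# Export the Package to an XML file, mapping the LIFT-S namespace URI to its prefix
package.to_xml_file('MalAnalyze_ShinoBOT.xml', {"http://LIFT-S.com/":"LIFT-S"})
# Name the file actually written (the message previously claimed sample_maec_package.xml);
# parenthesized form parses under both Python 2 and 3
print("Wrote to MalAnalyze_ShinoBOT.xml")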
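# Set the Malware Instance Object Attributes from the object built above
subject.set_malware_instance_object_attributes(subject_object)
# Build the Associated Object for the Action directly from the API classes
# (the File is marked as an "output" of the action)
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = "abcd.dll"
associated_object.properties.size_in_bytes = "123456"
associated_object.association_type = AssociationType()
associated_object.association_type.value = "output"
associated_object.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
# Build the Action; its name is typed with the MAEC file-action vocabulary
action = MalwareAction()
action.name = "create file"
action.name.xsi_type = "maecVocabs:FileActionNameVocab-1.0"
action.associated_objects = AssociatedObjects()
action.associated_objects.append(associated_object)
# Add the Action to the Bundle
bundle.add_action(action)
# Build the Capability and add it to the Bundle
capability = Capability()
capability.name = "persistence"
bundle.add_capability(capability)
# Add the Bundle to the Malware Subject, then the Malware Subject to the Package
subject.add_findings_bundle(bundle)
package.add_malware_subject(subject)
# Export the Package to an XML file, mapping the example namespace URI to its prefix
package.to_xml_file("sample_maec_package.xml", {"http://example.com/": "example"})
# Parenthesized form parses under both Python 2 and 3
print("Wrote to sample_maec_package.xml")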