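def create_maec(inputfile, outpath, verbose_error_mode):
    """Convert a GFI Sandbox XML report into a MAEC Package XML file.

    Args:
        inputfile: path of the GFI Sandbox XML report to convert.
        outpath: path of the MAEC XML file to write.
        verbose_error_mode: when true, the full traceback is printed after
            the one-line error message.

    Returns:
        None. Problems are reported on stdout rather than raised, so a
        caller cannot tell success from failure by the return value.
    """
    if not os.path.isfile(inputfile):
        # A missing or non-regular input path used to return silently;
        # tell the user instead so a typo is not mistaken for success.
        print('\nError: Input file "%s" does not exist or is not a regular file.\n' % inputfile)
        return
    # Create the main parser object
    parser = gparser.parser()
    try:
        # open_file() returns a falsy value when the report cannot be parsed
        if not parser.open_file(inputfile):
            print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the GFI Sandbox output schema.')
            return
        # Parse the file to get the actions and processes
        parser.parse_document()
        # Create the MAEC package and attach the single parsed Malware Subject
        package = Package()
        package.add_malware_subject(parser.malware_subject)
        # Export the results, declaring this converter's namespace prefix
        package.to_xml_file(outpath, {"https://github.com/MAECProject/gfi-sandbox-to-maec": "GFISandboxToMAEC"})
        print("Wrote to " + outpath)
    except Exception as err:
        # CLI boundary: report the failure instead of letting it propagate
        print('\nError: %s\n' % str(err))
        if verbose_error_mode:
            traceback.print_exc()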
def merge_packages(package_list, output_file):
    '''Merge a list of input MAEC Packages and write them to an output Package file'''
    # Every ID minted during the merge is issued under the "merged" namespace
    merged_ns = Namespace("https://github.com/MAECProject/python-maec", "merged")
    maec.utils.set_id_namespace(merged_ns)
    # Flatten the Malware Subjects of all input Packages into a single list
    all_subjects = [
        subject
        for package in package_list
        for subject in package.malware_subjects
    ]
    # Collapse duplicate subjects, then wrap the result in a fresh Package
    merged_subjects = merge_malware_subjects(all_subjects)
    merged_package = Package()
    merged_package.malware_subjects = MalwareSubjectList(merged_subjects)
    # Serialize the merged Package, declaring the namespace used for its IDs
    merged_package.to_xml_file(output_file, {"https://github.com/MAECProject/python-maec":"merged"})
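def create_maec(inputfile, outpath, verbose_error_mode, options):
    """Convert an Anubis XML report into a MAEC Package XML file.

    Args:
        inputfile: path of the Anubis XML report to convert.
        outpath: path of the MAEC XML file to write.
        verbose_error_mode: when true, the full traceback is printed after
            the one-line error message.
        options: object with boolean attributes ``normalize_bundles``,
            ``deduplicate_bundles`` and ``dereference_bundles`` selecting
            per-subject post-processing, or a falsy value to skip it.

    Returns:
        None. Problems are reported on stdout rather than raised, so a
        caller cannot tell success from failure by the return value.
    """
    if not os.path.isfile(inputfile):
        # A missing or non-regular input path used to return silently;
        # tell the user instead so a typo is not mistaken for success.
        print('\nError: Input file "%s" does not exist or is not a regular file.\n' % inputfile)
        return
    # Create the main parser object
    parser = anparser.parser()
    try:
        # open_file() returns a falsy value when the report cannot be parsed
        if not parser.open_file(inputfile):
            print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the Anubis output schema.')
            return
        # Parse the file to get the actions and processes
        parser.parse_document()
        # Create the MAEC package and attach every parsed Malware Subject
        package = Package()
        for subject in parser.maec_subjects:
            package.add_malware_subject(subject)
            if options:
                # Optional bundle post-processing, applied per subject
                if options.normalize_bundles:
                    subject.normalize_bundles()
                if options.deduplicate_bundles:
                    subject.deduplicate_bundles()
                if options.dereference_bundles:
                    subject.dereference_bundles()
        # Export the results, declaring this converter's namespace prefix
        package.to_xml_file(outpath, {"https://github.com/MAECProject/anubis-to-maec": "AnubisToMAEC"})
        print("Wrote to " + outpath)
    except Exception as err:
        # CLI boundary: report the failure instead of letting it propagate
        print('\nError: %s\n' % str(err))
        if verbose_error_mode:
            traceback.print_exc()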
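from maec.package.malware_subject import MalwareSubject
from maec.package.package import Package
from maec.id_generator import Generator
from maec.utils import MAECNamespaceParser
from cybox.core.object import Object
from cybox.core.associated_object import AssociatedObject
# Bundle, Analysis and MalwareAction are used below but were not imported,
# so running this example on its own raised NameError.
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.package.analysis import Analysis

# Instantiate the ID generator class (for automatic ID generation) with our
# example namespace. IDs are handed out in call order, so the order of the
# generate_*_id() calls below determines the IDs in the output.
generator = Generator('example1')

# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(id=generator.generate_bundle_id(), defined_subject=False)
package = Package(id=generator.generate_package_id())
subject = MalwareSubject(id=generator.generate_malware_subject_id())
# NOTE(review): analysis is created but never attached to the subject, so it
# does not appear in example1.xml; subject.add_analysis(analysis) would add it.
analysis = Analysis(id=generator.generate_analysis_id())

# Create the Subject Object Dictionary for use in the Malware Instance Object
# Attributes: the file the malware instance itself is identified by
subject_object_dict = {
    'id': generator.generate_object_id(),
    'properties': {
        'xsi:type': 'FileObjectType',
        'name': 'foobar.exe',
        'size_in_bytes': '35532',
    },
}

# Set the Malware Instance Object Attributes with an Object constructed from
# the dictionary
subject.set_malware_instance_object_attributes(Object.from_dict(subject_object_dict))

# Create the Associated Object Dictionary for use in the Action: the file the
# action produced, marked as its "output"
associated_object_dict = {
    'id': generator.generate_object_id(),
    'properties': {
        'xsi:type': 'FileObjectType',
        'file_name': 'abcd.dll',
        'size_in_bytes': '12346',
    },
    'association_type': {
        'value': 'output',
        'xsi:type': 'maecVocabs:ActionObjectAssociationTypeVocab-1.0',
    },
}

# Create the Action from another dictionary
action = MalwareAction.from_dict({
    'id': generator.generate_malware_action_id(),
    'name': {
        'value': 'create file',
        'xsi:type': 'maecVocabs:FileActionNameVocab-1.0',
    },
    'associated_objects': [associated_object_dict],
})

# Add the Action to the Bundle
bundle.add_action(action)

# Add the Bundle to the Malware Subject
subject.add_findings_bundle(bundle)

# Add the Malware Subject to the Package
package.add_malware_subject(subject)

# Export the Package to an XML file (no explicit namespace mapping is passed here)
package.to_xml_file('example1.xml')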
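p_node.pid = 3408
p_node.name = "word.exe"

# Child process settings (spawned by p_node)
P2 = ProcessTreeNode()
P2.pid = 3768
P2.parent_pid = 3408
P2.name = "SenPen.exe"
p_node.add_spawned_process(P2)

# Process tree settings: p_node is the root of the tree
p_tree = ProcessTree()
p_tree.set_root_process(p_node)

# Check
#p_tree.to_xml_file('ProcessTree.xml', {"http://LIFT-S.com/":"LIFT-S"})

# Add the Malware Subject to the Package
package.add_malware_subject(subject)

# Add the Action and the process tree to the Bundle
bundle.add_action(act1)
bundle.set_process_tree(p_tree)

# Add the Bundle and the Analysis to the Malware Subject
subject.add_findings_bundle(bundle)
subject.add_analysis(analysis)

# Export the Package to an XML file, declaring the LIFT-S namespace prefix.
# The output name is held in one place so the confirmation message below
# cannot drift from the file actually written (it previously claimed
# sample_maec_package.xml).
output_path = 'MalAnalyze_seminor.xml'
package.to_xml_file(output_path, {"http://LIFT-S.com/":"LIFT-S"})
print("Wrote to " + output_path)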
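P4.parent_pid = 5128
P4.name = "reg.exe"
# Register all three children as spawned by p_node
p_node.add_spawned_process(P2)
p_node.add_spawned_process(P3)
p_node.add_spawned_process(P4)

# Process tree settings: p_node is the root of the tree
p_tree = ProcessTree()
p_tree.set_root_process(p_node)

# Check
#p_tree.to_xml_file('ProcessTree.xml', {"http://LIFT-S.com/":"LIFT-S"})

# Add the Malware Subject to the Package
package.add_malware_subject(subject)

# Add both Actions and the process tree to the Bundle
bundle.add_action(act1)
bundle.add_action(act2)
bundle.set_process_tree(p_tree)

# Add the Bundle and the Analysis to the Malware Subject
subject.add_findings_bundle(bundle)
subject.add_analysis(analysis)

# Export the Package to an XML file, declaring the LIFT-S namespace prefix.
# The output name is held in one place so the confirmation message below
# cannot drift from the file actually written (it previously claimed
# sample_maec_package.xml).
output_path = 'MalAnalyze_ShinoBOT.xml'
package.to_xml_file(output_path, {"http://LIFT-S.com/":"LIFT-S"})
print("Wrote to " + output_path)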
# Set the Malware Instance Object Attributes with an Object constructed earlier
subject.set_malware_instance_object_attributes(subject_object)

# Build the Associated Object for the Action (attribute by attribute, not from
# a dictionary): a File marked as the action's "output"
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = "abcd.dll"
associated_object.properties.size_in_bytes = "123456"
associated_object.association_type = AssociationType()
associated_object.association_type.value = "output"
associated_object.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"

# Build the Action; its name is assigned first, then its vocabulary type
action = MalwareAction()
action.name = "create file"
action.name.xsi_type = "maecVocabs:FileActionNameVocab-1.0"
action.associated_objects = AssociatedObjects()
action.associated_objects.append(associated_object)

# Add the Action to the Bundle
bundle.add_action(action)

# Build the Capability (only its name is set here)
capability = Capability()
capability.name = "persistence"

# Add the Capability to the Bundle
bundle.add_capability(capability)

# Add the Bundle to the Malware Subject
subject.add_findings_bundle(bundle)

# Add the Malware Subject to the Package
package.add_malware_subject(subject)

# Export the Package to an XML file, declaring the example namespace prefix
package.to_xml_file("sample_maec_package.xml", {"http://example.com/": "example"})
print "Wrote to sample_maec_package.xml"