def test_parsers_descriptions(make_sample_parser):
registry.clear()
parser_path, config_path = make_sample_parser()
source = os.path.abspath(str(parser_path.dirname))
mwcp.register_parser_directory(source, config_file_path=str(config_path))
# Test bogus
descriptions = list(mwcp.get_parser_descriptions('bogus'))
assert descriptions == []
# Test config only
descriptions = list(mwcp.get_parser_descriptions())
assert descriptions == [('Sample', source, 'Mr. Tester', 'A test parser')]
descriptions = list(mwcp.get_parser_descriptions('Sample'))
assert descriptions == [('Sample', source, 'Mr. Tester', 'A test parser')]
descriptions = list(mwcp.get_parser_descriptions(source=source))
assert descriptions == [('Sample', source, 'Mr. Tester', 'A test parser')]
# Test all non-config only
descriptions = list(
mwcp.get_parser_descriptions('Sample', config_only=False))
assert descriptions == [('Sample', source, 'Mr. Tester', 'A test parser')]
descriptions = list(mwcp.get_parser_descriptions(config_only=False))
assert descriptions == [
('Sample', source, 'Mr. Tester', 'A test parser'),
('Sample.Downloader', source, '', 'TestParser Downloader'),
('Sample.Implant', source, '', 'TestParser Implant'),
]
descriptions = list(
mwcp.get_parser_descriptions('Sample.Downloader', config_only=False))
assert descriptions == [('Sample.Downloader', source, '',
'TestParser Downloader')]
descriptions = list(
mwcp.get_parser_descriptions(source=source, config_only=False))
assert descriptions == [
('Sample', source, 'Mr. Tester', 'A test parser'),
('Sample.Downloader', source, '', 'TestParser Downloader'),
('Sample.Implant', source, '', 'TestParser Implant'),
]
# Test using ":" syntax
descriptions = list(
mwcp.get_parser_descriptions(':Sample', config_only=False))
assert descriptions == [('Sample', source, 'Mr. Tester', 'A test parser')]
descriptions = list(
mwcp.get_parser_descriptions(source + ':', config_only=False))
assert descriptions == [
('Sample', source, 'Mr. Tester', 'A test parser'),
('Sample.Downloader', source, '', 'TestParser Downloader'),
('Sample.Implant', source, '', 'TestParser Implant'),
]
def test_parsers_descriptions(monkeypatch, test_parser):
monkeypatch.setattr('mwcp.parsers._PARSERS', collections.defaultdict(dict))
mwcp.register_parser_directory(os.path.dirname(test_parser))
descriptions = list(mwcp.get_parser_descriptions('test_parser'))
assert len(descriptions) == 1
assert descriptions[0] == ('test_parser', os.path.dirname(test_parser),
'Mr. Tester', 'A test parser')
def list_(all_, json_):
"""Lists registered malware config parsers."""
descriptions = mwcp.get_parser_descriptions(config_only=not all_)
if json_:
print(json.dumps(descriptions, indent=4))
else:
print(tabulate.tabulate(descriptions, headers=['NAME', 'SOURCE', 'AUTHOR', 'DESCRIPTION']))
def list_(all_, json_):
"""Lists registered malware config parsers."""
descriptions = mwcp.get_parser_descriptions(config_only=not all_)
if json_:
print(json.dumps(descriptions, indent=4))
else:
print(tabulate.tabulate(descriptions, headers=["NAME", "SOURCE", "AUTHOR", "DESCRIPTION"]))
def _print_parsers(json_output=False, config_only=True):
"""
Prints a table of registered parsers to stdout.
:param json_output: Print json
:param config_only: Whether to only print parsers listed in configuration file.
"""
descriptions = mwcp.get_parser_descriptions(config_only=config_only)
if json_output:
print(json.dumps(descriptions, indent=4))
else:
print(tabulate.tabulate(descriptions, headers=['NAME', 'SOURCE', 'AUTHOR', 'DESCRIPTION']))
def descriptions():
"""
List descriptions of parser modules
"""
try:
response.content_type = "application/json"
return json.dumps(mwcp.get_parser_descriptions(), indent=4)
except Exception:
output = {'errors': [traceback.format_exc()]}
logger.error("descriptions %s" % (traceback.format_exc()))
return output
def descriptions():
"""
List descriptions of parser modules
"""
try:
response.content_type = "application/json"
return json.dumps(mwcp.get_parser_descriptions(), indent=4)
except Exception:
output = {'errors': [traceback.format_exc()]}
logger.error("descriptions %s" % (traceback.format_exc()))
return output
def descriptions():
"""
List descriptions of parser modules.
This is for backwards compatibility purposes.
Always a JSON response.
"""
return f.jsonify(
[
(parser_info.name, parser_info.author, parser_info.description)
for parser_info in mwcp.get_parser_descriptions()
]
)
def _print_parsers(json_output=False, config_only=True):
"""
Prints a table of registered parsers to stdout.
:param json_output: Print json
:param config_only: Whether to only print parsers listed in configuration file.
"""
descriptions = mwcp.get_parser_descriptions(config_only=config_only)
if json_output:
print(json.dumps(descriptions, indent=4))
else:
print(
tabulate.tabulate(
descriptions,
headers=['NAME', 'SOURCE', 'AUTHOR', 'DESCRIPTION']))
def descriptions():
"""
List descriptions of parser modules
"""
try:
response.content_type = "application/json"
reporter = mwcp.Reporter(base64outputfiles=True,
disableoutputfiles=True,
parserdir=PARSERDIR)
return json.dumps(mwcp.get_parser_descriptions(), indent=4)
except Exception:
output = {'errors': [traceback.format_exc()]}
logger.error("descriptions %s" % (traceback.format_exc()))
return output
def _print_parsers(json_output=False):
"""
Prints a table of registered parsers to stdout.
:param json_output: Print json
"""
descriptions = mwcp.get_parser_descriptions()
if json_output:
print(json.dumps(descriptions, indent=4))
else:
# TODO: Use a library like tabulate to print this.
format = '%-25s %-50s %-15s %s'
print(format % ('NAME', 'SOURCE', 'AUTHOR', 'DESCRIPTION'))
print('-' * 150)
for name, source, author, description in descriptions:
print(format % (name, source, author, description))
def load_mwcp_parsers() -> Tuple[Dict[str, str], ModuleType]:
if not process_cfg.mwcp.enabled:
return {}, False
# Import All config parsers
try:
import mwcp
logging.getLogger("mwcp").setLevel(logging.CRITICAL)
mwcp.register_parser_directory(
os.path.join(CUCKOO_ROOT, process_cfg.mwcp.modules_path))
_malware_parsers = {
block.name.rsplit(".", 1)[-1]: block.name
for block in mwcp.get_parser_descriptions(config_only=False)
}
assert "MWCP_TEST" in _malware_parsers
return _malware_parsers, mwcp
except ImportError as e:
log.info("Missed MWCP -> pip3 install mwcp\nDetails: %s", e)
return {}, False
def parsers_list():
"""
List of configured parsers with names, sources, authors, and descriptions.
Normally an HTML table, but if `application/json` is the best mimetype set
in the `Accept` header, the response will be in JSON.
"""
name_filter = f.request.args.get("name", type=str)
source_filter = f.request.args.get("source", type=str)
headers = ("Name", "Source", "Author", "Description")
parsers_info = mwcp.get_parser_descriptions(name=name_filter, source=source_filter)
if f.request.accept_mimetypes.best == "application/json":
return f.jsonify(
{"parsers": [parser_info._asdict() for parser_info in parsers_info]}
)
f.g.title = "Parsers"
return f.render_template("parsers.html", headers=headers, parsers=parsers_info)
# first, import mwcp
import mwcp
# create an instance of the Reporter class
reporter = mwcp.Reporter()
"""
The Reporter object is the primary DC3-MWCP framework object, containing most input and output data
and controlling execution of the parser modules.
The most common parameters to provide are parserdir and resourcedir, depending upon your installation.
"""
# view location of resource and parser directories
print(reporter.parserdir)
# view available parsers
print(mwcp.get_parser_descriptions())
# run the dummy config parser, view the output
reporter.run_parser("foo", "README.md")
# alternate, run on provided buffer:
reporter.run_parser("foo", data=b"lorem ipsum")
# Print results.
reporter.print_report()
# access output files
for filename in reporter.outputfiles:
print("%s: %i bytes" % (reporter.outputfiles[filename]['path'],
len(reporter.outputfiles[filename]['data'])))
def parsers():
yield mwcp.get_parser_descriptions()
import tempfile
import hashlib
import subprocess
from io import BytesIO
from collections import Mapping, Iterable
from lib.cuckoo.common.config import Config
from lib.cuckoo.common.constants import CUCKOO_ROOT
from lib.cuckoo.common.objects import CAPE_YARA_RULEPATH, File
malware_parsers = {}
#Import All config parsers
try:
import mwcp
mwcp.register_parser_directory(os.path.join(CUCKOO_ROOT, "modules", "processing", "parsers", "mwcp"))
malware_parsers = {block.name.split(".")[-1]:block.name for block in mwcp.get_parser_descriptions(config_only=False)}
HAS_MWCP = True
#disable logging
#[mwcp.parser] WARNING: Missing identify() function for: a35a622d01f83b53d0407a3960768b29.Emotet.Emotet
except ImportError as e:
HAS_MWCP = False
print("Missed MWCP -> pip3 install git+https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP\nDetails: {}".format(e))
try:
from malwareconfig import fileparser
from malwareconfig.modules import __decoders__, __preprocessors__
HAS_MALWARECONFIGS = True
except ImportError:
HAS_MALWARECONFIGS = False
print("Missed RATDecoders -> pip3 install git+https://github.com/kevthehermit/RATDecoders")
from lib.cuckoo.common.config import Config
from lib.cuckoo.common.constants import CUCKOO_ROOT
from lib.cuckoo.common.objects import CAPE_YARA_RULEPATH, File
log = logging.getLogger(__name__)
malware_parsers = dict()
cape_malware_parsers = dict()
#Import All config parsers
try:
import mwcp
mwcp.register_parser_directory(
os.path.join(CUCKOO_ROOT, "modules", "processing", "parsers", "mwcp"))
malware_parsers = {
block.name.split(".")[-1]: block.name
for block in mwcp.get_parser_descriptions(config_only=False)
}
HAS_MWCP = True
#disable logging
#[mwcp.parser] WARNING: Missing identify() function for: a35a622d01f83b53d0407a3960768b29.Emotet.Emotet
except ImportError as e:
HAS_MWCP = False
log.info(
"Missed MWCP -> pip3 install git+https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP\nDetails: {}"
.format(e))
try:
from malwareconfig import fileparser
from malwareconfig.modules import __decoders__, __preprocessors__
HAS_MALWARECONFIGS = True
def upload():
"""Upload page"""
f.g.title = "Upload"
parsers_info = mwcp.get_parser_descriptions()
return f.render_template("upload.html", parsers=parsers_info)
