Example #1
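    def semiInvertedOnInvertedSearch(self, data, message):
        """Search the message for ``data`` reversed and then pair-swapped.

        ``data`` is reversed, then every two adjacent characters of the
        reversed string are swapped. The resulting pattern is looked up at
        every offset of ``message.getStringData()``; overlapping hits are all
        reported.

        Args:
            data: the string to look for (indexed and sliced as a ``str``).
            message: object exposing ``getStringData()``.

        Returns:
            A list with one ``SearchResult`` per matching offset, each holding
            a single segment ``(offset, len(pattern))``. Empty when nothing
            matches.
        """
        results = []
        reversedData = data[::-1]

        # Swap each adjacent pair. A trailing unpaired character (odd-length
        # input) is emitted exactly once: slicing yields a 1-char chunk whose
        # reversal is itself. The previous code appended that character a
        # second time after the loop, so odd-length input produced a pattern
        # one character too long and the search was run on the wrong value.
        invData = "".join(
            reversedData[i:i + 2][::-1] for i in range(0, len(reversedData), 2)
        )

        # Read the payload once instead of on every loop iteration.
        messageData = message.getStringData()
        width = len(invData)

        # Slide a window of the pattern's width over the whole payload.
        for indice in range(len(messageData) - width + 1):
            if messageData[indice:indice + width] == invData:
                searchResult = SearchResult(
                    message, "4bytes inverted on inverted search")
                searchResult.addSegment(indice, width)
                results.append(searchResult)

        return results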
Example #2
    def naturalSearch(self, data, message):
        """Locate every occurrence of ``data``, unmodified, in the message.

        The payload returned by ``message.getStringData()`` is scanned offset
        by offset, so overlapping occurrences are each reported.

        Args:
            data: the value to look for.
            message: object exposing ``getStringData()``.

        Returns:
            A list of ``SearchResult`` objects labelled "Natural search", one
            per matching offset, each with a segment ``(offset, len(data))``.
        """
        haystack = message.getStringData()
        needleLen = len(data)
        hits = []

        # A negative range (needle longer than the payload) simply yields no
        # iterations, which mirrors the original loop condition.
        for offset in range(len(haystack) - needleLen + 1):
            if haystack[offset:offset + needleLen] != data:
                continue
            hit = SearchResult(message, "Natural search")
            hit.addSegment(offset, needleLen)
            hits.append(hit)

        return hits
Example #3
    def naturalSearch(self, data, message):
        """Locate every occurrence of ``data``, unmodified, in the message.

        Uses ``find`` on ``message.getStringData()`` and restarts one position
        after each hit, so overlapping occurrences are each reported.

        Args:
            data: the value to look for.
            message: object exposing ``getStringData()``.

        Returns:
            A list of ``SearchResult`` objects labelled "Natural search", one
            per hit, each with a segment ``(offset, len(data))``.
        """
        # The debug line records the searched value and the whole message
        # payload; debug logs of captured traffic therefore hold the same
        # content as the capture itself and need the same access control.
        self.log.debug("Natural search of {0} in {1}".format(data, message.getStringData()))

        haystack = message.getStringData()
        hits = []
        start = 0
        while True:
            offset = haystack.find(data, start)
            if offset < 0:
                break
            hit = SearchResult(message, "Natural search")
            hit.addSegment(offset, len(data))
            hits.append(hit)
            # Advance by one (not by len(data)) to keep overlapping matches.
            start = offset + 1

        return hits
Example #4
    def naturalSearch(self, data, message):
        """Return one SearchResult per occurrence of ``data`` in the message.

        The payload from ``message.getStringData()`` is searched with
        ``find``; the next search starts one position after the previous hit,
        which keeps overlapping occurrences.

        Args:
            data: the value to look for.
            message: object exposing ``getStringData()``.

        Returns:
            A list of ``SearchResult`` objects labelled "Natural search", each
            with a segment ``(offset, len(data))``; empty when there is no hit.
        """
        # Both the searched value and the full payload end up in the debug
        # log, so that log is as sensitive as the captured messages.
        debugLine = "Natural search of {0} in {1}".format(
            data, message.getStringData())
        self.log.debug(debugLine)

        payload = message.getStringData()
        segmentLength = len(data)
        found = []

        position = payload.find(data, 0)
        while position != -1:
            entry = SearchResult(message, "Natural search")
            entry.addSegment(position, segmentLength)
            found.append(entry)
            position = payload.find(data, position + 1)

        return found
Example #5
    def inversedSearch(self, data, message):
        """Locate every occurrence of ``data`` reversed in the message.

        ``data`` is reversed character by character and the result is compared
        against every window of ``message.getStringData()``; overlapping
        occurrences are each reported.

        Args:
            data: the value to look for; it is reversed before searching.
            message: object exposing ``getStringData()``.

        Returns:
            A list of ``SearchResult`` objects labelled "Inverted search", one
            per matching offset, each with a segment ``(offset, len(data))``.
        """
        needle = data[::-1]
        needleLen = len(needle)
        haystack = message.getStringData()
        hits = []

        # An empty range covers the case where the needle is longer than the
        # payload, as the original loop condition did.
        for offset in range(len(haystack) - needleLen + 1):
            window = haystack[offset:offset + needleLen]
            if window == needle:
                hit = SearchResult(message, "Inverted search")
                hit.addSegment(offset, needleLen)
                hits.append(hit)

        return hits
Example #6
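    def semiInvertedOnNaturalSearch(self, data, message):
        """Search the message for ``data`` with each adjacent pair swapped.

        Every two adjacent characters of ``data`` are swapped ("abcd" becomes
        "badc") and the resulting pattern is looked up at every offset of
        ``message.getStringData()``; overlapping hits are all reported.

        Args:
            data: the string to look for (indexed and sliced as a ``str``).
            message: object exposing ``getStringData()``.

        Returns:
            A list with one ``SearchResult`` per matching offset, each holding
            a single segment ``(offset, len(pattern))``. Empty when nothing
            matches.
        """
        results = []

        # Swap each adjacent pair. A trailing unpaired character (odd-length
        # input) is emitted exactly once: slicing yields a 1-char chunk whose
        # reversal is itself. The previous code appended that character a
        # second time after the loop, so odd-length input produced a pattern
        # one character too long and the search was run on the wrong value.
        invData = "".join(
            data[i:i + 2][::-1] for i in range(0, len(data), 2)
        )

        # Read the payload once instead of on every loop iteration.
        messageData = message.getStringData()
        width = len(invData)

        # Slide a window of the pattern's width over the whole payload.
        for indice in range(len(messageData) - width + 1):
            if messageData[indice:indice + width] == invData:
                searchResult = SearchResult(message, "4bytes inverted on natural search")
                searchResult.addSegment(indice, width)
                results.append(searchResult)

        return results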
Example #7
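    def execute(self, symbol):
        """Carve URLs, e-mail addresses and IPv4 addresses out of messages.

        Each message's reduced string data is converted with
        ``TypeConvertor.netzobRawToString`` and scanned with three regular
        expressions ("url", "email", "ip").

        Args:
            symbol: the symbol to analyse, or ``None`` to analyse every symbol
                returned by ``self.project.getVocabulary().getSymbols()``.

        Returns:
            A list with one entry per analysed symbol. Each entry is the list
            of ``SearchTask`` objects (one per carver) that produced at least
            one match for that symbol.
        """
        if symbol is not None:
            toBeAnalyzed = [symbol]
        else:
            toBeAnalyzed = list(self.project.getVocabulary().getSymbols())

        # Compiled once, outside the per-symbol loop. Raw strings keep the
        # patterns byte-identical while avoiding invalid-escape warnings.
        # Carving caveats visible in the patterns themselves:
        #   * character classes are lower-case only and no IGNORECASE flag is
        #     set, so upper-case hosts or addresses are not reported;
        #   * the "ip" pattern has no boundary anchors, so it can match inside
        #     a longer run of digits and dots.
        # Treat hits as candidates to review, not as a complete inventory.
        # TODO: put these patterns in a dedicated class
        infoCarvers = {
            'url': re.compile(r"((http:\/\/|https:\/\/)?(www\.)?(([a-z0-9\-]){2,}\.){1,4}([a-z]){2,6}(\/([a-z\-_\/\.0-9#:?+%=&;,])*)?)"),
            'email': re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}"),
            'ip': re.compile(r"(((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"),
        }

        results = []
        for currentSymbol in toBeAnalyzed:
            tasks = []
            # Execute the search operation in String mode
            for carver, regex in infoCarvers.items():
                label = "Data Carving: {0}".format(carver)
                currentTask = SearchTask(carver, None, carver)
                taskResults = []
                for message in currentSymbol.getMessages():
                    strData = TypeConvertor.netzobRawToString(message.getReducedStringData())
                    # finditer() only yields match objects, so the former
                    # "match is None" branch could never run and was dropped.
                    for match in regex.finditer(strData):
                        taskResult = SearchResult(message, label)
                        # Offsets are doubled, presumably because the reduced
                        # string data uses two characters per decoded
                        # character -- TODO confirm.
                        # NOTE(review): the second argument here is an end
                        # offset; verify that addSegment() does not expect a
                        # length instead.
                        taskResult.addSegment(match.start(0) * 2, match.end(0) * 2)
                        taskResults.append(taskResult)
                if taskResults:
                    currentTask.registerResults(taskResults, label)
                    tasks.append(currentTask)
            results.append(tasks)

        return results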
Example #8
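    def execute(self, symbol):
        """Run the URL, e-mail and IPv4 data carvers over symbol messages.

        For every message, the reduced string data is passed through
        ``TypeConvertor.netzobRawToString`` and each carver's regular
        expression is applied to the result.

        Args:
            symbol: the symbol to analyse, or ``None`` to analyse every symbol
                returned by ``self.project.getVocabulary().getSymbols()``.

        Returns:
            A list with one entry per analysed symbol; each entry lists the
            ``SearchTask`` objects whose carver matched at least once.
        """
        toBeAnalyzed = []
        if symbol is not None:
            toBeAnalyzed.append(symbol)
        else:
            toBeAnalyzed.extend(self.project.getVocabulary().getSymbols())

        # Patterns are built once rather than once per symbol, and written as
        # raw strings so the backslashes reach the regex engine unchanged
        # without invalid-escape warnings.
        # Limits a reader should know before relying on the output: the
        # classes are lower-case only (no IGNORECASE), and the "ip" pattern is
        # unanchored, so it can match inside a longer digit/dot sequence.
        # TODO: put these patterns in a dedicated class
        infoCarvers = {
            "url": re.compile(
                r"((http:\/\/|https:\/\/)?(www\.)?(([a-z0-9\-]){2,}\.){1,4}([a-z]){2,6}(\/([a-z\-_\/\.0-9#:?+%=&;,])*)?)"
            ),
            "email": re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}"),
            "ip": re.compile(
                r"(((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"
            ),
        }

        results = []
        for currentSymbol in toBeAnalyzed:
            tasks = []
            # Execute the search operation in String mode
            for carver, regex in infoCarvers.items():
                description = "Data Carving: {0}".format(carver)
                currentTask = SearchTask(carver, None, carver)
                taskResults = []
                for message in currentSymbol.getMessages():
                    strData = TypeConvertor.netzobRawToString(message.getReducedStringData())
                    # The old "match is None" branch was unreachable:
                    # finditer() never yields None.
                    for match in regex.finditer(strData):
                        taskResult = SearchResult(message, description)
                        # Doubling presumably maps decoded-character offsets
                        # back onto the reduced string data -- TODO confirm.
                        # NOTE(review): an end offset is passed as the second
                        # argument; check whether addSegment() expects a
                        # length there.
                        taskResult.addSegment(match.start(0) * 2, match.end(0) * 2)
                        taskResults.append(taskResult)
                if taskResults:
                    currentTask.registerResults(taskResults, description)
                    tasks.append(currentTask)
            results.append(tasks)

        return results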