def delete_file(file_hash):
success = False
key = ''
if len(file_hash) == 32:
key = 'md5'
elif len(file_hash) == 64:
key = 'sha256'
else:
return HTTPError(400, 'Invalid hash format (use md5 or sha256)')
db = Database()
rows = db.find(key=key, value=file_hash)
if not rows:
raise HTTPError(404, 'File not found in the database')
if rows:
malware_id = rows[0].id
path = get_sample_path(rows[0].sha256)
if db.delete(malware_id):
success = True
else:
raise HTTPError(404, 'File not found in repository')
path = get_sample_path(rows[0].sha256)
if not path:
raise HTTPError(404, 'File not found in file system')
else:
success=os.remove(path)
if success:
return jsonize({'message' : 'deleted'})
else:
return HTTPError(500, 'Unable to delete file')
def cmd_delete(self, *args):
parser = argparse.ArgumentParser(prog='delete', description="Delete a file")
parser.add_argument('-a', '--all', action='store_true', help="Delete ALL files in this project")
parser.add_argument('-f', '--find', action="store_true", help="Delete ALL files from last find")
try:
args = parser.parse_args(args)
except:
return
while True:
choice = input("Are you sure? It can't be reverted! [y/n] ")
if choice == 'y':
break
elif choice == 'n':
return
if args.all:
if __sessions__.is_set():
__sessions__.close()
samples = self.db.find('all')
for sample in samples:
self.db.delete_file(sample.id)
os.remove(get_sample_path(sample.sha256))
self.log('info', "Deleted a total of {} files.".format(len(samples)))
elif args.find:
if __sessions__.find:
samples = __sessions__.find
for sample in samples:
self.db.delete_file(sample.id)
os.remove(get_sample_path(sample.sha256))
self.log('info', "Deleted {} files.".format(len(samples)))
else:
self.log('error', "No find result")
else:
if __sessions__.is_set():
rows = self.db.find('sha256', __sessions__.current.file.sha256)
if rows:
malware_id = rows[0].id
if self.db.delete_file(malware_id):
self.log("success", "File deleted")
else:
self.log('error', "Unable to delete file")
os.remove(__sessions__.current.file.path)
__sessions__.close()
self.log('info', "Deleted opened file.")
else:
self.log('error', "No session open, and no --all argument. Nothing to delete.")
def run(self, *args):
try:
args = self.parser.parse_args(args)
except SystemExit:
return
while True:
choice = input("Are you sure? It can't be reverted! [y/n] ")
if choice == 'y':
break
elif choice == 'n':
return
db = Database()
if args.all:
if __sessions__.is_set():
__sessions__.close()
samples = db.find('all')
for sample in samples:
db.delete_file(sample.id)
os.remove(get_sample_path(sample.sha256))
self.log('info', "Deleted a total of {} files.".format(len(samples)))
elif args.find:
if __sessions__.find:
samples = __sessions__.find
for sample in samples:
db.delete_file(sample.id)
os.remove(get_sample_path(sample.sha256))
self.log('info', "Deleted {} files.".format(len(samples)))
else:
self.log('error', "No find result")
else:
if __sessions__.is_set():
rows = db.find('sha256', __sessions__.current.file.sha256)
if rows:
malware_id = rows[0].id
if db.delete_file(malware_id):
self.log("success", "File deleted")
else:
self.log('error', "Unable to delete file")
os.remove(__sessions__.current.file.path)
__sessions__.close()
self.log('info', "Deleted opened file.")
else:
self.log('error', "No session open, and no --all argument. Nothing to delete.")
def destroy(self, request, project=None, db=None, *args, **kwargs):
"""Delete a Malware instance"""
instance = self.get_object()
try:
log.debug("deleting (os.remove) Malware sample at path: {}".format(get_sample_path(instance.sha256)))
os.remove(get_sample_path(instance.sha256))
except OSError:
log.error("failed to delete Malware sample: {}".format(get_sample_path(instance.sha256)))
log.debug("deleting (db.delete_file) from DB for Malware ID: {}".format(instance.id))
db.delete_file(instance.id)
return Response(status=status.HTTP_204_NO_CONTENT)
def run_module():
project = request.forms.get('project')
if project:
__project__.open(project)
sha256 = request.forms.get('sha256')
if sha256:
file_path = get_sample_path(sha256)
if file_path:
__sessions__.new(file_path)
module_name = request.forms.get('module')
if module_name in __modules__:
module = __modules__[module_name]['obj']()
module.run()
module_output = copy.deepcopy(module.output)
del (module.output[:])
if module_output:
return jsonize(
dict(project=project,
module=module_name,
sha256=sha256,
output=module_output))
def hex_viewer():
# get post data
file_hash = request.forms.get('file_hash')
try:
hex_offset = int(request.forms.get('hex_start'))
except:
return '<p class="text-danger">Error Generating Request</p>'
hex_length = 256
# get file path
hex_path = get_sample_path(file_hash)
# create the command string
hex_cmd = 'hd -s {0} -n {1} {2}'.format(hex_offset, hex_length, hex_path)
# get the output
hex_string = getoutput(hex_cmd)
# Format the data
html_string = ''
hex_rows = hex_string.split('\n')
for row in hex_rows:
if len(row) > 9:
off_str = row[0:8]
hex_str = row[9:58]
asc_str = row[58:78]
asc_str = asc_str.replace('"', '"')
asc_str = asc_str.replace('<', '<')
asc_str = asc_str.replace('>', '>')
html_string += '<div class="row"><span class="text-primary mono">{0}</span> <span class="text-muted mono">{1}</span> <span class="text-success mono">{2}</span></div>'.format(
off_str, hex_str, asc_str)
# return the data
return html_string
def file_download(file_hash, project=False):
if project in project_list():
__project__.open(project)
else:
__project__.open('default')
project = 'default'
# Open the Database
db = Database()
# Open a session
rows = db.find(key='sha256', value=file_hash)
if not rows:
return template(
'error.tpl',
error="{0} Does not match any hash in the Database".format(
file_hash))
path = get_sample_path(rows[0].sha256)
if not path:
return template('error.tpl', error="File not found on disk")
response.content_length = os.path.getsize(path)
response.content_type = 'application/octet-stream; charset=UTF-8'
data = ''
for chunk in File(path).get_chunks():
data += chunk
return data
def add_file(obj, tags=None):
if get_sample_path(obj.sha256):
self.log('warning', "Skip, file \"{0}\" appears to be already stored".format(obj.name))
return False
if __sessions__.is_attached_misp(quiet=True):
if tags is not None:
tags += ',misp:{}'.format(__sessions__.current.misp_event.event.id)
else:
tags = 'misp:{}'.format(__sessions__.current.misp_event.event.id)
# Try to store file object into database.
status = db.add(obj=obj, tags=tags)
if status:
# If succeeds, store also in the local repository.
# If something fails in the database (for example unicode strings)
# we don't want to have the binary lying in the repository with no
# associated database record.
new_path = store_sample(obj)
self.log("success", "Stored file \"{0}\" to {1}".format(obj.name, new_path))
else:
return False
# Delete the file if requested to do so.
if args.delete:
try:
os.unlink(obj.path)
except Exception as e:
self.log('warning', "Failed deleting file: {0}".format(e))
return True
def get_files_from_last_find(self):
files = []
if __sessions__.find:
for item in __sessions__.find:
path = get_sample_path(item.sha256)
files.append((path, item.name))
return files
def hex_view(request):
# get post data
file_hash = request.POST['file_hash']
try:
hex_offset = int(request.POST['hex_start'])
except:
return '<p class="text-danger">Error Generating Request</p>'
hex_length = 256
# get file path
hex_path = get_sample_path(file_hash)
# create the command string
hex_cmd = 'hd -s {0} -n {1} {2}'.format(hex_offset, hex_length, hex_path)
# get the output
hex_string = getoutput(hex_cmd)
# Format the data
html_string = ''
hex_rows = hex_string.split('\n')
for row in hex_rows:
if len(row) > 9:
off_str = row[0:8]
hex_str = row[9:58]
asc_str = row[58:78]
asc_str = asc_str.replace('"', '"')
asc_str = asc_str.replace('<', '<')
asc_str = asc_str.replace('>', '>')
html_string += '<div class="row"><span class="text-primary mono">{0}</span> \
<span class="text-muted mono">{1}</span> <span class="text-success mono"> \
{2}</span></div>'.format(off_str, hex_str, asc_str)
# return the data
return HttpResponse(html_string)
def size_cluster(self):
db = Database()
samples = db.find(key='all')
cluster = {}
for sample in samples:
sample_path = get_sample_path(sample.sha256)
if not os.path.exists(sample_path):
continue
try:
cur_size = os.path.getsize(sample_path)
except Exception as e:
self.log('error',
"Error {0} for sample {1}".format(e, sample.sha256))
continue
if cur_size not in cluster:
cluster[cur_size] = []
cluster[cur_size].append([sample.md5, sample.name])
for cluster_name, cluster_members in cluster.items():
# Skipping clusters with only one entry.
if len(cluster_members) == 1:
continue
self.log(
'info', "Cluster size {0} with {1} elements".format(
bold(cluster_name), len(cluster_members)))
self.log('table', dict(header=['MD5', 'Name'],
rows=cluster_members))
def run(self, *args):
try:
args = self.parser.parse_args(args)
except SystemExit:
return
if not __sessions__.is_set():
self.log('error', "No open session")
return
if not __project__.name:
src_project = "default"
else:
src_project = __project__.name
db.copied_id_sha256 = []
res = db.copy(__sessions__.current.file.id,
src_project=src_project, dst_project=args.project,
copy_analysis=True, copy_notes=True, copy_tags=True, copy_children=args.children)
if args.delete:
__sessions__.close()
for item_id, item_sha256 in db.copied_id_sha256:
db.delete_file(item_id)
os.remove(get_sample_path(item_sha256))
self.log('info', "Deleted: {}".format(item_sha256))
if res:
self.log('success', "Successfully copied sample(s)")
return True
else:
self.log('error', "Something went wrong")
return False
def peid(self):
def get_signatures():
with file(os.path.join(VIPER_ROOT, 'data/peid/UserDB.TXT'),
'rt') as f:
sig_data = f.read()
signatures = peutils.SignatureDatabase(data=sig_data)
return signatures
def get_matches(pe, signatures):
matches = signatures.match_all(pe, ep_only=True)
return matches
if not self.__check_session():
return
signatures = get_signatures()
peid_matches = get_matches(self.pe, signatures)
if peid_matches:
self.log('info', "PEiD Signatures:")
for sig in peid_matches:
if type(sig) is list:
self.log('item', sig[0])
else:
self.log('item', sig)
else:
self.log('info', "No PEiD signatures matched.")
if self.args.scan and peid_matches:
self.log('info', "Scanning the repository for matching samples...")
db = Database()
samples = db.find(key='all')
matches = []
for sample in samples:
if sample.sha256 == __sessions__.current.file.sha256:
continue
sample_path = get_sample_path(sample.sha256)
if not os.path.exists(sample_path):
continue
try:
cur_pe = pefile.PE(sample_path)
cur_peid_matches = get_matches(cur_pe, signatures)
except:
continue
if peid_matches == cur_peid_matches:
matches.append([sample.name, sample.sha256])
self.log('info',
"{0} relevant matches found".format(bold(len(matches))))
if len(matches) > 0:
self.log('table', dict(header=['Name', 'SHA256'],
rows=matches))
def run(self):
super(Strings, self).run()
if self.args is None:
return
if not (self.args.all or self.args.files or self.args.hosts or self.args.network or self.args.interesting or self.args.search_string):
self.log('error', 'At least one of the parameters is required')
self.usage()
return
if self.args.scan:
db = Database()
samples = db.find(key='all')
for sample in samples:
sample_path = get_sample_path(sample.sha256)
strings = self.get_strings_base(sample_path, xor_key=self.args.xor, rabin_extract=self.args.rabin2)
self.process_strings(strings, sample.name)
else:
if not __sessions__.is_set():
self.log('error', "No open session. This command expects a file to be open.")
return
if os.path.exists(__sessions__.current.file.path):
strings = self.get_strings_base(__sessions__.current.file.path, xor_key=self.args.xor, rabin_extract=self.args.rabin2)
self.process_strings(strings)
def hex_viewer():
# get post data
file_hash = request.forms.get("file_hash")
try:
hex_offset = int(request.forms.get("hex_start"))
except:
return '<p class="text-danger">Error Generating Request</p>'
hex_length = 256
# get file path
hex_path = get_sample_path(file_hash)
# create the command string
hex_cmd = "hd -s {0} -n {1} {2}".format(hex_offset, hex_length, hex_path)
# get the output
hex_string = getoutput(hex_cmd)
# Format the data
html_string = ""
hex_rows = hex_string.split("\n")
for row in hex_rows:
if len(row) > 9:
off_str = row[0:8]
hex_str = row[9:58]
asc_str = row[58:78]
asc_str = asc_str.replace('"', """)
asc_str = asc_str.replace("<", "<")
asc_str = asc_str.replace(">", ">")
html_string += '<div class="row"><span class="text-primary mono">{0}</span> <span class="text-muted mono">{1}</span> <span class="text-success mono">{2}</span></div>'.format(
off_str, hex_str, asc_str
)
# return the data
return html_string
def size_scan(self):
db = Database()
samples = db.find(key='all')
rows = []
for sample in samples:
if sample.sha256 == __sessions__.current.file.sha256:
continue
sample_path = get_sample_path(sample.sha256)
if not os.path.exists(sample_path):
continue
try:
cur_size = os.path.getsize(sample_path)
except Exception:
continue
if self.file_size == cur_size:
rows.append([sample.md5, sample.name])
if len(rows) > 0:
self.log(
'info', "Following are samples with size {0}".format(
bold(self.file_size)))
self.log('table', dict(header=['MD5', 'Name'], rows=rows))
def autorun_module(file_hash):
if not file_hash:
return
# We need an open session
if not __sessions__.is_set():
# Open session
__sessions__.new(get_sample_path(file_hash))
for cmd_line in cfg.autorun.commands.split(','):
split_commands = cmd_line.split(';')
for split_command in split_commands:
split_command = split_command.strip()
if not split_command:
continue
root, args = parse(split_command)
try:
if root in __modules__:
module = __modules__[root]['obj']()
module.set_commandline(args)
module.run()
print_info("Running Command {0}".format(split_command))
if cfg.modules.store_output and __sessions__.is_set():
Database().add_analysis(file_hash, split_command, module.output)
if cfg.autorun.verbose:
print_output(module.output)
del(module.output[:])
else:
print_error('{0} is not a valid command. Please check your viper.conf file.'.format(cmd_line))
except:
print_error('Viper was unable to complete the command {0}'.format(cmd_line))
return
def get_file(file_hash):
key = ''
if len(file_hash) == 32:
key = 'md5'
elif len(file_hash) == 64:
key = 'sha256'
else:
return HTTPError(400, 'Invalid hash format (use md5 or sha256)')
db = Database()
rows = db.find(key=key, value=file_hash)
if not rows:
raise HTTPError(404, 'File not found in the database')
path = get_sample_path(rows[0].sha256)
if not path:
raise HTTPError(404, 'File not found in the repository')
response.content_length = os.path.getsize(path)
response.content_type = 'application/octet-stream; charset=UTF-8'
data = ''
for chunk in File(path).get_chunks():
data += chunk
return data
def module_cmdline(cmd_line, file_hash):
html = ""
cmd = Commands()
split_commands = cmd_line.split(';')
for split_command in split_commands:
split_command = split_command.strip()
if not split_command:
continue
root, args = parse(split_command)
try:
if root in cmd.commands:
cmd.commands[root]['obj'](*args)
html += print_output(cmd.output)
del (cmd.output[:])
elif root in __modules__:
# if prev commands did not open a session open one on the current file
if file_hash:
path = get_sample_path(file_hash)
__sessions__.new(path)
module = __modules__[root]['obj']()
module.set_commandline(args)
module.run()
html += print_output(module.output)
del (module.output[:])
else:
html += '<p class="text-danger">{0} is not a valid command</p>'.format(
cmd_line)
except:
html += '<p class="text-danger">We were unable to complete the command {0}</p>'.format(
cmd_line)
__sessions__.close()
return html
def post(self, request, *args, **kwargs):
# Get the project and hash of the file
project = kwargs.get('project', 'default')
file_hash = request.POST.get('file_hash')
try:
hex_offset = int(request.POST.get('hex_start'))
except Exception:
return '<p class="text-danger">Error Generating Request</p>'
hex_length = 256
# get file path
__project__.open(project)
hex_path = get_sample_path(file_hash)
# create the command string
hex_cmd = 'hd -s {0} -n {1} {2}'.format(hex_offset, hex_length, hex_path)
# get the output
hex_string = getoutput(hex_cmd)
# Format the data
html_string = ''
hex_rows = hex_string.split('\n')
for row in hex_rows:
if len(row) > 9:
off_str = row[0:8]
hex_str = row[9:58]
asc_str = row[58:78]
asc_str = asc_str.replace('"', '"')
asc_str = asc_str.replace('<', '<')
asc_str = asc_str.replace('>', '>')
html_string += '<div class="row"><span class="text-primary mono">{0}</span> \
<span class="text-muted mono">{1}</span> <span class="text-success mono"> \
{2}</span></div>'.format(off_str, hex_str, asc_str)
# return the data
return HttpResponse(html_string)
def add_file(obj, tags=None):
if get_sample_path(obj.sha256):
self.log("warning", 'Skip, file "{0}" appears to be already stored'.format(obj.name))
return False
# Try to store file object into database.
status = self.db.add(obj=obj, tags=tags)
if status:
# If succeeds, store also in the local repository.
# If something fails in the database (for example unicode strings)
# we don't want to have the binary lying in the repository with no
# associated database record.
new_path = store_sample(obj)
self.log("success", 'Stored file "{0}" to {1}'.format(obj.name, new_path))
else:
return False
# Delete the file if requested to do so.
if args.delete:
try:
os.unlink(obj.path)
except Exception as e:
self.log("warning", "Failed deleting file: {0}".format(e))
return True
def get_file(file_hash):
key = ''
if len(file_hash) == 32:
key = 'md5'
elif len(file_hash) == 64:
key = 'sha256'
else:
response.code = 400
return jsonize({'message':'Invalid hash format (use md5 or sha256)'})
db = Database()
rows = db.find(key=key, value=file_hash)
if not rows:
response.code = 404
return jsonize({'message':'File not found in the database'})
path = get_sample_path(rows[0].sha256)
if not path:
response.code = 404
return jsonize({'message':'File not found in the repository'})
response.content_length = os.path.getsize(path)
response.content_type = 'application/octet-stream; charset=UTF-8'
data = ''
for chunk in File(path).get_chunks():
data += chunk
return data
def post(self, request, *args, **kwargs):
# Get the project and hash of the file
project = kwargs.get('project', 'default')
file_hash = request.POST.get('file_hash')
try:
hex_offset = int(request.POST.get('hex_start'))
except:
return '<p class="text-danger">Error Generating Request</p>'
hex_length = 256
# get file path
__project__.open(project)
hex_path = get_sample_path(file_hash)
# create the command string
hex_cmd = 'hd -s {0} -n {1} {2}'.format(hex_offset, hex_length, hex_path)
# get the output
hex_string = getoutput(hex_cmd)
# Format the data
html_string = ''
hex_rows = hex_string.split('\n')
for row in hex_rows:
if len(row) > 9:
off_str = row[0:8]
hex_str = row[9:58]
asc_str = row[58:78]
asc_str = asc_str.replace('"', '"')
asc_str = asc_str.replace('<', '<')
asc_str = asc_str.replace('>', '>')
html_string += '<div class="row"><span class="text-primary mono">{0}</span> \
<span class="text-muted mono">{1}</span> <span class="text-success mono"> \
{2}</span></div>'.format(off_str, hex_str, asc_str)
# return the data
return HttpResponse(html_string)
def add_file(obj, tags=None):
if get_sample_path(obj.sha256):
self.log('warning', "Skip, file \"{0}\" appears to be already stored".format(obj.name))
return False
# Try to store file object into database.
status = self.db.add(obj=obj, tags=tags)
if status:
# If succeeds, store also in the local repository.
# If something fails in the database (for example unicode strings)
# we don't want to have the binary lying in the repository with no
# associated database record.
new_path = store_sample(obj)
self.log("success", "Stored file \"{0}\" to {1}".format(obj.name, new_path))
else:
return False
# Delete the file if requested to do so.
if args.delete:
try:
os.unlink(obj.path)
except Exception as e:
self.log('warning', "Failed deleting file: {0}".format(e))
return True
def module_cmdline(cmd_line, file_hash):
html = ""
cmd = Commands()
split_commands = cmd_line.split(';')
for split_command in split_commands:
split_command = split_command.strip()
if not split_command:
continue
root, args = parse(split_command)
try:
if root in cmd.commands:
cmd.commands[root]['obj'](*args)
html += print_output(cmd.output)
del (cmd.output[:])
elif root in __modules__:
# if prev commands did not open a session open one on the current file
if file_hash:
path = get_sample_path(file_hash)
__sessions__.new(path)
module = __modules__[root]['obj']()
module.set_commandline(args)
module.run()
html += print_output(module.output)
if cfg.modules.store_output and __sessions__.is_set():
Database().add_analysis(file_hash, split_command, module.output)
del (module.output[:])
else:
html += '<p class="text-danger">{0} is not a valid command</p>'.format(cmd_line)
except Exception as e:
html += '<p class="text-danger">We were unable to complete the command {0}</p>'.format(cmd_line)
__sessions__.close()
return html
def run(self):
super(Strings, self).run()
if self.args is None:
return
if not (self.args.all or self.args.files or self.args.hosts
or self.args.network or self.args.interesting):
self.log('error', 'At least one of the parameters is required')
self.usage()
return
if self.args.scan:
db = Database()
samples = db.find(key='all')
for sample in samples:
sample_path = get_sample_path(sample.sha256)
strings = self.get_strings(File(sample_path))
self.process_strings(strings, sample.name)
else:
if not __sessions__.is_set():
self.log('error', "No open session")
return
if os.path.exists(__sessions__.current.file.path):
strings = self.get_strings(__sessions__.current.file)
self.process_strings(strings)
def pehash(self):
if not HAVE_PEHASH:
self.log(
'error',
"PEhash is missing. Please copy PEhash to the modules directory of Viper"
)
return
current_pehash = None
if __sessions__.is_set():
current_pehash = calculate_pehash(__sessions__.current.file.path)
self.log('info', "PEhash: {0}".format(bold(current_pehash)))
if self.args.all or self.args.cluster or self.args.scan:
db = Database()
samples = db.find(key='all')
rows = []
for sample in samples:
sample_path = get_sample_path(sample.sha256)
pe_hash = calculate_pehash(sample_path)
if pe_hash:
rows.append((sample.name, sample.md5, pe_hash))
if self.args.all:
self.log('info', "PEhash for all files:")
header = ['Name', 'MD5', 'PEhash']
self.log('table', dict(header=header, rows=rows))
elif self.args.cluster:
self.log('info', "Clustering files by PEhash...")
cluster = {}
for sample_name, sample_md5, pe_hash in rows:
cluster.setdefault(pe_hash,
[]).append([sample_name, sample_md5])
for item in cluster.items():
if len(item[1]) > 1:
self.log(
'info', "PEhash {0} was calculated on files:".format(
bold(item[0])))
self.log('table', dict(header=['Name', 'MD5'],
rows=item[1]))
elif self.args.scan:
if __sessions__.is_set() and current_pehash:
self.log('info', "Finding matching samples...")
matches = []
for row in rows:
if row[1] == __sessions__.current.file.md5:
continue
if row[2] == current_pehash:
matches.append([row[0], row[1]])
if matches:
self.log('table', dict(header=['Name', 'MD5'],
rows=matches))
else:
self.log('info', "No matches found")
def size_cluster(self):
db = Database()
samples = db.find(key='all')
cluster = {}
for sample in samples:
sample_path = get_sample_path(sample.sha256)
if not os.path.exists(sample_path):
continue
try:
cur_size = os.path.getsize(sample_path)
except Exception as e:
self.log('error', "Error {0} for sample {1}".format(e, sample.sha256))
continue
if cur_size not in cluster:
cluster[cur_size] = []
cluster[cur_size].append([sample.md5, sample.name])
for cluster_name, cluster_members in cluster.items():
# Skipping clusters with only one entry.
if len(cluster_members) == 1:
continue
self.log('info', "Cluster size {0} with {1} elements".format(bold(cluster_name), len(cluster_members)))
self.log('table', dict(header=['MD5', 'Name'], rows=cluster_members))
def run(self):
super(Strings, self).run()
if self.args is None:
return
if not (self.args.all or self.args.files or self.args.hosts or self.args.network or self.args.interesting):
self.log('error', 'At least one of the parameters is required')
self.usage()
return
if self.args.scan:
db = Database()
samples = db.find(key='all')
for sample in samples:
sample_path = get_sample_path(sample.sha256)
strings = self.get_strings(File(sample_path))
self.process_strings(strings, sample.name)
else:
if not __sessions__.is_set():
self.log('error', "No open session")
return
if os.path.exists(__sessions__.current.file.path):
strings = self.get_strings(__sessions__.current.file)
self.process_strings(strings)
def get(self, request, *args, **kwargs):
template_name = "viperweb/file.html"
# default to "default" project if none given
project = kwargs.get('project', 'default')
db = open_db(project)
sha256 = kwargs.get('sha256')
if not sha256:
log.error("no sha256 hashed provided")
raise Http404("no sha256 hashed provided")
path = get_sample_path(sha256)
if not path:
raise Http404(
"could not retrieve file for sha256 hash: {}".format(sha256))
# Get additional details for file
malware = db.find(key='sha256', value=sha256)
try:
malware_obj = malware[0]
except IndexError:
raise Http404(
"could not find file for sha256 hash: {}".format(sha256))
note_list = []
notes = malware_obj.note
if notes:
for note in notes:
note_list.append({
'title': note.title,
'body': note.body,
'id': note.id
})
module_history = []
analysis_list = malware_obj.analysis
if analysis_list:
for item in analysis_list:
module_history.append({
'id': item.id,
'cmd_line': item.cmd_line
})
tag_list = db.list_tags_for_malware(sha256)
children = db.list_children(malware_obj.id)
parent = db.get_parent(malware_obj.id)
return render(
request, template_name, {
'malware': malware_obj,
'note_list': note_list,
'tag_list': tag_list,
'children': children,
'parent': parent,
'module_history': module_history,
'project': project,
'projects': get_project_list()
})
def peid(self):
def get_signatures():
with file(os.path.join(VIPER_ROOT, 'data/peid/UserDB.TXT'), 'rt') as f:
sig_data = f.read()
signatures = peutils.SignatureDatabase(data=sig_data)
return signatures
def get_matches(pe, signatures):
matches = signatures.match_all(pe, ep_only=True)
return matches
if not self.__check_session():
return
signatures = get_signatures()
peid_matches = get_matches(self.pe, signatures)
if peid_matches:
self.log('info', "PEiD Signatures:")
for sig in peid_matches:
if type(sig) is list:
self.log('item', sig[0])
else:
self.log('item', sig)
else:
self.log('info', "No PEiD signatures matched.")
if self.args.scan and peid_matches:
self.log('info', "Scanning the repository for matching samples...")
db = Database()
samples = db.find(key='all')
matches = []
for sample in samples:
if sample.sha256 == __sessions__.current.file.sha256:
continue
sample_path = get_sample_path(sample.sha256)
if not os.path.exists(sample_path):
continue
try:
cur_pe = pefile.PE(sample_path)
cur_peid_matches = get_matches(cur_pe, signatures)
except:
continue
if peid_matches == cur_peid_matches:
matches.append([sample.name, sample.sha256])
self.log('info', "{0} relevant matches found".format(bold(len(matches))))
if len(matches) > 0:
self.log('table', dict(header=['Name', 'SHA256'], rows=matches))
def file_view(request, sha256=False, project='default'):
if not sha256:
return render(request, '404.html')
print sha256
db = open_db(project)
# Open a session
try:
path = get_sample_path(sha256)
__sessions__.new(path)
except:
return render(request, '404.html')
# Get the file info
file_info = {
'name': __sessions__.current.file.name,
'tags': __sessions__.current.file.tags.split(','),
'path': __sessions__.current.file.path,
'size': __sessions__.current.file.size,
'type': __sessions__.current.file.type,
'mime': __sessions__.current.file.mime,
'md5': __sessions__.current.file.md5,
'sha1': __sessions__.current.file.sha1,
'sha256': __sessions__.current.file.sha256,
'sha512': __sessions__.current.file.sha512,
'ssdeep': __sessions__.current.file.ssdeep,
'crc32': __sessions__.current.file.crc32,
'parent': __sessions__.current.file.parent,
'children': __sessions__.current.file.children.split(',')
}
# Get Any Notes
note_list = []
module_history = []
malware = db.find(key='sha256', value=sha256)
if malware:
notes = malware[0].note
if notes:
for note in notes:
note_list.append({'title': note.title,
'body': note.body,
'id': note.id
})
analysis_list = malware[0].analysis
if analysis_list:
for ana in analysis_list:
module_history.append({'id': ana.id,
'cmd_line': ana.cmd_line
})
# Return the page
return render(request, 'file.html', {'file_info': file_info,
'note_list': note_list,
'error_line': False,
'project': project,
'projects': project_list(),
'module_history': module_history
})
def destroy(self, request, project=None, db=None, *args, **kwargs):
"""Delete a Malware instance"""
instance = self.get_object()
try:
log.debug("deleting (os.remove) Malware sample at path: {}".format(
get_sample_path(instance.sha256)))
os.remove(get_sample_path(instance.sha256))
except OSError:
log.error("failed to delete Malware sample: {}".format(
get_sample_path(instance.sha256)))
log.debug(
"deleting (db.delete_file) from DB for Malware ID: {}".format(
instance.id))
db.delete_file(instance.id)
return Response(status=status.HTTP_204_NO_CONTENT)
def pehash(self):
if not HAVE_PEHASH:
self.log('error', "PEhash is missing. Please copy PEhash to the modules directory of Viper")
return
current_pehash = None
if __sessions__.is_set():
current_pehash = calculate_pehash(__sessions__.current.file.path)
self.log('info', "PEhash: {0}".format(bold(current_pehash)))
if self.args.all or self.args.cluster or self.args.scan:
db = Database()
samples = db.find(key='all')
rows = []
for sample in samples:
sample_path = get_sample_path(sample.sha256)
pe_hash = calculate_pehash(sample_path)
if pe_hash:
rows.append((sample.name, sample.md5, pe_hash))
if self.args.all:
self.log('info', "PEhash for all files:")
header = ['Name', 'MD5', 'PEhash']
self.log('table', dict(header=header, rows=rows))
elif self.args.cluster:
self.log('info', "Clustering files by PEhash...")
cluster = {}
for sample_name, sample_md5, pe_hash in rows:
cluster.setdefault(pe_hash, []).append([sample_name, sample_md5])
for item in cluster.items():
if len(item[1]) > 1:
self.log('info', "PEhash cluster {0}:".format(bold(item[0])))
self.log('table', dict(header=['Name', 'MD5'], rows=item[1]))
elif self.args.scan:
if __sessions__.is_set() and current_pehash:
self.log('info', "Finding matching samples...")
matches = []
for row in rows:
if row[1] == __sessions__.current.file.md5:
continue
if row[2] == current_pehash:
matches.append([row[0], row[1]])
if matches:
self.log('table', dict(header=['Name', 'MD5'], rows=matches))
else:
self.log('info', "No matches found")
def compiletime(self):
def get_compiletime(pe):
return datetime.datetime.fromtimestamp(
pe.FILE_HEADER.TimeDateStamp)
if not self.__check_session():
return
compile_time = get_compiletime(self.pe)
self.log('info', "Compile Time: {0}".format(bold(compile_time)))
if self.args.scan:
self.log('info', "Scanning the repository for matching samples...")
db = Database()
samples = db.find(key='all')
matches = []
for sample in samples:
if sample.sha256 == __sessions__.current.file.sha256:
continue
sample_path = get_sample_path(sample.sha256)
if not os.path.exists(sample_path):
continue
try:
cur_pe = pefile.PE(sample_path)
cur_compile_time = get_compiletime(cur_pe)
except:
continue
if compile_time == cur_compile_time:
matches.append([sample.name, sample.md5, cur_compile_time])
else:
if self.args.window:
if cur_compile_time > compile_time:
delta = (cur_compile_time - compile_time)
elif cur_compile_time < compile_time:
delta = (compile_time - cur_compile_time)
delta_minutes = int(delta.total_seconds()) / 60
if delta_minutes <= self.args.window:
matches.append(
[sample.name, sample.md5, cur_compile_time])
self.log('info',
"{0} relevant matches found".format(bold(len(matches))))
if len(matches) > 0:
self.log(
'table',
dict(header=['Name', 'MD5', 'Compile Time'], rows=matches))
def get_file(sha256):
path = get_sample_path(sha256)
if not path:
raise HTTPError(404, 'File not found')
response.content_length = os.path.getsize(path)
response.content_type = 'application/octet-stream; charset=UTF-8'
data = ''
for chunk in File(path).get_chunks():
data += chunk
return data
def file_view(request, sha256, project):
if not sha256:
return JsonResponse({'response': '404', 'data': 'Requires a SHA256'})
db = open_db(project)
# Open a session
try:
path = get_sample_path(sha256)
__sessions__.new(path)
except:
return JsonResponse({'response': '404', 'data': 'Unabel to access file'})
# Get the file info
file_info = {
'name': __sessions__.current.file.name,
'tags': __sessions__.current.file.tags.split(','),
'path': __sessions__.current.file.path,
'size': __sessions__.current.file.size,
'type': __sessions__.current.file.type,
'mime': __sessions__.current.file.mime,
'md5': __sessions__.current.file.md5,
'sha1': __sessions__.current.file.sha1,
'sha256': __sessions__.current.file.sha256,
'sha512': __sessions__.current.file.sha512,
'ssdeep': __sessions__.current.file.ssdeep,
'crc32': __sessions__.current.file.crc32,
'parent': __sessions__.current.file.parent,
'children': __sessions__.current.file.children.split(',')
}
# Get Any Notes
note_list = []
module_history = []
malware = db.find(key='sha256', value=sha256)
if malware:
notes = malware[0].note
if notes:
for note in notes:
note_list.append({'title': note.title,
'body': note.body,
'id': note.id
})
analysis_list = malware[0].analysis
if analysis_list:
for ana in analysis_list:
module_history.append({'id': ana.id,
'cmd_line': ana.cmd_line
})
# Return the page
return JsonResponse({'response': '200', 'data': {'file_info': file_info,
'note_list': note_list,
'module_history': module_history
}})
def _search_local_hashes(self, event, open_session=True):
local = []
samples_count = 0
if isinstance(event, MISPEvent):
misp_event = event
elif event.get('Event') is None:
self.log('error', event)
return
else:
misp_event = MISPEvent()
misp_event.load(event)
if not hasattr(misp_event, 'id'):
# The event doesn't exists upstream, breaking.
return
for a in misp_event.attributes + [
attribute for obj in misp_event.objects
for attribute in obj.attributes
]:
row = None
if a.type == 'malware-sample':
samples_count += 1
if a.type in ('md5', 'sha1', 'sha256'):
row = Database().find(key=a.type, value=a.value)
elif a.type in ('filename|md5', 'filename|sha1',
'filename|sha256'):
row = Database().find(key=a.type.split('|')[1],
value=a.value.split('|')[1])
elif a.type == 'malware-sample':
row = Database().find(key='md5', value=a.value.split('|')[1])
if row:
local.append(row[0])
self.log(
'info',
'Event {} contains {} samples.'.format(misp_event.id,
samples_count))
if not open_session:
return
shas = set([l.sha256 for l in local])
if len(shas) == 1:
__sessions__.new(get_sample_path(shas.pop()),
MispEvent(misp_event, self.offline_mode))
elif len(shas) > 1:
self.log('success',
'The following samples are in this viper instance:')
__sessions__.new(
misp_event=MispEvent(misp_event, self.offline_mode))
for s in shas:
self.log('item', s)
else:
__sessions__.new(
misp_event=MispEvent(misp_event, self.offline_mode))
self.log('info', 'No known (in Viper) samples in that event.')
def delete_file(file_hash):
success = False
key = ''
if len(file_hash) == 32:
key = 'md5'
elif len(file_hash) == 64:
key = 'sha256'
else:
response.code = 400
return jsonize({'message':'Invalid hash format (use md5 or sha256)'})
db = Database()
rows = db.find(key=key, value=file_hash)
if not rows:
response.code = 404
return jsonize({'message':'File not found in the database'})
if rows:
malware_id = rows[0].id
path = get_sample_path(rows[0].sha256)
if db.delete(malware_id):
success = True
else:
response.code = 404
return jsonize({'message':'File not found in repository'})
path = get_sample_path(rows[0].sha256)
if not path:
response.code = 404
return jsonize({'message':'File not found in file system'})
else:
success=os.remove(path)
if success:
return jsonize({'message' : 'deleted'})
else:
response.code = 500
return jsonize({'message':'Unable to delete file'})
def cmd_parent(self, *args):
parser = argparse.ArgumentParser(prog='tags', description="Set the Parent for this file.")
parser.add_argument('-a', '--add', metavar='SHA256', help="Add parent file by sha256")
parser.add_argument('-d', '--delete', action='store_true', help="Delete Parent")
parser.add_argument('-o', '--open', action='store_true', help="Open The Parent")
try:
args = parser.parse_args(args)
except:
return
# This command requires a session to be opened.
if not __sessions__.is_set():
self.log('error', "No open session")
parser.print_usage()
return
# If no arguments are specified, there's not much to do.
if args.add is None and args.delete is None and args.open is None:
parser.print_usage()
return
db = Database()
if not db.find(key='sha256', value=__sessions__.current.file.sha256):
self.log('error', "The opened file is not stored in the database. "
"If you want to add it use the `store` command.")
return
if args.add:
if not db.find(key='sha256', value=args.add):
self.log('error', "the parent file is not found in the database. ")
return
db.add_parent(__sessions__.current.file.sha256, args.add)
self.log('info', "parent added to the currently opened file")
self.log('info', "Refreshing session to update attributes...")
__sessions__.new(__sessions__.current.file.path)
if args.delete:
db.delete_parent(__sessions__.current.file.sha256)
self.log('info', "parent removed from the currently opened file")
self.log('info', "Refreshing session to update attributes...")
__sessions__.new(__sessions__.current.file.path)
if args.open:
# Open a session on the parent
if __sessions__.current.file.parent:
__sessions__.new(get_sample_path(__sessions__.current.file.parent[-64:]))
else:
self.log('info', "No parent set for this sample")
def cmd_parent(self, *args):
parser = argparse.ArgumentParser(prog='tags', description="Set the Parent for this file.")
parser.add_argument('-a', '--add', metavar='SHA256', help="Add parent file by sha256")
parser.add_argument('-d', '--delete', action='store_true', help="Delete Parent")
parser.add_argument('-o', '--open', action='store_true', help="Open The Parent")
try:
args = parser.parse_args(args)
except:
return
# This command requires a session to be opened.
if not __sessions__.is_set():
self.log('error', "No open session")
parser.print_usage()
return
# If no arguments are specified, there's not much to do.
if args.add is None and args.delete is None and args.open is None:
parser.print_usage()
return
db = Database()
if not db.find(key='sha256', value=__sessions__.current.file.sha256):
self.log('error', "The opened file is not stored in the database. "
"If you want to add it use the `store` command.")
return
if args.add:
if not db.find(key='sha256', value=args.add):
self.log('error', "the parent file is not found in the database. ")
return
db.add_parent(__sessions__.current.file.sha256, args.add)
self.log('info', "parent added to the currently opened file")
self.log('info', "Refreshing session to update attributes...")
__sessions__.new(__sessions__.current.file.path)
if args.delete:
db.delete_parent(__sessions__.current.file.sha256)
self.log('info', "parent removed from the currently opened file")
self.log('info', "Refreshing session to update attributes...")
__sessions__.new(__sessions__.current.file.path)
if args.open:
# Open a session on the parent
if __sessions__.current.file.parent:
__sessions__.new(get_sample_path(__sessions__.current.file.parent[-64:]))
else:
self.log('info', "No parent set for this sample")
def get(self, request, *args, **kwargs):
project = kwargs.get("project", "default")
if project not in get_project_list():
raise Http404("unknown project: {}".format(project))
sha256 = kwargs.get("sha256")
if not sha256:
log.error("no sha256 hashed provided")
raise Http404("no sha256 hashed provided")
# Open a session
try:
path = get_sample_path(sha256)
__sessions__.new(path)
except Exception as err:
log.error("Error: {}".format(err))
return HttpResponse('<span class="alert alert-danger">Invalid Submission</span>'.format())
try:
task_list_url = '{0}/tasks/list'.format(cfg.cuckoo.cuckoo_host)
task_list_response = requests.get(task_list_url)
if task_list_response.status_code == 200:
task_list = task_list_response.json()
task_list_filtered = [x for x in task_list["tasks"] if x["sample"]["sha256"] == sha256]
if task_list_filtered:
task_list_filtered_sorted = sorted(task_list_filtered, key=itemgetter("added_on"), reverse=True)
task_id = task_list_filtered_sorted[0]["id"]
return HttpResponse('<a href="{0}/analysis/{1}/summary/" target="_blank"> Link to latest existing Cukoo Report</a>'.format(cfg.cuckoo.cuckoo_web, str(task_id)))
except Exception as err:
log.error("Error: {}".format(err))
return HttpResponse('<span class="alert alert-danger">Error Connecting To Cuckoo</span>'.format())
# If it doesn't exist, submit it.
# Get the file data from viper
file_data = open(__sessions__.current.file.path, 'rb').read()
file_name = __sessions__.current.file.name
if file_data:
# Submit file data to cuckoo
uri = '{0}{1}'.format(cfg.cuckoo.cuckoo_host, '/tasks/create/file')
options = {'file': (file_name, file_data)}
cuckoo_response = requests.post(uri, files=options)
if cuckoo_response.status_code == 200:
cuckoo_id = dict(cuckoo_response.json())['task_id']
return HttpResponse('<a href="{0}/analysis/pending/" target="_blank"> Link To Cuckoo (pending tasks)</a>'.format(cfg.cuckoo.cuckoo_web, str(cuckoo_id)))
else:
log.error("Cuckoo Response Code: {}".format(cuckoo_response.status_code))
return HttpResponse('<span class="alert alert-danger">Unable to Submit File</span>')
def get(self, request, *args, **kwargs):
template_name = "viperweb/file.html"
# default to "default" project if none given
project = kwargs.get('project', 'default')
db = open_db(project)
sha256 = kwargs.get('sha256')
if not sha256:
log.error("no sha256 hashed provided")
raise Http404("no sha256 hashed provided")
path = get_sample_path(sha256)
if not path:
raise Http404("could not retrieve file for sha256 hash: {}".format(sha256))
# Get additional details for file
malware = db.find(key='sha256', value=sha256)
try:
malware_obj = malware[0]
except IndexError:
raise Http404("could not find file for sha256 hash: {}".format(sha256))
note_list = []
notes = malware_obj.note
if notes:
for note in notes:
note_list.append({'title': note.title,
'body': note.body,
'id': note.id})
module_history = []
analysis_list = malware_obj.analysis
if analysis_list:
for item in analysis_list:
module_history.append({'id': item.id,
'cmd_line': item.cmd_line})
tag_list = db.list_tags_for_malware(sha256)
children = db.list_children(malware_obj.id)
parent = db.get_parent(malware_obj.id)
return render(request, template_name, {'malware': malware_obj,
'note_list': note_list,
'tag_list': tag_list,
'children': children,
'parent': parent,
'module_history': module_history,
'project': project,
'projects': get_project_list()})
def get(self, request, *args, **kwargs):
project = kwargs.get("project", "default")
if project not in get_project_list():
raise Http404("unknown project: {}".format(project))
sha256 = kwargs.get("sha256")
if not sha256:
log.error("no sha256 hashed provided")
raise Http404("no sha256 hashed provided")
# Open a session
try:
path = get_sample_path(sha256)
__sessions__.new(path)
except Exception as err:
log.error("Error: {}".format(err))
return HttpResponse('<span class="alert alert-danger">Invalid Submission</span>'.format())
try:
task_list_url = '{0}/tasks/list'.format(cfg.cuckoo.cuckoo_host)
task_list_response = requests.get(task_list_url)
if task_list_response.status_code == 200:
task_list = task_list_response.json()
task_list_filtered = [x for x in task_list["tasks"] if x["sample"]["sha256"] == sha256]
if task_list_filtered:
task_list_filtered_sorted = sorted(task_list_filtered, key=itemgetter("added_on"), reverse=True)
task_id = task_list_filtered_sorted[0]["id"]
return HttpResponse('<a href="{0}/analysis/{1}/summary/" target="_blank"> Link to latest existing Cukoo Report</a>'.format(cfg.cuckoo.cuckoo_web, str(task_id)))
except Exception as err:
log.error("Error: {}".format(err))
return HttpResponse('<span class="alert alert-danger">Error Connecting To Cuckoo</span>'.format())
# If it doesn't exist, submit it.
# Get the file data from viper
file_data = open(__sessions__.current.file.path, 'rb').read()
file_name = __sessions__.current.file.name
if file_data:
# Submit file data to cuckoo
uri = '{0}{1}'.format(cfg.cuckoo.cuckoo_host, '/tasks/create/file')
options = {'file': (file_name, file_data)}
cuckoo_response = requests.post(uri, files=options)
if cuckoo_response.status_code == 200:
cuckoo_id = dict(cuckoo_response.json())['task_id']
return HttpResponse('<a href="{0}/analysis/pending/" target="_blank"> Link To Cuckoo (pending tasks)</a>'.format(cfg.cuckoo.cuckoo_web, str(cuckoo_id)))
else:
log.error("Cuckoo Response Code: {}".format(cuckoo_response.status_code))
return HttpResponse('<span class="alert alert-danger">Unable to Submit File</span>')
def compiletime(self):
def get_compiletime(pe):
return datetime.datetime.fromtimestamp(pe.FILE_HEADER.TimeDateStamp)
if not self.__check_session():
return
compile_time = get_compiletime(self.pe)
self.log('info', "Compile Time: {0}".format(bold(compile_time)))
if self.args.scan:
self.log('info', "Scanning the repository for matching samples...")
db = Database()
samples = db.find(key='all')
matches = []
for sample in samples:
if sample.sha256 == __sessions__.current.file.sha256:
continue
sample_path = get_sample_path(sample.sha256)
if not os.path.exists(sample_path):
continue
try:
cur_pe = pefile.PE(sample_path)
cur_compile_time = get_compiletime(cur_pe)
except:
continue
if compile_time == cur_compile_time:
matches.append([sample.name, sample.md5, cur_compile_time])
else:
if self.args.window:
if cur_compile_time > compile_time:
delta = (cur_compile_time - compile_time)
elif cur_compile_time < compile_time:
delta = (compile_time - cur_compile_time)
delta_minutes = int(delta.total_seconds()) / 60
if delta_minutes <= self.args.window:
matches.append([sample.name, sample.md5, cur_compile_time])
self.log('info', "{0} relevant matches found".format(bold(len(matches))))
if len(matches) > 0:
self.log('table', dict(header=['Name', 'MD5', 'Compile Time'], rows=matches))
def cuckoo_submit():
# Get Query Strings
project = request.query.project
file_hash = request.query.hash
if project in project_list():
__project__.open(project)
else:
__project__.open("../")
project = "Main"
# Open the Database
db = Database()
# Open a session
try:
path = get_sample_path(file_hash)
__sessions__.new(path)
except:
return '<span class="alert alert-danger">Invalid Submission</span>'
try:
# Return URI For Existing Entry
check_uri = "{0}/files/view/sha256/{1}".format(cuckoo_api, file_hash)
check_file = requests.get(check_uri)
if check_file.status_code == 200:
check_result = dict(check_file.json())
cuckoo_id = check_result["sample"]["id"]
return '<a href="{0}/submit/status/{1}" target="_blank"> Link To Cukoo Report</a>'.format(
cuckoo_web, str(cuckoo_id)
)
except Exception as e:
return '<span class="alert alert-danger">Error Connecting To Cuckoo</span>'
# If it doesn't exist, submit it.
# Get the file data from viper
file_data = open(__sessions__.current.file.path, "rb").read()
file_name = __sessions__.current.file.name
if file_data:
# Submit file data to cuckoo
uri = "{0}{1}".format(cuckoo_api, "/tasks/create/file")
options = {"file": (file_name, file_data)}
cuckoo_response = requests.post(uri, files=options)
if cuckoo_response.status_code == 200:
cuckoo_id = dict(cuckoo_response.json())["task_id"]
return '<a href="{0}/submit/status/{1}" target="_blank"> Link To Cukoo Report</a>'.format(
cuckoo_web, str(cuckoo_id)
)
else:
return '<span class="alert alert-danger">Unable to Submit File</span>'
def file_info(file_hash, project=False):
contents = {}
if project in project_list():
__project__.open(project)
contents['project'] = project
else:
__project__.open('../')
contents['project'] = 'Main'
# Open the Database
db = Database()
# Open a session
try:
path = get_sample_path(file_hash)
__sessions__.new(path)
except:
return template('error.tpl', error="{0} Does not match any hash in the Database".format(file_hash))
# Get the file info
contents['file_info'] = [
__sessions__.current.file.name,
__sessions__.current.file.tags,
__sessions__.current.file.path,
__sessions__.current.file.size,
__sessions__.current.file.type,
__sessions__.current.file.mime,
__sessions__.current.file.md5,
__sessions__.current.file.sha1,
__sessions__.current.file.sha256,
__sessions__.current.file.sha512,
__sessions__.current.file.ssdeep,
__sessions__.current.file.crc32
]
# Get Any Notes
note_list = []
malware = db.find(key='sha256', value=file_hash)
if malware:
notes = malware[0].note
if notes:
rows = []
for note in notes:
note_list.append([note.title, note.body, note.id])
contents['notes'] = note_list
# Close the session
__sessions__.close()
# Return the page
return template('file.tpl', **contents)
def run(self):
# TODO: this function needs to be refactored.
super(Strings, self).run()
if self.args is None:
return
arg_all = self.args.all
arg_hosts = self.args.hosts
arg_scan = self.args.scan
regexp = '[\x20\x30-\x39\x41-\x5a\x61-\x7a\-\.:]{4,}'
if arg_scan:
db = Database()
samples = db.find(key='all')
rows = []
for sample in samples:
sample_path = get_sample_path(sample.sha256)
strings = re.findall(regexp, File(sample_path).data)
results = self.extract_hosts(strings)
if results:
self.log('info', sample.name)
for result in results:
self.log('item', result)
else:
if not __sessions__.is_set():
self.log('error', "No open session")
return
if os.path.exists(__sessions__.current.file.path):
strings = re.findall(regexp, __sessions__.current.file.data)
if arg_all:
for entry in strings:
self.log('', entry)
elif arg_hosts:
results = self.extract_hosts(strings)
for result in results:
self.log('item', result)
if not arg_all and not arg_hosts and not arg_scan:
self.log('error', 'At least one of the parameters is required')
self.usage()
def run(self):
# TODO: this function needs to be refactored.
super(Strings, self).run()
if self.args is None:
return
arg_all = self.args.all
arg_hosts = self.args.hosts
arg_scan = self.args.scan
regexp = '[\x20\x30-\x39\x41-\x5a\x61-\x7a\-\.:]{4,}'
if arg_scan:
db = Database()
samples = db.find(key='all')
rows = []
for sample in samples:
sample_path = get_sample_path(sample.sha256)
strings = re.findall(regexp, File(sample_path).data)
results = self.extract_hosts(strings)
if results:
self.log('info', sample.name)
for result in results:
self.log('item', result)
else:
if not __sessions__.is_set():
self.log('error', "No open session")
return
if os.path.exists(__sessions__.current.file.path):
strings = re.findall(regexp, __sessions__.current.file.data)
if arg_all:
for entry in strings:
self.log('', entry)
elif arg_hosts:
results = self.extract_hosts(strings)
for result in results:
self.log('item', result)
if not arg_all and not arg_hosts and not arg_scan:
self.log('error', 'At least one of the parameters is required')
self.usage()
def download(self, request, *args, ** kwargs):
"""Download a Malware instance as a raw or compressed file"""
# kwargs provided by URLs/Routers: project_name, sha256
# malware_sha256 = self.kwargs.get("sha256", None)
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
# get instance
instance = self.get_object()
dl_file = open(get_sample_path(instance.sha256), 'rb')
# TODO(frennkie) encoding?!?! CLRF, LF ?! XXX
response = HttpResponse(DjangoFile(dl_file), content_type=instance.mime)
response['Content-Disposition'] = 'attachment; filename={}'.format(instance.name)
return response
def cuckoo_submit():
# Get Query Strings
project = request.query.project
file_hash = request.query.hash
if project in project_list():
__project__.open(project)
else:
__project__.open('../')
project = 'Main'
# Open the Database
db = Database()
# Open a session
try:
path = get_sample_path(file_hash)
__sessions__.new(path)
except:
return '<span class="alert alert-danger">Invalid Submission</span>'
try:
# Return URI For Existing Entry
check_uri = '{0}/files/view/sha256/{1}'.format(cuckoo_api, file_hash)
check_file = requests.get(check_uri)
if check_file.status_code == 200:
check_result = dict(check_file.json())
cuckoo_id = check_result['sample']['id']
return '<a href="{0}/analysis/{1}" target="_blank"> Link To Cukoo Report</a>'.format(
cuckoo_web, str(cuckoo_id))
except Exception as e:
return '<span class="alert alert-danger">Error Connecting To Cuckoo</span>'
# If it doesn't exist, submit it.
# Get the file data from viper
file_data = open(__sessions__.current.file.path, 'rb').read()
file_name = __sessions__.current.file.name
if file_data:
# Submit file data to cuckoo
uri = '{0}{1}'.format(cuckoo_api, '/tasks/create/file')
options = {'file': (file_name, file_data)}
cuckoo_response = requests.post(uri, files=options)
if cuckoo_response.status_code == 200:
cuckoo_id = dict(cuckoo_response.json())['task_id']
return '<a href="{0}/analysis/{1}" target="_blank"> Link To Cukoo Report</a>'.format(
cuckoo_web, str(cuckoo_id))
else:
return '<span class="alert alert-danger">Unable to Submit File</span>'
def run(self, *args):
try:
args = self.parser.parse_args(args)
except SystemExit:
return
# This command requires a session to be opened.
if not __sessions__.is_set():
self.log('error', "No open session. This command expects a file to be open.")
self.parser.print_usage()
return
# If no arguments are specified, there's not much to do.
if args.add is None and args.delete is None and args.open is None:
self.parser.print_usage()
return
db = Database()
if not db.find(key='sha256', value=__sessions__.current.file.sha256):
self.log('error', "The opened file is not stored in the database. "
"If you want to add it use the `store` command.")
return
if args.add:
if not db.find(key='sha256', value=args.add):
self.log('error', "the parent file is not found in the database. ")
return
db.add_parent(__sessions__.current.file.sha256, args.add)
self.log('info', "parent added to the currently opened file")
self.log('info', "Refreshing session to update attributes...")
__sessions__.new(__sessions__.current.file.path)
if args.delete:
db.delete_parent(__sessions__.current.file.sha256)
self.log('info', "parent removed from the currently opened file")
self.log('info', "Refreshing session to update attributes...")
__sessions__.new(__sessions__.current.file.path)
if args.open:
# Open a session on the parent
if __sessions__.current.file.parent:
__sessions__.new(get_sample_path(__sessions__.current.file.parent[-64:]))
else:
self.log('info', "No parent set for this sample")
def ScanFile(self, sample):
if isinstance(sample, Malware):
sample_path = get_sample_path(sample.sha256)
else:
sample_path = sample.path
if not os.path.exists(sample_path):
self.log(
'error',
'The file does not exists at path {0}'.format(sample_path))
return
try:
if self.daemon.ping():
with open(sample_path, 'rb') as fd:
results = self.daemon.scan_stream(fd.read())
else:
self.log('error', "Unable to connect to the daemon")
except Exception as ex:
msg = 'Unable to scan file {0} with antivirus daemon, {1}'.format(
sample.sha256, ex)
self.log('error', msg)
return
found = None
name = None
if results:
for item in results:
found = results[item][0]
name = results[item][1]
if found == 'ERROR':
self.log(
'error',
"Check permissions of the binary folder, {0}".format(name))
else:
if name is not None:
if self.args.tag:
self.db.add_tags(sample.sha256, name)
else:
name = 'Threat not found!'
self.log(
'info',
"{0} identify {1} as : {2}".format(self.socket, sample.sha256,
name))
def _search_local_hashes(self, event, open_session=True):
local = []
samples_count = 0
if event.get('Event') is None:
self.log('error', event)
return
for a in event['Event']['Attribute']:
row = None
if a['type'] == 'malware-sample':
samples_count += 1
if a['type'] in ('malware-sample', 'filename|md5', 'md5'):
h = a['value']
if '|' in a['type']:
h = a['value'].split('|')[1]
row = Database().find(key='md5', value=h)
elif a['type'] in ('sha1', 'filename|sha1'):
h = a['value']
if '|' in a['type']:
h = a['value'].split('|')[1]
row = Database().find(key='sha1', value=h)
elif a['type'] in ('sha256', 'filename|sha256'):
h = a['value']
if '|' in a['type']:
h = a['value'].split('|')[1]
row = Database().find(key='sha256', value=h)
if row:
local.append(row[0])
self.log(
'info',
'Event {} contains {} samples.'.format(event['Event']['id'],
samples_count))
if not open_session:
return
shas = set([l.sha256 for l in local])
if len(shas) == 1:
__sessions__.new(get_sample_path(shas.pop()), MispEvent(event))
elif len(shas) > 1:
self.log('success',
'The following samples are in this viper instance:')
__sessions__.new(misp_event=MispEvent(event))
for s in shas:
self.log('item', s)
else:
__sessions__.new(misp_event=MispEvent(event))
self.log('info', 'No known (in Viper) samples in that event.')
def download(self, request, *args, **kwargs):
"""Download a Malware instance as a raw or compressed file"""
# kwargs provided by URLs/Routers: project_name, sha256
# malware_sha256 = self.kwargs.get("sha256", None)
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
# get instance
instance = self.get_object()
dl_file = open(get_sample_path(instance.sha256), 'rb')
# TODO(frennkie) encoding?!?! CLRF, LF ?! XXX
response = HttpResponse(DjangoFile(dl_file),
content_type=instance.mime)
response['Content-Disposition'] = 'attachment; filename={}'.format(
instance.name)
return response
def autorun_module(file_hash):
if not file_hash:
return
# We need an open session
if not __sessions__.is_set():
# Open session
__sessions__.new(get_sample_path(file_hash))
for cmd_line in cfg.autorun.commands.split(','):
split_commands = cmd_line.split(';')
for split_command in split_commands:
split_command = split_command.strip()
if not split_command:
continue
root, args = parse(split_command)
try:
if root in __modules__:
print_info("Running command \"{0}\"".format(split_command))
module = __modules__[root]['obj']()
module.set_commandline(args)
module.run()
if cfg.modules.store_output and __sessions__.is_set():
Database().add_analysis(file_hash, split_command,
module.output)
if cfg.autorun.verbose:
print_output(module.output)
del (module.output[:])
else:
print_error(
"\"{0}\" is not a valid command. Please check your viper.conf file."
.format(cmd_line))
except:
print_error(
"Viper was unable to complete the command {0}".format(
cmd_line))
def _process_uploaded(db, uploaded_file_path, file_name, tag_list=None, note_title=None, note_body=None):
"""_process_uploaded add one uploaded file to database and to storage then remove uploaded file"""
log.debug("adding: {} as {}".format(uploaded_file_path, file_name))
malware = File(uploaded_file_path)
malware.name = file_name
if get_sample_path(malware.sha256):
error = {"error": {"code": "DuplicateFileHash",
"message": "File hash exists already: {} (sha256: {})".format(malware.name, malware.sha256)}}
log.error("adding failed: {}".format(error))
raise ValidationError(detail=error) # TODO(frennkie) raise more specific error?! so that we can catch it..?!
# Try to store file object into database
if db.add(obj=malware, tags=tag_list):
# If succeeds, store also in the local repository.
# If something fails in the database (for example unicode strings)
# we don't want to have the binary lying in the repository with no
# associated database record.
malware_stored_path = store_sample(malware)
# run autoruns on the stored sample
if cfg.get('autorun').enabled:
autorun_module(malware.sha256)
log.debug("added file \"{0}\" to {1}".format(malware.name, malware_stored_path))
if note_body and note_title:
db.add_note(malware.sha256, note_title, note_body)
log.debug("added note: \"{0}\"".format(note_title))
else:
error = {"error": {"code": "DatabaseAddFailed",
"message": "Adding File to Database failed: {} (sha256: {})".format(malware.name, malware.sha256)}}
log.error("adding failed: {}".format(error))
raise ValidationError(detail=error)
# clean up
try:
os.remove(uploaded_file_path)
except OSError as err:
log.error("failed to delete temporary file: {}".format(err))
return malware
def cmd_delete(self, *args):
parser = argparse.ArgumentParser(prog='delete', description="Delete a file")
parser.add_argument('-a', '--all', action='store_true', help="Delete ALL files in this project")
try:
args = parser.parse_args(args)
except:
return
while True:
choice = input("Are you sure? It can't be reverted! [y/n] ")
if choice == 'y':
break
elif choice == 'n':
return
if args.all:
if __sessions__.is_set():
__sessions__.close()
samples = self.db.find('all')
for sample in samples:
self.db.delete_file(sample.id)
os.remove(get_sample_path(sample.sha256))
self.log('info', "Deleted a total of {} files.".format(len(samples)))
else:
if __sessions__.is_set():
rows = self.db.find('sha256', __sessions__.current.file.sha256)
if rows:
malware_id = rows[0].id
if self.db.delete_file(malware_id):
self.log("success", "File deleted")
else:
self.log('error', "Unable to delete file")
os.remove(__sessions__.current.file.path)
__sessions__.close()
self.log('info', "Deleted opened file.")
else:
self.log('error', "No session open, and no --all argument. Nothing to delete.")
