def render_verbose(doc):
    """Render *doc* in the verbose layout: metadata, blank line, rules, blank line.

    Args:
        doc: the result document handed through to ``render_meta`` and
            ``render_rules``.

    Returns:
        The rendered report as one string (ends with a blank separator line).
    """
    out = rutils.StringIO()
    # Helpers here take (ostream, doc); NOTE(review): render_default on this
    # page calls its helpers as (doc, ostream) -- confirm which signature the
    # imported render_* functions actually expose before mixing the two.
    for section in (render_meta, render_rules):
        section(out, doc)
        # every section, including the last, is followed by a blank line
        out.write("\n")
    return out.getvalue()
def render_default(doc):
    """Render *doc* in the default layout: metadata, ATT&CK section, capabilities.

    Args:
        doc: the result document handed through to ``render_meta``,
            ``render_attack`` and ``render_capabilities`` (as their first argument).

    Returns:
        The rendered report as one string; sections are separated by a blank
        line and there is no trailing separator after the last one.
    """
    sections = (render_meta, render_attack, render_capabilities)
    out = rutils.StringIO()
    for index, section in enumerate(sections):
        if index:
            # blank line between consecutive sections only
            out.write("\n")
        section(doc, out)
    return out.getvalue()
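def _index_functions_by_basic_block(doc):
    """Map each matched basic-block address to the function that contains it.

    Reads ``doc["meta"]["analysis"]["layout"]["functions"]``; every entry is
    expected to carry a ``matched_basic_blocks`` list.

    Returns:
        dict mapping basic-block address -> function address.
    """
    functions_by_bb = {}
    layout_functions = doc["meta"]["analysis"]["layout"]["functions"]
    for function, info in layout_functions.items():
        for bb in info["matched_basic_blocks"]:
            functions_by_bb[bb] = function
    return functions_by_bb


def _collect_matches_by_function(doc, functions_by_bb):
    """Group matched rule names by the address of the function they hit.

    Function-scope matches are keyed by their own address; basic-block-scope
    matches are lifted to the enclosing function via *functions_by_bb*.
    File-scope rules are skipped: they have no function to attribute to.

    Raises:
        KeyError: a basic-block match is not inside any function of the
            layout, i.e. the document's layout and matches disagree.
    """
    matches_by_function = collections.defaultdict(set)
    for rule in rutils.capability_rules(doc):
        scope = rule["meta"]["scope"]
        rule_name = rule["meta"]["name"]
        if scope == capa.rules.FUNCTION_SCOPE:
            for va in rule["matches"]:
                matches_by_function[va].add(rule_name)
        elif scope == capa.rules.BASIC_BLOCK_SCOPE:
            for va in rule["matches"]:
                try:
                    function = functions_by_bb[va]
                except KeyError:
                    # Same exception type as before, but say which address is
                    # missing instead of failing with a bare key.
                    raise KeyError(
                        "matched basic block %r is not inside any function of the layout" % (va,)
                    ) from None
                matches_by_function[function].add(rule_name)
        # any other scope (file): nothing to attribute to a function
    return matches_by_function


def render_matches_by_function(doc):
    """Render, per function, the names of the rules that matched in it.

    like:

        function at 0x1000321a with 33 features:
          - get hostname
          - initialize Winsock library
        function at 0x10003286 with 63 features:
          - create thread
          - terminate thread
        function at 0x10003415 with 116 features:
          - write file
          - send data
          - link function at runtime
          - create HTTP request
          - get common file path
          - send HTTP request
          - connect to HTTP server

    Functions without any match are omitted. Basic-block matches are
    attributed to their enclosing function; file-scope matches are ignored.

    Args:
        doc: result document with ``meta.analysis.layout.functions`` and
            ``meta.analysis.feature_counts.functions`` populated.

    Returns:
        The rendered listing as one string.

    Raises:
        KeyError: a basic-block match lies outside every function in the layout.
    """
    functions_by_bb = _index_functions_by_basic_block(doc)
    matches_by_function = _collect_matches_by_function(doc, functions_by_bb)

    ostream = rutils.StringIO()
    feature_counts = doc["meta"]["analysis"]["feature_counts"]["functions"]
    for va, feature_count in sorted(feature_counts.items()):
        # The int() suggests these keys are strings, whereas match addresses
        # above are used as-is. NOTE(review): confirm both sides end up as
        # ints; if they do not, every lookup below misses and nothing renders.
        va = int(va)
        rule_names = matches_by_function.get(va)
        if not rule_names:
            continue
        ostream.writeln("function at 0x%X with %d features: " % (va, feature_count))
        # sorted: set order is not stable across processes (str hash seed),
        # so an unsorted listing would differ between runs on the same input.
        for rule_name in sorted(rule_names):
            ostream.writeln(" - " + rule_name)
    return ostream.getvalue()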
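def render_matches_by_function(doc):
    """Render, per function, the names of the rules whose matches are keyed by it.

    like:

        function at 0x1000321a with 33 features:
          - get hostname
          - initialize Winsock library
        function at 0x10003286 with 63 features:
          - create thread
          - terminate thread
        function at 0x10003415 with 116 features:
          - write file
          - send data
          - link function at runtime
          - create HTTP request
          - get common file path
          - send HTTP request
          - connect to HTTP server

    Every match address of every rule is used as-is (no scope filtering);
    functions without any match are omitted and each rendered function is
    followed by a blank line.

    Args:
        doc: result document with ``meta.analysis.feature_counts.functions``
            populated.

    Returns:
        The rendered listing as one string.
    """
    matches_by_function = collections.defaultdict(set)
    for rule in rutils.capability_rules(doc):
        rule_name = rule["meta"]["name"]
        for va in rule["matches"]:
            matches_by_function[va].add(rule_name)

    ostream = rutils.StringIO()
    feature_counts = doc["meta"]["analysis"]["feature_counts"]["functions"]
    for va, feature_count in sorted(feature_counts.items()):
        # The int() suggests these keys are strings, whereas match addresses
        # above are used as-is. NOTE(review): confirm both sides end up as
        # ints; if they do not, every lookup below misses and nothing renders.
        va = int(va)
        rule_names = matches_by_function.get(va)
        if not rule_names:
            continue
        ostream.writeln("function at 0x%X with %d features: " % (va, feature_count))
        # Fix: iterate the set in sorted order. Set iteration order of str
        # depends on the per-process hash seed, so the previous unsorted loop
        # produced a different listing on each run of the same input.
        for rule_name in sorted(rule_names):
            ostream.writeln(" - " + rule_name)
        ostream.write("\n")
    return ostream.getvalue()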