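def _get_versioninfo(self):
    """Collect the PE version-info string and var entries.

    Walks ``self.pe.FileInfo`` (only consulted when pefile exposes a
    ``VS_VERSIONINFO`` resource) and flattens every StringTable entry and
    every Var entry into ``{"name": ..., "value": ...}`` dicts, both
    fields passed through convert_to_printable.

    @return: list of info dicts; empty when the PE carries no version
        info or none of it could be parsed.
    """
    infos = []
    if not (hasattr(self.pe, "VS_VERSIONINFO") and hasattr(self.pe, "FileInfo")):
        return infos

    for file_info in self.pe.FileInfo:
        # The version resource comes from the sample itself: one
        # malformed entry must not abort parsing of the remaining ones.
        try:
            if hasattr(file_info, "StringTable"):
                for string_table in file_info.StringTable:
                    for name, value in string_table.entries.items():
                        infos.append({
                            "name": convert_to_printable(name),
                            "value": convert_to_printable(value),
                        })
            elif hasattr(file_info, "Var"):
                for var_entry in file_info.Var:
                    if not hasattr(var_entry, "entry"):
                        continue
                    # ``entry`` is used as a single-item mapping; next(iter())
                    # takes its first key/value on both Python 2 lists and
                    # Python 3 views (the old ``.keys()[0]`` was Python 2 only).
                    name = next(iter(var_entry.entry.keys()))
                    value = next(iter(var_entry.entry.values()))
                    infos.append({
                        "name": convert_to_printable(name),
                        "value": convert_to_printable(value),
                    })
        except Exception:
            continue
    return infos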
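def _add_hosts(self, connection):
    """Record the endpoints of a connection in the host lists.

    Addresses are passed through convert_to_printable before being
    compared with or appended to ``self.hosts``.  A not-yet-seen source
    address is kept only when it is private: a public source that has
    never been seen means the flow was not started during this analysis
    (leftover packet, issue #249).  Destination addresses are always
    kept; a public, non-whitelisted destination is also appended to
    ``self.unique_hosts`` the first time it is seen.

    @param connection: connection data (mapping with "src" and "dst").
    """
    try:
        # TODO: Perhaps this block should be removed.
        # A packet from a non-local IP address that has not been seen
        # before means the connection wasn't initiated during the time
        # of the current analysis.
        if connection["src"] not in self.hosts:
            src_ip = convert_to_printable(connection["src"])
            if src_ip not in self.hosts and self._is_private_ip(src_ip):
                self.hosts.append(src_ip)

        if connection["dst"] not in self.hosts:
            dst_ip = convert_to_printable(connection["dst"])
            if dst_ip not in self.hosts:
                self.hosts.append(dst_ip)
                # External IPs are listed only the first time they are
                # seen, and only when they are the destination of the
                # first packet they appear in.
                if not self._is_private_ip(dst_ip) and dst_ip not in self.whitelist_ips:
                    self.unique_hosts.append(dst_ip)
    except Exception as e:
        # Best effort: a malformed connection entry must not abort PCAP
        # processing, but it should not disappear silently either.
        log.debug("Skipping malformed connection entry: %s", e)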
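def _add_hosts(self, connection):
    """Record the endpoints of a connection in the host lists.

    Addresses are passed through convert_to_printable before being
    compared with or appended to ``self.hosts``.  A not-yet-seen source
    address is kept only when it is private: a public source that has
    never been seen means the flow was not started during this analysis
    (leftover packet, issue #249).  Destination addresses are always
    kept; a public, non-whitelisted destination is also appended to
    ``self.unique_hosts`` the first time it is seen.

    @param connection: connection data (mapping with "src" and "dst").
    """
    try:
        # TODO: Perhaps this block should be removed.
        # A packet from a non-local IP address that has not been seen
        # before means the connection wasn't initiated during the time
        # of the current analysis.
        if connection["src"] not in self.hosts:
            src_ip = convert_to_printable(connection["src"])
            if src_ip not in self.hosts and self._is_private_ip(src_ip):
                self.hosts.append(src_ip)

        if connection["dst"] not in self.hosts:
            dst_ip = convert_to_printable(connection["dst"])
            if dst_ip not in self.hosts:
                self.hosts.append(dst_ip)
                # External IPs are listed only the first time they are
                # seen, and only when they are the destination of the
                # first packet they appear in.
                if not self._is_private_ip(dst_ip) and dst_ip not in self.whitelist_ips:
                    self.unique_hosts.append(dst_ip)
    except Exception as e:
        # Best effort: a malformed connection entry must not abort PCAP
        # processing, but it should not disappear silently either.
        log.debug("Skipping malformed connection entry: %s", e)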
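def _unpack(self, buf):
    """Extract the IRC messages carried by a TCP stream.

    Each line is matched against the server grammar
    (``:prefix COMMAND params``) or, when it does not start with ``:``,
    the client grammar (``COMMAND params``); a client message is kept
    only if its command is listed in ``self.__methods_client``.  Every
    captured field is passed through convert_to_printable and a copy of
    the message dict is appended to ``self._messages``.

    @param buf: tcp stream data
    @return: False when the buffer cannot be read, None otherwise.
    """
    try:
        lines = cStringIO.StringIO(buf).readlines()
    except Exception:
        log.error("Failed reading tcp stream buffer")
        return False

    # Raw strings so the regex engine, not the Python parser, handles the
    # escapes.  The client terminator class is LF or CR (\x0a, \x0d): the
    # previous spelling "\0x0d" was a NUL byte followed by the literal
    # characters 'x', '0', 'd', so CR-terminated lines never matched and
    # lines ending in one of those characters matched by accident.
    server_re = r"(^:[\w+.{}!@|()]+\x20)([a-zA-Z]+|[0-9]{3})(\x20.+)"
    client_re = r"([a-zA-Z]+\x20)(.+[\x0a\x0d])"

    for line in lines:
        if line.startswith(":"):
            server_msg = re.findall(server_re, line)
            if server_msg:
                prefix, command, params = server_msg[0]
                self._sc["prefix"] = convert_to_printable(prefix.strip())
                self._sc["command"] = convert_to_printable(command.strip())
                self._sc["params"] = convert_to_printable(params.strip())
                self._sc["type"] = "server"
                self._messages.append(dict(self._sc))
        else:
            client_msg = re.findall(client_re, line)
            if client_msg and client_msg[0][0].strip() in self.__methods_client:
                command, params = client_msg[0]
                self._cc["command"] = convert_to_printable(command.strip())
                self._cc["params"] = convert_to_printable(params.strip())
                self._cc["type"] = "client"
                self._messages.append(dict(self._cc))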
def _get_file_header(self):
    """Describe the ELF file header.

    @return: dict of header fields; the ``e_ident`` bytes and the
        type/machine/version fields are rendered through the describe_*
        helpers, addresses through ``self._print_addr``, and the
        remaining offsets/sizes/counts are copied as raw integers.
    """
    header = self.elf.header
    ident = header.e_ident
    flags = header["e_flags"]

    return {
        "magic": convert_to_printable(self.elf.e_ident_raw[:4]),
        "class": describe_ei_class(ident["EI_CLASS"]),
        "data": describe_ei_data(ident["EI_DATA"]),
        "ei_version": describe_ei_version(ident["EI_VERSION"]),
        "os_abi": describe_ei_osabi(ident["EI_OSABI"]),
        "abi_version": ident["EI_ABIVERSION"],
        "type": describe_e_type(header["e_type"]),
        "machine": describe_e_machine(header["e_machine"]),
        "version": describe_e_version_numeric(header["e_version"]),
        "entry_point_address": self._print_addr(header["e_entry"]),
        "start_of_program_headers": header["e_phoff"],
        "start_of_section_headers": header["e_shoff"],
        # Printed address followed by the decoded flag names.
        "flags": "{}{}".format(self._print_addr(flags), self._decode_flags(flags)),
        "size_of_this_header": header["e_ehsize"],
        "size_of_program_headers": header["e_phentsize"],
        "number_of_program_headers": header["e_phnum"],
        "size_of_section_headers": header["e_shentsize"],
        "number_of_section_headers": header["e_shnum"],
        "section_header_string_table_index": header["e_shstrndx"],
    }
def _get_file_header(self):
    """Describe the ELF file header.

    @return: dict of header fields; the ``e_ident`` bytes and the
        type/machine/version fields are rendered through the describe_*
        helpers, addresses through ``self._print_addr``, and the
        remaining offsets/sizes/counts are copied as raw integers.
    """
    header = self.elf.header
    ident = header.e_ident
    flags = header["e_flags"]

    return {
        "magic": convert_to_printable(self.elf.e_ident_raw[:4]),
        "class": describe_ei_class(ident["EI_CLASS"]),
        "data": describe_ei_data(ident["EI_DATA"]),
        "ei_version": describe_ei_version(ident["EI_VERSION"]),
        "os_abi": describe_ei_osabi(ident["EI_OSABI"]),
        "abi_version": ident["EI_ABIVERSION"],
        "type": describe_e_type(header["e_type"]),
        "machine": describe_e_machine(header["e_machine"]),
        "version": describe_e_version_numeric(header["e_version"]),
        "entry_point_address": self._print_addr(header["e_entry"]),
        "start_of_program_headers": header["e_phoff"],
        "start_of_section_headers": header["e_shoff"],
        # Printed address followed by the decoded flag names.
        "flags": "{}{}".format(self._print_addr(flags), self._decode_flags(flags)),
        "size_of_this_header": header["e_ehsize"],
        "size_of_program_headers": header["e_phentsize"],
        "number_of_program_headers": header["e_phnum"],
        "size_of_section_headers": header["e_shentsize"],
        "number_of_section_headers": header["e_shnum"],
        "section_header_string_table_index": header["e_shstrndx"],
    }
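def _add_http(self, tcpdata, dport):
    """Record an HTTP request flow.

    A payload already seen is counted instead of stored again.  The
    payload is parsed with dpkt; a payload dpkt cannot unpack is rejected
    outright rather than being turned into an entry from the
    partially-unpacked Request (which is what the fall-through did before).

    @param tcpdata: TCP data flow.
    @param dport: destination port.
    @return: True when the request was stored or counted, False when it
        could not be parsed.
    """
    if tcpdata in self.http_requests:
        self.http_requests[tcpdata]["count"] += 1
        return True

    try:
        http = dpkt.http.Request()
        http.unpack(tcpdata)
    except dpkt.dpkt.UnpackError:
        return False

    try:
        entry = {"count": 1}
        if "host" in http.headers:
            entry["host"] = convert_to_printable(http.headers["host"])
        else:
            entry["host"] = ""
        entry["port"] = dport

        # The Host header may omit a non-default destination port; add it
        # so the reconstructed URL names the endpoint actually contacted.
        netloc = entry["host"]
        if dport != 80 and ":" not in netloc:
            netloc += ":" + str(entry["port"])

        entry["data"] = convert_to_printable(tcpdata)
        url = urlparse.urlunparse(("http", netloc, http.uri, None, None, None))
        entry["uri"] = convert_to_printable(url)
        entry["body"] = convert_to_printable(http.body)
        entry["path"] = convert_to_printable(http.uri)
        if "user-agent" in http.headers:
            entry["user-agent"] = convert_to_printable(http.headers["user-agent"])
        entry["version"] = convert_to_printable(http.version)
        entry["method"] = convert_to_printable(http.method)
        self.http_requests[tcpdata] = entry
    except Exception:
        return False
    return True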
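def _add_http(self, tcpdata, dport):
    """Record an HTTP request flow.

    A payload already seen is counted instead of stored again.  The
    payload is parsed with dpkt; a payload dpkt cannot unpack is rejected
    outright rather than being turned into an entry from the
    partially-unpacked Request (which is what the fall-through did before).

    @param tcpdata: TCP data flow.
    @param dport: destination port.
    @return: True when the request was stored or counted, False when it
        could not be parsed.
    """
    if tcpdata in self.http_requests:
        self.http_requests[tcpdata]["count"] += 1
        return True

    try:
        http = dpkt.http.Request()
        http.unpack(tcpdata)
    except dpkt.dpkt.UnpackError:
        return False

    try:
        entry = {"count": 1}
        if "host" in http.headers:
            entry["host"] = convert_to_printable(http.headers["host"])
        else:
            entry["host"] = ""
        entry["port"] = dport

        # The Host header may omit a non-default destination port; add it
        # so the reconstructed URL names the endpoint actually contacted.
        netloc = entry["host"]
        if dport != 80 and ":" not in netloc:
            netloc += ":" + str(entry["port"])

        entry["data"] = convert_to_printable(tcpdata)
        url = urlparse.urlunparse(("http", netloc, http.uri, None, None, None))
        entry["uri"] = convert_to_printable(url)
        entry["body"] = convert_to_printable(http.body)
        entry["path"] = convert_to_printable(http.uri)
        if "user-agent" in http.headers:
            entry["user-agent"] = convert_to_printable(http.headers["user-agent"])
        entry["version"] = convert_to_printable(http.version)
        entry["method"] = convert_to_printable(http.method)
        self.http_requests[tcpdata] = entry
    except Exception:
        return False
    return True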
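def _unpack(self, buf):
    """Extract the IRC messages carried by a TCP stream.

    Each line is matched against the server grammar
    (``:prefix COMMAND params``) or, when it does not start with ``:``,
    the client grammar (``COMMAND params``); a client message is kept
    only if its command is listed in ``self.__methods_client``.  Every
    captured field is passed through convert_to_printable and a copy of
    the message dict is appended to ``self._messages``.

    @param buf: tcp stream data
    @return: False when the buffer cannot be read, None otherwise.
    """
    try:
        lines = cStringIO.StringIO(buf).readlines()
    except Exception:
        log.error("Failed reading tcp stream buffer")
        return False

    # Raw strings so the regex engine, not the Python parser, handles the
    # escapes.  The client terminator class is LF or CR (\x0a, \x0d): the
    # previous spelling "\0x0d" was a NUL byte followed by the literal
    # characters 'x', '0', 'd', so CR-terminated lines never matched and
    # lines ending in one of those characters matched by accident.
    server_re = r"(^:[\w+.{}!@|()]+\x20)([a-zA-Z]+|[0-9]{3})(\x20.+)"
    client_re = r"([a-zA-Z]+\x20)(.+[\x0a\x0d])"

    for line in lines:
        if line.startswith(":"):
            server_msg = re.findall(server_re, line)
            if server_msg:
                prefix, command, params = server_msg[0]
                self._sc["prefix"] = convert_to_printable(prefix.strip())
                self._sc["command"] = convert_to_printable(command.strip())
                self._sc["params"] = convert_to_printable(params.strip())
                self._sc["type"] = "server"
                self._messages.append(dict(self._sc))
        else:
            client_msg = re.findall(client_re, line)
            if client_msg and client_msg[0][0].strip() in self.__methods_client:
                command, params = client_msg[0]
                self._cc["command"] = convert_to_printable(command.strip())
                self._cc["params"] = convert_to_printable(params.strip())
                self._cc["type"] = "client"
                self._messages.append(dict(self._cc))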
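def _get_sections(self):
    """Get the PE sections.

    @return: list of section dicts (name, virtual address, virtual size,
        raw data size, entropy); a section whose header cannot be
        described is skipped.
    """
    sections = []
    for entry in self.pe.sections:
        # Section headers come from the sample; one corrupt header must
        # not hide the remaining sections.
        try:
            sections.append({
                "name": convert_to_printable(entry.Name.strip("\x00")),
                "virtual_address": "0x{0:08x}".format(entry.VirtualAddress),
                "virtual_size": "0x{0:08x}".format(entry.Misc_VirtualSize),
                "size_of_data": "0x{0:08x}".format(entry.SizeOfRawData),
                "entropy": entry.get_entropy(),
            })
        except Exception:
            continue
    return sections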
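def _get_imported_symbols(self):
    """Get the imported symbols.

    @return: list of ``{"dll": ..., "imports": [...]}`` dicts, one per
        import directory entry, each import being
        ``{"address": hex, "name": ...}``; an entry that fails to parse is
        logged and skipped.
    """
    imports = []
    for entry in getattr(self.pe, "DIRECTORY_ENTRY_IMPORT", []):
        try:
            symbols = [
                {
                    "address": hex(imported_symbol.address),
                    "name": imported_symbol.name,
                }
                for imported_symbol in entry.imports
            ]
            imports.append({
                "dll": convert_to_printable(entry.dll),
                "imports": symbols,
            })
        except Exception:
            # Narrowed from a bare except so interrupts still propagate.
            log.exception("Unable to parse imported symbols.")
    return imports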
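def _icmp_dissect(self, conn, data):
    """Runs all ICMP dissectors.

    Appends ``{"src", "dst", "type", "data"}`` to ``self.icmp_requests``
    for every ICMP packet not originating from the result server.

    @param conn: connection.
    @param data: payload data.
    """
    if not self._check_icmp(data):
        return
    # ICMP packets coming from the host are not the sample's traffic,
    # hence they are not reported.
    if conn["src"] == config("cuckoo:resultserver:ip"):
        return

    entry = {"src": conn["src"], "dst": conn["dst"], "type": data.type}
    # Extract the payload from dpkt.icmp.ICMP; a payload that cannot be
    # read or rendered is reported as an empty string.
    try:
        entry["data"] = convert_to_printable(data.data.data)
    except Exception:
        entry["data"] = ""
    self.icmp_requests.append(entry)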
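def _icmp_dissect(self, conn, data):
    """Runs all ICMP dissectors.

    Appends ``{"src", "dst", "type", "data"}`` to ``self.icmp_requests``
    for every ICMP packet not originating from the result server.

    @param conn: connection.
    @param data: payload data.
    """
    if not self._check_icmp(data):
        return
    # ICMP packets coming from the host are not the sample's traffic,
    # hence they are not reported.
    if conn["src"] == config("cuckoo:resultserver:ip"):
        return

    entry = {"src": conn["src"], "dst": conn["dst"], "type": data.type}
    # Extract the payload from dpkt.icmp.ICMP; a payload that cannot be
    # read or rendered is reported as an empty string.
    try:
        entry["data"] = convert_to_printable(data.data.data)
    except Exception:
        entry["data"] = ""
    self.icmp_requests.append(entry)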
def test_utf(self):
    """A non-ASCII unicode character is rendered as its escaped form."""
    printable = utils.convert_to_printable(u"\xe9")
    assert printable == "\\xe9"
def test_utf(self):
    """A non-ASCII unicode character is rendered as its escaped form."""
    printable = utils.convert_to_printable(u"\xe9")
    assert printable == "\\xe9"
def test_digit(self):
    """A digit is returned unchanged."""
    printable = utils.convert_to_printable(u"9")
    assert printable == "9"
def test_punctation(self):
    """Punctuation is returned unchanged."""
    printable = utils.convert_to_printable(".")
    assert printable == "."
def test_literal(self):
    """A plain ASCII letter is returned unchanged."""
    printable = utils.convert_to_printable("e")
    assert printable == "e"
def test_whitespace(self):
    """A space is returned unchanged."""
    printable = utils.convert_to_printable(" ")
    assert printable == " "
def test_non_printable(self):
    """A control character is rendered as its hex escape."""
    printable = utils.convert_to_printable(chr(11))
    assert printable == r"\x0b"
def test_punctation(self):
    """Punctuation is returned unchanged."""
    printable = utils.convert_to_printable(".")
    assert printable == "."
def test_literal(self):
    """A plain ASCII letter is returned unchanged."""
    printable = utils.convert_to_printable("e")
    assert printable == "e"
def test_digit(self):
    """A digit is returned unchanged."""
    printable = utils.convert_to_printable(u"9")
    assert printable == "9"
def test_whitespace(self):
    """A space is returned unchanged."""
    printable = utils.convert_to_printable(" ")
    assert printable == " "
def test_non_printable(self):
    """A control character is rendered as its hex escape."""
    printable = utils.convert_to_printable(chr(11))
    assert printable == r"\x0b"