def _get_versioninfo(self):
"""Get version info.
@return: info dict or None.
"""
infos = []
if hasattr(self.pe, "VS_VERSIONINFO"):
if hasattr(self.pe, "FileInfo"):
for entry in self.pe.FileInfo:
try:
if hasattr(entry, "StringTable"):
for st_entry in entry.StringTable:
for str_entry in st_entry.entries.items():
entry = {}
entry["name"] = convert_to_printable(str_entry[0])
entry["value"] = convert_to_printable(str_entry[1])
infos.append(entry)
elif hasattr(entry, "Var"):
for var_entry in entry.Var:
if hasattr(var_entry, "entry"):
entry = {}
entry["name"] = convert_to_printable(var_entry.entry.keys()[0])
entry["value"] = convert_to_printable(var_entry.entry.values()[0])
infos.append(entry)
except:
continue
return infos
def _add_hosts(self, connection):
"""Add IPs to unique list.
@param connection: connection data
"""
try:
# TODO: Perhaps this block should be removed.
# If there is a packet from a non-local IP address, which hasn't
# been seen before, it means that the connection wasn't initiated
# during the time of the current analysis.
if connection["src"] not in self.hosts:
ip = convert_to_printable(connection["src"])
# We consider the IP only if it hasn't been seen before.
if ip not in self.hosts:
# If the IP is not a local one, this might be a leftover
# packet as described in issue #249.
if self._is_private_ip(ip):
self.hosts.append(ip)
if connection["dst"] not in self.hosts:
ip = convert_to_printable(connection["dst"])
if ip not in self.hosts:
self.hosts.append(ip)
# We add external IPs to the list, only the first time
# we see them and if they're the destination of the
# first packet they appear in.
if not self._is_private_ip(
ip) and ip not in self.whitelist_ips:
self.unique_hosts.append(ip)
except:
pass
def _add_hosts(self, connection):
"""Add IPs to unique list.
@param connection: connection data
"""
try:
# TODO: Perhaps this block should be removed.
# If there is a packet from a non-local IP address, which hasn't
# been seen before, it means that the connection wasn't initiated
# during the time of the current analysis.
if connection["src"] not in self.hosts:
ip = convert_to_printable(connection["src"])
# We consider the IP only if it hasn't been seen before.
if ip not in self.hosts:
# If the IP is not a local one, this might be a leftover
# packet as described in issue #249.
if self._is_private_ip(ip):
self.hosts.append(ip)
if connection["dst"] not in self.hosts:
ip = convert_to_printable(connection["dst"])
if ip not in self.hosts:
self.hosts.append(ip)
# We add external IPs to the list, only the first time
# we see them and if they're the destination of the
# first packet they appear in.
if not self._is_private_ip(ip) and ip not in self.whitelist_ips:
self.unique_hosts.append(ip)
except:
pass
def _unpack(self, buf):
"""Extract into a list irc messages of a tcp streams.
@buf: tcp stream data
"""
try:
f = cStringIO.StringIO(buf)
lines = f.readlines()
except Exception:
log.error("Failed reading tcp stream buffer")
return False
for element in lines:
if not re.match("^:", element) is None:
command = "([a-zA-Z]+|[0-9]{3})"
params = "(\x20.+)"
irc_server_msg = re.findall(
"(^:[\w+.{}!@|()]+\x20)" + command + params, element
)
if irc_server_msg:
self._sc["prefix"] = convert_to_printable(irc_server_msg[0][0].strip())
self._sc["command"] = convert_to_printable(irc_server_msg[0][1].strip())
self._sc["params"] = convert_to_printable(irc_server_msg[0][2].strip())
self._sc["type"] = "server"
self._messages.append(dict(self._sc))
else:
irc_client_msg = re.findall(
"([a-zA-Z]+\x20)(.+[\x0a\0x0d])", element
)
if irc_client_msg and irc_client_msg[0][0].strip() in self.__methods_client:
self._cc["command"] = convert_to_printable(irc_client_msg[0][0].strip())
self._cc["params"] = convert_to_printable(irc_client_msg[0][1].strip())
self._cc["type"] = "client"
self._messages.append(dict(self._cc))
def _get_file_header(self):
return {
"magic": convert_to_printable(self.elf.e_ident_raw[:4]),
"class": describe_ei_class(self.elf.header.e_ident["EI_CLASS"]),
"data": describe_ei_data(self.elf.header.e_ident["EI_DATA"]),
"ei_version": describe_ei_version(self.elf.header.e_ident["EI_VERSION"]),
"os_abi": describe_ei_osabi(self.elf.header.e_ident["EI_OSABI"]),
"abi_version": self.elf.header.e_ident["EI_ABIVERSION"],
"type": describe_e_type(self.elf.header["e_type"]),
"machine": describe_e_machine(self.elf.header["e_machine"]),
"version": describe_e_version_numeric(self.elf.header["e_version"]),
"entry_point_address": self._print_addr(self.elf.header["e_entry"]),
"start_of_program_headers": self.elf.header["e_phoff"],
"start_of_section_headers": self.elf.header["e_shoff"],
"flags": "{}{}".format(
self._print_addr(self.elf.header["e_flags"]),
self._decode_flags(self.elf.header["e_flags"])
),
"size_of_this_header": self.elf.header["e_ehsize"],
"size_of_program_headers": self.elf.header["e_phentsize"],
"number_of_program_headers": self.elf.header["e_phnum"],
"size_of_section_headers": self.elf.header["e_shentsize"],
"number_of_section_headers": self.elf.header["e_shnum"],
"section_header_string_table_index": self.elf.header["e_shstrndx"],
}
def _get_file_header(self):
return {
"magic": convert_to_printable(self.elf.e_ident_raw[:4]),
"class": describe_ei_class(self.elf.header.e_ident["EI_CLASS"]),
"data": describe_ei_data(self.elf.header.e_ident["EI_DATA"]),
"ei_version": describe_ei_version(self.elf.header.e_ident["EI_VERSION"]),
"os_abi": describe_ei_osabi(self.elf.header.e_ident["EI_OSABI"]),
"abi_version": self.elf.header.e_ident["EI_ABIVERSION"],
"type": describe_e_type(self.elf.header["e_type"]),
"machine": describe_e_machine(self.elf.header["e_machine"]),
"version": describe_e_version_numeric(self.elf.header["e_version"]),
"entry_point_address": self._print_addr(self.elf.header["e_entry"]),
"start_of_program_headers": self.elf.header["e_phoff"],
"start_of_section_headers": self.elf.header["e_shoff"],
"flags": "{}{}".format(
self._print_addr(self.elf.header["e_flags"]),
self._decode_flags(self.elf.header["e_flags"])
),
"size_of_this_header": self.elf.header["e_ehsize"],
"size_of_program_headers": self.elf.header["e_phentsize"],
"number_of_program_headers": self.elf.header["e_phnum"],
"size_of_section_headers": self.elf.header["e_shentsize"],
"number_of_section_headers": self.elf.header["e_shnum"],
"section_header_string_table_index": self.elf.header["e_shstrndx"],
}
def _add_http(self, tcpdata, dport):
"""Adds an HTTP flow.
@param tcpdata: TCP data flow.
@param dport: destination port.
"""
if tcpdata in self.http_requests:
self.http_requests[tcpdata]["count"] += 1
return True
try:
http = dpkt.http.Request()
http.unpack(tcpdata)
except dpkt.dpkt.UnpackError:
pass
try:
entry = {"count": 1}
if "host" in http.headers:
entry["host"] = convert_to_printable(http.headers["host"])
else:
entry["host"] = ""
entry["port"] = dport
# Manually deal with cases when destination port is not the
# default one and it is not included in host header.
netloc = entry["host"]
if dport != 80 and ":" not in netloc:
netloc += ":" + str(entry["port"])
entry["data"] = convert_to_printable(tcpdata)
url = urlparse.urlunparse(
("http", netloc, http.uri, None, None, None))
entry["uri"] = convert_to_printable(url)
entry["body"] = convert_to_printable(http.body)
entry["path"] = convert_to_printable(http.uri)
if "user-agent" in http.headers:
entry["user-agent"] = \
convert_to_printable(http.headers["user-agent"])
entry["version"] = convert_to_printable(http.version)
entry["method"] = convert_to_printable(http.method)
self.http_requests[tcpdata] = entry
except Exception:
return False
return True
def _add_http(self, tcpdata, dport):
"""Adds an HTTP flow.
@param tcpdata: TCP data flow.
@param dport: destination port.
"""
if tcpdata in self.http_requests:
self.http_requests[tcpdata]["count"] += 1
return True
try:
http = dpkt.http.Request()
http.unpack(tcpdata)
except dpkt.dpkt.UnpackError:
pass
try:
entry = {"count": 1}
if "host" in http.headers:
entry["host"] = convert_to_printable(http.headers["host"])
else:
entry["host"] = ""
entry["port"] = dport
# Manually deal with cases when destination port is not the
# default one and it is not included in host header.
netloc = entry["host"]
if dport != 80 and ":" not in netloc:
netloc += ":" + str(entry["port"])
entry["data"] = convert_to_printable(tcpdata)
url = urlparse.urlunparse(("http", netloc, http.uri,
None, None, None))
entry["uri"] = convert_to_printable(url)
entry["body"] = convert_to_printable(http.body)
entry["path"] = convert_to_printable(http.uri)
if "user-agent" in http.headers:
entry["user-agent"] = \
convert_to_printable(http.headers["user-agent"])
entry["version"] = convert_to_printable(http.version)
entry["method"] = convert_to_printable(http.method)
self.http_requests[tcpdata] = entry
except Exception:
return False
return True
def _unpack(self, buf):
"""Extract into a list irc messages of a tcp streams.
@buf: tcp stream data
"""
try:
f = cStringIO.StringIO(buf)
lines = f.readlines()
except Exception:
log.error("Failed reading tcp stream buffer")
return False
for element in lines:
if not re.match("^:", element) is None:
command = "([a-zA-Z]+|[0-9]{3})"
params = "(\x20.+)"
irc_server_msg = re.findall(
"(^:[\w+.{}!@|()]+\x20)" + command + params, element)
if irc_server_msg:
self._sc["prefix"] = convert_to_printable(
irc_server_msg[0][0].strip())
self._sc["command"] = convert_to_printable(
irc_server_msg[0][1].strip())
self._sc["params"] = convert_to_printable(
irc_server_msg[0][2].strip())
self._sc["type"] = "server"
self._messages.append(dict(self._sc))
else:
irc_client_msg = re.findall("([a-zA-Z]+\x20)(.+[\x0a\0x0d])",
element)
if irc_client_msg and irc_client_msg[0][0].strip(
) in self.__methods_client:
self._cc["command"] = convert_to_printable(
irc_client_msg[0][0].strip())
self._cc["params"] = convert_to_printable(
irc_client_msg[0][1].strip())
self._cc["type"] = "client"
self._messages.append(dict(self._cc))
def _get_sections(self):
"""Gets sections.
@return: sections dict or None.
"""
sections = []
for entry in self.pe.sections:
try:
section = {}
section["name"] = convert_to_printable(entry.Name.strip("\x00"))
section["virtual_address"] = "0x{0:08x}".format(entry.VirtualAddress)
section["virtual_size"] = "0x{0:08x}".format(entry.Misc_VirtualSize)
section["size_of_data"] = "0x{0:08x}".format(entry.SizeOfRawData)
section["entropy"] = entry.get_entropy()
sections.append(section)
except:
continue
return sections
def _get_imported_symbols(self):
"""Gets imported symbols.
@return: imported symbols dict or None.
"""
imports = []
for entry in getattr(self.pe, "DIRECTORY_ENTRY_IMPORT", []):
try:
symbols = []
for imported_symbol in entry.imports:
symbols.append({
"address": hex(imported_symbol.address),
"name": imported_symbol.name,
})
imports.append({
"dll": convert_to_printable(entry.dll),
"imports": symbols,
})
except:
log.exception("Unable to parse imported symbols.")
return imports
def _icmp_dissect(self, conn, data):
"""Runs all ICMP dissectors.
@param conn: connection.
@param data: payload data.
"""
if self._check_icmp(data):
# If ICMP packets are coming from the host, it probably isn't
# relevant traffic, hence we can skip from reporting it.
if conn["src"] == config("cuckoo:resultserver:ip"):
return
entry = {}
entry["src"] = conn["src"]
entry["dst"] = conn["dst"]
entry["type"] = data.type
# Extract data from dpkg.icmp.ICMP.
try:
entry["data"] = convert_to_printable(data.data.data)
except:
entry["data"] = ""
self.icmp_requests.append(entry)
def _icmp_dissect(self, conn, data):
"""Runs all ICMP dissectors.
@param conn: connection.
@param data: payload data.
"""
if self._check_icmp(data):
# If ICMP packets are coming from the host, it probably isn't
# relevant traffic, hence we can skip from reporting it.
if conn["src"] == config("cuckoo:resultserver:ip"):
return
entry = {}
entry["src"] = conn["src"]
entry["dst"] = conn["dst"]
entry["type"] = data.type
# Extract data from dpkg.icmp.ICMP.
try:
entry["data"] = convert_to_printable(data.data.data)
except:
entry["data"] = ""
self.icmp_requests.append(entry)
def test_utf(self):
assert "\\xe9" == utils.convert_to_printable(u"\xe9")
def test_utf(self):
assert "\\xe9" == utils.convert_to_printable(u"\xe9")
def test_digit(self):
assert "9" == utils.convert_to_printable(u"9")
def test_punctation(self):
assert "." == utils.convert_to_printable(".")
def test_literal(self):
assert "e" == utils.convert_to_printable("e")
def test_whitespace(self):
assert " " == utils.convert_to_printable(" ")
def test_non_printable(self):
assert r"\x0b" == utils.convert_to_printable(chr(11))
def test_punctation(self):
assert "." == utils.convert_to_printable(".")
def test_literal(self):
assert "e" == utils.convert_to_printable("e")
def test_digit(self):
assert "9" == utils.convert_to_printable(u"9")
def test_whitespace(self):
assert " " == utils.convert_to_printable(" ")
def test_non_printable(self):
assert r"\x0b" == utils.convert_to_printable(chr(11))
