def _run(self, scanObject, result, depth, args):
moduleResult = []
minFileSize = 0 #Explode everything!
useUnvalidatedFilenames = 0
if 'minFileSize' in args:
try:
minFileSize = int(args['minFileSize'])
except (QuitScanException, GlobalScanTimeoutError,
GlobalModuleTimeoutError):
raise
except:
pass
if 'useUnvalidatedFilenames' in args:
try:
minFileSize = int(args['useUnvalidatedFilenames'])
except (QuitScanException, GlobalScanTimeoutError,
GlobalModuleTimeoutError):
raise
except:
pass
file = StringIO.StringIO()
file.write(scanObject.buffer)
file.flush()
file.seek(0)
ole = olefile.OleFileIO(file)
lstStreams = ole.listdir()
numStreams = 0
for stream in lstStreams:
try:
if ole.get_size(stream) >= minFileSize:
numStreams += 1
streamF = ole.openstream(stream)
childBuffer = streamF.read()
if childBuffer:
filename = "e_ole_stream_" + str(numStreams)
try:
u = unicode(str(stream), "utf-8")
filename = u.encode("utf-8")
except (QuitScanException, GlobalScanTimeoutError,
GlobalModuleTimeoutError):
raise
except:
pass #keep ole_stream_number as filename
moduleResult.append(
ModuleObject(
buffer=childBuffer,
externalVars=ExternalVars(filename=filename)))
except (QuitScanException, GlobalScanTimeoutError,
GlobalModuleTimeoutError):
raise
except:
log_module("MSG", self.module_name, 0, scanObject, result,
"ERROR EXTRACTING STREAM: " + str(stream))
ole.close()
file.close()
return moduleResult
def _run(self, scanObject, result, depth, args):
moduleResult = []
try:
vbaparser = olevba.VBA_Parser(
scanObject.objectHash,
data=scanObject.buffer) #load ole into olevba
if vbaparser.detect_vba_macros(): #VBA Macro Found
# Loop to parse VBA Macro
for (filename, stream_path, vba_filename, vba_code
) in vbaparser.extract_macros(): # macro extraction
macrofilesdict = {}
macrofilesdict.update({
'Type': vbaparser.type,
'VBA_project': vbaparser.vba_projects,
'OLE_stream': stream_path,
'VBA_filename': vba_filename
})
scanObject.addMetadata(self.module_name,
"Parsed_Macros_Metadata",
macrofilesdict)
explodevbafilename = 'e_vba_%s_%s' % (
scanObject.objectHash, vba_filename
) # Exploded file name contains source hash
moduleResult.append(
ModuleObject(buffer=vba_code,
externalVars=ExternalVars(
filename=explodevbafilename)))
# Loop to parse VBA Forms
combinedstring = ""
formfilesdlist = set()
for (filename, stream_path,
form_string) in vbaparser.extract_form_strings():
formfilesdlist.add(
stream_path
) #set because stream_path could be the same over and over again
combinedstring += " %s" % form_string #combining all found forms text into a single variable
if combinedstring: #form text found
scanObject.addMetadata(self.module_name,
"VBA_Forms_Found_Streams",
formfilesdlist)
explodeformsfilename = 'e_vba_%s_combined_forms.txt' % (
scanObject.objectHash)
moduleResult.append(
ModuleObject(buffer=combinedstring,
externalVars=ExternalVars(
filename=explodeformsfilename)))
vbaparser.close()
except olevba.OlevbaBaseException as e: # exceptions from olevba import will raise
olevbaerror = 'e_vba:err:%s' % e
#scanObject.addFlag(olevbaerror)
log_module("MSG", self.module_name, 0, scanObject, result,
olevbaerror)
except (QuitScanException, GlobalScanTimeoutError,
GlobalModuleTimeoutError):
raise
return moduleResult
def _run(self, scanObject, result, depth, args):
moduleResult = []
minFileSize = 0 #Explode everything!
useUnvalidatedFilenames = 0
if 'minFileSize' in args:
try:
minFileSize = int(args['minFileSize'])
except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError):
raise
except:
pass
if 'useUnvalidatedFilenames' in args:
try:
minFileSize = int(args['useUnvalidatedFilenames'])
except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError):
raise
except:
pass
file = StringIO.StringIO()
file.write(scanObject.buffer)
file.flush()
file.seek(0)
ole = olefile.OleFileIO(file)
lstStreams = ole.listdir()
numStreams = 0
for stream in lstStreams:
try:
if ole.get_size(stream) >= minFileSize:
numStreams += 1
streamF = ole.openstream(stream)
childBuffer = streamF.read()
if childBuffer:
filename = "e_ole_stream_"+str(numStreams)
try:
u = unicode( str(stream), "utf-8" )
filename = u.encode( "utf-8" )
except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError):
raise
except:
pass #keep ole_stream_number as filename
moduleResult.append(ModuleObject(buffer=childBuffer,
externalVars=ExternalVars(filename=filename)))
except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError):
raise
except:
log_module("MSG", self.module_name, 0, scanObject, result, "ERROR EXTRACTING STREAM: "+str(stream))
ole.close()
file.close()
return moduleResult
def _run(self, scanObject, result, depth, args):
#Initialization
moduleResult = []
verbose = False
resultDict = {}
strMatches = ""
#Read arguments
if 'verbose' in args:
verbose = True
#Populate static metadata
resultDict['Disposition_File'] = config.yaradispositionrules
resultDict['Result'] = "Disposition Not Initialized"
#Get scanObject uID for flag_rollup and rollup flags
myUID = get_scanObjectUID(scanObject)
flag_rollup = self._rollupToMe(result, myUID)
resultDict['Input_Flags'] = flag_rollup
if verbose:
log_module("MSG",
self.module_name,
0,
scanObject,
result,
msg="dispositon_email: flag rollup: %s" % flag_rollup)
try:
matches = yara_on_demand(config.yaradispositionrules,
' '.join(flag_rollup))
lstStrMatches = [str(match) for match in matches]
resultDict['Matches'] = lstStrMatches
if matches:
strMatches = ' '.join(lstStrMatches)
except SyntaxError:
log_module_error(
self.module_name, scanObject, result,
"Error Compiling YARA rules file at: " +
config.yaradispositionrules)
resultDict['Result'] = "YARA RULE SYNTAX ERROR"
resultDict['Result'] = "Accept"
for match in resultDict['Matches']:
if match.startswith("Deny"):
resultDict['Result'] = "Deny"
scanObject.addMetadata(self.module_name, 'Disposition', resultDict)
return moduleResult
def _run(self, scanObject, result, depth, args):
#Initialization
moduleResult = []
verbose = False
resultDict = {}
strMatches = ""
#Read arguments
if 'verbose' in args:
verbose = True
#Populate static metadata
resultDict['Disposition_File'] = config.yaradispositionrules
resultDict['Result'] = "Disposition Not Initialized"
#Get scanObject uID for flag_rollup and rollup flags
myUID = get_scanObjectUID(scanObject)
flag_rollup = self._rollupToMe(result, myUID )
resultDict['Input_Flags'] = flag_rollup
if verbose: log_module("MSG", self.module_name, 0, scanObject, result, msg="dispositon_email: flag rollup: %s" % flag_rollup)
try:
matches = yara_on_demand(config.yaradispositionrules, ' '.join(flag_rollup))
lstStrMatches = [str(match) for match in matches]
resultDict['Matches'] = lstStrMatches
if matches:
strMatches = ' '.join(lstStrMatches)
except SyntaxError:
log_module_error(self.module_name, scanObject, result, "Error Compiling YARA rules file at: "+config.yaradispositionrules)
resultDict['Result'] = "YARA RULE SYNTAX ERROR"
resultDict['Result'] = "Accept"
for match in resultDict['Matches']:
if match.startswith("Deny"):
resultDict['Result'] = "Deny"
scanObject.addMetadata(self.module_name, 'Disposition', resultDict)
return moduleResult
def _run(self, scanObject, result, depth, args):
logging.debug("tactical: args: %s" % repr(args))
moduleResult = []
output = ''
script_path = None
timeout = "30";
if 'timeout' in args:
timeout = args['timeout']
# Option to remove directory containing temp files
unlinkDir = False
if 'unlinkDir' in args:
if args['unlinkDir'].upper() == 'TRUE':
unlinkDir = True
#only do something if script is defined in dispatcher--without external script this does nothing
if 'script' in args:
script_path = args['script']
#temp_file_h, temp_file_name = tempfile.mkstemp()
with tempfile.NamedTemporaryFile(dir=self.TEMP_DIR) as temp_file:
temp_file_name = temp_file.name
temp_file.write(scanObject.buffer)
temp_file.flush()
#use timeout command in the command, if available on the system?
output = self._collect("timeout %s %s %s %s" % (timeout, script_path, temp_file_name, self.TEMP_DIR), shell=True)
logging.debug(output)
tmp_dirs = []
for line in output.splitlines():
#need to process the lines
line_type = line[:5]
line_value = line[5:].strip()
if line_type == "FLAG:":
#not doing any validation on the flags, but truncating on length
scanObject.addFlag(line_value[:20])
elif line_type == "META:":
(meta_key, meta_sep, meta_value) = line_value.partition('=')
scanObject.addMetadata(self.module_name, meta_key, meta_value)
elif line_type == "FILE:":
# Check to see if the file is actually a directory (silly 7zip)
if os.path.isdir(line_value):
# If the file is a directory and we don't already know about it, add it to the list
if line_value not in tmp_dirs:
tmp_dirs.append(line_value)
# Skip this since it's a directory
continue
# If we don't already know about this directory, add it to the list
if os.path.dirname(line_value) not in tmp_dirs:
file_path = os.path.dirname(line_value)
tmp_dirs.append(file_path)
try:
with open(line_value, 'r') as result_file:
moduleResult.append(ModuleObject(buffer=result_file.read(),externalVars=ExternalVars(filename=os.path.basename(line_value))))
except:
raise
finally:
#make sure the incoming file is deleted, or at least we try....
logging.debug("Trying to unlink file: %s" % (line_value))
os.unlink(line_value)
else:
pass
if unlinkDir:
logging.debug("Attempting to remove temp directories: %s" % (tmp_dirs))
# Loop through the directories and remove them, starting with the deepest level (by length)
for tmp_dir in sorted(tmp_dirs, key=len, reverse=True):
try:
rmtree(tmp_dir)
except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError):
raise
except:
log_module("MSG", self.module_name, 0, scanObject, result, "Could not remove tmp dir %s" % (tmp_dir))
logging.exception("Unable to remove temp directory: %s" % (tmp_dir))
return moduleResult
def _run(self, scanObject, result, depth, args):
logging.debug("tactical: args: %s" % repr(args))
moduleResult = []
output = ''
script_path = None
timeout = "30"
if 'timeout' in args:
timeout = args['timeout']
# Option to remove directory containing temp files
unlinkDir = False
if 'unlinkDir' in args:
if args['unlinkDir'].upper() == 'TRUE':
unlinkDir = True
#only do something if script is defined in dispatcher--without external script this does nothing
if 'script' in args:
script_path = args['script']
#temp_file_h, temp_file_name = tempfile.mkstemp()
with tempfile.NamedTemporaryFile(dir=self.TEMP_DIR) as temp_file:
temp_file_name = temp_file.name
temp_file.write(scanObject.buffer)
temp_file.flush()
#use timeout command in the command, if available on the system?
output = self._collect(
"timeout %s %s %s %s" %
(timeout, script_path, temp_file_name, self.TEMP_DIR),
shell=True)
logging.debug(output)
tmp_dirs = []
for line in output.splitlines():
#need to process the lines
line_type = line[:5]
line_value = line[5:].strip()
if line_type == "FLAG:":
#not doing any validation on the flags, but truncating on length
scanObject.addFlag(line_value[:20])
elif line_type == "META:":
(meta_key, meta_sep,
meta_value) = line_value.partition('=')
scanObject.addMetadata(self.module_name, meta_key,
meta_value)
elif line_type == "FILE:":
# Check to see if the file is actually a directory (silly 7zip)
if os.path.isdir(line_value):
# If the file is a directory and we don't already know about it, add it to the list
if line_value not in tmp_dirs:
tmp_dirs.append(line_value)
# Skip this since it's a directory
continue
# If we don't already know about this directory, add it to the list
if os.path.dirname(line_value) not in tmp_dirs:
file_path = os.path.dirname(line_value)
tmp_dirs.append(file_path)
try:
with open(line_value, 'r') as result_file:
moduleResult.append(
ModuleObject(buffer=result_file.read(),
externalVars=ExternalVars(
filename=os.path.basename(
line_value))))
except:
raise
finally:
#make sure the incoming file is deleted, or at least we try....
logging.debug("Trying to unlink file: %s" %
(line_value))
os.unlink(line_value)
else:
pass
if unlinkDir:
logging.debug("Attempting to remove temp directories: %s" %
(tmp_dirs))
# Loop through the directories and remove them, starting with the deepest level (by length)
for tmp_dir in sorted(tmp_dirs, key=len, reverse=True):
try:
rmtree(tmp_dir)
except (QuitScanException, GlobalScanTimeoutError,
GlobalModuleTimeoutError):
raise
except:
log_module(
"MSG", self.module_name, 0, scanObject, result,
"Could not remove tmp dir %s" % (tmp_dir))
logging.exception(
"Unable to remove temp directory: %s" %
(tmp_dir))
return moduleResult
def run(self, scanObject, result, depth, args):
"""Wrapper method around _run for error handling"""
moduleLoggingBool = config.modulelogging
try:
starttime = time.time()
if moduleLoggingBool:
log_module("START", self.module_name, 0, scanObject, result)
# Get a configured timeout
timeout_seconds = int(get_option(args, 'module_timeout', 'global_module_timeout', 3600))
with timeout(timeout_seconds, exception=GlobalModuleTimeoutError):
moduleResult = self._run(scanObject, result, depth, args)
if moduleLoggingBool:
log_module("END", self.module_name, time.time() - starttime, scanObject, result)
if type(moduleResult) is not list:
msg = "%s returned an object with type %s. Only lists are allowed! Skipping this result." % (self.module_name, type(moduleResult))
logging.debug(msg)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
msg)
return []
return moduleResult
except GlobalScanTimeoutError:
raise
except GlobalModuleTimeoutError:
# If the _module times out, add a flag and continue as a normal error
scanObject.addFlag("dispatch:err:module_timeout:%s" % self.module_name)
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error on %s running _module %s. exception details below: ",
get_scanObjectUID(getRootObject(result)), self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
return []
except QuitScanException:
# If the _module is terminated early, add a flag and proceed the exception up the stack
scanObject.addFlag("dispatch:err:quit_scan")
logging.warning("quitting scan while running _module %s", self.module_name)
raise
except Exception:
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error on %s running _module %s. exception details below: ",
get_scanObjectUID(getRootObject(result)), self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
return []
def run(self, scanObject, result, depth, args):
'''Wrapper method around _run for error handling'''
moduleLoggingBool = config.modulelogging
try:
starttime = time.time()
if moduleLoggingBool:
log_module("START", self.module_name, 0, scanObject, result)
# Get a configured timeout
timeout_seconds = int(get_option(args, 'module_timeout', 'global_module_timeout', 3600))
with timeout(timeout_seconds, exception=GlobalModuleTimeoutError):
moduleResult = self._run(scanObject, result, depth, args)
if moduleLoggingBool:
log_module("END", self.module_name, time.time() - starttime, scanObject, result)
if type(moduleResult) is not list:
msg = "%s returned an object with type %s. Only lists are allowed! Skipping this result." % (self.module_name, type(moduleResult))
logging.debug(msg)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
msg)
return []
return moduleResult
except GlobalScanTimeoutError:
raise
except GlobalModuleTimeoutError:
# If the module times out, add a flag and continue as a normal error
scanObject.addFlag("dispatch:err:module_timeout:%s" % self.module_name)
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error on %s running module %s. exception details below: ",
get_scanObjectUID(getRootObject(result)), self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
return []
except QuitScanException:
# If the module is terminated early, add a flag and proceed the exception up the stack
scanObject.addFlag("dispatch:err:quit_scan")
logging.warn("quitting scan while running module %s", self.module_name)
raise
except Exception:
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error on %s running module %s. exception details below: ",
get_scanObjectUID(getRootObject(result)), self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
return []
