def cmd_tags(self, *args):
parser = argparse.ArgumentParser(prog='tags', description="Modify tags of the opened file")
parser.add_argument('-a', '--add', metavar='TAG', help="Add tags to the opened file (comma separated)")
parser.add_argument('-d', '--delete', metavar='TAG', help="Delete a tag from the opened file")
try:
args = parser.parse_args(args)
except:
return
# This command requires a session to be opened.
if not __sessions__.is_set():
self.log('error', "No session opened")
parser.print_usage()
return
# If no arguments are specified, there's not much to do.
# However, it could make sense to also retrieve a list of existing
# tags from this command, and not just from the "find" command alone.
if args.add is None and args.delete is None:
parser.print_usage()
return
# TODO: handle situation where addition or deletion of a tag fail.
db = Database()
if not db.find(key='sha256', value=__sessions__.current.file.sha256):
self.log('error', "The opened file is not stored in the database. "
"If you want to add it use the `store` command.")
return
if args.add:
# Add specified tags to the database's entry belonging to
# the opened file.
db.add_tags(__sessions__.current.file.sha256, args.add)
self.log('info', "Tags added to the currently opened file")
# We refresh the opened session to update the attributes.
# Namely, the list of tags returned by the 'info' command
# needs to be re-generated, or it wouldn't show the new tags
# until the existing session is closed a new one is opened.
self.log('info', "Refreshing session to update attributes...")
__sessions__.new(__sessions__.current.file.path)
if args.delete:
# Delete the tag from the database.
db.delete_tag(args.delete, __sessions__.current.file.sha256)
# Refresh the session so that the attributes of the file are
# updated.
self.log('info', "Refreshing session to update attributes...")
__sessions__.new(__sessions__.current.file.path)
def scan(self):
def string_printable(line):
line = str(line)
new_line = ''
for c in line:
if c in printstring.printable:
new_line += c
else:
new_line += '\\x' + c.encode('hex')
return new_line
# This means users can just drop or remove rule files without
# having to worry about maintaining the index.
# TODO: make paths absolute.
# TODO: this regenerates the file at every run, perhaps we
# could find a way to optimize this.
def rule_index():
tmp_path = os.path.join(tempfile.gettempdir(), 'index.yara')
with open(tmp_path, 'w') as rules_index:
for rule_file in os.listdir(self.rule_path):
# Skip if the extension is not right, could cause problems.
if not rule_file.endswith('.yar') and not rule_file.endswith('.yara'):
continue
# Skip if it's the index itself.
if rule_file == 'index.yara':
continue
# Add the rule to the index.
line = 'include "{0}"\n'.format(os.path.join(self.rule_path, rule_file))
rules_index.write(line)
return tmp_path
arg_rule = self.args.rule
arg_scan_all = self.args.all
arg_tag = self.args.tag
# If no custom ruleset is specified, we use the default one.
if not arg_rule:
arg_rule = rule_index()
# Check if the selected ruleset actually exists.
if not os.path.exists(arg_rule):
self.log('error', "No valid Yara ruleset at {0}".format(arg_rule))
return
# Compile all rules from given ruleset.
rules = yara.compile(arg_rule)
files = []
# If there is a session open and the user didn't specifically
# request to scan the full repository, we just add the currently
# opened file's path.
if __sessions__.is_set() and not arg_scan_all:
files.append(__sessions__.current.file)
# Otherwise we loop through all files in the repository and queue
# them up for scan.
else:
self.log('info', "Scanning all stored files...")
db = Database()
samples = db.find(key='all')
for sample in samples:
files.append(sample)
for entry in files:
if entry.size == 0:
continue
self.log('info', "Scanning {0} ({1})".format(entry.name, entry.sha256))
# Check if the entry has a path attribute. This happens when
# there is a session open. We need to distinguish this just for
# the cases where we're scanning an opened file which has not been
# stored yet.
if hasattr(entry, 'path'):
entry_path = entry.path
# This should be triggered only when scanning the full repository.
else:
entry_path = get_sample_path(entry.sha256)
# Check if the file exists before running the yara scan.
if not os.path.exists(entry_path):
self.log('error', "The file does not exist at path {0}".format(entry_path))
return
rows = []
tag_list = []
for match in rules.match(entry_path):
# Add a row for each string matched by the rule.
for string in match.strings:
rows.append([match.rule, string_printable(string[1]), string_printable(string[0]), string_printable(string[2])])
# Add matching rules to our list of tags.
# First it checks if there are tags specified in the metadata
# of the Yara rule.
match_tags = match.meta.get('tags')
# If not, use the rule name.
# TODO: as we add more and more yara rules, we might remove
# this option and only tag the file with rules that had
# tags specified in them.
if not match_tags:
match_tags = match.rule
# Add the tags to the list.
tag_list.append([entry.sha256, match_tags])
if rows:
header = [
'Rule',
'String',
'Offset',
'Content'
]
self.log('table', dict(header=header, rows=rows))
# If we selected to add tags do that now.
if rows and arg_tag:
db = Database()
for tag in tag_list:
db.add_tags(tag[0], tag[1])
# If in a session reset the session to see tags.
if __sessions__.is_set() and not arg_scan_all:
self.log('info', "Refreshing session to update attributes...")
__sessions__.new(__sessions__.current.file.path)
def scan(self):
def string_printable(line):
line = str(line)
new_line = ''
for c in line:
if c in printstring.printable:
new_line += c
else:
new_line += '\\x' + c.encode('hex')
return new_line
# This means users can just drop or remove rule files without
# having to worry about maintaining the index.
# TODO: make paths absolute.
# TODO: this regenerates the file at every run, perhaps we
# could find a way to optimize this.
def rule_index():
tmp_path = os.path.join(tempfile.gettempdir(), 'index.yara')
with open(tmp_path, 'w') as rules_index:
for rule_file in os.listdir(self.rule_path):
# Skip if the extension is not right, could cause problems.
if not rule_file.endswith(
'.yar') and not rule_file.endswith('.yara'):
continue
# Skip if it's the index itself.
if rule_file == 'index.yara':
continue
# Add the rule to the index.
line = 'include "{0}"\n'.format(
os.path.join(self.rule_path, rule_file))
rules_index.write(line)
return tmp_path
arg_rule = self.args.rule
arg_scan_all = self.args.all
arg_tag = self.args.tag
# If no custom ruleset is specified, we use the default one.
if not arg_rule:
arg_rule = rule_index()
# Check if the selected ruleset actually exists.
if not os.path.exists(arg_rule):
self.log('error', "No valid Yara ruleset at {0}".format(arg_rule))
return
# Compile all rules from given ruleset.
rules = yara.compile(arg_rule)
files = []
# If there is a session open and the user didn't specifically
# request to scan the full repository, we just add the currently
# opened file's path.
if __sessions__.is_set() and not arg_scan_all:
files.append(__sessions__.current.file)
# Otherwise we loop through all files in the repository and queue
# them up for scan.
else:
self.log('info', "Scanning all stored files...")
db = Database()
samples = db.find(key='all')
for sample in samples:
files.append(sample)
for entry in files:
if entry.size == 0:
continue
self.log('info',
"Scanning {0} ({1})".format(entry.name, entry.sha256))
# Check if the entry has a path attribute. This happens when
# there is a session open. We need to distinguish this just for
# the cases where we're scanning an opened file which has not been
# stored yet.
if hasattr(entry, 'path'):
entry_path = entry.path
# This should be triggered only when scanning the full repository.
else:
entry_path = get_sample_path(entry.sha256)
# Check if the file exists before running the yara scan.
if not os.path.exists(entry_path):
self.log(
'error',
"The file does not exist at path {0}".format(entry_path))
return
rows = []
tag_list = []
for match in rules.match(entry_path):
# Add a row for each string matched by the rule.
for string in match.strings:
rows.append([
match.rule,
string_printable(string[1]),
string_printable(string[0]),
string_printable(string[2])
])
# Add matching rules to our list of tags.
# First it checks if there are tags specified in the metadata
# of the Yara rule.
match_tags = match.meta.get('tags')
# If not, use the rule name.
# TODO: as we add more and more yara rules, we might remove
# this option and only tag the file with rules that had
# tags specified in them.
if not match_tags:
match_tags = match.rule
# Add the tags to the list.
tag_list.append([entry.sha256, match_tags])
if rows:
header = ['Rule', 'String', 'Offset', 'Content']
self.log('table', dict(header=header, rows=rows))
# If we selected to add tags do that now.
if rows and arg_tag:
db = Database()
for tag in tag_list:
db.add_tags(tag[0], tag[1])
# If in a session reset the session to see tags.
if __sessions__.is_set() and not arg_scan_all:
self.log('info',
"Refreshing session to update attributes...")
__sessions__.new(__sessions__.current.file.path)
