def run(self):
"""Run analysis.
@return: list of dropped files with related information.
"""
self.key = "dropped"
dropped_files, meta = [], {}
if os.path.exists(self.dropped_meta_path):
for line in open(self.dropped_meta_path, "rb"):
entry = json.loads(line)
filepath = os.path.join(self.analysis_path, entry["path"])
meta[filepath] = {
"pids": entry["pids"],
"filepath": entry["filepath"],
}
for dir_name, dir_names, file_names in os.walk(self.dropped_path):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info = File(file_path=file_path).get_all()
file_info.update(meta.get(file_info["path"], {}))
dropped_files.append(file_info)
for dir_name, dir_names, file_names in os.walk(self.package_files):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info = File(file_path=file_path).get_all()
dropped_files.append(file_info)
return dropped_files
def run(self):
"""Run analysis.
@return: list of dropped files with related information.
"""
self.key = "dropped"
dropped_files, meta = [], {}
if os.path.exists(self.dropped_meta_path):
for line in open(self.dropped_meta_path, "rb"):
entry = json.loads(line)
filepath = os.path.join(self.analysis_path, entry["path"])
meta[filepath] = {
"pids": entry["pids"],
"filepath": entry["filepath"],
}
for dir_name, dir_names, file_names in os.walk(self.dropped_path):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info = File(file_path=file_path).get_all()
file_info.update(meta.get(file_info["path"], {}))
dropped_files.append(file_info)
for dir_name, dir_names, file_names in os.walk(self.package_files):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info = File(file_path=file_path).get_all()
dropped_files.append(file_info)
return dropped_files
def run(self):
"""Run analysis.
@return: list of dropped files with related information.
"""
self.key = "dropped"
dropped_files, meta = [], {}
buf = self.options.get("buffer", 8192)
if self.task["category"] in ("pcap", "static"):
return dropped_files
if not os.path.exists(self.dropped_path):
return dropped_files
if os.path.exists(self.files_metadata):
for line in open(self.files_metadata, "rb"):
entry = json.loads(line)
filepath = os.path.join(self.analysis_path, entry["path"])
meta[filepath] = {
"pids": entry["pids"],
"filepath": entry["filepath"],
}
for dir_name, dir_names, file_names in os.walk(self.dropped_path):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info, pefile_object = File(file_path=file_path).get_all()
if pefile_object:
self.results.setdefault("pefiles", {})
self.results["pefiles"].setdefault(file_info["sha256"],
pefile_object)
file_info.update(meta.get(file_info["path"], {}))
guest_path = file_info["filepath"]
guest_name = guest_path.split("\\")[-1]
file_info["guest_paths"] = [guest_path]
file_info["name"] = guest_name
try:
with open(file_info["path"], "r") as drop_open:
filedata = drop_open.read(buf + 1)
if len(filedata) > buf:
file_info["data"] = convert_to_printable(
filedata[:buf] + " <truncated>")
else:
file_info["data"] = convert_to_printable(filedata)
except UnicodeDecodeError as e:
pass
dropped_files.append(file_info)
for dir_name, dir_names, file_names in os.walk(self.package_files):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info, pefile_object = File(file_path=file_path).get_all()
if pefile_object:
self.results.setdefault("pefiles", {})
self.results["pefiles"].setdefault(file_info["sha256"],
pefile_object)
dropped_files.append(file_info)
return dropped_files
def run(self):
"""Run analysis.
@return: list of dropped files with related information.
"""
self.key = "dropped"
dropped_files, meta = [], {}
buf = self.options.get("buffer", 8192)
if self.task["category"] in ("pcap", "static"):
return dropped_files
if not os.path.exists(self.dropped_path):
return dropped_files
if os.path.exists(self.files_metadata):
for line in open(self.files_metadata, "rb"):
entry = json.loads(line)
filepath = os.path.join(self.analysis_path, entry["path"])
meta.setdefault(filepath, []).append({
"pids":
entry["pids"],
"filepath":
entry["filepath"],
})
for dir_name, _, file_names in os.walk(self.dropped_path):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info, pefile_object = File(file_path=file_path).get_all()
if pefile_object:
self.results.setdefault("pefiles", {})
self.results["pefiles"].setdefault(file_info["sha256"],
pefile_object)
file_info.update(meta.get(file_info["path"][0], {}))
if file_path in meta:
guest_paths = list(
set([path.get("filepath")
for path in meta[file_path]]))
guest_names = list(
set([
path.get("filepath", "").rsplit("\\", 1)[-1]
for path in meta[file_path]
]))
else:
guest_paths = []
guest_names = []
file_info["guest_paths"] = guest_paths if isinstance(
guest_paths, list) else [guest_paths]
file_info["name"] = guest_names
try:
with open(file_info["path"], "r") as drop_open:
filedata = drop_open.read(buf + 1)
filedata = wide2str(filedata)
if len(filedata) > buf:
file_info["data"] = convert_to_printable(
f"{filedata[:buf]} <truncated>")
else:
file_info["data"] = convert_to_printable(filedata)
except UnicodeDecodeError as e:
pass
dropped_files.append(file_info)
for dir_name, _, file_names in os.walk(self.package_files):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info, pefile_object = File(file_path=file_path).get_all()
if pefile_object:
self.results.setdefault("pefiles", {})
self.results["pefiles"].setdefault(file_info["sha256"],
pefile_object)
# Allows to put execute file extractors/unpackers
generic_file_extractors(file_path, self.dropped_path,
file_info.get("type", ""), file_info)
dropped_files.append(file_info)
return dropped_files
def run(self):
"""Run analysis.
@return: list of dropped files with related information.
"""
self.key = "dropped"
dropped_files, meta = [], {}
buf = self.options.get("buffer", 8192)
if self.task["category"] in ("pcap", "static"):
return dropped_files
if not os.path.exists(self.dropped_path):
return dropped_files
if os.path.exists(self.files_metadata):
with open(self.files_metadata, "rb") as f:
for line in f:
entry = json.loads(line)
filepath = os.path.join(self.analysis_path, entry["path"])
meta.setdefault(filepath, []).append(
{
"pids": entry["pids"],
"filepath": entry["filepath"],
}
)
for dir_name, _, file_names in os.walk(self.dropped_path):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info, pefile_object = File(file_path=file_path).get_all()
if pefile_object:
self.results.setdefault("pefiles", {})
self.results["pefiles"].setdefault(file_info["sha256"], pefile_object)
# ToDo should we pass PE object?
static_file_info(
file_info,
file_path,
str(self.task["id"]),
self.task.get("package", ""),
self.task.get("options", ""),
self.dropped_path,
self.results,
)
file_info.update(meta.get(file_info["path"][0], {}))
file_info["guest_paths"] = list({path.get("filepath") for path in meta.get(file_path, [])})
file_info["name"] = list({path.get("filepath", "").rsplit("\\", 1)[-1] for path in meta.get(file_path, [])})
try:
with open(file_info["path"], "r") as drop_open:
filedata = drop_open.read(buf + 1)
filedata = wide2str(filedata)
file_info["data"] = convert_to_printable_and_truncate(filedata, buf)
except UnicodeDecodeError:
pass
dropped_files.append(file_info)
for dir_name, _, file_names in os.walk(self.package_files):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info, pefile_object = File(file_path=file_path).get_all()
if pefile_object:
self.results.setdefault("pefiles", {})
self.results["pefiles"].setdefault(file_info["sha256"], pefile_object)
static_file_info(
file_info,
file_path,
self.task["id"],
self.task.get("package", ""),
self.task.get("options", ""),
self.self_extracted,
)
dropped_files.append(file_info)
return dropped_files
def run(self):
"""Run analysis.
@return: list of dropped files with related information.
"""
self.key = "dropped"
dropped_files, meta = [], {}
buf = self.options.get("buffer", 8192)
if self.task["category"] in ("pcap", "static"):
return dropped_files
if not os.path.exists(self.dropped_path):
return dropped_files
if os.path.exists(self.files_metadata):
for line in open(self.files_metadata, "rb"):
entry = json.loads(line)
filepath = os.path.join(self.analysis_path, entry["path"])
meta[filepath] = {
"pids": entry["pids"],
"filepath": entry["filepath"],
}
for dir_name, dir_names, file_names in os.walk(self.dropped_path):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info = File(file_path=file_path).get_all()
file_info.update(meta.get(file_info["path"], {}))
dropped_files.append(file_info)
for dir_name, dir_names, file_names in os.walk(self.package_files):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info = File(file_path=file_path).get_all()
dropped_files.append(file_info)
return dropped_files
# ToDo adapt
textchars = bytearray({7, 8, 9, 10, 12, 13, 27} | set(range(0x20, 0x100)) - {0x7f})
is_binary_file = lambda bytes: bool(bytes.translate(None, textchars))
file_names = os.listdir(self.dropped_path)
for file_name in file_names:
file_path = os.path.join(self.dropped_path, file_name)
if not os.path.isfile(file_path):
continue
if file_name.endswith("_info.txt"):
continue
guest_paths = [line.strip() for line in open(file_path + "_info.txt")]
guest_name = guest_paths[0].split("\\")[-1]
file_info = File(file_path=file_path, guest_paths=guest_paths, file_name=guest_name).get_all()
texttypes = [
"ASCII",
"Windows Registry text",
"XML document text",
"Unicode text",
]
readit = False
for texttype in texttypes:
if texttype in file_info["type"]:
readit = True
break
if is_binary_file(open(file_info["path"], 'rb').read(8192)):
pass
else:
if readit:
with open(file_info["path"], "r") as drop_open:
filedata = drop_open.read(buf + 1)
if len(filedata) > buf:
file_info["data"] = convert_to_printable(filedata[:buf] + " <truncated>")
else:
file_info["data"] = convert_to_printable(filedata)
dropped_files.append(file_info)
return dropped_files
