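def _get_versioninfo(self):
    """Get version info.
    @return: list of {"name", "value"} dicts, or None when no PE is loaded.
        An empty list means the PE carries no parsable version resource.
    """
    if not self.pe:
        return None

    infos = []
    # pefile exposes FileInfo only after a VS_VERSIONINFO resource was
    # parsed; both attributes are checked so a partial parse cannot raise.
    if hasattr(self.pe, "VS_VERSIONINFO") and hasattr(self.pe, "FileInfo"):
        for file_info in self.pe.FileInfo:
            try:
                if hasattr(file_info, "StringTable"):
                    for string_table in file_info.StringTable:
                        for name, value in string_table.entries.items():
                            # Resource strings are attacker-controlled;
                            # convert_to_printable sanitises them before
                            # they reach the report.
                            infos.append({
                                "name": convert_to_printable(name),
                                "value": convert_to_printable(value),
                            })
                elif hasattr(file_info, "Var"):
                    for var_entry in file_info.Var:
                        if not hasattr(var_entry, "entry"):
                            continue
                        # Var.entry is a mapping with a single item; list()
                        # keeps this working where keys() is not indexable.
                        name = list(var_entry.entry.keys())[0]
                        value = list(var_entry.entry.values())[0]
                        infos.append({
                            "name": convert_to_printable(name),
                            "value": convert_to_printable(value),
                        })
            except Exception:
                # Malformed version resources are common in packed samples:
                # skip the broken entry instead of losing the whole list.
                # Narrowed from a bare except so KeyboardInterrupt and
                # SystemExit still propagate.
                continue
    return infos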
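class ircMessage(object):
    """IRC Protocol Request.

    Splits a TCP stream into IRC lines and records every recognised message
    in self._messages as a dict whose "type" is "server" or "client".
    """
    # Client commands (RFC 2812 names) accepted by _unpack; any other
    # un-prefixed line is ignored.
    __methods_client = frozenset((
        'PASS', 'JOIN', 'USER', 'OPER', 'MODE', 'SERVICE', 'QUIT', 'SQUIT',
        'PART', 'TOPIC', 'NAMES', 'LIST', 'INVITE', 'KICK', 'PRIVMSG',
        'NOTICE', 'MOTD', 'LUSERS', 'VERSION', 'STATS', 'LINKS', 'TIME',
        'CONNECT', 'TRACE', 'ADMIN', 'INFO', 'SERVLIST', 'SQUERY', 'WHO',
        'WHOIS', 'WHOWAS', 'KILL', 'PING', 'PONG', 'ERROR', 'AWAY', 'REHASH',
        'DIE', 'RESTART', 'SUMMON', 'USERS', 'WALLOPS', 'USERHOST', 'NICK',
        'ISON',
    ))

    # Server message: ":prefix COMMAND params", COMMAND being a word or a
    # three-digit numeric reply. Group 3 keeps its leading space and is
    # stripped when stored.
    _server_re = re.compile(r'(^:[\w+.{}!@|()]+\x20)([a-zA-Z]+|[0-9]{3})(\x20.+)')
    # Client message: "COMMAND params" terminated by LF or CR. The terminator
    # class used to read "[\x0a\0x0d]" -- an octal NUL followed by the literal
    # characters x, 0 and d -- which also matched unterminated lines ending
    # in one of those characters and never matched a lone CR.
    _client_re = re.compile(r'([a-zA-Z]+\x20)(.+[\x0a\x0d])')

    log = logging.getLogger("Processing.Pcap.irc.protocol")

    def __init__(self):
        self._messages = []
        # Server commands: prefix - command - params
        self._sc = {}
        # Client commands: command - params
        self._cc = {}

    def _unpack(self, buf):
        """Extract into a list irc messages of a tcp streams
        @buf: tcp stream data
        @return: False if the buffer could not be read, None otherwise; the
            parsed messages are appended to self._messages.
        """
        try:
            lines = cStringIO.StringIO(buf).readlines()
        except Exception:
            # self.log: a class attribute is not visible as a bare name
            # from inside a method.
            self.log.error("Failed reading tcp stream buffer")
            return False

        for line in lines:
            if line.startswith(":"):
                server_msg = self._server_re.match(line)
                if not server_msg:
                    continue
                # Every field comes straight from the wire, so it is passed
                # through convert_to_printable before being reported.
                self._sc['prefix'] = convert_to_printable(server_msg.group(1).strip())
                self._sc['command'] = convert_to_printable(server_msg.group(2).strip())
                self._sc['params'] = convert_to_printable(server_msg.group(3).strip())
                self._sc['type'] = 'server'
                # Copy: _sc is reused for the next line.
                self._messages.append(dict(self._sc))
            else:
                client_msg = self._client_re.search(line)
                if not client_msg:
                    continue
                command = client_msg.group(1).strip()
                if command not in self.__methods_client:
                    continue
                self._cc['command'] = convert_to_printable(command)
                self._cc['params'] = convert_to_printable(client_msg.group(2).strip())
                self._cc['type'] = 'client'
                self._messages.append(dict(self._cc))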
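def _parse(self, row):
    """Parse log row.
    @param row: row data; positions 0-5 are fixed fields, every further
        column is a (name, value) argument pair.
    @return: parsed information dict, or None when the row is too short.
    @raise ValueError: when the status column is not int-like.
    """
    call = {}
    arguments = []

    try:
        timestamp = row[0]  # Timestamp of current API call invocation.
        thread_id = row[1]  # Thread ID.
        category = row[2]  # Win32 function category.
        api_name = row[3]  # Name of the Windows API.
        status_value = row[4]  # Success or Failure?
        return_value = row[5]  # Value returned by the function.
    except IndexError as e:
        log.debug("Unable to parse process log row: %s", e)
        return None

    # Now walk through the remaining columns, which will contain API
    # arguments.
    for column in row[6:]:
        # Each column is expected to be a (name, value) pair; a wrong arity
        # raises ValueError, a non-iterable raises TypeError.
        try:
            (arg_name, arg_value) = column
        except (ValueError, TypeError) as e:
            log.debug("Unable to parse analysis row argument (row=%s): %s", column, e)
            continue

        value = convert_to_printable(str(arg_value))
        # Drop the NT object-manager prefix ("\??\") that kernel paths carry.
        # str.lstrip() takes a *set* of characters, so the former
        # .lstrip("\\??\\") also removed any leading '?' or '\' that was part
        # of the value (e.g. the "\\" of a UNC path); strip the exact prefix.
        if value.startswith("\\??\\"):
            value = value[len("\\??\\"):]
        arguments.append({"name": arg_name, "value": value})

    call["timestamp"] = timestamp
    call["thread_id"] = str(thread_id)
    call["category"] = category
    call["api"] = api_name
    call["status"] = bool(int(status_value))

    # Integer returns are reported as 8-digit hex; anything else verbatim.
    if isinstance(return_value, int):
        call["return"] = "0x%.08x" % return_value
    else:
        call["return"] = convert_to_printable(str(return_value))

    call["arguments"] = arguments
    call["repeated"] = 0
    return call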
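def _add_hosts(self, connection):
    """Add IPs to unique list.
    @param connection: connection data, a mapping with "src" and "dst".
    @return: True when both endpoints were processed, False on bad input.
    """
    try:
        for key in ("src", "dst"):
            # Compare the printable form, because that is what unique_hosts
            # stores: checking the raw address first could never match an
            # entry whose text convert_to_printable had altered, so such
            # hosts were appended again on every connection.
            host = convert_to_printable(connection[key])
            if host not in self.unique_hosts:
                self.unique_hosts.append(host)
    except Exception:
        # Missing key or unexpected type: report failure, keep processing.
        return False
    return True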
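def _parse(self, row):
    """Parse log row.
    @param row: row data; positions 0-5 are fixed fields, every further
        column is a (name, value) argument pair.
    @return: parsed information dict, or None when the row is too short.
    @raise ValueError: when the status column is not int-like.
    """
    call = {}
    arguments = []

    try:
        timestamp = row[0]  # Timestamp of current API call invocation.
        thread_id = row[1]  # Thread ID.
        category = row[2]  # Win32 function category.
        api_name = row[3]  # Name of the Windows API.
        status_value = row[4]  # Success or Failure?
        return_value = row[5]  # Value returned by the function.
    except IndexError as e:
        log.debug("Unable to parse process log row: %s", e)
        return None

    # Now walk through the remaining columns, which will contain API
    # arguments.
    for column in row[6:]:
        # Each column is expected to be a (name, value) pair; a wrong arity
        # raises ValueError, a non-iterable raises TypeError.
        try:
            (arg_name, arg_value) = column
        except (ValueError, TypeError) as e:
            log.debug("Unable to parse analysis row argument (row=%s): %s", column, e)
            continue

        value = convert_to_printable(str(arg_value))
        # Drop the NT object-manager prefix ("\??\") that kernel paths carry.
        # str.lstrip() takes a *set* of characters, so the former
        # .lstrip("\\??\\") also removed any leading '?' or '\' that was part
        # of the value (e.g. the "\\" of a UNC path); strip the exact prefix.
        if value.startswith("\\??\\"):
            value = value[len("\\??\\"):]
        arguments.append({"name": arg_name, "value": value})

    call["timestamp"] = timestamp
    call["thread_id"] = str(thread_id)
    call["category"] = category
    call["api"] = api_name
    call["status"] = bool(int(status_value))

    # Integer returns are reported as 8-digit hex; anything else verbatim.
    if isinstance(return_value, int):
        call["return"] = "0x%.08x" % return_value
    else:
        call["return"] = convert_to_printable(str(return_value))

    call["arguments"] = arguments
    call["repeated"] = 0
    return call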
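def _add_hosts(self, connection):
    """Add IPs to unique list.
    @param connection: connection data, a mapping with "src" and "dst".
    @return: True when both endpoints were processed, False on bad input.
    """
    try:
        for key in ("src", "dst"):
            # Compare the printable form, because that is what unique_hosts
            # stores: checking the raw address first could never match an
            # entry whose text convert_to_printable had altered, so such
            # hosts were appended again on every connection.
            host = convert_to_printable(connection[key])
            if host not in self.unique_hosts:
                self.unique_hosts.append(host)
    except Exception:
        # Missing key or unexpected type: report failure, keep processing.
        return False
    return True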
def _add_http(self, tcpdata, dport):
    """Adds an HTTP flow.
    @param tcpdata: TCP data flow.
    @param dport: destination port.
    @return: True when a request entry was appended, False otherwise.
    """
    try:
        http = dpkt.http.Request()
        http.unpack(tcpdata)
    except dpkt.dpkt.UnpackError:
        # Deliberately not fatal: a truncated stream keeps whatever dpkt
        # managed to parse, and the block below decides whether that is
        # enough to build an entry.
        pass

    try:
        headers = http.headers
        # Host header and URI are attacker-controlled; every field is
        # passed through convert_to_printable before being reported.
        host = convert_to_printable(headers["host"]) if "host" in headers else ""
        entry = {
            "host": host,
            "port": dport,
            "data": convert_to_printable(tcpdata),
            # NOTE(review): dport is not part of the rebuilt URI, so a
            # request to a non-standard port reports a port-less URL.
            "uri": convert_to_printable(urlunparse(("http", host, http.uri, None, None, None))),
            "body": convert_to_printable(http.body),
            "path": convert_to_printable(http.uri),
        }
        if "user-agent" in headers:
            entry["user-agent"] = convert_to_printable(headers["user-agent"])
        entry["version"] = convert_to_printable(http.version)
        entry["method"] = convert_to_printable(http.method)
        self.http_requests.append(entry)
    except Exception:
        # Missing attributes on a half-parsed request end up here.
        return False
    return True
def _add_http(self, tcpdata, dport):
    """Adds an HTTP flow.
    @param tcpdata: TCP data flow.
    @param dport: destination port.
    @return: True when a request entry was appended, False otherwise.
    """
    try:
        http = dpkt.http.Request()
        http.unpack(tcpdata)
    except dpkt.dpkt.UnpackError:
        # Deliberately not fatal: a truncated stream keeps whatever dpkt
        # managed to parse, and the block below decides whether that is
        # enough to build an entry.
        pass

    try:
        headers = http.headers
        # Host header and URI are attacker-controlled; every field is
        # passed through convert_to_printable before being reported.
        host = convert_to_printable(headers["host"]) if "host" in headers else ""
        entry = {
            "host": host,
            "port": dport,
            "data": convert_to_printable(tcpdata),
            # NOTE(review): dport is not part of the rebuilt URI, so a
            # request to a non-standard port reports a port-less URL.
            "uri": convert_to_printable(urlunparse(("http", host, http.uri, None, None, None))),
            "body": convert_to_printable(http.body),
            "path": convert_to_printable(http.uri),
        }
        if "user-agent" in headers:
            entry["user-agent"] = convert_to_printable(headers["user-agent"])
        entry["version"] = convert_to_printable(http.version)
        entry["method"] = convert_to_printable(http.method)
        self.http_requests.append(entry)
    except Exception:
        # Missing attributes on a half-parsed request end up here.
        return False
    return True
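def _get_sections(self):
    """Gets sections.
    @return: list of section dicts, or None when no PE is loaded.
    """
    if not self.pe:
        return None

    sections = []
    for entry in self.pe.sections:
        try:
            sections.append({
                # Section names are NUL-padded in the header.
                "name": convert_to_printable(entry.Name.strip("\x00")),
                "virtual_address": hex(entry.VirtualAddress),
                "virtual_size": hex(entry.Misc_VirtualSize),
                "size_of_data": hex(entry.SizeOfRawData),
                "entropy": entry.get_entropy(),
            })
        except Exception:
            # A corrupt section header must not drop the whole table.
            # Narrowed from a bare except so KeyboardInterrupt and
            # SystemExit still propagate.
            continue
    return sections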
def test_literal(self):
    """A plain printable letter is returned unchanged."""
    result = utils.convert_to_printable("e")
    assert_equal("e", result)
def test_non_printable(self):
    """Vertical tab (chr(11)) survives conversion as-is.

    NOTE(review): \\x0b is a control character; this expectation documents
    it passing through, presumably because whitespace is preserved --
    confirm that is intended for report output.
    """
    result = utils.convert_to_printable(chr(11))
    assert_equal("\x0b", result)
def test_whitespace(self):
    """A single space is kept as a space."""
    result = utils.convert_to_printable(" ")
    assert_equal(" ", result)
def test_punctation(self):
    """Punctuation is printable and is returned unchanged."""
    result = utils.convert_to_printable(".")
    assert_equal(".", result)
def test_digit(self):
    """A unicode digit comes back as the plain digit."""
    result = utils.convert_to_printable(u"9")
    assert_equal("9", result)
def test_utf(self):
    """A non-ASCII code point is rendered as its backslash-hex escape."""
    result = utils.convert_to_printable(u"\xe9")
    assert_equal("\\xe9", result)