def test_garbage2(self):
    """A corrupt .zip is still claimed by the handler but unpacks to one failed entry."""
    unpacker = ZipFile(f("zip_garbage.zip"))
    assert unpacker.handles() is True
    assert not unpacker.f.selected
    unpacked = unpacker.unpack()
    assert len(unpacked) == 1
    only = unpacked[0]
    assert not only.children
    assert only.mode == "failed"
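def extract_archive(cls, f):
    """Unpack the archive held in ``f.blob`` and return its members.

    Args:
        f: file record exposing ``blob``, ``filename``, ``extension``,
           ``content_guess``, ``password``, ``timestamp`` and ``extractions``.

    Returns:
        ``(f, extracted_files)`` -- the same record, now ``is_enriched`` with
        one ``Extraction`` appended per member, and a list with one ``File``
        per member carrying its raw contents.

    Security note: everything read out of the archive (member names, sizes,
    contents) is attacker-controlled. Member names are only used as metadata
    here; they must never be turned into filesystem paths without
    sanitising. Contents are fully materialised in memory and no size or
    member-count limit is enforced here, so oversized or nested archives
    have to be bounded by the caller / the sandbox running this worker.
    """
    logger.debug(f"Extracting {f.filename}")
    content = f.blob
    # Sflock expects the password as a byte string.
    pw = f.password.encode("utf-8") if f.password else None

    if f.extension == "zip":
        if "v5.1" in f.content_guess:
            # unzip cannot process this version; 7z is required (Zip7File).
            archive_file = Zip7File(SflockFile(contents=content, password=pw))
        else:
            archive_file = ZipFile(SflockFile(contents=content, password=pw))
    elif f.extension == "rar":
        archive_file = RarFile(SflockFile(contents=content, password=pw))
    elif f.extension == "tar":
        archive_file = TarFile(SflockFile(contents=content, password=pw))
    else:
        # Fallback: let 7z try to identify whatever format this is.
        archive_file = Zip7File(SflockFile(contents=content, password=pw))

    files_in_zip = list(archive_file.unpack(password=pw, duplicates=[]))
    extracted_files = []
    for zf in files_in_zip:
        h = HashFactory.get_hashstruct_from_bytes(zf.contents)
        cg = zf.magic
        raw_name = zf.filename
        # Member names are untrusted bytes: a name that is not valid UTF-8
        # must not abort extraction of the whole archive, so replace rather
        # than raise. Already-decoded names are passed through unchanged.
        if isinstance(raw_name, bytes):
            fn = raw_name.decode("utf-8", errors="replace")
        else:
            fn = raw_name
        # Take the extension from the basename only, so "dir.d/file" yields
        # "" instead of "d/file". Both separators are accepted because 7z/rar
        # members may carry Windows-style paths.
        base = fn.replace("\\", "/").rsplit("/", 1)[-1]
        ext = base.rsplit(".", 1)[-1] if "." in base else ""
        f.extractions.append(
            Extraction(content_guess=cg, extension=ext, description=fn, hash=h))
        file_struct = File(
            content_guess=cg,
            extension=ext,
            encoding='application/octet-stream',  # alternative: "hex"
            filename=fn,
            hash=h,
            blob=zf.contents,
            timestamp=f.timestamp)
        extracted_files.append(file_struct)
        logger.info(f"Extracted {zf.filename}")
    f.is_enriched = True
    return f, extracted_files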
def test_pdf_is_embedded():
    """A PDF zipped in memory unpacks to a pdf package with one doc child."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.write("tests/files/pdf_docm.pdf")
    unpacker = ZipFile(File(contents=buffer.getvalue()))
    members = list(unpacker.unpack())
    assert len(members) == 1
    pdf = members[0]
    assert pdf.package == "pdf"
    assert len(pdf.children) == 1
    assert pdf.children[0].package == "doc"
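def get_new_emails(db):
    """Poll the configured IMAP inbox and submit every new attachment to Cuckoo.

    Args:
        db: SQLAlchemy session used to dedupe samples by sha256 in CUCKOOMX.

    Side effects: creates a Cuckoo task for each sample not seen before,
    calls ``send_notification`` for already-known ones, flags every processed
    message ``\\Seen`` and always logs out of the IMAP server.

    Security notes: attachments and their contents are untrusted. Members are
    unpacked with the configured archive password, but nothing here bounds
    archive size or member count, so that must be enforced upstream or by the
    sandbox. ``file.filename`` comes straight out of the attachment;
    ``store_temp_file`` is presumed to reduce it to a basename before using
    it as a path -- confirm, otherwise sanitise here.
    """
    cfg = email_config.cuckoomx
    archive_password = cfg.get("archive_password")
    # Do not force imaplib debugging on: imaplib echoes protocol traffic at
    # higher debug levels, including the LOGIN command carrying the
    # password. (The previous class-attribute assignment was also
    # overridden by imaplib's own __init__.) Enable per-connection with
    # ``conn.debug = N`` only while debugging locally.
    conn = imaplib.IMAP4_SSL(cfg.get("server"))
    try:
        conn.login(cfg.get("user"), cfg.get("password"))
        conn.select("Inbox")
        retcode, messages = conn.search(None, "(UNSEEN)")
        if retcode == "OK" and messages:
            # split() with no separator works whether the result is bytes
            # (Python 3) or str (Python 2); split(" ") broke on bytes.
            for num in messages[0].split():
                if not num:
                    continue
                typ, data = conn.fetch(num, "(RFC822)")
                raw = data[0][1]
                if isinstance(raw, bytes) and hasattr(email, "message_from_bytes"):
                    msg = email.message_from_bytes(raw)
                else:
                    msg = email.message_from_string(raw)
                if not msg:
                    continue
                email_dict = dict(msg.items())
                if email_dict.get("Subject", ""):
                    print("[+] Procesing email with Subject: {0}".format(email_dict["Subject"]))
                for part in msg.walk():
                    if not part.get_filename():
                        continue
                    # decode=True returns None for multipart containers;
                    # the truthiness check below skips those.
                    attachment = part.get_payload(decode=True)
                    if not attachment:
                        continue
                    # Unpack the attachment (expected to be a password-protected archive).
                    z = ZipFile(File(contents=attachment, password=archive_password))
                    files = list(z.unpack(password=archive_password, duplicates=[]))
                    for file in files:
                        new_file = db.query(CUCKOOMX).filter(CUCKOOMX.sha256 == file.sha256).first()
                        if new_file is None:
                            new_file = CUCKOOMX(sha256=file.sha256)
                            temp_file_path = store_temp_file(file.contents, file.filename)
                            task_id = main_db.add_path(file_path=temp_file_path)
                            new_file.cuckoo_id = task_id
                            new_file.email = email_dict.get("From", "")
                            db.add(new_file)
                            db.commit()
                        else:
                            send_notification(db, new_file)
                # Mark the message as seen so it is not picked up again.
                # Raw string: "\S" is not a Python escape, so this is the
                # literal IMAP flag \Seen.
                typ, data = conn.store(num, "+FLAGS", r"\Seen")
        conn.close()
    finally:
        # LOGOUT is valid in every IMAP state, so this is safe even if
        # login or select failed above.
        conn.logout()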
def test_zip_encrypted(self):
    """The encrypted sample opens with the default password and yields one member."""
    assert "Zip archive" in f("zip_encrypted.zip").magic
    unpacker = ZipFile(f("zip_encrypted.zip"))
    assert unpacker.handles() is True
    assert not unpacker.f.selected
    members = list(unpacker.unpack())
    assert len(members) == 1
    member = members[0]
    assert member.relapath == "sflock.txt"
    assert member.contents == "sflock_encrypted_zip\n"
    assert member.password == "infected"
    assert member.magic == "ASCII text"
    assert member.parentdirs == []
    assert not member.selected
def test_nested2(self):
    """A doubly nested directory is reported via relapath and parentdirs (bytes API)."""
    assert "Zip archive" in f(b"zip_nested2.zip").magic
    unpacker = ZipFile(f(b"zip_nested2.zip"))
    assert unpacker.handles() is True
    assert unpacker.f.selected
    members = list(unpacker.unpack())
    assert len(members) == 1
    member = members[0]
    assert member.relapath == b"deepfoo/foo/bar.txt"
    assert member.parentdirs == [b"deepfoo", b"foo"]
    assert member.contents == b"hello world\n"
    assert member.magic == "ASCII text"
    assert not member.selected
def test_nested2(self):
    """A doubly nested directory is reported via relapath and parentdirs."""
    assert "Zip archive" in f("zip_nested2.zip").magic
    unpacker = ZipFile(f("zip_nested2.zip"))
    assert unpacker.handles() is True
    assert not unpacker.f.selected
    members = list(unpacker.unpack())
    assert len(members) == 1
    member = members[0]
    assert member.relapath == "deepfoo/foo/bar.txt"
    assert member.parentdirs == ["deepfoo", "foo"]
    assert member.contents == "hello world\n"
    assert not member.password
    assert member.magic == "ASCII text"
    assert not member.selected
def test_zip_encrypted(self):
    """Encrypted sample: one member, default password, zipfile signature."""
    assert "Zip archive" in f("zip_encrypted.zip").magic
    unpacker = ZipFile(f("zip_encrypted.zip"))
    assert unpacker.handles() is True
    members = list(unpacker.unpack())
    assert len(members) == 1
    member = members[0]
    assert member.filepath == "sflock.txt"
    assert member.contents == "sflock_encrypted_zip\n"
    assert member.password == "infected"
    assert member.magic == "ASCII text"
    assert member.parentdirs == []
    signature = f("zip_encrypted.zip").get_signature()
    assert signature == {"family": "zip", "mode": "", "unpacker": "zipfile"}
def test_nested2(self):
    """Nested sample: filepath/parentdirs reflect the directory chain; zipfile signature."""
    assert "Zip archive" in f("zip_nested2.zip").magic
    unpacker = ZipFile(f("zip_nested2.zip"))
    assert unpacker.handles() is True
    members = list(unpacker.unpack())
    assert len(members) == 1
    member = members[0]
    assert member.filepath == "deepfoo/foo/bar.txt"
    assert member.parentdirs == ["deepfoo", "foo"]
    assert member.contents == "hello world\n"
    assert not member.password
    assert member.magic == "ASCII text"
    signature = f("zip_nested2.zip").get_signature()
    assert signature == {"family": "zip", "mode": "", "unpacker": "zipfile"}
def test_zip_plain(self):
    """A plain zip is selected, previewed, and exposes its single text member."""
    assert "Zip archive" in f(b"zip_plain.zip").magic
    unpacker = ZipFile(f(b"zip_plain.zip"))
    assert unpacker.handles() is True
    assert unpacker.f.selected
    assert unpacker.f.preview is True
    members = list(unpacker.unpack())
    assert len(members) == 1
    member = members[0]
    assert not member.filepath
    assert member.relapath == b"sflock.txt"
    assert member.contents == b"sflock_plain_zip\n"
    assert member.password == "infected"
    assert member.magic == "ASCII text"
    assert member.parentdirs == []
    assert not member.selected
    assert member.preview is True
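def test_zip_encrypted2(self):
    """Wrong/missing password yields a failed entry; the right password unpacks it.

    Fix: the original compared ``magic`` with ``is ""``. Identity comparison
    against a string literal is interning-dependent (and a SyntaxWarning on
    modern Python); equality is the intended check.
    """
    assert "Zip archive" in f("zip_encrypted2.zip").magic
    z = ZipFile(f("zip_encrypted2.zip"))
    assert z.handles() is True
    assert not z.f.selected
    files = list(z.unpack())
    assert len(files) == 1
    assert files[0].mode == "failed"
    assert files[0].description == "Error decrypting file"
    assert files[0].magic == ""
    assert files[0].parentdirs == []
    assert not files[0].selected

    # Second pass with the correct password.
    z = ZipFile(f("zip_encrypted2.zip"))
    assert z.handles() is True
    assert not z.f.selected
    files = list(z.unpack("sflock"))
    assert len(files) == 1
    assert files[0].relapath == "sflock.txt"
    assert files[0].contents == "sflock_encrypted_zip\n"
    assert files[0].password == "sflock"
    assert files[0].magic == "ASCII text"
    assert files[0].parentdirs == []
    assert not files[0].selected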
def test_garbage(self):
    """Random bytes are not claimed and unpack to nothing with mode "failed"."""
    unpacker = ZipFile(f("garbage.bin"))
    assert unpacker.handles() is False
    assert not unpacker.f.selected
    assert not unpacker.unpack()
    assert unpacker.f.mode == "failed"
def test_garbage(self):
    """Random bytes are rejected: empty unpack and INVALID_ARCHIVE error mode."""
    unpacker = ZipFile(f("garbage.bin"))
    assert unpacker.handles() is False
    assert not unpacker.f.selected
    assert unpacker.unpack() == []
    assert unpacker.f.mode == Errors.INVALID_ARCHIVE
def test_partial(self):
    """A truncated zip is claimed by the handler but yields no members."""
    unpacker = ZipFile(f(b"partial.zip"))
    assert unpacker.handles()
    assert not unpacker.unpack()
def test_docx1(self):
    """A .docx (zip container) is recognised by the zip handler."""
    unpacker = ZipFile(f(b"doc_1.docx_"))
    assert unpacker.handles()
def test_partial(self):
    """Has a PK header but is not a valid archive: neither handled nor unpacked."""
    unpacker = ZipFile(f("partial.zip"))
    assert not unpacker.handles()
    assert not unpacker.unpack()
def test_zip_encrypted2(self):
    """Decryption failure raises; a password string or list unlocks the member."""
    assert "Zip archive" in f("zip_encrypted2.zip").magic

    unpacker = ZipFile(f("zip_encrypted2.zip"))
    assert unpacker.handles() is True
    assert not unpacker.f.selected
    with pytest.raises(DecryptionFailedError) as excinfo:
        unpacker.unpack()
    assert excinfo.value.state == Errors.DECRYPTION_FAILED

    def check_unlocked(members):
        # Shared expectations for a successfully decrypted unpack.
        assert len(members) == 1
        member = members[0]
        assert member.relapath == "sflock.txt"
        assert member.contents == b"sflock_encrypted_zip\n"
        assert member.password == "sflock"
        assert member.magic == "ASCII text"
        assert member.parentdirs == []
        assert not member.selected

    unpacker = ZipFile(f("zip_encrypted2.zip"))
    assert unpacker.handles() is True
    assert not unpacker.f.selected
    check_unlocked(list(unpacker.unpack(password="******")))

    unpacker = ZipFile(f("zip_encrypted2.zip"))
    assert unpacker.handles() is True
    assert not unpacker.f.selected
    check_unlocked(list(unpacker.unpack(password=["sflock"])))
def test_zip_suffix(self):
    """A zip with a .docx suffix is still identified as the zip package."""
    assert "Zip archive" in f(b"zip_suffix.docx").magic
    unpacker = ZipFile(f(b"zip_suffix.docx"))
    assert unpacker.handles() is True
    assert unpacker.f.package == "zip"
    assert unpacker.f.preview is True
def test_garbage(self):
    """Random bytes are not handled and unpacking them raises UnpackException."""
    unpacker = ZipFile(f("garbage.bin"))
    assert unpacker.handles() is False
    with pytest.raises(UnpackException):
        unpacker.unpack()