def auto_vuler_association(request):
pack_id = ReqParams.one(request, 'pack_id')
task_id = start_check_component_task(pack_id)
if task_id is None:
return sys_app_ok_p("自动组件漏洞关联正在运行中")
return sys_app_ok_p(MyTask.fetch_exec_info(task_id))
def test_bin_info(request):
file_name, load_options = ReqParams.many(request, ['file_name', 'load_options.int'])
file_path = os.path.join(MyPath.samples(), 'bin', file_name)
# bw_result = binwalk.scan(file_path, signature=True, opcodes=True)
bw_result = binwalk.scan('--signature', '--opcodes', file_path)
bw_result = binwalk.scan('--signature', file_path)
return sys_app_ok_p({})
if load_options == 1:
proj = angr.Project(file_path, load_options={
'main_opts': {
'backend': 'blob',
'base_addr': 0x10000,
'entry_point': 0x10000,
'arch': 'ARM',
'offset': 0,
}
})
else:
# proj = angr.Project(file_path)
proj = angr.Project(file_path, load_options={'auto_load_libs': False, 'main_opts': {}, })
boyscout = proj.analyses.BoyScout()
# proj2 = angr.Project(file_path, arch=angr.SimARM(endness="Iend_BE"),
# load_options={
# 'backend': 'blob',
# 'base_addr': 0x10000,
# 'entry_point': 0x10000,
# 'arch': 'ARM',
# 'offset': 0,
# })
# girlscout = proj2.analyses.GirlScout(pickle_intermediate_results=True)
return sys_app_ok_p({'arch': boyscout.arch, 'endianness': boyscout.endianness})
def taintdel(request):
# 从请求中取参数:文件 ID
func_name = ReqParams.one(request, 'func_name')
ret = TaintdictDO.delete(func_name)
# 保存操作日志
LogRecords.save('', category='statistics', action='自定义污点函数-删除',
desc='污点函数(func_name=%s)的信息,' % func_name)
if ret:
return sys_app_ok_p('删除成功')
else:
return sys_app_ok_p('删除失败')
def search_tasks_by_file(request):
# 从请求中取参数:文件 ID
file_id = req_get_param(request, 'file_id')
if file_id is None:
return sys_app_ok_p([])
tasks_list = TasksDAO.search_by_file(file_id)
# 保存查询日志
LogRecords.save(tasks_list, category='query_task', action='查询文件任务',
desc='查询指定的文件(ID=%s)所有的任务信息' % file_id)
return sys_app_ok_p(tasks_list)
def taint_func_list(request):
# 从请求中取参数:文件 ID
file_id = ReqParams.one(request, 'file_id')
# 查找函数列表分析结果
# 查询文件 CFG 分析的标记
is_cfg = CfgAnalyzeService.has_cfg_analyze(file_id)
if not is_cfg:
# 启动分析任务
task_id = CfgAnalyzeService.start_cfg_task(file_id)
# 保存操作日志
LogRecords.save({
'task_id': task_id,
'file_id': file_id
},
category='analysis',
action='分析CFG',
desc='对二进制文件做调用流程图分析')
# 返回响应:任务初始化的信息
return sys_app_ok_p(MyTask.fetch_exec_info(task_id))
# 启动分析任务
functions = FilesService.functions_list(file_id)
if len(functions) == 0:
return sys_app_err(Error.FW_FILE_NO_CFG_ANALYZE)
taint_func_list = []
taint_funcs = []
taint_list = func_taint_col.find()
for taint_info in taint_list:
taint_funcs.append(taint_info.get('func_name'))
for func_info in functions:
func_name = func_info.get('name')
for taint_func_info in taint_funcs:
if taint_func_info == func_name:
taint_func_list.append(taint_func_info)
# 保存操作日志
LogRecords.save('',
category='query',
action='查询污点函数列表',
desc='查询指定固件文件(ID=%s)在代码分析中产生的函数列表' % file_id)
return sys_app_ok_p({
'taint_num': len(taint_func_list),
'taint_func_list': taint_func_list
})
def pack_delete(request):
pack_id = ReqParams.one(request, 'pack_id')
# delete fw_files_storage
# delete fw_files
# delete pack_files_storage
# delete pack_files
file_list = FwFileDO.search_files_of_pack(pack_id)
for file in file_list:
FwFilesStorage.delete(file['file_id'])
# if len(file_list) > 0:
FwFileDO.delete_many_of_pack(pack_id)
pack_info = PackFileDO.fetch_pack(pack_id)
PackFilesStorage.delete(pack_info['file_id'])
PackFileDO.delete(pack_id)
# 保存操作日志
LogRecords.save('',
category='statistics',
action='删除固件包',
desc='删除指定固件包(ID=%s)的信息,' % pack_id)
return sys_app_ok_p([])
def com_sourcecode_files_tree(request):
pack_id, tree_type = ReqParams.many(request, ['pack_id', 'tree_type'])
file_list = SourceCodeFileDO.search_files_of_pack(pack_id)
if tree_type is None or len(tree_type) == 0 or tree_type == 'normal':
tree_type = 'normal'
exec_tree = {}
elif tree_type == 'antd':
exec_tree = []
else:
tree_type = 'normal'
exec_tree = {}
# 对每个文件做树的各级节点定位和创建
for file in file_list:
# 获取文件路径
file_path = file['file_path']
file_id = file['file_id']
if file_path is None or len(file_path) == 0:
continue
if tree_type == 'normal':
MyTree.file_path_insert_into_tree(exec_tree, file_path, file_id)
elif tree_type == 'antd':
MyTree.file_path_insert_into_antd_tree(exec_tree, file_path,
file_id)
# 保存操作日志
LogRecords.save('',
category='statistics',
action='查询组件源码文件目录树',
desc='获取组件源码文件目录树(模式为:%s)' % (tree_type))
return sys_app_ok_p(exec_tree)
def binwalk_file_test(request):
filename = req_get_param(request, 'filename')
try:
for module in binwalk.scan(filename, filesystem=True, quiet=True):
for result in module.results:
if result.file.path in module.extractor.output:
# These are files that binwalk carved out of the original firmware image, a la dd
if result.offset in module.extractor.output[
result.file.path].carved:
print
"Carved data from offset 0x%X to %s" % (
result.offset, module.extractor.output[
result.file.path].carved[result.offset])
# These are files/directories created by extraction utilities (gunzip, tar, unsquashfs, etc)
if result.offset in module.extractor.output[
result.file.path].extracted:
print
"Extracted %d files from offset 0x%X to '%s' using '%s'" % (
len(module.extractor.output[result.file.path].
extracted[result.offset].files), result.offset,
module.extractor.output[result.file.path].
extracted[result.offset].files[0],
module.extractor.output[result.file.path].
extracted[result.offset].command)
except binwalk.ModuleException as e:
print("Critical failure:", e)
return sys_app_err('ERROR_INTERNAL_ERROR')
return sys_app_ok_p({
'extract': 'ok',
})
def angr_recognize_func(request):
functions = []
try:
filename = req_get_param(request, 'filename')
arch = getarch(filename)
proj = angr.Project(filename,
load_options={
'auto_load_libs': False,
'main_opts': {
'backend': 'blob',
'base_addr': 0,
'arch': arch,
},
})
cfg = proj.analyses.CFGFast()
for address, func in cfg.functions.items():
print(hex(address), func.name)
functions.append(func.name)
except binwalk.ModuleException as e:
print("Critical failure:", e)
return sys_app_err('ERROR_INTERNAL_ERROR')
return sys_app_ok_p({
'functions': functions,
})
def test_list_squash_fs(request):
pack_id = ReqParams.one(request, 'pack_id')
fs_image = FsImage(pack_id)
fs_image.enum_files()
return sys_app_ok_p({})
def binwalk_scan_opcodes(request):
filename = req_get_param(request, 'filename')
#print(filename)
# filename = "D:/code/work/firmwareanalyze/HC5611.bin"
structure = ''
try:
for module in binwalk.scan(filename, opcodes=True, quiet=True):
print("%s Results:" % module.name)
for result in module.results:
print("\t%s 0x%.8X %s" %
(result.file.path, result.offset, result.description))
if ("X86" in result.description.upper()):
structure = 'X86'
break
elif ("ARM" in result.description.upper()):
structure = "ARM"
break
elif ("MIPS" in result.description.upper()):
structure = "MIPS"
break
else:
structure = "PowerPC"
break
except binwalk.ModuleException as e:
print("Critical failure:", e)
return sys_app_err('ERROR_INTERNAL_ERROR')
return sys_app_ok_p({
'structure': structure,
})
def poc_search(request):
offset = req_get_param_int(request, 'offset')
count = req_get_param_int(request, 'count')
value = req_get_param(request, 'value')
# 查找利用信息
result_cursor = firmware_db.search(value)
item_list = list(result_cursor)
# 获取信息总数,并判断指定偏移量是否越界
total = len(item_list)
if total == 0 or offset >= total:
return app_err_p(Error.NO_MORE_DATA, {'total': total, 'count': 0})
# 读取指定位置和数量的利用信息
if count > total - offset:
count = total - offset
item_list = item_list[offset: offset + count]
# 查询poc信息,添加到漏洞信息中
# poc_list = []
for item in item_list:
poc = firmware_pocs.fetch_no_content(item['firmware_id'])
item['poc'] = poc
# poc_list.append(poc)
#SysLog.success('搜索POC', '成功搜索POC文件,总数={}'.format(len(item_list)))
return sys_app_ok_p({'total': total, 'count': len(item_list), 'items': item_list})
def fwlist(reuqest):
# 获取信息总数
fw_coll = MongoDB(firmware_info_coll)
total = fw_coll.info_count()
# 读取固件信息
docs = fw_coll.query(0, total)
return sys_app_ok_p({'total': total, 'count': len(docs), 'items': docs})
def binwalk_scan_signatureEx(request):
firmware_id = req_get_param(request, 'firmware_id')
try:
# 查询数据库 得到固件名
fw = firmware_db.fetch(firmware_id)
# todo check fw is NULL
if fw['fw_info']['filepath'] is not None:
filename = fw['fw_info']['filepath'] + fw['fw_info']['filename'][0]
else:
return sys_app_ok_p({'decode': 'Null', 'description': "解析文件名出错"})
result_list = list()
offset_list = list()
description_list = list()
index = 0
# try:
for module in binwalk.scan(filename, signature=True, quiet=True):
print("%s Results:" % module.name)
for result in module.results:
result_list.append(
"\t%s 0x%.8X %s" %
(result.file.path, result.offset, result.description))
print("\t%s 0x%.8X %s" %
(result.file.path, result.offset, result.description))
offset_list.append(result.offset)
description_list.append(result.description)
# 将解压缩后的固件文件信息存入mongodb firmware_info
dic = {}
item = {}
for off_set in offset_list:
index += 1
offset = 'offset' + str(index)
description = 'description' + str(index)
dic[offset] = off_set
dic[description] = description_list[index - 1]
item['decode_info'] = dic
firmware_db.update(firmware_id, item)
except binwalk.ModuleException as e:
print("Critical failure:", e)
return sys_app_ok_p({'decode': result_list})
def get_task_result(request):
# 从请求中取参数:文件 ID
task_id = req_get_param(request, 'task_id')
# 从缓存中读取任务执行信息
task_info = MyTask.fetch_exec_info(task_id)
return sys_app_ok_p(task_info)
def list(reuqest):
# 获取信息总数
total = firmware_db.info_count()
# 读取固件信息
docs = firmware_db.query(0, total)
#SysLog.success('查询漏洞', '成功查询漏洞信息,查询到漏洞信息总数={}'.format(len(docs)))
return sys_app_ok_p({'total': total, 'count': len(docs), 'items': docs})
def function_info(request):
# 从请求中取参数:文件 ID、函数地址
file_id, func_addr, extra_info = ReqParams.many(
request, ['file_id', 'func_addr.hex', 'extra_info'])
# 获取指定函数的汇编、中间码等代码信息
codes_dict = FunctionsService.func_codes(file_id, func_addr)
infos_dict = codes_dict
if extra_info is not None:
# 取出首尾空格后分割成列表(用逗号分隔)
extra_list = extra_info.strip().split(',')
if 'props' in extra_list:
# 如指定 props 则附加函数属性信息
props_dict = FunctionsService.func_props(file_id, func_addr)
infos_dict['props'] = props_dict
if 'vars' in extra_list:
# 如指定 props 则附加函数变量信息
vars_dict = VarsService.extract_vars(file_id, func_addr)
infos_dict['vars'] = vars_dict
infos_dict['vulnerabe'] = {
'flag': '0',
'desc': '非脆弱性函数'
} # 0:非脆弱性函数 1:脆弱性函数
infos_dict['taint'] = {'flag': '0', 'desc': '非污点函数'} # 0:非污点函数 1:非污点函数
func_name = infos_dict.get('function_name')
if func_name is not None:
vulner_info = func_vulner_col.find_one(
{'func_name': {
'$regex': func_name
}})
if vulner_info is not None:
infos_dict['vulnerabe'] = {
'flag': '1',
'desc': '脆弱性函数'
} # 0:非脆弱性函数 1:脆弱性函数
taint_info = func_taint_col.find_one(
{'func_name': {
'$regex': func_name
}})
if taint_info is not None:
infos_dict['taint'] = {
'flag': '1',
'desc': '污点函数'
} # 0:非污点函数 1:非污点函数
# 保存操作日志
LogRecords.save('',
category='query',
action='查询函数分析信息',
desc='查询代码分析后的函数信息,文件ID=%s,函数地址=0x%x' %
(file_id, func_addr))
return sys_app_ok_p(infos_dict)
def taintadd(request):
# 从请求中取参数:文件 ID
func_name, hazard, solution = ReqParams.many(request, ['func_name', 'hazard', 'solution'], protocol='POST')
# find func_name in taint_dict
if TaintdictDO.search_func_name(func_name) is None:
print("add func_name")
# 新的 fun ID
fun_id = StrUtils.uuid_str()
TaintdictDO.save(fun_id, func_name, hazard, solution)
# 保存操作日志
LogRecords.save('', category='statistics', action='自定义污点函数-增加',
desc='污点函数(ID=%s)的信息,' % fun_id)
return sys_app_ok_p('添加成功')
else:
print("already has func_name")
return sys_app_ok_p(['函数已存在'])
def query_component(request):
# path('task/query_component', task_view.query_component, name='task_query_component'),
# 读取数据库任务集合
task_id_list = TasksDAO.all_component()
# 保存操作日志
LogRecords.save(task_id_list, category='query', action='查询组件任务状态')
return sys_app_ok_p(task_id_list)
def pack_exec_files_tree(request):
pack_id, tree_type = ReqParams.many(request, ['pack_id', 'tree_type'])
start_check_component_task(pack_id)
# # # 检查组件关联
# # check_component(pack_id, FileType.EXEC_FILE)
# # 修改为任务处理方式进行检查组件关联 关联组件标记,相似度匹配计算,标记漏洞(version/edbid)
# # 启动编译任务
# extra_info = {'task_type': TaskType.COMPONENT_CHECK,
# 'task_name': '检查组件关联',
# 'task_desc': '检查组件关联,相似度匹配计算,标记漏洞(version/edbid)'}
# task = MyTask(check_component, (pack_id,), extra_info=extra_info)
# task_id = task.get_task_id()
# 读取所有可执行文件
exec_list = FwFileDO.search_files_of_pack(pack_id, FileType.EXEC_FILE)
if tree_type is None or len(tree_type) == 0 or tree_type == 'normal':
# file_path_insert_into_tree 树,初始化为字典
tree_type = 'normal'
exec_tree = {}
elif tree_type == 'antd':
# file_path_insert_into_antd_tree 树,初始化为数组
exec_tree = []
else:
tree_type = 'normal'
exec_tree = {}
# 对每个文件做树的各级节点定位和创建
for exec_file in exec_list:
# 获取文件路径
file_path = exec_file['file_path']
file_id = exec_file['file_id']
component = exec_file['component']
# if exec_file['component'] is not None:
# component = exec_file['component']
# else:
# component = 0
if file_path is None or len(file_path) == 0:
continue
if tree_type == 'normal':
MyTree.file_path_insert_into_tree(exec_tree, file_path, file_id,
component)
elif tree_type == 'antd':
MyTree.file_path_insert_into_antd_tree(exec_tree, file_path,
file_id, component)
# 保存操作日志
LogRecords.save('',
category='statistics',
action='读取固件包文件结构',
desc='获取指定固件包(ID=%s)的文件结构(模式为:%s)' % (pack_id, tree_type))
return sys_app_ok_p(exec_tree)
def test_angr_vars(request):
file_id, file_name, func_addr = ReqParams.many(request, ['file_id', 'file_name', 'func_addr.hex'])
func_parse = FunctionParse(file_id, func_addr)
props = func_parse.get_props()
# _test_func(file_name)
return sys_app_ok_p(props)
def fw_functions_list(request):
# 从请求中取参数:文件 ID
file_id = req_get_param(request, 'file_id')
# 获取代码中的函数列表
func_parse = _get_func_parse(file_id)
functions = func_parse.func_list()
return sys_app_ok_p({'functions_count': len(functions), 'functions': functions})
def func_successors(request):
# 从请求中取参数:文件 ID,函数地址
file_id, func_addr = _req_params(request)
# 获取函数的后继调用
func_parse = _get_func_parse(file_id)
successors = func_parse.func_successors(func_addr)
return sys_app_ok_p({'successors_count': len(successors), 'successors': successors})
def func_vex(request):
# 从请求中取参数:文件 ID,函数地址
file_id, func_addr = _req_params(request)
# 读取函数的中间代码
func_parse = _get_func_parse(file_id)
vex = func_parse.func_vex(func_addr)
print(vex)
return sys_app_ok_p(str(vex))
def func_asm(request):
# 从请求中取参数:文件 ID,函数地址
file_id, func_addr = _req_params(request)
# 读取函数的汇编代码
func_parse = _get_func_parse(file_id)
asm = func_parse.func_asm(func_addr)
print(asm)
return sys_app_ok_p(str(asm))
def taintmodify(request):
# 从请求中取参数:文件 ID
func_name, hazard, solution = ReqParams.many(request, ['func_name', 'hazard', 'solution'], protocol='POST')
TaintdictDO.update(func_name, hazard, solution)
# 保存操作日志
LogRecords.save('', category='statistics', action='自定义污点函数-删除',
desc='污点函数(func_name=%s)的信息,' % func_name)
return sys_app_ok_p([])
def async_fw_functions_list(request):
# 从请求中取参数:文件 ID
file_id = req_get_param(request, 'file_id')
# 启动分析任务
task = MyTask(_proc_fw_functions_list, (file_id, ))
task_id = task.get_task_id()
# 返回响应:任务初始化的信息
return sys_app_ok_p(MyTask.fetch_exec_info(task_id))
def search_tasks_by_pack(request):
# 从请求中取参数:包 ID
pack_id = req_get_param(request, 'pack_id')
if pack_id is None:
return sys_app_ok_p([])
tasks_list = TasksDAO.search_by_pack(pack_id)
task_info_list = []
for task_info in tasks_list:
# 没有执行完成的任务状态,用缓存中任务信息代替
if task_info['task_status'] != TaskStatus.COMPLETE:
task_info = MyTask.fetch_exec_info(task_info['task_id'])
task_info_list.append(task_info)
# 保存查询日志
LogRecords.save(task_info_list, category='query_task', action='查询固件包任务',
desc='查询指定的固件包(ID=%s)所有的任务信息' % pack_id)
return sys_app_ok_p(task_info_list)
def stop_task(request):
# 从请求中取参数:任务 ID
task_id = req_get_param(request, 'task_id')
task_info = MyTask.stop_task(task_id)
# 保存操作日志
LogRecords.save(task_info, category='task', action='停止任务',
desc='停止指定的任务(ID=%s)' % task_id)
return sys_app_ok_p(task_info)
def com_files_list(request):
# 读取所有组件文件
com_list = FwFileDO.search_all_com_files()
print(com_list)
comlist = []
for com in com_list:
print(com)
inverted = com.get('inverted')
cfg_analyze = com.get('cfg_analyze')
file_type_verified = com.get('file_type_verified')
extra_props = com.get('extra_props')
if extra_props is not None:
extra_props.setdefault('name', '')
extra_props.setdefault('version', '')
extra_props.setdefault('edb_id', '')
extra_props.setdefault('similarity', '')
name = extra_props['name']
version = extra_props['version']
edb_id = extra_props['edb_id']
similarity = extra_props['similarity']
else:
name = ""
version = ""
edb_id = ""
similarity = ""
doc = {
'file_id': com['file_id'],
'file_path': com['file_path'],
'component': com['component'],
'create_time': com['create_time'],
'file_name': com['file_name'],
'file_type': com['file_type'],
'pack_id': com['pack_id'],
'version': version,
'name': name,
'edb_id': edb_id,
'file_type_verified': file_type_verified,
'cfg_analyze': cfg_analyze,
'inverted': inverted,
'similarity': similarity,
'fw_name': com['pack_docs'][0]['name']
}
comlist.append(doc)
# 保存操作日志
LogRecords.save('',
category='statistics',
action='查询所有组件文件列表',
desc='查询所有组件文件列表')
return sys_app_ok_p(comlist)