Esempio n. 1
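    def run_archive_viewer(self, obj):
        """
        Get data using the archive viewer.

        Walks the PyInstaller CArchive table of contents of the sample and,
        for every script entry (type ``'s'``) that is not one of the known
        bootstrap scripts listed in ``safe``, extracts the script body, hashes
        it, de-fangs ``http`` -> ``hxxp`` and stores it as a RawData object
        linked to ``obj`` with a CONTAINED_WITHIN relationship.  Every TOC
        entry yields one "Info" result via ``_add_result``; its ``RawData``
        field carries a link to the stored object when the upload succeeded.

        Args:
            obj: the sample under analysis; must expose ``source``,
                ``add_relationship`` and ``save``.

        Failures are reported through ``_info`` rather than raised: an entry
        that cannot be read or encoded is still listed, just without RawData;
        any other error aborts the walk with an "Error: ..." message.
        """

        safe = [
            'pyi_carchive', 'pyi_rth_win32comgenpy', '_pyi_bootstrap',
            '_pyi_egg_install.py'
        ]
        # Encodings to try in order; the first one that succeeds is used.
        # (The earlier version attempted all four unconditionally, so a block
        # that encoded fine as utf-8 was silently replaced by its latin-1 form.)
        candidate_encodings = ['utf-8', 'utf-16', 'utf-32', 'latin-1']
        user = self.current_task.user

        # This doesn't work. Everything is showing as an invalid CArchive file.
        with self._write_to_file() as tmp_file:
            try:
                arch = get_archive(tmp_file)
                # toc is either a plain dict or an object wrapping one in .data
                if isinstance(arch.toc, dict):
                    toc = arch.toc
                else:
                    toc = arch.toc.data
                for t in toc:
                    name = t[5]
                    d = {
                        'Position': t[0],
                        'Length': t[1],
                        'Uncompressed': t[2],
                        'IsCompressed': t[3],
                        'Type': t[4],
                        'RawData': ""
                    }
                    if t[4] == 's' and name not in safe:
                        block = None
                        try:
                            raw = self.get_data(name, arch)
                        except Exception as e:
                            # Best effort: an unreadable entry is logged and
                            # still listed, just without RawData.
                            self._info("%s: unable to read block: %s" %
                                       (name, str(e)))
                            raw = None
                        if raw is not None:
                            for i, enc in enumerate(candidate_encodings):
                                try:
                                    block = raw.encode(enc, 'ignore')
                                    break
                                except (UnicodeError, AttributeError):
                                    if i + 1 < len(candidate_encodings):
                                        self._info(
                                            "%s: Block not valid %s. Trying %s." %
                                            (name, enc, candidate_encodings[i + 1]))
                                    else:
                                        self._info(
                                            "%s: Block not valid %s. Done trying." %
                                            (name, enc))
                        if block is not None:
                            # Hash the block as extracted, before de-fanging,
                            # so the digests match the original script bytes.
                            bmd5 = md5(block).hexdigest()
                            bsha1 = sha1(block).hexdigest()
                            bsha256 = sha256(block).hexdigest()
                            # De-fang URLs so the stored copy is not clickable.
                            block = block.replace(b'http', b'hxxp')
                            description = (
                                '"%s" pulled from Sample\n\n'
                                'MD5: %s\nSHA1: %s\nSHA256: %s\n' %
                                (name, bmd5, bsha1, bsha256))
                            result = handle_raw_data_file(
                                block,
                                obj.source,
                                user=user,
                                description=description,
                                title=name,
                                data_type="Python",
                                tool_name="pyinstaller_service",
                            )
                            if result['success']:
                                self._info("RawData added for %s" % name)
                                res = obj.add_relationship(
                                    rel_item=result['object'],
                                    rel_type=RelationshipTypes.CONTAINED_WITHIN,
                                    rel_confidence="high",
                                    analyst=user)
                                if res['success']:
                                    obj.save(username=user.username)
                                    result['object'].save(username=user.username)
                                    # url is a reverse()d internal path built from
                                    # the stored object's id, not from sample data.
                                    url = reverse('crits-core-views.details',
                                                  args=('RawData', result['_id']))
                                    d['RawData'] = (
                                        '<a href="%s">View Raw Data</a>' % url)
                                    self._info("Relationship added for %s" % name)
                                else:
                                    self._info("Error adding relationship: %s" %
                                               res['message'])
                            else:
                                self._info("RawData addition failed for %s:%s" %
                                           (name, result['message']))
                    self._add_result("Info", name, d)
            except Exception as e:
                self._info("Error: %s" % str(e))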
Esempio n. 2
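    def run_archive_viewer(self, obj):
        """
        Get data using the archive viewer.

        Walks the PyInstaller CArchive table of contents of the sample and,
        for every script entry (type ``'s'``) that is not one of the known
        bootstrap scripts listed in ``safe``, extracts the script body, hashes
        it, de-fangs ``http`` -> ``hxxp`` and stores it as a RawData object
        linked to ``obj`` with a CONTAINED_WITHIN relationship.  Every TOC
        entry yields one "Info" result via ``_add_result``; its ``RawData``
        field carries a link to the stored object when the upload succeeded.

        Args:
            obj: the sample under analysis; must expose ``source``,
                ``add_relationship`` and ``save``.

        Failures are reported through ``_info`` rather than raised: an entry
        that cannot be read or encoded is still listed, just without RawData;
        any other error aborts the walk with an "Error: ..." message.
        """

        safe = [
            'pyi_carchive',
            'pyi_rth_win32comgenpy',
            '_pyi_bootstrap',
            '_pyi_egg_install.py'
        ]
        # Encodings to try in order; the first one that succeeds is used.
        # (The earlier version attempted all four unconditionally, so a block
        # that encoded fine as utf-8 was silently replaced by its latin-1 form.)
        candidate_encodings = ['utf-8', 'utf-16', 'utf-32', 'latin-1']
        user = self.current_task.user

        # This doesn't work. Everything is showing as an invalid CArchive file.
        with self._write_to_file() as tmp_file:
            try:
                arch = get_archive(tmp_file)
                # toc is either a plain dict or an object wrapping one in .data
                if isinstance(arch.toc, dict):
                    toc = arch.toc
                else:
                    toc = arch.toc.data
                for t in toc:
                    name = t[5]
                    d = {'Position': t[0],
                         'Length': t[1],
                         'Uncompressed': t[2],
                         'IsCompressed': t[3],
                         'Type': t[4],
                         'RawData': ""
                    }
                    if t[4] == 's' and name not in safe:
                        block = None
                        try:
                            raw = self.get_data(name, arch)
                        except Exception as e:
                            # Best effort: an unreadable entry is logged and
                            # still listed, just without RawData.
                            self._info("%s: unable to read block: %s" % (name, str(e)))
                            raw = None
                        if raw is not None:
                            for i, enc in enumerate(candidate_encodings):
                                try:
                                    block = raw.encode(enc, 'ignore')
                                    break
                                except (UnicodeError, AttributeError):
                                    if i + 1 < len(candidate_encodings):
                                        self._info("%s: Block not valid %s. Trying %s." %
                                                   (name, enc, candidate_encodings[i + 1]))
                                    else:
                                        self._info("%s: Block not valid %s. Done trying." %
                                                   (name, enc))
                        if block is not None:
                            # Hash the block as extracted, before de-fanging,
                            # so the digests match the original script bytes.
                            bmd5 = md5(block).hexdigest()
                            bsha1 = sha1(block).hexdigest()
                            bsha256 = sha256(block).hexdigest()
                            # De-fang URLs so the stored copy is not clickable.
                            block = block.replace(b'http', b'hxxp')
                            description = ('"%s" pulled from Sample\n\n'
                                           'MD5: %s\nSHA1: %s\nSHA256: %s\n' %
                                           (name, bmd5, bsha1, bsha256))
                            result = handle_raw_data_file(
                                block,
                                obj.source,
                                user=user,
                                description=description,
                                title=name,
                                data_type="Python",
                                tool_name="pyinstaller_service",
                            )
                            if result['success']:
                                self._info("RawData added for %s" % name)
                                res = obj.add_relationship(
                                    rel_item=result['object'],
                                    rel_type=RelationshipTypes.CONTAINED_WITHIN,
                                    rel_confidence="high",
                                    analyst=user
                                )
                                if res['success']:
                                    obj.save(username=user.username)
                                    result['object'].save(username=user.username)
                                    # url is a reverse()d internal path built from
                                    # the stored object's id, not from sample data.
                                    url = reverse('crits-core-views.details',
                                                  args=('RawData', result['_id']))
                                    d['RawData'] = '<a href="%s">View Raw Data</a>' % url
                                    self._info("Relationship added for %s" % name)
                                else:
                                    self._info("Error adding relationship: %s" % res['message'])
                            else:
                                self._info("RawData addition failed for %s:%s" %
                                           (name, result['message']))
                    self._add_result("Info", name, d)
            except Exception as e:
                self._info("Error: %s" % str(e))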
Esempio n. 3
    try:  # Get screen size (linux/osx/stdout redirect) to determine if we should page results.
        rows = subprocess.Popen(['stty', 'size'], stdout=subprocess.PIPE).communicate()[0].split()[0]
    except:  # If we're unable to get screen size (windows), set it ourselves:
        rows = 80
    return(rows)


if __name__ == '__main__':
    try:
        filename = sys.argv[1]
    except:
        print('Usage: %s [filename]' % __file__)
        sys.exit()

    try:
        fh = archive_viewer.get_archive(filename)
    except Exception as err:
        try:
            manual_warn = ('# Looks like the package has been manipulated. Manually carved - maybe incomplete.')
            manual_bin = open(filename, 'rb').read()
            data = patch_zlib(manual_bin)
            if data:
                rating = malicious_check(data)
                data = ('{}\n# Script: {} ({})\n'.format(
                    manual_warn, 'UNKNOWN_NAME', rating) +
                    '\n'.join(['\t' + indent for indent in data.split('\n')]))
            rows = screen_size()
            if len(data.split('\n')) > int(rows):
                pager(data)
                sys.exit()
            print(data)