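class TestFile:
    """Exercise the ``File`` metadata helpers against an empty temp file.

    Every digest expected below is the well-known value for zero-length
    input, so these tests double as a sanity check that the hash wrappers
    really hash the file's content and not, say, its path.
    """

    def setUp(self):
        # mkstemp() (not mktemp()) creates the file atomically, so there is
        # no name race.  It also returns an *open* descriptor, which the
        # original never closed: one fd leaked per test, and tearDown's
        # os.remove() fails on platforms that refuse to unlink open files.
        # File() reopens the path itself, so the descriptor is not needed.
        self.tmp = tempfile.mkstemp()
        os.close(self.tmp[0])
        self.file = File(self.tmp[1])

    def test_get_name(self):
        # basename() instead of splitting on "/" so the check is portable
        assert_equal(os.path.basename(self.tmp[1]), self.file.get_name())

    def test_get_data(self):
        # NOTE(review): if get_data() reads the file in binary mode on
        # Python 3 this must compare against b"" — confirm against File.
        assert_equal("", self.file.get_data())

    def test_get_size(self):
        assert_equal(0, self.file.get_size())

    def test_get_crc32(self):
        assert_equal("00000000", self.file.get_crc32())

    def test_get_md5(self):
        assert_equal("d41d8cd98f00b204e9800998ecf8427e", self.file.get_md5())

    def test_get_sha1(self):
        assert_equal("da39a3ee5e6b4b0d3255bfef95601890afd80709", self.file.get_sha1())

    def test_get_sha256(self):
        assert_equal(
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            self.file.get_sha256(),
        )

    def test_get_sha512(self):
        assert_equal(
            "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
            "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
            self.file.get_sha512(),
        )

    def test_get_ssdeep(self):
        # ssdeep is optional: a hash is expected only when pydeep imports.
        try:
            import pydeep  # noqa: F401 - only probing availability
        except ImportError:
            assert_equal(None, self.file.get_ssdeep())
        else:
            assert_not_equal(None, self.file.get_ssdeep())

    def test_get_type(self):
        assert_equal("empty", self.file.get_type())

    def test_get_content_type(self):
        # libmagic versions disagree on the MIME type of an empty file
        assert_in(self.file.get_content_type(), ["inode/x-empty", "application/x-empty"])

    def test_get_all_type(self):
        assert isinstance(self.file.get_all(), dict)

    def test_get_all_keys(self):
        # compute the summary once rather than once per key
        info = self.file.get_all()
        for key in ("name", "size", "crc32", "md5", "sha1", "sha256", "sha512", "ssdeep", "type"):
            assert key in info, key

    def tearDown(self):
        os.remove(self.tmp[1])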
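class TestFile:
    """Check the ``File`` metadata helpers on a zero-byte temporary file.

    The expected digests are the standard empty-input values, so a wrong
    answer means the wrapper hashed something other than the file body.
    """

    def setUp(self):
        # mkstemp() returns (fd, path) with the descriptor already open.
        # Close it right away: leaving it open leaked one fd per test and
        # breaks os.remove() in tearDown on platforms that will not unlink
        # an open file.  File() reopens the path on its own.
        self.tmp = tempfile.mkstemp()
        os.close(self.tmp[0])
        self.file = File(self.tmp[1])

    def test_get_name(self):
        # os.path.basename is portable; splitting on "/" is not
        assert_equal(os.path.basename(self.tmp[1]), self.file.get_name())

    def test_get_data(self):
        # NOTE(review): compare against b"" instead if get_data() returns
        # bytes on Python 3 — verify against the File implementation.
        assert_equal("", self.file.get_data())

    def test_get_size(self):
        assert_equal(0, self.file.get_size())

    def test_get_crc32(self):
        assert_equal("00000000", self.file.get_crc32())

    def test_get_md5(self):
        assert_equal("d41d8cd98f00b204e9800998ecf8427e", self.file.get_md5())

    def test_get_sha1(self):
        assert_equal("da39a3ee5e6b4b0d3255bfef95601890afd80709", self.file.get_sha1())

    def test_get_sha256(self):
        assert_equal(
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            self.file.get_sha256(),
        )

    def test_get_sha512(self):
        assert_equal(
            "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
            "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
            self.file.get_sha512(),
        )

    def test_get_ssdeep(self):
        # ssdeep support is optional and keyed on whether pydeep imports
        try:
            import pydeep  # noqa: F401 - availability probe only
        except ImportError:
            assert_equal(None, self.file.get_ssdeep())
        else:
            assert_not_equal(None, self.file.get_ssdeep())

    def test_get_type(self):
        assert_equal("empty", self.file.get_type())

    def test_get_all_type(self):
        assert isinstance(self.file.get_all(), dict)

    def test_get_all_keys(self):
        # build the summary once, then check every expected key is present
        info = self.file.get_all()
        for key in ("name", "size", "crc32", "md5", "sha1", "sha256", "sha512", "ssdeep", "type"):
            assert key in info, key

    def tearDown(self):
        os.remove(self.tmp[1])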
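def run(self):
    """Run analysis.

    Walks every ``<pid>.dmp`` under ``self.pmemory_path``, attaches the
    process name/path recorded in the behavior log, runs the "memory" and
    "CAPE" Yara categories against the dump, carves embedded PEs, optionally
    extracts printable strings to ``<dump>.strings``, and feeds any Yara
    family name into the detections list.

    @return: structured results, one dict per non-empty dump.
    """
    self.key = "procmemory"
    results = []
    do_strings = self.options.get("strings", False)
    nulltermonly = self.options.get("nullterminated_only", True)
    # The value is spliced into a bytes regex quantifier below, so coerce it
    # through int() first: a mistyped config value now fails up front with a
    # clear ValueError instead of a cryptic re.error inside the search.
    minchars = str(int(self.options.get("minchars", 5))).encode()
    # Without re2 the stdlib engine gets an explicit upper bound on the match
    # length; with re2 the quantifier is left open-ended.
    endlimit = b"" if HAVE_RE2 else b"8192"

    if not os.path.exists(self.pmemory_path):
        return results

    # looked up once; the original re-read self.results for every dump
    processes = self.results.get("behavior", {}).get("processes", [])

    for dmp in os.listdir(self.pmemory_path):
        # Only raw .dmp files are processed. When a task is re-processed with
        # zipped dumps, nothing is redone here (currently only matters for Yara).
        if not dmp.endswith(".dmp"):
            continue
        dmp_path = os.path.join(self.pmemory_path, dmp)
        if os.path.getsize(dmp_path) == 0:
            continue

        # Dumps are named after the pid. A stray non-numeric name previously
        # raised ValueError and aborted the entire module; skip it instead.
        try:
            process_id = int(os.path.splitext(dmp)[0])
        except ValueError:
            continue

        dmp_file = File(dmp_path)
        process_name = ""
        process_path = ""
        for process in processes:
            if process_id == process["process_id"]:
                process_name = process["process_name"]
                process_path = process["module_path"]

        procdump = ProcDump(dmp_path, pretty=True)
        try:
            proc = dict(
                path=dmp_path,
                sha256=dmp_file.get_sha256(),
                pid=process_id,
                name=process_name,
                proc_path=process_path,
                yara=dmp_file.get_yara(category="memory"),
                cape_yara=dmp_file.get_yara(category="CAPE"),
                address_space=procdump.pretty_print(),
            )
            # map each CAPE Yara hit address back onto the memory block it lives in
            for hit in proc["cape_yara"]:
                hit["memblocks"] = {}
                for item in hit["addresses"]:
                    memblock = self.get_yara_memblock(proc["address_space"], hit["addresses"][item])
                    if memblock:
                        hit["memblocks"][item] = memblock

            # PE carving is unconditional (there is no extract_pe option gating
            # it). The key is now recorded regardless of the strings option:
            # previously it was only set on the strings branch, so carved PEs
            # silently vanished from the report when strings were disabled.
            proc["extracted_pe"] = self.get_procmemory_pe(proc)

            if do_strings:
                # Patterns are bytes because the dump is raw, untrusted sample
                # memory; the nullterminated variant only keeps runs that end
                # in a terminator, which cuts down on junk matches.
                if nulltermonly:
                    apat = b"([\x20-\x7e]{" + minchars + b"," + endlimit + b"})\x00"
                    upat = b"((?:[\x20-\x7e][\x00]){" + minchars + b"," + endlimit + b"})\x00\x00"
                else:
                    apat = b"[\x20-\x7e]{" + minchars + b"," + endlimit + b"}"
                    upat = b"(?:[\x20-\x7e][\x00]){" + minchars + b"," + endlimit + b"}"

                strings = procdump.search(apat, all=True)["matches"]
                ustrings = procdump.search(upat, all=True)["matches"]
                # the wide pattern only admits ASCII code units, so the
                # UTF-16LE decode cannot fail and the result re-encodes losslessly
                strings.extend(ws.decode("utf-16le").encode() for ws in ustrings)

                proc["strings_path"] = f"{dmp_path}.strings"
                with open(proc["strings_path"], "wb") as f:
                    f.write(b"\n".join(strings))
        finally:
            # release the dump even if Yara, PE carving or the search raises;
            # the original only closed it on the success path
            procdump.close()

        results.append(proc)
        if processing_conf.detections.yara:
            cape_name = cape_name_from_yara(proc, process_id, self.results)
            if cape_name:
                add_family_detection(self.results, cape_name, "Yara", proc["sha256"])
    return results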