class TestFile:
def setUp(self):
self.tmp = tempfile.mkstemp()
self.file = File(self.tmp[1])
def test_get_name(self):
assert_equal(self.tmp[1].split("/")[-1], self.file.get_name())
def test_get_data(self):
assert_equal("", self.file.get_data())
def test_get_size(self):
assert_equal(0, self.file.get_size())
def test_get_crc32(self):
assert_equal("00000000", self.file.get_crc32())
def test_get_md5(self):
assert_equal("d41d8cd98f00b204e9800998ecf8427e", self.file.get_md5())
def test_get_sha1(self):
assert_equal("da39a3ee5e6b4b0d3255bfef95601890afd80709",
self.file.get_sha1())
def test_get_sha256(self):
assert_equal(
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
self.file.get_sha256())
def test_get_sha512(self):
assert_equal(
"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
self.file.get_sha512())
def test_get_ssdeep(self):
try:
import pydeep
assert_not_equal(None, self.file.get_ssdeep())
except ImportError:
assert_equal(None, self.file.get_ssdeep())
def test_get_type(self):
assert_equal("empty", self.file.get_type())
def test_get_content_type(self):
assert_in(self.file.get_content_type(),
["inode/x-empty", "application/x-empty"])
def test_get_all_type(self):
assert isinstance(self.file.get_all(), dict)
def test_get_all_keys(self):
for key in [
"name", "size", "crc32", "md5", "sha1", "sha256", "sha512",
"ssdeep", "type"
]:
assert key in self.file.get_all()
def tearDown(self):
os.remove(self.tmp[1])
class TestFile:
def setUp(self):
self.tmp = tempfile.mkstemp()
self.file = File(self.tmp[1])
def test_get_name(self):
assert_equal(self.tmp[1].split("/")[-1], self.file.get_name())
def test_get_data(self):
assert_equal("", self.file.get_data())
def test_get_size(self):
assert_equal(0, self.file.get_size())
def test_get_crc32(self):
assert_equal("00000000", self.file.get_crc32())
def test_get_md5(self):
assert_equal("d41d8cd98f00b204e9800998ecf8427e", self.file.get_md5())
def test_get_sha1(self):
assert_equal("da39a3ee5e6b4b0d3255bfef95601890afd80709",
self.file.get_sha1())
def test_get_sha256(self):
assert_equal(
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
self.file.get_sha256())
def test_get_sha512(self):
assert_equal(
"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
self.file.get_sha512())
def test_get_ssdeep(self):
try:
import pydeep
assert_not_equal(None, self.file.get_ssdeep())
except ImportError:
assert_equal(None, self.file.get_ssdeep())
def test_get_type(self):
assert_equal("empty", self.file.get_type())
def test_get_all_type(self):
assert isinstance(self.file.get_all(), dict)
def test_get_all_keys(self):
for key in [
"name", "size", "crc32", "md5", "sha1", "sha256", "sha512",
"ssdeep", "type"
]:
assert key in self.file.get_all()
def tearDown(self):
os.remove(self.tmp[1])
def run(self):
"""Run analysis.
@return: structured results.
"""
self.key = "procmemory"
results = []
do_strings = self.options.get("strings", False)
nulltermonly = self.options.get("nullterminated_only", True)
minchars = str(self.options.get("minchars", 5)).encode()
if os.path.exists(self.pmemory_path):
for dmp in os.listdir(self.pmemory_path):
# if we're re-processing this task, this means if zips are enabled, we won't do any reprocessing on the
# process dumps (only matters for now for Yara)
if not dmp.endswith(".dmp"):
continue
dmp_path = os.path.join(self.pmemory_path, dmp)
if os.path.getsize(dmp_path) == 0:
continue
dmp_file = File(dmp_path)
process_name = ""
process_path = ""
process_id = int(
os.path.splitext(os.path.basename(dmp_path))[0])
for process in self.results.get("behavior",
{}).get("processes", []):
if process_id == process["process_id"]:
process_name = process["process_name"]
process_path = process["module_path"]
procdump = ProcDump(dmp_path, pretty=True)
proc = dict(
path=dmp_path,
sha256=dmp_file.get_sha256(),
pid=process_id,
name=process_name,
proc_path=process_path,
yara=dmp_file.get_yara(category="memory"),
cape_yara=dmp_file.get_yara(category="CAPE"),
address_space=procdump.pretty_print(),
)
for hit in proc["cape_yara"]:
hit["memblocks"] = {}
for item in hit["addresses"]:
memblock = self.get_yara_memblock(
proc["address_space"], hit["addresses"][item])
if memblock:
hit["memblocks"][item] = memblock
# if self.options.get("extract_pe", False)
extracted_pes = self.get_procmemory_pe(proc)
endlimit = b"" if HAVE_RE2 else b"8192"
if do_strings:
if nulltermonly:
apat = b"([\x20-\x7e]{" + minchars + b"," + endlimit + b"})\x00"
upat = b"((?:[\x20-\x7e][\x00]){" + minchars + b"," + endlimit + b"})\x00\x00"
else:
apat = b"[\x20-\x7e]{" + minchars + b"," + endlimit + b"}"
upat = b"(?:[\x20-\x7e][\x00]){" + minchars + b"," + endlimit + b"}"
matchdict = procdump.search(apat, all=True)
strings = matchdict["matches"]
matchdict = procdump.search(upat, all=True)
ustrings = matchdict["matches"]
for ws in ustrings:
strings.append(ws.decode("utf-16le").encode())
proc["strings_path"] = f"{dmp_path}.strings"
proc["extracted_pe"] = extracted_pes
with open(proc["strings_path"], "wb") as f:
f.write(b"\n".join(strings))
procdump.close()
results.append(proc)
if processing_conf.detections.yara:
cape_name = cape_name_from_yara(proc, process_id,
self.results)
if cape_name:
add_family_detection(self.results, cape_name, "Yara",
proc["sha256"])
return results
