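def _get_versioninfo(self):
    """
    Acquires PE32 version info.
    @return: list of {"name": ..., "value": ...} dicts (possibly empty),
             or None when no PE image is loaded on self.pe
    """
    if not self.pe:
        return None

    infos = []
    # Everything in the version resource comes from the analysed sample and
    # is therefore untrusted; each string is passed through
    # convert_to_printable before it is stored in the report.
    if hasattr(self.pe, "VS_VERSIONINFO") and hasattr(self.pe, "FileInfo"):
        for file_info in self.pe.FileInfo:
            try:
                if hasattr(file_info, "StringTable"):
                    for string_table in file_info.StringTable:
                        for name, value in string_table.entries.items():
                            infos.append({
                                "name": convert_to_printable(name),
                                "value": convert_to_printable(value),
                            })
                elif hasattr(file_info, "Var"):
                    for var in file_info.Var:
                        if not hasattr(var, "entry"):
                            continue
                        # Only the first key/value of the Var mapping is
                        # reported (as before); list() keeps the indexing
                        # valid on Python 3 where keys() is a view.
                        name = list(var.entry.keys())[0]
                        value = list(var.entry.values())[0]
                        infos.append({
                            "name": convert_to_printable(name),
                            "value": convert_to_printable(value),
                        })
            except Exception:
                # Best effort: a malformed FileInfo entry is skipped rather
                # than aborting the whole listing. Narrowed from a bare
                # except so KeyboardInterrupt/SystemExit still propagate.
                continue

    return infos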
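def _add_hosts(self, connection):
    """
    Add IPs to unique list.
    @param connection: connection data, a mapping with "src" and "dst" keys
    @return: False when the connection record could not be processed,
             None otherwise
    """
    try:
        # Dedupe on the sanitized form, which is what the list actually
        # stores. The original compared the raw value against the list of
        # printable values, so a host whose raw form differed from its
        # printable form could be appended more than once.
        for endpoint in ("src", "dst"):
            host = convert_to_printable(connection[endpoint])
            if host not in self.unique_hosts:
                self.unique_hosts.append(host)
    except Exception:
        # Best effort: a malformed connection record is ignored.
        return False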
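def _add_http(self, tcpdata, dport):
    """
    Adds an HTTP flow.
    @param tcpdata: TCP data in flow
    @param dport: destination port
    @return: False when the payload could not be parsed and recorded as an
             HTTP request, None otherwise
    """
    try:
        # The parse now lives inside the try: tcpdata is untrusted capture
        # data and dpkt raises on malformed requests. Previously that
        # exception escaped to the caller while every other failure in this
        # method returned False.
        http = dpkt.http.Request(tcpdata)

        entry = {}
        if "host" in http.headers:
            entry["host"] = convert_to_printable(http.headers["host"])
        else:
            entry["host"] = ""
        entry["port"] = dport
        entry["data"] = convert_to_printable(tcpdata)

        # Only a non-default port is made explicit in the rebuilt URL.
        if entry["port"] != 80:
            host = "%s:%d" % (entry["host"], entry["port"])
        else:
            host = entry["host"]

        entry["uri"] = convert_to_printable(
            urlunparse(("http", host, http.uri, None, None, None)))
        entry["body"] = convert_to_printable(http.body)
        entry["path"] = convert_to_printable(http.uri)
        if "user-agent" in http.headers:
            entry["user-agent"] = convert_to_printable(http.headers["user-agent"])
        entry["version"] = convert_to_printable(http.version)
        entry["method"] = convert_to_printable(http.method)

        self.http_requests.append(entry)
    except Exception:
        # Best effort: an unparsable or incomplete flow is dropped.
        return False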
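def _get_sections(self):
    """
    Generates list of binary sections.
    @return: list of section dicts (name, virtual_address, virtual_size,
             size_of_data, entropy), or None when no PE image is loaded
    """
    if not self.pe:
        return None

    sections = []
    for header in self.pe.sections:
        try:
            # PE section names are NUL-padded to 8 bytes. A plain strip()
            # removes whitespace only, so the padding survived and was then
            # rendered as escape sequences by convert_to_printable. Drop the
            # NUL padding first, then any whitespace.
            name = header.Name.rstrip(b"\x00").strip()
            sections.append({
                # Section names come from the sample; sanitize before storing.
                "name": convert_to_printable(name),
                "virtual_address": hex(header.VirtualAddress),
                "virtual_size": hex(header.Misc_VirtualSize),
                "size_of_data": hex(header.SizeOfRawData),
                "entropy": header.get_entropy(),
            })
        except Exception:
            # Best effort: skip a malformed section header instead of
            # aborting the listing. Narrowed from a bare except so
            # KeyboardInterrupt/SystemExit still propagate.
            continue

    return sections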
def _get_name(self):
    """
    Retrieves the original file name of the file.
    @return: file name (last path component of self.file_path, in printable form)
    """
    # Only the last path component is reported, and it is run through
    # convert_to_printable because the name is not trusted to be clean text.
    basename = os.path.basename(self.file_path)
    return convert_to_printable(basename)
try: (arg_name, arg_value) = row[index].split("->") except ValueError, why: continue argument["name"] = arg_name argument["value"] = convert_to_printable(arg_value) # Add the current argument to the complete arguments list. arguments.append(argument) call["timestamp"] = timestamp call["category"] = category call["api"] = api_name call["status"] = status_value call["return"] = convert_to_printable(return_value) call["arguments"] = arguments call["repeated"] = 0 # Check if the current API call is a repetition of the previous one. if len(self.calls) > 0: if self.calls[-1]["api"] == call["api"] and \ self.calls[-1]["status"] == call["status"] and \ self.calls[-1]["arguments"] == call["arguments"] and \ self.calls[-1]["return"] == call["return"]: self.calls[-1]["repeated"] += 1 return True # If it's a new one, add it to the list. self.calls.append(call)