コード例 #1
0
 def from_dict(findings_bundle_list_dict):
     if not findings_bundle_list_dict:
         return None
     findings_bundle_list_ = FindingsBundleList()
     findings_bundle_list_.meta_analysis = MetaAnalysis.from_dict(findings_bundle_list_dict.get('meta_analysis'))
     findings_bundle_list_.bundles = [Bundle.from_dict(x) for x in findings_bundle_list_dict.get('bundles', [])]
     findings_bundle_list_.bundle_external_references = [x for x in findings_bundle_list_dict.get('bundle_external_references', [])]
     return findings_bundle_list_
コード例 #2
0
 def from_obj(findings_bundle_list_obj):
     if not findings_bundle_list_obj:
         return None
     findings_bundle_list_ = FindingsBundleList()
     findings_bundle_list_.meta_analysis = MetaAnalysis.from_obj(findings_bundle_list_obj.get_Meta_Analysis())
     findings_bundle_list_.bundles = [Bundle.from_obj(x) for x in findings_bundle_list_obj.get_Bundle()]
     findings_bundle_list_.bundle_external_references = [x for x in findings_bundle_list_obj.get_Bundle_External_Reference()]
     return findings_bundle_list_
コード例 #3
0
 def generate_malware_subjects(self):
     entry_dict = self.pefile_parser.entry_dict
     malware_subject = MalwareSubject()
     entry_dict['id'] = malware_subject
     static_bundle = Bundle(None, False, '4.1', 'static analysis tool output')
     self.populate(entry_dict, static_bundle, malware_subject)
     malware_subject.add_analysis(self.generate_analysis(static_bundle))
     if self.bundle_has_content(static_bundle):
         malware_subject.add_findings_bundle(static_bundle)
     self.package.add_malware_subject(malware_subject)
コード例 #4
0
ファイル: run_comparator.py プロジェクト: ceh04/python-maec
def main():
    infilenames = []
    list_mode = False
    directoryname = ''
    # List of Bundle instances to compare
    bundle_list = []

    #Get the command-line arguments
    args = sys.argv[1:]
    
    if len(args) < 2:
        print USAGE_TEXT
        sys.exit(1)
        
    for i in range(0,len(args)):
        if args[i] == '-l':
            list_mode = True
        elif args[i] == '-d':
            directoryname = args[i+1]

    # Parse the input files and get the MAEC Bundles from each
    if list_mode:
        files = args[1:]
        for file in files:
            process_maec_file(file, bundle_list)
    elif directoryname != '':
        for filename in os.listdir(directoryname):
            if '.xml' not in filename:
                pass
            else:
                process_maec_file(os.path.join(directoryname, filename), bundle_list)

    # Matching properties dictionary
    match_on_dictionary = {'FileObjectType': ['file_path'],
                           'WindowsRegistryKeyObjectType': ['hive', 'key'],
                           'WindowsMutexObjectType': ['name'],
                           'WindowsProcessObjectType': ['name']}
    # Perform the comparison and get the results
    comparison_results = Bundle.compare(bundle_list, match_on = match_on_dictionary, case_sensitive = False)
    # Pretty print the common and unique Objects
    print "******Common Objects:*******\n"
    pprint.pprint(comparison_results.get_common())
    print "****************************"
    print "******Unique Objects:*******\n"
    pprint.pprint(comparison_results.get_unique())
    print "****************************"
コード例 #5
0
def main():
    parser = argparse.ArgumentParser(description=USAGE_TEXT)
    mutex_group = parser.add_mutually_exclusive_group(required=True)
    mutex_group.add_argument(
        '-l',
        '--list',
        nargs='+',
        help='single whitespace separated list of MAEC files')
    mutex_group.add_argument('-d', '--directory', help='directory name')
    args = parser.parse_args()

    # List of Bundle instances to compare
    bundle_list = []

    # Parse the input files and get the MAEC Bundles from each
    if args.list:
        for file in args.list:
            process_maec_file(file, bundle_list)
    elif args.directory:
        for filename in os.listdir(args.directory):
            if '.xml' not in filename:
                pass
            else:
                process_maec_file(os.path.join(args.directory, filename),
                                  bundle_list)

    # Matching properties dictionary
    match_on_dictionary = {
        'FileObjectType': ['file_path'],
        'WindowsRegistryKeyObjectType': ['hive', 'key'],
        'WindowsMutexObjectType': ['name'],
        'WindowsProcessObjectType': ['name']
    }
    # Perform the comparison and get the results
    comparison_results = Bundle.compare(bundle_list,
                                        match_on=match_on_dictionary,
                                        case_sensitive=False)
    # Pretty print the common and unique Objects
    print "******Common Objects:*******\n"
    pprint.pprint(comparison_results.get_common())
    print "****************************"
    print "******Unique Objects:*******\n"
    pprint.pprint(comparison_results.get_unique())
    print "****************************"
コード例 #6
0
def main():
    parser = argparse.ArgumentParser(description=USAGE_TEXT)
    mutex_group = parser.add_mutually_exclusive_group(required=True)
    mutex_group.add_argument(
        '-l', '--list', nargs='+',
        help='single whitespace separated list of MAEC files'
    )
    mutex_group.add_argument(
        '-d', '--directory',
        help='directory name'
    )
    args = parser.parse_args()

    # List of Bundle instances to compare
    bundle_list = []
        
    # Parse the input files and get the MAEC Bundles from each
    if args.list:
        for file in args.list:
            process_maec_file(file, bundle_list)
    elif args.directory:
        for filename in os.listdir(args.directory):
            if '.xml' not in filename:
                pass
            else:
                process_maec_file(os.path.join(args.directory, filename), bundle_list)

    # Matching properties dictionary
    match_on_dictionary = {'FileObjectType': ['file_path'],
                           'WindowsRegistryKeyObjectType': ['hive', 'key'],
                           'WindowsMutexObjectType': ['name'],
                           'WindowsProcessObjectType': ['name']}
    # Perform the comparison and get the results
    comparison_results = Bundle.compare(bundle_list, match_on = match_on_dictionary, case_sensitive = False)
    # Pretty print the common and unique Objects
    print "******Common Objects:*******\n"
    pprint.pprint(comparison_results.get_common())
    print "****************************"
    print "******Unique Objects:*******\n"
    pprint.pprint(comparison_results.get_unique())
    print "****************************"
コード例 #7
0
ファイル: parser.py プロジェクト: iurnah/python-maec
    def parse_xml(self, xml_file, check_version=True):
        """Creates a python-maec Bundle or Package object from the supplied xml_file.

        Arguments:
        xml_file -- A filename/path or a file-like object reprenting a MAEC instance (i.e. Package or Bundle) document
        check_version -- Inspect the version before parsing.
        """
        parser = etree.ETCompatXMLParser(huge_tree=True, resolve_entities=False)
        tree = etree.parse(xml_file, parser=parser)

        api_obj = None
        binding_obj = self.parse_xml_to_obj(xml_file, check_version)
        if self.is_package:
            from maec.package.package import Package # resolve circular dependencies
            api_obj = Package.from_obj(binding_obj)
        elif self.is_bundle:
            from maec.bundle.bundle import Bundle # resolve circular dependencies
            api_obj = Bundle.from_obj(binding_obj)
        self._apply_input_namespaces(tree, api_obj)

        return api_obj
コード例 #8
0
    def generate_oval(self):
        #Basic input file checking
        if os.path.isfile(self.infilename):    
            #Try parsing the MAEC file with both bindings
            package_obj = package_binding.parse(self.infilename)
            bundle_obj = bundle_binding.parse(self.infilename)
            try:
                sys.stdout.write('Generating ' + self.outfilename + ' from ' + self.infilename + '...')
                #Test whether the input is a Package or Bundle and process accordingly
                if bundle_obj.hasContent_():
                    maec_bundle = Bundle.from_obj(bundle_obj)
                    self.process_bundle(maec_bundle)
                elif package_obj.hasContent_():
                    maec_package = Package.from_obj(package_obj)
                    for malware_subject in maec_package.malware_subjects:
                        for maec_bundle in malware_subject.findings_bundles.bundles:
                            self.process_bundle(maec_bundle)

                #Build up the OVAL document from the parsed data and corresponding objects
                self.__build_oval_document()

                if len(self.converted_ids) > 0:
                    #Export to the output file
                    outfile = open(self.outfilename, 'w')
                    self.ovaldefroot.export(outfile, 0, namespacedef_='xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows http://oval.mitre.org/language/version5.7/ovaldefinition/complete/windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/version5.7/ovaldefinition/complete/oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/version5.7/ovaldefinition/complete/oval-common-schema.xsd"')
                    sys.stdout.write('Done\n')
                else:
                    sys.stdout.write('no OVAL output written; 0 actions were converted.\n')
                if self.stat_mode:
                    print '\n**Converted Actions**'
                    for action_id in self.converted_ids:
                        print 'Action ' + action_id + ' converted successfully'
                    print '**Skipped Actions**'
                    for action_id in self.skipped_actions:
                        print 'Action ' + action_id + ' skipped; incompatible action/object type or missing object attributes'

            except Exception, err:
                print('\nError: %s\n' % str(err))
                if self.verbose_mode:
                    traceback.print_exc()
コード例 #9
0
# Code for MAEC Dynamic Analysis Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.objects.win_mutex_object import WinMutex
from cybox.common import ToolInformation, VocabString

# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()

# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash(
    "B6C39FF68346DCC8B67AA060DEFE40C2")
ms.malware_instance_object_attributes.properties.add_hash(
    "D55B0FB96FAD96D203D10850469489FC03E6F2F7")

# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "dynamic"
a.type_ = "triage"
a.set_findings_bundle(b.id_)
t = ToolInformation()
コード例 #10
0
import pprint
import maec.bindings.maec_bundle as maec_bundle_binding
from maec.bundle.bundle import Bundle
# Matching properties dictionary
match_on_dictionary = {'FileObjectType': ['full_name'],
                       'WindowsRegistryKeyObjectType': ['hive', 'values.name/data'],
                       'WindowsMutexObjectType': ['name']}
# Parse in the input Bundle documents and create their python-maec Bundle class representations
bundle1 = Bundle.from_obj(maec_bundle_binding.parse("zeus_threatexpert_maec.xml"))
bundle2 = Bundle.from_obj(maec_bundle_binding.parse("zeus_anubis_maec.xml"))
# Perform the comparison and get the results
comparison_results = Bundle.compare([bundle1, bundle2], match_on = match_on_dictionary, case_sensitive = False)
# Pretty print the common and unique Objects
print "******Common Objects:*******\n"
pprint.pprint(comparison_results.get_common())
print "****************************"
print "******Unique Objects:*******\n"
pprint.pprint(comparison_results.get_unique())
print "****************************"
コード例 #11
0
# Code for MAEC Basic Bundle Idiom
from maec.bundle.bundle import Bundle
from cybox.core import Object
from cybox.objects.pdf_file_object import PDFFile

# Instantiate the Bundle and populate its required attributes
# The ID generation is handled automatically by python-maec
b = Bundle()
b.defined_subject = "True"

# Populate the Malware_Instance_Object_Attributes of the Bundle with the properties of the PDF file
b.malware_instance_object_attributes = Object()
b.malware_instance_object_attributes.properties = PDFFile()
b.malware_instance_object_attributes.properties.file_name = "User_Manual.pdf"
b.malware_instance_object_attributes.properties.size_in_bytes = "509328"
b.malware_instance_object_attributes.properties.version = "1.6"

print b.to_xml()
コード例 #12
0
from cybox.common import Hash, HashList
from cybox.objects.file_object import File
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability
from maec.package.analysis import Analysis
from maec.package.malware_subject import MalwareSubject
from maec.package.package import Package
from cybox.utils import Namespace
import maec.utils

# Instantiate the ID generator class (for automatic ID generation) with our example namespace
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)
# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
subject_object.properties.name = "foobar.exe"
subject_object.properties.size_in_bytes = "35532"
subject_object.properties.hashes = HashList()
subject_object.properties.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object Dictionary for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
コード例 #13
0
ファイル: example1.py プロジェクト: akreffett/python-maec
##A single Action embedded in the Bundle

from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.package.analysis import Analysis
from maec.package.malware_subject import MalwareSubject
from maec.package.package import Package
from maec.id_generator import Generator
from maec.utils import MAECNamespaceParser
from cybox.core.object import Object 
from cybox.core.associated_object import AssociatedObject

#Instantiate the ID generator class (for automatic ID generation) with our example namespace
generator = Generator('example1')
#Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(id=generator.generate_bundle_id(), defined_subject=False)
package = Package(id=generator.generate_package_id())
subject = MalwareSubject(id=generator.generate_malware_subject_id())
analysis = Analysis(id=generator.generate_analysis_id())
#Create the Subject Object Dictionary for use in the Malware Instance Object Attributes
subject_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'name' : 'foobar.exe', 'size_in_bytes' : '35532'}}
#Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(Object.from_dict(subject_object_dict))
#Create the Associated Object Dictionary for use in the Action
associated_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'file_name' : 'abcd.dll', 'size_in_bytes' : '12346'}, 'association_type' : {'value' : 'output', 'xsi:type' : 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'}}
#Create the Action from another dictionary
action = MalwareAction.from_dict({'id' : generator.generate_malware_action_id(), 'name' : {'value' : 'create file', 'xsi:type' : 'maecVocabs:FileActionNameVocab-1.0'}, 'associated_objects' : [associated_object_dict]})
#Add the Action to the buundle
bundle.add_action(action)
#Add the Bundle to the Malware Subject
subject.add_findings_bundle(bundle)
コード例 #14
0
# Code for MAEC Static Analysis Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis, Source
from cybox.core import Object
from cybox.objects.win_executable_file_object import WinExecutableFile, PEHeaders, PEOptionalHeader
from cybox.common import ToolInformation
from maec.bundle.bundle import Bundle

# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()

# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.file_name = "dg003_improve_8080_V132.exe"
ms.malware_instance_object_attributes.properties.size_in_bytes = "196608"
ms.malware_instance_object_attributes.properties.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")

# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "triage"
a.summary = "A basic static triage of the subject binary using PEiD."
a.set_findings_bundle(b.id_)
a.source = Source()
a.source.name = "Frankie Li"
a.source.url = "http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814"
t = ToolInformation()
コード例 #15
0
# Code for MAEC Process Tree Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.bundle.process_tree import ProcessTree, ProcessTreeNode
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.common import ToolInformation, VocabString

# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()

# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "251904"
ms.malware_instance_object_attributes.properties.add_hash("5247001dafe411802b1a40e763d9a221")
ms.malware_instance_object_attributes.properties.add_hash("7ff89166e226845e9fc52cb711eb5b37d004a0e5")

# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "dynamic"
a.type_ = "triage"
a.set_findings_bundle(b.id_)
t = ToolInformation()
t.name = "Anubis"
t.vendor = "ISECLab"
コード例 #16
0
    def test_add_collections(self):
        o = Bundle()

        o.add_named_action_collection("Actions")
        ma = MalwareAction()
        o.add_action(ma, "Actions")
        self.assertTrue(o.collections.action_collections.has_collection("Actions"))

        o.add_named_object_collection("Objects")
        obj = Object()
        o.add_object(obj, "Objects")
        self.assertTrue(o.collections.object_collections.has_collection("Objects"))

        o.add_named_behavior_collection("Behaviors")
        b = Behavior()
        o.add_behavior(b, "Behaviors")
        self.assertTrue(o.collections.behavior_collections.has_collection("Behaviors"))

        o.add_named_candidate_indicator_collection("Indicators")
        ci = CandidateIndicator()
        o.add_candidate_indicator(ci, "Indicators")
        self.assertTrue(o.collections.candidate_indicator_collections.has_collection("Indicators"))
コード例 #17
0
# Code for MAEC AV Classification Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle
from maec.bundle.av_classification import AVClassification
from cybox.core import Object
from cybox.objects.win_executable_file_object import WinExecutableFile

# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()

# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.add_hash("076e5b2bae0b4b3a3d81c85610b95cd4")
ms.malware_instance_object_attributes.properties.add_hash("4484e08903744ceeaedd8f5e1bfc06b2c4688e76")

# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "triage"
a.set_findings_bundle(b.id_)

# Set the requisite attributes on the Bundle
b.defined_subject = False
b.content_type = "static analysis tool output"

# Create the AV Classifications
コード例 #18
0
    def test_add_collections(self):
        o = Bundle()

        o.add_named_action_collection("Actions")
        ma = MalwareAction()
        o.add_action(ma, "Actions")
        self.assertTrue(
            o.collections.action_collections.has_collection("Actions"))

        o.add_named_object_collection("Objects")
        obj = Object()
        o.add_object(obj, "Objects")
        self.assertTrue(
            o.collections.object_collections.has_collection("Objects"))

        o.add_named_behavior_collection("Behaviors")
        b = Behavior()
        o.add_behavior(b, "Behaviors")
        self.assertTrue(
            o.collections.behavior_collections.has_collection("Behaviors"))

        o.add_named_candidate_indicator_collection("Indicators")
        ci = CandidateIndicator()
        o.add_candidate_indicator(ci, "Indicators")
        self.assertTrue(
            o.collections.candidate_indicator_collections.has_collection(
                "Indicators"))
コード例 #19
0
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle, BehaviorReference
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability, CapabilityObjective, CapabilityList
from maec.bundle.behavior import Behavior, BehavioralActions, BehavioralActionReference
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.objects.win_hook_object import WinHook
from cybox.common import VocabString

# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()

# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash("B6C39FF68346DCC8B67AA060DEFE40C2")

# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)

# Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings
b.defined_subject = False
コード例 #20
0
ファイル: seminor.py プロジェクト: geliefan/Python_mycode
import maec.utils
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.bundle.process_tree import ProcessTree, ProcessTreeNode
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.common import ToolInformation, VocabString

# サンプルの名前空間に(自動ID生成用の)IDジェネレータクラスをインスタンス化
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)

# インスタンス化:Bundle, Package, MalwareSubject, Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()


# Populate the Analysis with the metadata relating to the Analysis that was performed
analysis.method = "dynamic"
analysis.type_ = "triage"
analysis.set_findings_bundle(bundle.id_)
t = ToolInformation()
t.name = "APIMonitor"
t.vendor = "APIMonitor"
analysis.add_tool(t)

# Malware Instance Object Attribures内で使うためのオブジェクトを作成(マルウェアを含んだファイル?)
コード例 #21
0
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle, BehaviorReference
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability, CapabilityObjective, CapabilityList
from maec.bundle.behavior import Behavior, BehavioralActions, BehavioralActionReference
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.objects.win_hook_object import WinHook
from cybox.common import VocabString

# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()

# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash(
    "B6C39FF68346DCC8B67AA060DEFE40C2")

# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)

# Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings
コード例 #22
0
    def test_round_trip(self):
        o = MalwareSubject()
        o.add_findings_bundle(Bundle())
        o2 = round_trip(o)

        self.assertEqual(o.to_dict(), o2.to_dict())
コード例 #23
0
 def test_id_autoset(self):
     o = Bundle()
     self.assertNotEqual(o.id_, None)
コード例 #24
0
def vt_report_to_maec_package(vt_report_input, options = None):
    """Accept a VirusTotal report (as a Python structure) and return a corresponding MAEC Package API object."""
    NS = Namespace("https://github.com/MAECProject/vt-to-maec", "VirusTotalToMAEC")
    maec.utils.set_id_namespace(NS)
    
    package = Package()

    # if only one result, make it a list of one result
    if type(vt_report_input) != list:
        vt_report_list = [vt_report_input]
    else:
        vt_report_list = vt_report_input

    for idx, vt_report in enumerate(vt_report_list):
        # if VirusTotal has never seen this MD5
        if vt_report["response_code"] == 0:
            sys.stderr.write("WARNING: Skipping file #" + str(idx+1) + " (" + vt_report["resource"] + "); this MD5 is unknown to VirusTotal\n")
            sys.stderr.flush();
            continue
        if vt_report["response_code"] == -1:
            sys.stderr.write("WARNING: VirusTotal had an unexpected error on file #" + str(idx+1) + " (" + vt_report["resource"] + "): " +
                             vt_report.get("verbose_message", "no message provided") + "\n")
            sys.stderr.flush();
            continue
        
        malware_subject = MalwareSubject()
        
        # create the file object and add hashes
        file_dict = {}
        file_dict['xsi:type'] = 'WindowsExecutableFileObjectType'
        file_dict['hashes'] = [
            {'type' : 'MD5', 'simple_hash_value': vt_report["md5"] },
            {'type' : 'SHA1', 'simple_hash_value': vt_report["sha1"] },
            {'type' : 'SHA256', 'simple_hash_value': vt_report["sha256"] }
        ]
        
        # set the object as the defined object
        object_dict = {}
        object_dict['id'] = maec.utils.idgen.create_id(prefix="object")
        object_dict['properties'] = file_dict
        
        # bind the object to the malware subject object
        malware_subject.set_malware_instance_object_attributes(Object.from_dict(object_dict))
        
        # create the analysis and add it to the subject
        analysis = Analysis()
        analysis.type_ = 'triage'
        analysis.method = 'static'
        analysis.complete_datetime = vt_report["scan_date"].replace(" ", "T")
        analysis.add_tool(ToolInformation.from_dict({'id' : maec.utils.idgen.create_id(prefix="tool"),
                           'vendor' : 'VirusTotal',
                           'name' : 'VirusTotal' }))
        malware_subject.add_analysis(analysis)
        
        bundle_obj = Bundle()
        
        for vendor, scan in vt_report["scans"].items():
            if scan["result"] is not None:
                bundle_obj.add_av_classification(AVClassification.from_dict({ 'classification_name' : scan["result"], 'vendor' : vendor }))
        
        # add bundle to subject, bundle to analysis, and subject to package
        malware_subject.add_findings_bundle(bundle_obj)
        analysis.set_findings_bundle(bundle_obj.id_)
        package.add_malware_subject(malware_subject)
        
        package.__input_namespaces__["https://github.com/MAECProject/vt-to-maec"] = "VirusTotalToMAEC"
        
        if options:
            if options.normalize_bundles:
                malware_subject.normalize_bundles()
            if options.deduplicate_bundles:
                malware_subject.deduplicate_bundles()
            if options.dereference_bundles:
                malware_subject.dereference_bundles()
        
    return package
コード例 #25
0
    def test_round_trip(self):
        o = Bundle()
        o2 = round_trip(o, True)

        self.assertEqual(o.to_dict(), o2.to_dict())
コード例 #26
0
# Code for MAEC Static Analysis Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis, Source
from cybox.core import Object
from cybox.objects.win_executable_file_object import WinExecutableFile, PEHeaders, PEOptionalHeader
from cybox.common import ToolInformation
from maec.bundle.bundle import Bundle

# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()

# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.file_name = "dg003_improve_8080_V132.exe"
ms.malware_instance_object_attributes.properties.size_in_bytes = "196608"
ms.malware_instance_object_attributes.properties.add_hash(
    "4EC0027BEF4D7E1786A04D021FA8A67F")

# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "triage"
a.summary = "A basic static triage of the subject binary using PEiD."
a.set_findings_bundle(b.id_)
a.source = Source()
a.source.name = "Frankie Li"
a.source.url = "http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814"
コード例 #27
0
ファイル: APIexample.py プロジェクト: geliefan/Python_mycode
# Import the required APIs
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.utils import IDGenerator, set_id_method
from cybox.core import Object, AssociatedObjects, AssociatedObject, AssociationType
from cybox.objects.file_object import File

# Instantiate the MAEC/CybOX Entities
set_id_method(IDGenerator.METHOD_INT)
b = Bundle()
a = MalwareAction()
ao = AssociatedObject()

# Build the Associated Object for use in the Action
ao.properties = File()
ao.properties.file_name = "badware.exe"
ao.properties.size_in_bytes = "123456"
ao.association_type = AssociationType()
ao.association_type.value = 'output'
ao.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'

# Build the Action and add the Associated Object to it
a.name = 'create file'
a.name.xsi_type = 'maecVocabs:FileActionNameVocab-1.0'
a.associated_objects = AssociatedObjects()
a.associated_objects.append(ao)

# Add the Action to the Bundle
b.add_action(a)

# Output the Bundle to stdout
コード例 #28
0
    def test_round_trip(self):
        o = Bundle()
        o2 = round_trip(o, True)

        self.assertEqual(o.to_dict(), o2.to_dict())