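def main():
    """Command-line entry point for ``xanalyzer``.

    Exactly one of ``-f/--file`` (one or more paths, a directory is expanded
    to its direct file entries) or ``-u/--url`` is required; ``-s/--save``
    is a flag forwarded to ``Config.init``.  After configuration and logging
    are initialised, every collected file path is handed to ``FileAnalyzer``
    and the url (if any) to ``UrlAnalyzer``.  Returns nothing; paths that do
    not exist are logged as warnings and skipped rather than aborting the run.
    """
    parser = argparse.ArgumentParser(
        prog='xanalyzer', description='Process some files and urls.')
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument('-f',
                       '--file',
                       nargs='+',
                       help='analyze one or more files, can be a folder path')
    group.add_argument('-u', '--url', help='analyze the url')
    parser.add_argument('-s',
                        '--save',
                        action='store_true',
                        help='save log and data')
    args = parser.parse_args()

    Config.init(args.save)
    init_log()

    log.info('=' * 80)

    if args.file:
        for file_path in _collect_file_paths(args.file):
            log.info(f'processing {file_path}')
            FileAnalyzer(file_path).run()
            log.info('-' * 80)

    if args.url:
        log.info(f'processing {args.url}')
        UrlAnalyzer(args.url).run()
        log.info('-' * 80)

    if Config.conf['save_flag']:
        log.info('the log and data are saved to {} folder'.format(
            Config.conf['analyze_path']))


def _collect_file_paths(paths):
    """Expand the ``--file`` arguments into a flat list of file path strings.

    A plain file path is taken as given; a directory contributes its direct
    entries that are files (no recursion), each as ``str``.  Directory
    entries that are not files, and arguments that do not exist at all, are
    logged with ``log.warning`` and dropped.  Order follows the argument
    order, then ``Path.iterdir`` order within a directory.
    """
    file_paths = []
    for the_path in paths:
        if not os.path.exists(the_path):
            log.warning(f'{the_path} does not exist!!!')
            continue
        if not os.path.isdir(the_path):
            file_paths.append(the_path)
            continue
        # Only one level deep: sub-directories are reported and skipped.
        for a_path in Path(the_path).iterdir():
            if a_path.is_file():
                file_paths.append(str(a_path))
            else:
                log.warning(f'{a_path} is not a file, will be ignored')
    return file_paths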
def test_pe_size():
    """PE image size and on-disk file size are reported independently.

    ``PeAnalyzer.get_pe_size`` yields the size of the PE image (0x1200 for
    this sample) while ``FileAnalyzer.file_size`` is the whole file (0x1205).
    The sample name suggests the extra 5 bytes are trailing appended data,
    but only the two numbers are checked here.
    """
    sample = cur_dir_path / 'test_data' / 'HelloCSharp.exe_append_data_'

    image_size = PeAnalyzer(sample).get_pe_size()
    assert image_size == 0x1200

    on_disk_size = FileAnalyzer(sample).file_size
    assert on_disk_size == 0x1205
def test_normal_pe_compile_time():
    """An ordinary 32-bit PE: type string and compile timestamp.

    ``FileAnalyzer.file_type`` is expected to carry the full descriptive
    string, and ``PeAnalyzer.get_compile_time`` a ``YYYY-MM-DD HH:MM:SS``
    formatted timestamp.
    """
    sample = cur_dir_path / 'test_data' / 'Hello32.exe_'

    expected_type = 'PE32 executable (console) Intel 80386, for MS Windows'
    assert FileAnalyzer(sample).file_type == expected_type

    expected_time = '2022-03-27 14:38:47'
    assert PeAnalyzer(sample).get_compile_time() == expected_time
def test_weird_pe_compile_time():
    """The "PE" header of this sample sits at an unusual position.

    The generic type detection only reports ``'MS-DOS executable'`` for it,
    yet ``PeAnalyzer`` is still expected to locate the PE header and read
    the compile timestamp.
    """
    sample = cur_dir_path / 'test_data' / 'a3398f91815a1a025fd19ce86b9fb88160047b5d78973b352d266ef1bd971e6d_zeus_prg_40'

    assert FileAnalyzer(sample).file_type == 'MS-DOS executable'

    expected_time = '2006-11-06 11:44:05'
    assert PeAnalyzer(sample).get_compile_time() == expected_time
def test_upx_packer():
    """Check ``FileAnalyzer.get_windows_style_file_size`` on boundary values.

    NOTE(review): despite its name this test has nothing to do with UPX; it
    pins the Explorer-like size formatting (unit chosen from 1024 steps,
    three significant digits, exact byte count with thousands separators in
    parentheses, and the bare ``'0 字节'`` special case for zero).  The name
    is kept unchanged so test discovery and any references are unaffected.
    """
    expectations = {
        0: '0 字节',
        1: '1 字节 (1 字节)',
        999: '999 字节 (999 字节)',
        1023: '1023 字节 (1,023 字节)',
        1024: '1.00 KB (1,024 字节)',
        1025: '1.00 KB (1,025 字节)',
        2000: '1.95 KB (2,000 字节)',
        20000: '19.5 KB (20,000 字节)',
        200000: '195 KB (200,000 字节)',
        2000000: '1.90 MB (2,000,000 字节)',
        20000000: '19.0 MB (20,000,000 字节)',
        2000000000: '1.86 GB (2,000,000,000 字节)',
    }

    for size, expected in expectations.items():
        formatted = FileAnalyzer.get_windows_style_file_size(size)
        assert formatted == expected
def test_common_filetype():
    """A UPX-packed 32-bit PE is reported with the ``UPX compressed`` suffix.

    NOTE(review): the name says "common filetype" but the sample is the
    UPX-packed binary; it looks like this test and ``test_upx_packer`` have
    swapped names.  Left as-is to keep test ids stable.
    """
    packed_sample = cur_dir_path / 'test_data' / 'Hello_upx.exe_'
    expected_type = 'PE32 executable (console) Intel 80386, for MS Windows, UPX compressed'
    assert FileAnalyzer(packed_sample).file_type == expected_type
def test_many_filetypes():
    """``FileAnalyzer.possible_extension_names`` across many sample formats.

    Samples in ``test_data`` are stored with a trailing ``_`` after the real
    extension.  For the single-extension samples the expected result is the
    one extension recovered from the file name; the WPS legacy formats map to
    two candidates (Office name first, WPS name second); ``.tar.gz`` yields
    both the outer and the compound extension.
    """
    single_extension_samples = [
        # Windows executables
        'Hello64.exe_',
        'Hello64.dll_',
        'Hello64.sys_',
        'Hello32.exe_',
        'Hello32.dll_',
        'Hello32.sys_',
        # Android
        'app-debug.apk_',
        # pdf
        'hello.pdf_',
        # images
        'hello.png_',
        'hello.jpg_',
        'hello.bmp_',
        'hello.gif_',
        # audio
        'hello.mp3_',
        # video
        'hello.mp4_',
        'hello.flv_',
        'hello.avi_',
        # office documents
        'office.doc_',
        'office.xls_',
        'office.ppt_',
        'office.docx_',
        'office.xlsx_',
        'office.pptx_',
        # office 2007+ documents created by WPS
        'wps.docx_',
        'wps.xlsx_',
        'wps.pptx_',
        # common archives
        'hello.zip_',
        'hello.7z_',
        'hello.rar_',
        # packet captures
        'http.pcap_',
        'http.pcapng_',
    ]
    for filename in single_extension_samples:
        # Drop the trailing '_' and take the part after the (only) dot.
        real_name = filename[:-1]
        expected = ['.' + real_name.split('.')[1]]
        analyzer = FileAnalyzer(cur_dir_path / 'test_data' / filename)
        assert analyzer.possible_extension_names == expected

    # WPS legacy formats: each sample maps to the Office and the WPS extension.
    wps_pairs = [
        (('wps.doc_', 'wps.wps_'), ['.doc', '.wps']),
        (('wps.xls_', 'wps.et_'), ['.xls', '.et']),
        (('wps.ppt_', 'wps.dps_'), ['.ppt', '.dps']),
    ]
    for filenames, expected in wps_pairs:
        for filename in filenames:
            analyzer = FileAnalyzer(cur_dir_path / 'test_data' / filename)
            assert analyzer.possible_extension_names == expected

    # Compound extension: both the gzip layer and the full '.tar.gz' form.
    tarball = FileAnalyzer(cur_dir_path / 'test_data' / 'hello.tar.gz_')
    assert tarball.possible_extension_names == ['.gz', '.tar.gz']
def test_wps_pptx_filetype():
    """A pptx written by WPS is still typed as a PowerPoint 2007+ document."""
    sample = cur_dir_path / 'test_data' / 'wps.pptx_'
    detected = FileAnalyzer(sample).file_type
    assert detected == 'Microsoft PowerPoint 2007+'
def test_wps_xlsx_filetype():
    """An xlsx written by WPS is still typed as an Excel 2007+ document."""
    sample = cur_dir_path / 'test_data' / 'wps.xlsx_'
    detected = FileAnalyzer(sample).file_type
    assert detected == 'Microsoft Excel 2007+'
def test_chinese_name_filetype():
    """A non-ASCII (Chinese) file name must not break type detection."""
    sample = cur_dir_path / 'test_data' / '中文名测试.txt'
    detected = FileAnalyzer(sample).file_type
    assert detected == 'UTF-8 Unicode text, with no line terminators'