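def analyze(self, data):
    '''
    start analyzing exe logic, add descriptions and get words and wordsstripped from the file

    Args:
        data: shared report dict. Reads data["Location"]["File"] (path of the
            sample on disk) and writes data["PE"] and data["ICONS"] in place.

    Returns:
        None; every result is stored in ``data``.

    Raises:
        whatever ``PE()`` raises for a file that is not a parseable PE image;
        that is left to the caller, as before.
    '''
    data["PE"] = deepcopy(self.datastruct)
    data["ICONS"] = {"ICONS": []}
    pe = PE(data["Location"]["File"])
    try:
        entry_point = pe.OPTIONAL_HEADER.AddressOfEntryPoint
        section = self.find_entry_point_function(pe, entry_point)
        # First 12 bytes at the entry point, rendered as hex. Packed or
        # malformed samples can place the entry point outside every section;
        # degrade to "UnKnown" (the fallback used elsewhere in this project)
        # instead of aborting the whole analysis on an AttributeError.
        # NOTE(review): assumes find_entry_point_function returns None when
        # no section matches -- confirm against its definition.
        sig_hex = "UnKnown"
        section_name = "UnKnown"
        if section is not None:
            sig_hex = "".join("{:02x}".format(x) for x in section.get_data(entry_point, 12))
            section_name = section.Name.decode("utf-8", errors="ignore").strip("\00")
        # get_warnings() was called twice before; ask once and reuse
        warnings = pe.get_warnings()
        # TimeDateStamp is attacker-controlled; a forged value (e.g. 0xFFFFFFFF)
        # makes fromtimestamp() raise on some platforms, so guard it.
        # NOTE(review): rendered in host-local time, like the original --
        # consider utcfromtimestamp for reproducible reports across hosts.
        try:
            timestamp = datetime.fromtimestamp(pe.FILE_HEADER.TimeDateStamp).strftime('%Y-%m-%d %H:%M:%S')
        except (OverflowError, OSError, ValueError):
            timestamp = "UnKnown"
        data["PE"]["General"] = {
            "PE Type": self.what_type(pe),
            "Entrypoint": entry_point,
            "Entrypoint Section": section_name,
            "Header checksum": hex(pe.OPTIONAL_HEADER.CheckSum),
            "Verify checksum": hex(pe.generate_checksum()),
            "Match checksum": pe.verify_checksum(),
            "Sig": sig_hex,
            "imphash": pe.get_imphash(),
            "warning": warnings if warnings else "None",
            "Timestamp": timestamp,
        }
        data["PE"]["Characteristics"] = self.get_characteristics(pe)
        # "Singed" is the key the rest of the project reads; keep the spelling
        data["PE"]["Singed"], data["PE"]["SignatureExtracted"] = self.check_if_singed(pe)
        data["PE"]["Stringfileinfo"] = self.get_string_file_info(pe)
        data["PE"]["Sections"] = self.get_sections(pe)
        data["PE"]["Dlls"] = self.get_dlls(pe)
        data["PE"]["Resources"], data["PE"]["Manifest"], data["ICONS"]["ICONS"] = self.get_recourse(pe)
        data["PE"]["Imported functions"] = self.get_imported_functions(pe)
        data["PE"]["Exported functions"] = self.get_exported_functions(pe)
        add_description("WinApis", data["PE"]["Imported functions"], "Function")
        add_description("ManHelp", data["PE"]["Imported functions"], "Function")
        add_description("WinDlls", data["PE"]["Dlls"], "Dll")
        add_description("WinSections", data["PE"]["Sections"], "Section")
        add_description("WinResources", data["PE"]["Resources"], "Resource")
        get_words(data, data["Location"]["File"])
    finally:
        # release the mmap pefile keeps on the sample; the original never did
        pe.close()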
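def analyze_apk(self, data):
    '''
    start analyzing apk logic (r2 anal.timeout = 5) for all dex files
    add description to strings, get words and wordsstripped from the packed files

    Args:
        data: shared report dict. Reads data["Packed"]["Files"] (the entries
            unpacked from the archive, each with "Name" and "Path") and
            writes data["APK"] plus one "APK_DEX_<index>" entry per dex file
            through ``dex_wrapper``.

    Returns:
        None; results are stored in ``data``.
    '''
    data["APK"] = {
        "General": {},
        "Permissions": [],
        "_General": {},
        "_Permissions": ["Permission", "Description"]
    }
    for index, item in enumerate(data["Packed"]["Files"]):
        name = item["Name"].lower()
        if name == "androidmanifest.xml":
            data["APK"]["Permissions"] = self.read_permissions(data, item["Path"])
        if "classes" in name and name.endswith(".dex"):
            # One r2 session per dex file, closed as soon as it has been
            # consumed. The original called r2p.quit() once after the loop,
            # which leaked every session but the last and raised
            # UnboundLocalError for archives without any dex file.
            # NOTE(review): item["Path"] comes from the unpacked archive;
            # confirm r2open does not treat a leading '-' as an option.
            r2p = r2open(item["Path"], flags=['-2'])
            try:
                r2p.cmd("e anal.timeout = 5")
                r2p.cmd("aaaa;")
                self.dex_wrapper(data, r2p, 'APK_DEX_{}'.format(index))
            finally:
                r2p.quit()
    add_description("AndroidPermissions", data["APK"]["Permissions"], "Permission")
    get_words_multi_files(data, data["Packed"]["Files"])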
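def analyze_macho(self, data):
    '''
    start analyzing macho logic, add descriptions and get words and wordsstripped from the file

    Args:
        data: shared report dict. Reads data["Location"]["File"] and the raw
            bytes an earlier stage stored under data["FilesDumps"][<path>];
            writes data["MACHO"] in place.

    Returns:
        None; results are stored in ``data``.
    '''
    macho = MachO.MachO(data["Location"]["File"])
    data["MACHO"] = deepcopy(self.datastruct)
    fbuffer = data["FilesDumps"][data["Location"]["File"]]
    # The original line was ``data["MACHO"]["General"]: {}`` -- a bare
    # annotation on a subscript target, which Python evaluates and discards,
    # so "General" was never actually set. Guarantee the key exists without
    # clobbering whatever datastruct already provides for it.
    data["MACHO"].setdefault("General", {})
    data["MACHO"]["Sections"] = self.get_sections(macho, fbuffer)
    data["MACHO"]["Libraries"] = self.get_libs(macho)
    data["MACHO"]["Symbols"] = self.get_symbols(macho)
    data["MACHO"]["Undefined Symbols"] = self.get_undef_symbols(macho)
    data["MACHO"]["External Symbols"] = self.get_extdef_symbols(macho)
    data["MACHO"]["Local Symbols"] = self.get_local_symbols(macho)
    add_description("ManHelp", data["MACHO"]["Symbols"], "Symbol")
    get_words(data, data["Location"]["File"])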
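def analyze_apk(self, data):
    '''
    start analyzing apk logic (r2 anal.timeout = 5) for all dex files
    add description to strings, get words and wordsstripped from the packed files

    Args:
        data: shared report dict. Reads data["Packed"]["Files"] (entries
            unpacked from the archive, each with "Name" and "Path") and
            writes data["APK"] plus one "APK_DEX_<index>" table per dex file.

    Returns:
        None; results are stored in ``data``.
    '''
    data["APK"] = {
        "General": {},
        "Permissions": [],
        "_General": {},
        "_Permissions": ["Permission", "Description"]
    }
    for index, item in enumerate(data["Packed"]["Files"]):
        name = item["Name"].lower()
        if name == "androidmanifest.xml":
            data["APK"]["Permissions"] = self.read_permissions(data, item["Path"])
        if "classes" in name and name.endswith(".dex"):
            # One r2 session per dex file, closed in ``finally`` so a failing
            # query cannot leave an r2 process behind. The original quit only
            # the last session after the loop and raised UnboundLocalError
            # when the archive contained no dex file at all.
            # NOTE(review): item["Path"] comes from the unpacked archive;
            # confirm r2open does not treat a leading '-' as an option.
            r2p = r2open(item["Path"], flags=['-2'])
            try:
                r2p.cmd("e anal.timeout = 5")
                r2p.cmd("aaaa;")
                dex_key = 'APK_DEX_{}'.format(index)
                # the "_<Table>" entries are the column headers the report
                # renderer uses for the matching table
                data[dex_key] = {
                    "Classes": self.get_all_classes(r2p),
                    "Externals": self.get_all_externals(r2p),
                    "Symbols": self.get_all_symbols(r2p),
                    "Bigfunctions": self.big_functions(r2p),
                    "Suspicious": self.check_sus(r2p),
                    "_Classes": ["Type", "Name"],
                    "_Externals": ["Type", "Name"],
                    "_Symbols": ["Type", "Address", "X", "Name"],
                    "_Bigfunctions": ["Size", "Name"],
                    "_Suspicious": ["Location", "Function", "Xrefs"]
                }
            finally:
                r2p.quit()
    add_description("AndroidPermissions", data["APK"]["Permissions"], "Permission")
    get_words_multi_files(data, data["Packed"]["Files"])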
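def analyze(self, data):
    '''
    start analyzing elf logic, add description to strings and get words and wordsstripped from the file

    Args:
        data: shared report dict. Reads data["Location"]["File"] (path of the
            sample) and writes data["ELF"] in place.

    Returns:
        None; results are stored in ``data``.
    '''
    # one handle is enough: read the raw bytes for the entropy first, then
    # rewind so ELFFile can seek through the same stream (the original
    # opened the file twice for this)
    with open(data["Location"]["File"], 'rb') as handle:
        data["ELF"] = deepcopy(self.datastruct)
        entropy = get_entropy(handle.read())
        handle.seek(0)
        elf = ELFFile(handle)
        data["ELF"]["General"] = {
            "ELF Type": elf.header.e_type,
            "ELF Machine": elf.header.e_machine,
            "Entropy": entropy,
            "Entrypoint": hex(elf.header.e_entry),
            "Interpreter": self.get_iter(elf)
        }
        data["ELF"]["Sections"] = self.get_section(elf)
        data["ELF"]["Dynamic"] = self.get_dynamic(elf)
        data["ELF"]["Symbols"] = self.get_symbols(elf)
        data["ELF"]["Relocations"] = self.get_relocations(elf)
        add_description("ManHelp", data["ELF"]["Symbols"], "Symbol")
        add_description("LinuxSections", data["ELF"]["Sections"], "Section")
        get_words(data, data["Location"]["File"])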
def analyze(self, data):
    '''
    start analyzing pcap logic, add descriptions and get words and wordsstripped from the file

    Args:
        data: shared report dict. Reads data["Location"]["File"] (path of the
            capture) and writes data["PCAP"] in place; the "WAF" table of the
            fresh datastruct copy is filled by ``self.waf.analyze``.

    Returns:
        None; results are stored in ``data``.
    '''
    data["PCAP"] = deepcopy(self.datastruct)
    pcap = data["PCAP"]
    # rdpcap loads the whole capture into memory at once
    packets = scapy.rdpcap(data["Location"]["File"])
    (everything, ports, ip4s, arp_records, dns_records,
     http_records, http_urls, domains) = self.read_all_packets(packets)
    pcap.update({
        "Domains": domains,
        "URLs": http_urls,
        "ARP": arp_records,
        "DNS": dns_records,
        "HTTP": http_records,
        "ALL": everything,
        "PORTS": ports,
        "IP4S": ip4s,
    })
    self.waf.analyze(pcap["HTTP"], pcap["WAF"], "waf.json")
    # port descriptions for both ends of every packet plus the port summary
    for table_key, column in (("ALL", "SourcePort"), ("ALL", "DestinationPort"), ("PORTS", "Port")):
        add_description("Ports", pcap[table_key], column)
    # IPv4 annotations: known DNS servers, reserved ranges, geolocation
    for catalogue in ("DNSServers", "ReservedIP", "CountriesIPs"):
        add_description(catalogue, pcap["IP4S"], "IP")
    get_words(data, data["Location"]["File"])
def analyze(self, data):
    '''
    start pattern analysis for words and wordsstripped

    Args:
        data: shared report dict. Reads data["StringsRAW"]["wordsinsensitive"]
            and data["StringsRAW"]["wordsstripped"] (set on ``self`` for the
            ``check_*`` helpers) and writes data["Patterns"] in place.

    Returns:
        None; each ``check_*`` helper appends into its table of
        data["Patterns"].
    '''
    data["Patterns"] = deepcopy(self.datastruct)
    patterns = data["Patterns"]
    raw_strings = data["StringsRAW"]
    self.words = raw_strings["wordsinsensitive"]
    self.wordsstripped = raw_strings["wordsstripped"]
    # each extractor fills the table it is paired with
    extractors = (
        (self.check_link, "LINKS"),
        (self.check_ip4, "IP4S"),
        (self.check_ip4_ports, "IP4SANDPORT"),
        (self.check_ip6, "IP6S"),
        (self.check_email, "EMAILS"),
        (self.check_tags, "TAGS"),
        (self.check_hex, "HEX"),
    )
    for extractor, table_key in extractors:
        extractor(patterns[table_key])
    # (catalogue, table, column) triples for the description pass
    annotations = (
        ("URLshorteners", "LINKS", "Link"),
        ("DNSServers", "IP4S", "IP"),
        ("ReservedIP", "IP4S", "IP"),
        ("CountriesIPs", "IP4S", "IP"),
        ("Ports", "IP4SANDPORT", "Port"),
        ("Emails", "EMAILS", "EMAIL"),
    )
    for catalogue, table_key, column in annotations:
        add_description(catalogue, patterns[table_key], column)
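def analyze(self, data):
    '''
    start analyzing exe logic, add descriptions and get words and wordsstripped from the file

    Args:
        data: shared report dict. Reads data["Location"]["File"] (path of the
            sample on disk) and writes data["PE"] and data["ICONS"] in place.
            data["PE"]["Entrypoint"] receives the first 8 disassembled lines
            of the entry-point bytes (or "UnKnown").

    Returns:
        None; every result is stored in ``data``.

    Raises:
        whatever ``PE()`` raises for a file that is not a parseable PE image;
        that is left to the caller, as before.
    '''
    data["PE"] = deepcopy(self.datastruct)
    data["ICONS"] = {"ICONS": []}
    pe_info = PE(data["Location"]["File"])
    try:
        entry_point = pe_info.OPTIONAL_HEADER.AddressOfEntryPoint
        section = self.find_entry_point_function(pe_info, entry_point)
        sig_hex = "UnKnown"
        en_section_name = "UnKnown"
        sig_instructions = "UnKnown"
        # The r2 session used to disassemble the entry-point bytes was never
        # quit before; close it on every path out of the block. The hex
        # string handed to "pad" is built from the bytes themselves, so no
        # sample-controlled text reaches the r2 command line.
        r2p = None
        with ignore_excpetion(Exception):
            try:
                sig = section.get_data(entry_point, 52)
                sig_hex = "".join("{:02x}".format(x) for x in sig)
                r2p = r2open("-", flags=['-2'])
                r2p.cmd("e anal.timeout = 5")
                disassembly = r2p.cmd("pad {}".format(sig_hex)).split("\n")[:8]
                sig_instructions = "\n".join(disassembly)
            finally:
                if r2p is not None:
                    r2p.quit()
        with ignore_excpetion(Exception):
            en_section_name = section.Name.decode("utf-8", errors="ignore").strip("\00")
        # get_warnings() was called twice before; ask once and reuse
        warnings = pe_info.get_warnings()
        # TimeDateStamp is attacker-controlled; a forged value can make
        # fromtimestamp() raise, so fall back like the other header fields.
        # NOTE(review): rendered in host-local time, like the original --
        # consider utcfromtimestamp for reproducible reports across hosts.
        timestamp = "UnKnown"
        with ignore_excpetion(Exception):
            timestamp = datetime.fromtimestamp(pe_info.FILE_HEADER.TimeDateStamp).strftime(
                '%Y-%m-%d %H:%M:%S')
        data["PE"]["General"] = {
            "PE Type": self.what_type(pe_info),
            "Entrypoint": entry_point,
            "Entrypoint Section": en_section_name,
            "Header checksum": hex(pe_info.OPTIONAL_HEADER.CheckSum),
            "Verify checksum": hex(pe_info.generate_checksum()),
            "Match checksum": pe_info.verify_checksum(),
            "Sig": sig_hex,
            "imphash": pe_info.get_imphash(),
            "warning": warnings if warnings else "None",
            "Timestamp": timestamp
        }
        data["PE"]["Characteristics"] = self.get_characteristics(pe_info)
        # "Singed" is the key the rest of the project reads; keep the spelling
        data["PE"]["Singed"], data["PE"]["SignatureExtracted"] = self.check_if_singed(pe_info)
        data["PE"]["Stringfileinfo"] = self.get_string_file_info(pe_info)
        data["PE"]["Sections"] = self.get_sections(pe_info)
        data["PE"]["Dlls"] = self.get_dlls(pe_info)
        data["PE"]["Resources"], data["PE"]["Manifest"], data["ICONS"]["ICONS"] = self.get_recourse(pe_info)
        data["PE"]["Imported functions"] = self.get_imported_functions(pe_info)
        data["PE"]["Exported functions"] = self.get_exported_functions(pe_info)
        data["PE"]["Entrypoint"] = sig_instructions
        add_description("WinApis", data["PE"]["Imported functions"], "Function")
        add_description("ManHelp", data["PE"]["Imported functions"], "Function")
        add_description("WinDlls", data["PE"]["Dlls"], "Dll")
        add_description("WinSections", data["PE"]["Sections"], "Section")
        add_description("WinResources", data["PE"]["Resources"], "Resource")
        get_words(data, data["Location"]["File"])
    finally:
        # release the mmap pefile keeps on the sample; the original never did
        pe_info.close()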