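 def analyze(self, data):
     '''
     start analyzing exe logic, add descriptions and get words and wordsstripped from the file

     Parses the PE at data["Location"]["File"] with pefile, fills data["PE"]
     (a deep copy of self.datastruct) and data["ICONS"], attaches the
     WinApis/ManHelp/WinDlls/WinSections/WinResources descriptions and finally
     extracts strings with get_words. The sample is untrusted input: when the
     entry point cannot be mapped to a section the signature and section name
     fall back to "UnKnown" instead of raising, and the pefile object is always
     closed so the mapped file is released even if parsing fails.

     Args:
         data: the shared analysis dict; must hold data["Location"]["File"].
     '''
     data["PE"] = deepcopy(self.datastruct)
     data["ICONS"] = {"ICONS": []}
     pe = PE(data["Location"]["File"])
     try:
         ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint
         section = self.find_entry_point_function(pe, ep)
         # NOTE(review): the lookup presumably returns None when no section
         # contains ep (packed or malformed samples) — confirm. Use a
         # placeholder rather than failing with AttributeError on such input.
         if section is None:
             singinhex = "UnKnown"
             section_name = "UnKnown"
         else:
             sig = section.get_data(ep, 12)
             singinhex = "".join("{:02x}".format(x) for x in sig)
             section_name = section.Name.decode("utf-8", errors="ignore").strip("\00")
         # fetch the warnings once instead of calling get_warnings() twice
         pe_warnings = pe.get_warnings()
         data["PE"]["General"] = {
             "PE Type": self.what_type(pe),
             "Entrypoint": ep,
             "Entrypoint Section": section_name,
             "Header checksum": hex(pe.OPTIONAL_HEADER.CheckSum),
             "Verify checksum": hex(pe.generate_checksum()),
             "Match checksum": pe.verify_checksum(),
             "Sig": singinhex,
             "imphash": pe.get_imphash(),
             "warning": pe_warnings if len(pe_warnings) > 0 else "None",
             # NOTE(review): fromtimestamp renders the PE timestamp in the
             # host's local zone, so reports differ between analysis hosts
             "Timestamp": datetime.fromtimestamp(pe.FILE_HEADER.TimeDateStamp).strftime('%Y-%m-%d %H:%M:%S'),
         }
         data["PE"]["Characteristics"] = self.get_characteristics(pe)
         data["PE"]["Singed"], data["PE"]["SignatureExtracted"] = self.check_if_singed(pe)
         data["PE"]["Stringfileinfo"] = self.get_string_file_info(pe)
         data["PE"]["Sections"] = self.get_sections(pe)
         data["PE"]["Dlls"] = self.get_dlls(pe)
         data["PE"]["Resources"], data["PE"]["Manifest"], data["ICONS"]["ICONS"] = self.get_recourse(pe)
         data["PE"]["Imported functions"] = self.get_imported_functions(pe)
         data["PE"]["Exported functions"] = self.get_exported_functions(pe)
     finally:
         # release the file mapping pefile holds on the sample
         pe.close()
     add_description("WinApis", data["PE"]["Imported functions"], "Function")
     add_description("ManHelp", data["PE"]["Imported functions"], "Function")
     add_description("WinDlls", data["PE"]["Dlls"], "Dll")
     add_description("WinSections", data["PE"]["Sections"], "Section")
     add_description("WinResources", data["PE"]["Resources"], "Resource")
     get_words(data, data["Location"]["File"])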
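 def analyze_apk(self, data):
     '''
     start analyzing apk logic (r2p anal.timeout = 5) for all dex files
     add description to strings, get words and wordsstripped from the packed files

     Walks data["Packed"]["Files"]: AndroidManifest.xml is handed to
     read_permissions, and every classes*.dex gets its own radare2 session
     that is quit as soon as dex_wrapper returns. The original quit only the
     last session (leaking one per additional dex) and raised NameError when
     the archive held no dex at all.

     Args:
         data: the shared analysis dict; must hold data["Packed"]["Files"],
             a list of entries with "Name" and "Path".
     '''
     data["APK"] = {
         "General": {},
         "Permissions": [],
         "_General": {},
         "_Permissions": ["Permission", "Description"]
     }
     for index, item in enumerate(data["Packed"]["Files"]):
         name = item["Name"].lower()
         if name == "androidmanifest.xml":
             data["APK"]["Permissions"] = self.read_permissions(
                 data, item["Path"])
         if "classes" in name and name.endswith(".dex"):
             r2p = r2open(item["Path"], flags=['-2'])
             try:
                 # untrusted sample: cap the analysis time before "aaaa"
                 r2p.cmd("e anal.timeout = 5")
                 r2p.cmd("aaaa;")
                 self.dex_wrapper(data, r2p, 'APK_DEX_{}'.format(index))
             finally:
                 r2p.quit()
     add_description("AndroidPermissions", data["APK"]["Permissions"],
                     "Permission")
     get_words_multi_files(data, data["Packed"]["Files"])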
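 def analyze_macho(self, data):
     '''
     start analyzing macho logic, add descriptions and get words and wordsstripped from the file

     Parses the Mach-O at data["Location"]["File"], fills data["MACHO"] (a
     deep copy of self.datastruct) with sections, libraries and the symbol
     tables, attaches ManHelp descriptions to the symbols and extracts strings.

     Args:
         data: the shared analysis dict; must hold data["Location"]["File"]
             and the matching raw bytes in data["FilesDumps"].
     '''
     macho = MachO.MachO(data["Location"]["File"])
     data["MACHO"] = deepcopy(self.datastruct)
     fbuffer = data["FilesDumps"][data["Location"]["File"]]
     # The original line `data["MACHO"]["General"]: {}` is parsed as a bare
     # annotation and never executes. Ensure the key exists without clobbering
     # whatever self.datastruct already provides for it.
     data["MACHO"].setdefault("General", {})
     data["MACHO"]["Sections"] = self.get_sections(macho, fbuffer)
     data["MACHO"]["Libraries"] = self.get_libs(macho)
     data["MACHO"]["Symbols"] = self.get_symbols(macho)
     data["MACHO"]["Undefined Symbols"] = self.get_undef_symbols(macho)
     data["MACHO"]["External Symbols"] = self.get_extdef_symbols(macho)
     data["MACHO"]["Local Symbols"] = self.get_local_symbols(macho)
     add_description("ManHelp", data["MACHO"]["Symbols"], "Symbol")
     get_words(data, data["Location"]["File"])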
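    def analyze_apk(self, data):
        '''
        start analyzing apk logic (r2p anal.timeout = 5) for all dex files
        add description to strings, get words and wordsstripped from the packed files

        Walks data["Packed"]["Files"]: AndroidManifest.xml is handed to
        read_permissions; every classes*.dex is analysed in its own radare2
        session and its results stored under data["APK_DEX_<index>"]. Each
        session is quit right after use: the original quit only the last one
        (leaking one per additional dex) and raised NameError when the archive
        held no dex at all.

        Args:
            data: the shared analysis dict; must hold data["Packed"]["Files"],
                a list of entries with "Name" and "Path".
        '''
        data["APK"] = {
            "General": {},
            "Permissions": [],
            "_General": {},
            "_Permissions": ["Permission", "Description"]
        }
        for i, v in enumerate(data["Packed"]["Files"]):
            name = v["Name"].lower()
            if name == "androidmanifest.xml":
                data["APK"]["Permissions"] = self.read_permissions(
                    data, v["Path"])
            if "classes" in name and name.endswith(".dex"):
                r2p = r2open(v["Path"], flags=['-2'])
                try:
                    # untrusted sample: cap the analysis time before "aaaa"
                    r2p.cmd("e anal.timeout = 5")
                    r2p.cmd("aaaa;")
                    k = 'APK_DEX_{}'.format(i)
                    data[k] = {
                        "Classes": [],
                        "Externals": [],
                        "Symbols": [],
                        "Bigfunctions": [],
                        "Suspicious": [],
                        "_Classes": ["Type", "Name"],
                        "_Externals": ["Type", "Name"],
                        "_Symbols": ["Type", "Address", "X", "Name"],
                        "_Bigfunctions": ["Size", "Name"],
                        "_Suspicious": ["Location", "Function", "Xrefs"]
                    }
                    data[k]["Classes"] = self.get_all_classes(r2p)
                    data[k]["Externals"] = self.get_all_externals(r2p)
                    data[k]["Symbols"] = self.get_all_symbols(r2p)
                    data[k]["Bigfunctions"] = self.big_functions(r2p)
                    data[k]["Suspicious"] = self.check_sus(r2p)
                finally:
                    # always close the r2 pipe, even when analysis raises
                    r2p.quit()
        add_description("AndroidPermissions", data["APK"]["Permissions"],
                        "Permission")
        get_words_multi_files(data, data["Packed"]["Files"])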
 def analyze(self, data):
     '''
     start analyzing elf logic, add description to strings and get words and wordsstripped from the file

     Fills data["ELF"] (a deep copy of self.datastruct) with the header
     summary, sections, dynamic entries, symbols and relocations of the ELF at
     data["Location"]["File"], attaches ManHelp/LinuxSections descriptions and
     extracts strings.
     '''
     sample_path = data["Location"]["File"]
     # one handle is given to ELFFile untouched, the other is read in full
     # for the entropy measurement
     with open(sample_path, 'rb') as elf_stream, open(sample_path, 'rb') as raw_stream:
         data["ELF"] = deepcopy(self.datastruct)
         elf = ELFFile(elf_stream)
         report = data["ELF"]
         report["General"] = {
             "ELF Type": elf.header.e_type,
             "ELF Machine": elf.header.e_machine,
             "Entropy": get_entropy(raw_stream.read()),
             "Entrypoint": hex(elf.header.e_entry),
             "Interpreter": self.get_iter(elf),
         }
         collectors = (
             ("Sections", self.get_section),
             ("Dynamic", self.get_dynamic),
             ("Symbols", self.get_symbols),
             ("Relocations", self.get_relocations),
         )
         for key, collect in collectors:
             report[key] = collect(elf)
         add_description("ManHelp", report["Symbols"], "Symbol")
         add_description("LinuxSections", report["Sections"], "Section")
         get_words(data, sample_path)
 def analyze(self, data):
     '''
     start analyzing pcap logic, add descriptions and get words and wordsstripped from the file

     Reads every packet of the capture at data["Location"]["File"], stores the
     per-protocol tables returned by read_all_packets under data["PCAP"], runs
     the WAF matcher over the HTTP table and attaches port / IP descriptions.
     '''
     capture_path = data["Location"]["File"]
     data["PCAP"] = deepcopy(self.datastruct)
     report = data["PCAP"]
     packets = scapy.rdpcap(capture_path)
     (all_packets, ports, ip4s, arp, dns,
      http, http_urls, domains) = self.read_all_packets(packets)
     report.update({
         "Domains": domains,
         "URLs": http_urls,
         "ARP": arp,
         "DNS": dns,
         "HTTP": http,
         "ALL": all_packets,
         "PORTS": ports,
         "IP4S": ip4s,
     })
     self.waf.analyze(report["HTTP"], report["WAF"], "waf.json")
     # port columns live in two tables; IP lookups all apply to IP4S
     for table, column in (("ALL", "SourcePort"),
                           ("ALL", "DestinationPort"),
                           ("PORTS", "Port")):
         add_description("Ports", report[table], column)
     for lookup in ("DNSServers", "ReservedIP", "CountriesIPs"):
         add_description(lookup, report["IP4S"], "IP")
     get_words(data, capture_path)
 def analyze(self, data):
     '''
     start pattern analysis for words and wordsstripped

     Runs every check_* matcher over the strings already extracted into
     data["StringsRAW"], collecting hits into the buckets of data["Patterns"]
     (a deep copy of self.datastruct), then attaches descriptions to the
     links, IPs, IP:port pairs and e-mail addresses found.
     '''
     patterns = deepcopy(self.datastruct)
     data["Patterns"] = patterns
     strings_raw = data["StringsRAW"]
     self.words = strings_raw["wordsinsensitive"]
     self.wordsstripped = strings_raw["wordsstripped"]
     # each matcher fills its own bucket from self.words / self.wordsstripped
     matchers = (
         (self.check_link, "LINKS"),
         (self.check_ip4, "IP4S"),
         (self.check_ip4_ports, "IP4SANDPORT"),
         (self.check_ip6, "IP6S"),
         (self.check_email, "EMAILS"),
         (self.check_tags, "TAGS"),
         (self.check_hex, "HEX"),
     )
     for matcher, bucket in matchers:
         matcher(patterns[bucket])
     descriptions = (
         ("URLshorteners", "LINKS", "Link"),
         ("DNSServers", "IP4S", "IP"),
         ("ReservedIP", "IP4S", "IP"),
         ("CountriesIPs", "IP4S", "IP"),
         ("Ports", "IP4SANDPORT", "Port"),
         ("Emails", "EMAILS", "EMAIL"),
     )
     for source, bucket, column in descriptions:
         add_description(source, patterns[bucket], column)
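 def analyze(self, data):
     '''
     start analyzing exe logic, add descriptions and get words and wordsstripped from the file

     Parses the PE at data["Location"]["File"] with pefile, fills data["PE"]
     (a deep copy of self.datastruct) and data["ICONS"], disassembles the
     first bytes at the entry point with radare2, attaches descriptions and
     extracts strings. The sample is untrusted: the entry-point signature,
     its disassembly and the section name are best-effort and stay "UnKnown"
     when anything fails. The radare2 session is always quit and the pefile
     object always closed, neither of which the original guaranteed.

     Args:
         data: the shared analysis dict; must hold data["Location"]["File"].
     '''
     data["PE"] = deepcopy(self.datastruct)
     data["ICONS"] = {"ICONS": []}
     pe_info = PE(data["Location"]["File"])
     try:
         ep_info = pe_info.OPTIONAL_HEADER.AddressOfEntryPoint
         section = self.find_entry_point_function(pe_info, ep_info)
         singinhex = "UnKnown"
         en_section_name = "UnKnown"
         sig_instructions = "UnKnown"
         # best-effort on malformed input: any failure leaves the placeholders
         with ignore_excpetion(Exception):
             sig = section.get_data(ep_info, 52)
             singinhex = "".join("{:02x}".format(x) for x in sig)
             # singinhex is built from "{:02x}" so it holds hex digits only
             # and can be spliced into the r2 command without escaping
             r2p = r2open("-", flags=['-2'])
             try:
                 r2p.cmd("e anal.timeout = 5")
                 disasm_lines = r2p.cmd(
                     "pad {}".format(singinhex)).split("\n")[:8]
                 sig_instructions = "\n".join(disasm_lines)
             finally:
                 # the original never quit this session, leaking an r2
                 # process per analysed sample
                 r2p.quit()
         with ignore_excpetion(Exception):
             en_section_name = section.Name.decode("utf-8",
                                                   errors="ignore").strip("\00")
         # fetch the warnings once instead of calling get_warnings() twice
         pe_warnings = pe_info.get_warnings()
         data["PE"]["General"] = {
             "PE Type": self.what_type(pe_info),
             "Entrypoint": ep_info,
             "Entrypoint Section": en_section_name,
             "Header checksum": hex(pe_info.OPTIONAL_HEADER.CheckSum),
             "Verify checksum": hex(pe_info.generate_checksum()),
             "Match checksum": pe_info.verify_checksum(),
             "Sig": singinhex,
             "imphash": pe_info.get_imphash(),
             "warning": pe_warnings if len(pe_warnings) > 0 else "None",
             # NOTE(review): fromtimestamp renders the PE timestamp in the
             # host's local zone, so reports differ between analysis hosts
             "Timestamp": datetime.fromtimestamp(
                 pe_info.FILE_HEADER.TimeDateStamp).strftime('%Y-%m-%d %H:%M:%S'),
         }
         data["PE"]["Characteristics"] = self.get_characteristics(pe_info)
         data["PE"]["Singed"], data["PE"][
             "SignatureExtracted"] = self.check_if_singed(pe_info)
         data["PE"]["Stringfileinfo"] = self.get_string_file_info(pe_info)
         data["PE"]["Sections"] = self.get_sections(pe_info)
         data["PE"]["Dlls"] = self.get_dlls(pe_info)
         data["PE"]["Resources"], data["PE"]["Manifest"], data["ICONS"][
             "ICONS"] = self.get_recourse(pe_info)
         data["PE"]["Imported functions"] = self.get_imported_functions(pe_info)
         data["PE"]["Exported functions"] = self.get_exported_functions(pe_info)
     finally:
         # release the file mapping pefile holds on the sample
         pe_info.close()
     data["PE"]["Entrypoint"] = sig_instructions
     add_description("WinApis", data["PE"]["Imported functions"],
                     "Function")
     add_description("ManHelp", data["PE"]["Imported functions"],
                     "Function")
     add_description("WinDlls", data["PE"]["Dlls"], "Dll")
     add_description("WinSections", data["PE"]["Sections"], "Section")
     add_description("WinResources", data["PE"]["Resources"], "Resource")
     get_words(data, data["Location"]["File"])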