def get_sections(self, machos, fbuffer) -> list:
'''
get sections
'''
_list = []
for h in machos.headers:
for lc, cmd, data in h.commands:
if hasattr(cmd, "segname"):
#fbuffer[cmd.fileoff:cmd.filesize]
with BytesIO(fbuffer) as bio:
bio.seek(cmd.fileoff)
x = bio.read(cmd.filesize)
sus = "No"
entropy = get_entropy_float_ret(x)
if entropy > 6 or entropy >= 0 and entropy <= 1:
sus = "True, {}".format(entropy)
elif cmd.filesize == 0:
sus = "True, section size 0"
seg = cmd.segname[:cmd.segname.find(b'\x00')].decode(
"utf-8", errors="ignore")
if seg == "__PAGEZERO":
sus = ""
_list.append({
"Section": seg,
"Suspicious": sus,
"Size": cmd.filesize,
"Entropy": get_entropy(x),
"MD5": md5(x).hexdigest(),
"Description": ""
})
return _list
def get_sections(self, pe_info) -> list:
'''
get sections
'''
temp_list = []
for section in pe_info.sections:
is_sus = "No"
entropy = get_entropy_float_ret(section.get_data())
if entropy > 6 or (0 <= entropy <= 1):
is_sus = "True, {}".format(entropy)
elif section.SizeOfRawData == 0:
is_sus = "True, section size 0"
temp_list.append({
"Section":
section.Name.decode("utf-8", errors="ignore").strip("\00"),
"Suspicious":
is_sus,
"Size":
section.SizeOfRawData,
"MD5":
section.get_hash_md5(),
"Entropy":
get_entropy(section.get_data()),
"Description":
""
})
return temp_list
def get_scripts(self, data, soup):
scripts = soup.findAll("script")
for script in scripts:
if script.text != "":
entropy = get_entropy(script.text)
else:
entropy = None
data.append({
"line": script.sourceline,
"Entropy": entropy,
"type": script.get("type"),
"src": script.get("src"),
"text": script.text
})
def get_detailes(self, data, _path):
'''
get general details of file
'''
data["Details"] = deepcopy(self.datastruct)
temp_f = open(_path, "rb").read()
open(_path, "rb").read(4)
data["Details"]["Properties"] = {"Name": path.basename(_path).lower(),
"md5": md5(temp_f).hexdigest(),
"sha1": sha1(temp_f).hexdigest(),
"sha256": sha256(temp_f).hexdigest(),
"ssdeep": hash_from_file(_path),
"size": convert_size(path.getsize(_path)),
"bytes": path.getsize(_path),
"mime": from_file(_path, mime=True),
"extension": guess_type(_path)[0],
"Entropy": get_entropy(temp_f)}
def get_scripts(self, data, soup):
'''
get all scripts (maybe add script analysis later on)
'''
scripts = soup.findAll("script")
for script in scripts:
if script.text != "":
entropy = get_entropy(script.text)
else:
entropy = None
data.append({
"line": script.sourceline,
"Entropy": entropy,
"type": script.get("type"),
"src": script.get("src"),
"text": script.text
})
def analyze(self, data):
'''
start analyzing elf logic, add description to strings and get words and wordsstripped from the file
'''
with open(data["Location"]["File"], 'rb') as file_1, open(data["Location"]["File"], 'rb') as file_2:
data["ELF"] = deepcopy(self.datastruct)
elf = ELFFile(file_1)
data["ELF"]["General"] = {"ELF Type" :elf.header.e_type,
"ELF Machine" :elf.header.e_machine,
"Entropy":get_entropy(file_2.read()),
"Entrypoint":hex(elf.header.e_entry),
"Interpreter":self.get_iter(elf)}
data["ELF"]["Sections"] = self.get_section(elf)
data["ELF"]["Dynamic"] = self.get_dynamic(elf)
data["ELF"]["Symbols"] = self.get_symbols(elf)
data["ELF"]["Relocations"] = self.get_relocations(elf)
add_description("ManHelp", data["ELF"]["Symbols"], "Symbol")
add_description("LinuxSections", data["ELF"]["Sections"], "Section")
get_words(data, data["Location"]["File"])
def get_section(self, elf) -> list:
'''
get all sections of elf
'''
temp_list = []
for section in elf.iter_sections():
if section.name != "":
sus = "No"
entropy = get_entropy_float_ret(section.data())
if entropy > 6 or (0 <= entropy <= 1):
sus = "True, {}".format(entropy)
elif section.data_size == 0:
sus = "True, section size 0"
temp_list.append({"Section":section.name,
"Suspicious":sus,
"Size":section.data_size,
"MD5":md5(section.data()).hexdigest(),
"Entropy":get_entropy(section.data()),
"Description":""})
return temp_list
