def parse(module, message, data):
if(message['plugin'] == "library"):
logging.debug("Library !")
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
library = Library(message['name'])
library.application_id = module.application.id
logging.debug(repr(library))
query = session.query(Library).filter(Library.application_id==library.application_id).filter(Library.name==library.name)
resultQuery = query.all()
# Prevent duplicates in DB
if len(resultQuery) == 0:
session.add(library)
session.commit()
def parse(module, message, data):
if (message.startswith("file:")):
logging.debug("FileInteraction !")
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
method = message[len("file:"):message.index("|")]
name = message[message.index("|") + 1:]
fileInteraction = File(method, name)
fileInteraction.application_id = module.application.id
logging.debug(repr(fileInteraction))
query = session.query(File).filter(
File.application_id == module.application.id).filter(
File.name == fileInteraction.name).filter(
File.method == fileInteraction.method)
resultQuery = query.all()
# Prevent duplicates in DB
if len(resultQuery) == 0:
session.add(fileInteraction)
session.commit()
def parse(module, message, data):
if (message['plugin'] == "proxyURL"):
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
proxyURL = ProxyURL(message)
proxyURL.application_id = module.application.id
logging.debug(repr(proxyURL))
query = session.query(ProxyURL).filter(
ProxyURL.application_id == module.application.id).filter(
ProxyURL.response_code == proxyURL.response_code).filter(
ProxyURL.req_method == proxyURL.req_method).filter(
ProxyURL.url == proxyURL.url).filter(
ProxyURL.request == proxyURL.request).filter(
ProxyURL.response == proxyURL.response)
resultQuery = query.all()
# Prevent duplicates in DB
if len(resultQuery) == 0:
session.add(proxyURL)
session.commit()
def parse(module, message, data):
if(message['plugin'] == "sharedprefs"):
logging.debug("SharedPreferences edited !")
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
shared_pref = SharedPreferences(message['method'], message['file'], message['value'])
shared_pref.application_id = module.application.id
logging.debug(repr(shared_pref))
query = session.query(SharedPreferences).filter(SharedPreferences.application_id==module.application.id).filter(SharedPreferences.value==shared_pref.value).filter(SharedPreferences.method==shared_pref.method).filter(SharedPreferences.file_path==shared_pref.file_path)
resultQuery = query.all()
# Prevent duplicates in DB
if len(resultQuery) == 0:
session.add(shared_pref)
session.commit()
def parse(module, message, data):
if (message['plugin'] == "json"):
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
json_value = Json(message['method'], message['value'])
json_value.application_id = module.application.id
logging.debug(repr(json_value))
query = session.query(Json).filter(
Json.application_id == module.application.id).filter(
Json.value == json_value.value).filter(
Json.method == json_value.method)
resultQuery = query.all()
# Prevent duplicates in DB
if len(resultQuery) == 0:
session.add(json_value)
session.commit()
def parse(module, message, data):
if (message.startswith('base64:')):
logging.debug("base64:parse()")
method = message[len("base64: "):]
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
try:
data = data.decode()
except Exception as e:
data = data.hex()
logging.error(f"Base64: {e}")
base64Module = Base64(method, data)
base64Module.application_id = module.application.id
logging.debug(repr(base64Module))
query = session.query(Base64).filter(
Base64.application_id == module.application.id).filter(
Base64.method == base64Module.method).filter(
Base64.value == base64Module.value)
resultQuery = query.all()
# Prevent duplicates in DB
if len(resultQuery) == 0:
session.add(base64Module)
session.commit()
def parse(module, message, data):
if (message.startswith('Bypass:')):
logging.debug("antiEmulator:parse()")
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
property_name = message[len("Bypass:"******"&")]
real_value = message[message.index("&")+1:message.index("|")]
return_value = message[message.index("|")+1:]
antiEmulator = AntiEmulator(property_name, real_value, return_value)
antiEmulator.application_id = module.application.id
logging.debug(repr(antiEmulator))
query = session.query(AntiEmulator).filter(AntiEmulator.application_id==module.application.id).filter(AntiEmulator.property==antiEmulator.property).filter(AntiEmulator.real_value==antiEmulator.real_value).filter(AntiEmulator.return_value==antiEmulator.return_value)
resultQuery = query.all()
# Prevent duplicates in DB
if len(resultQuery) == 0:
session.add(antiEmulator)
session.commit()
def parse(module, message, data):
if (message.startswith('delete file:')):
logging.debug("deletedFile:parse()")
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
deletedFile = DeletedFiles(message[len("delete file:"):])
deletedFile.application_id = module.application.id
logging.debug(repr(deletedFile))
query = session.query(DeletedFiles).filter(
DeletedFiles.application_id == module.application.id).filter(
DeletedFiles.name == deletedFile.name)
resultQuery = query.all()
# Prevent duplicates in DB
if len(resultQuery) == 0:
session.add(deletedFile)
session.commit()
def parse(module, message, data):
if (message.startswith("to_string:")):
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
string = String(message[len("to_String:"):])
string.application_id = module.application.id
logging.debug(repr(string))
query = session.query(String).filter(
String.application_id == module.application.id).filter(
String.value == string.value)
resultQuery = query.all()
# Prevent duplicates in DB
if len(resultQuery) == 0:
session.add(string)
session.commit()
def key(self, type, key):
'''
Add a key to the database
:param type:
:param key:
:return:
'''
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
application = session.query(Application.Application).get(
self.application.id)
key = Key(type, key)
logging.debug(repr(key))
application.key.append(key)
session.add(key)
session.add(application)
session.commit()
def parse(module, message, data):
if (message.startswith("dexclassloader:")):
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
args = message[len("dexclassloader:"):].split("|")
stackTrace = args[4].split(',')
dexclassloader = DexClassLoader(args[0], args[1], args[2], args[3],
args[4])
dexclassloader.application_id = module.application.id
logging.debug(repr(dexclassloader))
query = session.query(DexClassLoader).filter(
DexClassLoader.application_id == module.application.id).filter(
DexClassLoader.dexPath == dexclassloader.dexPath).filter(
DexClassLoader.optimizedDirectory ==
dexclassloader.optimizedDirectory).filter(
DexClassLoader.librarySearchPath ==
dexclassloader.librarySearchPath).filter(
DexClassLoader.parent == dexclassloader.parent)
resultQuery = query.all()
if len(resultQuery) == 0:
session.add(dexclassloader)
session.commit()
def url(self, url):
'''
Add an url to the database
:param url:
:return:
'''
logging.debug("ModuleGeneral:url()")
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
url = Url(url)
# Whitelist Google
# whitelist = ['0.0.0.0', '172.', '216.58.']
whitelist = ['0.0.0.0']
add = True
if url.ip is not None:
for i in whitelist:
if url.ip.startswith(i):
add = False
if add:
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
application = session.query(Application.Application).get(
self.application.id)
logging.debug(repr(url))
query = session.query(Url).filter(
Url.application_id == self.application.id).filter(
Url.scheme == url.scheme).filter(
Url.domain == url.domain).filter(
Url.uri == url.uri).filter(
Url.ip == url.ip).filter(
Url.query == url.query)
resultQuery = query.all()
if len(resultQuery) == 0:
application.url.append(url)
session.add(url)
session.add(application)
else:
previous_nb = getattr(url, "nb")
setattr(resultQuery[0], "nb", previous_nb + 1)
session.commit()
def parse(module,message):
if(message.startswith("to_string:")):
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
shared_pref = String(message[len("to_String:"):])
shared_pref.application_id = module.application.id
logging.debug(repr(shared_pref))
session.add(shared_pref)
session.commit()
def key(self, typeOfMsg, key):
'''
Add a key to the database
:param type:
:param key:
:return:
'''
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
application = session.query(Application.Application).get(
self.application.id)
key = Key(typeOfMsg, key.hex())
logging.debug(repr(key))
query = session.query(Key).filter(
Key.application_id == self.application.id).filter(
Key.type == key.type).filter(Key.value == key.value)
resultQuery = query.all()
if len(resultQuery) == 0:
application.key.append(key)
session.add(key)
session.add(application)
# else:
# previous_nb = getattr(key, "nb")
# print(previous_nb)
# print(resultQuery[0])
# setattr(resultQuery[0], "nb", previous_nb+1)
# print(getattr(resultQuery[0], "nb"))
session.commit()
def url(self, url):
'''
Add an url to the database
:param url:
:return:
'''
logging.debug("ModuleGeneral:url()")
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
url = Url(url)
whitelist = ['0.0.0.0', '172.', '216.58.']
# whitelist = []
add = True
if url.ip is not None:
for i in whitelist:
if url.ip.startswith(i):
add = False
if add:
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
application = session.query(Application.Application).get(
self.application.id)
logging.debug(repr(url))
application.url.append(url)
session.add(url)
session.add(application)
session.commit()
def parse(module, message, data):
if (message['plugin'] == 'dexclassloader'):
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
dexclassloader = DexClassLoader(message['dexPath'],
message['optimizedDirectory'],
message['librarySearchPath'],
message['parent'],
message['entrypoint'],
message['stack'])
dexclassloader.application_id = module.application.id
logging.debug(repr(dexclassloader))
query = session.query(DexClassLoader).filter(
DexClassLoader.application_id == module.application.id
).filter(DexClassLoader.dexPath == dexclassloader.dexPath).filter(
DexClassLoader.optimizedDirectory ==
dexclassloader.optimizedDirectory).filter(
DexClassLoader.librarySearchPath ==
dexclassloader.librarySearchPath).filter(
DexClassLoader.parent == dexclassloader.parent).filter(
DexClassLoader.entrypoint == dexclassloader.entrypoint)
resultQuery = query.all()
if len(resultQuery) == 0:
session.add(dexclassloader)
session.commit()
def parse(module, message, data):
if (message['plugin'] == "hash"):
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
try:
input_value = binascii.unhexlify(
message['input_value']).decode('utf-8')
except:
input_value = binascii.unhexlify(message['input_value'])
hash_value = Hash(message['algo'], input_value,
binascii.unhexlify(message['output_value']).hex())
hash_value.application_id = module.application.id
logging.debug(repr(hash_value))
query = session.query(Hash).filter(
Hash.application_id == module.application.id).filter(
Hash.algorithm == hash_value.algorithm).filter(
Hash.input_value == hash_value.input_value).filter(
Hash.output_value == hash_value.output_value)
resultQuery = query.all()
# Prevent duplicates in DB
if len(resultQuery) == 0:
session.add(hash_value)
session.commit()
def parse(module, message, data):
if (message['plugin'] == "cipher"):
# Create a thread local session
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
# Fetch application for this session ( could not use self.application
# because the usage must be thread local )
key_value = binascii.unhexlify(message["key"]).hex()
iv = binascii.unhexlify(message["iv"]).hex()
# TODO have link from base64
kind_input = filetype.guess(binascii.unhexlify(message["arg"]))
kind_result = filetype.guess(binascii.unhexlify(message["result"]))
# print('File extension: %s' % kind.extension)
# print('File MIME type: %s' % kind.mime)
if message["opmode"] == 1:
opmode_info = "ENCRYPT_MODE"
try:
input_value = binascii.unhexlify(message["arg"]).decode('utf8')
except:
input_value = base64.b64encode(
binascii.unhexlify(message["arg"])).decode('utf8')
output_value = binascii.unhexlify(message["result"]).hex()
elif message["opmode"] == 2:
opmode_info = "DECRYPT_MODE"
try:
output_value = binascii.unhexlify(
message["result"]).decode('utf8')
except:
output_value = base64.b64encode(
binascii.unhexlify(message["result"])).decode('utf8')
input_value = binascii.unhexlify(message["arg"]).hex()
cipher = Cipher(message["algo"], key_value, iv, opmode_info,
input_value, output_value, message["stack"])
cipher.application_id = module.application.id
logging.debug(repr(cipher))
query = session.query(Cipher).filter(
Cipher.application_id == cipher.application_id
).filter(Cipher.algorithm == cipher.algorithm).filter(
Cipher.key == cipher.key).filter(Cipher.iv == cipher.iv).filter(
Cipher.opmode == cipher.opmode).filter(
Cipher.input_value == cipher.input_value).filter(
Cipher.output_value == cipher.output_value)
resultQuery = query.all()
# Prevent duplicates in DB
if len(resultQuery) == 0:
session.add(cipher)
session.commit()
from lib.model.database.Database import Database
from lib.model.Analysis import Analysis
import uuid
import datetime
import configparser
from lib.report.ReportGenerator import ReportGenerator
if __name__ == '__main__':
config = configparser.ConfigParser()
config.read("../config/config.ini")
Database.set_configuration(config)
print(Analysis, Application, Url)
engine = Database.get_engine()
session_factory = sessionmaker(bind=engine)
Session = scoped_session(session_factory)
session = Session()
Session.remove()
analysis = session.query(Analysis).all()[0]
for i in range(len(analysis.application)):
app = Application(analysis.application[i].path)
app.url = analysis.application[i].url
analysis.application[i] = app
generator = ReportGenerator()
generator.generate(analysis, )