def parse(module, message, data): if(message['plugin'] == "library"): logging.debug("Library !") # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() # Fetch application for this session ( could not use self.application # because the usage must be thread local ) library = Library(message['name']) library.application_id = module.application.id logging.debug(repr(library)) query = session.query(Library).filter(Library.application_id==library.application_id).filter(Library.name==library.name) resultQuery = query.all() # Prevent duplicates in DB if len(resultQuery) == 0: session.add(library) session.commit()
def parse(module, message, data): if (message.startswith("file:")): logging.debug("FileInteraction !") # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() # Fetch application for this session ( could not use self.application # because the usage must be thread local ) method = message[len("file:"):message.index("|")] name = message[message.index("|") + 1:] fileInteraction = File(method, name) fileInteraction.application_id = module.application.id logging.debug(repr(fileInteraction)) query = session.query(File).filter( File.application_id == module.application.id).filter( File.name == fileInteraction.name).filter( File.method == fileInteraction.method) resultQuery = query.all() # Prevent duplicates in DB if len(resultQuery) == 0: session.add(fileInteraction) session.commit()
def parse(module, message, data): if (message['plugin'] == "proxyURL"): # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() # Fetch application for this session ( could not use self.application # because the usage must be thread local ) proxyURL = ProxyURL(message) proxyURL.application_id = module.application.id logging.debug(repr(proxyURL)) query = session.query(ProxyURL).filter( ProxyURL.application_id == module.application.id).filter( ProxyURL.response_code == proxyURL.response_code).filter( ProxyURL.req_method == proxyURL.req_method).filter( ProxyURL.url == proxyURL.url).filter( ProxyURL.request == proxyURL.request).filter( ProxyURL.response == proxyURL.response) resultQuery = query.all() # Prevent duplicates in DB if len(resultQuery) == 0: session.add(proxyURL) session.commit()
def parse(module, message, data): if(message['plugin'] == "sharedprefs"): logging.debug("SharedPreferences edited !") # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() # Fetch application for this session ( could not use self.application # because the usage must be thread local ) shared_pref = SharedPreferences(message['method'], message['file'], message['value']) shared_pref.application_id = module.application.id logging.debug(repr(shared_pref)) query = session.query(SharedPreferences).filter(SharedPreferences.application_id==module.application.id).filter(SharedPreferences.value==shared_pref.value).filter(SharedPreferences.method==shared_pref.method).filter(SharedPreferences.file_path==shared_pref.file_path) resultQuery = query.all() # Prevent duplicates in DB if len(resultQuery) == 0: session.add(shared_pref) session.commit()
def parse(module, message, data): if (message['plugin'] == "json"): # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() # Fetch application for this session ( could not use self.application # because the usage must be thread local ) json_value = Json(message['method'], message['value']) json_value.application_id = module.application.id logging.debug(repr(json_value)) query = session.query(Json).filter( Json.application_id == module.application.id).filter( Json.value == json_value.value).filter( Json.method == json_value.method) resultQuery = query.all() # Prevent duplicates in DB if len(resultQuery) == 0: session.add(json_value) session.commit()
def parse(module, message, data): if (message.startswith('base64:')): logging.debug("base64:parse()") method = message[len("base64: "):] # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() try: data = data.decode() except Exception as e: data = data.hex() logging.error(f"Base64: {e}") base64Module = Base64(method, data) base64Module.application_id = module.application.id logging.debug(repr(base64Module)) query = session.query(Base64).filter( Base64.application_id == module.application.id).filter( Base64.method == base64Module.method).filter( Base64.value == base64Module.value) resultQuery = query.all() # Prevent duplicates in DB if len(resultQuery) == 0: session.add(base64Module) session.commit()
def parse(module, message, data): if (message.startswith('Bypass:')): logging.debug("antiEmulator:parse()") # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() property_name = message[len("Bypass:"******"&")] real_value = message[message.index("&")+1:message.index("|")] return_value = message[message.index("|")+1:] antiEmulator = AntiEmulator(property_name, real_value, return_value) antiEmulator.application_id = module.application.id logging.debug(repr(antiEmulator)) query = session.query(AntiEmulator).filter(AntiEmulator.application_id==module.application.id).filter(AntiEmulator.property==antiEmulator.property).filter(AntiEmulator.real_value==antiEmulator.real_value).filter(AntiEmulator.return_value==antiEmulator.return_value) resultQuery = query.all() # Prevent duplicates in DB if len(resultQuery) == 0: session.add(antiEmulator) session.commit()
def parse(module, message, data): if (message.startswith('delete file:')): logging.debug("deletedFile:parse()") # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() deletedFile = DeletedFiles(message[len("delete file:"):]) deletedFile.application_id = module.application.id logging.debug(repr(deletedFile)) query = session.query(DeletedFiles).filter( DeletedFiles.application_id == module.application.id).filter( DeletedFiles.name == deletedFile.name) resultQuery = query.all() # Prevent duplicates in DB if len(resultQuery) == 0: session.add(deletedFile) session.commit()
def parse(module, message, data): if (message.startswith("to_string:")): # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() # Fetch application for this session ( could not use self.application # because the usage must be thread local ) string = String(message[len("to_String:"):]) string.application_id = module.application.id logging.debug(repr(string)) query = session.query(String).filter( String.application_id == module.application.id).filter( String.value == string.value) resultQuery = query.all() # Prevent duplicates in DB if len(resultQuery) == 0: session.add(string) session.commit()
def key(self, type, key): ''' Add a key to the database :param type: :param key: :return: ''' # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() # Fetch application for this session ( could not use self.application # because the usage must be thread local ) application = session.query(Application.Application).get( self.application.id) key = Key(type, key) logging.debug(repr(key)) application.key.append(key) session.add(key) session.add(application) session.commit()
def parse(module, message, data): if (message.startswith("dexclassloader:")): # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() # Fetch application for this session ( could not use self.application # because the usage must be thread local ) args = message[len("dexclassloader:"):].split("|") stackTrace = args[4].split(',') dexclassloader = DexClassLoader(args[0], args[1], args[2], args[3], args[4]) dexclassloader.application_id = module.application.id logging.debug(repr(dexclassloader)) query = session.query(DexClassLoader).filter( DexClassLoader.application_id == module.application.id).filter( DexClassLoader.dexPath == dexclassloader.dexPath).filter( DexClassLoader.optimizedDirectory == dexclassloader.optimizedDirectory).filter( DexClassLoader.librarySearchPath == dexclassloader.librarySearchPath).filter( DexClassLoader.parent == dexclassloader.parent) resultQuery = query.all() if len(resultQuery) == 0: session.add(dexclassloader) session.commit()
def url(self, url): ''' Add an url to the database :param url: :return: ''' logging.debug("ModuleGeneral:url()") # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() url = Url(url) # Whitelist Google # whitelist = ['0.0.0.0', '172.', '216.58.'] whitelist = ['0.0.0.0'] add = True if url.ip is not None: for i in whitelist: if url.ip.startswith(i): add = False if add: # Fetch application for this session ( could not use self.application # because the usage must be thread local ) application = session.query(Application.Application).get( self.application.id) logging.debug(repr(url)) query = session.query(Url).filter( Url.application_id == self.application.id).filter( Url.scheme == url.scheme).filter( Url.domain == url.domain).filter( Url.uri == url.uri).filter( Url.ip == url.ip).filter( Url.query == url.query) resultQuery = query.all() if len(resultQuery) == 0: application.url.append(url) session.add(url) session.add(application) else: previous_nb = getattr(url, "nb") setattr(resultQuery[0], "nb", previous_nb + 1) session.commit()
def parse(module,message): if(message.startswith("to_string:")): # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() # Fetch application for this session ( could not use self.application # because the usage must be thread local ) shared_pref = String(message[len("to_String:"):]) shared_pref.application_id = module.application.id logging.debug(repr(shared_pref)) session.add(shared_pref) session.commit()
def key(self, typeOfMsg, key): ''' Add a key to the database :param type: :param key: :return: ''' # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() # Fetch application for this session ( could not use self.application # because the usage must be thread local ) application = session.query(Application.Application).get( self.application.id) key = Key(typeOfMsg, key.hex()) logging.debug(repr(key)) query = session.query(Key).filter( Key.application_id == self.application.id).filter( Key.type == key.type).filter(Key.value == key.value) resultQuery = query.all() if len(resultQuery) == 0: application.key.append(key) session.add(key) session.add(application) # else: # previous_nb = getattr(key, "nb") # print(previous_nb) # print(resultQuery[0]) # setattr(resultQuery[0], "nb", previous_nb+1) # print(getattr(resultQuery[0], "nb")) session.commit()
def url(self, url): ''' Add an url to the database :param url: :return: ''' logging.debug("ModuleGeneral:url()") # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() url = Url(url) whitelist = ['0.0.0.0', '172.', '216.58.'] # whitelist = [] add = True if url.ip is not None: for i in whitelist: if url.ip.startswith(i): add = False if add: # Fetch application for this session ( could not use self.application # because the usage must be thread local ) application = session.query(Application.Application).get( self.application.id) logging.debug(repr(url)) application.url.append(url) session.add(url) session.add(application) session.commit()
def parse(module, message, data): if (message['plugin'] == 'dexclassloader'): # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() # Fetch application for this session ( could not use self.application # because the usage must be thread local ) dexclassloader = DexClassLoader(message['dexPath'], message['optimizedDirectory'], message['librarySearchPath'], message['parent'], message['entrypoint'], message['stack']) dexclassloader.application_id = module.application.id logging.debug(repr(dexclassloader)) query = session.query(DexClassLoader).filter( DexClassLoader.application_id == module.application.id ).filter(DexClassLoader.dexPath == dexclassloader.dexPath).filter( DexClassLoader.optimizedDirectory == dexclassloader.optimizedDirectory).filter( DexClassLoader.librarySearchPath == dexclassloader.librarySearchPath).filter( DexClassLoader.parent == dexclassloader.parent).filter( DexClassLoader.entrypoint == dexclassloader.entrypoint) resultQuery = query.all() if len(resultQuery) == 0: session.add(dexclassloader) session.commit()
def parse(module, message, data): if (message['plugin'] == "hash"): # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() # Fetch application for this session ( could not use self.application # because the usage must be thread local ) try: input_value = binascii.unhexlify( message['input_value']).decode('utf-8') except: input_value = binascii.unhexlify(message['input_value']) hash_value = Hash(message['algo'], input_value, binascii.unhexlify(message['output_value']).hex()) hash_value.application_id = module.application.id logging.debug(repr(hash_value)) query = session.query(Hash).filter( Hash.application_id == module.application.id).filter( Hash.algorithm == hash_value.algorithm).filter( Hash.input_value == hash_value.input_value).filter( Hash.output_value == hash_value.output_value) resultQuery = query.all() # Prevent duplicates in DB if len(resultQuery) == 0: session.add(hash_value) session.commit()
def parse(module, message, data): if (message['plugin'] == "cipher"): # Create a thread local session engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() # Fetch application for this session ( could not use self.application # because the usage must be thread local ) key_value = binascii.unhexlify(message["key"]).hex() iv = binascii.unhexlify(message["iv"]).hex() # TODO have link from base64 kind_input = filetype.guess(binascii.unhexlify(message["arg"])) kind_result = filetype.guess(binascii.unhexlify(message["result"])) # print('File extension: %s' % kind.extension) # print('File MIME type: %s' % kind.mime) if message["opmode"] == 1: opmode_info = "ENCRYPT_MODE" try: input_value = binascii.unhexlify(message["arg"]).decode('utf8') except: input_value = base64.b64encode( binascii.unhexlify(message["arg"])).decode('utf8') output_value = binascii.unhexlify(message["result"]).hex() elif message["opmode"] == 2: opmode_info = "DECRYPT_MODE" try: output_value = binascii.unhexlify( message["result"]).decode('utf8') except: output_value = base64.b64encode( binascii.unhexlify(message["result"])).decode('utf8') input_value = binascii.unhexlify(message["arg"]).hex() cipher = Cipher(message["algo"], key_value, iv, opmode_info, input_value, output_value, message["stack"]) cipher.application_id = module.application.id logging.debug(repr(cipher)) query = session.query(Cipher).filter( Cipher.application_id == cipher.application_id ).filter(Cipher.algorithm == cipher.algorithm).filter( Cipher.key == cipher.key).filter(Cipher.iv == cipher.iv).filter( Cipher.opmode == cipher.opmode).filter( Cipher.input_value == cipher.input_value).filter( Cipher.output_value == cipher.output_value) resultQuery = query.all() # Prevent duplicates in DB if len(resultQuery) == 0: session.add(cipher) session.commit()
from lib.model.database.Database import Database from lib.model.Analysis import Analysis import uuid import datetime import configparser from lib.report.ReportGenerator import ReportGenerator if __name__ == '__main__': config = configparser.ConfigParser() config.read("../config/config.ini") Database.set_configuration(config) print(Analysis, Application, Url) engine = Database.get_engine() session_factory = sessionmaker(bind=engine) Session = scoped_session(session_factory) session = Session() Session.remove() analysis = session.query(Analysis).all()[0] for i in range(len(analysis.application)): app = Application(analysis.application[i].path) app.url = analysis.application[i].url analysis.application[i] = app generator = ReportGenerator() generator.generate(analysis, )