def test_add_collections(self):
    """Each ``add_named_*_collection`` call must create a collection that the matching ``add_*`` call can target by name."""
    bundle = Bundle()

    bundle.add_named_action_collection("Actions")
    bundle.add_action(MalwareAction(), "Actions")
    self.assertTrue(bundle.collections.action_collections.has_collection("Actions"))

    bundle.add_named_object_collection("Objects")
    bundle.add_object(Object(), "Objects")
    self.assertTrue(bundle.collections.object_collections.has_collection("Objects"))

    bundle.add_named_behavior_collection("Behaviors")
    bundle.add_behavior(Behavior(), "Behaviors")
    self.assertTrue(bundle.collections.behavior_collections.has_collection("Behaviors"))

    bundle.add_named_candidate_indicator_collection("Indicators")
    bundle.add_candidate_indicator(CandidateIndicator(), "Indicators")
    self.assertTrue(
        bundle.collections.candidate_indicator_collections.has_collection("Indicators")
    )
def mkActionList(subject,mkclass):
    """Turn the per-category entries of a sandbox report into MAEC actions and behaviors.

    ``subject`` is treated as a mapping whose keys name report sections
    (``registry_reads``, ``file_writes``, ...) and whose values are iterables of
    raw entries; ``subject['overview']['analysis_reason']`` is read for the
    behavior description.  Keys present in ``token`` are converted with the
    matching builder function; every other key is only reported.  ``mkclass``
    must expose ``bundle.actions`` and ``bundle.als`` lists.  The result is
    handed to ``mkSubject.xmlwrite`` (not defined in this block) rather than
    returned.

    NOTE(review): written for Python 2 (``print`` statement, ``dict.has_key``).
    """
    # Maps a report section name to the builder that converts one raw entry of
    # that section into a MAEC action.  The commented-out keys are sections
    # this converter deliberately does not handle.
    token= {
        "registry_reads": registry_reads,
        "file_reads": file_reads,
        "loaded_libraries": loaded_libraries,
        #"process": process_action,
        #"overview": overview,
        "registry_deletions": registry_deletions,
        "file_writes": file_writes,
        #"process_interactions": process_interactions,
        #"raised_exceptions": raised_exceptions,
        "mutex_opens": mutex_opens,
        "dns_queries": dns_queries,
        "mutex_creates": mutex_create,
        "file_deletes": file_delete,
        "modified_libraries" : modified_libraries,
        "http_conversations" : http_conversations
    }
    # NOTE(review): a single Behavior / BehavioralActions pair is created here
    # and reused for every handled key below, so ``bls`` ends up holding the
    # same object several times, each time with the last key's actions.
    b = Behavior()
    ba = BehavioralAction()
    bas = BehavioralActions()
    #ba.behavioral_ordering
    bas.action = ba
    b.description = subject['overview']['analysis_reason']
    bls = []
    # NOTE(review): ``als`` is never appended to in this function; the actions
    # go to ``mkclass.bundle.als`` instead, so ``ActionList(als)`` below is
    # always built from an empty list -- confirm which list was intended.
    als = []
    for k,v in subject.items():
        if token.has_key(k):
            actions = []
            for n in v:
                act = token[k](n)  # build the action for this entry
                mkclass.bundle.actions.append(act)
                actions.append(act)
                mkclass.bundle.als.append(act)
            else:
                # Collect the section's actions into the bundle.  There is no
                # ``break`` in the loop above, so this ``else`` runs after every
                # section, including an empty one.
                if len(actions) == 0:
                    print "action Null:", k
                bas.action = actions
                b.action_composition = bas
                bls.append(b)
        else:
            print "This Key is not Checked:",k
    else:
        # Runs once the outer loop finishes.  ``als`` was bound to a list
        # above, so the ``None`` check can never be true.
        if als is None :
            print "ActionListNone:",subject['overview']
        mkSubject.xmlwrite(ActionList(als),BehaviorList(bls))
def create_behavior(self,id=None,description=None,ordinal_position=None,status=None,duration=None,behavior_purpose=None,discovery_method=None,action=None,action_equivalence_reference=None, action_reference=None,associated_code=None):
    """Assemble a ``Behavior`` from loose attributes.

    ``behavior_purpose`` is applied only when it is a ``BehaviorPurpose``
    instance; any other value is dropped without error.  An action
    composition is attached only when at least one of ``action``,
    ``action_equivalence_reference`` or ``action_reference`` is given.
    ``associated_code``, when given, is iterated and only its ``Code``
    instances are kept.

    Returns the new ``Behavior``.
    """
    behavior = Behavior(id=id,description=description)
    behavior.ordinal_position = ordinal_position
    behavior.status = status
    behavior.duration = duration
    if isinstance(behavior_purpose,BehaviorPurpose):
        behavior.purpose = behavior_purpose
    behavior.discovery_method = discovery_method

    composition_inputs = (action, action_equivalence_reference, action_reference)
    if any(value is not None for value in composition_inputs):
        behavior.action_composition = BehavioralActions()
        composition = behavior.action_composition
        composition.action = action
        composition.action_reference = action_reference
        composition.action_equivalence_reference = action_equivalence_reference

    if associated_code is not None:
        behavior.associated_code = AssociatedCode()
        # Non-Code entries are skipped silently, as in the original contract.
        for code in associated_code:
            if not isinstance(code,Code):
                continue
            behavior.associated_code.append(code)
    return behavior
def test_to_xml_no_encoding(self):
    """With ``encoding=None`` the serializer must return a ``unicode`` text object that still carries the description."""
    behavior = Behavior()
    behavior.description = UNICODE_STR
    rendered = behavior.to_xml(encoding=None)
    self.assertTrue(isinstance(rendered, unicode))
    self.assertTrue(UNICODE_STR in rendered)
def test_to_xml_default_encoded(self):
    """The default serializer output must decode as UTF-8 and still contain the non-ASCII description."""
    behavior = Behavior()
    behavior.description = UNICODE_STR
    rendered = behavior.to_xml()
    decoded = rendered.decode('utf-8')
    self.assertTrue(UNICODE_STR in decoded)
def test_to_xml_utf16_encoded(self):
    """An explicit UTF-16 encoding must round-trip the description through ``decode``."""
    behavior = Behavior()
    behavior.description = UNICODE_STR
    chosen_encoding = 'utf-16'
    decoded = behavior.to_xml(encoding=chosen_encoding).decode(chosen_encoding)
    self.assertTrue(UNICODE_STR in decoded)
def test_behavior(self):
    """A Behavior's description must survive a serialize/parse round trip."""
    original = Behavior()
    original.description = UNICODE_STR
    restored = round_trip(original)
    self.assertEqual(original.description, restored.description)
def test_to_xml_no_encoding(self):
    """With ``encoding=None`` the serializer must return a text object (``text_type``) that still carries the description."""
    behavior = Behavior()
    behavior.description = UNICODE_STR
    rendered = behavior.to_xml(encoding=None)
    self.assertTrue(isinstance(rendered, text_type))
    self.assertTrue(UNICODE_STR in rendered)
# Action: installation of a low-level keyboard hook.  The hook itself is
# recorded as an associated object of the action, flagged as its "output".
act = MalwareAction()
act.name = "add windows hook"
act.name.xsi_type = "maecVocabs:HookingActionNameVocab-1.0"
act.associated_objects = AssociatedObjects()

o1 = AssociatedObject()
o1.properties = WinHook()
o1.properties.type_ = "WH_KEYBOARD_LL"
association = VocabString()
association.value = "output"
association.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
o1.association_type = association
act.associated_objects.append(o1)

# Behavior: composed of a reference to the action above (by id), not an
# embedded copy of it.
bhv = Behavior()
bhv.action_composition = BehavioralActions()
bhv.action_composition.action_reference = [BehavioralActionReference()]
bhv.action_composition.action_reference[0].action_id = act.id_

# Capability: "spying", refined by one tactical objective that in turn
# references the behavior by id.
cap = Capability()
cap.name = "spying"

obj = CapabilityObjective()
objective_name = VocabString()
objective_name.value = "capture keyboard input"
objective_name.xsi_type = "maecVocabs:SpyingTacticalObjectivesVocab-1.0"
obj.name = objective_name
obj.behavior_reference = [BehaviorReference()]
obj.behavior_reference[0].behavior_idref = bhv.id_
cap.add_tactical_objective(obj)