예제 #1
0
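def directory_learn(args):
    """ Learns an entire directory and its inner directories to db

    Walks ``args.PATH`` with an explicit work list, skipping symlinks so a
    link pointing back up the tree cannot cause an endless walk. Every
    regular file is either read as a pre-computed signature file
    (``args.sigsOnly``) or disassembled through ``malget``, and then handed
    to ``mallearn``. Failures are reported per file and the walk continues.

    Args:
        args: parsed command-line namespace. Reads ``PATH``, ``sigsOnly``
            and ``unpack``; overwrites ``filenames`` with the current file's
            path before each ``mallearn`` call.

    Returns:
        None. """

    root = args.PATH
    # Work list of paths relative to ``root``. Appending to the list while it
    # is being iterated is deliberate: the entries of each subdirectory are
    # enqueued at the end and picked up by the same loop (breadth-first).
    pending = os.listdir(root)
    for rel in pending:
        path = os.path.join(root, rel)
        try:
            # Check for links so we don't accidently get an infinite loop.
            if os.path.islink(path):
                continue
            # Extend the list of files by one layer.
            if os.path.isdir(path):
                pending.extend(os.path.join(rel, x) for x in os.listdir(path))
                continue
            # Learn the sigs if path isn't to a folder or link.
            if args.sigsOnly is True:
                # Signature file: first line is the binary hash, the rest are
                # the individual hashes. ``with`` closes the handle even when
                # check_format() raises (the old code leaked it on that path).
                with open(path, "r") as sig_file:
                    binary_hash = sig_file.readline().strip()
                    hash_list = [line.strip() for line in sig_file]
                check_format(binary_hash, hash_list)
            else:
                # Sizes are not needed when learning, only the hashes.
                hash_tuple, _sizes = malget.malget(path, args.unpack)
                binary_hash = hash_tuple[0]
                hash_list = [x.strip() for x in hash_tuple[1]]
            print("Adding {0} to database...".format(path))
            args.filenames = path
            filetype = get_filetype(path)
            mallearn(args, binary_hash, hash_list, filetype)
            print("-" * 30)
        except ValueError:
            print("That file cannot be disassembled")
            print("-" * 30)
            continue
        # Warning subclasses Exception, so it must be caught before the
        # generic handler below or this branch would be unreachable.
        except Warning:
            print("That file is already in the database, use the -o flag to "
                  "overwrite")
            print("-" * 30)
            continue
        except Exception as err:
            # Best-effort boundary: report and keep walking the directory.
            print("There was an error reading that file, are you sure it "
                  "was an executable?\nError Information:")
            print('\t', type(err))
            print('\t', err)
            print("-" * 30)
            continue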
예제 #2
0
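def main():
    """ Learns the given binary to the database. Used if you know if a binary is
    good or bad (Notepad vs. a known malware)

    Usage:
       python3 mallearn malware.exe blacklist -a 'Bad Guy' -c 'Some malware'
       python3 mallearn notepad.exe whitelist -a 'Microsoft' -D 'test.db'

    Returns:
        True when the path was processed (a directory always counts as
        processed; directory_learn() reports its own per-file failures),
        False when learning the single file failed. """

    args = argparse_setup()

    # Check if path is a directory, if so, run mal-get and mal-learn
    # for the entire directory
    if os.path.isdir(args.PATH):
        directory_learn(args)
        return True

    path = args.PATH
    try:
        # This makes sure if sigsOnly is used that it follows
        # the binary_hash, hash_list format
        if args.sigsOnly is True:
            # ``with`` closes the handle even if check_format() raises;
            # the previous explicit close() was skipped on that path.
            with open(path, "r") as sig_file:
                binary_hash = sig_file.readline().strip()
                hash_list = [line.strip() for line in sig_file]
            check_format(binary_hash, hash_list)
        else:
            # Sizes are not needed when learning, only the hashes.
            hash_tuple, _sizes = malget.malget(path, args.unpack)
            binary_hash = hash_tuple[0]
            hash_list = [x.strip() for x in hash_tuple[1]]
        # Fall back to the path as the stored name unless the user gave one.
        if args.filenames == 'unknown':
            args.filenames = path
        filetype = get_filetype(path)
        mallearn(args, binary_hash, hash_list, filetype)
    except ValueError:
        print("That file cannot be disassembled")
        return False
    # Warning subclasses Exception; keep it ahead of the generic handler.
    except Warning:
        print("That file is already in the database, use the -o flag to "
              "overwrite")
        return False
    except Exception as err:
        # Top-level boundary: report the failure and signal it via the result.
        print("There was an error reading that file, are you sure it "
              "was an executable?\nError Information:")
        print('\t', type(err))
        print('\t', err)
        return False
    return True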
예제 #3
0
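def main():
    """ Run malfunction, a tool for software analysis

    Usage: python3 malfunction.py <file>

    Returns:
        True when the path was processed (a directory always counts as
        processed; directory_malfunction() reports its own per-file
        failures), False when the path was rejected or analysing the
        single file failed. """

    args = argparse_setup()

    # TODO: Make files with spaces compatible
    # Any path containing "\ " also contains " ", so one test suffices.
    # NOTE(review): this is a usability guard, not a safety one -- if malget
    # hands the path to a shell, other shell metacharacters would need
    # handling there as well (pass argv as a list rather than a command
    # string); confirm in malget.
    if " " in args.PATH:
        print("The radare2 commands we are using for disassembly do not "
              "play nice with spaces in the filename. Rename the file")
        return False

    cursor = prepare_database(args.leave_db_on_disk, args.database)

    path = args.PATH
    if os.path.isdir(path):
        directory_malfunction(args, cursor)
        return True

    try:
        hash_tuple, size_list = malget.malget(path, args.unpack)
        filetype = get_filetype(path)
        compute_score(cursor, hash_tuple, size_list, filetype,
                      args.add_strong_matches, args.all, args.debug)
    except ValueError:
        print("That file cannot be disassembled")
        return False
    # Warning subclasses Exception, so it must be caught before the generic
    # handler; in the previous order this branch could never run.
    except Warning:
        print("That file is already in the database.")
        return False
    except Exception as err:
        # Top-level boundary: report the failure and signal it via the result.
        print("There was an error reading that file, are you sure it "
              "was an executable?\nError Information:")
        print('\t', type(err))
        print('\t', err)
        return False
    return True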
예제 #4
0
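def directory_malfunction(args, cursor):
    """ Runs malfunction on a folder and all files within

    Walks ``args.PATH`` with an explicit work list, skipping symlinks so a
    link pointing back up the tree cannot loop, and scores every regular
    file with compute_score(). Failures are reported per file and the walk
    continues.

    Args:
        args: parsed command-line namespace. Reads ``PATH``, ``unpack``,
            ``add_strong_matches``, ``all`` and ``debug``.
        cursor: open database cursor passed through to compute_score().

    Returns:
        None. """

    root = args.PATH
    # Work list of paths relative to ``root``. Appending to the list while it
    # is being iterated is deliberate: the entries of each subdirectory are
    # enqueued at the end and picked up by the same loop (breadth-first).
    pending = os.listdir(root)
    for rel in pending:
        path = os.path.join(root, rel)
        try:
            # Don't follow links so we don't end up in loops.
            if os.path.islink(path):
                continue
            # Extend the list if the path points to a directory
            if os.path.isdir(path):
                pending.extend(os.path.join(rel, x) for x in os.listdir(path))
                continue
            hash_tuple, size_list = malget.malget(path, args.unpack)
            filetype = get_filetype(path)
            compute_score(cursor, hash_tuple, size_list, filetype,
                          args.add_strong_matches, args.all, args.debug)
            print("-" * 30)
        except ValueError:
            print("That file cannot be disassembled")
            print("-" * 30)
            continue
        # Warning subclasses Exception, so it must be caught before the
        # generic handler; in the previous order this branch could never run.
        except Warning:
            print("That file is already in the database.")
            print("-" * 30)
            continue
        except Exception as err:
            # Best-effort boundary: report and keep walking the directory.
            print("There was an error reading that file, are you sure it "
                  "was an executable?\nError Information:")
            print('\t', type(err))
            print('\t', err)
            print("-" * 30)
            continue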
예제 #5
0
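def main():
    """ Run malfunction, a tool for software analysis

    Usage: python3 malfunction.py <file>

    Returns:
        True when the path was processed (a directory always counts as
        processed; directory_malfunction() reports its own per-file
        failures), False when the path was rejected or analysing the
        single file failed. """

    args = argparse_setup()

    # TODO: Make files with spaces compatible
    # Any path containing "\ " also contains " ", so one test suffices.
    # NOTE(review): this is a usability guard, not a safety one -- if malget
    # hands the path to a shell, other shell metacharacters would need
    # handling there as well (pass argv as a list rather than a command
    # string); confirm in malget.
    if " " in args.PATH:
        print("The radare2 commands we are using for disassembly do not "
              "play nice with spaces in the filename. Rename the file")
        return False

    cursor = prepare_database(args.leave_db_on_disk, args.database)

    path = args.PATH
    if os.path.isdir(path):
        directory_malfunction(args, cursor)
        return True

    try:
        hash_tuple, size_list = malget.malget(path, args.unpack)
        filetype = get_filetype(path)
        compute_score(cursor, hash_tuple, size_list, filetype,
                      args.add_strong_matches, args.all, args.debug)
    except ValueError:
        print("That file cannot be disassembled")
        return False
    # Warning subclasses Exception, so it must be caught before the generic
    # handler; in the previous order this branch could never run.
    except Warning:
        print("That file is already in the database.")
        return False
    except Exception as err:
        # Top-level boundary: report the failure and signal it via the result.
        print("There was an error reading that file, are you sure it "
              "was an executable?\nError Information:")
        print('\t', type(err))
        print('\t', err)
        return False
    return True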
예제 #6
0
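def directory_malfunction(args, cursor):
    """ Runs malfunction on a folder and all files within

    Walks ``args.PATH`` with an explicit work list, skipping symlinks so a
    link pointing back up the tree cannot loop, and scores every regular
    file with compute_score(). Failures are reported per file and the walk
    continues.

    Args:
        args: parsed command-line namespace. Reads ``PATH``, ``unpack``,
            ``add_strong_matches``, ``all`` and ``debug``.
        cursor: open database cursor passed through to compute_score().

    Returns:
        None. """

    root = args.PATH
    # Work list of paths relative to ``root``. Appending to the list while it
    # is being iterated is deliberate: the entries of each subdirectory are
    # enqueued at the end and picked up by the same loop (breadth-first).
    pending = os.listdir(root)
    for rel in pending:
        path = os.path.join(root, rel)
        try:
            # Don't follow links so we don't end up in loops.
            if os.path.islink(path):
                continue
            # Extend the list if the path points to a directory
            if os.path.isdir(path):
                pending.extend(os.path.join(rel, x) for x in os.listdir(path))
                continue
            hash_tuple, size_list = malget.malget(path, args.unpack)
            filetype = get_filetype(path)
            compute_score(cursor, hash_tuple, size_list, filetype,
                          args.add_strong_matches, args.all, args.debug)
            print("-" * 30)
        except ValueError:
            print("That file cannot be disassembled")
            print("-" * 30)
            continue
        # Warning subclasses Exception, so it must be caught before the
        # generic handler; in the previous order this branch could never run.
        except Warning:
            print("That file is already in the database.")
            print("-" * 30)
            continue
        except Exception as err:
            # Best-effort boundary: report and keep walking the directory.
            print("There was an error reading that file, are you sure it "
                  "was an executable?\nError Information:")
            print('\t', type(err))
            print('\t', err)
            print("-" * 30)
            continue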