def execute(self, symbol):
results = []
toBeAnalyzed = []
if symbol is not None:
toBeAnalyzed.append(symbol)
else:
toBeAnalyzed.extend(self.project.getVocabulary().getSymbols())
for symbol in toBeAnalyzed:
searchTask = SearchTask(
"URL Data Carver",
"((http:\/\/|https:\/\/)?(www\.)?(([a-z0-9\-]){2,}\.){1,4}([a-z]){2,6}(\/([a-z\-_\/\.0-9#:?+%=&;,])*)?)",
"URL",
)
## TODO: put this things in a dedicated class
infoCarvers = {
"url": re.compile(
"((http:\/\/|https:\/\/)?(www\.)?(([a-z0-9\-]){2,}\.){1,4}([a-z]){2,6}(\/([a-z\-_\/\.0-9#:?+%=&;,])*)?)"
),
"email": re.compile("[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}"),
"ip": re.compile(
"(((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"
),
}
foundValues = []
tasks = []
# Execute the search operation in String mode
for (carver, regex) in infoCarvers.items():
currentTask = SearchTask(carver, None, carver)
taskResults = []
for message in symbol.getMessages():
strData = TypeConvertor.netzobRawToString(message.getReducedStringData())
for match in regex.finditer(strData):
if match is None:
taskResult = SearchResult(message, "Data Carving: {0}".format(carver))
taskResult.addSegment(0, len(message.getReducedStringData()))
taskResults.append(taskResult)
else:
taskResult = SearchResult(message, "Data Carving: {0}".format(carver))
taskResult.addSegment(match.start(0) * 2, match.end(0) * 2)
taskResults.append(taskResult)
if len(taskResults) > 0:
currentTask.registerResults(taskResults, "Data Carving: {0}".format(carver))
tasks.append(currentTask)
results.append(tasks)
return results
def loadFromXML(xmlRoot, namespace_common, version):
if version == "0.1":
idData = xmlRoot.get('id')
nameData = xmlRoot.get('name')
typeData = xmlRoot.get('type')
hexValueData = None
if xmlRoot.find("{" + namespace_common + "}value") is not None:
hexValueData = xmlRoot.find("{" + namespace_common + "}value").text
if hexValueData is None:
valueData = ""
else:
valueData = TypeConvertor.netzobRawToString(hexValueData)
if idData is not None and nameData is not None and typeData is not None and valueData is not None:
return ApplicativeData(uuid.UUID(idData), nameData, typeData, valueData)
else:
return None
return None
def execute(self, symbol):
results = []
toBeAnalyzed = []
if symbol is not None:
toBeAnalyzed.append(symbol)
else:
toBeAnalyzed.extend(self.project.getVocabulary().getSymbols())
for symbol in toBeAnalyzed:
searchTask = SearchTask("URL Data Carver", "((http:\/\/|https:\/\/)?(www\.)?(([a-z0-9\-]){2,}\.){1,4}([a-z]){2,6}(\/([a-z\-_\/\.0-9#:?+%=&;,])*)?)", "URL")
## TODO: put this things in a dedicated class
infoCarvers = {
'url': re.compile("((http:\/\/|https:\/\/)?(www\.)?(([a-z0-9\-]){2,}\.){1,4}([a-z]){2,6}(\/([a-z\-_\/\.0-9#:?+%=&;,])*)?)"),
'email': re.compile("[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}"),
'ip': re.compile("(((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))")
}
foundValues = []
tasks = []
# Execute the search operation in String mode
for (carver, regex) in infoCarvers.items():
currentTask = SearchTask(carver, None, carver)
taskResults = []
for message in symbol.getMessages():
strData = TypeConvertor.netzobRawToString(message.getReducedStringData())
for match in regex.finditer(strData):
if match is None:
taskResult = SearchResult(message, "Data Carving: {0}".format(carver))
taskResult.addSegment(0, len(message.getReducedStringData()))
taskResults.append(taskResult)
else:
taskResult = SearchResult(message, "Data Carving: {0}".format(carver))
taskResult.addSegment(match.start(0) * 2, match.end(0) * 2)
taskResults.append(taskResult)
if len(taskResults) > 0:
currentTask.registerResults(taskResults, "Data Carving: {0}".format(carver))
tasks.append(currentTask)
results.append(tasks)
return results
def loadFromXML(xmlRoot, namespace_common, version):
if version == "0.1":
idData = xmlRoot.get('id')
nameData = xmlRoot.get('name')
typeData = xmlRoot.get('type')
hexValueData = None
if xmlRoot.find("{" + namespace_common + "}value") is not None:
hexValueData = xmlRoot.find("{" + namespace_common +
"}value").text
if hexValueData is None:
valueData = ""
else:
valueData = TypeConvertor.netzobRawToString(hexValueData)
if idData is not None and nameData is not None and typeData is not None and valueData is not None:
return ApplicativeData(uuid.UUID(idData), nameData, typeData,
valueData)
else:
return None
return None
def apply(self, message):
if self.unitsize != UnitSize.NONE:
# First we apply the unit size
# Default modulo = 2 => 8BITS
if self.unitsize == UnitSize.BIT:
modulo = 1
else:
modulo = UnitSize.getSizeInBits(self.unitsize) / 4
splittedData = []
tmpResult = ""
for i in range(0, len(message)):
if i > 0 and i % modulo == 0:
splittedData.append(tmpResult)
tmpResult = ""
tmpResult = tmpResult + message[i]
splittedData.append(tmpResult)
else:
splittedData = [message]
encodedSplittedData = []
# Now we have the message splitted per unit size
# we apply endianess on it
# we consider the normal mode is big-endian
for i in range(0, len(splittedData)):
origNetzobRaw = splittedData[i]
# SPECIAL CASE : ASCII we do not compute endianess neither signed/unsigned
if not self.formatType == Format.STRING and UnitSize.getSizeInBits(self.unitsize) >= 8 and not self.formatType == Format.BINARY:
tmpVal = UnitSize.getSizeInBits(self.unitsize) / 4 - len(origNetzobRaw)
if self.endianness == Endianess.BIG:
netzobRaw = (tmpVal * "0") + origNetzobRaw
else:
netzobRaw = origNetzobRaw + (tmpVal * "0")
# Convert in Python raw
pythonraw = TypeConvertor.netzobRawToPythonRaw(netzobRaw)
# Create transformer
# - ENDIANESS
transformer = ">"
if self.endianness == Endianess.LITTLE:
transformer = "<"
# - SIGNED/UNISGNED
if self.sign == Sign.SIGNED:
transformer = transformer + (UnitSize.getPackDefiniton(self.unitsize)).lower()
else:
transformer = transformer + (UnitSize.getPackDefiniton(self.unitsize)).upper()
# Apply the transformation
(unpackRaw,) = struct.unpack(transformer, pythonraw)
localResult = ""
fmt = "%" + str(UnitSize.getMaxDigitForTypeAndUnitSize(self.formatType, self.unitsize))
if self.formatType == Format.OCTAL:
localResult = (fmt + "o") % unpackRaw
elif self.formatType == Format.DECIMAL:
localResult = (fmt + "d") % unpackRaw
elif self.formatType == Format.HEX:
localResult = (fmt + "s") % origNetzobRaw
encodedSplittedData.append(localResult)
elif self.formatType == Format.STRING:
encodedSplittedData.append(TypeConvertor.netzobRawToString(origNetzobRaw))
elif self.formatType == Format.BINARY:
encodedSplittedData.append(TypeConvertor.netzobRawToBinary(origNetzobRaw))
elif self.formatType == Format.IPv4:
encodedSplittedData.append(TypeConvertor.netzobRawToIPv4(origNetzobRaw))
elif UnitSize.getSizeInBits(self.unitsize) < UnitSize.getSizeInBits(UnitSize.BITS8):
encodedSplittedData.append(TypeConvertor.encodeNetzobRawToGivenType(origNetzobRaw, self.formatType))
# Before sending back (;D) we join everything
return " ".join(encodedSplittedData)
def apply(self, message):
if self.unitsize != UnitSize.NONE:
# First we apply the unit size
# Default modulo = 2 => 8BITS
if self.unitsize == UnitSize.BIT:
modulo = 1
else:
modulo = UnitSize.getSizeInBits(self.unitsize) / 4
splittedData = []
tmpResult = ""
for i in range(0, len(message)):
if i > 0 and i % modulo == 0:
splittedData.append(tmpResult)
tmpResult = ""
tmpResult = tmpResult + message[i]
splittedData.append(tmpResult)
else:
splittedData = [message]
encodedSplittedData = []
# Now we have the message splitted per unit size
# we apply endianess on it
# we consider the normal mode is big-endian
for i in range(0, len(splittedData)):
origNetzobRaw = splittedData[i]
# SPECIAL CASE : ASCII we do not compute endianess neither signed/unsigned
if not self.formatType == Format.STRING and UnitSize.getSizeInBits(
self.unitsize
) >= 8 and not self.formatType == Format.BINARY:
tmpVal = UnitSize.getSizeInBits(
self.unitsize) / 4 - len(origNetzobRaw)
if self.endianness == Endianess.BIG:
netzobRaw = (tmpVal * "0") + origNetzobRaw
else:
netzobRaw = origNetzobRaw + (tmpVal * "0")
# Convert in Python raw
pythonraw = TypeConvertor.netzobRawToPythonRaw(netzobRaw)
# Create transformer
# - ENDIANESS
transformer = ">"
if self.endianness == Endianess.LITTLE:
transformer = "<"
# - SIGNED/UNISGNED
if self.sign == Sign.SIGNED:
transformer = transformer + (UnitSize.getPackDefiniton(
self.unitsize)).lower()
else:
transformer = transformer + (UnitSize.getPackDefiniton(
self.unitsize)).upper()
# Apply the transformation
(unpackRaw, ) = struct.unpack(transformer, pythonraw)
localResult = ""
fmt = "%" + str(
UnitSize.getMaxDigitForTypeAndUnitSize(
self.formatType, self.unitsize))
if self.formatType == Format.OCTAL:
localResult = (fmt + "o") % unpackRaw
elif self.formatType == Format.DECIMAL:
localResult = (fmt + "d") % unpackRaw
elif self.formatType == Format.HEX:
localResult = (fmt + "s") % origNetzobRaw
encodedSplittedData.append(localResult)
elif self.formatType == Format.STRING:
encodedSplittedData.append(
TypeConvertor.netzobRawToString(origNetzobRaw))
elif self.formatType == Format.BINARY:
encodedSplittedData.append(
TypeConvertor.netzobRawToBinary(origNetzobRaw))
elif self.formatType == Format.IPv4:
encodedSplittedData.append(
TypeConvertor.netzobRawToIPv4(origNetzobRaw))
elif UnitSize.getSizeInBits(
self.unitsize) < UnitSize.getSizeInBits(UnitSize.BITS8):
encodedSplittedData.append(
TypeConvertor.encodeNetzobRawToGivenType(
origNetzobRaw, self.formatType))
# Before sending back (;D) we join everything
return " ".join(encodedSplittedData)
