 def parse_ida_cmds(self, sid, functions):
     """
         Replay the IDA commands dumped by AnalyzeIt for this sample.

         Reads ``<storage_file>.idacmd`` line by line: ``idc.MakeName``
         lines rename the matching entry of *functions* and record a name
         action, ``idc.MakeRptCmt`` lines record a comment action, any
         other line is logged at debug level and skipped. Every recorded
         action is attached to sample *sid* via
         SampleController.add_idaaction.

         Note: ``dict.copy`` is shallow, so the per-function dicts held in
         *functions* are the caller's own objects and are renamed in place.

         Returns the (shallow) copy of *functions*; it is returned untouched
         when the command file does not exist.
     """
     controller = IDAActionsController()
     result = dict.copy(functions)
     cmd_file = self.storage_file + '.idacmd'
     if not os.path.exists(cmd_file):
         return result

     def recorded_action(line):
         """Return (handled, action) for one dumped command line."""
         if line.startswith('idc.MakeName'):
             addr, name = self.get_addr_data(line)
             try:
                 # propagate the idc.MakeName() name into the functions list
                 result[addr]['name'] = name
             except KeyError:
                 app.logger.debug("No function found for %x" % (addr))
             return True, controller.add_name(addr, name)
         if line.startswith('idc.MakeRptCmt'):
             addr, comment = self.get_addr_data(line)
             return True, controller.add_comment(addr, comment)
         app.logger.debug("Unknown IDA command %s" % (line))
         return False, None

     with open(cmd_file) as cmds:
         for line in cmds:
             handled, action = recorded_action(line)
             if handled:
                 SampleController.add_idaaction(sid, action)
     return result
 def parse_ida_cmds(self, sid, functions):
     """
         Replay the IDA commands dumped by AnalyzeIt for this sample.

         Reads ``<storage_file>.idacmd`` line by line: ``idc.MakeName``
         lines rename the matching entry of *functions* and record a name
         action, ``idc.MakeRptCmt`` lines record a comment action, any
         other line is logged at debug level and skipped. Every recorded
         action is attached to sample *sid* via
         SampleController.add_idaaction, inside an application context.

         Note: ``dict.copy`` is shallow, so the per-function dicts held in
         *functions* are the caller's own objects and are renamed in place.

         Returns the (shallow) copy of *functions*; it is returned untouched
         when the command file does not exist.
     """
     controller = IDAActionsController()
     result = dict.copy(functions)
     cmd_file = self.storage_file + '.idacmd'
     if not os.path.exists(cmd_file):
         return result

     def rename(line):
         """Apply an idc.MakeName line to *result* and build its action."""
         addr, name = self.get_addr_data(line)
         try:
             # propagate the idc.MakeName() name into the functions list
             result[addr]['name'] = name
         except KeyError:
             app.logger.debug("No function found for %x" % (addr))
         return controller.add_name(addr, name)

     def annotate(line):
         """Build the comment action for an idc.MakeRptCmt line."""
         addr, comment = self.get_addr_data(line)
         return controller.add_comment(addr, comment)

     # checked in this order, first matching prefix wins
     handlers = (
         ('idc.MakeName', rename),
         ('idc.MakeRptCmt', annotate),
     )
     with open(cmd_file) as cmds:
         for line in cmds:
             for prefix, handler in handlers:
                 if line.startswith(prefix):
                     action = handler(line)
                     with app.app_context():
                         SampleController.add_idaaction(sid, action)
                     break
             else:
                 app.logger.debug("Unknown IDA command %s" % (line))
     return result
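    def apply_result(self):
        """
        Store the AnalyzeIt results for sample ``self.sid``.

        In order:
          1. registers the text report (``self.txt_report``) through
             SampleController.create_analysis as "analyzeit";
          2. loads ``<storage_file>.sign``, a ``;``-separated list of
             ``machoc_hash:address`` records, into ``[address, hash, name]``
             entries (name empty until an IDA command fills it);
          3. replays ``<storage_file>.idacmd``: ``idc.MakeName::addr::name``
             lines fill in the name of every entry with that address and
             record a name action, ``idc.MakeRptCmt::addr::text`` lines
             record a comment action. Lines with an unparsable address are
             skipped (both kinds), instead of aborting the whole result;
          4. pushes the function list and runs the machoc80 matching.

        Returns True on success.
        Raises IOError when the sample no longer exists in the database.
        """
        sc = SampleController()
        idac = IDAActionsController()
        sample = SampleController.get_by_id(self.sid)
        if sample is None:
            app.logger.error(self.tmessage + "Sample has disappeared...")
            raise IOError(self.tmessage + "Sample has disappeared...")
        app.logger.debug(self.tmessage + "APPLY_RESULT")

        # TXT report
        app.logger.info("Starting analysis creation")
        SampleController.create_analysis(sample, self.txt_report, "analyzeit",
                                         True)

        # MACHOC report: "machoc_hash:address;" records.
        app.logger.info("Starting functions")
        fname = self.storage_file + '.sign'
        functions = []
        if os.path.exists(fname):
            # NOTE: the dump is read as bytes and split with str separators,
            # which only works under Python 2 str semantics; Python 3 would
            # need a decode() here.
            with open(fname, 'rb') as fh:
                raw = fh.read()
            for item in raw.split(";"):
                if ":" not in item:
                    continue
                parts = item.split(":")
                functions.append([parts[1].strip(), parts[0].strip(), ""])

        # Index entries by address text so each MakeName is an O(1) lookup
        # instead of a rescan of the whole list. Several entries may share
        # an address; all of them get the name, as before.
        by_address = {}
        for entry in functions:
            by_address.setdefault(entry[0], []).append(entry)

        # IDA COMMANDS report: names and repeatable comments.
        app.logger.info("Starting idacommands")
        fname = self.storage_file + '.idacmd'
        if os.path.exists(fname):
            with open(fname, 'rb') as fh:
                raw = fh.read()
            for line in raw.split("\n"):
                if line.startswith("idc.MakeName::"):
                    is_name = True
                elif line.startswith("idc.MakeRptCmt::"):
                    is_name = False
                else:
                    continue
                items = line.split("::")
                if len(items) != 3:
                    continue
                addr_txt, value = items[1], items[2]
                if addr_txt.startswith("0x"):
                    addr_txt = addr_txt[2:]
                try:
                    addr = int(addr_txt, 16)
                except ValueError:
                    # malformed address: skip this command, keep the rest
                    app.logger.debug("Skipping IDA command with bad address: %s"
                                     % (line))
                    continue
                if is_name:
                    # update functions list with idc.MakeName() information
                    for entry in by_address.get(addr_txt, ()):
                        entry[2] = value
                    action = idac.add_name(addr, value)
                else:
                    action = idac.add_comment(addr, value)
                SampleController.add_idaaction(sample.id, action)

        # Functions: just push the list
        app.logger.info("Storing actions")
        if functions:
            sc.add_multiple_functions(sample, functions)

        # global machoc match
        app.logger.info("Matching actions")
        sc.match_by_machoc80(sample)
        app.logger.debug(self.tmessage + "END - TIME %i" %
                         (int(time.time()) - self.tstart))

        return True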
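    def apply_result(self):
        """
        Store the AnalyzeIt results for sample ``self.sid``.

        In order:
          1. registers the text report (``self.txt_report``) through
             SampleController.create_analysis as "analyzeit";
          2. loads ``<storage_file>.sign``, a ``;``-separated list of
             ``machoc_hash:address`` records, into ``[address, hash, name]``
             entries (name empty until an IDA command fills it);
          3. replays ``<storage_file>.idacmd``: ``idc.MakeName::addr::name``
             lines fill in the name of every entry with that address and
             record a name action, ``idc.MakeRptCmt::addr::text`` lines
             record a comment action. Lines with an unparsable address are
             skipped (both kinds), instead of aborting the whole result;
          4. pushes the function list and runs the machoc80 matching.

        Returns True on success.
        Raises IOError when the sample no longer exists in the database.
        """
        sc = SampleController()
        idac = IDAActionsController()
        sample = SampleController.get_by_id(self.sid)
        if sample is None:
            app.logger.error(self.tmessage + "Sample has disappeared...")
            raise IOError(self.tmessage + "Sample has disappeared...")
        app.logger.debug(self.tmessage + "APPLY_RESULT")

        # TXT report
        app.logger.info("Starting analysis creation")
        SampleController.create_analysis(
            sample, self.txt_report, "analyzeit", True)

        # MACHOC report: "machoc_hash:address;" records.
        app.logger.info("Starting functions")
        fname = self.storage_file + '.sign'
        functions = []
        if os.path.exists(fname):
            # NOTE: the dump is read as bytes and split with str separators,
            # which only works under Python 2 str semantics; Python 3 would
            # need a decode() here.
            with open(fname, 'rb') as fh:
                raw = fh.read()
            for item in raw.split(";"):
                if ":" not in item:
                    continue
                parts = item.split(":")
                functions.append([parts[1].strip(), parts[0].strip(), ""])

        # Index entries by address text so each MakeName is an O(1) lookup
        # instead of a rescan of the whole list. Several entries may share
        # an address; all of them get the name, as before.
        by_address = {}
        for entry in functions:
            by_address.setdefault(entry[0], []).append(entry)

        # IDA COMMANDS report: names and repeatable comments.
        app.logger.info("Starting idacommands")
        fname = self.storage_file + '.idacmd'
        if os.path.exists(fname):
            with open(fname, 'rb') as fh:
                raw = fh.read()
            for line in raw.split("\n"):
                if line.startswith("idc.MakeName::"):
                    is_name = True
                elif line.startswith("idc.MakeRptCmt::"):
                    is_name = False
                else:
                    continue
                items = line.split("::")
                if len(items) != 3:
                    continue
                addr_txt, value = items[1], items[2]
                if addr_txt.startswith("0x"):
                    addr_txt = addr_txt[2:]
                try:
                    addr = int(addr_txt, 16)
                except ValueError:
                    # malformed address: skip this command, keep the rest
                    app.logger.debug("Skipping IDA command with bad address: %s"
                                     % (line))
                    continue
                if is_name:
                    # update functions list with idc.MakeName() information
                    for entry in by_address.get(addr_txt, ()):
                        entry[2] = value
                    action = idac.add_name(addr, value)
                else:
                    action = idac.add_comment(addr, value)
                SampleController.add_idaaction(sample.id, action)

        # Functions: just push the list
        app.logger.info("Storing actions")
        if functions:
            sc.add_multiple_functions(sample, functions)

        # global machoc match
        app.logger.info("Matching actions")
        sc.match_by_machoc80(sample)
        app.logger.debug(self.tmessage + "END - TIME %i" %
                         (int(time.time()) - self.tstart))

        return True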