def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict: if target_file.get_extension() in ["", ".sh", ".py", ".rb", ".java", ".class", ".pl", ".exe", ".out", ".ps", ".bat", ".air", ".scr", ".vb", ".com", ".dll", ".bin", ".apk", ".app", ".cgi", ".cmd", ".wsf", ".ipa", ".pif", ".gadget", ".docm", ".dotm", ".xlsm", ".xltm", ".pptm", "potm"]: return {"skipped:", "extension not interesting to analyse"} if self.get_params() is None or APIKEY not in self.get_params(): return {"error": APIKEY + " is required"} virus_total_report = virustotalapi.check_hash(self.get_params()[APIKEY], virustotalapi.get_MD5_hash(target_file.get_binary())) if "error" in virus_total_report: return virus_total_report result = {'positives': 0} if virus_total_report['response_code'] == 1: result['positives'] = virus_total_report['positives'] result['total'] = virus_total_report['total'] avDetections = {} for av_name, av_data in virus_total_report['scans'].items(): if av_data['result'] is None: avDetections[av_name] = "None" else: avDetections[av_name] = av_data['result'] result['avDetections'] = avDetections return result
def test_info(self): path = "./tests/examples/importantinfo.txt" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run( target_file, { "strings": { "elements": auxiliar.get_str_utf_8_from_bytes(target_file.get_binary()) } }) self.assertEqual( result["emails"], ['*****@*****.**', '*****@*****.**', '*****@*****.**']) self.assertEqual(result["IBANs"], [ 'ES12 3456 7890 1234 5678 9012', 'ES1234567890123456789012', 'ES12-3456-7890-1234-5678-9011' ]) self.assertEqual(result["URLs"], [ 'http://google.es', 'http://facebook.com', 'ftp://localhost:2222', 'mysql://host:puerto/database', 'http://iamgenmolona.com' ]) self.assertEqual(result["Bitcoin"], ['3KVkBhzGfAH4s4tGZA9yfbUJwhcwHBkdKC'])
def test_string_ignore_extensions(self): path = "./tests/examples/barcode.gif" target_file = TargetFile(path) module = Constructor() module.set_params({"char_min": 5, "ignore_extensions": ".txt,.gif"}) self.assertFalse(module.is_valid_for(target_file)) path = "./tests/examples/wordlist.txt" target_file = TargetFile(path) self.assertFalse(module.is_valid_for(target_file))
def _run(self, target_file: TargetFile, pwd_list: list): result = {} result["new_files"] = [] result["new_path_files"] = [] binary = None decripted_password = None with ZipFile(target_file.get_path(), 'r') as zip: for info in zip.infolist(): if info.filename[-1] == '/': #it is a dir, so ignore, then we create the dirs continue try: with zip.open(info.filename, 'r') as file: binary = file.read() except: pass if not binary: "probamos con contraseña" for pwd in pwd_list: try: binary = self._decrypt_with_password( info.filename, pwd) if binary: decripted_password = pwd break except: pass if not binary: "probamos con contraseña y algoritmo de cifrado AES" for pwd in pwd_list: try: binary = self._decrypt_AES_WithPassword( target_file, info.filename, pwd) if binary: decripted_password = pwd break except: pass if binary: path_saved = Safe.create_file( os.path.join( "./zipextractor", "./" + os.path.join( target_file.get_path(), info.filename)), binary) result["new_files"].append(info.filename) result["new_path_files"].append(path_saved) if decripted_password: result["password"] = decripted_password.decode() else: result[ "error"] = "Bad password or wrong decrypted algorithm" return result
def test_load_from_path(self): collie_path = "./tests/examples/collie.jpg" target_file = TargetFile(collie_path) self.assertEqual(target_file.get_extension(), ".jpg") self.assertTrue("JPEG" in target_file.get_type()) self.assertEqual(target_file.get_name(), "collie.jpg") self.assertEqual(len(target_file.get_binary()), 19863) self.assertEqual(target_file.get_path(), collie_path) self.assertEqual(target_file.get_directory(), "./tests/examples") self.assertEqual(target_file.get_info()["extension"], target_file.get_extension())
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict: fullmft = self.parse_mft(target_file.get_path()) mft_objects = [] for key, value, in fullmft.items(): info = self._get_interesing_info(value) if info is not None: info["path"] = target_file.get_path() mft_objects.append(info) piped = utils.pipe_to_another_output(self._params, mft_objects) return { "n_mft_objects": len(mft_objects) } if piped else { "mft": mft_objects }
def test_collie(self): path = "./tests/examples/collie.jpg" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertEqual(result["shannon"], 7.959996962590177)
def test_gun(self): path = "./tests/examples/gun.jpg" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertEqual(result["shannon"], 7.779575538213808)
def test_parser_mft(self): path = "./tests/examples/MFT" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertEqual(len(result["mft"]), 13068)
def test_without_apikey(self): path = "./tests/examples/collie.jpg" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertEqual(result["error"], "apikey is required")
def test_read_evtx2(self): path = "./tests/examples/evtx/System.evtx" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertTrue(len(result["events"]) != 0)
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict: return { "content": self._extract_text(target_file.get_path(), self._get_server_param()) }
def test_unzip_with_password(self): output_safe_directory = "./tests/examples/safe_directory" Safe.safe_output_path = os.path.abspath(output_safe_directory) final_file = os.path.abspath("./tests/examples/safe_directory/") + \ "/zipextractor/" + \ os.path.abspath("./tests/examples/Surprise2.txt.zip/Surprise2.txt").replace(":", "") final_file = os.path.abspath(final_file) if os.path.exists(final_file): os.remove(final_file) self._remove_test_folders(os.path.abspath(output_safe_directory)) self.assertFalse(os.path.exists(final_file)) path = "./tests/examples/Surprise2.txt.zip" target_file = TargetFile(os.path.abspath(path)) module = Constructor() params = {"pwd_dict": "./tests/examples/wordlist.txt"} module.set_params(params) self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertTrue("Surprise2.txt" in result["new_files"]) self.assertTrue(final_file in result["new_path_files"]) self.assertEqual(result["password"], "surprise") self.assertTrue(os.path.exists(final_file)) os.remove(final_file) self._remove_test_folders(os.path.abspath(output_safe_directory))
def test_QR(self): qr_path = "./tests/examples/qrhola.png" target_file = TargetFile(qr_path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertEqual(result['values'][0], "HOLA")
def test_BC(self): bc_path = "./tests/examples/barcode.gif" target_file = TargetFile(bc_path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertEqual(result['values'][0], "1234-1234-1234")
def test_collie(self): path = "./tests/examples/collie.jpg" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertTrue("collie" in result["prediction_names"])
def test_SAM(self): path = "./tests/examples/winregistry/SAM" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertEqual(len(result["SAM"]["users"]), 3) self.assertEqual(result["SAM"]["users"][0], "Administrator")
def test_pst(self): path = "./tests/examples/emails.pst" target_file = TargetFile(os.path.abspath(path)) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertTrue('messages' in result) self.assertEqual(len(result["messages"]), 532)
def test_NTUSER(self): path = "./tests/examples/winregistry/NTUSER.dat" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertEqual(result["NTUSER"]["persistence"][0], "C:\\WINDOWS\\system32\\ctfmon.exe")
def test_default_der(self): path = "./tests/examples/GeoTrust Global CA.cer" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertTrue("GeoTrust Global CA" in result["issuer"]) self.assertTrue("GeoTrust Global CA" in result["subject"])
def test_ignore_max_size(self): path = "./tests/examples/collie.jpg" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) module.set_params({"ignore_greater_or_equal_than": 19863}) with pytest.raises(IgnoreAnalysisException): module.run(target_file, {'hashes': self._get_collie_hashes()})
def test_default_pem(self): path = "./tests/examples/cert.pem" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertTrue("Santiago de Compostela" in result["issuer"]) self.assertTrue("Santiago de Compostela" in result["subject"])
def test_with_invalid_apikey(self): path = "./tests/examples/collie.jpg" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) module.set_params(params) result = module.run(target_file, {}) self.assertEqual(result["error"], "Invalid API KEY")
def test_ignore_path2(self): path = "tests/examples/collie.jpg" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) module.set_params( {"file_ignore_path": "./tests/examples/ignoredpaths.txt"}) with pytest.raises(IgnoreAnalysisException): module.run(target_file, {'hashes': self._get_collie_hashes()})
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict: decoded_list = decode(Image.open(target_file.get_path())) i = 0 result = {} if len(decoded_list) >0: result["values"] = [] for dec in decoded_list: result["values"].append(dec.data.decode("utf-8")) return result
def _decrypt_AES_WithPassword(self, target_file: TargetFile, file_name, pwd): try: with AESZipFile(target_file.get_path(), 'r') as zf: zf.pwd = pwd binary = zf.read(file_name) return binary except: return None
def test_with_not_info(self): path = "./tests/examples/Prueba.c" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertTrue("emails" not in result) self.assertTrue("URLs" not in result) self.assertTrue("IBANs" not in result)
def test_error_password(self): params = {"pwd_dict": "./tests/examples/Prueba.c"} path = "./tests/examples/Surprise2.txt.zip" target_file = TargetFile(os.path.abspath(path)) module = Constructor() module.set_params(params) self.assertTrue(module.is_valid_for(target_file)) result = module.run(target_file, {}) self.assertEqual("Bad password or wrong decrypted algorithm", result["error"])
def test_string_more_than_5_characters(self): path = "./tests/examples/barcode.gif" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) module.set_params({"char_min": 5}) result = module.run(target_file, {}) self.assertTrue(len(result["elements"]) >= 10) self.assertTrue(result["n_elements"] >= 10)
def test_string_more_than_9_characters(self): path = "./tests/examples/collie.jpg.zip" target_file = TargetFile(path) module = Constructor() self.assertTrue(module.is_valid_for(target_file)) module.set_params({"char_min": 9}) result = module.run(target_file, {}) self.assertEqual(result["elements"][0], "collie.jpg") self.assertTrue(result["n_elements"] >= 4)