예제 #1
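    def new(self, path=None, misp_event=None):
        """Open a new session on a file path and/or a MISP event and make it current.

        Args:
            path: Path of the sample to open the session on (optional).
            misp_event: MISP event object to attach to the session (optional).

        At least one of the two must be given; otherwise an error is printed
        and nothing changes. When only one is given and a session is already
        current, the other attribute is inherited from the current session.
        Any existing session open on the same file (same sha256) is dropped
        so the session list never holds duplicates.
        """
        if not path and not misp_event:
            print_error("You have to open a session on a path or on a misp event.")
            return

        session = Session()

        # Use one more than the highest id in use rather than len()+1: after a
        # duplicate session is dropped below, len()+1 could collide with the
        # id of a surviving session.
        existing_ids = [entry.id for entry in self.sessions if entry.id is not None]
        session.id = max(existing_ids or [0]) + 1

        if path:
            # Inherit the MISP event of the current session when only a path was given.
            if self.is_set() and misp_event is None and self.current.misp_event:
                session.misp_event = self.current.misp_event

            # Open a section on the given file.
            session.file = File(path)
            # Try to lookup the file in the database. If it is already present
            # we get its database ID, file name, and tags.
            db = Database()
            row = db.find(key='sha256', value=session.file.sha256)
            if row:
                stored = row[0]
                session.file.id = stored.id
                session.file.name = stored.name
                session.file.tags = ', '.join(tag.to_dict()['tag'] for tag in stored.tag)

                if stored.parent:
                    session.file.parent = '{0} - {1}'.format(stored.parent.name, stored.parent.sha256)
                session.file.children = db.get_children(stored.id)

            print_info("Session opened on {0}".format(path))

        if misp_event:
            # Inherit the file of the current session when only an event was given.
            if self.is_set() and path is None and self.current.file:
                session.file = self.current.file

            # A session already open on the same (non-local) event id is a refresh.
            current = self.current
            refresh = (current is not None and current.misp_event is not None and
                       current.misp_event.event.id is not None and
                       current.misp_event.event.id == misp_event.event.id)
            session.misp_event = misp_event
            if refresh:
                print_info("Session on MISP event {0} refreshed.".format(misp_event.event.id))
            elif not misp_event.event.id:
                print_info("Session opened on a new local MISP event.")
            else:
                print_info("Session opened on MISP event {0}.".format(misp_event.event.id))

        if session.file:
            # Drop any other session already open on the same file to avoid
            # duplicates. The list is rebuilt in place instead of calling
            # remove() while iterating, which skips the element that follows
            # each removed entry.
            # NOTE: in the future we might want to remove this if sessions have
            # unique attributes (for example, an history just for each of them).
            self.sessions[:] = [
                entry for entry in self.sessions
                if not (entry.file and entry.file.sha256 == session.file.sha256)
            ]

        # Add new session to the list.
        self.sessions.append(session)
        # Mark the new session as the current one.
        self.current = session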
예제 #2
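def extract_embedded(zip_data):
    """Extract and decrypt the payload embedded in a sample's zip archive.

    Args:
        zip_data: Raw contents of the outer zip archive.

    Returns:
        The decrypted embedded payload, or None when the archive lacks the
        "load/MANIFEST.MF" payload entry or the "load/ID" key fragment.
    """
    raw_embedded = None
    enckey = None
    archive = StringIO(zip_data)
    # `zf` instead of `zip`, so the builtin is not shadowed.
    with ZipFile(archive) as zf:
        for name in zf.namelist():
            if name == "load/ID":
                # The entry holds the first part of the key; the remainder is
                # the fixed suffix below. Read the entry once and reuse it.
                partial_key = zf.read(name)
                enckey = partial_key + 'DESW7OWKEJRU4P2K'
                print_info("Encryption Key {0}".format(partial_key))
            elif name == "load/MANIFEST.MF":
                # Despite its name this entry is the embedded (encrypted) jar.
                raw_embedded = zf.read(name)
    # Without the key fragment `enckey` was previously unbound and the
    # decrypt call raised NameError; treat it as "nothing to extract".
    if raw_embedded is None or enckey is None:
        return None
    # Decrypt the raw file.
    return decrypt_arc4(enckey, raw_embedded)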
예제 #3
파일: unrecom.py 프로젝트: AnyMaster/viper
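def extract_embedded(zip_data):
    """Extract and decrypt the payload embedded in a sample's zip archive.

    Args:
        zip_data: Raw contents of the outer zip archive.

    Returns:
        The decrypted embedded payload, or None when the archive lacks the
        "load/MANIFEST.MF" payload entry or the "load/ID" key fragment.
    """
    raw_embedded = None
    enckey = None
    archive = StringIO(zip_data)
    # `zf` instead of `zip`, so the builtin is not shadowed.
    with ZipFile(archive) as zf:
        for name in zf.namelist():
            if name == "load/ID":
                # The entry holds the first part of the key; the remainder is
                # the fixed suffix below. Read the entry once and reuse it.
                partial_key = zf.read(name)
                enckey = partial_key + 'DESW7OWKEJRU4P2K'
                print_info("Encryption Key {0}".format(partial_key))
            elif name == "load/MANIFEST.MF":
                # Despite its name this entry is the embedded (encrypted) jar.
                raw_embedded = zf.read(name)
    # Without the key fragment `enckey` was previously unbound and the
    # decrypt call raised NameError; treat it as "nothing to extract".
    # `is None` replaces the original `!= None` comparison.
    if raw_embedded is None or enckey is None:
        return None
    # Decrypt the raw file.
    return decrypt_arc4(enckey, raw_embedded)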
예제 #4
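def check_and_deploy_peid():
    """PEID: check whether PEID dir exist - if not copy default to directory.

    Looks for ``<base_path>/peid``; when it is missing, copies the bundled
    PEID data from the pip-installed location (preferred) or the repository
    checkout. When neither source exists an error is reported instead of
    failing silently, mirroring check_and_deploy_yara_rules.
    """
    peid_path = os.path.join(__project__.base_path, "peid")
    if os.path.exists(peid_path):
        print_info("Using PEID info from directory: {}".format(peid_path))
        return

    # Prio 1: peid info if Viper was installed with pip
    peid_path_setup_utils = os.path.join(VIPER_ROOT, DIST_DIR_PEID)
    # Prio 2: peid info if Viper was checkout from repo
    peid_path_repo = os.path.join(VIPER_ROOT, "data", "peid")

    for source in (peid_path_setup_utils, peid_path_repo):
        if os.path.exists(source):
            print_warning("PEID directory not found - copying default "
                          "info ({}) to: {}".format(source, peid_path))
            shutil.copytree(source, peid_path)
            return

    print_error("No default PEID info found")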
예제 #5
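def autorun_module(file_hash):
    """Run the commands configured in ``cfg.autorun.commands`` against a sample.

    Args:
        file_hash: Hash of the sample to analyse; if falsy nothing is run.

    ``cfg.autorun.commands`` is a comma-separated list of groups, each a
    semicolon-separated list of module invocations. Every invocation is run in
    turn; its output is stored in the database when
    ``cfg.modules.store_output`` is set and echoed when ``cfg.autorun.verbose``
    is set. A failing command is reported and the remaining ones still run.
    """
    if not file_hash:
        return

    # Modules operate on the current session; open one on the sample if needed.
    if not __sessions__.is_set():
        __sessions__.new(get_sample_path(file_hash))

    for cmd_line in cfg.autorun.commands.split(','):
        for split_command in cmd_line.split(';'):
            split_command = split_command.strip()
            if not split_command:
                continue

            root, args = parse_commands(split_command)

            if root not in __modules__:
                # Name the exact sub-command that failed to resolve rather
                # than the whole comma-separated group it came from.
                print_error(
                    "\"{0}\" is not a valid command. Please check your viper.conf file."
                    .format(split_command))
                continue

            try:
                print_info("Running command \"{0}\"".format(split_command))

                module = __modules__[root]['obj']()
                module.set_commandline(args)
                module.run()

                if cfg.modules.store_output and __sessions__.is_set():
                    Database().add_analysis(file_hash, split_command,
                                            module.output)

                if cfg.autorun.verbose:
                    print_output(module.output)

                # Clear the output buffer in place once it has been consumed.
                del module.output[:]
            except Exception:
                # Catch Exception, not a bare except: the latter would also
                # swallow KeyboardInterrupt/SystemExit and make the loop
                # impossible to interrupt.
                print_error(
                    "Viper was unable to complete the command {0}".format(
                        split_command))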
예제 #6
def check_and_deploy_yara_rules():
    """Yara: check whether rule path exist - if not copy default set of rules to directory.

    Looks for ``<base_path>/yara``; when it is missing, copies the bundled
    rules from the pip-installed location (preferred) or the repository
    checkout, and reports an error when neither source exists.
    """
    yara_rules_path = os.path.join(__project__.base_path, "yara")
    if os.path.exists(yara_rules_path):
        print_info("Using Yara rules from directory: {}".format(yara_rules_path))
        return

    # Candidate sources in order of preference: the pip-installed data
    # directory first, then a repository checkout.
    candidates = (
        os.path.join(VIPER_ROOT, DIST_DIR_YARA_RULES),
        os.path.join(VIPER_ROOT, "data", "yara"),
    )
    for source in candidates:
        if not os.path.exists(source):
            continue
        print_warning("Yara rule directory not found - copying default "
                      "rules ({}) to: {}".format(source, yara_rules_path))
        shutil.copytree(source, yara_rules_path)
        return

    print_error("No default Yara rules found")
예제 #7
파일: autorun.py 프로젝트: AnyMaster/viper
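def autorun_module(file_hash):
    """Run the commands configured in ``cfg.autorun.commands`` against a sample.

    Args:
        file_hash: Hash of the sample to analyse; if falsy nothing is run.

    ``cfg.autorun.commands`` is a comma-separated list of groups, each a
    semicolon-separated list of module invocations. Every invocation is run in
    turn; its output is stored in the database when
    ``cfg.modules.store_output`` is set and echoed when ``cfg.autorun.verbose``
    is set. A failing command is reported and the remaining ones still run.
    """
    if not file_hash:
        return

    # Modules operate on the current session; open one on the sample if needed.
    if not __sessions__.is_set():
        __sessions__.new(get_sample_path(file_hash))

    for cmd_line in cfg.autorun.commands.split(','):
        for split_command in cmd_line.split(';'):
            split_command = split_command.strip()
            if not split_command:
                continue

            root, args = parse_commands(split_command)

            if root not in __modules__:
                # Name the exact sub-command that failed to resolve rather
                # than the whole comma-separated group it came from.
                print_error("\"{0}\" is not a valid command. Please check your viper.conf file.".format(split_command))
                continue

            try:
                print_info("Running command \"{0}\"".format(split_command))

                module = __modules__[root]['obj']()
                module.set_commandline(args)
                module.run()

                if cfg.modules.store_output and __sessions__.is_set():
                    Database().add_analysis(file_hash, split_command, module.output)

                if cfg.autorun.verbose:
                    print_output(module.output)

                # Clear the output buffer in place once it has been consumed.
                del module.output[:]
            except Exception:
                # Catch Exception, not a bare except: the latter would also
                # swallow KeyboardInterrupt/SystemExit and make the loop
                # impossible to interrupt.
                print_error("Viper was unable to complete the command {0}".format(split_command))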
예제 #8
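 def switch(self, session):
     """Make *session* the current session and report the switch.

     Sessions opened on a MISP event only have no file, so the message falls
     back to the event id (or a generic label) instead of dereferencing
     ``session.file.path`` on None.
     """
     self.current = session
     if session.file:
         target = session.file.path
     elif getattr(session, 'misp_event', None) is not None:
         target = "MISP event {0}".format(session.misp_event.event.id)
     else:
         target = "an empty session"
     print_info("Switched to session #{0} on {1}".format(session.id, target))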
예제 #9
파일: session.py 프로젝트: AnyMaster/viper
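 def switch(self, session):
     """Make *session* the current session and report the switch.

     Sessions opened on a MISP event only have no file, so the message falls
     back to the event id (or a generic label) instead of dereferencing
     ``session.file.path`` on None.
     """
     self.current = session
     if session.file:
         target = session.file.path
     elif getattr(session, 'misp_event', None) is not None:
         target = "MISP event {0}".format(session.misp_event.event.id)
     else:
         target = "an empty session"
     print_info("Switched to session #{0} on {1}".format(session.id, target))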