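def new(self, path=None, misp_event=None):
    """Open a new session on a file path and/or a MISP event and make it current.

    Args:
        path: Path of the sample to open. When given, the file is looked up in
            the database by its SHA-256 to recover its id, name, tags, parent
            and children.
        misp_event: MISP event to attach to the session. When given while a
            session on a file is already open (and no path is passed), that
            file is carried over into the new session.

    Returns:
        None. Prints an error and returns early when neither argument is given.
    """
    if not path and not misp_event:
        print_error("You have to open a session on a path or on a misp event.")
        return

    session = Session()
    # Session ids are sequential; derived from the number of sessions before
    # any duplicate-file session is dropped below (kept as originally written).
    session.id = len(self.sessions) + 1

    if path:
        # Carry the current MISP event over when the caller did not supply one.
        if self.is_set() and misp_event is None and self.current.misp_event:
            session.misp_event = self.current.misp_event

        # Open a session on the given file.
        session.file = File(path)

        # Try to lookup the file in the database. If it is already present
        # we get its database ID, file name, and tags.
        db = Database()
        row = db.find(key='sha256', value=session.file.sha256)
        if row:
            stored = row[0]
            session.file.id = stored.id
            session.file.name = stored.name
            session.file.tags = ', '.join(tag.to_dict()['tag'] for tag in stored.tag)
            if stored.parent:
                session.file.parent = '{0} - {1}'.format(stored.parent.name, stored.parent.sha256)
            session.file.children = db.get_children(stored.id)

        print_info("Session opened on {0}".format(path))

    if misp_event:
        # Keep the file of the current session when only a MISP event is supplied.
        if self.is_set() and path is None and self.current.file:
            session.file = self.current.file

        # Re-opening the event id that is already current is a refresh, not a
        # new event.
        refresh = (self.current is not None
                   and self.current.misp_event is not None
                   and self.current.misp_event.event.id is not None
                   and self.current.misp_event.event.id == misp_event.event.id)
        session.misp_event = misp_event

        if refresh:
            print_info("Session on MISP event {0} refreshed.".format(misp_event.event.id))
        elif not misp_event.event.id:
            print_info("Session opened on a new local MISP event.")
        else:
            print_info("Session opened on MISP event {0}.".format(misp_event.event.id))

    if session.file:
        # Drop any other session open on the same file (by SHA-256) to avoid
        # duplicates in sessions.
        # NOTE: in the future we might want to remove this if sessions have
        # unique attributes (for example, an history just for each of them).
        # Rebuilt in place rather than calling remove() inside a for loop over
        # the same list, which skips the element following each removal.
        self.sessions[:] = [
            entry for entry in self.sessions
            if not (entry.file and entry.file.sha256 == session.file.sha256)
        ]

    # Add new session to the list.
    self.sessions.append(session)
    # Mark the new session as the current one.
    self.current = session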
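def extract_embedded(zip_data):
    """Return the decrypted embedded payload of an archive, or None.

    Args:
        zip_data: In-memory content of the archive (it is wrapped in StringIO,
            so this must be the raw data, not a path).

    Returns:
        The content of the ``load/MANIFEST.MF`` entry passed through
        ``decrypt_arc4`` with a key built from the ``load/ID`` entry plus a
        fixed suffix, or None when either entry is missing.
    """
    raw_embedded = None
    enckey = None
    archive = StringIO(zip_data)
    with ZipFile(archive) as zip_archive:
        for name in zip_archive.namelist():
            if name == "load/ID":
                # This entry holds the first part of the key; the suffix is fixed.
                partial_key = zip_archive.read(name)
                enckey = partial_key + 'DESW7OWKEJRU4P2K'
                print_info("Encryption Key {0}".format(partial_key))
            elif name == "load/MANIFEST.MF":
                # This entry is the encrypted embedded jar.
                raw_embedded = zip_archive.read(name)

    # Without both halves there is nothing to decrypt; the original raised
    # NameError on enckey when load/ID was absent but the payload was present.
    if raw_embedded is None or enckey is None:
        return None
    return decrypt_arc4(enckey, raw_embedded)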
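def extract_embedded(zip_data):
    """Return the decrypted embedded payload of an archive, or None.

    Args:
        zip_data: In-memory content of the archive (it is wrapped in StringIO,
            so this must be the raw data, not a path).

    Returns:
        The content of the ``load/MANIFEST.MF`` entry passed through
        ``decrypt_arc4`` with a key built from the ``load/ID`` entry plus a
        fixed suffix, or None when either entry is missing.
    """
    raw_embedded = None
    enckey = None
    archive = StringIO(zip_data)
    with ZipFile(archive) as zip_archive:
        for name in zip_archive.namelist():
            if name == "load/ID":
                # This entry holds the first part of the key; the suffix is fixed.
                partial_key = zip_archive.read(name)
                enckey = partial_key + 'DESW7OWKEJRU4P2K'
                print_info("Encryption Key {0}".format(partial_key))
            elif name == "load/MANIFEST.MF":
                # This entry is the encrypted embedded jar.
                raw_embedded = zip_archive.read(name)

    # Use `is None` (not `!= None`) and require both halves: the original
    # raised NameError on enckey when load/ID was absent but the payload present.
    if raw_embedded is None or enckey is None:
        return None
    return decrypt_arc4(enckey, raw_embedded)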
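def check_and_deploy_peid():
    """PEID: check whether PEID dir exist - if not copy default to directory.

    Looks for ``peid`` under the project base path. When it is missing, the
    bundled data is copied from the pip-installed location (``DIST_DIR_PEID``
    under ``VIPER_ROOT``) or, failing that, from the repository checkout
    (``VIPER_ROOT/data/peid``). Reports an error when neither source exists
    instead of silently doing nothing, mirroring check_and_deploy_yara_rules.
    """
    peid_path = os.path.join(__project__.base_path, "peid")
    if os.path.exists(peid_path):
        print_info("Using PEID info from directory: {}".format(peid_path))
        return

    # Prio 1: peid info if Viper was installed with pip
    peid_path_setup_utils = os.path.join(VIPER_ROOT, DIST_DIR_PEID)
    # Prio 2: peid info if Viper was checkout from repo
    peid_path_repo = os.path.join(VIPER_ROOT, "data", "peid")

    for source in (peid_path_setup_utils, peid_path_repo):
        if os.path.exists(source):
            print_warning("PEID directory not found - copying default "
                          "info ({}) to: {}".format(source, peid_path))
            shutil.copytree(source, peid_path)
            return

    print_error("No default PEID info found")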
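def autorun_module(file_hash):
    """Run the commands configured in ``cfg.autorun.commands`` against a sample.

    Args:
        file_hash: Hash of the sample to analyse. When falsy the function
            returns immediately. If no session is open, one is opened on the
            sample's stored path.

    The configured value is a comma-separated list of groups, each group a
    semicolon-separated list of command lines parsed by ``parse_commands``.
    Each command is run through its module object; the output is stored in the
    database when ``cfg.modules.store_output`` is set and printed when
    ``cfg.autorun.verbose`` is set. A failing command is reported and the
    remaining commands still run.
    """
    if not file_hash:
        return

    if not __sessions__.is_set():
        __sessions__.new(get_sample_path(file_hash))

    for cmd_line in cfg.autorun.commands.split(','):
        for split_command in cmd_line.split(';'):
            split_command = split_command.strip()
            if not split_command:
                continue

            root, args = parse_commands(split_command)

            try:
                if root not in __modules__:
                    # Report the offending command rather than the whole comma group.
                    print_error("\"{0}\" is not a valid command. Please check your viper.conf file.".format(split_command))
                    continue

                print_info("Running command \"{0}\"".format(split_command))
                module = __modules__[root]['obj']()
                module.set_commandline(args)
                module.run()

                if cfg.modules.store_output and __sessions__.is_set():
                    Database().add_analysis(file_hash, split_command, module.output)

                if cfg.autorun.verbose:
                    print_output(module.output)

                # Clear the output list in place rather than rebinding it.
                del module.output[:]
            except Exception:
                # Narrowed from a bare except so KeyboardInterrupt/SystemExit
                # still propagate; a module failure must not stop the rest.
                print_error("Viper was unable to complete the command {0}".format(split_command))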
def check_and_deploy_yara_rules():
    """Yara: check whether rule path exist - if not copy default set of rules to directory"""
    yara_rules_path = os.path.join(__project__.base_path, "yara")
    if os.path.exists(yara_rules_path):
        print_info("Using Yara rules from directory: {}".format(yara_rules_path))
        return

    # Candidate sources in priority order: the pip-installed data directory
    # first, then the repository checkout.
    candidates = (
        os.path.join(VIPER_ROOT, DIST_DIR_YARA_RULES),
        os.path.join(VIPER_ROOT, "data", "yara"),
    )
    for source in candidates:
        if not os.path.exists(source):
            continue
        print_warning("Yara rule directory not found - copying default "
                      "rules ({}) to: {}".format(source, yara_rules_path))
        shutil.copytree(source, yara_rules_path)
        return

    print_error("No default Yara rules found")
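def autorun_module(file_hash):
    """Run the commands configured in ``cfg.autorun.commands`` against a sample.

    Args:
        file_hash: Hash of the sample to analyse. When falsy the function
            returns immediately. If no session is open, one is opened on the
            sample's stored path.

    The configured value is a comma-separated list of groups, each group a
    semicolon-separated list of command lines parsed by ``parse_commands``.
    Each command is run through its module object; the output is stored in the
    database when ``cfg.modules.store_output`` is set and printed when
    ``cfg.autorun.verbose`` is set. A failing command is reported and the
    remaining commands still run.
    """
    if not file_hash:
        return

    if not __sessions__.is_set():
        __sessions__.new(get_sample_path(file_hash))

    for cmd_line in cfg.autorun.commands.split(','):
        for split_command in cmd_line.split(';'):
            split_command = split_command.strip()
            if not split_command:
                continue

            root, args = parse_commands(split_command)

            try:
                if root not in __modules__:
                    # Report the offending command rather than the whole comma group.
                    print_error("\"{0}\" is not a valid command. Please check your viper.conf file.".format(split_command))
                    continue

                print_info("Running command \"{0}\"".format(split_command))
                module = __modules__[root]['obj']()
                module.set_commandline(args)
                module.run()

                if cfg.modules.store_output and __sessions__.is_set():
                    Database().add_analysis(file_hash, split_command, module.output)

                if cfg.autorun.verbose:
                    print_output(module.output)

                # Clear the output list in place rather than rebinding it.
                del module.output[:]
            except Exception:
                # Narrowed from a bare except so KeyboardInterrupt/SystemExit
                # still propagate; a module failure must not stop the rest.
                print_error("Viper was unable to complete the command {0}".format(split_command))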
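def switch(self, session):
    """Make ``session`` the current one and report where it is open.

    Args:
        session: The session to activate. A session opened only on a MISP
            event carries no file, so the report falls back to the event
            instead of dereferencing ``file.path`` (which raised
            AttributeError before).
    """
    self.current = session
    if self.current.file:
        location = self.current.file.path
    else:
        # NOTE(review): assumes a file-less session has a misp_event; guarded
        # with getattr in case Session does not default it.
        misp_event = getattr(self.current, 'misp_event', None)
        if misp_event is not None:
            location = "MISP event {0}".format(misp_event.event.id)
        else:
            location = "<no file>"
    print_info("Switched to session #{0} on {1}".format(self.current.id, location))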
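def switch(self, session):
    """Make ``session`` the current one and report where it is open.

    Args:
        session: The session to activate. A session opened only on a MISP
            event carries no file, so the report falls back to the event
            instead of dereferencing ``file.path`` (which raised
            AttributeError before).
    """
    self.current = session
    if self.current.file:
        location = self.current.file.path
    else:
        # NOTE(review): assumes a file-less session has a misp_event; guarded
        # with getattr in case Session does not default it.
        misp_event = getattr(self.current, 'misp_event', None)
        if misp_event is not None:
            location = "MISP event {0}".format(misp_event.event.id)
        else:
            location = "<no file>"
    print_info("Switched to session #{0} on {1}".format(self.current.id, location))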