def parseFile(filename: str): """ Iterate the list of Mach-Os and call macholibre.parse against each file Argument: the list of lists with Mach-O files """ try: print(f"[ ] Parsing {filename}") data = parse(filename) data["filepath"] = filename data["entropy"] = calculateEntropy(filename) sha256 = data["hashes"]["sha256"] vtresults = client.get_object(f"/files/{sha256}") data["vtresults"] = vtresults packed = pack_file(filename, sha256) if packed: basename = sha256 + ".json" out_file = os.path.join(args.outdir, basename) with open(out_file, "w") as f: f.write(json.dumps(data)) datap = parse(packed) datap["filepath"] = packed datap["entropy"] = calculateEntropy(packed) datap["vtresults"] = vtresults basenamep = sha256 + ".packed.json" out_filep = os.path.join(args.outdir, basenamep) with open(out_filep, "w") as f: f.write(json.dumps(datap)) except Exception as e: print(f"[-] Failed to parse {filename}: {e}")
def scan(self, data, file, options, expire_at): tmp_directory = options.get('tmp_directory', '/tmp/') self.event['total'] = {'objects': 0} self.event.setdefault('abnormalities', []) self.event.setdefault('objects', []) with tempfile.NamedTemporaryFile(dir=tmp_directory) as tmp_data: tmp_data.write(data) tmp_data.flush() macho_dictionary = macholibre.parse(tmp_data.name) for (key, value) in macho_dictionary.items(): if key == 'abnormalities' and value not in self.event[ 'abnormalities']: self.event['abnormalities'].append(value) elif key == 'macho': self.event['total']['objects'] = 1 self._macho_parse(self, value) elif key == 'universal': for (x, y) in value.items(): if key == 'machos': self.event['total']['objects'] = len(y) for macho in y: self._macho_parse(self, macho)
def scan(self, file_object, options): tempfile_directory = options.get("tempfile_directory", "/tmp/") self.metadata["total"] = {"objects": 0} self.metadata.setdefault("abnormalities", []) self.metadata.setdefault("objects", []) with tempfile.NamedTemporaryFile( dir=tempfile_directory) as strelka_file: strelka_filename = strelka_file.name strelka_file.write(file_object.data) strelka_file.flush() macho_dictionary = macholibre.parse(strelka_filename) for (key, value) in macho_dictionary.items(): if key == "abnormalities" and value not in self.metadata[ "abnormalities"]: self.metadata["abnormalities"].append(value) elif key == "macho": self.metadata["total"]["objects"] = 1 self._macho_parse(self, value) elif key == "universal": for (x, y) in value.items(): if key == "machos": self.metadata["total"]["objects"] = len(y) for macho in y: self._macho_parse(self, macho)
def META_MACHO(s, buff): tmpfd, tmpfile = mkstemp() tmpf = os.fdopen(tmpfd, 'wb') try: #Writing the buffer to a temp file tmpf.write(buff) tmpf.close() dictionary = macholibre.parse(tmpfile) finally: #Remove it to save space os.remove(tmpfile) if dictionary.has_key('name'): #The name doesn't make sense with the temp file dictionary.pop('name') # META_BASIC_INFO already hs this informaton if dictionary.has_key('hashes'): dictionary.pop('hashes') if dictionary.has_key('size'): dictionary.pop('size') dictionary['architecutures'] = [] #Macholibre either has macho or universal if dictionary.has_key('macho'): popMachoKeys(dictionary['macho']) dictionary['Universal'] = False macho = dictionary.pop('macho') #I need it twice so there's no point in searching # Makes the key Macho + the cputype from the macho dictionary, if it has that key. Also replaces spaces with '_' machoKey = "macho_" + macho['cputype'].replace( ' ', '_') if macho.has_key('cputype') else 'macho' dictionary['machos'] = [{machoKey: macho}] dictionary['architecutures'].append( macho['subtype'] if macho.has_key('subtype') else '') del macho, machoKey elif dictionary.has_key('universal'): #Universal has embedded machos if dictionary['universal'].has_key('machos'): dictionary['Universal'] = True dictionary['machos'] = [] for index, macho in enumerate(dictionary['universal']['machos']): popMachoKeys(macho) hasCPU = macho.has_key('cputype') # Does the same thing but make sure not to overwrite the indexes if neither has 'cputype' as a key machoKey = "macho_" + macho['cputype'].replace( ' ', '_') if hasCPU else 'macho_' + str(index) if macho.has_key('subtype'): dictionary['architecutures'].append(macho['subtype']) dictionary['machos'].append({machoKey: macho}) dictionary.pop('universal') return dictionary