def from_obj(bundle_obj):
if not bundle_obj:
return None
bundle_ = Bundle(None, None)
bundle_.id = bundle_obj.get_id()
bundle_.schema_version = bundle_obj.get_schema_version()
bundle_.defined_subject = bundle_obj.get_defined_subject()
bundle_.content_type = bundle_obj.get_content_type()
bundle_.timestamp = bundle_obj.get_timestamp()
bundle_.malware_instance_object_attributes = Object.from_obj(
bundle_obj.get_Malware_Instance_Object_Attributes()
)
if bundle_obj.get_AV_Classifications() is not None:
bundle_.av_classifications = AVClassifications.from_obj(bundle_obj.get_AV_Classifications())
bundle_.process_tree = ProcessTree.from_obj(bundle_obj.get_Process_Tree())
if bundle_obj.get_Behaviors() is not None:
bundle_.behaviors = BehaviorList.from_obj(bundle_obj.get_Behaviors())
if bundle_obj.get_Capabilities() is not None:
bundle_.capabilities = CapabilityList.from_obj(bundle_obj.get_Capabilities())
if bundle_obj.get_Actions() is not None:
bundle_.actions = ActionList.from_obj(bundle_obj.get_Actions())
if bundle_obj.get_Objects() is not None:
bundle_.objects = ObjectList.from_obj(bundle_obj.get_Objects())
if bundle_obj.get_Candidate_Indicators() is not None:
bundle_.candidate_indicators = CandidateIndicatorList.from_obj(bundle_obj.get_Candidate_Indicators())
bundle_.collections = Collections.from_obj(bundle_obj.get_Collections())
return bundle_
def test_round_trip(self):
o = ProcessTree()
root = ProcessTreeNode()
spawned_child1 = ProcessTreeNode()
spawned_child2 = ProcessTreeNode()
injected_child = ProcessTreeNode()
spawned_grandchild = ProcessTreeNode()
o.set_root_process(root)
root.add_spawned_process(spawned_child1)
root.add_spawned_process(spawned_child2)
root.add_injected_process(injected_child)
spawned_child1.add_spawned_process(spawned_grandchild)
o2 = round_trip(o, True)
self.assertEqual(o.to_dict(), o2.to_dict())
def test_round_trip(self):
o = ProcessTree()
root = ProcessTreeNode()
spawned_child1 = ProcessTreeNode()
spawned_child2 = ProcessTreeNode()
injected_child = ProcessTreeNode()
spawned_grandchild = ProcessTreeNode()
o.set_root_process(root)
root.add_spawned_process(spawned_child1)
root.add_spawned_process(spawned_child2)
root.add_injected_process(injected_child)
spawned_child1.add_spawned_process(spawned_grandchild)
o2 = round_trip(o, True)
self.assertEqual(o.to_dict(), o2.to_dict())
def from_dict(bundle_dict):
if not bundle_dict:
return None
bundle_ = Bundle(None, None)
bundle_.id = bundle_dict.get('id')
bundle_.schema_version = bundle_dict.get('schema_version')
bundle_.defined_subject = bundle_dict.get('defined_subject')
bundle_.content_type = bundle_dict.get('content_type')
bundle_.timestamp = datetime.datetime.strptime(bundle_dict.get('timestamp'), "%Y-%m-%dT%H:%M:%S.%f")
bundle_.malware_instance_object_attributes = Object.from_dict(bundle_dict.get('malware_instance_object_attributes'))
bundle_.av_classifications = AVClassifications.from_list(bundle_dict.get('av_classifications'))
bundle_.process_tree = ProcessTree.from_dict(bundle_dict.get('process_tree'))
bundle_.behaviors = BehaviorList.from_list(bundle_dict.get('behaviors'))
bundle_.actions = ActionList.from_list(bundle_dict.get('actions'))
bundle_.candidate_indicators = CandidateIndicatorList.from_list(bundle_dict.get('candidate_indicators'))
bundle_.collections = Collections.from_dict(bundle_dict.get('collections'))
return bundle_
def from_dict(bundle_dict):
if not bundle_dict:
return None
bundle_ = Bundle(None, None)
bundle_.id = bundle_dict.get("id")
bundle_.schema_version = bundle_dict.get("schema_version")
bundle_.defined_subject = bundle_dict.get("defined_subject")
bundle_.content_type = bundle_dict.get("content_type")
bundle_.timestamp = datetime.datetime.strptime(bundle_dict.get("timestamp"), "%Y-%m-%dT%H:%M:%S.%f")
bundle_.malware_instance_object_attributes = Object.from_dict(
bundle_dict.get("malware_instance_object_attributes")
)
bundle_.av_classifications = AVClassifications.from_list(bundle_dict.get("av_classifications"))
bundle_.process_tree = ProcessTree.from_dict(bundle_dict.get("process_tree"))
bundle_.behaviors = BehaviorList.from_list(bundle_dict.get("behaviors", []))
bundle_.capabilities = CapabilityList.from_dict(bundle_dict.get("capabilities"))
bundle_.actions = ActionList.from_list(bundle_dict.get("actions", []))
bundle_.objects = ObjectList.from_list(bundle_dict.get("objects", []))
bundle_.candidate_indicators = CandidateIndicatorList.from_list(bundle_dict.get("candidate_indicators", []))
bundle_.collections = Collections.from_dict(bundle_dict.get("collections"))
return bundle_
# Create the create file action initiated by the root process act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe" o1.properties.size_in_bytes = "332288" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act1.associated_objects.append(o1) # Create the Process Tree p_tree = ProcessTree() # Create the root process root_p = ProcessTreeNode() root_p.name = "first_process.exe" root_p.add_initiated_action(act1.id_) # Create the spawned process spawned_p = ProcessTreeNode() spawned_p.name = "malproc.exe" # Add the spawned process to the root process root_p.add_spawned_process(spawned_p) # Set the root process in the process_tree p_tree.set_root_process(root_p)
# Create the create file action initiated by the root process act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe" o1.properties.size_in_bytes = "332288" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act1.associated_objects.append(o1) # Create the Process Tree p_tree = ProcessTree() # Create the root process root_p = ProcessTreeNode() root_p.name = "first_process.exe" root_p.add_initiated_action(act1.id_) # Create the spawned process spawned_p = ProcessTreeNode() spawned_p.name = "malproc.exe" # Add the spawned process to the root process root_p.add_spawned_process(spawned_p) # Set the root process in the process_tree p_tree.set_root_process(root_p)
#Create the root Process
p_node = ProcessTreeNode()
p_node.add_initiated_action(act1.id_)
p_node.pid = 3408
p_node.name = "word.exe"
#プロセスの設定
P2 = ProcessTreeNode()
P2.pid = 3768
P2.parent_pid = 3408
P2.name = "SenPen.exe"
p_node.add_spawned_process(P2)
#ProcessTreeの設定
p_tree = ProcessTree()
p_tree.set_root_process(p_node)
#Check
#p_tree.to_xml_file('ProcessTree.xml', {"http://LIFT-S.com/":"LIFT-S"})
# パッケージへMalwareSubjectを追加
package.add_malware_subject(subject)
# バンドルへActionを追加
bundle.add_action(act1)
bundle.set_process_tree(p_tree)
# Add the Bundle to the Malware Subject
# Malware Subjectへバンドルを追加
subject.add_findings_bundle(bundle)
subject.add_analysis(analysis)
# Export the Package Bindings Object to an XML file and use the namespaceparser for writing out the namespace definitions
