Пример #1
0
def extract_file_import_names():
    """extract function imports

    1. imports by ordinal:
     - modulename.#ordinal

    2. imports by name, results in two features to support importname-only
       matching:
     - modulename.importname
     - importname
    """
    for (ea, info
         ) in capa.features.extractors.ida.helpers.get_file_imports().items():
        if info[1] and info[2]:
            # e.g. in mimikatz: ('cabinet', 'FCIAddFile', 11L)
            # extract by name here and by ordinal below
            for name in capa.features.extractors.helpers.generate_symbols(
                    info[0], info[1]):
                yield Import(name), ea
            dll = info[0]
            symbol = "#%d" % (info[2])
        elif info[1]:
            dll = info[0]
            symbol = info[1]
        elif info[2]:
            dll = info[0]
            symbol = "#%d" % (info[2])
        else:
            continue

        for name in capa.features.extractors.helpers.generate_symbols(
                dll, symbol):
            yield Import(name), ea
Пример #2
0
def extract_file_import_names(pe: dnfile.dnPE,
                              **kwargs) -> Iterator[Tuple[Import, int]]:
    for (token, imp) in chain(get_dotnet_managed_imports(pe),
                              get_dotnet_unmanaged_imports(pe)):
        if "::" in imp:
            # like System.IO.File::OpenRead
            yield Import(imp), token
        else:
            # like kernel32.CreateFileA
            dll, _, symbol = imp.rpartition(".")
            for symbol_variant in capa.features.extractors.helpers.generate_symbols(
                    dll, symbol):
                yield Import(symbol_variant), token
Пример #3
0
 def gen():
     for addr, (module, f_name,
                _ord) in data.obj.bin.import_functions.items():
         if module.endswith('.dll'):
             module = module[:-4]
         if f_name:
             for symbol in helpers.generate_symbols(module, f_name):
                 yield Import(symbol), addr
         if _ord:
             _ord = str(_ord)
             f_name = "#{}".format(_ord)
             for symbol in helpers.generate_symbols(module, f_name):
                 yield Import(symbol), addr
Пример #4
0
def extract_file_import_names(pe, file_path):
    """
    extract imported function names
    1. imports by ordinal:
     - modulename.#ordinal
    2. imports by name, results in two features to support importname-only matching:
     - modulename.importname
     - importname
    """
    if hasattr(pe, "DIRECTORY_ENTRY_IMPORT"):
        for dll in pe.DIRECTORY_ENTRY_IMPORT:
            try:
                modname = dll.dll.partition(b"\x00")[0].decode("ascii")
            except UnicodeDecodeError:
                continue

            # strip extension
            modname = modname.rpartition(".")[0].lower()

            for imp in dll.imports:
                if imp.import_by_ordinal:
                    impname = "#%s" % imp.ordinal
                else:
                    try:
                        impname = imp.name.partition(b"\x00")[0].decode(
                            "ascii")
                    except UnicodeDecodeError:
                        continue

                for name in capa.features.extractors.helpers.generate_symbols(
                        modname, impname):
                    yield Import(name), imp.address
Пример #5
0
def extract_file_import_names(smda_report, file_path):
    # extract import table info via LIEF
    lief_binary = lief.parse(file_path)
    if not isinstance(lief_binary, lief.PE.Binary):
        return
    for imported_library in lief_binary.imports:
        library_name = imported_library.name.lower()
        library_name = library_name[:-4] if library_name.endswith(".dll") else library_name
        for func in imported_library.entries:
            va = func.iat_address + smda_report.base_addr
            if func.name:
                for name in capa.features.extractors.helpers.generate_symbols(library_name, func.name):
                    yield Import(name), va
            elif func.is_ordinal:
                for name in capa.features.extractors.helpers.generate_symbols(library_name, "#%s" % func.ordinal):
                    yield Import(name), va
Пример #6
0
def extract_file_import_names():
    """extract function imports

    1. imports by ordinal:
     - modulename.#ordinal

    2. imports by name, results in two features to support importname-only
       matching:
     - modulename.importname
     - importname
    """
    for (ea, info
         ) in capa.features.extractors.ida.helpers.get_file_imports().items():
        if info[1]:
            dll = info[0]
            symbol = info[1]
        elif info[2]:
            dll = info[0]
            symbol = "#%d" % (info[2])
        else:
            continue

        for name in capa.features.extractors.helpers.generate_symbols(
                dll, symbol):
            yield Import(name), ea
Пример #7
0
def extract_file_import_names():
    """extract function imports

    1. imports by ordinal:
     - modulename.#ordinal

    2. imports by name, results in two features to support importname-only
       matching:
     - modulename.importname
     - importname
    """
    for (ea, info
         ) in capa.features.extractors.ida.helpers.get_file_imports().items():
        if info[1]:
            yield Import("%s.%s" % (info[0], info[1])), ea
            yield Import(info[1]), ea
        if info[2]:
            yield Import("%s.#%s" % (info[0], str(info[2]))), ea
Пример #8
0
def extract_file_import_names(vw, file_path):
    """
    extract imported function names
    1. imports by ordinal:
     - modulename.#ordinal
    2. imports by name, results in two features to support importname-only matching:
     - modulename.importname
     - importname
    """
    for va, _, _, tinfo in vw.getImports():
        # vivisect source: tinfo = "%s.%s" % (libname, impname)
        modname, impname = tinfo.split(".")
        if is_viv_ord_impname(impname):
            # replace ord prefix with #
            impname = "#%s" % impname[len("ord"):]
            tinfo = "%s.%s" % (modname, impname)
            yield Import(tinfo), va
        else:
            yield Import(tinfo), va
            yield Import(impname), va
Пример #9
0
def extract_file_import_names(vw, **kwargs):
    """
    extract imported function names
    1. imports by ordinal:
     - modulename.#ordinal
    2. imports by name, results in two features to support importname-only matching:
     - modulename.importname
     - importname
    """
    for va, _, _, tinfo in vw.getImports():
        # vivisect source: tinfo = "%s.%s" % (libname, impname)
        modname, impname = tinfo.split(".", 1)
        if is_viv_ord_impname(impname):
            # replace ord prefix with #
            impname = "#%s" % impname[len("ord") :]

        for name in capa.features.extractors.helpers.generate_symbols(modname, impname):
            yield Import(name), va
Пример #10
0
def extract_file_import_names(elf, **kwargs):
    # see https://github.com/eliben/pyelftools/blob/0664de05ed2db3d39041e2d51d19622a8ef4fb0f/scripts/readelf.py#L372
    symbol_tables = [(idx, s) for idx, s in enumerate(elf.iter_sections()) if isinstance(s, SymbolTableSection)]

    for section_index, section in symbol_tables:
        if not isinstance(section, SymbolTableSection):
            continue

        if section["sh_entsize"] == 0:
            logger.debug("Symbol table '%s' has a sh_entsize of zero!" % (section.name))
            continue

        logger.debug("Symbol table '%s' contains %s entries:" % (section.name, section.num_symbols()))

        for nsym, symbol in enumerate(section.iter_symbols()):
            if symbol.name and symbol.entry.st_info.type == "STT_FUNC":
                # TODO symbol address
                # TODO symbol version info?
                yield Import(symbol.name), 0x0