def from_obj(win_handle_obj):
if not win_handle_obj:
return None
win_handle_ = WinHandle()
win_handle_.id = UnsignedInteger.from_obj(win_handle_obj.get_ID())
win_handle_.name = String.from_obj(win_handle_obj.get_Name())
win_handle_.type = String.from_obj(win_handle_obj.get_Type())
win_handle_.object_address = UnsignedLong.from_obj(win_handle_obj.get_Object_Address())
win_handle_.access_mask = UnsignedLong.from_obj(win_handle_obj.get_Access_Mask())
win_handle_.pointer_count = UnsignedLong.from_obj(win_handle_obj.get_Pointer_Count())
return win_handle_
def from_dict(win_handle_dict):
if not win_handle_dict:
return None
win_handle_ = WinHandle()
win_handle_.id = UnsignedInteger.from_dict(win_handle_dict.get('id'))
win_handle_.name = String.from_dict(win_handle_dict.get('name'))
win_handle_.type = String.from_dict(win_handle_dict.get('type'))
win_handle_.object_address = UnsignedLong.from_dict(win_handle_dict.get('id'))
win_handle_.access_mask = UnsignedLong.from_dict(win_handle_dict.get('access_mask'))
win_handle_.pointer_count = UnsignedLong.from_dict(win_handle_dict.get('id'))
return win_handle_
def to_cybox(self, exclude=None):
if exclude == None:
exclude = []
observables = []
f = File()
for attr in ['md5', 'sha1', 'sha256']:
if attr not in exclude:
val = getattr(self, attr, None)
if val:
setattr(f, attr, val)
if self.ssdeep and 'ssdeep' not in exclude:
f.add_hash(Hash(self.ssdeep, Hash.TYPE_SSDEEP))
if 'size' not in exclude and 'size_in_bytes' not in exclude:
f.size_in_bytes = UnsignedLong(self.size)
if 'filename' not in exclude and 'file_name' not in exclude:
f.file_name = self.filename
# create an Artifact object for the binary if it exists
if 'filedata' not in exclude:
data = self.filedata.read()
if data:
data = base64.b64encode(data)
a = Artifact(data=data, type_=Artifact.TYPE_FILE)
observables.append(Observable(a))
#if 'filetype' not in exclude and 'file_format' not in exclude:
#NOTE: this doesn't work because the CybOX File object does not
# have any support built in for setting the filetype to a
# CybOX-binding friendly object (e.g., calling .to_dict() on
# the resulting CybOX object fails on this field.
#f.file_format = self.filetype
observables.append(Observable(f))
return (observables, self.releasability)
def from_dict(file_dict, file_class=None):
if not file_dict:
return None
if not file_class:
file_ = File()
else:
file_ = file_class
ObjectProperties.from_dict(file_dict, file_)
file_.is_packed = file_dict.get('is_packed')
file_.file_name = String.from_dict(file_dict.get('file_name'))
file_.file_path = FilePath.from_dict(file_dict.get('file_path'))
file_.device_path = String.from_dict(file_dict.get('device_path'))
file_.full_path = String.from_dict(file_dict.get('full_path'))
file_.file_extension = String.from_dict(file_dict.get('file_extension'))
file_.size_in_bytes = UnsignedLong.from_dict(file_dict.get('size_in_bytes'))
file_.magic_number = HexBinary.from_dict(file_dict.get('magic_number'))
file_.file_format = String.from_dict(file_dict.get('file_format'))
file_.hashes = HashList.from_list(file_dict.get('hashes'))
file_.extracted_features = ExtractedFeatures.from_dict(file_dict.get('extracted_features'))
file_.modified_time = String.from_dict(file_dict.get('modified_time'))
file_.accessed_time = String.from_dict(file_dict.get('accessed_time'))
file_.created_time = DateTime.from_dict(file_dict.get('created_time'))
return file_
def from_obj(file_obj, file_class=None):
if not file_obj:
return None
if not file_class:
file_ = File()
else:
file_ = file_class
ObjectProperties.from_obj(file_obj, file_)
file_.is_packed = file_obj.get_is_packed()
file_.file_name = String.from_obj(file_obj.get_File_Name())
file_.file_path = FilePath.from_obj(file_obj.get_File_Path())
file_.device_path = String.from_obj(file_obj.get_Device_Path())
file_.full_path = String.from_obj(file_obj.get_Full_Path())
file_.file_extension = String.from_obj(file_obj.get_File_Extension())
file_.size_in_bytes = UnsignedLong.from_obj(file_obj.get_Size_In_Bytes())
file_.magic_number = HexBinary.from_obj(file_obj.get_Magic_Number())
file_.file_format = String.from_obj(file_obj.get_File_Format())
file_.hashes = HashList.from_obj(file_obj.get_Hashes())
file_.extracted_features = ExtractedFeatures.from_obj(file_obj.get_Extracted_Features())
#TODO: why are there two Strings and one DateTime here?
file_.modified_time = String.from_obj(file_obj.get_Modified_Time())
file_.accessed_time = String.from_obj(file_obj.get_Accessed_Time())
file_.created_time = DateTime.from_obj(file_obj.get_Created_Time())
return file_
def test_numerics(self):
p = PositiveInteger(42)
p2 = cybox.test.round_trip(p)
self.assertEqual(p.to_dict(), p2.to_dict())
i = Integer(42)
i2 = cybox.test.round_trip(i)
self.assertEqual(i.to_dict(), i2.to_dict())
u = UnsignedLong(42)
u2 = cybox.test.round_trip(u)
self.assertEqual(u.to_dict(), u2.to_dict())
u3 = UnsignedLong("42")
self.assertEqual(u3.value, 42)
self.assertNotEqual(u3.value, "42")
self.assertEqual(u3.to_dict(), u.to_dict())
def test_numerics(self):
p = PositiveInteger(42)
p2 = cybox.test.round_trip(p)
self.assertEqual(p.to_dict(), p2.to_dict())
i = Integer(42)
i2 = cybox.test.round_trip(i)
self.assertEqual(i.to_dict(), i2.to_dict())
u = UnsignedLong(42)
u2 = cybox.test.round_trip(u)
self.assertEqual(u.to_dict(), u2.to_dict())
u3 = UnsignedLong("42")
self.assertEqual(u3.value, 42)
self.assertNotEqual(u3.value, "42")
self.assertEqual(u3.to_dict(), u.to_dict())
def from_obj(stream_obj):
if not stream_obj:
return None
stream_ = Stream()
for hash_ in stream_obj.get_Hash():
stream_.add(Hash.from_obj(hash_))
stream_.name = String.from_obj(stream_dict.get('name'))
stream_.size_in_bytes = UnsignedLong.from_obj(stream_dict.get('size_in_bytes'))
return stream_
def from_dict(stream_dict):
if not stream_dict:
return None
stream_ = Stream()
for hash_ in stream_dict.get('hashes',[]):
stream_.add(Hash.from_dict(hash_))
stream_.name = String.from_dict(stream_dict.get('name'))
stream_.size_in_bytes = UnsignedLong.from_dict(stream_dict.get('size_in_bytes'))
return stream_
def from_dict(driver_dict):
if not driver_dict:
return None
driver_ = WinDriver()
driver_.driver_init = UnsignedLong.from_dict(driver_dict.get('driver_init'))
driver_.driver_name = String.from_dict(driver_dict.get('driver_name'))
driver_.driver_object_address = HexBinary.from_dict(driver_dict.get('driver_object_address'))
driver_.driver_start_io = HexBinary.from_dict(driver_dict.get('driver_start_io'))
return driver_
def from_obj(driver_obj):
if not driver_obj:
return None
driver_ = WinDriver()
driver_.driver_init = UnsignedLong.from_obj(driver_obj.get_Driver_Init())
driver_.driver_name = String.from_obj(driver_obj.get_Driver_Name())
driver_.driver_object_address = HexBinary.from_obj(driver_obj.get_Driver_Object_Address())
driver_.driver_start_io = HexBinary.from_obj(driver_obj.get_Driver_Start_IO())
return driver_
def from_obj(win_kernel_hook_obj):
if not win_kernel_hook_obj:
return None
win_kernel_hook_ = WinKernelHook()
win_kernel_hook_.digital_signature_hooking = DigitalSignature.from_obj(win_kernel_hook_obj.get_Digital_Signature_Hooking())
win_kernel_hook_.digital_signature_hooked = DigitalSignature.from_obj(win_kernel_hook_obj.get_Digital_Signature_Hooked())
win_kernel_hook_.hooked_address = UnsignedLong.from_obj(win_kernel_hook_obj.get_Hooked_Address())
win_kernel_hook_.hook_description = String.from_obj(win_kernel_hook_obj.get_Hook_Description())
win_kernel_hook_.hooked_function = String.from_obj(win_kernel_hook_obj.get_Hooked_Function())
win_kernel_hook_.hooked_module = String.from_dict(win_kernel_hook_obj.get_Hooked_Module())
win_kernel_hook_.type = String.from_obj(win_kernel_hook_obj.get_Type())
return win_kernel_hook_
def from_dict(win_kernel_hook_dict):
if not win_kernel_hook_dict:
return None
win_kernel_hook_ = WinKernelHook()
win_kernel_hook_.digital_signature_hooking = DigitalSignature.from_dict(win_kernel_hook_dict.get('digital_signature_hooking'))
win_kernel_hook_.digital_signature_hooked = DigitalSignature.from_dict(win_kernel_hook_dict.get('digital_signature_hooked'))
win_kernel_hook_.hooked_address = UnsignedLong.from_dict(win_kernel_hook_dict.get('hooked_address'))
win_kernel_hook_.hook_description = String.from_dict(win_kernel_hook_dict.get('hook_description'))
win_kernel_hook_.hooked_function = String.from_dict(win_kernel_hook_dict.get('hooked_function'))
win_kernel_hook_.hooked_module = String.from_dict(win_kernel_hook_dict.get('hooked_module'))
win_kernel_hook_.type = String.from_dict(win_kernel_hook_dict.get('type'))
return win_kernel_hook_
def from_dict(system_dict, system_class = None):
if not system_dict:
return None
if not system_class:
system_ = System()
else:
system_ = system_class
system_.available_physical_memory = UnsignedLong.from_dict(system_dict.get('available_physical_memory'))
system_.bios_info = BIOSInfo.from_dict(system_dict.get('bios_info'))
system_.date = Date.from_dict(system_dict.get('date'))
system_.hostname = String.from_dict(system_dict.get('hostname'))
system_.local_time = Time.from_dict(system_dict.get('local_time'))
system_.network_interface_list = NetworkInterfaceList.from_list(system_dict.get('network_interface_list'))
system_.os = OS.from_dict(system_dict.get('os'))
system_.processor = String.from_dict(system_dict.get('processor'))
system_.processor_architecture = String.from_dict(system_dict.get('processor_architecture'))
system_.system_time = Time.from_dict(system_dict.get('system_time'))
system_.timezone_dst = String.from_dict(system_dict.get('timezone_dst'))
system_.timezone_standard = String.from_dict(system_dict.get('timezone_standard'))
system_.total_physical_memory = UnsignedLong.from_dict(system_dict.get('total_physical_memory'))
system_.uptime = Duration.from_dict(system_dict.get('uptime'))
system_.username = String.from_dict(system_dict.get('username'))
return system_
def from_obj(system_obj, system_class = None):
if not system_obj:
return None
if not system_class:
system_ = System()
else:
system_ = system_class
system_.available_physical_memory = UnsignedLong.from_obj(system_obj.get_Available_Physical_Memory())
system_.bios_info = BIOSInfo.from_obj(system_obj.get_BIOS_Info())
system_.date = Date.from_obj(system_obj.get_Date())
system_.hostname = String.from_obj(system_obj.get_Hostname())
system_.local_time = Time.from_obj(system_obj.get_Local_Time())
system_.network_interface_list = NetworkInterfaceList.from_obj(system_obj.get_Network_Interface_List())
system_.os = OS.from_obj(system_obj.get_OS())
system_.processor = String.from_obj(system_obj.get_Processor())
system_.processor_architecture = String.from_obj(system_obj.get_Processor_Architecture())
system_.system_time = Time.from_obj(system_obj.get_System_Time())
system_.timezone_dst = String.from_obj(system_obj.get_Timezone_DST())
system_.timezone_standard = String.from_obj(system_obj.get_Timezone_Standard())
system_.total_physical_memory = UnsignedLong.from_obj(system_obj.get_Total_Physical_Memory())
system_.uptime = Duration.from_obj(system_obj.get_Uptime())
system_.username = String.from_obj(system_obj.get_Username())
return system_
def from_obj(memory_obj):
if not memory_obj:
return None
memory_ = Memory()
memory_.is_injected = memory_obj.get_is_injected()
memory_.is_mapped = memory_obj.get_is_mapped()
memory_.is_protected = memory_obj.get_is_protected()
memory_.hashes = HashList.from_obj(memory_obj.get_Hashes())
memory_.name = String.from_obj(memory_obj.get_Name())
memory_.region_size = UnsignedLong.from_obj(memory_obj.get_Region_Size())
memory_.region_start_address = HexBinary.from_obj(memory_obj.get_Region_Start_Address())
memory_.extracted_features = None
return memory_
def from_dict(memory_dict):
if not memory_dict:
return None
memory_ = Memory()
memory_.is_injected = memory_dict.get('is_injected')
memory_.is_mapped = memory_dict.get('is_mapped')
memory_.is_protected = memory_dict.get('is_protected')
memory_.hashes = HashList.from_list(memory_dict.get('hashes'))
memory_.name = String.from_dict(memory_dict.get('name'))
memory_.region_size = UnsignedLong.from_dict(memory_dict.get('region_size'))
memory_.region_start_address = HexBinary.from_dict(memory_dict.get('region_start_address'))
memory_.extracted_features = None
return memory_
def from_obj(file_obj):
if not file_obj:
return None
file_ = File()
file_.is_packed = file_obj.get_is_packed()
file_.file_name = String.from_obj(file_obj.get_File_Name())
file_.file_path = FilePath.from_obj(file_obj.get_File_Path())
file_.device_path = String.from_obj(file_obj.get_Device_Path())
file_.full_path = String.from_obj(file_obj.get_Full_Path())
file_.file_extension = String.from_obj(file_obj.get_File_Extension())
file_.size_in_bytes = UnsignedLong.from_obj(file_obj.get_Size_In_Bytes())
file_.magic_number = HexBinary.from_obj(file_obj.get_Magic_Number())
file_.file_format = String.from_obj(file_obj.get_File_Format())
file_.hashes = HashList.from_obj(file_obj.get_Hashes())
return file_
def from_dict(file_dict):
if not file_dict:
return None
file_ = File()
file_.is_packed = file_dict.get('is_packed')
file_.file_name = String.from_dict(file_dict.get('file_name'))
file_.file_path = FilePath.from_dict(file_dict.get('file_path'))
file_.device_path = String.from_dict(file_dict.get('device_path'))
file_.full_path = String.from_dict(file_dict.get('full_path'))
file_.file_extension = String.from_dict(file_dict.get('file_extension'))
file_.size_in_bytes = UnsignedLong.from_dict(file_dict.get('size_in_bytes'))
file_.magic_number = HexBinary.from_dict(file_dict.get('magic_number'))
file_.file_format = String.from_dict(file_dict.get('file_format'))
file_.hashes = HashList.from_dict(file_dict.get('hashes'))
return file_
def to_cybox_observable(self, exclude=None, bin_fmt="raw"):
if exclude == None:
exclude = []
observables = []
f = File()
for attr in ['md5', 'sha1', 'sha256']:
if attr not in exclude:
val = getattr(self, attr, None)
if val:
setattr(f, attr, val)
if self.ssdeep and 'ssdeep' not in exclude:
f.add_hash(Hash(self.ssdeep, Hash.TYPE_SSDEEP))
if 'size' not in exclude and 'size_in_bytes' not in exclude:
f.size_in_bytes = UnsignedLong(self.size)
if 'filename' not in exclude and 'file_name' not in exclude:
f.file_name = self.filename
# create an Artifact object for the binary if it exists
if 'filedata' not in exclude and bin_fmt:
data = self.filedata.read()
if data: # if sample data available
a = Artifact(data,
Artifact.TYPE_FILE) # create artifact w/data
if bin_fmt == "zlib":
a.packaging.append(ZlibCompression())
a.packaging.append(Base64Encoding())
elif bin_fmt == "base64":
a.packaging.append(Base64Encoding())
f.add_related(a, "Child_Of") # relate artifact to file
if 'filetype' not in exclude and 'file_format' not in exclude:
#NOTE: this doesn't work because the CybOX File object does not
# have any support built in for setting the filetype to a
# CybOX-binding friendly object (e.g., calling .to_dict() on
# the resulting CybOX object fails on this field.
f.file_format = self.filetype
observables.append(Observable(f))
return (observables, self.releasability)
def to_cybox_observable(obj, exclude=None, bin_fmt="raw"):
"""
Convert a CRITs TLO to a CybOX Observable.
:param obj: The TLO to convert.
:type obj: :class:`crits.core.crits_mongoengine.CRITsBaseAttributes`
:param exclude: Attributes to exclude.
:type exclude: list
:param bin_fmt: The format for the binary (if applicable).
:type bin_fmt: str
"""
type_ = obj._meta['crits_type']
if type_ == 'Certificate':
custom_prop = Property(
) # make a custom property so CRITs import can identify Certificate exports
custom_prop.name = "crits_type"
custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents"
custom_prop._value = "Certificate"
obje = File() # represent cert information as file
obje.md5 = obj.md5
obje.file_name = obj.filename
obje.file_format = obj.filetype
obje.size_in_bytes = obj.size
obje.custom_properties = CustomProperties()
obje.custom_properties.append(custom_prop)
obs = Observable(obje)
obs.description = obj.description
data = obj.filedata.read()
if data: # if cert data available
a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data
a.packaging.append(Base64Encoding())
obje.add_related(a, "Child_Of") # relate artifact to file
return ([obs], obj.releasability)
elif type_ == 'Domain':
obje = DomainName()
obje.value = obj.domain
obje.type_ = obj.record_type
return ([Observable(obje)], obj.releasability)
elif type_ == 'Email':
if exclude == None:
exclude = []
observables = []
obje = EmailMessage()
# Assume there is going to be at least one header
obje.header = EmailHeader()
if 'message_id' not in exclude:
obje.header.message_id = String(obj.message_id)
if 'subject' not in exclude:
obje.header.subject = String(obj.subject)
if 'sender' not in exclude:
obje.header.sender = Address(obj.sender, Address.CAT_EMAIL)
if 'reply_to' not in exclude:
obje.header.reply_to = Address(obj.reply_to, Address.CAT_EMAIL)
if 'x_originating_ip' not in exclude:
obje.header.x_originating_ip = Address(obj.x_originating_ip,
Address.CAT_IPV4)
if 'x_mailer' not in exclude:
obje.header.x_mailer = String(obj.x_mailer)
if 'boundary' not in exclude:
obje.header.boundary = String(obj.boundary)
if 'raw_body' not in exclude:
obje.raw_body = obj.raw_body
if 'raw_header' not in exclude:
obje.raw_header = obj.raw_header
#copy fields where the names differ between objects
if 'helo' not in exclude and 'email_server' not in exclude:
obje.email_server = String(obj.helo)
if ('from_' not in exclude and 'from' not in exclude
and 'from_address' not in exclude):
obje.header.from_ = EmailAddress(obj.from_address)
if 'date' not in exclude and 'isodate' not in exclude:
obje.header.date = DateTime(obj.isodate)
obje.attachments = Attachments()
observables.append(Observable(obje))
return (observables, obj.releasability)
elif type_ == 'Indicator':
observables = []
obje = make_cybox_object(obj.ind_type, obj.value)
observables.append(Observable(obje))
return (observables, obj.releasability)
elif type_ == 'IP':
obje = Address()
obje.address_value = obj.ip
if obj.ip_type == IPTypes.IPv4_ADDRESS:
obje.category = "ipv4-addr"
elif obj.ip_type == IPTypes.IPv6_ADDRESS:
obje.category = "ipv6-addr"
elif obj.ip_type == IPTypes.IPv4_SUBNET:
obje.category = "ipv4-net"
elif obj.ip_type == IPTypes.IPv6_SUBNET:
obje.category = "ipv6-subnet"
return ([Observable(obje)], obj.releasability)
elif type_ == 'PCAP':
obje = File()
obje.md5 = obj.md5
obje.file_name = obj.filename
obje.file_format = obj.contentType
obje.size_in_bytes = obj.length
obs = Observable(obje)
obs.description = obj.description
art = Artifact(obj.filedata.read(), Artifact.TYPE_NETWORK)
art.packaging.append(Base64Encoding())
obje.add_related(art, "Child_Of") # relate artifact to file
return ([obs], obj.releasability)
elif type_ == 'RawData':
obje = Artifact(obj.data.encode('utf-8'), Artifact.TYPE_FILE)
obje.packaging.append(Base64Encoding())
obs = Observable(obje)
obs.description = obj.description
return ([obs], obj.releasability)
elif type_ == 'Sample':
if exclude == None:
exclude = []
observables = []
f = File()
for attr in ['md5', 'sha1', 'sha256']:
if attr not in exclude:
val = getattr(obj, attr, None)
if val:
setattr(f, attr, val)
if obj.ssdeep and 'ssdeep' not in exclude:
f.add_hash(Hash(obj.ssdeep, Hash.TYPE_SSDEEP))
if 'size' not in exclude and 'size_in_bytes' not in exclude:
f.size_in_bytes = UnsignedLong(obj.size)
if 'filename' not in exclude and 'file_name' not in exclude:
f.file_name = obj.filename
# create an Artifact object for the binary if it exists
if 'filedata' not in exclude and bin_fmt:
data = obj.filedata.read()
if data: # if sample data available
a = Artifact(data,
Artifact.TYPE_FILE) # create artifact w/data
if bin_fmt == "zlib":
a.packaging.append(ZlibCompression())
a.packaging.append(Base64Encoding())
elif bin_fmt == "base64":
a.packaging.append(Base64Encoding())
f.add_related(a, "Child_Of") # relate artifact to file
if 'filetype' not in exclude and 'file_format' not in exclude:
#NOTE: this doesn't work because the CybOX File object does not
# have any support built in for setting the filetype to a
# CybOX-binding friendly object (e.g., calling .to_dict() on
# the resulting CybOX object fails on this field.
f.file_format = obj.filetype
observables.append(Observable(f))
return (observables, obj.releasability)
else:
return (None, None)
