def __init__(self, file, data=None):
self.file = file
if data != None:
self.infile = DataIO(data)
elif file == '':
self.infile = sys.stdin
elif file.lower().startswith('http://') or file.lower().startswith(
'https://'):
try:
if sys.hexversion >= 0x020601F0:
self.infile = urllib23.urlopen(file, timeout=5)
else:
self.infile = urllib23.urlopen(file)
except urllib23.HTTPError:
print('Error accessing URL %s' % file)
print(sys.exc_info()[1])
sys.exit()
elif file.lower().endswith('.zip'):
try:
self.zipfile = zipfile.ZipFile(file, 'r')
self.infile = self.zipfile.open(self.zipfile.infolist()[0],
'r', C2BIP3('infected'))
except:
print('Error opening file %s' % file)
print(sys.exc_info()[1])
sys.exit()
else:
try:
self.infile = open(file, 'rb')
except:
print('Error opening file %s' % file)
print(sys.exc_info()[1])
sys.exit()
self.ungetted = []
def __init__(self, filename, zippassword='******', noextraction=False, literalfilename=False):
self.filename = filename
self.zippassword = zippassword
self.noextraction = noextraction
self.literalfilename = literalfilename
self.oZipfile = None
fch, data = FilenameCheckHash(self.filename, self.literalfilename)
if fch == FCH_ERROR:
raise Exception('Error %s parsing filename: %s' % (data, self.filename))
if self.filename == '':
if sys.platform == 'win32':
import msvcrt
msvcrt.setmode(sys.stdin.fileno(), os.O_BINARY)
self.fIn = sys.stdin
elif fch == FCH_DATA:
self.fIn = DataIO(data)
elif not self.noextraction and self.filename.lower().endswith('.zip'):
self.oZipfile = zipfile.ZipFile(self.filename, 'r')
if len(self.oZipfile.infolist()) == 1:
self.fIn = self.oZipfile.open(self.oZipfile.infolist()[0], 'r', self.zippassword)
else:
self.oZipfile.close()
self.oZipfile = None
self.fIn = open(self.filename, 'rb')
elif not self.noextraction and self.filename.lower().endswith('.gz'):
self.fIn = gzip.GzipFile(self.filename, 'rb')
else:
self.fIn = open(self.filename, 'rb')
def DecodeBitstream(bitstream):
bitstream += ((8 - len(bitstream) % 8) % 8) * b'0'
oResult = DataIO()
position = 0
while position < len(bitstream):
oResult.write(C2BIP3(chr(int(bitstream[position:position + 8], 2))))
position += 8
return oResult.getvalue()
def scanzip(f, options):
if not check_yara(options):
return
rules = YARACompile(options.yara)
zipfilename = f
oZipfile = zipfile.ZipFile(zipfilename, 'r')
zippassword = options.password
counter = 0
stat_result = os.stat(f)
zipmsum, zipssum = gen_sum_file(zipfilename)
global decoders
decoders = []
LoadDecoders(options.decoders, options.decoderdir, True)
if not options.regular and len(oZipfile.infolist()) == 1:
try:
if oZipfile.open(oZipfile.infolist()[0], 'r',
C2BIP3(zippassword)).read(2) == b'PK':
oZipfile2 = zipfile.ZipFile(
DataIO(
oZipfile.open(oZipfile.infolist()[0], 'r',
C2BIP3(zippassword)).read()), 'r')
oZipfile.close()
oZipfile = oZipfile2
except:
pass
results = []
for oZipInfo in oZipfile.infolist():
counter += 1
if DecideToSelect(options.select, counter, oZipInfo.filename):
file = oZipfile.open(oZipInfo, 'r', C2BIP3(zippassword))
filecontent = file.read()
file.close()
# md5sum, sha2sum = gen_sum(filecontent)
# encrypted = oZipInfo.flag_bits & 1
# timestamp = '%04d-%02d-%02d %02d:%02d:%02d' % oZipInfo.date_time
oDecoders = [cIdentity(filecontent, None)]
for cDecoder in decoders:
try:
oDecoder = cDecoder(filecontent, options.decoderoptions)
oDecoders.append(oDecoder)
except Exception as e:
print('Error instantiating decoder: %s' % cDecoder.name)
if options.verbose:
raise e
return
for oDecoder in oDecoders:
while oDecoder.Available():
for result in rules.match(data=oDecoder.Decode()):
yaraout = fmtyarastrings(result.strings)
for out in yaraout:
r = Result()
r.zipfile = True
r.filename = zipfilename
r.decoder = oDecoder.Name()
r.sha2sum = zipssum
r.md5sum = zipmsum
r.namespace = result.namespace
r.rule = result.rule
r.yaraidentifier = out[0]
r.yarastring = out[1]
fillfinfo(stat_result, r)
results.append(r)
return results
