def _run(self, scanObject, result, depth, args): moduleResult = [] minFileSize = 0 #Explode everything! useUnvalidatedFilenames = 0 if 'minFileSize' in args: try: minFileSize = int(args['minFileSize']) except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError): raise except: pass if 'useUnvalidatedFilenames' in args: try: minFileSize = int(args['useUnvalidatedFilenames']) except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError): raise except: pass file = StringIO.StringIO() file.write(scanObject.buffer) file.flush() file.seek(0) ole = olefile.OleFileIO(file) lstStreams = ole.listdir() numStreams = 0 for stream in lstStreams: try: if ole.get_size(stream) >= minFileSize: numStreams += 1 streamF = ole.openstream(stream) childBuffer = streamF.read() if childBuffer: filename = "e_ole_stream_" + str(numStreams) try: u = unicode(str(stream), "utf-8") filename = u.encode("utf-8") except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError): raise except: pass #keep ole_stream_number as filename moduleResult.append( ModuleObject( buffer=childBuffer, externalVars=ExternalVars(filename=filename))) except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError): raise except: log_module("MSG", self.module_name, 0, scanObject, result, "ERROR EXTRACTING STREAM: " + str(stream)) ole.close() file.close() return moduleResult
def _run(self, scanObject, result, depth, args): moduleResult = [] try: vbaparser = olevba.VBA_Parser( scanObject.objectHash, data=scanObject.buffer) #load ole into olevba if vbaparser.detect_vba_macros(): #VBA Macro Found # Loop to parse VBA Macro for (filename, stream_path, vba_filename, vba_code ) in vbaparser.extract_macros(): # macro extraction macrofilesdict = {} macrofilesdict.update({ 'Type': vbaparser.type, 'VBA_project': vbaparser.vba_projects, 'OLE_stream': stream_path, 'VBA_filename': vba_filename }) scanObject.addMetadata(self.module_name, "Parsed_Macros_Metadata", macrofilesdict) explodevbafilename = 'e_vba_%s_%s' % ( scanObject.objectHash, vba_filename ) # Exploded file name contains source hash moduleResult.append( ModuleObject(buffer=vba_code, externalVars=ExternalVars( filename=explodevbafilename))) # Loop to parse VBA Forms combinedstring = "" formfilesdlist = set() for (filename, stream_path, form_string) in vbaparser.extract_form_strings(): formfilesdlist.add( stream_path ) #set because stream_path could be the same over and over again combinedstring += " %s" % form_string #combining all found forms text into a single variable if combinedstring: #form text found scanObject.addMetadata(self.module_name, "VBA_Forms_Found_Streams", formfilesdlist) explodeformsfilename = 'e_vba_%s_combined_forms.txt' % ( scanObject.objectHash) moduleResult.append( ModuleObject(buffer=combinedstring, externalVars=ExternalVars( filename=explodeformsfilename))) vbaparser.close() except olevba.OlevbaBaseException as e: # exceptions from olevba import will raise olevbaerror = 'e_vba:err:%s' % e #scanObject.addFlag(olevbaerror) log_module("MSG", self.module_name, 0, scanObject, result, olevbaerror) except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError): raise return moduleResult
def _run(self, scanObject, result, depth, args): moduleResult = [] minFileSize = 0 #Explode everything! useUnvalidatedFilenames = 0 if 'minFileSize' in args: try: minFileSize = int(args['minFileSize']) except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError): raise except: pass if 'useUnvalidatedFilenames' in args: try: minFileSize = int(args['useUnvalidatedFilenames']) except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError): raise except: pass file = StringIO.StringIO() file.write(scanObject.buffer) file.flush() file.seek(0) ole = olefile.OleFileIO(file) lstStreams = ole.listdir() numStreams = 0 for stream in lstStreams: try: if ole.get_size(stream) >= minFileSize: numStreams += 1 streamF = ole.openstream(stream) childBuffer = streamF.read() if childBuffer: filename = "e_ole_stream_"+str(numStreams) try: u = unicode( str(stream), "utf-8" ) filename = u.encode( "utf-8" ) except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError): raise except: pass #keep ole_stream_number as filename moduleResult.append(ModuleObject(buffer=childBuffer, externalVars=ExternalVars(filename=filename))) except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError): raise except: log_module("MSG", self.module_name, 0, scanObject, result, "ERROR EXTRACTING STREAM: "+str(stream)) ole.close() file.close() return moduleResult
def _run(self, scanObject, result, depth, args): #Initialization moduleResult = [] verbose = False resultDict = {} strMatches = "" #Read arguments if 'verbose' in args: verbose = True #Populate static metadata resultDict['Disposition_File'] = config.yaradispositionrules resultDict['Result'] = "Disposition Not Initialized" #Get scanObject uID for flag_rollup and rollup flags myUID = get_scanObjectUID(scanObject) flag_rollup = self._rollupToMe(result, myUID) resultDict['Input_Flags'] = flag_rollup if verbose: log_module("MSG", self.module_name, 0, scanObject, result, msg="dispositon_email: flag rollup: %s" % flag_rollup) try: matches = yara_on_demand(config.yaradispositionrules, ' '.join(flag_rollup)) lstStrMatches = [str(match) for match in matches] resultDict['Matches'] = lstStrMatches if matches: strMatches = ' '.join(lstStrMatches) except SyntaxError: log_module_error( self.module_name, scanObject, result, "Error Compiling YARA rules file at: " + config.yaradispositionrules) resultDict['Result'] = "YARA RULE SYNTAX ERROR" resultDict['Result'] = "Accept" for match in resultDict['Matches']: if match.startswith("Deny"): resultDict['Result'] = "Deny" scanObject.addMetadata(self.module_name, 'Disposition', resultDict) return moduleResult
def _run(self, scanObject, result, depth, args): #Initialization moduleResult = [] verbose = False resultDict = {} strMatches = "" #Read arguments if 'verbose' in args: verbose = True #Populate static metadata resultDict['Disposition_File'] = config.yaradispositionrules resultDict['Result'] = "Disposition Not Initialized" #Get scanObject uID for flag_rollup and rollup flags myUID = get_scanObjectUID(scanObject) flag_rollup = self._rollupToMe(result, myUID ) resultDict['Input_Flags'] = flag_rollup if verbose: log_module("MSG", self.module_name, 0, scanObject, result, msg="dispositon_email: flag rollup: %s" % flag_rollup) try: matches = yara_on_demand(config.yaradispositionrules, ' '.join(flag_rollup)) lstStrMatches = [str(match) for match in matches] resultDict['Matches'] = lstStrMatches if matches: strMatches = ' '.join(lstStrMatches) except SyntaxError: log_module_error(self.module_name, scanObject, result, "Error Compiling YARA rules file at: "+config.yaradispositionrules) resultDict['Result'] = "YARA RULE SYNTAX ERROR" resultDict['Result'] = "Accept" for match in resultDict['Matches']: if match.startswith("Deny"): resultDict['Result'] = "Deny" scanObject.addMetadata(self.module_name, 'Disposition', resultDict) return moduleResult
def _run(self, scanObject, result, depth, args): logging.debug("tactical: args: %s" % repr(args)) moduleResult = [] output = '' script_path = None timeout = "30"; if 'timeout' in args: timeout = args['timeout'] # Option to remove directory containing temp files unlinkDir = False if 'unlinkDir' in args: if args['unlinkDir'].upper() == 'TRUE': unlinkDir = True #only do something if script is defined in dispatcher--without external script this does nothing if 'script' in args: script_path = args['script'] #temp_file_h, temp_file_name = tempfile.mkstemp() with tempfile.NamedTemporaryFile(dir=self.TEMP_DIR) as temp_file: temp_file_name = temp_file.name temp_file.write(scanObject.buffer) temp_file.flush() #use timeout command in the command, if available on the system? output = self._collect("timeout %s %s %s %s" % (timeout, script_path, temp_file_name, self.TEMP_DIR), shell=True) logging.debug(output) tmp_dirs = [] for line in output.splitlines(): #need to process the lines line_type = line[:5] line_value = line[5:].strip() if line_type == "FLAG:": #not doing any validation on the flags, but truncating on length scanObject.addFlag(line_value[:20]) elif line_type == "META:": (meta_key, meta_sep, meta_value) = line_value.partition('=') scanObject.addMetadata(self.module_name, meta_key, meta_value) elif line_type == "FILE:": # Check to see if the file is actually a directory (silly 7zip) if os.path.isdir(line_value): # If the file is a directory and we don't already know about it, add it to the list if line_value not in tmp_dirs: tmp_dirs.append(line_value) # Skip this since it's a directory continue # If we don't already know about this directory, add it to the list if os.path.dirname(line_value) not in tmp_dirs: file_path = os.path.dirname(line_value) tmp_dirs.append(file_path) try: with open(line_value, 'r') as result_file: moduleResult.append(ModuleObject(buffer=result_file.read(),externalVars=ExternalVars(filename=os.path.basename(line_value)))) except: raise finally: #make sure the incoming file is deleted, or at least we try.... logging.debug("Trying to unlink file: %s" % (line_value)) os.unlink(line_value) else: pass if unlinkDir: logging.debug("Attempting to remove temp directories: %s" % (tmp_dirs)) # Loop through the directories and remove them, starting with the deepest level (by length) for tmp_dir in sorted(tmp_dirs, key=len, reverse=True): try: rmtree(tmp_dir) except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError): raise except: log_module("MSG", self.module_name, 0, scanObject, result, "Could not remove tmp dir %s" % (tmp_dir)) logging.exception("Unable to remove temp directory: %s" % (tmp_dir)) return moduleResult
def _run(self, scanObject, result, depth, args): logging.debug("tactical: args: %s" % repr(args)) moduleResult = [] output = '' script_path = None timeout = "30" if 'timeout' in args: timeout = args['timeout'] # Option to remove directory containing temp files unlinkDir = False if 'unlinkDir' in args: if args['unlinkDir'].upper() == 'TRUE': unlinkDir = True #only do something if script is defined in dispatcher--without external script this does nothing if 'script' in args: script_path = args['script'] #temp_file_h, temp_file_name = tempfile.mkstemp() with tempfile.NamedTemporaryFile(dir=self.TEMP_DIR) as temp_file: temp_file_name = temp_file.name temp_file.write(scanObject.buffer) temp_file.flush() #use timeout command in the command, if available on the system? output = self._collect( "timeout %s %s %s %s" % (timeout, script_path, temp_file_name, self.TEMP_DIR), shell=True) logging.debug(output) tmp_dirs = [] for line in output.splitlines(): #need to process the lines line_type = line[:5] line_value = line[5:].strip() if line_type == "FLAG:": #not doing any validation on the flags, but truncating on length scanObject.addFlag(line_value[:20]) elif line_type == "META:": (meta_key, meta_sep, meta_value) = line_value.partition('=') scanObject.addMetadata(self.module_name, meta_key, meta_value) elif line_type == "FILE:": # Check to see if the file is actually a directory (silly 7zip) if os.path.isdir(line_value): # If the file is a directory and we don't already know about it, add it to the list if line_value not in tmp_dirs: tmp_dirs.append(line_value) # Skip this since it's a directory continue # If we don't already know about this directory, add it to the list if os.path.dirname(line_value) not in tmp_dirs: file_path = os.path.dirname(line_value) tmp_dirs.append(file_path) try: with open(line_value, 'r') as result_file: moduleResult.append( ModuleObject(buffer=result_file.read(), externalVars=ExternalVars( filename=os.path.basename( line_value)))) except: raise finally: #make sure the incoming file is deleted, or at least we try.... logging.debug("Trying to unlink file: %s" % (line_value)) os.unlink(line_value) else: pass if unlinkDir: logging.debug("Attempting to remove temp directories: %s" % (tmp_dirs)) # Loop through the directories and remove them, starting with the deepest level (by length) for tmp_dir in sorted(tmp_dirs, key=len, reverse=True): try: rmtree(tmp_dir) except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError): raise except: log_module( "MSG", self.module_name, 0, scanObject, result, "Could not remove tmp dir %s" % (tmp_dir)) logging.exception( "Unable to remove temp directory: %s" % (tmp_dir)) return moduleResult
def run(self, scanObject, result, depth, args): """Wrapper method around _run for error handling""" moduleLoggingBool = config.modulelogging try: starttime = time.time() if moduleLoggingBool: log_module("START", self.module_name, 0, scanObject, result) # Get a configured timeout timeout_seconds = int(get_option(args, 'module_timeout', 'global_module_timeout', 3600)) with timeout(timeout_seconds, exception=GlobalModuleTimeoutError): moduleResult = self._run(scanObject, result, depth, args) if moduleLoggingBool: log_module("END", self.module_name, time.time() - starttime, scanObject, result) if type(moduleResult) is not list: msg = "%s returned an object with type %s. Only lists are allowed! Skipping this result." % (self.module_name, type(moduleResult)) logging.debug(msg) if moduleLoggingBool: log_module_error(self.module_name, scanObject, result, msg) return [] return moduleResult except GlobalScanTimeoutError: raise except GlobalModuleTimeoutError: # If the _module times out, add a flag and continue as a normal error scanObject.addFlag("dispatch:err:module_timeout:%s" % self.module_name) exc_type, exc_value, exc_traceback = sys.exc_info() logging.exception("error on %s running _module %s. exception details below: ", get_scanObjectUID(getRootObject(result)), self.module_name) if moduleLoggingBool: log_module_error(self.module_name, scanObject, result, repr(traceback.format_exception(exc_type, exc_value, exc_traceback))) return [] except QuitScanException: # If the _module is terminated early, add a flag and proceed the exception up the stack scanObject.addFlag("dispatch:err:quit_scan") logging.warning("quitting scan while running _module %s", self.module_name) raise except Exception: exc_type, exc_value, exc_traceback = sys.exc_info() logging.exception("error on %s running _module %s. exception details below: ", get_scanObjectUID(getRootObject(result)), self.module_name) if moduleLoggingBool: log_module_error(self.module_name, scanObject, result, repr(traceback.format_exception(exc_type, exc_value, exc_traceback))) return []
def run(self, scanObject, result, depth, args): '''Wrapper method around _run for error handling''' moduleLoggingBool = config.modulelogging try: starttime = time.time() if moduleLoggingBool: log_module("START", self.module_name, 0, scanObject, result) # Get a configured timeout timeout_seconds = int(get_option(args, 'module_timeout', 'global_module_timeout', 3600)) with timeout(timeout_seconds, exception=GlobalModuleTimeoutError): moduleResult = self._run(scanObject, result, depth, args) if moduleLoggingBool: log_module("END", self.module_name, time.time() - starttime, scanObject, result) if type(moduleResult) is not list: msg = "%s returned an object with type %s. Only lists are allowed! Skipping this result." % (self.module_name, type(moduleResult)) logging.debug(msg) if moduleLoggingBool: log_module_error(self.module_name, scanObject, result, msg) return [] return moduleResult except GlobalScanTimeoutError: raise except GlobalModuleTimeoutError: # If the module times out, add a flag and continue as a normal error scanObject.addFlag("dispatch:err:module_timeout:%s" % self.module_name) exc_type, exc_value, exc_traceback = sys.exc_info() logging.exception("error on %s running module %s. exception details below: ", get_scanObjectUID(getRootObject(result)), self.module_name) if moduleLoggingBool: log_module_error(self.module_name, scanObject, result, repr(traceback.format_exception(exc_type, exc_value, exc_traceback))) return [] except QuitScanException: # If the module is terminated early, add a flag and proceed the exception up the stack scanObject.addFlag("dispatch:err:quit_scan") logging.warn("quitting scan while running module %s", self.module_name) raise except Exception: exc_type, exc_value, exc_traceback = sys.exc_info() logging.exception("error on %s running module %s. exception details below: ", get_scanObjectUID(getRootObject(result)), self.module_name) if moduleLoggingBool: log_module_error(self.module_name, scanObject, result, repr(traceback.format_exception(exc_type, exc_value, exc_traceback))) return []