def _get_versioninfo(self):
"""Get version info.
@return: info dict or None.
"""
if not self.pe:
return None
infos = []
if hasattr(self.pe, "VS_VERSIONINFO"):
if hasattr(self.pe, "FileInfo"):
for entry in self.pe.FileInfo:
try:
if hasattr(entry, "StringTable"):
for st_entry in entry.StringTable:
for str_entry in st_entry.entries.items():
entry = {}
entry["name"] = convert_to_printable(
str_entry[0])
entry["value"] = convert_to_printable(
str_entry[1])
infos.append(entry)
elif hasattr(entry, "Var"):
for var_entry in entry.Var:
if hasattr(var_entry, "entry"):
entry = {}
entry["name"] = convert_to_printable(
var_entry.entry.keys()[0])
entry["value"] = convert_to_printable(
var_entry.entry.values()[0])
infos.append(entry)
except:
continue
return infos
class ircMessage(object):
"""IRC Protocol Request."""
# client commands
__methods_client = dict.fromkeys(
('PASS', 'JOIN', 'USER', 'OPER', 'MODE', 'SERVICE', 'QUIT', 'SQUIT',
'PART', 'TOPIC', 'NAMES', 'LIST', 'INVITE', 'KICK', 'PRIVMSG',
'NOTICE', 'MOTD', 'LUSERS', 'VERSION', 'STATS', 'LINKS', 'TIME',
'CONNECT', 'TRACE', 'ADMIN', 'INFO', 'SERVLIST', 'SQUERY', 'WHO',
'WHOIS', 'WHOWAS', 'KILL', 'PING', 'PONG', 'ERROR', 'AWAY', 'REHASH',
'DIE', 'RESTART', 'SUMMON', 'USERS', 'WALLOPS', 'USERHOST', 'NICK',
'ISON'))
def __init__(self):
self._messages = []
# Server commandis : prefix - command - params
self._sc = {}
# Client commands : command - params
self._cc = {}
log = logging.getLogger("Processing.Pcap.irc.protocol")
def _unpack(self, buf):
"""
Extract into a list irc messages of a tcp streams
@buf: tcp stream data
"""
try:
f = cStringIO.StringIO(buf)
lines = f.readlines()
except Exception, why:
log.error("Failed reading tcp stream buffer")
return False
for element in lines:
if re.match('^:', element) != None:
command = '([a-zA-Z]+|[0-9]{3})'
params = '(\x20.+)'
irc_server_msg = re.findall(
'(^:[\w+.{}!@|()]+\x20)' + command + params, element)
if irc_server_msg:
self._sc['prefix'] = convert_to_printable(
irc_server_msg[0][0].strip())
self._sc['command'] = convert_to_printable(
irc_server_msg[0][1].strip())
self._sc['params'] = convert_to_printable(
irc_server_msg[0][2].strip())
self._sc['type'] = 'server'
self._messages.append(dict(self._sc))
else:
irc_client_msg = re.findall('([a-zA-Z]+\x20)(.+[\x0a\0x0d])',
element)
if irc_client_msg and irc_client_msg[0][0].strip(
) in self.__methods_client:
self._cc['command'] = convert_to_printable(
irc_client_msg[0][0].strip())
self._cc['params'] = convert_to_printable(
irc_client_msg[0][1].strip())
self._cc['type'] = 'client'
self._messages.append(dict(self._cc))
def _parse(self, row):
"""Parse log row.
@param row: row data.
@return: parsed information dict.
"""
call = {}
arguments = []
try:
timestamp = row[0] # Timestamp of current API call invocation.
thread_id = row[1] # Thread ID.
category = row[2] # Win32 function category.
api_name = row[3] # Name of the Windows API.
status_value = row[4] # Success or Failure?
return_value = row[5] # Value returned by the function.
except IndexError as e:
log.debug("Unable to parse process log row: %s", e)
return None
# Now walk through the remaining columns, which will contain API
# arguments.
for index in range(6, len(row)):
argument = {}
# Split the argument name with its value based on the separator.
try:
(arg_name, arg_value) = row[index]
except ValueError as e:
log.debug("Unable to parse analysis row argument (row=%s): %s",
row[index], e)
continue
argument["name"] = arg_name
argument["value"] = convert_to_printable(
str(arg_value)).lstrip("\\??\\")
arguments.append(argument)
call["timestamp"] = timestamp
call["thread_id"] = str(thread_id)
call["category"] = category
call["api"] = api_name
call["status"] = bool(int(status_value))
if isinstance(return_value, int):
call["return"] = "0x%.08x" % return_value
else:
call["return"] = convert_to_printable(str(return_value))
call["arguments"] = arguments
call["repeated"] = 0
return call
def _add_hosts(self, connection):
"""Add IPs to unique list.
@param connection: connection data
"""
try:
if connection["src"] not in self.unique_hosts:
self.unique_hosts.append(convert_to_printable(connection["src"]))
if connection["dst"] not in self.unique_hosts:
self.unique_hosts.append(convert_to_printable(connection["dst"]))
except Exception:
return False
return True
def _parse(self, row):
"""Parse log row.
@param row: row data.
@return: parsed information dict.
"""
call = {}
arguments = []
try:
timestamp = row[0] # Timestamp of current API call invocation.
thread_id = row[1] # Thread ID.
category = row[2] # Win32 function category.
api_name = row[3] # Name of the Windows API.
status_value = row[4] # Success or Failure?
return_value = row[5] # Value returned by the function.
except IndexError as e:
log.debug("Unable to parse process log row: %s", e)
return None
# Now walk through the remaining columns, which will contain API
# arguments.
for index in range(6, len(row)):
argument = {}
# Split the argument name with its value based on the separator.
try:
(arg_name, arg_value) = row[index]
except ValueError as e:
log.debug("Unable to parse analysis row argument (row=%s): %s", row[index], e)
continue
argument["name"] = arg_name
argument["value"] = convert_to_printable(str(arg_value)).lstrip("\\??\\")
arguments.append(argument)
call["timestamp"] = timestamp
call["thread_id"] = str(thread_id)
call["category"] = category
call["api"] = api_name
call["status"] = bool(int(status_value))
if isinstance(return_value, int):
call["return"] = "0x%.08x" % return_value
else:
call["return"] = convert_to_printable(str(return_value))
call["arguments"] = arguments
call["repeated"] = 0
return call
def _add_hosts(self, connection):
"""Add IPs to unique list.
@param connection: connection data
"""
try:
if connection["src"] not in self.unique_hosts:
self.unique_hosts.append(
convert_to_printable(connection["src"]))
if connection["dst"] not in self.unique_hosts:
self.unique_hosts.append(
convert_to_printable(connection["dst"]))
except Exception:
return False
return True
def _add_http(self, tcpdata, dport):
"""Adds an HTTP flow.
@param tcpdata: TCP data flow.
@param dport: destination port.
"""
try:
http = dpkt.http.Request()
http.unpack(tcpdata)
except dpkt.dpkt.UnpackError:
pass
try:
entry = {}
if "host" in http.headers:
entry["host"] = convert_to_printable(http.headers["host"])
else:
entry["host"] = ""
entry["port"] = dport
entry["data"] = convert_to_printable(tcpdata)
entry["uri"] = convert_to_printable(
urlunparse(
("http", entry["host"], http.uri, None, None, None)))
entry["body"] = convert_to_printable(http.body)
entry["path"] = convert_to_printable(http.uri)
if "user-agent" in http.headers:
entry["user-agent"] = convert_to_printable(
http.headers["user-agent"])
entry["version"] = convert_to_printable(http.version)
entry["method"] = convert_to_printable(http.method)
self.http_requests.append(entry)
except Exception:
return False
return True
def _add_http(self, tcpdata, dport):
"""Adds an HTTP flow.
@param tcpdata: TCP data flow.
@param dport: destination port.
"""
try:
http = dpkt.http.Request()
http.unpack(tcpdata)
except dpkt.dpkt.UnpackError:
pass
try:
entry = {}
if "host" in http.headers:
entry["host"] = convert_to_printable(http.headers["host"])
else:
entry["host"] = ""
entry["port"] = dport
entry["data"] = convert_to_printable(tcpdata)
entry["uri"] = convert_to_printable(urlunparse(("http", entry["host"], http.uri, None, None, None)))
entry["body"] = convert_to_printable(http.body)
entry["path"] = convert_to_printable(http.uri)
if "user-agent" in http.headers:
entry["user-agent"] = convert_to_printable(http.headers["user-agent"])
entry["version"] = convert_to_printable(http.version)
entry["method"] = convert_to_printable(http.method)
self.http_requests.append(entry)
except Exception:
return False
return True
def _get_sections(self):
"""Gets sections.
@return: sections dict or None.
"""
if not self.pe:
return None
sections = []
for entry in self.pe.sections:
try:
section = {}
section["name"] = convert_to_printable(
entry.Name.strip("\x00"))
section["virtual_address"] = hex(entry.VirtualAddress)
section["virtual_size"] = hex(entry.Misc_VirtualSize)
section["size_of_data"] = hex(entry.SizeOfRawData)
section["entropy"] = entry.get_entropy()
sections.append(section)
except:
continue
return sections
def test_literal(self):
assert_equal("e", utils.convert_to_printable("e"))
def test_non_printable(self):
assert_equal("\x0b", utils.convert_to_printable(chr(11)))
def test_whitespace(self):
assert_equal(" ", utils.convert_to_printable(" "))
def test_punctation(self):
assert_equal(".", utils.convert_to_printable("."))
def test_literal(self):
assert_equal("e", utils.convert_to_printable("e"))
def test_digit(self):
assert_equal("9", utils.convert_to_printable(u"9"))
def test_utf(self):
assert_equal("\\xe9", utils.convert_to_printable(u"\xe9"))
def test_non_printable(self):
assert_equal("\x0b", utils.convert_to_printable(chr(11)))
def test_whitespace(self):
assert_equal(" ", utils.convert_to_printable(" "))
def test_punctation(self):
assert_equal(".", utils.convert_to_printable("."))
def test_digit(self):
assert_equal("9", utils.convert_to_printable(u"9"))
def test_utf(self):
assert_equal("\\xe9", utils.convert_to_printable(u"\xe9"))
