                            ])
                        flowtab.add_row(["", ""])

                    if flow["scan"]["yara"]:
                        if hasattr(flow["scan"]["yara"],
                                   "cts") and flow["scan"]["yara"]["cts"]:
                            ctsmatches = []
                            for entry in flow["scan"]["yara"]["cts"]:
                                ctsmatches.append(entry["rule"])
                            flowtab.add_row(
                                ["CTS Yara Matches", "\n".join(ctsmatches)])
                        if hasattr(flow["scan"]["yara"],
                                   "stc") and flow["scan"]["yara"]["stc"]:
                            stcmatches = []
                            for entry in flow["scan"]["yara"]["stc"]:
                                stcmatches.append(entry["rule"])
                            flowtab.add_row(
                                ["STC Yara Matches", "\n".join(stcmatches)])
                        flowtab.add_row(["", ""])

                result = flowtab.get_string()
                if result != "":
                    summarytab.add_row(["Flows", result])

            result = summarytab.get_string()
            if result != "":
                print "\nPcap Summary:\n%s" % (result)


# Import-time side effect: hand the pcapsummary plugin class to the plugin Manager.
Manager().register_plugin(pcapsummary)
import os
import sys


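# Resolve the project root (parent of this plugin directory) from this file's
# own location, so the import below works regardless of the current working dir.
current_dir = os.path.abspath(os.path.dirname(__file__))
root_dir = os.path.normpath(os.path.join(current_dir, ".."))
# Prepending (index 0) makes modules under root_dir shadow the standard library
# and site-packages for every later import in this process - keep root_dir
# non-writable by untrusted users, or this becomes an import-hijack path.
# NOTE(review): `sys` is used here but only `import os` is visible above; the
# import must be present at the top of this file.
sys.path.insert(0, root_dir)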


class template(PluginInterface):
  """Skeleton plugin: copy this file to start a new plugin.

  ``details`` is the metadata record (name, mimetypes, author, ...) and
  ``run`` is the hook invoked with an analysis report; the MIME-type gate in
  ``run`` is the only logic this template carries.
  """
  name = "template"
  enabled = True

  def __init__(self):
    """Populate the plugin metadata record."""
    self.details = utils.objdict({})
    details = self.details
    # objdict supports both styles used in this file: details.name here and
    # details["mimetypes"] in run().
    details.name = self.name
    details.description = "Plugin template to be used for creating new plugins"
    # Only reports whose file MIME type is listed here pass the gate in run().
    details.mimetypes = ["application/x-dosexec"]
    details.author = "@author"
    details.version = "0.01"
    details.date = "15/OCT/2015"
    # __file__ is normally set; the guard keeps path a str either way.
    details.path = os.path.abspath(__file__) if __file__ is not None else ""

  def run(self, report):
    """Plugin entry point; returns None.

    ``report.meta.filemimetype`` is compared against ``details["mimetypes"]``
    and plugin-specific processing belongs inside that conditional.
    """
    accepted = self.details["mimetypes"]
    if accepted and report.meta.filemimetype in accepted:
      pass  # plugin logic goes here
    return None


# Import-time side effect: register the template plugin with the plugin Manager.
Manager().register_plugin(template)

                    whitelisttab.align["Source"] = "l"
                    whitelisttab.add_row(
                        ["NSRL", report.pe.scan.whitelist["nsrl"]])
                    whitelisttab.add_row(
                        ["Mandiant", report.pe.scan.whitelist["mandiant"]])
                    result = whitelisttab.get_string(sortby="Whitelisted",
                                                     reversesort=True)
                    if result != "":
                        tab.add_row(["Whitelist", result])
                        tab.add_row(["", ""])

                if report.pe.scan.yara:
                    yaratab = PrettyTable(["Rules"])
                    yaratab.border = borderflag
                    yaratab.header = headerflag
                    yaratab.padding_width = padwidth
                    yaratab.align["Rules"] = "l"
                    for rulename in report.pe.scan.yara.keys():
                        yaratab.add_row([rulename])
                    result = yaratab.get_string(sortby="Rules",
                                                reversesort=False)
                    if result != "":
                        tab.add_row(["Yara", result])

            result = tab.get_string()
            if result != "":
                print "\nScan Results:\n%s" % result


# Import-time side effect: register the pesummary plugin with the plugin Manager.
Manager().register_plugin(pesummary)
        self.details.name = self.name
        self.details.description = "Extract overlay data into report directory"
        self.details.mimetypes = ["application/x-dosexec"]
        self.details.author = "@7h3rAm"
        self.details.version = "0.01"
        self.details.date = "19/OCT/2015"
        self.details.path = ("" if __file__ is None else
                             os.path.abspath(__file__))

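    def run(self, report):
        """Carve the PE overlay into ``<currreportpath>/<currreportfile>.overlay``.

        Args:
            report: analysis report. Reads report.meta.filemimetype,
                report.meta.filename, report.pe.static.overlay
                (offset/size/mimetype) and report.misc.config.

        Returns:
            None. Nothing is written unless the MIME gate passes and an
            overlay with a non-negative offset and a positive size is present.
        """
        accepted = self.details["mimetypes"]
        if not (accepted and report.meta.filemimetype in accepted):
            return
        overlay = report.pe.static.overlay
        if not (overlay and overlay.size):
            return
        # offset/size presumably come from the parsed PE header, i.e. from the
        # sample itself. A negative offset would otherwise be treated as a
        # from-the-end slice (or make seek() raise) and carve the wrong bytes;
        # a negative size would make read() return the whole file.
        if overlay.offset < 0 or overlay.size < 0:
            return
        # Read just the overlay region instead of loading the entire sample.
        with open(report.meta.filename, "rb") as fo:
            fo.seek(overlay.offset)
            data = fo.read(overlay.size)
        # A declared size that runs past EOF yields a short read; whatever exists
        # is still written, matching the previous slice-based behaviour.
        # NOTE(review): "w" (text mode) is chosen for text-like overlays as in the
        # other extract* plugins; on Windows that rewrites newlines inside carved
        # bytes - confirm consumers want that, otherwise "wb" is the safe default.
        mode = "w" if overlay.mimetype and "text" in overlay.mimetype else "wb"
        fileutils.file_save(
            filename="%s/%s.overlay" % (report.misc.config.currreportpath,
                                        report.misc.config.currreportfile),
            data=data,
            mode=mode)
        return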


# Import-time side effect: register the overlay extractor with the plugin Manager.
Manager().register_plugin(extractoverlay)
        self.details.author = "@7h3rAm"
        self.details.version = "0.01"
        self.details.date = "19/OCT/2015"
        self.details.path = ("" if __file__ is None else
                             os.path.abspath(__file__))

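    def run(self, report):
        """Carve the Authenticode blob into ``<currreportpath>/<currreportfile>.der``.

        Args:
            report: analysis report. Reads report.meta.filemimetype,
                report.meta.filename, report.pe.static.authenticode
                (offset/size) and report.misc.config.

        Returns:
            None. Nothing is written unless the MIME gate passes and the
            authenticode entry has a positive offset and size.
        """
        accepted = self.details["mimetypes"]
        if not (accepted and report.meta.filemimetype in accepted):
            return
        sig = report.pe.static.authenticode
        if not sig:
            return
        # Both values presumably originate from the PE security data directory,
        # i.e. from the sample; the > 0 checks reject zero/negative entries.
        if sig.offset <= 0 or sig.size <= 0:
            return
        # Read only the signature region rather than the whole sample.
        with open(report.meta.filename, "rb") as fo:
            fo.seek(sig.offset)
            raw = fo.read(sig.size)
        # A size running past EOF gives a short read; the partial blob is still
        # written, as the previous slice-based version did.
        # NOTE(review): the security directory holds WIN_CERTIFICATE record(s)
        # (a small length/revision/type header ahead of the PKCS#7 data); this is
        # the raw carve, so the ".der" file presumably still carries that header.
        # Confirm whether downstream tooling expects it stripped.
        mtype = utils.data_mimetype(raw)
        # Signature data is binary; "w" only triggers if the sniffer reports text.
        mode = "w" if mtype and "text" in mtype else "wb"
        fileutils.file_save(filename="%s/%s.der" %
                            (report.misc.config.currreportpath,
                             report.misc.config.currreportfile),
                            data=raw,
                            mode=mode)
        return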


# Import-time side effect: register the Authenticode extractor with the plugin Manager.
Manager().register_plugin(extractauthenticode)
                    yaratab.add_row([rulename, desc, tags])
                normalizeddata = yaratab.get_html_string(
                    sortby="Rule", reversesort=False
                ).replace("&lt;", "<").replace("&gt;", ">").replace(
                    "&amp;", "&"
                ).replace(
                    "</table>", "</table></div></div></div></div>"
                ).replace(
                    "<table>",
                    "<div class='panel panel-info'>\n<div class='panel-heading'><strong>Yara</strong></div>\n<div class='panel-body'>\n<div class='row'>\n<div class='col-md-12'>\n<table class='table table-condensed table-hover table-striped'>"
                )
                htmldata += "%s\n" % (normalizeddata)

            htmldata += "%s" % (htmlends)

            thregex = re.compile(r"<tr>(\s+)<td>(.*)</td>")
            htmldata = thregex.sub(r"<tr>\1<th class='col-md-2'>\2</th>",
                                   htmldata)
            tdregex = re.compile(r"<td>(.*)</td>")
            normalizedhtmldata = tdregex.sub(
                r"<td class='highlight_def'>\1</td>", htmldata)

            fileutils.file_save(filename="%s/%s.html" %
                                (report.misc.config.currreportpath,
                                 report.misc.config.currreportfile),
                                data="%s" % (normalizedhtmldata),
                                mode="w")


# NOTE(review): the HTML built above undoes PrettyTable's escaping
# (.replace("&lt;", "<") ... .replace("&amp;", "&")), so any markup inside a
# Yara rule name, description or tag lands verbatim in the written .html
# report. That is only acceptable if every rule file is trusted; otherwise the
# escaping should be kept for those cells.
Manager().register_plugin(pehtml)
    def run(self, report):
        """Dump the report's visualisation artefacts next to the report file.

        Active only when report.misc.config.enablefilevisualization is set and
        report.meta.visual is present. Writes, in order, ``.pnggray``,
        ``.pngrgb`` and ``.bfh`` (all binary), plus ``.identicon`` when one
        exists. The PNGs and the identicon are held base64-encoded and decoded
        here; the byte-frequency histogram is written as-is. Returns None.
        """
        cfg = report.misc.config
        visual = report.meta.visual
        if not (cfg.enablefilevisualization and visual):
            return
        stem = "%s/%s" % (cfg.currreportpath, cfg.currreportfile)
        # (suffix, payload, needs base64 decoding) - in the original write order.
        artefacts = [
            ("pnggray", visual.pnggray, True),
            ("pngrgb", visual.pngrgb, True),
            ("bfh", visual.bytefreqhistogram, False),
        ]
        if visual.identicon:
            artefacts.append(("identicon", visual.identicon, True))
        for suffix, payload, encoded in artefacts:
            fileutils.file_save(
                filename="%s.%s" % (stem, suffix),
                data=utils.from_base64(payload) if encoded else payload,
                mode="wb")
        return


# Import-time side effect: register the visualisation extractor with the plugin Manager.
Manager().register_plugin(extractvisual)
    def __init__(self):
        """Populate the plugin's metadata record (``self.details``)."""
        self.details = utils.objdict({})
        details = self.details
        details.name = self.name
        details.description = "Extract all subfiles into report directory"
        # None: no MIME-type restriction; run() decides based on subfile presence.
        details.mimetypes = None
        details.author = "@7h3rAm"
        details.version = "0.01"
        details.date = "19/OCT/2015"
        # __file__ is normally set; the guard keeps path a str either way.
        details.path = os.path.abspath(__file__) if __file__ is not None else ""

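    def run(self, report):
        """Write each embedded subfile to the report directory.

        Args:
            report: analysis report. Reads report.meta.subfiles (entries with
                "offset", "size", "mimetype" and "hashes"["sha256"]),
                report.meta.filename and report.misc.config.

        Returns:
            None. Each qualifying entry is written to
            ``<currreportpath>/<currreportfile>_<sha256>``.
        """
        subfiles = report.meta.subfiles
        # NOTE(review): the > 1 threshold presumably treats the first entry as
        # the container itself, so a lone entry is never extracted - confirm.
        if not (subfiles and len(subfiles) > 1):
            return
        # The sample is read once and sliced per entry.
        with open(report.meta.filename, "rb") as fo:
            filedata = fo.read()
        cfg = report.misc.config
        for entry in subfiles:
            offset, size = entry["offset"], entry["size"]
            # Entries at offset 0 or with a missing/non-positive size are skipped;
            # offset > 0 also rules out negative (from-the-end) slices.
            if not (offset > 0 and size and size > 0):
                continue
            # The output name is derived from the entry's own sha256, so nothing
            # in the carved content can influence where the file is written.
            target = "%s/%s_%s" % (cfg.currreportpath, cfg.currreportfile,
                                   entry["hashes"]["sha256"])
            mimetype = entry["mimetype"]
            # Guard a missing/None mimetype like the other extract* plugins do:
            # `"text" in None` raises TypeError and would abort the whole loop.
            mode = "w" if mimetype and "text" in mimetype else "wb"
            fileutils.file_save(filename=target,
                                data=filedata[offset:offset + size],
                                mode=mode)
        return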


# Import-time side effect: register the subfile extractor with the plugin Manager.
Manager().register_plugin(extractsubfiles)
                normalizeddata = flowtab.get_html_string().replace(
                    "<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>",
                    ""
                ).replace("&lt;", "<").replace("&gt;", ">").replace(
                    "&amp;", "&"
                ).replace(
                    "</table>", "</table></div></div></div></div>"
                ).replace(
                    "<table>",
                    "<div class='panel panel-info'>\n<div class='panel-heading'><strong>Flow Stats</strong> <span class='badge'>%d</span></div>\n<div class='panel-body'>\n<div class='row'>\n<div class='col-md-12'>\n<table class='table table-condensed table-hover table-striped'>"
                    % (len(report.pcap.parsed.flows)), 1)
                htmldata += "%s\n" % (normalizeddata)

            htmldata += "%s" % (htmlends)

            thregex = re.compile(r"<tr>(\s+)<td>(.*)</td>")
            htmldata = thregex.sub(r"<tr>\1<th class='col-md-2'>\2</th>",
                                   htmldata)
            tdregex = re.compile(r"<td>(.*)</td>")
            normalizedhtmldata = tdregex.sub(
                r"<td class='highlight_def'>\1</td>", htmldata)

            fileutils.file_save(filename="%s/%s.html" %
                                (report.misc.config.currreportpath,
                                 report.misc.config.currreportfile),
                                data="%s" % (normalizedhtmldata),
                                mode="w")


# NOTE(review): as in pehtml, the flow-table HTML is un-escaped before it is
# written (.replace("&lt;", "<") ... .replace("&amp;", "&")). The rows are
# built from report.pcap.parsed.flows, i.e. presumably from the capture itself,
# so attacker-controlled traffic content could inject markup into the report
# page; the escaping should be kept for those cells.
Manager().register_plugin(pcaphtml)