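def directory_learn(args):
    """Learn every file under ``args.PATH`` (recursively) into the Malfunction database.

    The listing is extended in place as sub-directories are found, so the
    walk proceeds level by level. Symbolic links are skipped so a link cycle
    cannot make the walk run forever. Each regular file is either read as a
    pre-computed signature file (``args.sigsOnly``) or disassembled through
    ``malget``; a failure on one file is reported and the walk continues.

    Args:
        args: parsed command-line namespace. Reads ``PATH``, ``sigsOnly`` and
            ``unpack``; sets ``filenames`` to the current file's path before
            each ``mallearn`` call.

    Returns:
        None. Progress and per-file errors are printed to stdout.
    """
    directory_path = args.PATH
    if not directory_path.endswith("/"):
        directory_path += "/"
    # ``directory`` is deliberately extended while being iterated: the for
    # loop walks by index, so entries appended for a sub-directory are visited
    # after the current level.
    directory = os.listdir(directory_path)
    for file in directory:
        try:
            path = directory_path + file
            # Check links before directories so a link to a directory is
            # never descended into (avoids infinite loops on link cycles).
            if os.path.islink(path):
                continue
            if os.path.isdir(path):
                directory.extend(file + "/" + x for x in os.listdir(path))
                continue
            # Learn the sigs if path isn't to a folder or link.
            if args.sigsOnly is True:
                # ``with`` closes the handle even when reading raises.
                with open(path, "r") as f:
                    binary_hash = f.readline().strip()
                    hash_list = [x.strip() for x in f]
                check_format(binary_hash, hash_list)
            else:
                hash_tuple, sizes = malget.malget(path, args.unpack)
                binary_hash = hash_tuple[0]
                hash_list = [x.strip() for x in hash_tuple[1]]
            print("Adding {0} to database...".format(path))
            args.filenames = path
            filetype = get_filetype(path)
            mallearn(args, binary_hash, hash_list, filetype)
            print("-" * 30)
        except ValueError:
            print("That file cannot be disassembled")
            print("-" * 30)
            continue
        except Warning:
            print("That file is already in the database, use the -o flag to "
                  "overwrite")
            print("-" * 30)
            continue
        except Exception as err:
            # Best-effort: an unreadable sample must not abort the whole walk.
            print("There was an error reading that file, are you sure it "
                  "was an executable?\nError Information:")
            print('\t', type(err))
            print('\t', err)
            print("-" * 30)
            continue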
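def main():
    """Learn the given binary (or every file in a directory) into the database.

    Used when you already know whether a binary is good or bad (Notepad vs.
    a known malware sample).

    Usage:
        python3 mallearn malware.exe blacklist -a 'Bad Guy' -c 'Some malware'
        python3 mallearn notepad.exe whitelist -a 'Microsoft' -D 'test.db'

    Returns:
        True when the sample (or the whole directory) was handed to
        ``mallearn``; False when the single-file path could not be read,
        disassembled, or is already in the database.
    """
    args = argparse_setup()
    # A directory is learned file by file; per-file outcomes are printed there.
    if os.path.isdir(args.PATH):
        directory_learn(args)
        return True
    try:
        path = args.PATH
        # With sigsOnly the file must already follow the
        # "binary_hash on line one, one hash per following line" format.
        if args.sigsOnly is True:
            # ``with`` closes the handle even when reading raises.
            with open(path, "r") as f:
                binary_hash = f.readline().strip()
                hash_list = [x.strip() for x in f]
            check_format(binary_hash, hash_list)
        else:
            hash_tuple, sizes = malget.malget(path, args.unpack)
            binary_hash = hash_tuple[0]
            hash_list = [x.strip() for x in hash_tuple[1]]
        if args.filenames == 'unknown':
            args.filenames = path
        filetype = get_filetype(path)
        mallearn(args, binary_hash, hash_list, filetype)
        return True
    except ValueError:
        print("That file cannot be disassembled")
        return False
    except Warning:
        print("That file is already in the database, use the -o flag to "
              "overwrite")
        return False
    except Exception as err:
        print("There was an error reading that file, are you sure it "
              "was an executable?\nError Information:")
        print('\t', type(err))
        print('\t', err)
        return False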
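def main():
    """Run malfunction, a tool for software analysis.

    Usage:
        python3 malfunction.py <file>

    Returns:
        True when scoring completed (or a directory was processed); False
        when the path was rejected or the single file could not be analysed.
    """
    args = argparse_setup()
    # TODO: Make files with spaces compatible
    # NOTE(review): this restriction suggests the path ends up inside a shell
    # command string for radare2 (in malget, not visible here); confirm the
    # path is passed as an argument list so other shell metacharacters in a
    # sample's name cannot alter the command either.
    if " " in args.PATH:
        print("The radare2 commands we are using for disassembly do not "
              "play nice with spaces in the filename. Rename the file")
        return False
    cursor = prepare_database(args.leave_db_on_disk, args.database)
    path = args.PATH
    if os.path.isdir(path):
        directory_malfunction(args, cursor)
        return True
    try:
        hash_tuple, size_list = malget.malget(path, args.unpack)
        filetype = get_filetype(path)
        compute_score(cursor, hash_tuple, size_list, filetype,
                      args.add_strong_matches, args.all, args.debug)
    except ValueError:
        print("That file cannot be disassembled")
        return False
    except Warning:
        # Must precede ``except Exception``: Warning is an Exception subclass,
        # so the broader clause would otherwise swallow it.
        print("That file is already in the database.")
        return False
    except Exception as err:
        print("There was an error reading that file, are you sure it "
              "was an executable?\nError Information:")
        print('\t', type(err))
        print('\t', err)
        return False
    return True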
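def directory_malfunction(args, cursor):
    """Run malfunction on a folder and every file within it (recursively).

    The listing is extended in place as sub-directories are found; symbolic
    links are skipped so a link cycle cannot loop forever. Each file is
    disassembled through ``malget`` and scored with ``compute_score``; a
    failure on one file is reported and the walk continues.

    Args:
        args: parsed command-line namespace. Reads ``PATH``, ``unpack``,
            ``add_strong_matches``, ``all`` and ``debug``.
        cursor: database cursor handed through to ``compute_score``.

    Returns:
        None. Scores and per-file errors are printed to stdout.
    """
    base = args.PATH
    if not base.endswith("/"):
        base += "/"
    # ``directory`` is deliberately extended while being iterated: the for
    # loop walks by index, so sub-directory entries are visited later.
    directory = os.listdir(base)
    for file in directory:
        try:
            path = base + file
            # Links are checked before directories so a link to a directory
            # is never descended into.
            if os.path.islink(path):
                continue
            if os.path.isdir(path):
                directory.extend(file + "/" + x for x in os.listdir(path))
                continue
            hash_tuple, size_list = malget.malget(path, args.unpack)
            filetype = get_filetype(path)
            compute_score(cursor, hash_tuple, size_list, filetype,
                          args.add_strong_matches, args.all, args.debug)
            print("-" * 30)
        except ValueError:
            print("That file cannot be disassembled")
            print("-" * 30)
            continue
        except Warning:
            # Must precede ``except Exception``: Warning is an Exception
            # subclass, so the broader clause would otherwise swallow it.
            print("That file is already in the database.")
            print("-" * 30)
            continue
        except Exception as err:
            # Best-effort: an unreadable sample must not abort the whole walk.
            print("There was an error reading that file, are you sure it "
                  "was an executable?\nError Information:")
            print('\t', type(err))
            print('\t', err)
            print("-" * 30)
            continue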
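def directory_malfunction(args, cursor):
    """Run malfunction on a folder and every file within it (recursively).

    The listing is extended in place as sub-directories are found; symbolic
    links are skipped so a link cycle cannot loop forever. Each file is
    disassembled through ``malget`` and scored with ``compute_score``; a
    failure on one file is reported and the walk continues.

    Args:
        args: parsed command-line namespace. Reads ``PATH``, ``unpack``,
            ``add_strong_matches``, ``all`` and ``debug``.
        cursor: database cursor handed through to ``compute_score``.

    Returns:
        None. Scores and per-file errors are printed to stdout.
    """
    base = args.PATH
    if not base.endswith("/"):
        base += "/"
    # ``directory`` is deliberately extended while being iterated: the for
    # loop walks by index, so sub-directory entries are visited later.
    directory = os.listdir(base)
    for file in directory:
        try:
            path = base + file
            # Links are checked before directories so a link to a directory
            # is never descended into.
            if os.path.islink(path):
                continue
            if os.path.isdir(path):
                directory.extend(file + "/" + x for x in os.listdir(path))
                continue
            hash_tuple, size_list = malget.malget(path, args.unpack)
            filetype = get_filetype(path)
            compute_score(cursor, hash_tuple, size_list, filetype,
                          args.add_strong_matches, args.all, args.debug)
            print("-" * 30)
        except ValueError:
            print("That file cannot be disassembled")
            print("-" * 30)
            continue
        except Warning:
            # Must precede ``except Exception``: Warning is an Exception
            # subclass, so the broader clause would otherwise swallow it.
            print("That file is already in the database.")
            print("-" * 30)
            continue
        except Exception as err:
            # Best-effort: an unreadable sample must not abort the whole walk.
            print("There was an error reading that file, are you sure it "
                  "was an executable?\nError Information:")
            print('\t', type(err))
            print('\t', err)
            print("-" * 30)
            continue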