def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict:
if target_file.get_extension() in ["", ".sh", ".py", ".rb", ".java", ".class",
".pl", ".exe", ".out", ".ps", ".bat", ".air",
".scr", ".vb", ".com", ".dll", ".bin", ".apk",
".app", ".cgi", ".cmd", ".wsf", ".ipa", ".pif",
".gadget", ".docm", ".dotm", ".xlsm", ".xltm",
".pptm", "potm"]:
return {"skipped:", "extension not interesting to analyse"}
if self.get_params() is None or APIKEY not in self.get_params():
return {"error": APIKEY + " is required"}
virus_total_report = virustotalapi.check_hash(self.get_params()[APIKEY],
virustotalapi.get_MD5_hash(target_file.get_binary()))
if "error" in virus_total_report:
return virus_total_report
result = {'positives': 0}
if virus_total_report['response_code'] == 1:
result['positives'] = virus_total_report['positives']
result['total'] = virus_total_report['total']
avDetections = {}
for av_name, av_data in virus_total_report['scans'].items():
if av_data['result'] is None:
avDetections[av_name] = "None"
else:
avDetections[av_name] = av_data['result']
result['avDetections'] = avDetections
return result
def test_info(self):
path = "./tests/examples/importantinfo.txt"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(
target_file, {
"strings": {
"elements":
auxiliar.get_str_utf_8_from_bytes(target_file.get_binary())
}
})
self.assertEqual(
result["emails"],
['*****@*****.**', '*****@*****.**', '*****@*****.**'])
self.assertEqual(result["IBANs"], [
'ES12 3456 7890 1234 5678 9012', 'ES1234567890123456789012',
'ES12-3456-7890-1234-5678-9011'
])
self.assertEqual(result["URLs"], [
'http://google.es', 'http://facebook.com', 'ftp://localhost:2222',
'mysql://host:puerto/database', 'http://iamgenmolona.com'
])
self.assertEqual(result["Bitcoin"],
['3KVkBhzGfAH4s4tGZA9yfbUJwhcwHBkdKC'])
def test_string_ignore_extensions(self):
path = "./tests/examples/barcode.gif"
target_file = TargetFile(path)
module = Constructor()
module.set_params({"char_min": 5, "ignore_extensions": ".txt,.gif"})
self.assertFalse(module.is_valid_for(target_file))
path = "./tests/examples/wordlist.txt"
target_file = TargetFile(path)
self.assertFalse(module.is_valid_for(target_file))
def _run(self, target_file: TargetFile, pwd_list: list):
result = {}
result["new_files"] = []
result["new_path_files"] = []
binary = None
decripted_password = None
with ZipFile(target_file.get_path(), 'r') as zip:
for info in zip.infolist():
if info.filename[-1] == '/':
#it is a dir, so ignore, then we create the dirs
continue
try:
with zip.open(info.filename, 'r') as file:
binary = file.read()
except:
pass
if not binary:
"probamos con contraseña"
for pwd in pwd_list:
try:
binary = self._decrypt_with_password(
info.filename, pwd)
if binary:
decripted_password = pwd
break
except:
pass
if not binary:
"probamos con contraseña y algoritmo de cifrado AES"
for pwd in pwd_list:
try:
binary = self._decrypt_AES_WithPassword(
target_file, info.filename, pwd)
if binary:
decripted_password = pwd
break
except:
pass
if binary:
path_saved = Safe.create_file(
os.path.join(
"./zipextractor", "./" + os.path.join(
target_file.get_path(), info.filename)),
binary)
result["new_files"].append(info.filename)
result["new_path_files"].append(path_saved)
if decripted_password:
result["password"] = decripted_password.decode()
else:
result[
"error"] = "Bad password or wrong decrypted algorithm"
return result
def test_load_from_path(self):
collie_path = "./tests/examples/collie.jpg"
target_file = TargetFile(collie_path)
self.assertEqual(target_file.get_extension(), ".jpg")
self.assertTrue("JPEG" in target_file.get_type())
self.assertEqual(target_file.get_name(), "collie.jpg")
self.assertEqual(len(target_file.get_binary()), 19863)
self.assertEqual(target_file.get_path(), collie_path)
self.assertEqual(target_file.get_directory(), "./tests/examples")
self.assertEqual(target_file.get_info()["extension"],
target_file.get_extension())
def run(self, target_file: TargetFile,
result_of_previos_modules: dict) -> dict:
fullmft = self.parse_mft(target_file.get_path())
mft_objects = []
for key, value, in fullmft.items():
info = self._get_interesing_info(value)
if info is not None:
info["path"] = target_file.get_path()
mft_objects.append(info)
piped = utils.pipe_to_another_output(self._params, mft_objects)
return {
"n_mft_objects": len(mft_objects)
} if piped else {
"mft": mft_objects
}
def test_collie(self):
path = "./tests/examples/collie.jpg"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertEqual(result["shannon"], 7.959996962590177)
def test_gun(self):
path = "./tests/examples/gun.jpg"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertEqual(result["shannon"], 7.779575538213808)
def test_parser_mft(self):
path = "./tests/examples/MFT"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertEqual(len(result["mft"]), 13068)
def test_without_apikey(self):
path = "./tests/examples/collie.jpg"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertEqual(result["error"], "apikey is required")
def test_read_evtx2(self):
path = "./tests/examples/evtx/System.evtx"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertTrue(len(result["events"]) != 0)
def run(self, target_file: TargetFile,
result_of_previos_modules: dict) -> dict:
return {
"content":
self._extract_text(target_file.get_path(),
self._get_server_param())
}
def test_unzip_with_password(self):
output_safe_directory = "./tests/examples/safe_directory"
Safe.safe_output_path = os.path.abspath(output_safe_directory)
final_file = os.path.abspath("./tests/examples/safe_directory/") + \
"/zipextractor/" + \
os.path.abspath("./tests/examples/Surprise2.txt.zip/Surprise2.txt").replace(":", "")
final_file = os.path.abspath(final_file)
if os.path.exists(final_file):
os.remove(final_file)
self._remove_test_folders(os.path.abspath(output_safe_directory))
self.assertFalse(os.path.exists(final_file))
path = "./tests/examples/Surprise2.txt.zip"
target_file = TargetFile(os.path.abspath(path))
module = Constructor()
params = {"pwd_dict": "./tests/examples/wordlist.txt"}
module.set_params(params)
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertTrue("Surprise2.txt" in result["new_files"])
self.assertTrue(final_file in result["new_path_files"])
self.assertEqual(result["password"], "surprise")
self.assertTrue(os.path.exists(final_file))
os.remove(final_file)
self._remove_test_folders(os.path.abspath(output_safe_directory))
def test_QR(self):
qr_path = "./tests/examples/qrhola.png"
target_file = TargetFile(qr_path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertEqual(result['values'][0], "HOLA")
def test_BC(self):
bc_path = "./tests/examples/barcode.gif"
target_file = TargetFile(bc_path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertEqual(result['values'][0], "1234-1234-1234")
def test_collie(self):
path = "./tests/examples/collie.jpg"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertTrue("collie" in result["prediction_names"])
def test_SAM(self):
path = "./tests/examples/winregistry/SAM"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertEqual(len(result["SAM"]["users"]), 3)
self.assertEqual(result["SAM"]["users"][0], "Administrator")
def test_pst(self):
path = "./tests/examples/emails.pst"
target_file = TargetFile(os.path.abspath(path))
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertTrue('messages' in result)
self.assertEqual(len(result["messages"]), 532)
def test_NTUSER(self):
path = "./tests/examples/winregistry/NTUSER.dat"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertEqual(result["NTUSER"]["persistence"][0],
"C:\\WINDOWS\\system32\\ctfmon.exe")
def test_default_der(self):
path = "./tests/examples/GeoTrust Global CA.cer"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertTrue("GeoTrust Global CA" in result["issuer"])
self.assertTrue("GeoTrust Global CA" in result["subject"])
def test_ignore_max_size(self):
path = "./tests/examples/collie.jpg"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
module.set_params({"ignore_greater_or_equal_than": 19863})
with pytest.raises(IgnoreAnalysisException):
module.run(target_file, {'hashes': self._get_collie_hashes()})
def test_default_pem(self):
path = "./tests/examples/cert.pem"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertTrue("Santiago de Compostela" in result["issuer"])
self.assertTrue("Santiago de Compostela" in result["subject"])
def test_with_invalid_apikey(self):
path = "./tests/examples/collie.jpg"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
module.set_params(params)
result = module.run(target_file, {})
self.assertEqual(result["error"], "Invalid API KEY")
def test_ignore_path2(self):
path = "tests/examples/collie.jpg"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
module.set_params(
{"file_ignore_path": "./tests/examples/ignoredpaths.txt"})
with pytest.raises(IgnoreAnalysisException):
module.run(target_file, {'hashes': self._get_collie_hashes()})
def run(self, target_file: TargetFile, result_of_previos_modules: dict) -> dict:
decoded_list = decode(Image.open(target_file.get_path()))
i = 0
result = {}
if len(decoded_list) >0:
result["values"] = []
for dec in decoded_list:
result["values"].append(dec.data.decode("utf-8"))
return result
def _decrypt_AES_WithPassword(self, target_file: TargetFile, file_name,
pwd):
try:
with AESZipFile(target_file.get_path(), 'r') as zf:
zf.pwd = pwd
binary = zf.read(file_name)
return binary
except:
return None
def test_with_not_info(self):
path = "./tests/examples/Prueba.c"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertTrue("emails" not in result)
self.assertTrue("URLs" not in result)
self.assertTrue("IBANs" not in result)
def test_error_password(self):
params = {"pwd_dict": "./tests/examples/Prueba.c"}
path = "./tests/examples/Surprise2.txt.zip"
target_file = TargetFile(os.path.abspath(path))
module = Constructor()
module.set_params(params)
self.assertTrue(module.is_valid_for(target_file))
result = module.run(target_file, {})
self.assertEqual("Bad password or wrong decrypted algorithm", result["error"])
def test_string_more_than_5_characters(self):
path = "./tests/examples/barcode.gif"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
module.set_params({"char_min": 5})
result = module.run(target_file, {})
self.assertTrue(len(result["elements"]) >= 10)
self.assertTrue(result["n_elements"] >= 10)
def test_string_more_than_9_characters(self):
path = "./tests/examples/collie.jpg.zip"
target_file = TargetFile(path)
module = Constructor()
self.assertTrue(module.is_valid_for(target_file))
module.set_params({"char_min": 9})
result = module.run(target_file, {})
self.assertEqual(result["elements"][0], "collie.jpg")
self.assertTrue(result["n_elements"] >= 4)