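def run_archive_viewer(self, obj):
    """
    Get data using the archive viewer.

    Walk the PyInstaller CArchive table of contents (TOC) of the sample and,
    for every script entry (TOC type ``'s'``) whose name is not one of the
    PyInstaller bootstrap modules listed in ``safe``, carve the block out,
    hash it, defang ``http`` -> ``hxxp`` and store it as a RawData object
    related to ``obj`` with CONTAINED_WITHIN.  One "Info" result row is
    added per TOC entry whether or not a block was carved; the row's
    ``RawData`` cell holds a link to the stored object when one was made.

    :param obj: the top-level object (the Sample) under analysis; its
                ``source`` is reused for the RawData object and the
                relationship is attached to it.
    """
    safe = [
        'pyi_carchive',
        'pyi_rth_win32comgenpy',
        '_pyi_bootstrap',
        '_pyi_egg_install.py',
    ]
    data_type = "Python"
    tool_name = "pyinstaller_service"
    user = self.current_task.user

    def block_bytes(name, arch):
        """Return the carved block for TOC entry *name* as bytes, or None."""
        # ``get_data`` may hand back a byte string or a text string; both are
        # accepted.  The former encode('utf-8' / 'utf-16' / 'utf-32' /
        # 'latin-1') fallback chain could never help here: on Python 2,
        # calling .encode() on a *byte* string first decodes it as ASCII, so
        # every branch raised the same UnicodeDecodeError for any block
        # containing high bytes and that block was silently dropped.
        try:
            raw = self.get_data(name, arch)
        except Exception as exc:
            self._info("%s: unable to extract block: %s" % (name, exc))
            return None
        if isinstance(raw, bytes):
            return raw
        return raw.encode('utf-8', 'ignore')

    # NOTE (original author): "This doesn't work. Everything is showing as
    # an invalid CArchive file."
    with self._write_to_file() as tmp_file:
        try:
            arch = get_archive(tmp_file)
            # ``toc`` is either a plain dict or an object whose ``data``
            # attribute carries the entries; accept both shapes.
            # NOTE(review): when ``toc`` is a dict this iterates its keys;
            # confirm the entries are indexable TOC tuples in that case.
            toc = arch.toc if isinstance(arch.toc, dict) else arch.toc.data
            for t in toc:
                name = t[5]
                d = {
                    'Position': t[0],
                    'Length': t[1],
                    'Uncompressed': t[2],
                    'IsCompressed': t[3],
                    'Type': t[4],
                    'RawData': "",
                }
                if t[4] == 's' and name not in safe:
                    block = block_bytes(name, arch)
                    if block is not None:
                        # Hash the block as carved, before defanging, so the
                        # digests in the description identify the original
                        # bytes rather than the modified copy that is stored.
                        bmd5 = md5(block).hexdigest()
                        bsha1 = sha1(block).hexdigest()
                        bsha256 = sha256(block).hexdigest()
                        block = block.replace(b'http', b'hxxp')
                        description = '"%s" pulled from Sample\n\n' % name
                        description += 'MD5: %s\n' % bmd5
                        description += 'SHA1: %s\n' % bsha1
                        description += 'SHA256: %s\n' % bsha256
                        result = handle_raw_data_file(
                            block,
                            obj.source,
                            user=user,
                            description=description,
                            title=name,
                            data_type=data_type,
                            tool_name=tool_name,
                        )
                        if result['success']:
                            self._info("RawData added for %s" % name)
                            res = obj.add_relationship(
                                rel_item=result['object'],
                                rel_type=RelationshipTypes.CONTAINED_WITHIN,
                                rel_confidence="high",
                                analyst=user)
                            if res['success']:
                                obj.save(username=user.username)
                                result['object'].save(username=user.username)
                                # Only the reverse()d path is interpolated
                                # into the anchor.  ``name`` comes from the
                                # sample's own TOC (attacker-controlled) and
                                # must not be formatted into HTML here.
                                url = reverse('crits-core-views.details',
                                              args=('RawData', result['_id']))
                                d['RawData'] = '<a href="%s">View Raw Data</a>' % url
                                self._info("Relationship added for %s" % name)
                            else:
                                self._info(
                                    "Error adding relationship: %s" % res['message'])
                        else:
                            self._info(
                                "RawData addition failed for %s:%s"
                                % (name, result['message']))
                self._add_result("Info", name, d)
        except Exception as e:
            # Best-effort service: report and stop rather than fail the task.
            self._info("Error: %s" % str(e))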
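def run_archive_viewer(self, obj):
    """
    Get data using the archive viewer.

    Iterate the PyInstaller CArchive table of contents (TOC) of the sample.
    Every script entry (TOC type ``'s'``) not named in ``safe`` (PyInstaller
    bootstrap modules) is carved, hashed, defanged (``http`` -> ``hxxp``)
    and saved as a RawData object related to ``obj`` via CONTAINED_WITHIN.
    An "Info" result row is recorded for every TOC entry; its ``RawData``
    cell links to the stored object when one was created.

    :param obj: the top-level object (the Sample) being analysed; its
                ``source`` is reused for the RawData object and the
                relationship is added to it.
    """
    safe = [
        'pyi_carchive',
        'pyi_rth_win32comgenpy',
        '_pyi_bootstrap',
        '_pyi_egg_install.py',
    ]
    user = self.current_task.user

    # NOTE (original author): "This doesn't work. Everything is showing as
    # an invalid CArchive file."
    with self._write_to_file() as tmp_file:
        try:
            arch = get_archive(tmp_file)
            # Accept both TOC shapes: a plain dict, or an object holding the
            # entries in ``.data``.
            # NOTE(review): iterating a dict yields its keys; confirm that the
            # entries are indexable TOC tuples in that case.
            if isinstance(arch.toc, dict):
                toc = arch.toc
            else:
                toc = arch.toc.data
            for t in toc:
                name = t[5]
                d = {
                    'Position': t[0],
                    'Length': t[1],
                    'Uncompressed': t[2],
                    'IsCompressed': t[3],
                    'Type': t[4],
                    'RawData': "",
                }
                if t[4] != 's' or name in safe:
                    self._add_result("Info", name, d)
                    continue

                # Obtain the block as bytes.  ``get_data`` may return a byte
                # string or a text string.  The old encode('utf-8'/'utf-16'/
                # 'utf-32'/'latin-1') fallback chain was ineffective: on
                # Python 2, .encode() on a byte string first decodes it as
                # ASCII, so every branch failed identically on blocks with
                # high bytes and those blocks were silently dropped.
                block = None
                try:
                    raw = self.get_data(name, arch)
                except Exception as exc:
                    self._info("%s: unable to extract block: %s" % (name, exc))
                else:
                    block = raw if isinstance(raw, bytes) else raw.encode('utf-8', 'ignore')

                if block is not None:
                    # Digests are computed on the carved bytes before the
                    # defang step, so they describe the original content,
                    # not the modified copy that gets stored.
                    bmd5 = md5(block).hexdigest()
                    bsha1 = sha1(block).hexdigest()
                    bsha256 = sha256(block).hexdigest()
                    block = block.replace(b'http', b'hxxp')
                    description = '"%s" pulled from Sample\n\n' % name
                    description += 'MD5: %s\n' % bmd5
                    description += 'SHA1: %s\n' % bsha1
                    description += 'SHA256: %s\n' % bsha256
                    result = handle_raw_data_file(
                        block,
                        obj.source,
                        user=user,
                        description=description,
                        title=name,
                        data_type="Python",
                        tool_name="pyinstaller_service",
                    )
                    if result['success']:
                        self._info("RawData added for %s" % name)
                        res = obj.add_relationship(
                            rel_item=result['object'],
                            rel_type=RelationshipTypes.CONTAINED_WITHIN,
                            rel_confidence="high",
                            analyst=user,
                        )
                        if res['success']:
                            obj.save(username=user.username)
                            result['object'].save(username=user.username)
                            # Only the reverse()d path goes into the anchor;
                            # ``name`` is taken from the sample's TOC and is
                            # attacker-controlled, so keep it out of HTML
                            # built by string formatting.
                            url = reverse('crits-core-views.details',
                                          args=('RawData', result['_id']))
                            d['RawData'] = '<a href="%s">View Raw Data</a>' % url
                            self._info("Relationship added for %s" % name)
                        else:
                            self._info("Error adding relationship: %s" % res['message'])
                    else:
                        self._info(
                            "RawData addition failed for %s:%s"
                            % (name, result['message'])
                        )
                self._add_result("Info", name, d)
        except Exception as e:
            # Best-effort service: log the failure instead of aborting the task.
            self._info("Error: %s" % str(e))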
try: # Get screen size (linux/osx/stdout redirect) to determine if we should page results. rows = subprocess.Popen(['stty', 'size'], stdout=subprocess.PIPE).communicate()[0].split()[0] except: # If we're unable to get screen size (windows), set it ourselves: rows = 80 return(rows) if __name__ == '__main__': try: filename = sys.argv[1] except: print('Usage: %s [filename]' % __file__) sys.exit() try: fh = archive_viewer.get_archive(filename) except Exception as err: try: manual_warn = ('# Looks like the package has been manipulated. Manually carved - maybe incomplete.') manual_bin = open(filename, 'rb').read() data = patch_zlib(manual_bin) if data: rating = malicious_check(data) data = ('{}\n# Script: {} ({})\n'.format( manual_warn, 'UNKNOWN_NAME', rating) + '\n'.join(['\t' + indent for indent in data.split('\n')])) rows = screen_size() if len(data.split('\n')) > int(rows): pager(data) sys.exit() print(data)