def test_namespace_count(self): h = HashList() h.append(EMPTY_MD5) h.append(EMPTY_SHA1) h.append(EMPTY_SHA224) h.append(EMPTY_SHA256) h.append(EMPTY_SHA384) h.append(EMPTY_SHA512) logger.info(h.to_xml()) ns_list = cybox.test.round_trip(h, list_=True)._get_namespaces() logger.info(ns_list) # Only "common" and "vocabs" should be here. "xsi" is only added later self.assertEqual(2, len(ns_list))
def from_obj(file_obj, file_class=None): if not file_obj: return None if not file_class: file_ = File() else: file_ = file_class ObjectProperties.from_obj(file_obj, file_) file_.is_packed = file_obj.get_is_packed() file_.file_name = String.from_obj(file_obj.get_File_Name()) file_.file_path = FilePath.from_obj(file_obj.get_File_Path()) file_.device_path = String.from_obj(file_obj.get_Device_Path()) file_.full_path = String.from_obj(file_obj.get_Full_Path()) file_.file_extension = String.from_obj(file_obj.get_File_Extension()) file_.size_in_bytes = UnsignedLong.from_obj(file_obj.get_Size_In_Bytes()) file_.magic_number = HexBinary.from_obj(file_obj.get_Magic_Number()) file_.file_format = String.from_obj(file_obj.get_File_Format()) file_.hashes = HashList.from_obj(file_obj.get_Hashes()) file_.extracted_features = ExtractedFeatures.from_obj(file_obj.get_Extracted_Features()) #TODO: why are there two Strings and one DateTime here? file_.modified_time = String.from_obj(file_obj.get_Modified_Time()) file_.accessed_time = String.from_obj(file_obj.get_Accessed_Time()) file_.created_time = DateTime.from_obj(file_obj.get_Created_Time()) return file_
def from_dict(file_dict, file_class=None): if not file_dict: return None if not file_class: file_ = File() else: file_ = file_class ObjectProperties.from_dict(file_dict, file_) file_.is_packed = file_dict.get('is_packed') file_.file_name = String.from_dict(file_dict.get('file_name')) file_.file_path = FilePath.from_dict(file_dict.get('file_path')) file_.device_path = String.from_dict(file_dict.get('device_path')) file_.full_path = String.from_dict(file_dict.get('full_path')) file_.file_extension = String.from_dict(file_dict.get('file_extension')) file_.size_in_bytes = UnsignedLong.from_dict(file_dict.get('size_in_bytes')) file_.magic_number = HexBinary.from_dict(file_dict.get('magic_number')) file_.file_format = String.from_dict(file_dict.get('file_format')) file_.hashes = HashList.from_list(file_dict.get('hashes')) file_.extracted_features = ExtractedFeatures.from_dict(file_dict.get('extracted_features')) file_.modified_time = String.from_dict(file_dict.get('modified_time')) file_.accessed_time = String.from_dict(file_dict.get('accessed_time')) file_.created_time = DateTime.from_dict(file_dict.get('created_time')) return file_
def from_dict(toolinfo_dict, tool_class=None): if not toolinfo_dict: return None if not tool_class: toolinfo = ToolInformation() else: toolinfo = tool_class toolinfo.id_ = toolinfo_dict.get('id') toolinfo.idref = toolinfo_dict.get('idref') toolinfo.name = toolinfo_dict.get('name') toolinfo.type_ = [ ToolType.from_dict(x) for x in toolinfo_dict.get('type', []) ] toolinfo.description = StructuredText.from_dict( toolinfo_dict.get('description')) toolinfo.vendor = toolinfo_dict.get('vendor') toolinfo.version = toolinfo_dict.get('version') toolinfo.service_pack = toolinfo_dict.get('service_pack') toolinfo.tool_hashes = HashList.from_list( toolinfo_dict.get('tool_hashes')) return toolinfo
def test_hash_lookup(self): h = HashList() self.assertEqual(None, h.md5) self.assertEqual(None, h.sha1) self.assertEqual(None, h.sha224) self.assertEqual(None, h.sha256) self.assertEqual(None, h.sha384) self.assertEqual(None, h.sha512)
def test_hashlist_set_get(self): md5_hash = "25BA4574F3090456C1AAE37F4D2D59B8" sha256_hash = "B64C18B336A8319EFAC43FE5E6DB78B0969E696C1C149BA56CFD69CE72F1898F" sha512_hash = "2A3459EE6C2FC3D7533F2D1AF6963A21337552D4ACD52D76A09B53BF36A27C3C357F1B41952582CFD0EDC7F8AEFC6DC939C38DF4CCED0F57320AB3480EC042D9" ssdeep_hash = "3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C" h = HashList() h.ssdeep = ssdeep_hash h.md5 = md5_hash h.sha256 = sha256_hash h.sha512 = sha512_hash self.assertEqual(h.md5, md5_hash) self.assertEqual(h.sha256, sha256_hash) self.assertEqual(h.sha512, sha512_hash) self.assertEqual(h.ssdeep, ssdeep_hash)
def dict_from_object(cls, byterun_obj): """Parse and return a dictionary for a ByteRun object""" byterun_dict = {} if byterun_obj.get_Offset() is not None: byterun_dict['offset'] = Base_Object_Attribute.dict_from_object(byterun_obj.get_Offset()) if byterun_obj.get_File_System_Offset() is not None: byterun_dict['file_system_offset'] = Base_Object_Attribute.dict_from_object(byterun_obj.get_File_System_Offset()) if byterun_obj.get_Image_Offset() is not None: byterun_dict['image_offset'] = Base_Object_Attribute.dict_from_object(byterun_obj.get_Image_Offset()) if byterun_obj.get_Length() is not None: byterun_dict['length'] = Base_Object_Attribute.dict_from_object(byterun_obj.get_Length()) if byterun_obj.get_Hashes() is not None: byterun_dict['hashes'] = HashList.dict_from_object(byterun_obj.get_Hashes()) if byterun_obj.get_Byte_Run_Data() is not None: byterun_dict['byte_run_data'] = {'value' : byterun_obj.get_Byte_Run_Data()} return byterun_dict
def dict_from_object(cls, defined_object): """Parse and return a dictionary for a Memory Object object""" defined_object_dict = {} if defined_object.get_is_injected() is not None: defined_object_dict['is_injected'] = {'value' : defined_object.get_is_injected()} if defined_object.get_is_mapped() is not None: defined_object_dict['is_mapped'] = {'value' : defined_object.get_is_mapped()} if defined_object.get_is_protected() is not None: defined_object_dict['is_protected'] = {'value' : defined_object.get_is_protected()} if defined_object.get_Hashes() is not None: defined_object_dict['hashes'] = HashList.dict_from_object(defined_object.get_Hashes()) if defined_object.get_Name() is not None: defined_object_dict['name'] = Base_Object_Attribute.dict_from_object(defined_object.get_Name()) if defined_object.get_Region_Size() is not None: defined_object_dict['region_size'] = Base_Object_Attribute.dict_from_object(defined_object.get_Region_Size()) if defined_object.get_Region_Start_Address() is not None: defined_object_dict['region_start_address'] = Base_Object_Attribute.dict_from_object(defined_object.get_Region_Start_Address()) return defined_object_dict
def from_obj(extracted_string_obj): if not extracted_string_obj: return None extracted_string_ = ExtractedString() extracted_string_.encoding = VocabString.from_obj(extracted_string_obj.get_Encoding()) extracted_string_.string_value = String.from_obj(extracted_string_obj.get_String_Value()) extracted_string_.byte_string_value = HexBinary.from_obj(extracted_string_obj.get_Byte_String_Value()) extracted_string_.hashes = HashList.from_obj(extracted_string_obj.get_Hashes()) extracted_string_.address = HexBinary.from_obj(extracted_string_obj.get_Address()) extracted_string_.length = PositiveInteger.from_obj(extracted_string_obj.get_Length()) extracted_string_.language = String.from_obj(extracted_string_obj.get_Language()) extracted_string_.english_translation = String.from_obj(extracted_string_obj.get_English_Translation()) return extracted_string_
def from_dict(extracted_string_dict): if not extracted_string_dict: return None extracted_string_ = ExtractedString() extracted_string_.encoding = VocabString.from_dict(extracted_string_dict.get('encoding')) extracted_string_.string_value = String.from_dict(extracted_string_dict.get('string_value')) extracted_string_.byte_string_value = HexBinary.from_dict(extracted_string_dict.get('byte_string_value')) extracted_string_.hashes = HashList.from_list(extracted_string_dict.get('hashes')) extracted_string_.address = HexBinary.from_dict(extracted_string_dict.get('address')) extracted_string_.length = PositiveInteger.from_dict(extracted_string_dict.get('length')) extracted_string_.language = String.from_dict(extracted_string_dict.get('language')) extracted_string_.english_translation = String.from_dict(extracted_string_dict.get('english_translation')) return extracted_string_
def from_dict(memory_dict): if not memory_dict: return None memory_ = Memory() memory_.is_injected = memory_dict.get('is_injected') memory_.is_mapped = memory_dict.get('is_mapped') memory_.is_protected = memory_dict.get('is_protected') memory_.hashes = HashList.from_list(memory_dict.get('hashes')) memory_.name = String.from_dict(memory_dict.get('name')) memory_.region_size = UnsignedLong.from_dict(memory_dict.get('region_size')) memory_.region_start_address = HexBinary.from_dict(memory_dict.get('region_start_address')) memory_.extracted_features = None return memory_
def from_obj(memory_obj): if not memory_obj: return None memory_ = Memory() memory_.is_injected = memory_obj.get_is_injected() memory_.is_mapped = memory_obj.get_is_mapped() memory_.is_protected = memory_obj.get_is_protected() memory_.hashes = HashList.from_obj(memory_obj.get_Hashes()) memory_.name = String.from_obj(memory_obj.get_Name()) memory_.region_size = UnsignedLong.from_obj(memory_obj.get_Region_Size()) memory_.region_start_address = HexBinary.from_obj(memory_obj.get_Region_Start_Address()) memory_.extracted_features = None return memory_
def object_from_dict(cls, byterun_dict): """Create the ByteRun object representation from an input dictionary""" byterun_obj = common_types_binding.ByteRunType() for key, value in byterun_dict.items(): if key == 'offset' : byterun_obj.set_Offset(Base_Object_Attribute.object_from_dict(common_types_binding.IntegerObjectAttributeType(datatype='Integer'),value)) elif key == 'file_system_offset' : byterun_obj.set_File_System_Offset(Base_Object_Attribute.object_from_dict(common_types_binding.IntegerObjectAttributeType(datatype='Integer'),value)) elif key == 'image_offset' : byterun_obj.set_Image_Offset(Base_Object_Attribute.object_from_dict(common_types_binding.IntegerObjectAttributeType(datatype='Integer'),value)) elif key == 'length' : byterun_obj.set_Offset(Base_Object_Attribute.object_from_dict(common_types_binding.IntegerObjectAttributeType(datatype='Integer'),value)) elif key == 'hashes' : byterun_obj.set_Hashes(HashList.object_from_dict(value)) elif key == 'byte_run_data': byterun_obj.set_Byte_Run_Data(value) return byterun_obj
def object_from_dict(cls, memory_attributes): """Create the Memory Object object representation from an input dictionary""" mem_object = memory_binding.MemoryObjectType() mem_object.set_anyAttributes_({'xsi:type' : 'MemoryObj:MemoryObjectType'}) for key,value in memory_attributes.items(): if key == 'is_injected' and utils.test_value(value): mem_object.set_is_injected(value.get('value')) elif key == 'is_mapped' and utils.test_value(value): mem_object.set_is_mapped(value.get('value')) elif key == 'is_protected' and utils.test_value(value): mem_object.set_is_injected(value.get('value')) elif key == 'region_start_address' and utils.test_value(value): mem_object.set_Region_Start_Address(Base_Object_Attribute.object_from_dict(common_types_binding.HexBinaryObjectAttributeType(datatype='hexBinary'),value)) elif key == 'region_size' and utils.test_value(value): mem_object.set_Region_Size(Base_Object_Attribute.object_from_dict(common_types_binding.UnsignedLongObjectAttributeType(datatype='UnsignedLong'),value)) elif key == 'name' and utils.test_value(value): mem_object.set_Name(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value)) elif key == 'hashes': mem_object.set_Hashes(HashList.object_from_dict(value)) return mem_object
def from_obj(file_obj): if not file_obj: return None file_ = File() file_.is_packed = file_obj.get_is_packed() file_.file_name = String.from_obj(file_obj.get_File_Name()) file_.file_path = FilePath.from_obj(file_obj.get_File_Path()) file_.device_path = String.from_obj(file_obj.get_Device_Path()) file_.full_path = String.from_obj(file_obj.get_Full_Path()) file_.file_extension = String.from_obj(file_obj.get_File_Extension()) file_.size_in_bytes = UnsignedLong.from_obj(file_obj.get_Size_In_Bytes()) file_.magic_number = HexBinary.from_obj(file_obj.get_Magic_Number()) file_.file_format = String.from_obj(file_obj.get_File_Format()) file_.hashes = HashList.from_obj(file_obj.get_Hashes()) return file_
def from_dict(file_dict): if not file_dict: return None file_ = File() file_.is_packed = file_dict.get('is_packed') file_.file_name = String.from_dict(file_dict.get('file_name')) file_.file_path = FilePath.from_dict(file_dict.get('file_path')) file_.device_path = String.from_dict(file_dict.get('device_path')) file_.full_path = String.from_dict(file_dict.get('full_path')) file_.file_extension = String.from_dict(file_dict.get('file_extension')) file_.size_in_bytes = UnsignedLong.from_dict(file_dict.get('size_in_bytes')) file_.magic_number = HexBinary.from_dict(file_dict.get('magic_number')) file_.file_format = String.from_dict(file_dict.get('file_format')) file_.hashes = HashList.from_dict(file_dict.get('hashes')) return file_
def object_from_dict(cls, tool_information_dict): """Create the ToolInformation object representation from an input dictionary""" tool_information_obj = common_types_binding.ToolInformationType() for key, value in tool_information_dict.items(): if key == 'id' and utils.test_value(value) : tool_information_obj.set_id(value) elif key == 'idref' and utils.test_value(value) : tool_information_obj.set_idref(value) elif key == 'description': pass elif key == 'vendor' and utils.test_value(value): tool_information_obj.set_Vendor(value) elif key == 'name' and utils.test_value(value): tool_information_obj.set_Name(value) elif key == 'version' and utils.test_value(value): tool_information_obj.set_Version(value) elif key == 'service_pack' and utils.test_value(value): tool_information_obj.set_Service_Pack(value) elif key == 'tool-specific_data' : pass elif key == 'tool_hashes': hashes_obj = HashList.object_from_dict(value) if hashes_obj.hasContent_() : tool_information_obj.set_Tool_Hashes(hashes_obj) elif key == 'tool_configuration' : pass elif key == 'execution_environment' : pass elif key == 'errors' : pass elif key == 'metadata' : pass return tool_information_obj
def from_obj(toolinfo_obj, toolinfo=None): if not toolinfo_obj: return None if not toolinfo: toolinfo = ToolInformation() toolinfo.id_ = toolinfo_obj.id toolinfo.idref = toolinfo_obj.idref toolinfo.name = toolinfo_obj.Name toolinfo.type_ = [VocabString.from_obj(x) for x in toolinfo_obj.Type] toolinfo.description = StructuredText.from_obj(toolinfo_obj.Description) toolinfo.vendor = toolinfo_obj.Vendor toolinfo.version = toolinfo_obj.Version toolinfo.service_pack = toolinfo_obj.Service_Pack toolinfo.tool_hashes = HashList.from_obj(toolinfo_obj.Tool_Hashes) return toolinfo
def from_obj(toolinfo_obj, tool_class = None): if not toolinfo_obj: return None if not tool_class: toolinfo = ToolInformation() else: toolinfo = tool_class toolinfo.id_ = toolinfo_obj.get_id() toolinfo.idref = toolinfo_obj.get_idref() toolinfo.name = toolinfo_obj.get_Name() toolinfo.type_ = [ToolType.from_obj(x) for x in toolinfo_obj.get_Type()] toolinfo.description = StructuredText.from_obj(toolinfo_obj.get_Description()) toolinfo.vendor = toolinfo_obj.get_Vendor() toolinfo.version = toolinfo_obj.get_Version() toolinfo.service_pack = toolinfo_obj.get_Service_Pack() toolinfo.tool_hashes = HashList.from_obj(toolinfo_obj.get_Tool_Hashes()) return toolinfo
def from_dict(toolinfo_dict, toolinfo=None): if not toolinfo_dict: return None if not toolinfo: toolinfo = ToolInformation() toolinfo.id_ = toolinfo_dict.get('id') toolinfo.idref = toolinfo_dict.get('idref') toolinfo.name = toolinfo_dict.get('name') toolinfo.type_ = [VocabString.from_dict(x) for x in toolinfo_dict.get('type', [])] toolinfo.description = StructuredText.from_dict(toolinfo_dict.get('description')) toolinfo.vendor = toolinfo_dict.get('vendor') toolinfo.version = toolinfo_dict.get('version') toolinfo.service_pack = toolinfo_dict.get('service_pack') toolinfo.tool_hashes = HashList.from_list(toolinfo_dict.get('tool_hashes')) return toolinfo
def object_from_dict(cls, extracted_string_dict): """Create the Extracted String object representation from an input dictionary""" extracted_string_object = common_types_binding.ExtractedStringType() for key, value in extracted_string_dict.items(): if key == 'encoding' : extracted_string_object.set_encoding(value.get('value')) elif key == 'string_value' : extracted_string_object.set_String_Value(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value)) elif key == 'hashes' : extracted_string_object.set_Hashes(HashList.object_from_dict(value)) elif key == 'address' : extracted_string_object.set_Address(Base_Object_Attribute.object_from_dict(common_types_binding.HexBinaryObjectAttributeType(datatype='hexBinary'),value)) elif key == 'length' : extracted_string_object.set_Length(Base_Object_Attribute.object_from_dict(common_types_binding.PositiveIntegerObjectAttributeType(datatype='PositiveInteger'),value)) elif key == 'language' : extracted_string_object.set_Language(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value)) elif key == 'english_translation' : extracted_string_object.set_English_Translation(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value)) return extracted_string_object
def from_obj(toolinfo_obj, toolinfo=None): if not toolinfo_obj: return None if not toolinfo: toolinfo = ToolInformation() toolinfo.id_ = toolinfo_obj.id toolinfo.idref = toolinfo_obj.idref toolinfo.name = toolinfo_obj.Name toolinfo.type_ = [VocabString.from_obj(x) for x in toolinfo_obj.Type] toolinfo.description = StructuredText.from_obj( toolinfo_obj.Description) toolinfo.vendor = toolinfo_obj.Vendor toolinfo.version = toolinfo_obj.Version toolinfo.service_pack = toolinfo_obj.Service_Pack toolinfo.tool_hashes = HashList.from_obj(toolinfo_obj.Tool_Hashes) return toolinfo
def from_dict(win_service_dict): if not win_service_dict: return None win_service_ = WinProcess.from_dict(win_service_dict, WinService()) win_service_.service_dll_signature_exists = win_service_dict.get('service_dll_signature_exists') win_service_.service_dll_signature_verified = win_service_dict.get('service_dll_signature_verified') win_service_.description_list = [String.from_dict(x) for x in win_service_dict.get('description_list', [])] win_service_.display_name = String.from_dict(win_service_dict.get('display_name')) win_service_.group_name = String.from_dict(win_service_dict.get('group_name')) win_service_.service_name = String.from_dict(win_service_dict.get('service_name')) win_service_.service_dll = String.from_dict(win_service_dict.get('service_dll')) win_service_.service_dll_certificate_issuer = String.from_dict(win_service_dict.get('service_dll_certificate_issuer')) win_service_.service_dll_certificate_subject = String.from_dict(win_service_dict.get('service_dll_certificate_subject')) win_service_.service_dll_hashes = HashList.from_list(win_service_dict.get('service_dll_hashes')) win_service_.service_dll_signature_description = String.from_dict(win_service_dict.get('service_dll_signature_description')) win_service_.startup_command_line = String.from_dict(win_service_dict.get('startup_command_line')) win_service_.startup_type = String.from_dict(win_service_dict.get('startup_type')) win_service_.service_status = String.from_dict(win_service_dict.get('service_status')) win_service_.service_type = String.from_dict(win_service_dict.get('service_type')) win_service_.started_as = String.from_dict(win_service_dict.get('started_as')) return win_service_
def from_dict(extracted_string_dict): if not extracted_string_dict: return None extracted_string_ = ExtractedString() extracted_string_.encoding = VocabString.from_dict( extracted_string_dict.get('encoding')) extracted_string_.string_value = String.from_dict( extracted_string_dict.get('string_value')) extracted_string_.byte_string_value = HexBinary.from_dict( extracted_string_dict.get('byte_string_value')) extracted_string_.hashes = HashList.from_list( extracted_string_dict.get('hashes')) extracted_string_.address = HexBinary.from_dict( extracted_string_dict.get('address')) extracted_string_.length = PositiveInteger.from_dict( extracted_string_dict.get('length')) extracted_string_.language = String.from_dict( extracted_string_dict.get('language')) extracted_string_.english_translation = String.from_dict( extracted_string_dict.get('english_translation')) return extracted_string_
def from_obj(extracted_string_obj): if not extracted_string_obj: return None extracted_string_ = ExtractedString() extracted_string_.encoding = VocabString.from_obj( extracted_string_obj.get_Encoding()) extracted_string_.string_value = String.from_obj( extracted_string_obj.get_String_Value()) extracted_string_.byte_string_value = HexBinary.from_obj( extracted_string_obj.get_Byte_String_Value()) extracted_string_.hashes = HashList.from_obj( extracted_string_obj.get_Hashes()) extracted_string_.address = HexBinary.from_obj( extracted_string_obj.get_Address()) extracted_string_.length = PositiveInteger.from_obj( extracted_string_obj.get_Length()) extracted_string_.language = String.from_obj( extracted_string_obj.get_Language()) extracted_string_.english_translation = String.from_obj( extracted_string_obj.get_English_Translation()) return extracted_string_
def from_obj(win_service_obj): if not win_service_obj: return None win_service_ = WinProcess.from_obj(win_service_obj, WinService()) win_service_.service_dll_signature_exists = win_service_obj.get_service_dll_signature_exists() win_service_.service_dll_signature_verified = win_service_obj.get_service_dll_signature_verified() if win_service_obj.get_Description_List() is not None: win_service_.description_list = [String.from_obj(x) for x in win_service_obj.get_Description_List().get_Description()] win_service_.display_name = String.from_obj(win_service_obj.get_Display_Name()) win_service_.group_name = String.from_obj(win_service_obj.get_Group_Name()) win_service_.service_name = String.from_obj(win_service_obj.get_Service_Name()) win_service_.service_dll = String.from_obj(win_service_obj.get_Service_DLL()) win_service_.service_dll_certificate_issuer = String.from_obj(win_service_obj.get_Service_DLL_Certificate_Issuer()) win_service_.service_dll_certificate_subject = String.from_obj(win_service_obj.get_Service_DLL_Certificate_Subject()) win_service_.service_dll_hashes = HashList.from_obj(win_service_obj.get_Service_DLL_Hashes()) win_service_.service_dll_signature_description = String.from_obj(win_service_obj.get_Service_DLL_Signature_Description()) win_service_.startup_command_line = String.from_obj(win_service_obj.get_Startup_Command_Line()) win_service_.startup_type = String.from_obj(win_service_obj.get_Startup_Type()) win_service_.service_status = String.from_obj(win_service_obj.get_Service_Status()) win_service_.service_type = String.from_obj(win_service_obj.get_Service_Type()) win_service_.started_as = String.from_obj(win_service_obj.get_Started_As()) return win_service_
def from_obj(toolinfo_obj, tool_class=None): if not toolinfo_obj: return None if not tool_class: toolinfo = ToolInformation() else: toolinfo = tool_class toolinfo.id_ = toolinfo_obj.get_id() toolinfo.idref = toolinfo_obj.get_idref() toolinfo.name = toolinfo_obj.get_Name() toolinfo.type_ = [ ToolType.from_obj(x) for x in toolinfo_obj.get_Type() ] toolinfo.description = StructuredText.from_obj( toolinfo_obj.get_Description()) toolinfo.vendor = toolinfo_obj.get_Vendor() toolinfo.version = toolinfo_obj.get_Version() toolinfo.service_pack = toolinfo_obj.get_Service_Pack() toolinfo.tool_hashes = HashList.from_obj( toolinfo_obj.get_Tool_Hashes()) return toolinfo
def sha384(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha384 = value
def test_round_trip(self): hashlist_list = TEST_HASH_LIST hashlist_obj = HashList.object_from_list(hashlist_list) hashlist_list2 = HashList.list_from_object(hashlist_obj) self.assertEqual(hashlist_list, hashlist_list2)
class File(ObjectProperties): _binding = file_binding _binding_class = file_binding.FileObjectType _namespace = 'http://cybox.mitre.org/objects#FileObject-2' _XSI_NS = "FileObj" _XSI_TYPE = "FileObjectType" is_packed = cybox.TypedField("is_packed") is_masqueraded = cybox.TypedField("is_masqueraded") file_name = cybox.TypedField("File_Name", String) file_path = cybox.TypedField("File_Path", FilePath) device_path = cybox.TypedField("Device_Path", String) full_path = cybox.TypedField("Full_Path", String) file_extension = cybox.TypedField("File_Extension", String) size_in_bytes = cybox.TypedField("Size_In_Bytes", UnsignedLong) magic_number = cybox.TypedField("Magic_Number", HexBinary) file_format = cybox.TypedField("File_Format", String) hashes = cybox.TypedField("Hashes", HashList) digital_signatures = cybox.TypedField("Digital_Signatures", DigitalSignatureList) modified_time = cybox.TypedField("Modified_Time", DateTime) accessed_time = cybox.TypedField("Accessed_Time", DateTime) created_time = cybox.TypedField("Created_Time", DateTime) # Subclasses must redefine these, since the abstract types # cannot be instantiated. file_attributes_list = cybox.TypedField("File_Attributes_List", FileAttribute) # abstract permissions = cybox.TypedField("Permissions", FilePermissions) # abstract user_owner = cybox.TypedField("User_Owner", String) packer_list = cybox.TypedField("Packer_List", PackerList) peak_entropy = cybox.TypedField("Peak_Entropy", Double) sym_links = cybox.TypedField("Sym_Links", SymLinksList) byte_runs = cybox.TypedField("Byte_Runs", ByteRuns) extracted_features = cybox.TypedField("Extracted_Features", ExtractedFeatures) encryption_algorithm = cybox.TypedField("Encryption_Algorithm", String) decryption_key = cybox.TypedField("Decryption_Key", String) compression_method = cybox.TypedField("Compression_Method", String) compression_version = cybox.TypedField("Compression_Version", String) compression_comment = cybox.TypedField("Compression_Comment", String) def __init__(self): super(File, self).__init__() self.is_packed = None @property def md5(self): if self.hashes is None: return None return self.hashes.md5 @md5.setter def md5(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.md5 = value @property def sha1(self): if self.hashes is None: return None return self.hashes.sha1 @sha1.setter def sha1(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha1 = value @property def sha224(self): if self.hashes is None: return None return self.hashes.sha224 @sha224.setter def sha224(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha224 = value @property def sha256(self): if self.hashes is None: return None return self.hashes.sha256 @sha256.setter def sha256(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha256 = value @property def sha384(self): if self.hashes is None: return None return self.hashes.sha384 @sha384.setter def sha384(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha384 = value @property def sha512(self): if self.hashes is None: return None return self.hashes.sha512 @sha512.setter def sha512(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha512 = value @property def size(self): """`size` is an alias for `size_in_bytes`""" return self.size_in_bytes @size.setter def size(self, value): """`size` is an alias for `size_in_bytes`""" self.size_in_bytes = value def add_hash(self, hash_): if hash_ is not None: if self.hashes is None: self.hashes = HashList() self.hashes.append(hash_)
exports.exported_functions = PEExportedFunctions() exports.exports_time_stamp = DateTime() exports.name = String() exports.number_of_addresses = Long() exports.number_of_functions = Integer() exports.number_of_names = Long() # The Extraneous_Bytes field specifies the number of extraneous bytes contained in the PE binary. extraneous_bytes = Integer() # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEHeaders headers = PEHeaders() headers.dos_header = DOSHeader() headers.entropy = Entropy() headers.file_header = PEFileHeader() headers.hashes = HashList() headers.optional_header = PEOptionalHeader() headers.signature = HexBinary() # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEImportList imports = PEImportList() # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEChecksum pe_checksum = PEChecksum() pe_checksum.pe_computed_api = Long() pe_checksum.pe_file_api = Long() pe_checksum.pe_file_raw = Long() # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEResourceList resources = PEResourceList()
def add_hash(self, hash_): if hash_ is not None: if self.hashes is None: self.hashes = HashList() self.hashes.append(hash_)
def merge_binned_malware_subjects(merged_malware_subject, binned_list, id_mappings_dict): '''Merge a list of input binned (related) Malware Subjects''' # Merge the Malware_Instance_Object_Attributes mal_inst_obj_list = [ x.malware_instance_object_attributes for x in binned_list ] merged_inst_obj = Object.from_dict(merge_entities(mal_inst_obj_list)) # Give the merged Object a new ID merged_inst_obj.id_ = idgen.create_id('object') # Deduplicate the hash values, if they exist if merged_inst_obj.properties and merged_inst_obj.properties.hashes: hashes = merged_inst_obj.properties.hashes hashes = HashList( deduplicate_vocabulary_list(hashes, value_name='simple_hash_value')) hashes = HashList( deduplicate_vocabulary_list(hashes, value_name='fuzzy_hash_value')) merged_inst_obj.properties.hashes = hashes # Merge and deduplicate the labels merged_labels = list( itertools.chain(*[x.label for x in binned_list if x.label])) deduplicated_labels = deduplicate_vocabulary_list(merged_labels) # Merge the configuration details config_details_list = [ x.configuration_details for x in binned_list if x.configuration_details ] merged_config_details = None if config_details_list: merged_config_details = MalwareConfigurationDetails.from_dict( merge_entities(config_details_list)) # Merge the minor variants merged_minor_variants = list( itertools.chain( *[x.minor_variants for x in binned_list if x.minor_variants])) # Merge the field data # TODO: Add support. Not implemented in the APIs. # Merge the analyses merged_analyses = list( itertools.chain(*[x.analyses for x in binned_list if x.analyses])) # Merge the findings bundles merged_findings_bundles = merge_findings_bundles( [x.findings_bundles for x in binned_list if x.findings_bundles]) # Merge the relationships merged_relationships = list( itertools.chain( *[x.relationships for x in binned_list if x.relationships])) # Merge the compatible platforms merged_compatible_platforms = list( itertools.chain(*[ x.compatible_platform for x in binned_list if x.compatible_platform ])) # Build the merged Malware Subject merged_malware_subject.malware_instance_object_attributes = merged_inst_obj if deduplicated_labels: merged_malware_subject.label = deduplicated_labels if merged_config_details: merged_malware_subject.configuration_details = merged_config_details if merged_minor_variants: merged_malware_subject.minor_variants = MinorVariants( merged_minor_variants) if merged_analyses: merged_malware_subject.analyses = Analyses(merged_analyses) if merged_findings_bundles: merged_malware_subject.findings_bundles = merged_findings_bundles if merged_relationships: merged_malware_subject.relationships = MalwareSubjectRelationshipList( merged_relationships) if merged_compatible_platforms: merged_malware_subject.compatible_platform = merged_compatible_platforms
def test_namespace_count(self): h = HashList() h.append(EMPTY_MD5) h.append(EMPTY_SHA1) h.append(EMPTY_SHA224) h.append(EMPTY_SHA256) h.append(EMPTY_SHA384) h.append(EMPTY_SHA512) print h.to_xml() ns_list = cybox.test.round_trip(h, list_=True)._get_namespaces() print ns_list # Only "common" and "vocabs" should be here. "xsi" is only added later self.assertEqual(2, len(ns_list))
def dict_from_object(cls, extracted_string_obj): """Parse and return a dictionary for an Extracted String object""" extracted_string_dict = {} if extracted_string_obj.get_encoding() is not None: extracted_string_dict['encoding'] = {'value' : element.get_encoding()} if extracted_string_obj.get_String_Value() is not None: extracted_string_dict['string_value'] = Base_Object_Attribute.dict_from_object(defined_object.get_String_Value()) if extracted_string_obj.get_Hashes() is not None: extracted_string_dict['hashes'] = HashList.dict_from_object(element.get_Hashes()) if extracted_string_obj.get_Address() is not None: extracted_string_dict['address'] = Base_Object_Attribute.dict_from_object(defined_object.get_Address()) if extracted_string_obj.get_Length() is not None: extracted_string_dict['length'] = Base_Object_Attribute.dict_from_object(defined_object.get_Length()) if extracted_string_obj.get_Language() is not None: extracted_string_dict['language'] = Base_Object_Attribute.dict_from_object(defined_object.get_Language()) if extracted_string_obj.get_English_Translation() is not None: extracted_string_dict['english_translation'] = Base_Object_Attribute.dict_from_object(defined_object.get_English_Translation()) return extracted_string_dict
class File(ObjectProperties): _binding = file_binding _binding_class = file_binding.FileObjectType _namespace = 'http://cybox.mitre.org/objects#FileObject-2' _XSI_NS = "FileObj" _XSI_TYPE = "FileObjectType" is_packed = cybox.TypedField("is_packed") file_name = cybox.TypedField("File_Name", String) file_path = cybox.TypedField("File_Path", FilePath) device_path = cybox.TypedField("Device_Path", String) full_path = cybox.TypedField("Full_Path", String) file_extension = cybox.TypedField("File_Extension", String) size_in_bytes = cybox.TypedField("Size_In_Bytes", UnsignedLong) magic_number = cybox.TypedField("Magic_Number", HexBinary) file_format = cybox.TypedField("File_Format", String) modified_time = cybox.TypedField("Modified_Time", String) accessed_time = cybox.TypedField("Accessed_Time", String) created_time = cybox.TypedField("Created_Time", DateTime) hashes = cybox.TypedField("Hashes", HashList) extracted_features = cybox.TypedField("Extracted_Features", ExtractedFeatures) # Not supported yet: # - Digital_Signatures # - File_Attributes_List # - Permissions # - User_Owner # - Packer_List # - Peak_Entropy # - Sym_Links # - Extracted_Features # - Byte Runs def __init__(self): super(File, self).__init__() self.is_packed = None @property def md5(self): if self.hashes is None: return None return self.hashes.md5 @md5.setter def md5(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.md5 = value @property def sha1(self): if self.hashes is None: return None return self.hashes.sha1 @sha1.setter def sha1(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha1 = value @property def sha256(self): if self.hashes is None: return None return self.hashes.sha256 @sha256.setter def sha256(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha256 = value @property def size(self): """`size` is an alias for `size_in_bytes`""" return self.size_in_bytes @size.setter def size(self, value): """`size` is an alias for `size_in_bytes`""" self.size_in_bytes = value def add_hash(self, hash_): if hash_ is not None: if self.hashes is None: self.hashes = HashList() self.hashes.append(hash_)
def sha512(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha512 = value
def sha256(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha256 = value
def md5(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.md5 = value
from cybox.common import Hash, HashList, VocabString from cybox.objects.file_object import File from maec.bundle import Bundle, MalwareAction, Capability from maec.package import Analysis, MalwareSubject, Package # Instantiate the Bundle, Package, MalwareSubject, and Analysis classes bundle = Bundle(defined_subject=False) package = Package() subject = MalwareSubject() analysis = Analysis() # Create the Object for use in the Malware Instance Object Attributes subject_object = Object() subject_object.properties = File() subject_object.properties.name = 'foobar.exe' subject_object.properties.size_in_bytes = '35532' subject_object.properties.hashes = HashList() subject_object.properties.hashes.append( Hash("8743b52063cd84097a65d1633f5c74f5")) # Set the Malware Instance Object Attributes with an Object constructed from the dictionary subject.set_malware_instance_object_attributes(subject_object) # Create the Associated Object Dictionary for use in the Action associated_object = AssociatedObject() associated_object.properties = File() associated_object.properties.file_name = 'abcd.dll' associated_object.properties.size_in_bytes = '123456' associated_object.association_type = VocabString() associated_object.association_type.value = 'output' associated_object.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0' # Create the Action from another dictionary action = MalwareAction() action.name = VocabString()
class File(ObjectProperties): _binding = file_binding _binding_class = file_binding.FileObjectType _namespace = 'http://cybox.mitre.org/objects#FileObject-2' _XSI_NS = "FileObj" _XSI_TYPE = "FileObjectType" is_packed = fields.TypedField("is_packed") is_masqueraded = fields.TypedField("is_masqueraded") file_name = fields.TypedField("File_Name", String) file_path = fields.TypedField("File_Path", FilePath) device_path = fields.TypedField("Device_Path", String) full_path = fields.TypedField("Full_Path", String) file_extension = fields.TypedField("File_Extension", String) size_in_bytes = fields.TypedField("Size_In_Bytes", UnsignedLong) magic_number = fields.TypedField("Magic_Number", HexBinary) file_format = fields.TypedField("File_Format", String) hashes = fields.TypedField("Hashes", HashList) digital_signatures = fields.TypedField("Digital_Signatures", DigitalSignatureList) modified_time = fields.TypedField("Modified_Time", DateTime) accessed_time = fields.TypedField("Accessed_Time", DateTime) created_time = fields.TypedField("Created_Time", DateTime) # Subclasses must redefine these, since the abstract types # cannot be instantiated. file_attributes_list = fields.TypedField("File_Attributes_List", FileAttribute) # abstract permissions = fields.TypedField("Permissions", FilePermissions) # abstract user_owner = fields.TypedField("User_Owner", String) packer_list = fields.TypedField("Packer_List", PackerList) peak_entropy = fields.TypedField("Peak_Entropy", Double) sym_links = fields.TypedField("Sym_Links", SymLinksList) byte_runs = fields.TypedField("Byte_Runs", ByteRuns) extracted_features = fields.TypedField("Extracted_Features", ExtractedFeatures) encryption_algorithm = fields.TypedField("Encryption_Algorithm", String) decryption_key = fields.TypedField("Decryption_Key", String) compression_method = fields.TypedField("Compression_Method", String) compression_version = fields.TypedField("Compression_Version", String) compression_comment = fields.TypedField("Compression_Comment", String) def __init__(self): super(File, self).__init__() self.is_packed = None @property def md5(self): if self.hashes is None: return None return self.hashes.md5 @md5.setter def md5(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.md5 = value @property def sha1(self): if self.hashes is None: return None return self.hashes.sha1 @sha1.setter def sha1(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha1 = value @property def sha224(self): if self.hashes is None: return None return self.hashes.sha224 @sha224.setter def sha224(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha224 = value @property def sha256(self): if self.hashes is None: return None return self.hashes.sha256 @sha256.setter def sha256(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha256 = value @property def sha384(self): if self.hashes is None: return None return self.hashes.sha384 @sha384.setter def sha384(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha384 = value @property def sha512(self): if self.hashes is None: return None return self.hashes.sha512 @sha512.setter def sha512(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.sha512 = value @property def size(self): """`size` is an alias for `size_in_bytes`""" return self.size_in_bytes @size.setter def size(self, value): """`size` is an alias for `size_in_bytes`""" self.size_in_bytes = value def add_hash(self, hash_): if hash_ is not None: if self.hashes is None: self.hashes = HashList() self.hashes.append(hash_)
def tool_hashes(self): if self._tool_hashes is None: self._tool_hashes = HashList() return self._tool_hashes
def ssdeep(self, value): if self.hashes is None: self.hashes = HashList() self.hashes.ssdeep = value
def map_attribtue(self, instance, attribute): definition_name = attribute.definition.name if hasattr(instance, definition_name.lower()): setattr(instance, definition_name.lower(), attribute.value) value = getattr(instance, definition_name.lower()) value.condition = self.get_condition(attribute) else: if 'hash' in definition_name: if attribute.condition.value: if attribute.condition.value: if attribute.condition.value == "Equals": exact = True else: exact = False else: exact = False else: exact = True h = Hash(attribute.value, exact=exact) h.condition = attribute.condition if instance.hashes is None: instance.hashes = HashList() instance.hashes.append(h) pass elif 'email' in definition_name: self.populate_email(instance, attribute) elif definition_name == 'url': instance.type_ = URI.TYPE_URL instance.value = attribute.value instance.value.condition = self.get_condition(attribute) elif 'Full_Path' and isinstance(instance, Process): # TODO: check why this is set?!? pass elif definition_name == 'WindowsRegistryKey_Key': instance.key = attribute.value instance.key.condition = self.get_condition(attribute) elif definition_name == 'WindowsRegistryKey_Hive': instance.hive = attribute.value instance.hive.condition = self.get_condition(attribute) elif 'WindowsRegistryKey_RegistryValue' in definition_name: value = RegistryValue() if definition_name == 'WindowsRegistryKey_RegistryValue_Data': value.data = attribute.value value.data.condition = self.get_condition(attribute) elif definition_name == 'WindowsRegistryKey_RegistryValue_Data': value.name = attribute.value value.name.condition = self.get_condition(attribute) if not instance.values: instance.values = RegistryValues() instance.values.append(value) instance.data = attribute.value elif definition_name == 'ipv4_addr': instance.category = definition_name.replace('_', '-') instance.address_value = attribute.value instance.address_value.condition = self.get_condition( attribute) elif definition_name == 'DomainName_Value': instance.value = attribute.value elif definition_name == 'Raw_Artifact': path = '{0}/{1}'.format(self.fh.get_base_path(), attribute.value) if isfile(path): with open(path, 'r') as f: bin_string = f.read() instance.data = bin_string # TODO find the corect type instance.type_ = Artifact.TYPE_GENERIC instance.packaging.append(Base64Encoding()) else: instance.data = 'MIA' instance.type_ = Artifact.TYPE_GENERIC instance.packaging.append(Base64Encoding()) elif definition_name == 'content_type': instance.type_ = attribute.value elif definition_name == 'URIType': instance.type_ = attribute.value elif not attribute.definition.cybox_std: self.add_custom_property(instance, attribute) elif isinstance(instance, NetworkConnection) and definition_name in [ 'is_type', 'Port' ]: # TODO: check why this is set?!? pass else: raise Ce1susStixMapperException( 'Cannot map {1} on object type {0}'.format( instance.__class__.__name__, definition_name))