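def run(self, paths):
    """Scan the file at *paths* with the Yara module and wrap the outcome.

    Args:
        paths: location of the sample to scan; passed straight to
            ``self.get_file_report``.

    Returns:
        A ``PluginResult`` whose ``status`` is one of ``self.YaraResult``
        ``{ERROR, NOT_FOUND, FOUND}``. When the scanner itself ran,
        ``results`` is ``{'Matches': [...]}`` with one string per reported
        match (an empty list for NOT_FOUND); when the scanner reported an
        error, ``error`` carries its message. ``duration`` is the elapsed
        scan time as measured with the module-level ``timestamp`` helper.
    """
    results = PluginResult(name=type(self).plugin_display_name,
                           type=type(self).plugin_category,
                           version=None)
    try:
        # get the report, automatically append results
        started = timestamp(datetime.utcnow())
        (error_raised, response) = self.get_file_report(paths)
        stopped = timestamp(datetime.utcnow())
        results.duration = stopped - started
        # check eventually for errors
        if error_raised:
            results.status = self.YaraResult.ERROR
            results.error = response
        elif len(response) == 0:
            results.status = self.YaraResult.NOT_FOUND
        else:
            results.status = self.YaraResult.FOUND
        matches = []
        if results.status is self.YaraResult.FOUND:
            # stringify each match object so the result only holds plain text
            matches = ["{0!s}".format(match) for match in response]
        results.results = None
        if not error_raised:
            results.results = {'Matches': matches}
    except Exception as e:
        results.status = self.YaraResult.ERROR
        # keep the message in ``results`` (where consumers of this plugin
        # already look for it) and also expose it in ``error``, which is
        # where the other probes in this file report exceptions
        results.results = str(e)
        results.error = str(e)
    return results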
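def run(self, paths):
    """Run the bound antivirus module on one file and report a PluginResult.

    Args:
        paths: location of the sample to scan. Exactly one path is
            accepted; a tuple, list or set raises ``NotImplementedError``.

    Returns:
        A ``PluginResult`` carrying the module version, one metadata entry
        per signature-database file in ``database`` (``None`` when the
        module declares no database), the scanner status (negative means
        failure, in which case ``error`` holds the scanner output, otherwise
        ``results`` does), the scan ``duration`` and the module's
        ``virus_database_version``. Any exception during the scan yields
        ``status == -1`` with the message in ``error``.

    Raises:
        AssertionError: no antivirus module is bound to this plugin.
        NotImplementedError: several paths were given at once.
    """
    # explicit check instead of ``assert`` so it survives ``python -O``;
    # AssertionError is kept so callers see the same exception as before
    if not self.module:
        raise AssertionError("no antivirus module bound to this plugin")
    if isinstance(paths, (tuple, list, set)):
        raise NotImplementedError(
            "Scanning of multiple paths at once is not supported for now")
    fpath = Path(paths)
    results = PluginResult(name=type(self).plugin_display_name,
                           type=type(self).plugin_category,
                           version=self.module.version)
    try:
        # add database metadata
        results.database = None
        if self.module.database:
            results.database = {str(fp): self.file_metadata(fp)
                                for fp in self.module.database}
        # launch an antivirus scan, automatically append scan results
        started = timestamp(datetime.utcnow())
        results.status = self.module.scan(fpath)
        stopped = timestamp(datetime.utcnow())
        results.duration = stopped - started
        # NOTE(review): looked up with the Path object; the sibling plugin
        # below keys scan_results by ``str(fpath)`` — confirm which the module uses
        return_results = self.module.scan_results[fpath]
        # add scan results or append error
        if results.status < 0:
            results.error = return_results
        else:
            results.results = return_results
        # Add virus_database_version metadata
        results.virus_database_version = self.module.virus_database_version
    except Exception as e:
        results.status = -1
        results.error = str(e)
    return results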
def run(self, paths):
    """Look up the SHA-1 of the file at *paths* in the NSRL data set.

    Args:
        paths: location of the sample; its SHA-1 is computed with
            ``sha1sum`` and uppercased before the lookup.

    Returns:
        A ``PluginResult`` with ``status`` in ``self.NSRLPluginResult``
        ``{ERROR, NOT_FOUND, FOUND}``. A dict reply missing any of
        ``MfgCode``, ``OpSystemCode``, ``ProductCode`` or ``SHA-1`` counts
        as NOT_FOUND and leaves ``results`` as ``None``; otherwise the raw
        reply is stored in ``results``. Exceptions set ERROR and ``error``.
    """
    plugin_cls = type(self)
    results = PluginResult(name=plugin_cls.display_name,
                           type=plugin_cls.plugin_category,
                           version=None)
    required_keys = ('MfgCode', 'OpSystemCode', 'ProductCode', 'SHA-1')
    try:
        # lookup the specified sha1
        t_start = timestamp(datetime.utcnow())
        digest = sha1sum(paths).upper()
        reply = self.module.lookup_by_sha1(digest)
        t_stop = timestamp(datetime.utcnow())
        results.duration = t_stop - t_start
        # an incomplete record is treated as "not in the reference set"
        incomplete = isinstance(reply, dict) and \
            not all(reply.get(key) for key in required_keys)
        if incomplete:
            results.status = self.NSRLPluginResult.NOT_FOUND
            reply = None
        else:
            results.status = self.NSRLPluginResult.FOUND
        results.results = reply
    except Exception as e:
        results.status = self.NSRLPluginResult.ERROR
        results.error = str(e)
    return results
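def run(self, paths):
    """Fetch the VirusTotal report for the file at *paths*.

    Args:
        paths: location of the sample; handed to ``self.get_file_report``.

    Returns:
        A ``PluginResult`` with ``status`` in ``self.VirusTotalResult``
        ``{ERROR, NOT_FOUND, FOUND}``. A reply carrying an ``error`` key, an
        HTTP 204 (rate limit) or 403 (bad key) is reported as ERROR with a
        message in ``error``; a 200 whose inner ``response_code`` is not 1
        is NOT_FOUND; anything else is FOUND. ``results`` holds the raw
        reply unless it carried an ``error`` key. ``duration`` is the time
        spent in the request.
    """
    results = PluginResult(name=type(self).plugin_display_name,
                           type=type(self).plugin_category,
                           version=None)
    try:
        # get the report, automatically append results
        started = timestamp(datetime.utcnow())
        response = self.get_file_report(paths)
        stopped = timestamp(datetime.utcnow())
        results.duration = stopped - started
        # check eventually for errors
        if 'error' in response:
            results.status = self.VirusTotalResult.ERROR
            results.error = str(response['error'])
        elif response['response_code'] == 204:
            results.status = self.VirusTotalResult.ERROR
            results.error = "Public API request rate limit exceeded"
        elif response['response_code'] == 403:
            results.status = self.VirusTotalResult.ERROR
            results.error = "Access forbidden (wrong key value or type)"
        elif response['response_code'] == 200 and \
                response['results']['response_code'] != 1:
            # the service answered but has no record of this hash
            results.status = self.VirusTotalResult.NOT_FOUND
        else:
            results.status = self.VirusTotalResult.FOUND
        results.results = response if 'error' not in response else None
    except Exception as e:
        # a missing key in an unexpected reply lands here as well
        results.status = self.VirusTotalResult.ERROR
        # keep the message in ``results`` for existing consumers and also
        # expose it in ``error``, consistently with the other probes
        results.results = str(e)
        results.error = str(e)
    return results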
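def run(self, paths):
    """Compute the SHA-256 of the file at *paths* (dummy probe).

    Args:
        paths: location of the file to hash; opened read-only in binary mode.

    Returns:
        A ``PluginResult`` with ``status == self.DummyResult.SUCCESS`` and
        the digest returned by ``sha256sum`` in ``results``, or
        ``self.DummyResult.ERROR`` with ``"<ExceptionName> : <message>"`` in
        ``results`` if anything fails. ``duration`` is the hashing time.
    """
    response = PluginResult(name=type(self).plugin_display_name,
                            type=type(self).plugin_category,
                            version=None)
    try:
        started = timestamp(datetime.utcnow())
        # context manager closes the handle even if sha256sum raises
        # (the previous open() call leaked the descriptor)
        with open(paths, 'rb') as sample:
            response.results = sha256sum(sample)
        stopped = timestamp(datetime.utcnow())
        response.duration = stopped - started
        response.status = self.DummyResult.SUCCESS
    except Exception as e:
        response.status = self.DummyResult.ERROR
        response.results = type(e).__name__ + " : " + str(e)
    return response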
def run(self, paths):
    """Skeleton probe: returns a fixed placeholder instead of analysing *paths*.

    Args:
        paths: location of the sample; unused by this skeleton.

    Returns:
        A ``PluginResult`` with ``status == self.SkeletonResult.SUCCESS``
        and the placeholder text in ``results``, or
        ``self.SkeletonResult.ERROR`` with the exception message in
        ``results``. ``duration`` measures the (trivial) placeholder step.
    """
    plugin_cls = type(self)
    outcome = PluginResult(name=plugin_cls.plugin_display_name,
                           type=plugin_cls.plugin_category,
                           version=None)
    try:
        t_start = timestamp(datetime.utcnow())
        # replace this assignment with the real analysis call
        outcome.results = "Main analysis call here"
        t_stop = timestamp(datetime.utcnow())
        outcome.duration = t_stop - t_start
        outcome.status = self.SkeletonResult.SUCCESS
    except Exception as e:
        outcome.status = self.SkeletonResult.ERROR
        outcome.results = str(e)
    return outcome
def run(self, paths):
    """Identify the file type of *paths* with the TrID module.

    Args:
        paths: location of the sample; handed to ``self.module.analyze``.

    Returns:
        A ``PluginResult`` whose ``status`` and ``results`` are the pair
        returned by ``self.module.analyze``; on exception ``status`` is
        ``self.TrIDResults.ERROR`` and ``error`` holds the message.
        ``duration`` is the analysis time.
    """
    plugin_cls = type(self)
    report = PluginResult(name=plugin_cls.plugin_display_name,
                          type=plugin_cls.plugin_category,
                          version=None)
    # launch file analysis
    try:
        t_start = timestamp(datetime.utcnow())
        # the module answers with a (status, results) pair
        report.status, report.results = self.module.analyze(paths)
        report.duration = timestamp(datetime.utcnow()) - t_start
    except Exception as e:
        report.status = self.TrIDResults.ERROR
        report.error = str(e)
    return report
def run(self, paths):
    """Identify the file type of *paths* with the TrID module.

    Args:
        paths: location of the sample; handed to ``self.module.analyze``.

    Returns:
        A ``PluginResult`` whose ``status`` and ``results`` are the pair
        returned by ``self.module.analyze``; on exception ``status`` is
        ``self.TrIDResults.ERROR`` and ``error`` holds
        ``"<ExceptionName> : <message>"``. ``duration`` is the analysis time.
    """
    plugin_cls = type(self)
    report = PluginResult(name=plugin_cls.plugin_display_name,
                          type=plugin_cls.plugin_category,
                          version=None)
    # launch file analysis
    try:
        t_start = timestamp(datetime.utcnow())
        # the module answers with a (status, results) pair
        report.status, report.results = self.module.analyze(paths)
        report.duration = timestamp(datetime.utcnow()) - t_start
    except Exception as e:
        report.status = self.TrIDResults.ERROR
        report.error = "{0} : {1}".format(type(e).__name__, e)
    return report
def run(self, paths):
    """Run the PEiD signature analysis on the file at *paths*.

    Args:
        paths: location of the sample; handed to ``self.analyze``.

    Returns:
        A ``PluginResult`` whose ``status`` and ``results`` are the pair
        returned by ``self.analyze``; on exception ``status`` is
        ``self.PEiDResult.ERROR`` and ``error`` holds
        ``"<ExceptionName> : <message>"``. ``duration`` is the analysis time.
    """
    plugin_cls = type(self)
    report = PluginResult(name=plugin_cls.plugin_display_name,
                          type=plugin_cls.plugin_category,
                          version=None)
    try:
        t_start = timestamp(datetime.utcnow())
        # analyze() answers with a (status, results) pair
        report.status, report.results = self.analyze(paths)
        report.duration = timestamp(datetime.utcnow()) - t_start
    except Exception as e:
        report.status = self.PEiDResult.ERROR
        report.error = "{0} : {1}".format(type(e).__name__, e)
    return report
def run(self, paths):
    """Run the PEiD signature analysis on the file at *paths*.

    Args:
        paths: location of the sample; handed to ``self.analyze``.

    Returns:
        A ``PluginResult`` whose ``status`` and ``results`` are the pair
        returned by ``self.analyze``; on exception ``status`` is
        ``self.PEiDResult.ERROR`` and ``error`` holds the message.
        ``duration`` is the analysis time.
    """
    plugin_cls = type(self)
    report = PluginResult(name=plugin_cls.plugin_display_name,
                          type=plugin_cls.plugin_category,
                          version=None)
    try:
        t_start = timestamp(datetime.utcnow())
        # analyze() answers with a (status, results) pair
        report.status, report.results = self.analyze(paths)
        report.duration = timestamp(datetime.utcnow()) - t_start
    except Exception as e:
        report.status = self.PEiDResult.ERROR
        report.error = str(e)
    return report
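def run(self, paths):
    """Extract the archive at *paths* into a fresh temporary directory.

    Args:
        paths: location of the archive; handed to ``self.unarchive``
            together with a directory created by ``tempfile.mkdtemp``.

    Returns:
        A ``PluginResult`` with ``status == self.UnarchiveResult.OK``,
        ``results`` set to ``None`` and ``output_files`` holding
        ``{'output_dir': <dir>, 'file_list': <unarchive() return value>}``.
        On failure ``status`` is ``self.UnarchiveResult.ERROR``, ``error``
        carries the message and the temporary directory is removed.
        ``duration`` covers directory creation and extraction.

    Note:
        The sample is untrusted; any extraction-size or ratio limit is
        expected to live in ``self.unarchive`` (not visible here).
    """
    import shutil

    results = PluginResult(name=type(self).plugin_name,
                           type=type(self).plugin_category,
                           version=None)
    output_dir = None
    try:
        started = timestamp(datetime.utcnow())
        output_dir = tempfile.mkdtemp()
        file_list = self.unarchive(paths, output_dir)
        results.output_files = {'output_dir': output_dir,
                                'file_list': file_list}
        stopped = timestamp(datetime.utcnow())
        results.duration = stopped - started
        results.status = self.UnarchiveResult.OK
        results.results = None
    except Exception as e:
        results.status = self.UnarchiveResult.ERROR
        results.error = "Maybe a zip bomb : " + str(e)
        # output_files is only filled on success, so nothing can refer to
        # the directory any more: delete it rather than leave a partially
        # extracted (possibly very large) tree behind on disk
        if output_dir is not None:
            shutil.rmtree(output_dir, ignore_errors=True)
    return results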
def run(self, paths):
    """Submit the file at *paths* to the ICAP server (REQMOD) and report.

    Args:
        paths: location of the sample; handed to ``self.query_server``.

    Returns:
        A ``PluginResult`` with ``status == self.ICAPResult.CLEAN`` and
        ``'No threat found'`` in ``results`` when the server answers
        ``None``, otherwise ``self.ICAPResult.INFECTED`` with the server's
        answer in ``results``. Exceptions give ``self.ICAPResult.ERROR``
        with ``"<ExceptionName> : <message>"`` in ``error``. ``duration``
        is the round-trip time.
    """
    plugin_cls = type(self)
    report = PluginResult(name=plugin_cls.plugin_display_name,
                          type=plugin_cls.plugin_category,
                          version=None)
    try:
        # query the ICAP server: issue a REQMOD request
        t_start = timestamp(datetime.utcnow())
        verdict = self.query_server(paths)
        report.duration = timestamp(datetime.utcnow()) - t_start
        # a None answer from the server means nothing was flagged
        if verdict is None:
            report.status, report.results = (self.ICAPResult.CLEAN,
                                             'No threat found')
        else:
            report.status, report.results = (self.ICAPResult.INFECTED,
                                             verdict)
    except Exception as e:
        report.status = self.ICAPResult.ERROR
        report.error = "{0} : {1}".format(type(e).__name__, e)
    return report
def run(self, paths):
    """Submit the file at *paths* to the ICAP server (REQMOD) and report.

    Args:
        paths: location of the sample; handed to ``self.query_server``.

    Returns:
        A ``PluginResult`` with ``status == self.ICAPResult.CLEAN`` and
        ``'No threat found'`` in ``results`` when the server answers
        ``None``, otherwise ``self.ICAPResult.INFECTED`` with the server's
        answer in ``results``. Exceptions give ``self.ICAPResult.ERROR``
        with the message in ``error``. ``duration`` is the round-trip time.
    """
    plugin_cls = type(self)
    report = PluginResult(name=plugin_cls.plugin_display_name,
                          type=plugin_cls.plugin_category,
                          version=None)
    try:
        # query the ICAP server: issue a REQMOD request
        t_start = timestamp(datetime.utcnow())
        verdict = self.query_server(paths)
        report.duration = timestamp(datetime.utcnow()) - t_start
        # a None answer from the server means nothing was flagged
        if verdict is None:
            report.status, report.results = (self.ICAPResult.CLEAN,
                                             'No threat found')
        else:
            report.status, report.results = (self.ICAPResult.INFECTED,
                                             verdict)
    except Exception as e:
        report.status = self.ICAPResult.ERROR
        report.error = str(e)
    return report
def run(self, paths):
    """Run the PE static analyzer on the file at *paths*.

    Args:
        paths: location of the sample; passed as ``filename`` to
            ``self.analyze``.

    Returns:
        A ``PluginResult`` with ``status == self.StaticAnalyzerResults.SUCCESS``
        and the analysis in ``results`` when ``self.analyze`` returns
        something truthy; a falsy answer is reported as ``FAILURE`` with
        ``"Not a PE file"`` in ``results``. Exceptions give ``ERROR`` with
        ``"<ExceptionName> : <message>"`` in ``error``. ``duration`` is the
        analysis time.
    """
    plugin_cls = type(self)
    report = PluginResult(name=plugin_cls.plugin_display_name,
                          type=plugin_cls.plugin_category,
                          version=None)
    # launch file analysis
    try:
        t_start = timestamp(datetime.utcnow())
        analysis = self.analyze(filename=paths)
        report.duration = timestamp(datetime.utcnow()) - t_start
        # update results: an empty answer is how analyze() signals a non-PE input
        if analysis:
            report.status = self.StaticAnalyzerResults.SUCCESS
            report.results = analysis
        else:
            report.status = self.StaticAnalyzerResults.FAILURE
            report.results = "Not a PE file"
    except Exception as e:
        report.status = self.StaticAnalyzerResults.ERROR
        report.error = "{0} : {1}".format(type(e).__name__, e)
    return report
def run(self, paths):
    """Run the PE static analyzer on the file at *paths*.

    Args:
        paths: location of the sample; passed as ``filename`` to
            ``self.analyze``.

    Returns:
        A ``PluginResult`` with ``status == self.StaticAnalyzerResults.SUCCESS``
        and the analysis in ``results`` when ``self.analyze`` returns
        something truthy; a falsy answer is reported as ``FAILURE`` with
        ``"Not a PE file"`` in ``results``. Exceptions give ``ERROR`` with
        the message in ``error``. ``duration`` is the analysis time.
    """
    plugin_cls = type(self)
    report = PluginResult(name=plugin_cls.plugin_display_name,
                          type=plugin_cls.plugin_category,
                          version=None)
    # launch file analysis
    try:
        t_start = timestamp(datetime.utcnow())
        analysis = self.analyze(filename=paths)
        report.duration = timestamp(datetime.utcnow()) - t_start
        # update results: an empty answer is how analyze() signals a non-PE input
        if analysis:
            report.status = self.StaticAnalyzerResults.SUCCESS
            report.results = analysis
        else:
            report.status = self.StaticAnalyzerResults.FAILURE
            report.results = "Not a PE file"
    except Exception as e:
        report.status = self.StaticAnalyzerResults.ERROR
        report.error = str(e)
    return report
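def run(self, paths):
    """Parse the file at *paths* with LIEF and report the analysis.

    Args:
        paths: location of the sample; passed as ``filename`` to
            ``self.analyze``.

    Returns:
        A ``PluginResult`` (version ``self.lief_version``) with
        ``status == self.LiefAnalyzerResult.SUCCESS`` and the analysis in
        ``results`` when ``self.analyze`` returns something truthy; a falsy
        answer is reported as ``FAILURE`` with ``"ERROR"`` in ``results``.
        Exceptions give ``ERROR`` with the message in both ``results`` and
        ``error``. ``duration`` is the analysis time.
    """
    results = PluginResult(name=type(self).plugin_name,
                           type=type(self).plugin_category,
                           version=self.lief_version)
    try:
        started = timestamp(datetime.utcnow())
        response = self.analyze(filename=paths)
        stopped = timestamp(datetime.utcnow())
        results.duration = stopped - started
        # update results
        if not response:
            results.status = self.LiefAnalyzerResult.FAILURE
            results.results = "ERROR"
        else:
            results.status = self.LiefAnalyzerResult.SUCCESS
            results.results = response
    except Exception as e:
        results.status = self.LiefAnalyzerResult.ERROR
        # keep the message in ``results`` for existing consumers and also
        # expose it in ``error``, consistently with the other probes
        results.results = str(e)
        results.error = str(e)
    return results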
def run(self, paths):
    """Run the bound antivirus module on one file and report a PluginResult.

    Args:
        paths: location of the sample to scan. Exactly one path is
            accepted; a tuple, list or set raises ``NotImplementedError``.

    Returns:
        A ``PluginResult`` carrying the module version, one metadata entry
        per signature-database file in ``database`` (``None`` when the
        module declares no database), the scanner status (negative means
        failure, in which case ``error`` holds the scanner output, otherwise
        ``results`` does), the scan ``duration`` and the module's
        ``virus_database_version``. Any exception during the scan yields
        ``status == -1`` with the message in ``error``.

    Raises:
        AssertionError: no antivirus module is bound to this plugin.
        NotImplementedError: several paths were given at once.
    """
    assert self.module
    if isinstance(paths, (tuple, list, set)):
        raise NotImplementedError(
            "Scanning of multiple paths at once is not supported for now")
    # the module is driven with the string form of the path throughout
    sample = str(Path(paths))
    av = self.module
    plugin_cls = type(self)
    report = PluginResult(name=plugin_cls.plugin_display_name,
                          type=plugin_cls.plugin_category,
                          version=av.version)
    try:
        # add database metadata
        report.database = None
        if av.database:
            report.database = dict(
                (str(db_file), self.file_metadata(db_file))
                for db_file in av.database)
        # launch an antivirus scan, automatically append scan results
        t_start = timestamp(datetime.utcnow())
        report.status = av.scan(sample)
        report.duration = timestamp(datetime.utcnow()) - t_start
        scan_output = av.scan_results[sample]
        # add scan results or append error
        if report.status < 0:
            report.error = scan_output
        else:
            report.results = scan_output
        # Add virus_database_version metadata
        report.virus_database_version = av.virus_database_version
    except Exception as e:
        report.status = -1
        report.error = str(e)
    return report