]) flowtab.add_row(["", ""]) if flow["scan"]["yara"]: if hasattr(flow["scan"]["yara"], "cts") and flow["scan"]["yara"]["cts"]: ctsmatches = [] for entry in flow["scan"]["yara"]["cts"]: ctsmatches.append(entry["rule"]) flowtab.add_row( ["CTS Yara Matches", "\n".join(ctsmatches)]) if hasattr(flow["scan"]["yara"], "stc") and flow["scan"]["yara"]["stc"]: stcmatches = [] for entry in flow["scan"]["yara"]["stc"]: stcmatches.append(entry["rule"]) flowtab.add_row( ["STC Yara Matches", "\n".join(stcmatches)]) flowtab.add_row(["", ""]) result = flowtab.get_string() if result != "": summarytab.add_row(["Flows", result]) result = summarytab.get_string() if result != "": print "\nPcap Summary:\n%s" % (result) Manager().register_plugin(pcapsummary)
import os
current_dir = os.path.abspath(os.path.dirname(__file__))
root_dir = os.path.normpath(os.path.join(current_dir, ".."))
# Put the project root first on sys.path so the package imports resolve.
# NOTE(review): position 0 means anything dropped into root_dir shadows a
# same-named stdlib / site-packages module for the whole interpreter.
sys.path.insert(0, root_dir)


class template(PluginInterface):
    """Skeleton plugin: copy this file and fill in ``run`` to add a new plugin.

    ``name``/``enabled`` are class attributes (presumably read by the plugin
    manager); the ``details`` record built in ``__init__`` carries the
    plugin metadata.
    """
    name = "template"
    enabled = True

    def __init__(self):
        meta = utils.objdict({})
        meta.name = self.name
        meta.description = "Plugin template to be used for creating new plugins"
        # Only samples whose mimetype is listed here are handled by run().
        meta.mimetypes = ["application/x-dosexec"]
        meta.author = "@author"
        meta.version = "0.01"
        meta.date = "15/OCT/2015"
        meta.path = ("" if __file__ is None else os.path.abspath(__file__))
        self.details = meta

    def run(self, report):
        """Per-sample entry point; the template deliberately does nothing.

        :param report: analysis report; only ``report.meta.filemimetype`` is read.
        :returns: None
        """
        wanted = self.details["mimetypes"]
        handled = bool(wanted) and report.meta.filemimetype in wanted
        if handled:
            # a real plugin does its work here
            pass
        return


Manager().register_plugin(template)
whitelisttab.align["Source"] = "l" whitelisttab.add_row( ["NSRL", report.pe.scan.whitelist["nsrl"]]) whitelisttab.add_row( ["Mandiant", report.pe.scan.whitelist["mandiant"]]) result = whitelisttab.get_string(sortby="Whitelisted", reversesort=True) if result != "": tab.add_row(["Whitelist", result]) tab.add_row(["", ""]) if report.pe.scan.yara: yaratab = PrettyTable(["Rules"]) yaratab.border = borderflag yaratab.header = headerflag yaratab.padding_width = padwidth yaratab.align["Rules"] = "l" for rulename in report.pe.scan.yara.keys(): yaratab.add_row([rulename]) result = yaratab.get_string(sortby="Rules", reversesort=False) if result != "": tab.add_row(["Yara", result]) result = tab.get_string() if result != "": print "\nScan Results:\n%s" % result Manager().register_plugin(pesummary)
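self.details.name = self.name
self.details.description = "Extract overlay data into report directory"
self.details.mimetypes = ["application/x-dosexec"]
self.details.author = "@7h3rAm"
self.details.version = "0.01"
self.details.date = "19/OCT/2015"
self.details.path = ("" if __file__ is None else os.path.abspath(__file__))

def run(self, report):
    """Carve the PE overlay into ``<currreportpath>/<currreportfile>.overlay``.

    Runs only when the sample's mimetype is one this plugin handles and the
    static PE analysis reports a non-empty overlay; otherwise nothing is
    written.  The carve is always written as raw bytes.

    :param report: analysis report; reads ``report.meta``,
        ``report.pe.static.overlay`` and ``report.misc.config``.
    :returns: None
    """
    accepted = self.details["mimetypes"]
    if not accepted or report.meta.filemimetype not in accepted:
        return
    overlay = report.pe.static.overlay
    if not overlay or not overlay.size:
        return
    offset, size = overlay.offset, overlay.size
    # A negative offset would have made the old slice wrap around from the
    # end of the file and carve unrelated bytes; a negative size would make
    # read() return the rest of the file.  Treat both as "no overlay".
    if offset < 0 or size < 0:
        return
    # Read just the overlay region instead of slurping the whole sample; a
    # range past EOF simply yields fewer bytes, as the slice did.
    with open(report.meta.filename, "rb") as fo:
        fo.seek(offset)
        data = fo.read(size)
    cfg = report.misc.config
    # NOTE(review): currreportfile is used as-is; if it derives from the
    # sample's original filename, a name containing path separators could
    # place the carve outside currreportpath — confirm the caller sanitises it.
    target = "%s/%s.overlay" % (cfg.currreportpath, cfg.currreportfile)
    # Always write raw bytes: the carve is a byte range of a binary file, and
    # text mode ("w", chosen before when the overlay mimetype looked like
    # text) newline-translates on Windows and silently changes the artefact's
    # hash.
    fileutils.file_save(filename=target, data=data, mode="wb")
    return

Manager().register_plugin(extractoverlay)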
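self.details.author = "@7h3rAm"
self.details.version = "0.01"
self.details.date = "19/OCT/2015"
self.details.path = ("" if __file__ is None else os.path.abspath(__file__))

def run(self, report):
    """Carve the Authenticode signature blob into ``<currreportfile>.der``.

    Runs only when the sample's mimetype is one this plugin handles and the
    static PE analysis recorded an authenticode entry with a positive offset
    and size; otherwise nothing is written.

    :param report: analysis report; reads ``report.meta``,
        ``report.pe.static.authenticode`` and ``report.misc.config``.
    :returns: None
    """
    accepted = self.details["mimetypes"]
    if not accepted or report.meta.filemimetype not in accepted:
        return
    authenticode = report.pe.static.authenticode
    if not authenticode:
        return
    offset, size = authenticode.offset, authenticode.size
    if offset <= 0 or size <= 0:
        return
    # Read just the signature region instead of the whole sample; a range
    # past EOF yields fewer bytes, as the old slice did.
    with open(report.meta.filename, "rb") as fo:
        fo.seek(offset)
        blob = fo.read(size)
    cfg = report.misc.config
    target = "%s/%s.der" % (cfg.currreportpath, cfg.currreportfile)
    # NOTE(review): if offset/size come straight from the PE security
    # directory entry, the blob starts with the 8-byte WIN_CERTIFICATE header
    # (dwLength/wRevision/wCertificateType) ahead of the PKCS#7 SignedData,
    # so tools expecting plain DER need that header stripped — confirm where
    # the recorded offset points.
    #
    # Always write raw bytes.  The previous code sniffed the carve's mimetype
    # and fell back to text mode when it looked like text, which on Windows
    # newline-translates the signature and breaks verification.
    fileutils.file_save(filename=target, data=blob, mode="wb")
    return

Manager().register_plugin(extractauthenticode)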
# Presumably the last statement of a per-rule loop whose head is outside
# this view: one row per yara match (rule name, description, tags).
yaratab.add_row([rulename, desc, tags])
# NOTE(review): as extracted, the three replace() calls below are identity
# no-ops ("<" -> "<", ">" -> ">", "&" -> "&").  If the original arguments
# were the HTML entities ("&lt;", "&gt;", "&amp;"), this chain undoes the
# escaping PrettyTable applies to cell text, and a rule description or tag
# containing markup would land in the report page verbatim (HTML/script
# injection into the report).  Keep PrettyTable's escaping and rewrite only
# the <table> wrappers — confirm against the original source.
normalizeddata = yaratab.get_html_string(
    sortby="Rule", reversesort=False
).replace("<", "<").replace(">", ">").replace(
    "&", "&"
).replace(
    # close the bootstrap panel/row/column wrappers opened below
    "</table>", "</table></div></div></div></div>"
).replace(
    "<table>", "<div class='panel panel-info'>\n<div class='panel-heading'><strong>Yara</strong></div>\n<div class='panel-body'>\n<div class='row'>\n<div class='col-md-12'>\n<table class='table table-condensed table-hover table-striped'>"
)
htmldata += "%s\n" % (normalizeddata)
htmldata += "%s" % (htmlends)
# Turn the first cell of every row into a header cell: the pattern matches
# "<tr>", the whitespace after it, then the first "<td>...</td>".  This must
# run before the <td> rewrite below.
thregex = re.compile(r"<tr>(\s+)<td>(.*)</td>")
htmldata = thregex.sub(r"<tr>\1<th class='col-md-2'>\2</th>", htmldata)
# Tag every remaining cell.  "(.*)" is greedy but does not cross newlines
# (no DOTALL), so it spans several cells only if PrettyTable ever emits more
# than one <td> on a line.
tdregex = re.compile(r"<td>(.*)</td>")
normalizedhtmldata = tdregex.sub(
    r"<td class='highlight_def'>\1</td>", htmldata)
# The report page is text, so text mode is appropriate here.
fileutils.file_save(filename="%s/%s.html" % (report.misc.config.currreportpath, report.misc.config.currreportfile), data="%s" % (normalizedhtmldata), mode="w")

Manager().register_plugin(pehtml)
def run(self, report):
    """Dump the sample's visualisations into the report directory.

    Writes ``<currreportfile>.pnggray``, ``.pngrgb`` and ``.bfh`` — plus
    ``.identicon`` when one is present — next to the report, all as raw
    bytes.  The PNG and identicon payloads are base64 in the report and are
    decoded first; the byte-frequency histogram is written as stored.  Does
    nothing unless ``enablefilevisualization`` is set and
    ``report.meta.visual`` is populated.

    :param report: analysis report; reads ``report.misc.config`` and
        ``report.meta.visual``.
    :returns: None
    """
    cfg = report.misc.config
    if not (cfg.enablefilevisualization and report.meta.visual):
        return
    visual = report.meta.visual

    def emit(suffix, payload):
        # every artefact goes to <currreportpath>/<currreportfile>.<suffix>
        fileutils.file_save(
            filename="%s/%s.%s" % (cfg.currreportpath, cfg.currreportfile, suffix),
            data=payload,
            mode="wb")

    emit("pnggray", utils.from_base64(visual.pnggray))
    emit("pngrgb", utils.from_base64(visual.pngrgb))
    emit("bfh", visual.bytefreqhistogram)
    if visual.identicon:
        emit("identicon", utils.from_base64(visual.identicon))
    return


Manager().register_plugin(extractvisual)
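def __init__(self):
    """Describe the plugin; ``mimetypes`` is None, i.e. not restricted by mimetype."""
    self.details = utils.objdict({})
    self.details.name = self.name
    self.details.description = "Extract all subfiles into report directory"
    # None (rather than a list) means run() is not limited to particular mimetypes.
    self.details.mimetypes = None
    self.details.author = "@7h3rAm"
    self.details.version = "0.01"
    self.details.date = "19/OCT/2015"
    self.details.path = ("" if __file__ is None else os.path.abspath(__file__))

def run(self, report):
    """Carve every embedded subfile into ``<currreportpath>/<currreportfile>_<sha256>``.

    Only runs when more than one subfile was recorded (presumably the first
    entry describes the container itself — TODO confirm); entries with a
    non-positive offset or size are skipped.  Every carve is written as raw
    bytes.

    :param report: analysis report; reads ``report.meta.subfiles``,
        ``report.meta.filename`` and ``report.misc.config``.
    :returns: None
    """
    subfiles = report.meta.subfiles
    if not subfiles or len(subfiles) <= 1:
        return
    # One read serves all carves; each subfile is a byte range of the sample.
    with open(report.meta.filename, "rb") as fo:
        filedata = fo.read()
    cfg = report.misc.config
    for entry in subfiles:
        offset, size = entry["offset"], entry["size"]
        if offset <= 0 or not size or size <= 0:
            continue
        # NOTE(review): a range running past EOF is silently truncated by the
        # slice, so the carve would not match the sha256 in its name unless
        # that hash was computed over the same truncated bytes — confirm
        # upstream.
        target = "%s/%s_%s" % (cfg.currreportpath, cfg.currreportfile,
                               entry["hashes"]["sha256"])
        # Always write raw bytes: the text mode ("w") previously chosen when
        # the mimetype contained "text" newline-translates the carve on
        # Windows and changes its hash, and `"text" in entry["mimetype"]`
        # would raise if the mimetype were None.
        fileutils.file_save(filename=target,
                            data=filedata[offset:offset + size],
                            mode="wb")
    return

Manager().register_plugin(extractsubfiles)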
# NOTE(review): the values in this table come from the capture, i.e. from
# whichever peer produced the packets, so they must reach the HTML report
# escaped.  As extracted, the three replace() calls after the <br> strip are
# identity no-ops ("<" -> "<", ">" -> ">", "&" -> "&"); if the original
# arguments were the HTML entities ("&lt;", "&gt;", "&amp;"), the chain undoes
# PrettyTable's escaping and markup embedded in a flow field would render
# verbatim when the report is opened (HTML/script injection into the
# report).  Confirm against the original source and keep the escaping.
normalizeddata = flowtab.get_html_string().replace(
    # drops one fixed-length run of <br> tags (presumably a padding artefact
    # of how empty flow cells render); runs of any other length survive
    "<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>", ""
).replace("<", "<").replace(">", ">").replace(
    "&", "&"
).replace(
    # close the bootstrap panel/row/column wrappers opened below
    "</table>", "</table></div></div></div></div>"
).replace(
    # count=1: only the first <table> gets the panel header; its badge
    # carries the number of parsed flows
    "<table>", "<div class='panel panel-info'>\n<div class='panel-heading'><strong>Flow Stats</strong> <span class='badge'>%d</span></div>\n<div class='panel-body'>\n<div class='row'>\n<div class='col-md-12'>\n<table class='table table-condensed table-hover table-striped'>" % (len(report.pcap.parsed.flows)), 1)
htmldata += "%s\n" % (normalizeddata)
htmldata += "%s" % (htmlends)
# Turn the first cell of every row into a header cell: the pattern matches
# "<tr>", the whitespace after it, then the first "<td>...</td>".  This must
# run before the <td> rewrite below.
thregex = re.compile(r"<tr>(\s+)<td>(.*)</td>")
htmldata = thregex.sub(r"<tr>\1<th class='col-md-2'>\2</th>", htmldata)
# Tag every remaining cell.  "(.*)" is greedy but does not cross newlines
# (no DOTALL), so it spans several cells only if PrettyTable ever emits more
# than one <td> on a line.
tdregex = re.compile(r"<td>(.*)</td>")
normalizedhtmldata = tdregex.sub(
    r"<td class='highlight_def'>\1</td>", htmldata)
# The report page is text, so text mode is appropriate here.
fileutils.file_save(filename="%s/%s.html" % (report.misc.config.currreportpath, report.misc.config.currreportfile), data="%s" % (normalizedhtmldata), mode="w")

Manager().register_plugin(pcaphtml)