def test_parsers_descriptions(make_sample_parser): registry.clear() parser_path, config_path = make_sample_parser() source = os.path.abspath(str(parser_path.dirname)) mwcp.register_parser_directory(source, config_file_path=str(config_path)) # Test bogus descriptions = list(mwcp.get_parser_descriptions('bogus')) assert descriptions == [] # Test config only descriptions = list(mwcp.get_parser_descriptions()) assert descriptions == [('Sample', source, 'Mr. Tester', 'A test parser')] descriptions = list(mwcp.get_parser_descriptions('Sample')) assert descriptions == [('Sample', source, 'Mr. Tester', 'A test parser')] descriptions = list(mwcp.get_parser_descriptions(source=source)) assert descriptions == [('Sample', source, 'Mr. Tester', 'A test parser')] # Test all non-config only descriptions = list( mwcp.get_parser_descriptions('Sample', config_only=False)) assert descriptions == [('Sample', source, 'Mr. Tester', 'A test parser')] descriptions = list(mwcp.get_parser_descriptions(config_only=False)) assert descriptions == [ ('Sample', source, 'Mr. Tester', 'A test parser'), ('Sample.Downloader', source, '', 'TestParser Downloader'), ('Sample.Implant', source, '', 'TestParser Implant'), ] descriptions = list( mwcp.get_parser_descriptions('Sample.Downloader', config_only=False)) assert descriptions == [('Sample.Downloader', source, '', 'TestParser Downloader')] descriptions = list( mwcp.get_parser_descriptions(source=source, config_only=False)) assert descriptions == [ ('Sample', source, 'Mr. Tester', 'A test parser'), ('Sample.Downloader', source, '', 'TestParser Downloader'), ('Sample.Implant', source, '', 'TestParser Implant'), ] # Test using ":" syntax descriptions = list( mwcp.get_parser_descriptions(':Sample', config_only=False)) assert descriptions == [('Sample', source, 'Mr. Tester', 'A test parser')] descriptions = list( mwcp.get_parser_descriptions(source + ':', config_only=False)) assert descriptions == [ ('Sample', source, 'Mr. Tester', 'A test parser'), ('Sample.Downloader', source, '', 'TestParser Downloader'), ('Sample.Implant', source, '', 'TestParser Implant'), ]
def test_parsers_descriptions(monkeypatch, test_parser): monkeypatch.setattr('mwcp.parsers._PARSERS', collections.defaultdict(dict)) mwcp.register_parser_directory(os.path.dirname(test_parser)) descriptions = list(mwcp.get_parser_descriptions('test_parser')) assert len(descriptions) == 1 assert descriptions[0] == ('test_parser', os.path.dirname(test_parser), 'Mr. Tester', 'A test parser')
def list_(all_, json_): """Lists registered malware config parsers.""" descriptions = mwcp.get_parser_descriptions(config_only=not all_) if json_: print(json.dumps(descriptions, indent=4)) else: print(tabulate.tabulate(descriptions, headers=['NAME', 'SOURCE', 'AUTHOR', 'DESCRIPTION']))
def list_(all_, json_): """Lists registered malware config parsers.""" descriptions = mwcp.get_parser_descriptions(config_only=not all_) if json_: print(json.dumps(descriptions, indent=4)) else: print(tabulate.tabulate(descriptions, headers=["NAME", "SOURCE", "AUTHOR", "DESCRIPTION"]))
def _print_parsers(json_output=False, config_only=True): """ Prints a table of registered parsers to stdout. :param json_output: Print json :param config_only: Whether to only print parsers listed in configuration file. """ descriptions = mwcp.get_parser_descriptions(config_only=config_only) if json_output: print(json.dumps(descriptions, indent=4)) else: print(tabulate.tabulate(descriptions, headers=['NAME', 'SOURCE', 'AUTHOR', 'DESCRIPTION']))
def descriptions(): """ List descriptions of parser modules """ try: response.content_type = "application/json" return json.dumps(mwcp.get_parser_descriptions(), indent=4) except Exception: output = {'errors': [traceback.format_exc()]} logger.error("descriptions %s" % (traceback.format_exc())) return output
def descriptions(): """ List descriptions of parser modules. This is for backwards compatibility purposes. Always a JSON response. """ return f.jsonify( [ (parser_info.name, parser_info.author, parser_info.description) for parser_info in mwcp.get_parser_descriptions() ] )
def _print_parsers(json_output=False, config_only=True): """ Prints a table of registered parsers to stdout. :param json_output: Print json :param config_only: Whether to only print parsers listed in configuration file. """ descriptions = mwcp.get_parser_descriptions(config_only=config_only) if json_output: print(json.dumps(descriptions, indent=4)) else: print( tabulate.tabulate( descriptions, headers=['NAME', 'SOURCE', 'AUTHOR', 'DESCRIPTION']))
def descriptions(): """ List descriptions of parser modules """ try: response.content_type = "application/json" reporter = mwcp.Reporter(base64outputfiles=True, disableoutputfiles=True, parserdir=PARSERDIR) return json.dumps(mwcp.get_parser_descriptions(), indent=4) except Exception: output = {'errors': [traceback.format_exc()]} logger.error("descriptions %s" % (traceback.format_exc())) return output
def _print_parsers(json_output=False): """ Prints a table of registered parsers to stdout. :param json_output: Print json """ descriptions = mwcp.get_parser_descriptions() if json_output: print(json.dumps(descriptions, indent=4)) else: # TODO: Use a library like tabulate to print this. format = '%-25s %-50s %-15s %s' print(format % ('NAME', 'SOURCE', 'AUTHOR', 'DESCRIPTION')) print('-' * 150) for name, source, author, description in descriptions: print(format % (name, source, author, description))
def load_mwcp_parsers() -> Tuple[Dict[str, str], ModuleType]: if not process_cfg.mwcp.enabled: return {}, False # Import All config parsers try: import mwcp logging.getLogger("mwcp").setLevel(logging.CRITICAL) mwcp.register_parser_directory( os.path.join(CUCKOO_ROOT, process_cfg.mwcp.modules_path)) _malware_parsers = { block.name.rsplit(".", 1)[-1]: block.name for block in mwcp.get_parser_descriptions(config_only=False) } assert "MWCP_TEST" in _malware_parsers return _malware_parsers, mwcp except ImportError as e: log.info("Missed MWCP -> pip3 install mwcp\nDetails: %s", e) return {}, False
def parsers_list(): """ List of configured parsers with names, sources, authors, and descriptions. Normally an HTML table, but if `application/json` is the best mimetype set in the `Accept` header, the response will be in JSON. """ name_filter = f.request.args.get("name", type=str) source_filter = f.request.args.get("source", type=str) headers = ("Name", "Source", "Author", "Description") parsers_info = mwcp.get_parser_descriptions(name=name_filter, source=source_filter) if f.request.accept_mimetypes.best == "application/json": return f.jsonify( {"parsers": [parser_info._asdict() for parser_info in parsers_info]} ) f.g.title = "Parsers" return f.render_template("parsers.html", headers=headers, parsers=parsers_info)
# first, import mwcp import mwcp # create an instance of the Reporter class reporter = mwcp.Reporter() """ The Reporter object is the primary DC3-MWCP framework object, containing most input and output data and controlling execution of the parser modules. The most common parameters to provide are parserdir and resourcedir, depending upon your installation. """ # view location of resource and parser directories print(reporter.parserdir) # view available parsers print(mwcp.get_parser_descriptions()) # run the dummy config parser, view the output reporter.run_parser("foo", "README.md") # alternate, run on provided buffer: reporter.run_parser("foo", data=b"lorem ipsum") # Print results. reporter.print_report() # access output files for filename in reporter.outputfiles: print("%s: %i bytes" % (reporter.outputfiles[filename]['path'], len(reporter.outputfiles[filename]['data'])))
def parsers(): yield mwcp.get_parser_descriptions()
import tempfile import hashlib import subprocess from io import BytesIO from collections import Mapping, Iterable from lib.cuckoo.common.config import Config from lib.cuckoo.common.constants import CUCKOO_ROOT from lib.cuckoo.common.objects import CAPE_YARA_RULEPATH, File malware_parsers = {} #Import All config parsers try: import mwcp mwcp.register_parser_directory(os.path.join(CUCKOO_ROOT, "modules", "processing", "parsers", "mwcp")) malware_parsers = {block.name.split(".")[-1]:block.name for block in mwcp.get_parser_descriptions(config_only=False)} HAS_MWCP = True #disable logging #[mwcp.parser] WARNING: Missing identify() function for: a35a622d01f83b53d0407a3960768b29.Emotet.Emotet except ImportError as e: HAS_MWCP = False print("Missed MWCP -> pip3 install git+https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP\nDetails: {}".format(e)) try: from malwareconfig import fileparser from malwareconfig.modules import __decoders__, __preprocessors__ HAS_MALWARECONFIGS = True except ImportError: HAS_MALWARECONFIGS = False print("Missed RATDecoders -> pip3 install git+https://github.com/kevthehermit/RATDecoders")
from lib.cuckoo.common.config import Config from lib.cuckoo.common.constants import CUCKOO_ROOT from lib.cuckoo.common.objects import CAPE_YARA_RULEPATH, File log = logging.getLogger(__name__) malware_parsers = dict() cape_malware_parsers = dict() #Import All config parsers try: import mwcp mwcp.register_parser_directory( os.path.join(CUCKOO_ROOT, "modules", "processing", "parsers", "mwcp")) malware_parsers = { block.name.split(".")[-1]: block.name for block in mwcp.get_parser_descriptions(config_only=False) } HAS_MWCP = True #disable logging #[mwcp.parser] WARNING: Missing identify() function for: a35a622d01f83b53d0407a3960768b29.Emotet.Emotet except ImportError as e: HAS_MWCP = False log.info( "Missed MWCP -> pip3 install git+https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP\nDetails: {}" .format(e)) try: from malwareconfig import fileparser from malwareconfig.modules import __decoders__, __preprocessors__ HAS_MALWARECONFIGS = True
def upload(): """Upload page""" f.g.title = "Upload" parsers_info = mwcp.get_parser_descriptions() return f.render_template("upload.html", parsers=parsers_info)