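def extract_lzma(buf, fname, res_dir):
    """Decompress the LZMA payload in *buf* and write it to ``res_dir + fname``.

    The first 13 bytes of *buf* are consumed as a header: 1 byte of stream
    properties, a 4-byte dictionary size and an 8-byte length (this is the
    LZMA-alone layout, the one with an uncompressed-size field).
    ``pylzma.decompress_compat`` expects only the 5 leading bytes, so the header
    is re-packed little-endian without the length field and prepended to the
    payload that starts at offset 13.

    :param buf: raw bytes, header followed by the compressed payload
    :param fname: output file name, appended to *res_dir* verbatim
    :param res_dir: output directory prefix; plain string concatenation is
        used, so it must already end with a path separator
    :return: None
    """
    header = Buffer(buf)
    stream_prop = header.GetByte()
    dico_size = header.GetDword()
    header.GetQword()  # 8-byte length field: read past it, decompress_compat does not take it
    new_head = struct.pack("<B", stream_prop) + struct.pack("<I", dico_size)
    # NOTE(review): fname is not sanitised here; if it can originate from the
    # parsed input, the caller must make sure it carries no path components.
    # The original left the file handle open (open(...).write(...)); a context
    # manager guarantees it is flushed and closed even when decompression fails.
    with open(res_dir + fname, "wb") as out:
        out.write(pylzma.decompress_compat(new_head + buf[13:]))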
def decompress(f, rename_to=None):
    """
    Decompress a compressed file by the extension.
    Only supports .7z and .zip files.

    ``.7z`` inputs are handed to ``pylzma.decompress_compat`` with header
    bytes 5-12 cut out (the 8-byte size field of an LZMA-alone header, which
    the "compat" entry point does not accept) and the output is written to
    *rename_to*, or to *f* with its extension stripped.  ``.zip`` inputs are
    extracted next to the archive; *rename_to* plays no role in that branch.

    :type f: str
    :param f: Full path to file
    :type rename_to: str or None
    :param rename_to: Output path used by the ``.7z`` branch only
    :return: the written path (``.7z``); the single extracted path, or the
        list of extracted paths when the archive holds several members (``.zip``)
    :raises ValueError: if the extension of *f* is not ``.7z`` or ``.zip``
    """
    supported = ['.7z', '.zip']
    stem, ext = os.path.splitext(f)
    if ext not in supported:
        raise ValueError("f extension must be one of %s" % supported)
    out_path = stem if rename_to is None else rename_to

    if ext == '.7z':
        with open(f, "rb") as src:
            cdata = src.read()
        with open(out_path, 'wb') as dst:  # pylint: disable=E1101
            dst.write(pylzma.decompress_compat(cdata[0:5] + cdata[13:]))
        return out_path

    # ext == '.zip' is the only other value that passed the check above
    with zipf.ZipFile(f) as archive:
        target_dir = os.path.dirname(f)
        archive.extractall(target_dir)
        extracted = [os.path.join(target_dir, member) for member in archive.namelist()]
    return extracted[0] if len(extracted) == 1 else extracted
def test_compression_decompression_noeos(self):
    # Round-trip random buffers of 1, 2, 4, ... 2**17 bytes through
    # compress(eos=0) and decompress_compat and compare MD5 digests.
    # The decoded output is cut back to the input size before hashing —
    # presumably because a stream without an end-of-stream marker can
    # decode to more bytes than were put in (see the [:size] slice).
    for exponent in range(18):
        size = 2 ** exponent
        original = generate_random(size)
        compressed = pylzma.compress(original, eos=0)
        result = pylzma.decompress_compat(compressed)[:size]
        self.assertEqual(md5(original).hexdigest(), md5(result).hexdigest())
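# (label, compiled pattern) pairs tried against an HTTP GET request.  Each
# pattern is evaluated independently, so one request can print several labels.
_GET_SIGNATURES = [
    # Angler
    ("Angler GET", re.compile(r'(GET /.{1,25}/index.php\?PHPSESSID=.{1,6}&action=.{12}.{1,512})\r\n\r\n', re.S)),
    ("Angler GET", re.compile(r'(GET .{0,100}/.{1,25}/viewtopic.php\?t=.{1,6}&f=.{12}.{1,512})\r\n\r\n', re.S)),
    ("Angler GET", re.compile(r'(GET .{0,100}/.{1,25}/viewforum.php\?f=.{1,6}&sid=.{12}.{1,512})\r\n\r\n', re.S)),
    ("Angler GET", re.compile(r'(GET .{0,100}/.{1,25}/search.php\?keywords=.{1,6}&fid0=.{12}.{1,512})\r\n\r\n', re.S)),
    ("Angler GET", re.compile(r'(GET .{0,100}/topic/[0-9]{4,12}(-[a-z]{3,20}){3,10}/ HTTP.{1,512})\r\n\r\n', re.S)),
    # RIG
    ("RIG GET", re.compile(r'(GET .{0,100}/\?[a-zA-Z0-9]{15}=[a-zA-Z0-9_-]{100,200} HTTP.{1,512})\r\n\r\n', re.S)),
    # EITest gate
    ("EItest GET", re.compile(r'(GET /[a-z0-9\-]{80,150}/[a-z]{1,20}\.html HTTP.{1,512})\r\n\r\n', re.S)),
    # Magnitude
    ("Magnitude GET", re.compile(r'(GET .{0,100}/\?[a-z0-9]{38} HTTP.{1,512})\r\n\r\n', re.S)),
    # Neutrino
    ("Neutrino GET", re.compile(r'(GET.{1,512}Media Center PC 6\.0; rv.{1,100})\r\n\r\n', re.S)),
]

# (label, compiled pattern) pairs tried against anything that is neither a
# compressed SWF nor a GET request (an uncompressed FWS file, an HTML page, ...).
_PAGE_SIGNATURES = [
    # AfraidGate
    ("AfraidGate", re.compile(r'^(document\.write\(.{200,400}i\'\+\'frame.{5,20}\))', re.S)),
    # Pseudo Darkleech
    ("Psuedo Darkleech", re.compile(r'(<span id=\".{1,20} style=\"display:none\">).{3000,10000}</span>', re.S)),
]


def _report_matches(signatures, data, name):
    """Print ``label name`` and the captured group for every signature hitting *data*.

    :param signatures: iterable of (label, compiled regex) pairs
    :param data: the bytes to scan
    :param name: label printed next to each hit, typically the file name
    :return: None
    """
    for label, pattern in signatures:
        search = pattern.search(data)
        if search:
            print label, name
            print search.group(1)


def ParseFile(data, name):
    """Classify one captured object and print every detection for it.

    Steps:
      * run the rules in ``rules.yr`` over *data* and print each hit;
      * a compressed SWF (``CWS`` = zlib, ``ZWS`` = lzma) is inflated into an
        ``FWS`` stream and ParseFile is called again on the result;
      * an HTTP request (``GET``) is checked against ``_GET_SIGNATURES``;
      * anything else is checked against ``_PAGE_SIGNATURES``.

    :param data: raw bytes of the object (Python 2 str)
    :param name: label printed next to every hit, typically the file name
    :return: None
    """
    # NOTE: rules.yr is recompiled on every call, including the recursive one
    # made after decompression.
    rule = yara.compile("rules.yr")
    matches = rule.match(data=data)
    if len(matches) > 0:
        for hit in matches['main']:
            print name, hit['rule']

    magic = data[:3]
    if magic == 'CWS':
        # zlib compressed SWF: keep header bytes 3-7, swap the magic for 'FWS'
        # and inflate the rest.  No cap is placed on the inflated size.
        try:
            new = 'FWS' + data[3:8] + zlib.decompress(data[8:])
        except zlib.error:
            # The original reached ParseFile(new, name) with 'new' unbound
            # after a failed decompression; stop here instead.
            print "zlib error "
            return None
        return ParseFile(new, name)
    elif magic == 'ZWS':
        # lzma compressed SWF: bytes 8-11 are skipped before handing the
        # remainder to decompress_compat (presumably the compressed-length
        # field of the ZWS header — confirm against the SWF spec).
        try:
            new = 'FWS' + data[3:8] + pylzma.decompress_compat(data[12:])
        except Exception:
            # pylzma's exception type is not visible here; same fix as above.
            print "pylzma error "
            return None
        return ParseFile(new, name)
    elif magic == "GET":
        _report_matches(_GET_SIGNATURES, data, name)
    else:
        _report_matches(_PAGE_SIGNATURES, data, name)
    return None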
def test_decompression_noeos(self):
    # A stream lacking the end-of-stream marker must still decode, through
    # the compat entry point, to exactly the plain reference data.
    stream = self.plain_without_eos
    expected = self.plain
    self.assertEqual(pylzma.decompress_compat(stream), expected)