    def CreateSignatureScanner(cls, specification_store):
        """Builds a pysigscan scanner from every signature in the store.

        Each signature contributes its identifier, pattern and offset; the sign
        of the offset decides how pysigscan anchors the pattern (see the loop
        body).

        Args:
          specification_store (FormatSpecificationStore): format specifications
              whose signatures are registered with the scanner.

        Returns:
          pysigscan.scanner: scanner with all signatures registered.
        """
        scanner_object = pysigscan.scanner()

        # Flatten the two-level store lazily so the loop body reads as one pass.
        all_signatures = (
            signature
            for format_specification in specification_store.specifications
            for signature in format_specification.signatures)

        for signature in all_signatures:
            offset = signature.offset
            if offset is None:
                flags = pysigscan.signature_flags.NO_OFFSET
            elif offset < 0:
                # A negative offset counts back from the end of the data; pysigscan
                # wants that distance as a positive number plus the FROM_END flag.
                offset = -offset
                flags = pysigscan.signature_flags.RELATIVE_FROM_END
            else:
                flags = pysigscan.signature_flags.RELATIVE_FROM_START

            scanner_object.add_signature(
                signature.identifier, offset, signature.pattern, flags)

        return scanner_object
    def GetScanner(cls, specification_store):
        """Creates a pysigscan scanner populated from a specification store.

        Args:
          specification_store (FormatSpecificationStore): store whose format
              specifications supply the signatures to register.

        Returns:
          pysigscan.scanner: scanner with every stored signature registered.
        """
        def _anchor(offset):
            """Maps a signature offset to the (offset, flags) pair pysigscan expects."""
            if offset is None:
                return offset, pysigscan.signature_flags.NO_OFFSET
            if offset < 0:
                # Negative offsets are measured from the end; pysigscan takes the
                # magnitude together with RELATIVE_FROM_END.
                return offset * -1, pysigscan.signature_flags.RELATIVE_FROM_END
            return offset, pysigscan.signature_flags.RELATIVE_FROM_START

        scanner_object = pysigscan.scanner()

        for format_specification in specification_store.specifications:
            for signature in format_specification.signatures:
                pattern_offset, signature_flags = _anchor(signature.offset)
                scanner_object.add_signature(
                    signature.identifier, pattern_offset, signature.pattern,
                    signature_flags)

        return scanner_object
  def _GetScanner(cls, specification_store):
    """Builds a pysigscan scanner from the specification store.

    The scan buffer size is taken from the class-level ``_SCAN_BUFFER_SIZE``
    before any signature is registered.

    Args:
      specification_store (FormatSpecificationStore): store whose format
          specifications supply the signatures to register.

    Returns:
      pysigscan.scanner: scanner with every stored signature registered.
    """
    scanner_object = pysigscan.scanner()
    scanner_object.set_scan_buffer_size(cls._SCAN_BUFFER_SIZE)

    for format_specification in specification_store.specifications:
      for signature in format_specification.signatures:
        pattern_offset = signature.offset

        if pattern_offset is None:
          signature_flags = pysigscan.signature_flags.NO_OFFSET
        else:
          # A negative offset is anchored at the end of the data and handed to
          # pysigscan as a positive distance.
          from_end = pattern_offset < 0
          signature_flags = (
              pysigscan.signature_flags.RELATIVE_FROM_END if from_end
              else pysigscan.signature_flags.RELATIVE_FROM_START)
          if from_end:
            pattern_offset = abs(pattern_offset)

        scanner_object.add_signature(
            signature.identifier, pattern_offset, signature.pattern,
            signature_flags)

    return scanner_object
  def _GetSignatureScanner(cls, specification_store):
    """Creates a signature scanner from a specification store.

    The scanner's buffer size is set from the class-level ``_SCAN_BUFFER_SIZE``
    before signatures are registered.

    Args:
      specification_store (FormatSpecificationStore): specification store.

    Returns:
      pysigscan.scanner: signature scanner with every signature registered.
    """
    def _entries():
      """Yields (identifier, offset, pattern, flags) for each stored signature."""
      for format_specification in specification_store.specifications:
        for signature in format_specification.signatures:
          offset = signature.offset
          if offset is None:
            flags = pysigscan.signature_flags.NO_OFFSET
          elif offset < 0:
            # Measured from the end: pysigscan takes the magnitude plus the
            # RELATIVE_FROM_END flag.
            offset, flags = -offset, pysigscan.signature_flags.RELATIVE_FROM_END
          else:
            flags = pysigscan.signature_flags.RELATIVE_FROM_START
          yield signature.identifier, offset, signature.pattern, flags

    signature_scanner = pysigscan.scanner()
    signature_scanner.set_scan_buffer_size(cls._SCAN_BUFFER_SIZE)

    for entry in _entries():
      signature_scanner.add_signature(*entry)

    return signature_scanner
    def _GetScanner(self, specification_store, signature_identifiers):
        """Builds a scanner holding only the selected format specifications.

        Specifications whose identifier is not in ``signature_identifiers`` are
        skipped; the identifier of every specification that is loaded is
        appended to ``self._signature_identifiers``.

        Args:
          specification_store (FormatSpecificationStore): store whose format
              specifications supply the signatures.
          signature_identifiers (list[str]): identifiers of the specifications
              to register.

        Returns:
          pysigscan.scanner: scanner with the selected signatures registered.
        """
        scanner_object = pysigscan.scanner()

        for format_specification in specification_store.specifications:
            spec_identifier = format_specification.identifier
            if spec_identifier in signature_identifiers:
                for signature in format_specification.signatures:
                    offset = signature.offset
                    if offset is None:
                        flags = pysigscan.signature_flags.NO_OFFSET
                    elif offset < 0:
                        # Negative means "from the end"; pysigscan wants the
                        # magnitude with RELATIVE_FROM_END.
                        offset = -offset
                        flags = pysigscan.signature_flags.RELATIVE_FROM_END
                    else:
                        flags = pysigscan.signature_flags.RELATIVE_FROM_START

                    scanner_object.add_signature(
                        signature.identifier, offset, signature.pattern, flags)

                # Remember which specifications actually made it into the scanner.
                self._signature_identifiers.append(spec_identifier)

        return scanner_object
  def GetScanner(cls, specification_store):
    """Creates a signature scanner from a specification store.

    Args:
      specification_store (FormatSpecificationStore): specification store.

    Returns:
      pysigscan.scanner: signature scanner with every signature registered.
    """
    scanner_object = pysigscan.scanner()

    for format_specification in specification_store.specifications:
      for signature in format_specification.signatures:
        offset = signature.offset

        if offset is None:
          anchor = pysigscan.signature_flags.NO_OFFSET
        elif offset < 0:
          # A negative offset is measured from the end of the data; pysigscan
          # takes the positive distance together with RELATIVE_FROM_END.
          offset = -offset
          anchor = pysigscan.signature_flags.RELATIVE_FROM_END
        else:
          anchor = pysigscan.signature_flags.RELATIVE_FROM_START

        scanner_object.add_signature(
            signature.identifier, offset, signature.pattern, anchor)

    return scanner_object
    def _GetScanner(self, specification_store, signature_identifiers):
        """Builds a scanner from the specifications named in signature_identifiers.

        Specifications not listed in ``signature_identifiers`` are ignored. The
        identifier of each loaded specification is appended to
        ``self._signature_identifiers``.

        Args:
          specification_store (FormatSpecificationStore): store whose format
              specifications supply the signatures.
          signature_identifiers (list[str]): identifiers of the specifications
              to register.

        Returns:
          pysigscan.scanner: scanner with the selected signatures registered.
        """
        scanner_object = pysigscan.scanner()

        def _register(signature):
            """Adds one signature, translating its offset into pysigscan terms."""
            offset = signature.offset
            if offset is None:
                flags = pysigscan.signature_flags.NO_OFFSET
            elif offset < 0:
                # Negative offsets count back from the end; pysigscan expects the
                # magnitude plus RELATIVE_FROM_END.
                offset = -offset
                flags = pysigscan.signature_flags.RELATIVE_FROM_END
            else:
                flags = pysigscan.signature_flags.RELATIVE_FROM_START
            scanner_object.add_signature(
                signature.identifier, offset, signature.pattern, flags)

        for format_specification in specification_store.specifications:
            if format_specification.identifier not in signature_identifiers:
                continue

            for signature in format_specification.signatures:
                _register(signature)

            self._signature_identifiers.append(format_specification.identifier)

        return scanner_object
  def _GetSignatureScanner(cls, specification_store):
    """Creates a signature scanner from a specification store.

    The scan buffer size comes from the class-level ``_SCAN_BUFFER_SIZE``.

    Args:
      specification_store (FormatSpecificationStore): specification store.

    Returns:
      pysigscan.scanner: signature scanner with every signature registered.
    """
    def _anchor(offset):
      """Returns the (offset, flags) pair pysigscan expects for a signature offset."""
      if offset is None:
        return offset, pysigscan.signature_flags.NO_OFFSET
      if offset < 0:
        # Offsets below zero are measured from the end of the data.
        return -offset, pysigscan.signature_flags.RELATIVE_FROM_END
      return offset, pysigscan.signature_flags.RELATIVE_FROM_START

    signature_scanner = pysigscan.scanner()
    signature_scanner.set_scan_buffer_size(cls._SCAN_BUFFER_SIZE)

    for format_specification in specification_store.specifications:
      for signature in format_specification.signatures:
        pattern_offset, signature_flags = _anchor(signature.offset)
        signature_scanner.add_signature(
            signature.identifier, pattern_offset, signature.pattern,
            signature_flags)

    return signature_scanner
  def _GetSignatureScanner(self):
    """Builds a scanner from the fixed ``_SIGNATURES`` table.

    Every entry of ``self._SIGNATURES`` is an (identifier, offset, pattern)
    triple; all of them are anchored relative to the start of the data.

    Returns:
      pysigscan.scanner: signature scanner.
    """
    scanner_object = pysigscan.scanner()
    for entry in self._SIGNATURES:
      # entry unpacks as identifier, pattern_offset, pattern.
      scanner_object.add_signature(
          *entry, pysigscan.signature_flags.RELATIVE_FROM_START)

    return scanner_object
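    def SetScanner(self, signature_specifications):
        """Builds a pysigscan scanner from the specifications and stores it.

        Every signature of every format specification is registered. Note that
        the offset/flag handling and the ``add_signature`` call must stay inside
        the inner loop: with them dedented to the outer loop only the last
        signature of each specification was registered, and a specification
        without signatures left ``pattern_offset`` unbound (or stale from the
        previous specification).

        Args:
          signature_specifications: store exposing ``specifications``, each of
              which carries the ``signatures`` to register.

        Side effects:
          Sets ``self._scanner`` to the populated scanner.
        """
        scanner = pysigscan.scanner()

        for format_specification in signature_specifications.specifications:
            for signature in format_specification.signatures:
                pattern_offset = signature.offset

                if pattern_offset is None:
                    signature_flags = pysigscan.signature_flags.NO_OFFSET
                elif pattern_offset < 0:
                    # Negative offsets are measured from the end of the data;
                    # pysigscan takes the magnitude plus RELATIVE_FROM_END.
                    pattern_offset *= -1
                    signature_flags = pysigscan.signature_flags.RELATIVE_FROM_END
                else:
                    signature_flags = pysigscan.signature_flags.RELATIVE_FROM_START

                scanner.add_signature(
                    signature.identifier, pattern_offset, signature.pattern,
                    signature_flags)

        self._scanner = scanner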
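def main():
  """Registers a table of format signatures and scans a few sample buffers.

  A scanner is loaded with the signature table below and then asked to
  classify three buffers: the LNK header bytes, the REGF header bytes and a
  buffer that matches nothing. Each scan is checked through
  ``pysigscan_test_scan_buffer`` (a helper not shown here) against the
  expected list of identifiers.

  Returns:
    bool: True if every scan produced exactly the expected identifiers,
        False at the first mismatch.
  """
  RELATIVE_FROM_START = pysigscan.signature_flags.RELATIVE_FROM_START
  RELATIVE_FROM_END = pysigscan.signature_flags.RELATIVE_FROM_END

  evt_pattern = b"\x30\x00\x00\x00LfLe\x01\x00\x00\x00\x01\x00\x00\x00"
  lnk_pattern = (
      b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
      b"\x00\x00\x00\x46")
  nk2_pattern = b"\x0d\xf0\xad\xba\xa0\x00\x00\x00\x01\x00\x00\x00"
  olecf_pattern = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
  olecf_beta_pattern = b"\x0e\x11\xfc\x0d\xd0\xcf\x11\x0e"
  regf_pattern = b"regf"
  vhdi_pattern = b"conectix"

  signatures = [
      Signature("7z", 0, b"7z\xbc\xaf\x27\x1c", RELATIVE_FROM_START),
      Signature("esedb", 4, b"\xef\xcd\xab\x89", RELATIVE_FROM_START),
      Signature("evt", 0, evt_pattern, RELATIVE_FROM_START),
      Signature("evtx", 0, b"ElfFile\x00", RELATIVE_FROM_START),
      Signature("ewf_e01", 0, b"EVF\x09\x0d\x0a\xff\x00", RELATIVE_FROM_START),
      Signature("ewf_l01", 0, b"LVF\x09\x0d\x0a\xff\x00", RELATIVE_FROM_START),
      Signature("lnk", 0, lnk_pattern, RELATIVE_FROM_START),
      Signature("msiecf", 0, b"Client UrlCache MMF Ver ", RELATIVE_FROM_START),
      Signature("nk2", 0, nk2_pattern, RELATIVE_FROM_START),
      Signature("olecf", 0, olecf_pattern, RELATIVE_FROM_START),
      Signature("olecf_beta", 0, olecf_beta_pattern, RELATIVE_FROM_START),
      Signature("pff", 0, b"!BDN", RELATIVE_FROM_START),
      Signature("qcow", 0, b"QFI\xfb", RELATIVE_FROM_START),
      Signature("rar", 0, b"Rar!\x1a\x07\x00", RELATIVE_FROM_START),
      Signature("regf", 0, b"regf", RELATIVE_FROM_START),
      Signature("vhdi_header", 0, vhdi_pattern, RELATIVE_FROM_START),
      # The footer signature is anchored from the end of the data.
      Signature("vhdi_footer", 512, vhdi_pattern, RELATIVE_FROM_END),
      Signature("wtcdb_cache", 0, b"CMMM", RELATIVE_FROM_START),
      Signature("wtcdb_index", 0, b"IMMM", RELATIVE_FROM_START)]

  random_data = (
      b"\x01\xfa\xe0\xbe\x99\x8e\xdb\x70\xea\xcc\x6b\xae\x2f\xf5\xa2\xe4")

  scanner = pysigscan.scanner()

  for signature in signatures:
    scanner.add_signature(
        signature.identifier, signature.pattern_offset, signature.pattern,
        signature.flags)

  # TODO add test to set Unicode pattern.
  # TODO add test to set negative pattern offset.

  # (buffer, expected identifiers). The lnk case used to be listed twice with
  # identical inputs, which added no coverage; it appears once here.
  scan_cases = [
      (lnk_pattern, ["lnk"]),
      (regf_pattern, ["regf"]),
      (random_data, []),
  ]

  for scan_buffer, expected_scan_results in scan_cases:
    if not pysigscan_test_scan_buffer(
        scanner, scan_buffer, expected_scan_results):
      return False

  return True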
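def main():
  """Registers a table of format signatures and scans a few sample buffers.

  A scanner is loaded with the signature table below and then asked to
  classify three buffers: the LNK header bytes, the REGF header bytes and a
  buffer that matches nothing. Each scan is checked through
  ``pysigscan_test_scan_buffer`` (a helper not shown here) against the
  expected list of identifiers.

  Returns:
    bool: True if every scan produced exactly the expected identifiers,
        False at the first mismatch.
  """
  RELATIVE_FROM_START = pysigscan.signature_flags.RELATIVE_FROM_START
  RELATIVE_FROM_END = pysigscan.signature_flags.RELATIVE_FROM_END

  evt_pattern = b"\x30\x00\x00\x00LfLe\x01\x00\x00\x00\x01\x00\x00\x00"
  lnk_pattern = (
      b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
      b"\x00\x00\x00\x46")
  nk2_pattern = b"\x0d\xf0\xad\xba\xa0\x00\x00\x00\x01\x00\x00\x00"
  olecf_pattern = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
  olecf_beta_pattern = b"\x0e\x11\xfc\x0d\xd0\xcf\x11\x0e"
  regf_pattern = b"regf"
  vhdi_pattern = b"conectix"

  signatures = [
      Signature("7z", 0, b"7z\xbc\xaf\x27\x1c", RELATIVE_FROM_START),
      Signature("esedb", 4, b"\xef\xcd\xab\x89", RELATIVE_FROM_START),
      Signature("evt", 0, evt_pattern, RELATIVE_FROM_START),
      Signature("evtx", 0, b"ElfFile\x00", RELATIVE_FROM_START),
      Signature("ewf_e01", 0, b"EVF\x09\x0d\x0a\xff\x00", RELATIVE_FROM_START),
      Signature("ewf_l01", 0, b"LVF\x09\x0d\x0a\xff\x00", RELATIVE_FROM_START),
      Signature("lnk", 0, lnk_pattern, RELATIVE_FROM_START),
      Signature("msiecf", 0, b"Client UrlCache MMF Ver ", RELATIVE_FROM_START),
      Signature("nk2", 0, nk2_pattern, RELATIVE_FROM_START),
      Signature("olecf", 0, olecf_pattern, RELATIVE_FROM_START),
      Signature("olecf_beta", 0, olecf_beta_pattern, RELATIVE_FROM_START),
      Signature("pff", 0, b"!BDN", RELATIVE_FROM_START),
      Signature("qcow", 0, b"QFI\xfb", RELATIVE_FROM_START),
      Signature("rar", 0, b"Rar!\x1a\x07\x00", RELATIVE_FROM_START),
      Signature("regf", 0, b"regf", RELATIVE_FROM_START),
      Signature("vhdi_header", 0, vhdi_pattern, RELATIVE_FROM_START),
      # The footer signature is anchored from the end of the data.
      Signature("vhdi_footer", 512, vhdi_pattern, RELATIVE_FROM_END),
      Signature("wtcdb_cache", 0, b"CMMM", RELATIVE_FROM_START),
      Signature("wtcdb_index", 0, b"IMMM", RELATIVE_FROM_START)]

  random_data = (
      b"\x01\xfa\xe0\xbe\x99\x8e\xdb\x70\xea\xcc\x6b\xae\x2f\xf5\xa2\xe4")

  scanner = pysigscan.scanner()

  for signature in signatures:
    scanner.add_signature(
        signature.identifier, signature.pattern_offset, signature.pattern,
        signature.flags)

  # TODO add test to set Unicode pattern.
  # TODO add test to set negative pattern offset.

  # (buffer, expected identifiers). The lnk case used to be listed twice with
  # identical inputs, which added no coverage; it appears once here.
  scan_cases = [
      (lnk_pattern, ["lnk"]),
      (regf_pattern, ["regf"]),
      (random_data, []),
  ]

  for scan_buffer, expected_scan_results in scan_cases:
    if not pysigscan_test_scan_buffer(
        scanner, scan_buffer, expected_scan_results):
      return False

  return True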