def CreateSignatureScanner(cls, specification_store):
  """Creates a signature scanner for format specifications with signatures.

  Every signature of every format specification in the store is registered
  with a fresh pysigscan scanner. The signature offset decides how pysigscan
  anchors the pattern: None selects NO_OFFSET (presumably: match anywhere),
  a negative value is turned into its magnitude and registered as
  RELATIVE_FROM_END, a non-negative value is registered RELATIVE_FROM_START.

  NOTE(review): a hit from this scanner only means the bytes at the
  registered position equal a known magic value. For attacker-supplied data
  that is a format hint, not a guarantee the file is well-formed; callers
  should still parse defensively.

  Args:
    specification_store (FormatSpecificationStore): format specifications
        with signatures.

  Returns:
    pysigscan.scanner: signature scanner with all signatures registered.
  """
  def _offset_and_flags(offset):
    # Normalize a specification offset into the (offset, flags) pair that
    # pysigscan.scanner.add_signature expects.
    if offset is None:
      return None, pysigscan.signature_flags.NO_OFFSET
    if offset < 0:
      return -offset, pysigscan.signature_flags.RELATIVE_FROM_END
    return offset, pysigscan.signature_flags.RELATIVE_FROM_START

  signature_scanner = pysigscan.scanner()
  for specification in specification_store.specifications:
    for signature in specification.signatures:
      offset, flags = _offset_and_flags(signature.offset)
      signature_scanner.add_signature(
          signature.identifier, offset, signature.pattern, flags)

  return signature_scanner
def GetScanner(cls, specification_store):
  """Initializes a signature scanner from the specification store.

  All signatures of all format specifications are added to one scanner. A
  None offset is registered with NO_OFFSET, a negative offset as its
  magnitude with RELATIVE_FROM_END and any other offset unchanged with
  RELATIVE_FROM_START.

  Args:
    specification_store (FormatSpecificationStore): specification store
        holding the format specifications and their signatures.

  Returns:
    pysigscan.scanner: signature scanner.
  """
  no_offset = pysigscan.signature_flags.NO_OFFSET
  from_start = pysigscan.signature_flags.RELATIVE_FROM_START
  from_end = pysigscan.signature_flags.RELATIVE_FROM_END

  # Flatten the store into a single stream of signatures.
  all_signatures = (
      signature
      for specification in specification_store.specifications
      for signature in specification.signatures)

  scanner = pysigscan.scanner()
  for signature in all_signatures:
    offset = signature.offset
    if offset is None:
      flags = no_offset
    elif offset >= 0:
      flags = from_start
    else:
      # pysigscan takes the distance back from the end as a positive value.
      offset, flags = -offset, from_end
    scanner.add_signature(
        signature.identifier, offset, signature.pattern, flags)

  return scanner
def _GetScanner(cls, specification_store):
  """Initializes a signature scanner from the specification store.

  The scan buffer size is taken from the class constant _SCAN_BUFFER_SIZE
  before any signature is registered. Offsets are mapped to pysigscan
  flags: None -> NO_OFFSET, negative -> RELATIVE_FROM_END (registered as the
  absolute value), otherwise RELATIVE_FROM_START.

  Args:
    specification_store (FormatSpecificationStore): specification store.

  Returns:
    pysigscan.scanner: signature scanner.
  """
  scanner = pysigscan.scanner()
  # Presumably bounds how much data pysigscan reads per scan; the value is
  # a class-level constant so all instances scan the same amount.
  scanner.set_scan_buffer_size(cls._SCAN_BUFFER_SIZE)

  for specification in specification_store.specifications:
    for signature in specification.signatures:
      offset = signature.offset
      if offset is None:
        flags = pysigscan.signature_flags.NO_OFFSET
      else:
        flags = (
            pysigscan.signature_flags.RELATIVE_FROM_END if offset < 0
            else pysigscan.signature_flags.RELATIVE_FROM_START)
        # abs() is a no-op for the non-negative case and drops the sign for
        # end-relative offsets.
        offset = abs(offset)

      scanner.add_signature(
          signature.identifier, offset, signature.pattern, flags)

  return scanner
def _GetSignatureScanner(cls, specification_store):
  """Initializes a signature scanner based on a specification store.

  Sets the scan buffer size from cls._SCAN_BUFFER_SIZE and registers every
  signature in the store. A None offset becomes NO_OFFSET, a negative offset
  its magnitude with RELATIVE_FROM_END, anything else RELATIVE_FROM_START.

  Args:
    specification_store (FormatSpecificationStore): specification store.

  Returns:
    pysigscan.scanner: signature scanner.
  """
  scanner = pysigscan.scanner()
  scanner.set_scan_buffer_size(cls._SCAN_BUFFER_SIZE)

  def _register(signature):
    # Translate one specification signature into an add_signature call.
    offset = signature.offset
    if offset is None:
      flags = pysigscan.signature_flags.NO_OFFSET
    elif offset < 0:
      offset = -offset
      flags = pysigscan.signature_flags.RELATIVE_FROM_END
    else:
      flags = pysigscan.signature_flags.RELATIVE_FROM_START
    scanner.add_signature(
        signature.identifier, offset, signature.pattern, flags)

  for specification in specification_store.specifications:
    for signature in specification.signatures:
      _register(signature)

  return scanner
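def _GetScanner(self, specification_store, signature_identifiers):
  """Initializes the scanner object from the specification store.

  Only format specifications whose identifier is listed in
  signature_identifiers are registered; requested identifiers that do not
  exist in the store are silently ignored. As a side effect the identifier
  of every registered format specification is appended to
  self._signature_identifiers (no de-duplication, so calling this twice
  appends twice).

  Offsets are mapped to pysigscan flags: None -> NO_OFFSET, negative ->
  RELATIVE_FROM_END (registered as the magnitude), otherwise
  RELATIVE_FROM_START.

  Args:
    specification_store (FormatSpecificationStore): specification store.
    signature_identifiers (list[str]): identifiers of the format
        specifications to register. Note these are compared against
        format_specification.identifier, not against the identifiers of
        individual signatures.

  Returns:
    pysigscan.scanner: signature scanner.
  """
  # Membership is tested once per format specification; a set makes that a
  # hash lookup instead of a linear scan of the list each time.
  wanted_identifiers = set(signature_identifiers)

  scanner_object = pysigscan.scanner()
  for format_specification in specification_store.specifications:
    if format_specification.identifier not in wanted_identifiers:
      continue

    for signature in format_specification.signatures:
      pattern_offset = signature.offset
      if pattern_offset is None:
        signature_flags = pysigscan.signature_flags.NO_OFFSET
      elif pattern_offset < 0:
        pattern_offset = -pattern_offset
        signature_flags = pysigscan.signature_flags.RELATIVE_FROM_END
      else:
        signature_flags = pysigscan.signature_flags.RELATIVE_FROM_START

      scanner_object.add_signature(
          signature.identifier, pattern_offset, signature.pattern,
          signature_flags)

    self._signature_identifiers.append(format_specification.identifier)

  return scanner_object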
def GetScanner(cls, specification_store):
  """Initializes a signature scanner from a specification store.

  Collects every signature of every format specification as an
  add_signature argument tuple and registers them on a new scanner. The
  offset selects the flag: None -> NO_OFFSET, negative -> RELATIVE_FROM_END
  with the magnitude of the offset, otherwise RELATIVE_FROM_START.

  Args:
    specification_store (FormatSpecificationStore): specification store.

  Returns:
    pysigscan.scanner: signature scanner.
  """
  def _entry(signature):
    # Returns (identifier, offset, pattern, flags) for add_signature.
    offset = signature.offset
    if offset is None:
      return (signature.identifier, None, signature.pattern,
              pysigscan.signature_flags.NO_OFFSET)
    if offset < 0:
      return (signature.identifier, -offset, signature.pattern,
              pysigscan.signature_flags.RELATIVE_FROM_END)
    return (signature.identifier, offset, signature.pattern,
            pysigscan.signature_flags.RELATIVE_FROM_START)

  entries = [
      _entry(signature)
      for specification in specification_store.specifications
      for signature in specification.signatures]

  scanner = pysigscan.scanner()
  for entry in entries:
    scanner.add_signature(*entry)

  return scanner
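def _GetScanner(self, specification_store, signature_identifiers):
  """Initializes the scanner object from the specification store.

  Only format specifications whose identifier is listed in
  signature_identifiers are registered; requested identifiers absent from
  the store are silently skipped. Each registered format specification's
  identifier is appended to self._signature_identifiers as a side effect
  (not de-duplicated across calls).

  Offset handling: None -> NO_OFFSET, negative -> RELATIVE_FROM_END with the
  magnitude of the offset, otherwise RELATIVE_FROM_START.

  Args:
    specification_store (FormatSpecificationStore): specification store.
    signature_identifiers (list[str]): identifiers of the format
        specifications to register. These are matched against
        format_specification.identifier, not individual signature
        identifiers.

  Returns:
    pysigscan.scanner: signature scanner.
  """
  # One membership test per format specification; a set keeps it O(1)
  # rather than re-scanning the list every time.
  wanted_identifiers = set(signature_identifiers)

  scanner_object = pysigscan.scanner()
  for format_specification in specification_store.specifications:
    if format_specification.identifier not in wanted_identifiers:
      continue

    for signature in format_specification.signatures:
      pattern_offset = signature.offset
      if pattern_offset is None:
        signature_flags = pysigscan.signature_flags.NO_OFFSET
      elif pattern_offset < 0:
        pattern_offset = -pattern_offset
        signature_flags = pysigscan.signature_flags.RELATIVE_FROM_END
      else:
        signature_flags = pysigscan.signature_flags.RELATIVE_FROM_START

      scanner_object.add_signature(
          signature.identifier, pattern_offset, signature.pattern,
          signature_flags)

    self._signature_identifiers.append(format_specification.identifier)

  return scanner_object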
def _GetSignatureScanner(cls, specification_store):
  """Initializes a signature scanner based on a specification store.

  The scanner's buffer size is set from cls._SCAN_BUFFER_SIZE, then every
  signature in the store is registered. None offsets use NO_OFFSET,
  negative offsets are registered as their magnitude with
  RELATIVE_FROM_END, all others with RELATIVE_FROM_START.

  Args:
    specification_store (FormatSpecificationStore): specification store.

  Returns:
    pysigscan.scanner: signature scanner.
  """
  no_offset = pysigscan.signature_flags.NO_OFFSET
  from_end = pysigscan.signature_flags.RELATIVE_FROM_END
  from_start = pysigscan.signature_flags.RELATIVE_FROM_START

  scanner = pysigscan.scanner()
  scanner.set_scan_buffer_size(cls._SCAN_BUFFER_SIZE)

  for specification in specification_store.specifications:
    for signature in specification.signatures:
      offset = signature.offset
      if offset is None:
        scanner.add_signature(
            signature.identifier, None, signature.pattern, no_offset)
      elif offset < 0:
        # End-relative offsets are passed as a positive distance from the end.
        scanner.add_signature(
            signature.identifier, -offset, signature.pattern, from_end)
      else:
        scanner.add_signature(
            signature.identifier, offset, signature.pattern, from_start)

  return scanner
def _GetSignatureScanner(self):
  """Retrieves a signature scanner.

  Builds a scanner from the (identifier, pattern_offset, pattern) tuples in
  self._SIGNATURES. Every entry is registered with RELATIVE_FROM_START;
  unlike the specification-store based builders there is no translation of
  None or negative offsets here, so each pattern_offset is presumably
  expected to be a non-negative offset from the start of the data.

  Returns:
    pysigscan.scanner: signature scanner.
  """
  from_start = pysigscan.signature_flags.RELATIVE_FROM_START

  scanner = pysigscan.scanner()
  for identifier, offset, pattern in self._SIGNATURES:
    scanner.add_signature(identifier, offset, pattern, from_start)

  return scanner
def SetScanner(self, signature_specifications):
  """Builds a signature scanner from the specifications and stores it.

  Registers every signature of every format specification on a new
  pysigscan scanner and assigns it to self._scanner, replacing any scanner
  set before. Offsets map to flags as: None -> NO_OFFSET, negative ->
  RELATIVE_FROM_END (registered as the magnitude), otherwise
  RELATIVE_FROM_START.

  Args:
    signature_specifications: object exposing a .specifications iterable of
        format specifications with signatures (presumably a
        FormatSpecificationStore — confirm against callers).
  """
  def _flags_for(offset):
    # Returns the (offset, flags) pair pysigscan expects for a given
    # specification offset.
    if offset is None:
      return None, pysigscan.signature_flags.NO_OFFSET
    if offset < 0:
      return -offset, pysigscan.signature_flags.RELATIVE_FROM_END
    return offset, pysigscan.signature_flags.RELATIVE_FROM_START

  new_scanner = pysigscan.scanner()
  for specification in signature_specifications.specifications:
    for signature in specification.signatures:
      offset, flags = _flags_for(signature.offset)
      new_scanner.add_signature(
          signature.identifier, offset, signature.pattern, flags)

  self._scanner = new_scanner
def main():
  """Runs the pysigscan scanner tests.

  Registers a fixed table of file-format signatures on a scanner, then
  scans a few buffers and checks the identifiers reported by
  pysigscan_test_scan_buffer against the expected ones.

  Returns:
    bool: True if every scan matched its expected result, False at the
        first mismatch.
  """
  RELATIVE_FROM_START = pysigscan.signature_flags.RELATIVE_FROM_START
  RELATIVE_FROM_END = pysigscan.signature_flags.RELATIVE_FROM_END

  evt_pattern = b"\x30\x00\x00\x00LfLe\x01\x00\x00\x00\x01\x00\x00\x00"
  lnk_pattern = (
      b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
      b"\x00\x00\x00\x46")
  nk2_pattern = b"\x0d\xf0\xad\xba\xa0\x00\x00\x00\x01\x00\x00\x00"
  olecf_pattern = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
  olecf_beta_pattern = b"\x0e\x11\xfc\x0d\xd0\xcf\x11\x0e"
  regf_pattern = b"regf"
  vhdi_pattern = b"conectix"

  # (identifier, offset, pattern, flags); the vhdi footer is the only
  # end-relative entry.
  signatures = [
      Signature("7z", 0, b"7z\xbc\xaf\x27\x1c", RELATIVE_FROM_START),
      Signature("esedb", 4, b"\xef\xcd\xab\x89", RELATIVE_FROM_START),
      Signature("evt", 0, evt_pattern, RELATIVE_FROM_START),
      Signature("evtx", 0, b"ElfFile\x00", RELATIVE_FROM_START),
      Signature("ewf_e01", 0, b"EVF\x09\x0d\x0a\xff\x00", RELATIVE_FROM_START),
      Signature("ewf_l01", 0, b"LVF\x09\x0d\x0a\xff\x00", RELATIVE_FROM_START),
      Signature("lnk", 0, lnk_pattern, RELATIVE_FROM_START),
      Signature("msiecf", 0, b"Client UrlCache MMF Ver ", RELATIVE_FROM_START),
      Signature("nk2", 0, nk2_pattern, RELATIVE_FROM_START),
      Signature("olecf", 0, olecf_pattern, RELATIVE_FROM_START),
      Signature("olecf_beta", 0, olecf_beta_pattern, RELATIVE_FROM_START),
      Signature("pff", 0, b"!BDN", RELATIVE_FROM_START),
      Signature("qcow", 0, b"QFI\xfb", RELATIVE_FROM_START),
      Signature("rar", 0, b"Rar!\x1a\x07\x00", RELATIVE_FROM_START),
      Signature("regf", 0, b"regf", RELATIVE_FROM_START),
      Signature("vhdi_header", 0, vhdi_pattern, RELATIVE_FROM_START),
      Signature("vhdi_footer", 512, vhdi_pattern, RELATIVE_FROM_END),
      Signature("wtcdb_cache", 0, b"CMMM", RELATIVE_FROM_START),
      Signature("wtcdb_index", 0, b"IMMM", RELATIVE_FROM_START)]

  random_data = (
      b"\x01\xfa\xe0\xbe\x99\x8e\xdb\x70\xea\xcc\x6b\xae\x2f\xf5\xa2\xe4")

  scanner = pysigscan.scanner()
  for signature in signatures:
    scanner.add_signature(
        signature.identifier, signature.pattern_offset, signature.pattern,
        signature.flags)

  # TODO: add a test that sets a Unicode pattern.
  # TODO: add a test that sets a negative pattern offset.

  # (buffer, identifiers the scan is expected to report). lnk_pattern is
  # scanned twice; presumably a check that the scanner can be reused after
  # a hit — TODO confirm, otherwise drop the duplicate.
  scan_cases = [
      (lnk_pattern, ["lnk"]),
      (lnk_pattern, ["lnk"]),
      (regf_pattern, ["regf"]),
      (random_data, []),
  ]

  for scan_buffer, expected_scan_results in scan_cases:
    if not pysigscan_test_scan_buffer(
        scanner, scan_buffer, expected_scan_results):
      return False

  return True
def main():
  """Runs the pysigscan scanner tests.

  Sets up a scanner with a fixed table of file-format signatures and
  verifies, via pysigscan_test_scan_buffer, that known magic buffers are
  reported under the expected identifier and that a random buffer yields
  no results.

  Returns:
    bool: True if all checks pass; False as soon as one fails (later
        checks are not run).
  """
  from_start = pysigscan.signature_flags.RELATIVE_FROM_START
  from_end = pysigscan.signature_flags.RELATIVE_FROM_END

  evt_pattern = b"\x30\x00\x00\x00LfLe\x01\x00\x00\x00\x01\x00\x00\x00"
  lnk_pattern = (
      b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
      b"\x00\x00\x00\x46")
  nk2_pattern = b"\x0d\xf0\xad\xba\xa0\x00\x00\x00\x01\x00\x00\x00"
  olecf_pattern = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
  olecf_beta_pattern = b"\x0e\x11\xfc\x0d\xd0\xcf\x11\x0e"
  regf_pattern = b"regf"
  vhdi_pattern = b"conectix"

  signature_table = [
      Signature("7z", 0, b"7z\xbc\xaf\x27\x1c", from_start),
      Signature("esedb", 4, b"\xef\xcd\xab\x89", from_start),
      Signature("evt", 0, evt_pattern, from_start),
      Signature("evtx", 0, b"ElfFile\x00", from_start),
      Signature("ewf_e01", 0, b"EVF\x09\x0d\x0a\xff\x00", from_start),
      Signature("ewf_l01", 0, b"LVF\x09\x0d\x0a\xff\x00", from_start),
      Signature("lnk", 0, lnk_pattern, from_start),
      Signature("msiecf", 0, b"Client UrlCache MMF Ver ", from_start),
      Signature("nk2", 0, nk2_pattern, from_start),
      Signature("olecf", 0, olecf_pattern, from_start),
      Signature("olecf_beta", 0, olecf_beta_pattern, from_start),
      Signature("pff", 0, b"!BDN", from_start),
      Signature("qcow", 0, b"QFI\xfb", from_start),
      Signature("rar", 0, b"Rar!\x1a\x07\x00", from_start),
      Signature("regf", 0, regf_pattern, from_start),
      Signature("vhdi_header", 0, vhdi_pattern, from_start),
      # 512 bytes back from the end of the data.
      Signature("vhdi_footer", 512, vhdi_pattern, from_end),
      Signature("wtcdb_cache", 0, b"CMMM", from_start),
      Signature("wtcdb_index", 0, b"IMMM", from_start)]

  random_data = (
      b"\x01\xfa\xe0\xbe\x99\x8e\xdb\x70\xea\xcc\x6b\xae\x2f\xf5\xa2\xe4")

  scanner = pysigscan.scanner()
  for entry in signature_table:
    scanner.add_signature(
        entry.identifier, entry.pattern_offset, entry.pattern, entry.flags)

  # TODO: add a test that sets a Unicode pattern.
  # TODO: add a test that sets a negative pattern offset.

  # The lnk buffer is scanned twice in a row; presumably to confirm the
  # scanner is reusable after a match — TODO confirm, otherwise drop one.
  scan_cases = (
      (lnk_pattern, ["lnk"]),
      (lnk_pattern, ["lnk"]),
      (regf_pattern, ["regf"]),
      (random_data, []),
  )

  # all() short-circuits on the first failed check, so later buffers are
  # not scanned once one has failed.
  return all(
      pysigscan_test_scan_buffer(scanner, scan_buffer, expected)
      for scan_buffer, expected in scan_cases)