def _parse_scan_result(self, scan_result):
files, images, metadata = [], [], dict()
metadata.update(self.version)
# todo: metadata['officemalscanner'].update(scan_result)
metadata['oms_rawresult_scan_debug'] = scan_result['scan_debug']
metadata['oms_rawresult_info'] = scan_result['info']
# NOTE: we are no longer concerned with detecting whether a file is "supported" or not, because we assume that
# this engine will not be called if the MIME-type of the file does not match the _supported_file_types filter.
# If we've gotten to this point, the file is malicious. OMS isn't like other adapters - it's not going to give
# you a signature name. At best, it will give you a "malicious index". I suppose this is as good of an
# infection string to report as any other.
idx_loc = scan_result['scan_debug'].find('Malicious Index = ')
metadata['infected_string'] = scan_result['scan_debug'][
idx_loc:idx_loc + len('Malicious Index = ') + 2]
if metadata['infected_string']:
metadata['infected'] = True
else:
metadata['infected'] = False
# Loop over Macros directory, make each into Pickleable files
if path.isdir(self._macro_dir):
for outfile in listdir(self._macro_dir):
files.append(
PickleableFileSample.path_factory(
path.join(self._macro_dir, outfile)))
return files, images, metadata
def setUp(self):
self.update_tar = PickleableFileSample.path_factory(
self.update_tar_file)
AVEngineTemplate.setUp(self)
# we have to do this once at the start to make sure all tests that rely on these rule updates run
self._clear_rule_dir_and_update()
def generate_yara_update_file(path=self._yara_repo_rules_dir):
import vcs
# don't move these imports! they're not needed on the worker
from constance import config
rule_repo = None
try:
rule_repo = vcs.get_backend(config.YARA_REPO_TYPE)(path, create=True, src_url=config.YARA_REPO_URL)
except vcs.RepositoryError:
# this means its already there ....
rule_repo = vcs.get_repo(path=path, create=False)
# ensure that we have the latest copy
# todo detect when the repo url is changed and blow it away
rule_repo.run_git_command("pull")
tmp_path = tempfile.mktemp(suffix='.tar')
rule_repo.run_git_command("checkout")
rule_repo.run_git_command("archive master -o {0}".format(tmp_path))
temp_ver_path = tempfile.mktemp()
with open(temp_ver_path, 'w') as version_file_obj:
version_file_obj.write(str(rule_repo.get_changeset().revision))
version_file_obj.flush()
with open(temp_ver_path, 'r') as version_file_obj:
with tarfile.open(tmp_path, 'a') as tf:
version_info = tf.gettarinfo(name=self._version_file, fileobj=version_file_obj, arcname=self._version_file)
tf.addfile(version_info, fileobj=version_file_obj)
tf.close()
pfs_update = PickleableFileSample.path_factory(tmp_path)
unlink(tmp_path)
unlink(temp_ver_path)
return pfs_update
def _parse_scan_result(self, scan_result):
files, images, metadata = [], [], dict()
metadata.update(self.version)
# todo: metadata['officemalscanner'].update(scan_result)
metadata['oms_rawresult_scan_debug'] = scan_result['scan_debug']
metadata['oms_rawresult_info'] = scan_result['info']
# NOTE: we are no longer concerned with detecting whether a file is "supported" or not, because we assume that
# this engine will not be called if the MIME-type of the file does not match the _supported_file_types filter.
# If we've gotten to this point, the file is malicious. OMS isn't like other adapters - it's not going to give
# you a signature name. At best, it will give you a "malicious index". I suppose this is as good of an
# infection string to report as any other.
idx_loc = scan_result['scan_debug'].find('Malicious Index = ')
metadata['infected_string'] = scan_result['scan_debug'][idx_loc:idx_loc + len('Malicious Index = ') + 2]
if metadata['infected_string']:
metadata['infected'] = True
else:
metadata['infected'] = False
# Loop over Macros directory, make each into Pickleable files
if path.isdir(self._macro_dir):
for outfile in listdir(self._macro_dir):
files.append(PickleableFileSample.path_factory(path.join(self._macro_dir, outfile)))
return files, images, metadata
def generate_yara_update_file(path=self._yara_repo_rules_dir):
import vcs
# don't move these imports! they're not needed on the worker
from constance import config
rule_repo = None
try:
rule_repo = vcs.get_backend(config.YARA_REPO_TYPE)(path, create=True, src_url=config.YARA_REPO_URL)
except vcs.RepositoryError:
# this means its already there ....
rule_repo = vcs.get_repo(path=path, create=False)
# ensure that we have the latest copy
# todo detect when the repo url is changed and blow it away
rule_repo.run_git_command("pull")
tmp_path = tempfile.mktemp(suffix='.tar')
rule_repo.run_git_command("checkout")
rule_repo.run_git_command("archive master -o {0}".format(tmp_path))
temp_ver_path = tempfile.mktemp()
with open(temp_ver_path, 'w') as version_file_obj:
version_file_obj.write(str(rule_repo.get_changeset().revision))
version_file_obj.flush()
with open(temp_ver_path, 'r') as version_file_obj:
with tarfile.open(tmp_path, 'a') as tf:
version_info = tf.gettarinfo(name=self._version_file, fileobj=version_file_obj, arcname=self._version_file)
tf.addfile(version_info, fileobj=version_file_obj)
tf.close()
pfs_update = PickleableFileSample.path_factory(tmp_path)
unlink(tmp_path)
unlink(temp_ver_path)
return pfs_update
def test_supported_scan(self): """ Running scanner against a supported file (.exe). Expecting parse results """ my_peid_engine = peid_engine() TEST_FILE_DIR_PATH = os.path.join(os.path.dirname(__file__), '..', '..', 'generic', 'test', 'file') path = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'blat.ex_')) my_scan = my_peid_engine.scan(path)
def test_supported_scan(self): """ Running scanner against a supported file (.exe). Expecting parse results """ my_peid_engine = peid_engine() TEST_FILE_DIR_PATH = os.path.join(os.path.dirname(__file__), '..', '..', 'generic', 'test', 'file') path = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'blat.ex_')) my_scan = my_peid_engine.scan(path)
def test_unsupported_scan(self): """ Running scanner against an unsupported file (.pdf). Not expecting parse results """ my_peid_engine = peid_engine() TEST_FILE_DIR_PATH = os.path.join(os.path.dirname(__file__), '..', '..', 'generic', 'test', 'file') path = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'evil.pdf')) try: my_scan = my_peid_engine.scan(path) ok_(False) except UnsupportedFileTypeForScanner: ok_(True)
def test_unsupported_scan(self): """ Running scanner against an unsupported file (.pdf). Not expecting parse results """ my_peid_engine = peid_engine() TEST_FILE_DIR_PATH = os.path.join(os.path.dirname(__file__), '..', '..', 'generic', 'test', 'file') path = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'evil.pdf')) try: my_scan = my_peid_engine.scan(path) ok_(False) except UnsupportedFileTypeForScanner: ok_(True)
def _ensure_file_is_pickleable(self, file_sample):
pickleable_file = None
if isinstance(file_sample, str):
# treat all strings in this list as a path
if not path.isabs(file_sample):
raise FilePathMustBeAbsolute()
pickleable_file = PickleableFileSample.path_factory(file_sample)
elif isinstance(file_sample, PickleableFileSample):
pickleable_file = file_sample
if not pickleable_file:
raise UnrecognizedFileTypeInMetadataResult
return pickleable_file
def _ensure_file_is_pickleable(self, file_sample): pickleable_file = None if isinstance(file_sample, str): # treat all strings in this list as a path if not path.isabs(file_sample): raise FilePathMustBeAbsolute() pickleable_file = PickleableFileSample.path_factory(file_sample) elif isinstance(file_sample, PickleableFileSample): pickleable_file = file_sample if not pickleable_file: raise UnrecognizedFileTypeInMetadataResult return pickleable_file
def setUp(self): TEST_FILE_DIR_PATH = os.path.join(os.path.dirname(__file__), '..', '..', 'generic', 'test', 'file') self.supported_file_object = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'blat.ex_')) self.unsupported_file_object = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'evil.pdf'))
def setUp(self): TEST_FILE_DIR_PATH = join(dirname(__file__), 'file') self.evil_file_object = PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.evil')) self.good_file_object = PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.good')) self.supported_file_object = PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.good')) self.unsupported_file_object = PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.unsupported'))
def setUp(self):
TEST_FILE_DIR_PATH = dirname(__file__) + "/file"
self.supported_file_object = PickleableFileSample.path_factory(TEST_FILE_DIR_PATH + "/SAMPLE.good")
self.unsupported_file_object = PickleableFileSample.path_factory(TEST_FILE_DIR_PATH + "/SAMPLE.evil_javascript")
def _make_inert_file_object_small():
return PickleableFileSample.path_factory(INERT_FILE_PATH)
def _make_eicar_picklable_file_object():
return PickleableFileSample.path_factory(EICAR_TEST_FILE_PATH)
def get_pickleable_file(self):
return PickleableFileSample.file_object_factory(self.file)
def setUp(self): TEST_FILE_DIR_PATH = os.path.join(os.path.dirname(__file__), '..', '..', 'generic', 'test', 'file') self.supported_file_object = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'blat.ex_')) self.unsupported_file_object = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'evil.pdf'))
def setUp(self): TEST_FILE_DIR_PATH = join(dirname(__file__), 'file') self.evil_file_object = PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.evil')) self.good_file_object = PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.good')) self.supported_file_object = PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.good')) self.unsupported_file_object = PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.unsupported'))
def add_output_file_from_string(self, string_buffer, original_filename = None): """ Add an output file but do it all in memory from a string buffer, no removal required """ self._output_files.add(PickleableFileSample.string_factory( string_buffer, original_filename=original_filename))
def _make_inert_file_object_small():
return PickleableFileSample.path_factory(INERT_FILE_PATH)
def _make_eicar_picklable_file_object():
return PickleableFileSample.path_factory(EICAR_TEST_FILE_PATH)
def setUp(self): self.update_tar = PickleableFileSample.path_factory(self.update_tar_file) AVEngineTemplate.setUp(self) # we have to do this once at the start to make sure all tests that rely on these rule updates run self._clear_rule_dir_and_update()
def setUp(self):
TEST_FILE_DIR_PATH = dirname(__file__) + '/file'
self.supported_file_object = PickleableFileSample.path_factory(
TEST_FILE_DIR_PATH + '/SAMPLE.good')
self.unsupported_file_object = PickleableFileSample.path_factory(
TEST_FILE_DIR_PATH + '/SAMPLE.evil_javascript')
def setUp(self): TEST_FILE_DIR_PATH = dirname(__file__) + '/file' self.supported_file_object = PickleableFileSample.path_factory(TEST_FILE_DIR_PATH + '/SAMPLE.good') self.unsupported_file_object = PickleableFileSample.path_factory(TEST_FILE_DIR_PATH + '/SAMPLE.unsupported')
def get_pickleable_file(self): return PickleableFileSample.file_object_factory(self.file)