示例#1
0
    def _parse_scan_result(self, scan_result):

        files, images, metadata = [], [], dict()
        metadata.update(self.version)

        # todo: metadata['officemalscanner'].update(scan_result)
        metadata['oms_rawresult_scan_debug'] = scan_result['scan_debug']
        metadata['oms_rawresult_info'] = scan_result['info']

        # NOTE: we are no longer concerned with detecting whether a file is "supported" or not, because we assume that
        # this engine will not be called if the MIME-type of the file does not match the _supported_file_types filter.

        # If we've gotten to this point, the file is malicious.  OMS isn't like other adapters - it's not going to give
        # you a signature name.  At best, it will give you a "malicious index".  I suppose this is as good of an
        # infection string to report as any other.
        idx_loc = scan_result['scan_debug'].find('Malicious Index = ')
        metadata['infected_string'] = scan_result['scan_debug'][
            idx_loc:idx_loc + len('Malicious Index = ') + 2]

        if metadata['infected_string']:
            metadata['infected'] = True
        else:
            metadata['infected'] = False

        # Loop over Macros directory, make each into Pickleable files
        if path.isdir(self._macro_dir):
            for outfile in listdir(self._macro_dir):
                files.append(
                    PickleableFileSample.path_factory(
                        path.join(self._macro_dir, outfile)))

        return files, images, metadata
示例#2
0
    def setUp(self):
        self.update_tar = PickleableFileSample.path_factory(
            self.update_tar_file)
        AVEngineTemplate.setUp(self)
        # we have to do this once at the start to make sure all tests that rely on these rule updates run

        self._clear_rule_dir_and_update()
示例#3
0
		def generate_yara_update_file(path=self._yara_repo_rules_dir):
			import vcs

			# don't move these imports! they're not needed on the worker
			from constance import config
			rule_repo = None
			try:
				rule_repo = vcs.get_backend(config.YARA_REPO_TYPE)(path, create=True, src_url=config.YARA_REPO_URL)
			except vcs.RepositoryError:
				# this means its already there ....
				rule_repo = vcs.get_repo(path=path, create=False)
			# ensure that we have the latest copy
			# todo detect when the repo url is changed and blow it away
			rule_repo.run_git_command("pull")
			tmp_path = tempfile.mktemp(suffix='.tar')
			rule_repo.run_git_command("checkout")
			rule_repo.run_git_command("archive master -o {0}".format(tmp_path))
			temp_ver_path = tempfile.mktemp()

			with open(temp_ver_path, 'w') as version_file_obj:

				version_file_obj.write(str(rule_repo.get_changeset().revision))
				version_file_obj.flush()
			with open(temp_ver_path, 'r') as version_file_obj:
				with tarfile.open(tmp_path, 'a') as tf:
					version_info = tf.gettarinfo(name=self._version_file, fileobj=version_file_obj, arcname=self._version_file)
					tf.addfile(version_info, fileobj=version_file_obj)
					tf.close()

			pfs_update = PickleableFileSample.path_factory(tmp_path)

			unlink(tmp_path)
			unlink(temp_ver_path)
			return pfs_update
示例#4
0
	def _parse_scan_result(self, scan_result):

		files, images, metadata = [], [], dict()
		metadata.update(self.version)

		# todo: metadata['officemalscanner'].update(scan_result)
		metadata['oms_rawresult_scan_debug'] = scan_result['scan_debug']
		metadata['oms_rawresult_info'] = scan_result['info']

		# NOTE: we are no longer concerned with detecting whether a file is "supported" or not, because we assume that
		# this engine will not be called if the MIME-type of the file does not match the _supported_file_types filter.

		# If we've gotten to this point, the file is malicious.  OMS isn't like other adapters - it's not going to give
		# you a signature name.  At best, it will give you a "malicious index".  I suppose this is as good of an
		# infection string to report as any other.
		idx_loc = scan_result['scan_debug'].find('Malicious Index = ')
		metadata['infected_string'] = scan_result['scan_debug'][idx_loc:idx_loc + len('Malicious Index = ') + 2]

		if metadata['infected_string']:
			metadata['infected'] = True
		else:
			metadata['infected'] = False

		# Loop over Macros directory, make each into Pickleable files
		if path.isdir(self._macro_dir):
			for outfile in listdir(self._macro_dir):
				files.append(PickleableFileSample.path_factory(path.join(self._macro_dir, outfile)))

		return files, images, metadata
示例#5
0
		def generate_yara_update_file(path=self._yara_repo_rules_dir):
			import vcs

			# don't move these imports! they're not needed on the worker
			from constance import config
			rule_repo = None
			try:
				rule_repo = vcs.get_backend(config.YARA_REPO_TYPE)(path, create=True, src_url=config.YARA_REPO_URL)
			except vcs.RepositoryError:
				# this means its already there ....
				rule_repo = vcs.get_repo(path=path, create=False)
			# ensure that we have the latest copy
			# todo detect when the repo url is changed and blow it away
			rule_repo.run_git_command("pull")
			tmp_path = tempfile.mktemp(suffix='.tar')
			rule_repo.run_git_command("checkout")
			rule_repo.run_git_command("archive master -o {0}".format(tmp_path))
			temp_ver_path = tempfile.mktemp()

			with open(temp_ver_path, 'w') as version_file_obj:

				version_file_obj.write(str(rule_repo.get_changeset().revision))
				version_file_obj.flush()
			with open(temp_ver_path, 'r') as version_file_obj:
				with tarfile.open(tmp_path, 'a') as tf:
					version_info = tf.gettarinfo(name=self._version_file, fileobj=version_file_obj, arcname=self._version_file)
					tf.addfile(version_info, fileobj=version_file_obj)
					tf.close()

			pfs_update = PickleableFileSample.path_factory(tmp_path)

			unlink(tmp_path)
			unlink(temp_ver_path)
			return pfs_update
示例#6
0
	def test_supported_scan(self):
		"""
		Running scanner against a supported file (.exe).  Expecting parse results
		"""
		my_peid_engine = peid_engine()
		TEST_FILE_DIR_PATH = os.path.join(os.path.dirname(__file__), '..', '..', 'generic', 'test', 'file')
		path = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'blat.ex_'))
		my_scan = my_peid_engine.scan(path)
示例#7
0
	def test_supported_scan(self):
		"""
		Running scanner against a supported file (.exe).  Expecting parse results
		"""
		my_peid_engine = peid_engine()
		TEST_FILE_DIR_PATH = os.path.join(os.path.dirname(__file__), '..', '..', 'generic', 'test', 'file')
		path = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'blat.ex_'))
		my_scan = my_peid_engine.scan(path)
示例#8
0
	def test_unsupported_scan(self):
		"""
		Running scanner against an unsupported file (.pdf).  Not expecting parse results
		"""
		my_peid_engine = peid_engine()
		TEST_FILE_DIR_PATH = os.path.join(os.path.dirname(__file__), '..', '..', 'generic', 'test', 'file')
		path = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'evil.pdf'))
		try:
			my_scan = my_peid_engine.scan(path)
			ok_(False)
		except UnsupportedFileTypeForScanner:
			ok_(True)
示例#9
0
	def test_unsupported_scan(self):
		"""
		Running scanner against an unsupported file (.pdf).  Not expecting parse results
		"""
		my_peid_engine = peid_engine()
		TEST_FILE_DIR_PATH = os.path.join(os.path.dirname(__file__), '..', '..', 'generic', 'test', 'file')
		path = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'evil.pdf'))
		try:
			my_scan = my_peid_engine.scan(path)
			ok_(False)
		except UnsupportedFileTypeForScanner:
			ok_(True)
示例#10
0
    def _ensure_file_is_pickleable(self, file_sample):
        pickleable_file = None
        if isinstance(file_sample, str):
            # treat all strings in this list as a path
            if not path.isabs(file_sample):
                raise FilePathMustBeAbsolute()
            pickleable_file = PickleableFileSample.path_factory(file_sample)
        elif isinstance(file_sample, PickleableFileSample):
            pickleable_file = file_sample

        if not pickleable_file:
            raise UnrecognizedFileTypeInMetadataResult

        return pickleable_file
示例#11
0
	def _ensure_file_is_pickleable(self, file_sample):
		pickleable_file = None
		if isinstance(file_sample, str):
			# treat all strings in this list as a path
			if not path.isabs(file_sample):
				raise FilePathMustBeAbsolute()
			pickleable_file = PickleableFileSample.path_factory(file_sample)
		elif isinstance(file_sample, PickleableFileSample):
			pickleable_file = file_sample

		if not pickleable_file:
			raise UnrecognizedFileTypeInMetadataResult

		return pickleable_file
示例#12
0
	def setUp(self):
		TEST_FILE_DIR_PATH = os.path.join(os.path.dirname(__file__), '..', '..', 'generic', 'test', 'file')
		self.supported_file_object = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'blat.ex_'))
		self.unsupported_file_object = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'evil.pdf'))
示例#13
0
	def setUp(self):
		TEST_FILE_DIR_PATH 			 	= join(dirname(__file__), 'file')
		self.evil_file_object 		 	= PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.evil'))
		self.good_file_object 			= PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.good'))
		self.supported_file_object		= PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.good'))
		self.unsupported_file_object	= PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.unsupported'))
示例#14
0
 def setUp(self):
     TEST_FILE_DIR_PATH = dirname(__file__) + "/file"
     self.supported_file_object = PickleableFileSample.path_factory(TEST_FILE_DIR_PATH + "/SAMPLE.good")
     self.unsupported_file_object = PickleableFileSample.path_factory(TEST_FILE_DIR_PATH + "/SAMPLE.evil_javascript")
示例#15
0
def _make_inert_file_object_small():

    return PickleableFileSample.path_factory(INERT_FILE_PATH)
示例#16
0
def _make_eicar_picklable_file_object():

    return PickleableFileSample.path_factory(EICAR_TEST_FILE_PATH)
示例#17
0
 def get_pickleable_file(self):
     return PickleableFileSample.file_object_factory(self.file)
示例#18
0
	def setUp(self):
		TEST_FILE_DIR_PATH = os.path.join(os.path.dirname(__file__), '..', '..', 'generic', 'test', 'file')
		self.supported_file_object = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'blat.ex_'))
		self.unsupported_file_object = PickleableFileSample.path_factory(os.path.join(TEST_FILE_DIR_PATH, 'evil.pdf'))
示例#19
0
	def setUp(self):
		TEST_FILE_DIR_PATH 			 	= join(dirname(__file__), 'file')
		self.evil_file_object 		 	= PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.evil'))
		self.good_file_object 			= PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.good'))
		self.supported_file_object		= PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.good'))
		self.unsupported_file_object	= PickleableFileSample.path_factory(join(TEST_FILE_DIR_PATH, 'SAMPLE.unsupported'))
示例#20
0
	def add_output_file_from_string(self, string_buffer, original_filename = None):
		"""
		Add an output file but do it all in memory from a string buffer, no removal required
		"""
		self._output_files.add(PickleableFileSample.string_factory( string_buffer, original_filename=original_filename))
示例#21
0
def _make_inert_file_object_small():

    return PickleableFileSample.path_factory(INERT_FILE_PATH)
示例#22
0
def _make_eicar_picklable_file_object():

    return PickleableFileSample.path_factory(EICAR_TEST_FILE_PATH)
示例#23
0
	def setUp(self):
		self.update_tar = PickleableFileSample.path_factory(self.update_tar_file)
		AVEngineTemplate.setUp(self)
		# we have to do this once at the start to make sure all tests that rely on these rule updates run

		self._clear_rule_dir_and_update()
示例#24
0
 def setUp(self):
     TEST_FILE_DIR_PATH = dirname(__file__) + '/file'
     self.supported_file_object = PickleableFileSample.path_factory(
         TEST_FILE_DIR_PATH + '/SAMPLE.good')
     self.unsupported_file_object = PickleableFileSample.path_factory(
         TEST_FILE_DIR_PATH + '/SAMPLE.evil_javascript')
示例#25
0
	def setUp(self):
		TEST_FILE_DIR_PATH 			 	= dirname(__file__) + '/file'
		self.supported_file_object		= PickleableFileSample.path_factory(TEST_FILE_DIR_PATH + '/SAMPLE.good')
		self.unsupported_file_object 	= PickleableFileSample.path_factory(TEST_FILE_DIR_PATH + '/SAMPLE.unsupported')
示例#26
0
	def get_pickleable_file(self):
		return PickleableFileSample.file_object_factory(self.file)