示例#1
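    def do_perform_test(self, caplog, url, expected, type_="local"):
        """Run Thug on ``url`` with a URL classifier and two pyhooks, then
        require every string in ``expected`` to appear in some log record.

        ``type_`` selects ``run_local`` or ``run_remote``. It is validated
        before the ``getattr`` lookup so a typo fails with a clear message
        rather than an AttributeError on some unrelated ThugAPI attribute.
        """
        if type_ not in ("local", "remote"):
            raise ValueError(
                "type_ must be 'local' or 'remote', got {!r}".format(type_))

        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        thug.set_features_logging()
        # By its name this turns TLS certificate verification on for remote
        # fetches; keep it enabled so the test exercises the secure path.
        thug.set_ssl_verify()
        thug.set_connect_timeout(1)
        thug.add_urlclassifier(
            os.path.join(self.signatures_path, "url_signature_13.yar"))
        thug.register_pyhook("DFT", "do_handle_params",
                             self.do_handle_params_hook)
        thug.register_pyhook("ThugLogging", "log_classifier",
                             self.log_classifier_hook)
        thug.log_init(url)

        getattr(thug, "run_{}".format(type_))(url)

        records = [r.getMessage() for r in caplog.records]

        # Check each expectation on its own. The previous version summed all
        # (expectation, record) hits and compared the total with
        # len(expected), so one string present in two records could hide
        # another that never appeared at all.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)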
示例#2
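    def do_perform_test(self, caplog, sample, shockwave, expected):
        """Run Thug on a local ``sample`` with a given Shockwave Flash setting
        and require every string in ``expected`` to appear in the log.

        ``shockwave`` is either the literal ``'disable'`` (the plugin is
        switched off) or a value handed to ``set_shockwave_flash``.
        """
        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        thug.set_events('click,storage')
        thug.disable_cert_logging()
        thug.set_features_logging()

        if shockwave == 'disable':
            thug.disable_shockwave_flash()
        else:
            thug.set_shockwave_flash(shockwave)

        thug.log_init(sample)
        thug.run_local(sample)

        records = [r.getMessage() for r in caplog.records]

        # One missing expectation must fail the test even when another
        # expectation matched several records; the old hit counter could
        # not tell those two situations apart.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)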
示例#3
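    def do_perform_test(self,
                        caplog,
                        sample,
                        expected,
                        events='',
                        useragent='win7ie90'):
        """Run Thug on a local ``sample`` with the given user agent and event
        list, then require every string in ``expected`` to be logged.

        ``events`` is passed straight to ``set_events`` (an empty string by
        default); ``useragent`` to ``set_useragent``.
        """
        thug = ThugAPI()

        thug.set_useragent(useragent)
        thug.set_events(events)
        thug.disable_cert_logging()
        thug.set_features_logging()
        thug.log_init(sample)
        thug.run_local(sample)

        records = [r.getMessage() for r in caplog.records]

        # Per-expectation check: a total hit count lets a string that
        # matches twice compensate for one that never matches.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)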
示例#4
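    def do_perform_test(self, caplog, url, expected, type_="remote"):
        """Run Thug on ``url`` with image processing enabled and a
        ``handle_image`` pyhook, then require every string in ``expected``
        to appear in the (JSON-formatted) log.

        ``type_`` picks ``run_local`` or ``run_remote`` and is validated up
        front so the ``getattr`` dispatch cannot hit an unrelated attribute.
        """
        if type_ not in ("local", "remote"):
            raise ValueError(
                "type_ must be 'local' or 'remote', got {!r}".format(type_))

        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        thug.set_ssl_verify()
        # Reset then enable so the test does not depend on leftover state;
        # the value returned by get_image_processing() is not checked here.
        thug.reset_image_processing()
        thug.set_image_processing()
        thug.get_image_processing()
        thug.register_pyhook("MIMEHandler", "handle_image",
                             self.handle_image_hook)
        thug.set_json_logging()
        thug.log_init(url)

        getattr(thug, "run_{}".format(type_))(url)

        records = [r.getMessage() for r in caplog.records]

        # Check every expected string individually rather than counting
        # hits, so a duplicate match cannot mask an absent one.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)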
示例#5
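    def do_perform_test(self, caplog, sample, adobe, expected):
        """Run Thug on a local ``sample`` with a given Adobe Reader setting
        and require every string in ``expected`` to appear in the log.

        ``adobe`` is either the literal ``'disable'`` (AcroPDF switched off)
        or a value handed to ``set_acropdf_pdf``.
        """
        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        thug.set_events('click,storage')
        thug.disable_cert_logging()
        thug.set_features_logging()

        if adobe == 'disable':
            thug.disable_acropdf()
        else:
            thug.set_acropdf_pdf(adobe)

        thug.log_init(sample)
        thug.run_local(sample)

        records = [r.getMessage() for r in caplog.records]

        # Evaluate each expectation separately; the former hit counter let
        # a string seen twice hide a string never seen.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)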
示例#6
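    def do_perform_test(self, caplog, url, expected, type_="remote"):
        """Run Thug on ``url`` with web tracking, certificate logging and
        verbose logging enabled, then require every string in ``expected``
        to appear in some log record.

        ``type_`` picks ``run_local`` or ``run_remote`` and is validated
        before the dynamic ``getattr`` lookup.
        """
        if type_ not in ("local", "remote"):
            raise ValueError(
                "type_ must be 'local' or 'remote', got {!r}".format(type_))

        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        thug.set_events('click,storage')
        thug.set_web_tracking()
        thug.enable_cert_logging()
        thug.set_features_logging()
        thug.set_log_verbose()
        thug.set_ssl_verify()
        thug.log_init(url)

        getattr(thug, "run_{}".format(type_))(url)

        records = [r.getMessage() for r in caplog.records]

        # Report exactly which expectations are missing instead of comparing
        # a hit total with len(expected), which double counts.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)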
示例#7
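    def do_perform_test(self, caplog, sample, expected):
        """Run Thug on a local ``sample`` in extensive mode with file, JSON
        and features logging on, then require every string in ``expected``
        to appear in a captured log record.

        ``set_file_logging`` means this run writes artefacts to disk as a
        side effect; the threshold is fixed at 3.
        """
        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        thug.set_events('click,storage')
        thug.set_extensive()
        thug.disable_cert_logging()
        thug.set_file_logging()
        thug.set_json_logging()
        thug.set_features_logging()
        thug.set_ssl_verify()
        thug.set_threshold(3)
        thug.log_init(sample)
        thug.run_local(sample)

        records = [r.getMessage() for r in caplog.records]

        # A per-expectation check cannot be fooled by one string matching
        # several records while another matches none.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)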
示例#8
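    def do_perform_remote_test(self, caplog, url, expected):
        """Fetch ``url`` with Thug, image processing and three YARA
        classifiers enabled, then require every string in ``expected`` to
        appear in a captured log record.

        This always goes to the network (``run_remote``); TLS verification
        is left on via ``set_ssl_verify``.
        """
        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        thug.set_image_processing()
        thug.set_threshold(2)
        thug.disable_cert_logging()
        thug.set_features_logging()
        thug.set_ssl_verify()
        thug.log_init(url)

        classifiers = (
            (thug.add_htmlclassifier, "html_signature_12.yar"),
            (thug.add_imageclassifier, "image_signature_14.yar"),
            (thug.add_imageclassifier, "image_signature_15.yar"),
        )
        for add, name in classifiers:
            add(os.path.join(self.signatures_path, name))

        thug.run_remote(url)

        records = [r.getMessage() for r in caplog.records]

        # Check every expected string on its own so that a duplicate match
        # cannot compensate for a missing one.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)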
示例#9
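    def do_perform_test(self,
                        caplog,
                        sample,
                        expected,
                        useragent='osx10safari5'):
        """Run Thug on a local ``sample`` with a configurable user agent
        (Safari on OS X by default) and require every string in
        ``expected`` to appear in the log.
        """
        thug = ThugAPI()

        thug.set_useragent(useragent)
        thug.set_events('click,storage')
        thug.set_connect_timeout(2)
        thug.disable_cert_logging()
        thug.set_features_logging()
        thug.set_ssl_verify()
        thug.log_init(sample)
        thug.run_local(sample)

        records = [r.getMessage() for r in caplog.records]

        # Per-expectation matching; a hit total compared against
        # len(expected) lets one repeated string mask a missing one.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)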
示例#10
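    def do_perform_test(self, caplog, sample, expected):
        """Drive the classifier and filter registration API directly.

        Registers YARA classifiers and filters for every supported kind,
        feeds the same ``sample`` bytes through each ``classify``/``filter``
        entry point, and requires every string in ``expected`` to appear in
        a captured log record.

        The block with ``not_existing.yar`` and ``'wrong_type'`` /
        ``'wrong_method'`` passes invalid input on purpose; there is no
        ``try`` around it, so the test only passes if those calls log the
        problem instead of raising.
        """
        thug = ThugAPI()
        thug.log_init(sample)

        signature = lambda name: os.path.join(self.signatures_path, name)

        thug.add_htmlclassifier(signature("html_signature_1.yar"))
        thug.add_textclassifier(signature("text_signature_5.yar"))
        thug.add_cookieclassifier(signature("cookie_signature_8.yar"))
        thug.add_sampleclassifier(signature("sample_signature_10.yar"))
        thug.add_imageclassifier(signature("image_signature_14.yar"))

        thug.add_htmlfilter(signature("html_filter_2.yar"))
        thug.add_jsfilter(signature("js_signature_2.yar"))
        thug.add_vbsfilter(signature("vbs_signature_6.yar"))
        thug.add_textfilter(signature("text_signature_5.yar"))
        thug.add_cookiefilter(signature("cookie_filter_9.yar"))
        thug.add_samplefilter(signature("sample_filter_11.yar"))
        thug.add_imagefilter(signature("image_filter_16.yar"))

        # Invalid registrations: missing rule file, unknown classifier type,
        # and a non-callable handler. They must not raise.
        thug.add_htmlclassifier(signature("not_existing.yar"))
        thug.add_htmlfilter(signature("not_existing.yar"))
        thug.add_customclassifier('wrong_type', 'wrong_method')
        thug.add_customclassifier('url', 'wrong_method')
        thug.add_customclassifier('sample', self.sample_passthrough)
        thug.add_customclassifier('image', self.image_passthrough)
        thug.add_customclassifier('cookie', self.cookie_passthrough)

        with open(os.path.join(self.samples_path, sample), 'rb') as fd:
            data = fd.read()

        name = os.path.basename(sample)
        # MD5 here is only the sample identifier the SampleClassifier API
        # expects, not a security control.
        digest = hashlib.md5(data).hexdigest()
        image_url = 'https://buffer.antifork.org/images/antifork.jpg'

        log.HTMLClassifier.classify(name, data)
        log.TextClassifier.classify(name, data)
        log.TextClassifier.classify(name, data)
        log.CookieClassifier.classify(name, data)
        log.CookieClassifier.classify(name, data)
        log.SampleClassifier.classify(data, digest)
        log.ImageClassifier.classify(image_url, 'Antifork')
        log.ImageClassifier.classify(image_url, 'Antifork')

        log.HTMLClassifier.filter(name, data)
        log.JSClassifier.filter(name, data)
        log.VBSClassifier.filter(name, data)
        log.TextClassifier.filter(name, data)
        log.CookieClassifier.filter(name, data)
        log.SampleClassifier.filter(data, digest)
        log.ImageClassifier.filter(image_url, 'Antifork')

        records = [r.getMessage() for r in caplog.records]

        # Each expectation is checked separately; the former hit counter
        # let a string matched twice cover for one never matched.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)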
示例#11
文件: misc.py 项目: PoeBlu/thug
    def _run(self, context, exploit):
        """Analyse one exploit sample and check the captured log for it.

        ``exploit`` is a pair: ``exploit[0]`` is a file name under ``MISC``
        and ``exploit[1]`` a comma-separated list of substrings that must
        all be present in ``context.log_capture``. The configuration path
        is hard-coded to ``/etc/thug``.
        """
        path = os.path.join(MISC, exploit[0])

        api = ThugAPI(None, configuration_path = "/etc/thug")
        api.set_events('click')
        api.set_timeout(1)
        api.log_init(path)
        api.run_local(path)

        captured = context.log_capture.getvalue()
        for needle in exploit[1].split(","):
            assert needle in captured
示例#12
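    def do_perform_test(self, caplog, sample, expected):
        """Run Thug on a local ``sample`` with a catch-all custom classifier
        for every kind plus a set of YARA classifiers and one URL filter,
        then require every string in ``expected`` to appear in the log.

        ``reset_customclassifiers`` is called twice around a first ``url``
        registration, so the final state holds exactly the seven catch-all
        registrations that follow the second reset.
        """
        thug = ThugAPI()

        thug.set_useragent('winxpie70')
        thug.set_threshold(2)
        thug.disable_cert_logging()
        thug.set_features_logging()
        thug.set_ssl_verify()
        thug.log_init(sample)

        thug.reset_customclassifiers()
        thug.add_customclassifier('url', self.catchall)
        thug.reset_customclassifiers()
        for kind in ('html', 'url', 'js', 'vbs', 'sample', 'cookie', 'text'):
            thug.add_customclassifier(kind, self.catchall)

        signature = lambda name: os.path.join(self.signatures_path, name)

        thug.add_htmlclassifier(signature("html_signature_1.yar"))
        thug.add_jsclassifier(signature("js_signature_2.yar"))
        thug.add_urlclassifier(signature("url_signature_3.yar"))
        thug.add_urlfilter(signature("url_filter_4.yar"))
        thug.add_textclassifier(signature("text_signature_5.yar"))
        thug.add_vbsclassifier(signature("vbs_signature_6.yar"))
        thug.add_urlclassifier(signature("url_signature_7.yar"))
        thug.add_urlclassifier(signature("url_signature_13.yar"))

        thug.run_local(sample)

        records = [r.getMessage() for r in caplog.records]

        # Check every expected string individually so a duplicate match
        # cannot hide an absent one (the old hit count could).
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)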
示例#13
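    def do_perform_test(self, caplog, sample, expected):
        """Drive the classifier and filter registration API directly (no
        image classifiers), then require every string in ``expected`` to
        appear in a captured log record.

        The sample is read in binary mode: ``hashlib.md5`` rejects ``str``
        on Python 3, and the sibling helper that also exercises the image
        classifiers already reads with ``'rb'``.

        The ``not_existing.yar`` / ``'wrong_type'`` / ``'wrong_method'``
        registrations are invalid on purpose and must not raise.
        """
        thug = ThugAPI()
        thug.log_init(sample)

        signature = lambda name: os.path.join(self.signatures_path, name)

        thug.add_htmlclassifier(signature("html_signature_1.yar"))
        thug.add_textclassifier(signature("text_signature_5.yar"))
        thug.add_cookieclassifier(signature("cookie_signature_8.yar"))
        thug.add_sampleclassifier(signature("sample_signature_10.yar"))

        thug.add_htmlfilter(signature("html_filter_2.yar"))
        thug.add_jsfilter(signature("js_signature_2.yar"))
        thug.add_vbsfilter(signature("vbs_signature_6.yar"))
        thug.add_textfilter(signature("text_signature_5.yar"))
        thug.add_cookiefilter(signature("cookie_filter_9.yar"))
        thug.add_samplefilter(signature("sample_filter_11.yar"))

        thug.add_htmlclassifier(signature("not_existing.yar"))
        thug.add_htmlfilter(signature("not_existing.yar"))
        thug.add_customclassifier('wrong_type', 'wrong_method')
        thug.add_customclassifier('url', 'wrong_method')
        thug.add_customclassifier('sample', self.sample_passthrough)

        with open(os.path.join(self.samples_path, sample), 'rb') as fd:
            data = fd.read()

        name = os.path.basename(sample)
        # MD5 is the sample key the SampleClassifier API takes, not a
        # security control.
        digest = hashlib.md5(data).hexdigest()

        log.HTMLClassifier.classify(name, data)
        log.TextClassifier.classify(name, data)
        log.TextClassifier.classify(name, data)
        log.CookieClassifier.classify(name, data)
        log.CookieClassifier.classify(name, data)
        log.SampleClassifier.classify(data, digest)

        log.HTMLClassifier.filter(name, data)
        log.JSClassifier.filter(name, data)
        log.VBSClassifier.filter(name, data)
        log.TextClassifier.filter(name, data)
        log.CookieClassifier.filter(name, data)
        log.SampleClassifier.filter(data, digest)

        records = [r.getMessage() for r in caplog.records]

        # Per-expectation check instead of a hit total, so one string seen
        # twice cannot cover for one never seen.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)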
示例#14
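    def do_perform_test(self, caplog, sample, expected):
        """Run Thug on a local ``sample`` with default settings apart from
        the user agent, then require every string in ``expected`` to
        appear in a captured log record.
        """
        thug = ThugAPI()

        thug.set_useragent('win7ie90')

        thug.log_init(sample)
        thug.run_local(sample)

        records = [r.getMessage() for r in caplog.records]

        # Each expectation must match at least one record; counting total
        # hits would let a repeated match hide a missing one.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)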
示例#15
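    def do_perform_test(self, caplog, url, expected):
        """Fetch ``url`` with Thug's broken-URL handling switched on and
        require every string in ``expected`` to appear in the log.

        This always uses ``run_remote`` and therefore needs network access.
        """
        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        thug.set_broken_url()
        thug.log_init(url)

        thug.run_remote(url)

        records = [r.getMessage() for r in caplog.records]

        # Check every expected string on its own; a summed hit count lets a
        # duplicate match stand in for an absent one.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)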
示例#16
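    def do_perform_test(self, caplog, sample, expected, events = '', useragent = 'win7ie90'):
        """Run Thug on a local ``sample`` with the given ``events`` string
        and ``useragent``, then require every string in ``expected`` to
        appear in a captured log record.
        """
        thug = ThugAPI()

        thug.set_useragent(useragent)
        thug.set_events(events)
        thug.disable_cert_logging()
        thug.set_features_logging()
        thug.log_init(sample)
        thug.run_local(sample)

        records = [r.getMessage() for r in caplog.records]

        # Per-expectation check; the previous hit total could be satisfied
        # by one string matching twice while another never matched.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)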
示例#17
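    def do_perform_test(self, caplog, url, expected, type_ = "remote"):
        """Run Thug on ``url`` with features logging and require every
        string in ``expected`` to appear in a captured log record.

        ``type_`` picks ``run_local`` or ``run_remote``; it is validated
        before the ``getattr`` dispatch.
        """
        if type_ not in ("local", "remote"):
            raise ValueError(
                "type_ must be 'local' or 'remote', got {!r}".format(type_))

        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        thug.set_features_logging()
        thug.log_init(url)

        getattr(thug, "run_{}".format(type_))(url)

        records = [r.getMessage() for r in caplog.records]

        # Each expected string must appear in at least one record.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)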
示例#18
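    def do_perform_test(self, caplog, sample, expected):
        """Run Thug on a local ``sample`` as Firefox 40 on Linux and require
        every string in ``expected`` to appear in a captured log record.
        """
        thug = ThugAPI()

        thug.set_useragent('linuxfirefox40')
        thug.set_events('click,storage')
        thug.disable_cert_logging()

        thug.log_init(sample)
        thug.run_local(sample)

        records = [r.getMessage() for r in caplog.records]

        # Per-expectation check rather than a hit total, so a duplicate
        # match cannot mask a missing expectation.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)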
示例#19
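    def do_perform_test(self, caplog, sample, expected):
        """Run Thug on a local ``sample`` with features logging and a
        2-second connect timeout, then require every string in
        ``expected`` to appear in a captured log record.
        """
        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        thug.set_events('click,storage')
        thug.set_features_logging()
        thug.set_connect_timeout(2)
        thug.log_init(sample)
        thug.run_local(sample)

        records = [r.getMessage() for r in caplog.records]

        # One missing expectation fails the test regardless of how many
        # records the other expectations matched.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)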
示例#20
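    def do_perform_test(self, caplog, url, expected, type_="remote"):
        """Run Thug on ``url`` with features logging and require every
        string in ``expected`` to appear in a captured log record.

        ``type_`` selects ``run_local`` or ``run_remote`` and is checked
        before being spliced into the ``getattr`` lookup.
        """
        if type_ not in ("local", "remote"):
            raise ValueError(
                "type_ must be 'local' or 'remote', got {!r}".format(type_))

        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        thug.set_features_logging()
        thug.log_init(url)

        getattr(thug, "run_{}".format(type_))(url)

        records = [r.getMessage() for r in caplog.records]

        # Check each expectation on its own instead of summing hits.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)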
示例#21
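    def do_perform_test(self, caplog, sample, expected):
        """Run Thug on a local ``sample`` as IE7 on Windows XP with click
        events and a 2-second connect timeout, then require every string in
        ``expected`` to appear in a captured log record.
        """
        thug = ThugAPI()

        thug.set_useragent('winxpie70')
        thug.set_events('click')
        thug.set_connect_timeout(2)
        thug.disable_cert_logging()
        thug.set_features_logging()
        thug.log_init(sample)
        thug.run_local(sample)

        records = [r.getMessage() for r in caplog.records]

        # Per-expectation check; a summed hit count could be met with one
        # expectation matching twice and another not at all.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)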
示例#22
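    def do_perform_test(self, caplog, url, expected):
        """Fetch ``url`` with Thug's VirusTotal query and submit options
        switched on, then require every string in ``expected`` to appear in
        a captured log record.

        By their names, ``set_vt_query``/``set_vt_submit`` make the run talk
        to a third-party service and may upload fetched content to it; treat
        the test as network-dependent and do not point it at sensitive
        samples. Uses ``run_remote`` unconditionally.
        """
        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        thug.set_vt_query()
        thug.set_vt_submit()
        thug.disable_cert_logging()
        thug.set_features_logging()
        thug.log_init(url)
        thug.run_remote(url)

        records = [r.getMessage() for r in caplog.records]

        # Each expectation is checked individually so duplicate matches
        # cannot cover for a missing one.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)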
示例#23
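    def do_perform_test(self, caplog, sample, expected):
        """Run Thug on a local ``sample`` with the ``inspector.yar`` HTML
        classifier loaded, then require every string in ``expected`` to
        appear in a captured log record.
        """
        thug = ThugAPI()

        thug.set_useragent('winxpie70')
        thug.set_ssl_verify()
        thug.log_init(sample)

        thug.add_htmlclassifier(
            os.path.join(self.signatures_path, "inspector.yar"))

        thug.run_local(sample)

        records = [r.getMessage() for r in caplog.records]

        # Per-expectation check replaces the hit total, which double counted
        # a string present in more than one record.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)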
示例#24
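    def do_perform_test(self, caplog, url, expected, type_ = "local"):
        """Run Thug on ``url`` with a ``do_handle_params`` pyhook installed
        and require every string in ``expected`` to appear in the log.

        ``type_`` picks ``run_local`` or ``run_remote`` and is validated
        before the ``getattr`` dispatch. Note the hook is registered after
        ``log_init``, unlike the sibling helper that registers hooks first.
        """
        if type_ not in ("local", "remote"):
            raise ValueError(
                "type_ must be 'local' or 'remote', got {!r}".format(type_))

        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        thug.set_features_logging()
        thug.set_connect_timeout(1)
        thug.log_init(url)
        thug.register_pyhook("DFT", "do_handle_params", self.do_handle_params_hook)

        getattr(thug, "run_{}".format(type_))(url)

        records = [r.getMessage() for r in caplog.records]

        # Check each expected string on its own; a summed hit count lets a
        # duplicate match hide a missing expectation.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)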
示例#25
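    def do_perform_test(self, caplog, sample, expected):
        """Run Thug on a local ``sample`` with all four plugin emulations
        (AcroPDF, Shockwave Flash, Java, Silverlight) disabled, then require
        every string in ``expected`` to appear in a captured log record.
        """
        thug = ThugAPI()

        thug.set_useragent('win7ie90')
        for disable in (thug.disable_acropdf,
                        thug.disable_shockwave_flash,
                        thug.disable_javaplugin,
                        thug.disable_silverlight):
            disable()

        thug.log_init(sample)
        thug.run_local(sample)

        records = [r.getMessage() for r in caplog.records]

        # Per-expectation check instead of a hit total, which could be met
        # while one expected string was absent.
        missing = [e for e in expected
                   if not any(e in record for record in records)]

        assert not missing, \
            "expected log messages not found: {!r}".format(missing)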
示例#26
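    def do_perform_test(self, caplog, sample):
        """Run Thug on a local ``sample`` with JSON and features logging on
        and compare the logged feature counters with ``self.expected``.

        ``self.expected`` maps URLs to dicts of feature values; the entry
        whose URL ends with ``sample`` is compared key by key against the
        first log record that parses as a JSON object containing
        ``html_count``.

        The original loop called ``json.dumps`` on the LogRecord object,
        which always raises TypeError (and would yield a ``str`` anyway),
        so every record was skipped and nothing was ever compared. The
        record's message is now parsed with ``json.loads`` and the helper
        fails if no features record was found at all.
        """
        thug = ThugAPI()

        thug.log_init(sample)

        thug.set_useragent('win7ie90')
        thug.set_verbose()
        thug.set_json_logging()

        thug.reset_features_logging()
        assert thug.get_features_logging() is False

        thug.set_features_logging()
        assert thug.get_features_logging() is True

        thug.log_init(sample)
        thug.run_local(sample)
        thug.log_event()

        compared = False

        for r in caplog.records:
            try:
                features = json.loads(r.getMessage())
            except (TypeError, ValueError):
                # Not a JSON message; most log lines are plain text.
                continue

            if not isinstance(features, dict):
                continue

            if "html_count" not in features:
                continue

            for url in self.expected:
                if not url.endswith(sample):
                    continue

                for key in features:
                    assert features[key] == self.expected[url][key], \
                        "feature {!r} differs for {}".format(key, url)
                compared = True

        assert compared, \
            "no features record for {!r} found in the captured log".format(sample)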