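def do_perform_test(self, caplog, url, expected, type_="local"):
    """Run Thug with the URL classifier and param hooks, then check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        url: URL (``type_="remote"``) or local sample path (``type_="local"``).
        expected: substrings that must each appear in at least one log message.
        type_: which ThugAPI runner to use, ``"local"`` or ``"remote"``.

    Raises:
        ValueError: if *type_* names no supported runner.
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.set_features_logging()
    thug.set_ssl_verify()
    thug.set_connect_timeout(1)
    thug.add_urlclassifier(os.path.join(self.signatures_path, "url_signature_13.yar"))
    thug.register_pyhook("DFT", "do_handle_params", self.do_handle_params_hook)
    thug.register_pyhook("ThugLogging", "log_classifier", self.log_classifier_hook)
    thug.log_init(url)

    # Explicit dispatch instead of getattr() on a caller-built method name: an
    # unsupported type_ fails with a clear message rather than AttributeError.
    runners = {"local": thug.run_local, "remote": thug.run_remote}
    if type_ not in runners:
        raise ValueError("unsupported run type {!r}; expected 'local' or 'remote'".format(type_))
    runners[type_](url)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)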
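def do_perform_test(self, caplog, sample, shockwave, expected):
    """Analyse a local sample with a chosen Shockwave Flash setting and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.
        shockwave: ``'disable'`` to switch the Flash plugin off, otherwise the
            version string handed to ``set_shockwave_flash``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.set_events('click,storage')
    thug.disable_cert_logging()
    thug.set_features_logging()
    if shockwave == 'disable':
        thug.disable_shockwave_flash()
    else:
        thug.set_shockwave_flash(shockwave)
    thug.log_init(sample)
    thug.run_local(sample)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)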
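def do_perform_test(self, caplog, sample, expected, events='', useragent='win7ie90'):
    """Analyse a local sample with configurable events/user agent and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.
        expected: substrings that must each appear in at least one log message.
        events: comma-separated DOM events handed to ``set_events``.
        useragent: Thug user-agent name handed to ``set_useragent``.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent(useragent)
    thug.set_events(events)
    thug.disable_cert_logging()
    thug.set_features_logging()
    thug.log_init(sample)
    thug.run_local(sample)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)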
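def do_perform_test(self, caplog, url, expected, type_="remote"):
    """Run Thug with image processing and the image MIME hook, then check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        url: URL (``type_="remote"``) or local sample path (``type_="local"``).
        expected: substrings that must each appear in at least one log message.
        type_: which ThugAPI runner to use, ``"local"`` or ``"remote"``.

    Raises:
        ValueError: if *type_* names no supported runner.
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.set_ssl_verify()
    # Reset/set/get round-trip is kept as in the original; it exercises the
    # image-processing accessors, not just the final setting.
    thug.reset_image_processing()
    thug.set_image_processing()
    thug.get_image_processing()
    thug.register_pyhook("MIMEHandler", "handle_image", self.handle_image_hook)
    thug.set_json_logging()
    thug.log_init(url)

    # Explicit dispatch instead of getattr() on a caller-built method name: an
    # unsupported type_ fails with a clear message rather than AttributeError.
    runners = {"local": thug.run_local, "remote": thug.run_remote}
    if type_ not in runners:
        raise ValueError("unsupported run type {!r}; expected 'local' or 'remote'".format(type_))
    runners[type_](url)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)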
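def do_perform_test(self, caplog, sample, adobe, expected):
    """Analyse a local sample with a chosen Acrobat Reader setting and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.
        adobe: ``'disable'`` to switch the AcroPDF plugin off, otherwise the
            version string handed to ``set_acropdf_pdf``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.set_events('click,storage')
    thug.disable_cert_logging()
    thug.set_features_logging()
    if adobe == 'disable':
        thug.disable_acropdf()
    else:
        thug.set_acropdf_pdf(adobe)
    thug.log_init(sample)
    thug.run_local(sample)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)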
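def do_perform_test(self, caplog, url, expected, type_="remote"):
    """Run Thug with web tracking, cert logging and verbose output, then check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        url: URL (``type_="remote"``) or local sample path (``type_="local"``).
        expected: substrings that must each appear in at least one log message.
        type_: which ThugAPI runner to use, ``"local"`` or ``"remote"``.

    Raises:
        ValueError: if *type_* names no supported runner.
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.set_events('click,storage')
    thug.set_web_tracking()
    thug.enable_cert_logging()
    thug.set_features_logging()
    thug.set_log_verbose()
    thug.set_ssl_verify()
    thug.log_init(url)

    # Explicit dispatch instead of getattr() on a caller-built method name: an
    # unsupported type_ fails with a clear message rather than AttributeError.
    runners = {"local": thug.run_local, "remote": thug.run_remote}
    if type_ not in runners:
        raise ValueError("unsupported run type {!r}; expected 'local' or 'remote'".format(type_))
    runners[type_](url)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)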
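def do_perform_test(self, caplog, sample, expected):
    """Analyse a local sample in extensive mode with file/JSON logging and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.set_events('click,storage')
    thug.set_extensive()
    thug.disable_cert_logging()
    thug.set_file_logging()
    thug.set_json_logging()
    thug.set_features_logging()
    thug.set_ssl_verify()
    thug.set_threshold(3)
    thug.log_init(sample)
    thug.run_local(sample)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)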
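def do_perform_remote_test(self, caplog, url, expected):
    """Fetch a remote URL with HTML and image classifiers loaded, then check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        url: remote URL passed to ``run_remote``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.set_image_processing()
    thug.set_threshold(2)
    thug.disable_cert_logging()
    thug.set_features_logging()
    thug.set_ssl_verify()
    thug.log_init(url)
    # Classifiers are registered after log_init, as in the original ordering.
    thug.add_htmlclassifier(os.path.join(self.signatures_path, "html_signature_12.yar"))
    thug.add_imageclassifier(os.path.join(self.signatures_path, "image_signature_14.yar"))
    thug.add_imageclassifier(os.path.join(self.signatures_path, "image_signature_15.yar"))
    thug.run_remote(url)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)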
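def do_perform_test(self, caplog, sample, expected, useragent='osx10safari5'):
    """Analyse a local sample with a configurable user agent and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.
        expected: substrings that must each appear in at least one log message.
        useragent: Thug user-agent name handed to ``set_useragent``.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent(useragent)
    thug.set_events('click,storage')
    thug.set_connect_timeout(2)
    thug.disable_cert_logging()
    thug.set_features_logging()
    thug.set_ssl_verify()
    thug.log_init(sample)
    thug.run_local(sample)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)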
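def do_perform_test(self, caplog, sample, expected):
    """Exercise every classifier/filter registration path directly and check the log.

    Registers YARA classifiers and filters of each kind (including deliberately
    non-existent rule files and invalid custom-classifier arguments, which are
    expected to be reported rather than to raise), then drives the ``log``
    classifiers on the sample's bytes and asserts the expected messages.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: file name under ``self.samples_path``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.log_init(sample)

    sig = lambda name: os.path.join(self.signatures_path, name)  # noqa: E731
    thug.add_htmlclassifier(sig("html_signature_1.yar"))
    thug.add_textclassifier(sig("text_signature_5.yar"))
    thug.add_cookieclassifier(sig("cookie_signature_8.yar"))
    thug.add_sampleclassifier(sig("sample_signature_10.yar"))
    thug.add_imageclassifier(sig("image_signature_14.yar"))
    thug.add_htmlfilter(sig("html_filter_2.yar"))
    thug.add_jsfilter(sig("js_signature_2.yar"))
    thug.add_vbsfilter(sig("vbs_signature_6.yar"))
    thug.add_textfilter(sig("text_signature_5.yar"))
    thug.add_cookiefilter(sig("cookie_filter_9.yar"))
    thug.add_samplefilter(sig("sample_filter_11.yar"))
    thug.add_imagefilter(sig("image_filter_16.yar"))
    # Negative cases: missing rule files and bad custom-classifier arguments.
    thug.add_htmlclassifier(sig("not_existing.yar"))
    thug.add_htmlfilter(sig("not_existing.yar"))
    thug.add_customclassifier('wrong_type', 'wrong_method')
    thug.add_customclassifier('url', 'wrong_method')
    thug.add_customclassifier('sample', self.sample_passthrough)
    thug.add_customclassifier('image', self.image_passthrough)
    thug.add_customclassifier('cookie', self.cookie_passthrough)

    with open(os.path.join(self.samples_path, sample), 'rb') as fd:
        data = fd.read()

    name = os.path.basename(sample)
    # The sample classifier is keyed by the content digest; compute it once.
    sample_md5 = hashlib.md5(data).hexdigest()
    image_url = 'https://buffer.antifork.org/images/antifork.jpg'

    # Repeated classify()/filter() calls on the same input are kept from the
    # original — they appear intended to cover the duplicate-match path.
    log.HTMLClassifier.classify(name, data)
    log.TextClassifier.classify(name, data)
    log.TextClassifier.classify(name, data)
    log.CookieClassifier.classify(name, data)
    log.CookieClassifier.classify(name, data)
    log.SampleClassifier.classify(data, sample_md5)
    log.ImageClassifier.classify(image_url, 'Antifork')
    log.ImageClassifier.classify(image_url, 'Antifork')
    log.HTMLClassifier.filter(name, data)
    log.JSClassifier.filter(name, data)
    log.VBSClassifier.filter(name, data)
    log.TextClassifier.filter(name, data)
    log.CookieClassifier.filter(name, data)
    log.SampleClassifier.filter(data, sample_md5)
    log.ImageClassifier.filter(image_url, 'Antifork')

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)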
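def _run(self, context, exploit):
    """Analyse one sample from ``MISC`` and assert its expected log fragments.

    Args:
        context: test context exposing a ``log_capture`` buffer that collects
            Thug's log output.
        exploit: pair ``(filename, expectations)`` — the sample file name under
            ``MISC`` and a comma-separated list of substrings that must all
            appear in the captured log.

    Raises:
        AssertionError: if any expectation is absent from the captured log.
    """
    sample = os.path.join(MISC, exploit[0])
    instance = ThugAPI(None, configuration_path="/etc/thug")
    instance.set_events('click')
    instance.set_timeout(1)
    instance.log_init(sample)
    instance.run_local(sample)

    # Read the capture buffer once instead of on every iteration, and report
    # every missing fragment rather than only the first.
    captured = context.log_capture.getvalue()
    missing = [a for a in exploit[1].split(",") if a not in captured]
    assert not missing, "expected log fragments not found: {}".format(missing)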
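def do_perform_test(self, caplog, sample, expected):
    """Analyse a local sample with catch-all custom classifiers and YARA rules, then check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('winxpie70')
    thug.set_threshold(2)
    thug.disable_cert_logging()
    thug.set_features_logging()
    thug.set_ssl_verify()
    thug.log_init(sample)

    # Register, reset, then re-register: the first reset/add pair appears to
    # be there to exercise reset_customclassifiers() itself.
    thug.reset_customclassifiers()
    thug.add_customclassifier('url', self.catchall)
    thug.reset_customclassifiers()
    for kind in ('html', 'url', 'js', 'vbs', 'sample', 'cookie', 'text'):
        thug.add_customclassifier(kind, self.catchall)

    sig = lambda name: os.path.join(self.signatures_path, name)  # noqa: E731
    thug.add_htmlclassifier(sig("html_signature_1.yar"))
    thug.add_jsclassifier(sig("js_signature_2.yar"))
    thug.add_urlclassifier(sig("url_signature_3.yar"))
    thug.add_urlfilter(sig("url_filter_4.yar"))
    thug.add_textclassifier(sig("text_signature_5.yar"))
    thug.add_vbsclassifier(sig("vbs_signature_6.yar"))
    thug.add_urlclassifier(sig("url_signature_7.yar"))
    thug.add_urlclassifier(sig("url_signature_13.yar"))
    thug.run_local(sample)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)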
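def do_perform_test(self, caplog, sample, expected):
    """Exercise classifier/filter registration paths directly and check the log.

    Registers YARA classifiers and filters of each kind (including deliberately
    non-existent rule files and invalid custom-classifier arguments, which are
    expected to be reported rather than to raise), then drives the ``log``
    classifiers on the sample's bytes and asserts the expected messages.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: file name under ``self.samples_path``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.log_init(sample)

    sig = lambda name: os.path.join(self.signatures_path, name)  # noqa: E731
    thug.add_htmlclassifier(sig("html_signature_1.yar"))
    thug.add_textclassifier(sig("text_signature_5.yar"))
    thug.add_cookieclassifier(sig("cookie_signature_8.yar"))
    thug.add_sampleclassifier(sig("sample_signature_10.yar"))
    thug.add_htmlfilter(sig("html_filter_2.yar"))
    thug.add_jsfilter(sig("js_signature_2.yar"))
    thug.add_vbsfilter(sig("vbs_signature_6.yar"))
    thug.add_textfilter(sig("text_signature_5.yar"))
    thug.add_cookiefilter(sig("cookie_filter_9.yar"))
    thug.add_samplefilter(sig("sample_filter_11.yar"))
    # Negative cases: missing rule files and bad custom-classifier arguments.
    thug.add_htmlclassifier(sig("not_existing.yar"))
    thug.add_htmlfilter(sig("not_existing.yar"))
    thug.add_customclassifier('wrong_type', 'wrong_method')
    thug.add_customclassifier('url', 'wrong_method')
    thug.add_customclassifier('sample', self.sample_passthrough)

    # Read as bytes: hashlib.md5() rejects str on Python 3, so the text-mode
    # read used previously would fail before any classifier ran.
    with open(os.path.join(self.samples_path, sample), 'rb') as fd:
        data = fd.read()

    name = os.path.basename(sample)
    # The sample classifier is keyed by the content digest; compute it once.
    sample_md5 = hashlib.md5(data).hexdigest()

    # Repeated classify() calls on the same input are kept from the original —
    # they appear intended to cover the duplicate-match path.
    log.HTMLClassifier.classify(name, data)
    log.TextClassifier.classify(name, data)
    log.TextClassifier.classify(name, data)
    log.CookieClassifier.classify(name, data)
    log.CookieClassifier.classify(name, data)
    log.SampleClassifier.classify(data, sample_md5)
    log.HTMLClassifier.filter(name, data)
    log.JSClassifier.filter(name, data)
    log.VBSClassifier.filter(name, data)
    log.TextClassifier.filter(name, data)
    log.CookieClassifier.filter(name, data)
    log.SampleClassifier.filter(data, sample_md5)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)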
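def do_perform_test(self, caplog, sample, expected):
    """Analyse a local sample with default settings and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.log_init(sample)
    thug.run_local(sample)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)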
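def do_perform_test(self, caplog, url, expected):
    """Fetch a remote URL in broken-URL mode and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        url: remote URL passed to ``run_remote``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.set_broken_url()
    thug.log_init(url)
    thug.run_remote(url)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)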
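def do_perform_test(self, caplog, sample, expected, events='', useragent='win7ie90'):
    """Analyse a local sample with configurable events/user agent and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.
        expected: substrings that must each appear in at least one log message.
        events: comma-separated DOM events handed to ``set_events``.
        useragent: Thug user-agent name handed to ``set_useragent``.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent(useragent)
    thug.set_events(events)
    thug.disable_cert_logging()
    thug.set_features_logging()
    thug.log_init(sample)
    thug.run_local(sample)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)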
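def do_perform_test(self, caplog, url, expected, type_="remote"):
    """Run Thug with features logging and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        url: URL (``type_="remote"``) or local sample path (``type_="local"``).
        expected: substrings that must each appear in at least one log message.
        type_: which ThugAPI runner to use, ``"local"`` or ``"remote"``.

    Raises:
        ValueError: if *type_* names no supported runner.
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.set_features_logging()
    thug.log_init(url)

    # Explicit dispatch instead of getattr() on a caller-built method name: an
    # unsupported type_ fails with a clear message rather than AttributeError.
    runners = {"local": thug.run_local, "remote": thug.run_remote}
    if type_ not in runners:
        raise ValueError("unsupported run type {!r}; expected 'local' or 'remote'".format(type_))
    runners[type_](url)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)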
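def do_perform_test(self, caplog, sample, expected):
    """Analyse a local sample with a Linux Firefox user agent and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('linuxfirefox40')
    thug.set_events('click,storage')
    thug.disable_cert_logging()
    thug.log_init(sample)
    thug.run_local(sample)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)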
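def do_perform_test(self, caplog, sample, expected):
    """Analyse a local sample with a short connect timeout and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.set_events('click,storage')
    thug.set_features_logging()
    thug.set_connect_timeout(2)
    thug.log_init(sample)
    thug.run_local(sample)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)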
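def do_perform_test(self, caplog, url, expected, type_="remote"):
    """Run Thug with features logging and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        url: URL (``type_="remote"``) or local sample path (``type_="local"``).
        expected: substrings that must each appear in at least one log message.
        type_: which ThugAPI runner to use, ``"local"`` or ``"remote"``.

    Raises:
        ValueError: if *type_* names no supported runner.
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.set_features_logging()
    thug.log_init(url)

    # Explicit dispatch instead of getattr() on a caller-built method name: an
    # unsupported type_ fails with a clear message rather than AttributeError.
    runners = {"local": thug.run_local, "remote": thug.run_remote}
    if type_ not in runners:
        raise ValueError("unsupported run type {!r}; expected 'local' or 'remote'".format(type_))
    runners[type_](url)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)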
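def do_perform_test(self, caplog, sample, expected):
    """Analyse a local sample as Windows XP IE7 with click events and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('winxpie70')
    thug.set_events('click')
    thug.set_connect_timeout(2)
    thug.disable_cert_logging()
    thug.set_features_logging()
    thug.log_init(sample)
    thug.run_local(sample)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)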
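def do_perform_test(self, caplog, url, expected):
    """Fetch a remote URL with VirusTotal query/submit enabled and check the log.

    Note: ``set_vt_query``/``set_vt_submit`` cause Thug to contact an external
    service, so this helper depends on network access and on whatever VT
    credentials Thug is configured with.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        url: remote URL passed to ``run_remote``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.set_vt_query()
    thug.set_vt_submit()
    thug.disable_cert_logging()
    thug.set_features_logging()
    thug.log_init(url)
    thug.run_remote(url)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)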
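def do_perform_test(self, caplog, sample, expected):
    """Analyse a local sample with the inspector HTML classifier and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('winxpie70')
    thug.set_ssl_verify()
    thug.log_init(sample)
    thug.add_htmlclassifier(os.path.join(self.signatures_path, "inspector.yar"))
    thug.run_local(sample)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)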
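def do_perform_test(self, caplog, url, expected, type_="local"):
    """Run Thug with the DFT param hook registered and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        url: URL (``type_="remote"``) or local sample path (``type_="local"``).
        expected: substrings that must each appear in at least one log message.
        type_: which ThugAPI runner to use, ``"local"`` or ``"remote"``.

    Raises:
        ValueError: if *type_* names no supported runner.
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.set_features_logging()
    thug.set_connect_timeout(1)
    thug.log_init(url)
    # Hook is registered after log_init here, as in the original ordering.
    thug.register_pyhook("DFT", "do_handle_params", self.do_handle_params_hook)

    # Explicit dispatch instead of getattr() on a caller-built method name: an
    # unsupported type_ fails with a clear message rather than AttributeError.
    runners = {"local": thug.run_local, "remote": thug.run_remote}
    if type_ not in runners:
        raise ValueError("unsupported run type {!r}; expected 'local' or 'remote'".format(type_))
    runners[type_](url)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)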
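def do_perform_test(self, caplog, sample, expected):
    """Analyse a local sample with every browser plugin disabled and check the log.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.
        expected: substrings that must each appear in at least one log message.

    Raises:
        AssertionError: if any entry of *expected* is missing from the log.
    """
    thug = ThugAPI()
    thug.set_useragent('win7ie90')
    thug.disable_acropdf()
    thug.disable_shockwave_flash()
    thug.disable_javaplugin()
    thug.disable_silverlight()
    thug.log_init(sample)
    thug.run_local(sample)

    records = [r.message for r in caplog.records]
    # Each expected substring must appear in at least one record; a bare
    # occurrence count could let one string matching several records hide
    # another that never appeared at all.
    missing = [e for e in expected if not any(e in record for record in records)]
    assert not missing, "expected log messages not found: {}".format(missing)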
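def do_perform_test(self, caplog, sample):
    """Analyse a local sample with features logging on and compare the logged features.

    Every captured record that carries a features dict (recognised by the
    ``"html_count"`` key) is compared key-by-key against
    ``self.expected[url]`` for the entry whose URL ends with *sample*.

    Args:
        caplog: pytest log-capture fixture; Thug's records are read from it.
        sample: local sample path passed to ``run_local``.

    Raises:
        AssertionError: if the features-logging toggle does not round-trip, or
            if any logged feature differs from the expected value.
    """
    thug = ThugAPI()
    thug.log_init(sample)
    thug.set_useragent('win7ie90')
    thug.set_verbose()
    thug.set_json_logging()
    thug.reset_features_logging()
    assert thug.get_features_logging() is False
    thug.set_features_logging()
    assert thug.get_features_logging() is True
    # Second log_init is kept from the original; it may be deliberate
    # (re-init after changing logging options) — confirm before removing.
    thug.log_init(sample)
    thug.run_local(sample)
    thug.log_event()

    for r in caplog.records:
        # The original called json.dumps(r) on the LogRecord, which can never
        # yield a dict, so no feature was ever compared. Accept either a dict
        # logged directly or a JSON-encoded message.
        features = r.msg
        if not isinstance(features, dict):
            try:
                features = json.loads(r.message)
            except (TypeError, ValueError):
                continue
        if not isinstance(features, dict) or "html_count" not in features:
            continue

        for url in self.expected:
            if not url.endswith(sample):
                continue
            for key in features:
                assert features[key] == self.expected[url][key], \
                    "feature {!r} mismatch for {}".format(key, url)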