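def delete_tag(self, tag_name, sha256):
    """Detach tag `tag_name` from the sample identified by `sha256`.

    After the tag is detached, the Tag row itself is dropped when no other
    sample references it any more (checked via ``self.find("tag", ...)``).
    Problems are reported with print_error/print_warning; nothing is returned.
    """
    session = self.Session()
    try:
        malware_entry = session.query(Malware).filter(Malware.sha256 == sha256).first()
        tag = session.query(Tag).filter(Tag.tag == tag_name).first()

        # An unknown tag can neither be detached nor dropped; bail out before
        # a None ends up in list.remove() / session.delete().
        if tag is None:
            print_error("Tag {0} does not exist for this sample".format(tag_name))
            return

        # First remove the tag from the sample. A missing sample, or a tag
        # that is not attached to it, is reported instead of letting
        # list.remove() raise into a catch-all handler.
        if malware_entry is None or tag not in malware_entry.tag:
            print_error("Tag {0} does not exist for this sample".format(tag_name))
        else:
            malware_entry.tag.remove(tag)
            session.commit()

        # If the tag has no remaining entries, drop it from the database.
        if not self.find("tag", tag_name):
            session.delete(tag)
            session.commit()
            print_warning("Tag {0} has no additional entries dropping from Database".format(tag_name))
    except SQLAlchemyError as e:
        print_error("Unable to delete tag: {0}".format(e))
        session.rollback()
    finally:
        session.close()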
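def load_modules():
    """Discover every Module subclass shipped in the ``viper.modules`` package.

    Returns a dict keyed by each module's ``cmd`` attribute; the value holds
    the class itself (``obj``), its ``description`` and the argparse actions
    of its parser (``parser_args``) and sub-parsers (``subparser_args``).
    Modules that fail to import are reported with print_warning and skipped.
    """
    # Import modules package.
    import viper.modules as modules

    plugins = dict()

    # Walk recursively through all modules and packages.
    for _loader, module_name, ispkg in pkgutil.walk_packages(modules.__path__, modules.__name__ + '.'):
        # If current item is a package, skip.
        if ispkg:
            continue

        # One broken plugin must not take the whole loader down, so any
        # import-time failure (SyntaxError, AttributeError, ...) is reported
        # and the module skipped, not only ImportError.
        try:
            module = importlib.import_module(module_name)
        except Exception as e:
            print_warning("Something wrong happened while importing the module {0}: {1}".format(module_name, e))
            continue

        # Walk through all members of currently imported modules.
        for _member_name, member_object in inspect.getmembers(module):
            # Only concrete subclasses of Module are plugins.
            if not inspect.isclass(member_object):
                continue
            if not issubclass(member_object, Module) or member_object is Module:
                continue

            # A later definition silently replaces an earlier one with the
            # same cmd; say so, since that shadows a command for the user.
            if member_object.cmd in plugins:
                print_warning("Duplicate module command {0} ({1}), keeping the last one".format(member_object.cmd, module_name))

            # Instantiate once; both parser inspections use the same object.
            parser = member_object().parser
            plugins[member_object.cmd] = dict(
                obj=member_object,
                description=member_object.description,
                parser_args=get_argparse_parser_actions(parser),
                subparser_args=get_argparse_subparser_actions(parser),
            )

    return plugins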
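def delete_tag(self, tag_name, sha256):
    """Detach tag `tag_name` from the sample identified by `sha256`.

    After the tag is detached, the Tag row itself is dropped when no other
    sample references it any more (checked via ``self.find('tag', ...)``).
    Problems are reported with print_error/print_warning; nothing is returned.
    """
    session = self.Session()
    try:
        malware_entry = session.query(Malware).filter(
            Malware.sha256 == sha256).first()
        tag = session.query(Tag).filter(Tag.tag == tag_name).first()

        # An unknown tag can neither be detached nor dropped; bail out before
        # a None ends up in list.remove() / session.delete().
        if tag is None:
            print_error(
                "Tag {0} does not exist for this sample".format(tag_name))
            return

        # First remove the tag from the sample. A missing sample, or a tag
        # that is not attached to it, is reported instead of letting
        # list.remove() raise into a catch-all handler.
        if malware_entry is None or tag not in malware_entry.tag:
            print_error(
                "Tag {0} does not exist for this sample".format(tag_name))
        else:
            malware_entry.tag.remove(tag)
            session.commit()

        # If the tag has no remaining entries, drop it from the database.
        if not self.find('tag', tag_name):
            session.delete(tag)
            session.commit()
            print_warning(
                "Tag {0} has no additional entries dropping from Database".
                format(tag_name))
    except SQLAlchemyError as e:
        print_error("Unable to delete tag: {0}".format(e))
        session.rollback()
    finally:
        session.close()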
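def load_commands():
    """Discover every Command subclass in the ``viper.core.ui.cmd`` package.

    Returns a dict keyed by the command's ``cmd`` attribute; each value holds
    the bound ``run`` method of a fresh instance (``obj``), its
    ``description``, the argparse actions of its parser (``parser_args``) and
    its ``fs_path_completion`` flag. Commands that fail to import are reported
    with print_warning and skipped.
    """
    # Import cmd package.
    import viper.core.ui.cmd as cmd

    plugins = dict()

    # Walk recursively through all cmd and packages.
    for _loader, cmd_name, ispkg in pkgutil.walk_packages(cmd.__path__, cmd.__name__ + '.'):
        # If current item is a package, skip.
        if ispkg:
            continue

        # One broken command must not take the whole loader down, so any
        # import-time failure (SyntaxError, AttributeError, ...) is reported
        # and the command skipped, not only ImportError.
        try:
            cmd_module = importlib.import_module(cmd_name)
        except Exception as e:
            print_warning("Something wrong happened while importing the command {0}: {1}".format(cmd_name, e))
            continue

        # Walk through all members of currently imported cmd.
        for _member_name, member_object in inspect.getmembers(cmd_module):
            # Only concrete subclasses of Command are commands.
            if not inspect.isclass(member_object):
                continue
            if not issubclass(member_object, Command) or member_object is Command:
                continue

            # A later definition silently replaces an earlier one with the
            # same cmd; say so, since that shadows a command for the user.
            if member_object.cmd in plugins:
                print_warning("Duplicate command {0} ({1}), keeping the last one".format(member_object.cmd, cmd_name))

            instance = member_object()
            plugins[member_object.cmd] = dict(
                obj=instance.run,
                description=instance.description,
                parser_args=get_argparse_parser_actions(instance.parser),
                fs_path_completion=instance.fs_path_completion,
            )

    return plugins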
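def load_modules():
    """Discover Module subclasses from the ``modules`` package under ``~/.viper``.

    Returns a dict keyed by each module's ``cmd`` attribute, holding its class
    (``obj``), ``description``, ``categories`` (empty list when the class has
    none) and the argparse actions of its parser and sub-parsers. Returns an
    empty dict when ``~/.viper/modules`` cannot be imported; modules that fail
    to import individually are reported with print_warning and skipped.
    """
    # Add $HOME/.viper/ as a Python path. It goes to the front of sys.path so
    # it takes precedence over any other `modules` package; guarded so repeated
    # calls do not keep prepending the same entry.
    #
    # NOTE(security): everything under ~/.viper/ is imported and executed with
    # the current user's privileges, and because it sits first on sys.path it
    # also shadows same-named modules found later on the path. The directory
    # must not be writable by other users.
    viper_home = os.path.join(expanduser("~"), ".viper")
    if not sys.path or sys.path[0] != viper_home:
        sys.path.insert(0, viper_home)

    try:
        import modules
    except ImportError:
        return dict()

    plugins = dict()

    # Walk recursively through all modules and packages.
    for _loader, module_name, ispkg in pkgutil.walk_packages(modules.__path__, modules.__name__ + '.'):
        # If current item is a package, skip.
        if ispkg:
            continue

        # One broken plugin must not take the whole loader down, so any
        # import-time failure (SyntaxError, AttributeError, ...) is reported
        # and the module skipped, not only ImportError.
        try:
            module = importlib.import_module(module_name)
        except Exception as e:
            print_warning("Something wrong happened while importing the module {0}: {1}".format(module_name, e))
            continue

        # Walk through all members of currently imported modules.
        for _member_name, member_object in inspect.getmembers(module):
            # Only concrete subclasses of Module are plugins.
            if not inspect.isclass(member_object):
                continue
            if not issubclass(member_object, Module) or member_object is Module:
                continue

            # A later definition silently replaces an earlier one with the
            # same cmd; say so, since that shadows a command for the user.
            if member_object.cmd in plugins:
                print_warning("Duplicate module command {0} ({1}), keeping the last one".format(member_object.cmd, module_name))

            # Instantiate once; both parser inspections use the same object.
            parser = member_object().parser
            plugins[member_object.cmd] = dict(
                obj=member_object,
                description=member_object.description,
                categories=getattr(member_object, "categories", []),
                parser_args=get_argparse_parser_actions(parser),
                subparser_args=get_argparse_subparser_actions(parser),
            )

    return plugins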
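def store_sample(file_object):
    """Copy `file_object` into the project's binaries tree, keyed by SHA-256.

    The sample lands at ``<project>/binaries/<h0>/<h1>/<h2>/<h3>/<sha256>``,
    where ``h0..h3`` are the first four hex digits of the hash. Returns that
    path, or None when the object carries no hash, the hash is not a 64-digit
    hex string, or a file with that hash is already stored.
    """
    sha256 = file_object.sha256
    if not sha256:
        print_error("No hash")
        return None

    # The hash becomes part of the on-disk path; only accept plain hex so a
    # malformed value (one containing '/' or '..', say) can never place the
    # file outside the binaries directory.
    if len(sha256) != 64 or any(c not in "0123456789abcdefABCDEF" for c in sha256):
        print_error("Invalid SHA-256 hash: {0}".format(sha256))
        return None

    folder = os.path.join(
        __project__.get_path(),
        'binaries',
        sha256[0], sha256[1], sha256[2], sha256[3]
    )
    if not os.path.exists(folder):
        os.makedirs(folder, 0o750)

    file_path = os.path.join(folder, sha256)
    if os.path.exists(file_path):
        print_warning("File exists already")
        return None

    # Write to a temporary name and rename into place, so an interrupted write
    # never leaves a truncated file behind that a later call would report as
    # "File exists already".
    tmp_path = file_path + ".part"
    try:
        with open(tmp_path, 'wb') as stored:
            for chunk in file_object.get_chunks():
                stored.write(chunk)
        os.rename(tmp_path, file_path)
    except BaseException:
        # Includes KeyboardInterrupt on purpose: clean up, then re-raise.
        if os.path.exists(tmp_path):
            os.remove(tmp_path)
        raise

    return file_path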
def load_modules():
    """Collect the Module subclasses found under the local ``modules`` package.

    Returns a dict keyed by each plugin's ``cmd`` attribute, mapping to its
    class (``obj``) and ``description``. Import failures are reported with
    print_warning and the offending module is skipped.
    """
    # Import modules package.
    import modules

    found = {}
    prefix = modules.__name__ + '.'

    # Walk recursively through all modules and packages.
    for _loader, name, is_package in pkgutil.walk_packages(modules.__path__, prefix):
        # Packages themselves carry no plugin classes.
        if is_package:
            continue

        # Try to import the module, otherwise skip. (level=-1 is the Python 2
        # "relative, then absolute" import mode.)
        try:
            imported = __import__(name, globals(), locals(), ['dummy'], -1)
        except ImportError as e:
            print_warning(
                "Something wrong happened while importing the module {0}: {1}".
                format(name, e))
            continue

        # Keep every class that derives from Module (but not Module itself).
        classes = [obj for _n, obj in inspect.getmembers(imported) if inspect.isclass(obj)]
        for candidate in classes:
            if candidate is Module or not issubclass(candidate, Module):
                continue
            found[candidate.cmd] = dict(obj=candidate, description=candidate.description)

    return found
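def check_and_deploy_yara_rules():
    """Yara: check whether the rule path exists - if not, copy the default set of rules there.

    Uses ``<project base_path>/yara`` when present; otherwise copies the first
    available default rule directory into it, trying the pip-installed
    location before the repository checkout. Reports via print_info /
    print_warning / print_error; errors from shutil.copytree propagate.
    """
    yara_rules_path = os.path.join(__project__.base_path, "yara")

    if os.path.exists(yara_rules_path):
        print_info("Using Yara rules from directory: {}".format(yara_rules_path))
        return

    # Candidate sources for the default rule set, in priority order:
    #   1. rules shipped when Viper was installed with pip
    #   2. rules of a repository checkout
    candidates = (
        os.path.join(VIPER_ROOT, DIST_DIR_YARA_RULES),
        os.path.join(VIPER_ROOT, "data", "yara"),
    )
    for default_rules in candidates:
        if os.path.exists(default_rules):
            print_warning("Yara rule directory not found - copying default "
                          "rules ({}) to: {}".format(default_rules, yara_rules_path))
            shutil.copytree(default_rules, yara_rules_path)
            return

    print_error("No default Yara rules found")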
def config(data):
    """Decode the XtremeRAT configuration blob carried in `data`.

    The blob is located with extract_config(), RC4-decrypted with the fixed
    key and then dispatched on its length to the version-specific parser.
    Returns that parser's result, or None for the 1.3.x layout (recognised,
    not supported) and for any unknown length, after printing a message.
    """
    key = 'C\x00O\x00N\x00F\x00I\x00G'
    config_raw = rc4crypt(extract_config(data), key)
    size = len(config_raw)

    # 1.3.x - Not implemented yet.
    if size == 0xe10:
        print_warning("Detected XtremeRAT 1.3.x, not supported yet")
        return None

    # Decrypted length -> parser.
    parsers = {
        0x1390: v29,   # 2.9.x - Not a stable extract.
        0x1392: v29,
        0x5cc: v32,    # 3.1 & 3.2
        0x7f0: v35,    # 3.5
    }
    parser = parsers.get(size)
    if parser is None:
        print_error("No known XtremeRAT version detected")
        return None

    return parser(config_raw)