本文整理汇总了Python中lib.cuckoo.common.objects.File类的典型用法代码示例。如果您正苦于以下问题:Python File类的具体用法?Python File怎么用?Python File使用的例子?那么恭喜您, 这里精选的类代码示例或许可以为您提供帮助。
在下文中一共展示了File类的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: run
def run(self):
"""Run analysis.
@return: list of dropped files with related information.
"""
self.key = "dropped"
dropped_files, meta = [], {}
if os.path.exists(self.dropped_meta_path):
for line in open(self.dropped_meta_path, "rb"):
entry = json.loads(line)
filepath = os.path.join(self.analysis_path, entry["path"])
meta[filepath] = {
"pids": entry["pids"],
"filepath": entry["filepath"],
}
for dir_name, dir_names, file_names in os.walk(self.dropped_path):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info = File(file_path=file_path).get_all()
file_info.update(meta.get(file_info["path"], {}))
dropped_files.append(file_info)
for dir_name, dir_names, file_names in os.walk(self.package_files):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
file_info = File(file_path=file_path).get_all()
dropped_files.append(file_info)
return dropped_files示例2: run
def run(self):
"""Run analysis.
@return: structured results.
"""
self.key = "procmemory"
results = []
if os.path.exists(self.pmemory_path):
for dmp in os.listdir(self.pmemory_path):
if not dmp.endswith(".dmp"):
continue
dump_path = os.path.join(self.pmemory_path, dmp)
dump_file = File(dump_path)
if "-" in os.path.basename(dump_path):
pid = int(os.path.basename(dump_path).split("-")[0])
else:
pid = int(os.path.basename(dump_path).split(".")[0])
proc = dict(
file=dump_path, pid=pid,
yara=dump_file.get_yara("memory"),
urls=list(dump_file.get_urls()),
regions=list(self.read_dump(dump_path)),
)
if self.options.get("idapro"):
self.create_idapy(proc)
results.append(proc)
return results示例3: run
def run(self):
"""Run analysis.
@return: structured results.
"""
self.key = "procmemory"
results = []
if os.path.exists(self.pmemory_path):
for dmp in os.listdir(self.pmemory_path):
dmp_path = os.path.join(self.pmemory_path, dmp)
dmp_file = File(dmp_path)
process_name = ""
process_path = ""
process_id = int(os.path.splitext(os.path.basename(dmp_path))[0])
if "behavior" in self.results and "processes" in self.results["behavior"]:
for process in self.results["behavior"]["processes"]:
if process_id == process["process_id"]:
process_name = process["process_name"]
process_path = process["module_path"]
proc = dict(
file=dmp_path,
pid=process_id,
name=process_name,
path=process_path,
yara=dmp_file.get_yara(os.path.join(CUCKOO_ROOT, "data", "yara", "index_memory.yar")),
address_space=self.parse_dump(dmp_path)
)
results.append(proc)
return results示例4: run
def run(self):
"""Run analysis.
@return: structured results.
"""
self.key = "procmemory"
results = []
if os.path.exists(self.pmemory_path):
for dmp in os.listdir(self.pmemory_path):
dmp_path = os.path.join(self.pmemory_path, dmp)
dmp_file = File(dmp_path)
# Let's hope the file is not too big.
buf = open(dmp_path, "rb").read()
urls = set()
for url in re.findall(HTTP_REGEX, buf):
if not is_whitelisted_domain(url[1]):
urls.add("".join(url))
proc = dict(
file=dmp_path,
pid=os.path.splitext(os.path.basename(dmp_path))[0],
yara=dmp_file.get_yara(os.path.join(CUCKOO_ROOT, "data", "yara", "index_memory.yar")),
urls=list(urls),
)
results.append(proc)
return results示例5: run
def run(self):
"""Run androguard to extract static android information
@return: list of static features
"""
self.key = "apkinfo"
apkinfo = {}
if "file" not in self.task["category"] or not HAVE_ANDROGUARD:
return
f = File(self.task["target"])
if f.get_name().endswith((".zip", ".apk")) or "zip" in f.get_type():
if not os.path.exists(self.file_path):
raise CuckooProcessingError("Sample file doesn't exist: \"%s\"" % self.file_path)
try:
a = APK(self.file_path)
if a.is_valid_APK():
manifest = {}
apkinfo["files"] = self._apk_files(a)
manifest["package"] = a.get_package()
# manifest["permissions"]=a.get_details_permissions_new()
manifest["main_activity"] = a.get_main_activity()
manifest["activities"] = a.get_activities()
manifest["services"] = a.get_services()
manifest["receivers"] = a.get_receivers()
# manifest["receivers_actions"]=a.get__extended_receivers()
manifest["providers"] = a.get_providers()
manifest["libraries"] = a.get_libraries()
apkinfo["manifest"] = manifest
# apkinfo["certificate"] = a.get_certificate()
static_calls = {}
if self.check_size(apkinfo["files"]):
vm = DalvikVMFormat(a.get_dex())
vmx = uVMAnalysis(vm)
static_calls["all_methods"] = self.get_methods(vmx)
static_calls["is_native_code"] = analysis.is_native_code(vmx)
static_calls["is_dynamic_code"] = analysis.is_dyn_code(vmx)
static_calls["is_reflection_code"] = analysis.is_reflection_code(vmx)
# static_calls["dynamic_method_calls"]= analysis.get_show_DynCode(vmx)
# static_calls["reflection_method_calls"]= analysis.get_show_ReflectionCode(vmx)
# static_calls["permissions_method_calls"]= analysis.get_show_Permissions(vmx)
# static_calls["crypto_method_calls"]= analysis.get_show_CryptoCode(vmx)
# static_calls["native_method_calls"]= analysis.get_show_NativeMethods(vmx)
else:
log.warning("Dex size bigger than: %s",
self.options.decompilation_threshold)
apkinfo["static_method_calls"] = static_calls
except (IOError, OSError, BadZipfile) as e:
raise CuckooProcessingError("Error opening file %s" % e)
return apkinfo示例6: run
def run(self):
"""Run analysis.
@return: structured results.
"""
self.key = "procmemory"
results = []
if self.options.get("extract_img") and not HAVE_PEFILE:
log.warning(
"In order to extract PE files from memory dumps it is "
"required to have pefile installed (`pip install pefile`)."
)
if os.path.exists(self.pmemory_path):
for dmp in os.listdir(self.pmemory_path):
if not dmp.endswith(".dmp"):
continue
dump_path = os.path.join(self.pmemory_path, dmp)
dump_file = File(dump_path)
pid, num = map(int, re.findall("(\\d+)", dmp))
proc = dict(
file=dump_path, pid=pid, num=num,
yara=dump_file.get_yara("memory"),
urls=list(dump_file.get_urls()),
regions=list(self.read_dump(dump_path)),
)
if self.options.get("idapro"):
self.create_idapy(proc)
if self.options.get("extract_img") and HAVE_PEFILE:
proc["extracted"] = list(self.dump_images(proc))
if self.options.get("dump_delete"):
try:
os.remove(dump_path)
except OSError:
log.error("Unable to delete memory dump file at path \"%s\"", dump_path)
results.append(proc)
results.sort(key=lambda x: (x["pid"], x["num"]))
return results示例7: run
def run(self):
"""Run analysis.
@return: structured results.
"""
self.key = "procmemory"
results = []
for dmp in os.listdir(self.pmemory_path):
dmp_path = os.path.join(self.pmemory_path, dmp)
dmp_file = File(dmp_path)
proc = dict(
yara=dmp_file.get_yara(os.path.join(CUCKOO_ROOT, "data", "yara", "index_memory.yar"))
)
results.append(proc)
return results示例8: run
def run(self):
"""Run analysis.
@return: structured results.
"""
self.key = "procmemory"
results = []
if os.path.exists(self.pmemory_path):
for dmp in os.listdir(self.pmemory_path):
if not dmp.endswith(".dmp"):
continue
dump_path = os.path.join(self.pmemory_path, dmp)
dump_file = File(dump_path)
dump_name = os.path.basename(dump_path)
pid = int(re.findall("(\d{2,5})", dump_name)[0])
proc = dict(
file=dump_path, pid=pid,
yara=dump_file.get_yara("memory"),
urls=list(dump_file.get_urls()),
regions=list(self.read_dump(dump_path)),
)
if self.options.get("idapro"):
self.create_idapy(proc)
if self.options.get("dump_delete"):
try:
os.remove(dump_path)
except OSError:
log.error("Unable to delete memory dump file at path \"%s\"", dump_path)
results.append(proc)
return results示例9: run
def run(self, results):
"""Writes report.
@param results: analysis results dictionary.
@raise CuckooReportError: if fails to connect or write to MongoDB.
"""
# We put the raise here and not at the import because it would
# otherwise trigger even if the module is not enabled in the config.
if not HAVE_MONGO:
raise CuckooDependencyError("Unable to import pymongo "
"(install with `pip install pymongo`)")
self.connect()
# Set mongo schema version.
# TODO: This is not optimal becuase it run each analysis. Need to run
# only one time at startup.
if "cuckoo_schema" in self.db.collection_names():
if self.db.cuckoo_schema.find_one()["version"] != self.SCHEMA_VERSION:
CuckooReportError("Mongo schema version not expected, check data migration tool")
else:
self.db.cuckoo_schema.save({"version": self.SCHEMA_VERSION})
# Set an unique index on stored files, to avoid duplicates.
# From pymongo docs:
# Returns the name of the created index if an index is actually
# created.
# Returns None if the index already exists.
# TODO: This is not optimal because it run each analysis. Need to run
# only one time at startup.
self.db.fs.files.ensure_index("sha256", unique=True,
sparse=True, name="sha256_unique")
# Create a copy of the dictionary. This is done in order to not modify
# the original dictionary and possibly compromise the following
# reporting modules.
report = dict(results)
if not "network" in report:
report["network"] = {}
# Store the sample in GridFS.
if results["info"]["category"] == "file" and "target" in results:
sample = File(self.file_path)
if sample.valid():
fname = results["target"]["file"]["name"]
sample_id = self.store_file(sample, filename=fname)
report["target"] = {"file_id": sample_id}
report["target"].update(results["target"])
# Store the PCAP file in GridFS and reference it back in the report.
pcap_path = os.path.join(self.analysis_path, "dump.pcap")
pcap = File(pcap_path)
if pcap.valid():
pcap_id = self.store_file(pcap)
report["network"]["pcap_id"] = pcap_id
sorted_pcap_path = os.path.join(self.analysis_path, "dump_sorted.pcap")
spcap = File(sorted_pcap_path)
if spcap.valid():
spcap_id = self.store_file(spcap)
report["network"]["sorted_pcap_id"] = spcap_id
if "procmemory" in report:
# Store the process memory dump file in GridFS and reference it back in the report.
for idx, procmem in enumerate(report['procmemory']):
procmem_path = os.path.join(self.analysis_path, "memory", "{0}.dmp".format(procmem['pid']))
procmem_file = File(procmem_path)
if procmem_file.valid():
procmem_id = self.store_file(procmem_file)
report["procmemory"][idx].update({"procmem_id": procmem_id})
# Store the suri extracted files in GridFS and reference it back in the report.
suri_extracted_zip_path = os.path.join(self.analysis_path, "logs/files.zip")
suri_extracted_zip = File(suri_extracted_zip_path)
if suri_extracted_zip.valid():
suri_extracted_zip_id = self.store_file(suri_extracted_zip)
report["suricata"] = {"suri_extracted_zip": suri_extracted_zip_id}
report["suricata"].update(results["suricata"])
# Walk through the dropped files, store them in GridFS and update the
# report with the ObjectIds.
new_dropped = []
if "dropped" in report:
for dropped in report["dropped"]:
new_drop = dict(dropped)
drop = File(dropped["path"])
if drop.valid():
dropped_id = self.store_file(drop, filename=dropped["name"])
new_drop["object_id"] = dropped_id
new_dropped.append(new_drop)
report["dropped"] = new_dropped
# Store the Zipped Droppings file in GridFS and reference it back in the report.
#cuckoo_dropped_zip_path = os.path.join(self.analysis_path, "cuckoodroppings.zip")
#cuckoo_dropped_zip = File(cuckoo_dropped_zip_path)
#if cuckoo_dropped_zip.valid():
# cuckoo_droppings_id = self.store_file(cuckoo_dropped_zip)
# report["zippeddroppings"] = {"cuckoo_droppings_id": cuckoo_droppings_id}
# report["zippeddroppings"].update(results["zippeddroppings"])
#.........这里部分代码省略.........
示例10: run
def run(self, results):
"""Writes report.
@param results: analysis results dictionary.
@raise CuckooReportError: if fails to connect or write to Elasticsearch.
"""
# We put the raise here and not at the import because it would
# otherwise trigger even if the module is not enabled in the config.
if not HAVE_ELASTICSEARCH:
raise CuckooDependencyError("Unable to import elasticsearch "
"(install with `pip install elasticsearch`)")
self.connect()
index_prefix = self.options.get("index", "cuckoo")
search_only = self.options.get("searchonly", False)
# Create a copy of the dictionary. This is done in order to not modify
# the original dictionary and possibly compromise the following
# reporting modules.
report = dict(results)
idxdate = report["info"]["started"].split(" ")[0]
self.index_name = '{0}-{1}'.format(index_prefix, idxdate)
if not search_only:
if not "network" in report:
report["network"] = {}
# Store API calls in chunks for pagination in Django
if "behavior" in report and "processes" in report["behavior"]:
new_processes = []
for process in report["behavior"]["processes"]:
new_process = dict(process)
chunk = []
chunks_ids = []
# Loop on each process call.
for index, call in enumerate(process["calls"]):
# If the chunk size is 100 or if the loop is completed then
# store the chunk in Elastcisearch.
if len(chunk) == 100:
to_insert = {"pid": process["process_id"],
"calls": chunk}
pchunk = self.es.index(index=self.index_name,
doc_type="calls", body=to_insert)
chunk_id = pchunk['_id']
chunks_ids.append(chunk_id)
# Reset the chunk.
chunk = []
# Append call to the chunk.
chunk.append(call)
# Store leftovers.
if chunk:
to_insert = {"pid": process["process_id"], "calls": chunk}
pchunk = self.es.index(index=self.index_name,
doc_type="calls", body=to_insert)
chunk_id = pchunk['_id']
chunks_ids.append(chunk_id)
# Add list of chunks.
new_process["calls"] = chunks_ids
new_processes.append(new_process)
# Store the results in the report.
report["behavior"] = dict(report["behavior"])
report["behavior"]["processes"] = new_processes
# Add screenshot paths
report["shots"] = []
shots_path = os.path.join(self.analysis_path, "shots")
if os.path.exists(shots_path):
shots = [shot for shot in os.listdir(shots_path)
if shot.endswith(".jpg")]
for shot_file in sorted(shots):
shot_path = os.path.join(self.analysis_path, "shots",
shot_file)
screenshot = File(shot_path)
if screenshot.valid():
# Strip the extension as it's added later
# in the Django view
report["shots"].append(shot_file.replace(".jpg", ""))
if results.has_key("suricata") and results["suricata"]:
if results["suricata"].has_key("tls") and len(results["suricata"]["tls"]) > 0:
report["suri_tls_cnt"] = len(results["suricata"]["tls"])
if results["suricata"] and results["suricata"].has_key("alerts") and len(results["suricata"]["alerts"]) > 0:
report["suri_alert_cnt"] = len(results["suricata"]["alerts"])
if results["suricata"].has_key("files") and len(results["suricata"]["files"]) > 0:
report["suri_file_cnt"] = len(results["suricata"]["files"])
if results["suricata"].has_key("http") and len(results["suricata"]["http"]) > 0:
report["suri_http_cnt"] = len(results["suricata"]["http"])
else:
report = {}
report["task_id"] = results["info"]["id"]
report["info"] = results.get("info")
report["target"] = results.get("target")
report["summary"] = results.get("behavior", {}).get("summary")
report["network"] = results.get("network")
report["virustotal"] = results.get("virustotal")
#.........这里部分代码省略.........
示例11: run
def run(self, results):
"""Writes report.
@param results: analysis results dictionary.
@raise CuckooReportError: if fails to connect or write to MongoDB.
"""
# We put the raise here and not at the import because it would
# otherwise trigger even if the module is not enabled in the config.
if not HAVE_MONGO:
raise CuckooDependencyError("Unable to import pymongo "
"(install with `pip install pymongo`)")
self.connect()
# Set an unique index on stored files, to avoid duplicates.
# From pymongo docs:
# Returns the name of the created index if an index is actually
# created.
# Returns None if the index already exists.
self.db.fs.files.ensure_index("sha256", unique=True,
sparse=True, name="sha256_unique")
# Create a copy of the dictionary. This is done in order to not modify
# the original dictionary and possibly compromise the following
# reporting modules.
report = dict(results)
# Store the sample in GridFS.
if results["info"]["category"] == "file":
sample = File(self.file_path)
if sample.valid():
fname = results["target"]["file"]["name"]
sample_id = self.store_file(sample, filename=fname)
report["target"] = {"file_id": sample_id}
report["target"].update(results["target"])
# Store the PCAP file in GridFS and reference it back in the report.
pcap_path = os.path.join(self.analysis_path, "dump.pcap")
pcap = File(pcap_path)
if pcap.valid():
pcap_id = self.store_file(pcap)
report["network"] = {"pcap_id": pcap_id}
report["network"].update(results["network"])
# Walk through the dropped files, store them in GridFS and update the
# report with the ObjectIds.
new_dropped = []
for dropped in report["dropped"]:
new_drop = dict(dropped)
drop = File(dropped["path"])
if drop.valid():
dropped_id = self.store_file(drop, filename=dropped["name"])
new_drop["object_id"] = dropped_id
new_dropped.append(new_drop)
report["dropped"] = new_dropped
# Add screenshots.
report["shots"] = []
shots_path = os.path.join(self.analysis_path, "shots")
if os.path.exists(shots_path):
# Walk through the files and select the JPGs.
shots = [shot for shot in os.listdir(shots_path)
if shot.endswith(".jpg")]
for shot_file in sorted(shots):
shot_path = os.path.join(self.analysis_path,
"shots", shot_file)
shot = File(shot_path)
# If the screenshot path is a valid file, store it and
# reference it back in the report.
if shot.valid():
shot_id = self.store_file(shot)
report["shots"].append(shot_id)
# Store chunks of API calls in a different collection and reference
# those chunks back in the report. In this way we should defeat the
# issue with the oversized reports exceeding MongoDB's boundaries.
# Also allows paging of the reports.
new_processes = []
for process in report["behavior"]["processes"]:
new_process = dict(process)
chunk = []
chunks_ids = []
# Loop on each process call.
for index, call in enumerate(process["calls"]):
# If the chunk size is 100 or if the loop is completed then
# store the chunk in MongoDB.
if len(chunk) == 100:
to_insert = {"pid": process["process_id"],
"calls": chunk}
chunk_id = self.db.calls.insert(to_insert)
chunks_ids.append(chunk_id)
# Reset the chunk.
chunk = []
# Append call to the chunk.
chunk.append(call)
#.........这里部分代码省略.........
示例12: run
def run(self):
"""Run Google play unofficial python api the get the google play information
@return: list of google play features
"""
self.key = "googleplay"
googleplay = {}
if not HAVE_GOOGLEPLAY:
log.error("Unable to import the GooglePlay library, has it been "
"installed properly?")
return
if not HAVE_ANDROGUARD:
log.error("Could not find the Androguard library, please install "
"it. (`pip install androguard`)")
if ("file" not in self.task["category"]):
return
f = File(self.task["target"])
if f.get_name().endswith((".zip", ".apk")) or "zip" in f.get_type():
if not os.path.exists(self.file_path):
raise CuckooProcessingError("Sample file doesn't exist: \"%s\"" % self.file_path)
android_id = self.options.get("android_id")
google_login = self.options.get("google_login")
google_password = self.options.get("google_password")
# auth_token = self.options.get("auth_token", None)
if not android_id and not google_login and not google_password:
raise CuckooProcessingError("Google Play Credentials not configured, skip")
try:
a = APK(self.file_path)
if a.is_valid_APK():
package = a.get_package()
# Connect
api = GooglePlayAPI(android_id)
api.login(google_login, google_password, None)
# Get the version code and the offer type from the app details
app_data = api.details(package)
app_detail = app_data.docV2.details.appDetails
if not app_detail.installationSize:
return googleplay
googleplay["title"] = app_detail.title
googleplay["app_category"] = app_detail.appCategory._values
googleplay["version_code"] = app_detail.versionCode
googleplay["app_type"] = app_detail.appType
googleplay["content_rating"] = app_detail.contentRating
googleplay["developer_email"] = app_detail.developerEmail
googleplay["developer_name"] = app_detail.developerName
googleplay["developer_website"] = app_detail.developerWebsite
googleplay["installation_size"] = app_detail.installationSize
googleplay["num_downloads"] = app_detail.numDownloads
googleplay["upload_date"] = app_detail.uploadDate
googleplay["permissions"] = app_detail.permission._values
except (IOError, OSError, BadZipfile) as e:
raise CuckooProcessingError("Error opening file %s" % e)
return googleplay示例13: run
def run(self, results):
"""Writes report.
@param results: Cuckoo results dict.
@raise CuckooReportError: if fails to connect or write to MongoDB.
"""
self._connect()
# Set an unique index on stored files, to avoid duplicates.
# From pymongo docs:
# Returns the name of the created index if an index is actually created.
# Returns None if the index already exists.
self._db.fs.files.ensure_index("md5", unique=True, name="md5_unique")
# Add pcap file, check for dups and in case add only reference.
pcap_file = os.path.join(self.analysis_path, "dump.pcap")
pcap = File(pcap_file)
if pcap.valid():
pcap_id = self.store_file(pcap)
# Preventive key check.
if "network" in results and isinstance(results["network"], dict):
results["network"]["pcap_id"] = pcap_id
else:
results["network"] = {"pcap_id": pcap_id}
# Add dropped files, check for dups and in case add only reference.
dropped_files = {}
for dir_name, dir_names, file_names in os.walk(os.path.join(self.analysis_path, "files")):
for file_name in file_names:
file_path = os.path.join(dir_name, file_name)
drop = File(file_path)
dropped_files[drop.get_md5()] = drop
result_files = dict((dropped.get("md5", None), dropped) for dropped in results["dropped"])
# hopefully the md5s in dropped_files and result_files should be the same
if set(dropped_files.keys()) - set(result_files.keys()):
log.warning("Dropped files in result dict are different from those in storage.")
# store files in gridfs
for md5, fileobj in dropped_files.items():
# only store in db if we have a filename for it in results (should be all)
resultsdrop = result_files.get(md5, None)
if resultsdrop and fileobj.valid():
drop_id = self.store_file(fileobj, filename=resultsdrop["name"])
resultsdrop["dropped_id"] = drop_id
# Add screenshots.
results["shots"] = []
shots_path = os.path.join(self.analysis_path, "shots")
if os.path.exists(shots_path):
shots = [f for f in os.listdir(shots_path) if f.endswith(".jpg")]
for shot_file in sorted(shots):
shot_path = os.path.join(self.analysis_path, "shots", shot_file)
shot = File(shot_path)
if shot.valid():
shot_id = self.store_file(shot)
results["shots"].append(shot_id)
# Save all remaining results.
try:
self._db.analysis.save(results, manipulate=False)
except InvalidDocument:
# The document is too big, we need to shrink it and re-save it.
results["behavior"]["processes"] = ""
# Let's add an error message to the debug block.
error = ("The analysis results were too big to be stored, " +
"the detailed behavioral analysis has been stripped out.")
results["debug"]["errors"].append(error)
# Try again to store, if it fails, just abort.
try:
self._db.analysis.save(results)
except Exception as e:
raise CuckooReportError("Failed to store the document into MongoDB: %s" % e)示例14: run
def run(self):
"""Runs VirusTotal processing
@return: full VirusTotal report.
"""
self.key = "virustotal"
virustotal = []
key = self.options.get("key", None)
timeout = self.options.get("timeout", 60)
urlscrub = self.options.get("urlscrub", None)
do_file_lookup = self.getbool(self.options.get("do_file_lookup", False))
do_url_lookup = self.getbool(self.options.get("do_url_lookup", False))
if not key:
raise CuckooProcessingError("VirusTotal API key not "
"configured, skip")
if self.task["category"] == "file" and do_file_lookup:
if not os.path.exists(self.file_path):
raise CuckooProcessingError("File {0} not found, skipping it".format(self.file_path))
resource = File(self.file_path).get_sha256()
url = VIRUSTOTAL_FILE_URL
elif self.task["category"] == "url" and do_url_lookup:
resource = self.task["target"]
if urlscrub:
urlscrub_compiled_re = None
try:
urlscrub_compiled_re = re.compile(urlscrub)
except Exception as e:
raise CuckooProcessingError("Failed to compile urlscrub regex" % (e))
try:
resource = re.sub(urlscrub_compiled_re,"",resource)
except Exception as e:
raise CuckooProcessingError("Failed to scrub url" % (e))
# normalize the URL the way VT appears to
if not resource.lower().startswith("http://") and not resource.lower().startswith("https://"):
resource = "http://" + resource
slashsplit = resource.split('/')
slashsplit[0] = slashsplit[0].lower()
slashsplit[2] = slashsplit[2].lower()
if len(slashsplit) == 3:
slashsplit.append("")
resource = "/".join(slashsplit)
resource = hashlib.sha256(resource).hexdigest()
url = VIRUSTOTAL_URL_URL
else:
# Not supported type, exit.
return virustotal
data = {"resource": resource, "apikey": key}
try:
r = requests.get(url, params=data, verify=True, timeout=int(timeout))
response_data = r.content
except requests.exceptions.RequestException as e:
raise CuckooProcessingError("Unable to complete connection "
"to VirusTotal: {0}".format(e))
try:
virustotal = json.loads(response_data)
except ValueError as e:
raise CuckooProcessingError("Unable to convert response to "
"JSON: {0}".format(e))
# Work around VT brain-damage
if isinstance(virustotal, list) and len(virustotal):
virustotal = virustotal[0]
if "scans" in virustotal:
items = virustotal["scans"].items()
virustotal["scans"] = dict((engine.replace(".", "_"), signature)
for engine, signature in items)
virustotal["resource"] = resource
virustotal["results"]=list(({"vendor":engine.replace(".", "_"),"sig": signature["result"]})
for engine, signature in items)
return virustotal示例15: run
def run(self, results):
"""Writes report.
@param results: analysis results dictionary.
@raise CuckooReportError: if fails to connect or write to S3.
"""
# We put the raise here and not at the import because it would
# otherwise trigger even if the module is not enabled in the config.
self.s3_region = self.options.get("region", "us-west-2")
self.s3_access_key = self.options.get("access_key", "")
self.s3_secret_key = self.options.get("secret_key", "")
s3_reports_bucket_name = self.options.get("reports_bucket", "")
s3_shots_bucket_name = self.options.get("shots_bucket", "")
s3_samples_bucket_name = self.options.get("samples_bucket", "")
s3_files_bucket_name = self.options.get("files_bucket", "")
s3_aux_bucket_name = self.options.get("aux_bucket", "")
s3_logs_bucket_name = self.options.get("logs_bucket", "")
s3_pcap_bucket_name = self.options.get("pcap_bucket", "")
s3_md5_bucket_name = self.options.get("md5_bucket", "")
cleanup = self.options.get("cleanup", False)
# Create a copy of the dictionary. This is done in order to not modify
# the original dictionary and possibly compromise the following
# reporting modules.
report = dict(results)
if not "network" in report:
report["network"] = {}
# Add screenshot paths
report["shots"] = []
shots_path = os.path.join(self.analysis_path, "shots")
if os.path.exists(shots_path):
shots = [shot for shot in os.listdir(shots_path)
if shot.endswith(".jpg")]
for shot_file in sorted(shots):
shot_path = os.path.join(self.analysis_path, "shots",
shot_file)
screenshot = File(shot_path)
if screenshot.valid():
#report["shots"].append("{0}/{1}".format(results['info']['id'], shot_file))
report["shots"].append(shot_file.replace(".jpg", ""))
# Store chunks of API calls in a different collection and reference
# those chunks back in the report.
# Also allows paging of the reports.
if "behavior" in report and "processes" in report["behavior"]:
new_processes = []
for process in report["behavior"]["processes"]:
new_process = dict(process)
chunk = []
chunks_ids = []
chunk_count = 0
# Using this type of prefix is useful because you can always re-construct it from
# the original results
#chunk_prefix = str(results['info']['id']) + '/' + process['process_name']
chunk_prefix = str(results['info']['id']) + '/' + str(process['process_id'])
# Loop on each process call.
for index, call in enumerate(process["calls"]):
# If the chunk size is 100 or if the loop is completed then
# store the chunk in S1.
if len(chunk) == 100:
chunk_name = "{0}.{1}".format(chunk_prefix, chunk_count)
#log.debug("INFO TIME!")
#log.debug("%s %s %s" %(s3_reports_bucket_name, chunk_name, chunk_prefix))
#log.debug(chunk_prefix)
err = self.save_to_s3(s3_reports_bucket_name, chunk_name, json.dumps(chunk))
if err != '':
log.error("Non-size related issue saving analysis JSON to S3 for chunk {0} - {1}".format(chunk_name, err))
else:
chunks_ids.append("{0}.{1}".format(chunk_prefix, chunk_count))
chunk_count += 1
chunk = []
# Append call to the chunk.
chunk.append(call)
# Store leftovers.
if chunk:
chunk_name = "{0}.{1}".format(chunk_prefix, chunk_count)
#log.debug("%s %s %s" %(s3_reports_bucket_name, chunk_name, chunk_prefix))
err = self.save_to_s3(s3_reports_bucket_name, chunk_name, json.dumps(chunk))
if err != '':
log.error("Non-size related issue saving analysis JSON to S3 for chunk {0} - {1}".format(chunk_name, err))
else:
chunks_ids.append("{0}.{1}".format(chunk_prefix, chunk_count))
# Add list of chunks.
new_process["calls"] = chunks_ids
new_processes.append(new_process)
# Store the results in the report.
report["behavior"] = dict(report["behavior"])
report["behavior"]["processes"] = new_processes
#Other info we want Quick access to from the web UI
if results.has_key("virustotal") and results["virustotal"] and results["virustotal"].has_key("positives") and results["virustotal"].has_key("total"):
report["virustotal_summary"] = "%s/%s" % (results["virustotal"]["positives"], results["virustotal"]["total"])
if results.has_key("suricata") and results["suricata"]:
#.........这里部分代码省略.........