static 2 integrations (#763)
* move PE data to object

* Update objects.py

* Fix code style issues with Black

* static 2 integrations

* fix and isort

* Fix code style issues with Black

* Update static.py

* reads with

* more

* missed imports

* Fix code style issues with Black

* pe

* gen PE data for each PE file

* Fix code style issues with Black

* Update changelog.md

* Update static.py

* Fix code style issues with Black

* use generic template for main hash info too

* done

* fix isort

* Delete _subfile_info.html

* icon size

Co-authored-by: Lint Action
doomedraven authored Feb 17, 2022
1 parent 25ba613 commit f8a4b18
Showing 29 changed files with 2,979 additions and 3,414 deletions.
3 changes: 3 additions & 0 deletions changelog.md
@@ -1,3 +1,6 @@
### [16-02-2022] Depricate static part 1
* To be able to generate the same info as was generated for initial binary under static tab. We decided to depricate static module and make it reusable for any other files like dropped, downloaded, etc.

### [15-2-2022]
* Monitor updates:
* Do not call notify_successful_load() if tlsdump mode (avoid lsass being added to analyzer process list)
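--- a/lib/cuckoo/common/integrations/parse_dotnet.py
+++ b/lib/cuckoo/common/integrations/parse_dotnet.py
@@ -0,0 +1,156 @@
+# Copyright (C) 2010-2015 Cuckoo Foundation, Optiv, Inc. ([email protected])
+# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
+# See the file 'docs/LICENSE' for copying permission.
+
+import logging
+import os
+from datetime import datetime
+from subprocess import PIPE, Popen
+
+from lib.cuckoo.common.utils import convert_to_printable
+
+log = logging.getLogger(__name__)
+
+
+class DotNETExecutable(object):
+""".NET analysis"""
+
+def __init__(self, file_path, results):
+self.file_path = file_path
+self.results = results
+
+def add_statistic(self, name, field, value):
+self.results["statistics"]["processing"].append(
+{
+"name": name,
+field: value,
+}
+)
+
+def _get_custom_attrs(self):
+try:
+ret = []
+output = (
+Popen(["/usr/bin/monodis", "--customattr", self.file_path], stdout=PIPE, universal_newlines=True)
+.stdout.read()
+.split("\n")
+)
+for line in output[1:]:
+splitline = line.split()
+if not splitline or len(splitline) < 7:
+continue
+typeval = splitline[1].rstrip(":")
+nameval = splitline[6].split("::", 1)[0]
+if "(string)" not in splitline[6]:
+continue
+rem = " ".join(splitline[7:])
+startidx = rem.find('["')
+if startidx < 0:
+continue
+endidx = rem.rfind('"]')
+# also ignore empty strings
+if endidx <= 2:
+continue
+valueval = rem[startidx + 2 : endidx - 2]
+item = {}
+item["type"] = convert_to_printable(typeval)
+item["name"] = convert_to_printable(nameval)
+item["value"] = convert_to_printable(valueval)
+ret.append(item)
+return ret
+except Exception as e:
+log.error(e, exc_info=True)
+return None
+
+def _get_assembly_refs(self):
+try:
+ret = []
+output = (
+Popen(["/usr/bin/monodis", "--assemblyref", self.file_path], stdout=PIPE, universal_newlines=True)
+.stdout.read()
+.split("\n")
+)
+for idx, line in enumerate(output):
+splitline = line.split("Version=")
+if len(splitline) < 2:
+continue
+verval = splitline[1]
+splitline = output[idx + 1].split("Name=")
+if len(splitline) < 2:
+continue
+nameval = splitline[1]
+item = {}
+item["name"] = convert_to_printable(nameval)
+item["version"] = convert_to_printable(verval)
+ret.append(item)
+return ret
+
+except Exception as e:
+log.error(e, exc_info=True)
+return None
+
+def _get_assembly_info(self):
+try:
+ret = {}
+output = (
+Popen(["/usr/bin/monodis", "--assembly", self.file_path], stdout=PIPE, universal_newlines=True)
+.stdout.read()
+.split("\n")
+)
+for line in output:
+if line.startswith("Name:"):
+ret["name"] = convert_to_printable(line[5:].strip())
+if line.startswith("Version:"):
+ret["version"] = convert_to_printable(line[8:].strip())
+return ret
+except Exception as e:
+log.error(e, exc_info=True)
+return None
+
+def _get_type_refs(self):
+try:
+ret = []
+output = (
+Popen(["/usr/bin/monodis", "--typeref", self.file_path], stdout=PIPE, universal_newlines=True)
+.stdout.read()
+.split("\n")
+)
+for line in output[1:]:
+restline = "".join(line.split(":")[1:])
+restsplit = restline.split("]")
+asmname = restsplit[0][2:]
+typename = "".join(restsplit[1:])
+if asmname and typename:
+item = {}
+item["assembly"] = convert_to_printable(asmname)
+item["typename"] = convert_to_printable(typename)
+ret.append(item)
+return ret
+
+except Exception as e:
+log.error(e, exc_info=True)
+return None
+
+def run(self):
+"""Run analysis.
+@return: analysis results dict or None.
+"""
+if not os.path.exists(self.file_path):
+return None
+
+results = {}
+
+try:
+results["dotnet"] = {}
+pretime = datetime.now()
+results["dotnet"]["typerefs"] = self._get_type_refs()
+results["dotnet"]["assemblyrefs"] = self._get_assembly_refs()
+results["dotnet"]["assemblyinfo"] = self._get_assembly_info()
+results["dotnet"]["customattrs"] = self._get_custom_attrs()
+posttime = datetime.now()
+timediff = posttime - pretime
+self.add_statistic("static_dotnet", "time", float(f"{timediff.seconds}.{timediff.microseconds // 1000:03d}"))
+return results
+except Exception as e:
+log.error(e, exc_info=True)
+return None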
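Review bot: The `Popen(...).stdout.read()` chain in `_get_custom_attrs` (and the identical ones in `_get_assembly_refs`, `_get_assembly_info` and `_get_type_refs`) never calls `wait()` or closes the pipe, so each helper leaves the monodis child unreaped and its stdout descriptor open until the `Popen` object is collected, and because no timeout is given a monodis that stalls on a malformed sample blocks the whole processing run. `subprocess.run` reads, waits, closes and bounds the child in one call: `output = run(["/usr/bin/monodis", "--customattr", self.file_path], stdout=PIPE, universal_newlines=True, timeout=60).stdout.split("\n")` (with `run` added to the existing `from subprocess import PIPE, Popen` line; 60 is a placeholder value to tune), and the resulting `TimeoutExpired` is already caught by the `except Exception` below. The same substitution applies in the other three helpers. Separately, `output[idx + 1]` in `_get_assembly_refs` raises `IndexError` when `Version=` appears on the last line of output, which the broad `except` turns into a `None` result for the whole list rather than one skipped entry; a guard such as `if idx + 1 >= len(output): break` before that lookup keeps the entries parsed so far.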
