2017-07-21 18:47:10 +02:00
|
|
|
#!/usr/bin/env python3
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
2017-09-20 12:44:55 +02:00
|
|
|
from ..exceptions import InvalidMISPObject
|
2017-08-31 10:40:18 +02:00
|
|
|
from .abstractgenerator import AbstractMISPObjectGenerator
|
2017-07-21 18:47:10 +02:00
|
|
|
from io import BytesIO
|
|
|
|
from hashlib import md5, sha1, sha256, sha512
|
|
|
|
from datetime import datetime
|
2017-11-08 03:10:04 +01:00
|
|
|
import logging
|
2017-07-21 18:47:10 +02:00
|
|
|
|
2017-11-08 03:10:04 +01:00
|
|
|
logger = logging.getLogger('pymisp')
|
2017-07-21 18:47:10 +02:00
|
|
|
|
|
|
|
try:
|
|
|
|
import lief
|
|
|
|
HAS_LIEF = True
|
|
|
|
except ImportError:
|
|
|
|
HAS_LIEF = False
|
|
|
|
|
|
|
|
try:
|
|
|
|
import pydeep
|
|
|
|
HAS_PYDEEP = True
|
|
|
|
except ImportError:
|
|
|
|
HAS_PYDEEP = False
|
|
|
|
|
|
|
|
|
2017-08-28 19:01:53 +02:00
|
|
|
class PEObject(AbstractMISPObjectGenerator):
    """MISP ``pe`` object generated from a PE binary parsed with lief.

    The binary comes from the first usable source among ``pseudofile``,
    ``filepath`` and ``parsed`` (checked in that order). All attributes, and
    one :class:`PESectionObject` per section, are generated at construction
    time; the section objects are kept in ``self.sections``.
    """

    def __init__(self, parsed=None, filepath=None, pseudofile=None, standalone=True, **kwargs):
        """Load the PE binary and generate the object's attributes.

        :param parsed: an already parsed ``lief.PE.Binary``.
        :param filepath: path handed to ``lief.PE.parse``.
        :param pseudofile: in-memory binary, either ``BytesIO`` or ``bytes``.
        :param standalone: forwarded to the parent constructor and to every
            :class:`PESectionObject` created for this binary.
        :param kwargs: forwarded unchanged to the parent constructor.
        :raises ImportError: lief is not installed.
        :raises InvalidMISPObject: no input was supplied, the input has an
            unsupported type, or no parsed binary could be obtained from it.
        """
        # Explicit two-argument super(): the zero-argument form is Python 3 only.
        super(PEObject, self).__init__('pe', standalone=standalone, **kwargs)
        if not HAS_PYDEEP:
            # pydeep is optional: without it the ssdeep hash is simply skipped.
            logger.warning("Please install pydeep: pip install git+https://github.com/kbandla/pydeep.git")
        if not HAS_LIEF:
            raise ImportError('Please install lief, documentation here: https://github.com/lief-project/LIEF')
        if pseudofile:
            if isinstance(pseudofile, BytesIO):
                self.__pe = lief.PE.parse(raw=pseudofile.getvalue())
            elif isinstance(pseudofile, bytes):
                self.__pe = lief.PE.parse(raw=pseudofile)
            else:
                raise InvalidMISPObject('Pseudo file can be BytesIO or bytes got {}'.format(type(pseudofile)))
        elif filepath:
            self.__pe = lief.PE.parse(filepath)
        elif parsed:
            # Got an already parsed blob
            if isinstance(parsed, lief.PE.Binary):
                self.__pe = parsed
            else:
                raise InvalidMISPObject('Not a lief.PE.Binary: {}'.format(type(parsed)))
        else:
            # Without this branch self.__pe would stay unset and
            # generate_attributes() would die on an obscure AttributeError.
            raise InvalidMISPObject('A PE binary is required: pass one of pseudofile, filepath or parsed')
        if self.__pe is None:
            # NOTE(review): recent lief releases are reported to return None
            # for unparsable input instead of raising - confirm against the
            # lief version in use. The check is harmless either way.
            raise InvalidMISPObject('Unable to parse the input as a PE binary')
        self.generate_attributes()

    def _is_exe(self):
        """Return True for an executable image that is neither a DLL nor a driver."""
        if self._is_dll() or self._is_driver():
            return False
        return self.__pe.header.has_characteristic(lief.PE.HEADER_CHARACTERISTICS.EXECUTABLE_IMAGE)

    def _is_dll(self):
        """Return whether the PE header carries the DLL characteristic."""
        return self.__pe.header.has_characteristic(lief.PE.HEADER_CHARACTERISTICS.DLL)

    def _is_driver(self):
        """Return True when the binary imports one of the known system libraries."""
        # List from pefile
        system_dlls = {'ntoskrnl.exe', 'hal.dll', 'ndis.sys', 'bootvid.dll', 'kdcom.dll'}
        # Library names are lower-cased so the match is case-insensitive.
        return bool(system_dlls.intersection(imp.lower() for imp in self.__pe.libraries))

    def _get_pe_type(self):
        """Classify the binary as 'dll', 'driver', 'exe' or 'unknown'.

        The DLL check comes first, so a DLL that also imports a system
        library is still reported as 'dll'.
        """
        if self._is_dll():
            return 'dll'
        if self._is_driver():
            return 'driver'
        if self._is_exe():
            return 'exe'
        return 'unknown'

    def generate_attributes(self):
        """Populate the object's attributes from the parsed binary.

        Adds the PE type, entrypoint and compilation timestamp, the version
        resource strings when present, one referenced
        :class:`PESectionObject` per section and the section count.
        """
        self.add_attribute('type', value=self._get_pe_type())
        # General information
        self.add_attribute('entrypoint-address', value=self.__pe.entrypoint)
        self.add_attribute('compilation-timestamp', value=datetime.utcfromtimestamp(self.__pe.header.time_date_stamps).isoformat())
        # self.imphash = self.__pe.get_imphash()
        try:
            # Each test guards the attribute access of the next one, so the
            # order of this chain matters.
            if (self.__pe.has_resources and
                    self.__pe.resources_manager.has_version and
                    self.__pe.resources_manager.version.has_string_file_info and
                    self.__pe.resources_manager.version.string_file_info.langcode_items):
                # Only the first language/codepage entry is exported.
                first_item = self.__pe.resources_manager.version.string_file_info.langcode_items[0]
                fileinfo = dict(first_item.items.items())
                self.add_attribute('original-filename', value=fileinfo.get('OriginalFilename'))
                self.add_attribute('internal-filename', value=fileinfo.get('InternalName'))
                self.add_attribute('file-description', value=fileinfo.get('FileDescription'))
                self.add_attribute('file-version', value=fileinfo.get('FileVersion'))
                self.add_attribute('lang-id', value=first_item.key)
                self.add_attribute('product-name', value=fileinfo.get('ProductName'))
                self.add_attribute('product-version', value=fileinfo.get('ProductVersion'))
                self.add_attribute('company-name', value=fileinfo.get('CompanyName'))
                self.add_attribute('legal-copyright', value=fileinfo.get('LegalCopyright'))
        except lief.read_out_of_bound:
            # The file is corrupted: keep whatever was added so far and
            # carry on with the sections.
            pass
        # Sections
        self.sections = []
        if self.__pe.sections:
            entrypoint = self.__pe.entrypoint
            for pos, section in enumerate(self.__pe.sections):
                s = PESectionObject(section, self._standalone, default_attributes_parameters=self._default_attributes_parameters)
                self.add_reference(s.uuid, 'includes', 'Section {} of PE'.format(pos))
                # The entrypoint belongs to the section whose virtual range
                # [virtual_address, virtual_address + virtual_size) contains it.
                if section.virtual_address <= entrypoint < (section.virtual_address + section.virtual_size):
                    self.add_attribute('entrypoint-section-at-position', value='{}|{}'.format(section.name, pos))
                self.sections.append(s)
        self.add_attribute('number-sections', value=len(self.sections))
        # TODO: TLSSection / DIRECTORY_ENTRY_TLS
|
|
|
|
|
|
|
|
|
2017-08-28 19:01:53 +02:00
|
|
|
class PESectionObject(AbstractMISPObjectGenerator):
    """MISP ``pe-section`` object describing a single section of a PE binary."""

    def __init__(self, section, standalone=True, **kwargs):
        """Keep the section and its raw content, then generate the attributes.

        :param section: section object exposing ``name``, ``size``,
            ``entropy`` and ``content``.
        :param standalone: forwarded to the parent constructor.
        :param kwargs: forwarded unchanged to the parent constructor.
        """
        # Explicit two-argument super(): the zero-argument form is Python 3 only.
        super(PESectionObject, self).__init__('pe-section', standalone=standalone, **kwargs)
        self.__section = section
        # The content is turned into bytes once and reused for every hash below.
        self.__data = bytes(section.content)
        self.generate_attributes()

    def generate_attributes(self):
        """Add the name and size, plus entropy and hashes for non-empty sections."""
        self.add_attribute('name', value=self.__section.name)
        size_attribute = self.add_attribute('size-in-bytes', value=self.__section.size)
        if int(size_attribute.value) <= 0:
            # Empty section: only the name and the size are recorded.
            return

        self.add_attribute('entropy', value=self.__section.entropy)
        digests = (
            ('md5', md5),
            ('sha1', sha1),
            ('sha256', sha256),
            ('sha512', sha512),
        )
        for relation, hasher in digests:
            self.add_attribute(relation, value=hasher(self.__data).hexdigest())
        if HAS_PYDEEP:
            # The fuzzy hash is only available when the optional pydeep import worked.
            self.add_attribute('ssdeep', value=pydeep.hash_buf(self.__data).decode())
|