Merge pull request #32 from CybercentreCanada/update/more-heurs
Update/more heurs [dev]
cccs-kevin authored Jan 9, 2024
2 parents eb19a6d + 98fb929 commit 4738636
Showing 15 changed files with 245 additions and 630 deletions.
39 changes: 6 additions & 33 deletions elf/elf.py
Expand Up @@ -93,7 +93,6 @@ def add_segments(self):
self.file_res.add_section(res)

def add_libraries(self):
# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L401
if len(self.elf.libraries) == 0:
heur = Heuristic(4)
ResultSection(heur.name, heuristic=heur, parent=self.file_res)
Expand Down Expand Up @@ -150,41 +149,21 @@ def add_hash(self):
res.add_line(f"Number of chains: {self.elf.sysv_hash['nchain']}")
self.file_res.add_section(res)

# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L403
def check_symbols(self):
# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L426
if not self.lief_binary.symbols:
ResultSection("No symbol found", parent=self.file_res)
heur = Heuristic(8)
ResultSection(heur.name, body=heur.description, heuristic=heur, parent=self.file_res)
else:
# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L782
if not self.lief_binary.exported_symbols:
ResultSection("No exported symbol found", parent=self.file_res)

# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L820
if not self.lief_binary.imported_symbols:
ResultSection("No imported symbol found", parent=self.file_res)

# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L820
if not self.lief_binary.dynamic_symbols:
ResultSection("No dynamic symbol found", parent=self.file_res)

# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L1560
if not self.lief_binary.static_symbols:
ResultSection("No static symbol found", parent=self.file_res)
heur = Heuristic(6)
ResultSection(heur.name, body=heur.description, heuristic=heur, parent=self.file_res)

# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L1064
# and https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L1075
def check_relocations(self):
# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L1073
if not self.lief_binary.object_relocations:
ResultSection("No object relocation found", parent=self.file_res)

# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L1075
if not self.lief_binary.relocations:
ResultSection("No relocation found", parent=self.file_res)
heur = Heuristic(7)
ResultSection(heur.name, body=heur.description, heuristic=heur, parent=self.file_res)

def check_dynamic_entries(self):
# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L1538
if not self.elf.dynamic_entries:
heur = Heuristic(5)
ResultSection(heur.name, heuristic=heur, parent=self.file_res)
Expand All @@ -201,16 +180,10 @@ def add_functions(self):
res = ResultSection("Imported Functions")
res.set_body(json.dumps(self.elf.imported_functions), BODY_FORMAT.JSON)
self.file_res.add_section(res)
else:
# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L798
ResultSection("No imported function found", parent=self.file_res)
if hasattr(self.elf, "exported_functions") and self.elf.exported_functions:
res = ResultSection("Exported Functions")
res.set_body(json.dumps(self.elf.exported_functions), BODY_FORMAT.JSON)
self.file_res.add_section(res)
else:
# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L760
ResultSection("No exported function found", parent=self.file_res)

def execute(self, request: ServiceRequest):
request.result = Result()
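Review bot: Heuristic(8) in check_symbols and Heuristic(7) in check_relocations each add 100 to the file score on conditions that are routine for benign binaries — a fully stripped executable has no symbol table and a statically linked one may carry no relocations — and the two stack, as the 200→400 jump in the sample results shows. Nothing in the code records that these are weak indicators, so a later maintainer may raise the scores or treat the sections as alerts; a comment at the `heur = Heuristic(8)` line such as `# Stripped binaries are common for legitimate software; this is a weak indicator, not an alert` (and the same at Heuristic(7) and at Heuristic(6) for the no-dynamic-symbols case) would capture the intent. The truthiness test on `self.lief_binary.symbols` presumably relies on LIEF's iterator exposing `__len__`; if that binding changes, the branch silently never fires, so it is worth confirming against the LIEF version the service pins.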
21 changes: 21 additions & 0 deletions service_manifest.yml
Expand Up @@ -55,6 +55,27 @@ heuristics:
name: No dynamic entry found
score: 100

# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L1549
- description: Lief could not find a dynamic symbol
filetype: "executable/linux/.*"
heur_id: 6
name: No dynamic symbol found
score: 100

# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L1075
- description: Lief could not find any relocations
filetype: "executable/linux/.*"
heur_id: 7
name: No relocation found
score: 100

# Inspired by https://github.com/viper-framework/viper-modules/blob/00ee6cd2b2ad4ed278279ca9e383e48bc23a2555/lief.py#L426
- description: Lief could not find any symbols
filetype: "executable/linux/.*"
heur_id: 8
name: No symbol found
score: 100

docker_config:
image: ${REGISTRY}cccs/assemblyline-service-elf:$SERVICE_TAG
cpu_cores: 1
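Review bot: The three new descriptions are phrased inconsistently (`Lief could not find a dynamic symbol`, `Lief could not find any relocations`, `Lief could not find any symbols`), and since elf.py uses `heur.description` as the section body they are the text an analyst reads in the result. `description: Lief could not find any dynamic symbols` for heur_id 6 would match the other two and the plural condition being tested. With the `Inspired by` comments removed from elf.py, these manifest comments are now the only record of where the checks came from, so they are worth keeping as written.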
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 200,
"score": 400,
"sections": [
{
"auto_collapse": false,
Expand Down Expand Up @@ -836,77 +836,39 @@
},
{
"auto_collapse": false,
"body": null,
"body": "Lief could not find a dynamic symbol",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"promote_to": null,
"tags": {},
"title_text": "No imported symbol found",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": null,
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 6,
"score": 100,
"score_map": {},
"signatures": {}
},
"promote_to": null,
"tags": {},
"title_text": "No dynamic symbol found",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": null,
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"promote_to": null,
"tags": {},
"title_text": "No imported function found",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": null,
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"promote_to": null,
"tags": {},
"title_text": "No exported function found",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": null,
"body": "Lief could not find any relocations",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"promote_to": null,
"tags": {},
"title_text": "No object relocation found",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": null,
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 7,
"score": 100,
"score_map": {},
"signatures": {}
},
"promote_to": null,
"tags": {},
"title_text": "No relocation found",
Expand Down Expand Up @@ -954,6 +916,16 @@
"attack_ids": [],
"heur_id": 5,
"signatures": []
},
{
"attack_ids": [],
"heur_id": 6,
"signatures": []
},
{
"attack_ids": [],
"heur_id": 7,
"signatures": []
}
],
"tags": {
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 200,
"score": 400,
"sections": [
{
"auto_collapse": false,
Expand Down Expand Up @@ -445,64 +445,39 @@
},
{
"auto_collapse": false,
"body": null,
"body": "Lief could not find any symbols",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 8,
"score": 100,
"score_map": {},
"signatures": {}
},
"promote_to": null,
"tags": {},
"title_text": "No symbol found",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": null,
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"promote_to": null,
"tags": {},
"title_text": "No imported function found",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": null,
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"promote_to": null,
"tags": {},
"title_text": "No exported function found",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": null,
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"promote_to": null,
"tags": {},
"title_text": "No object relocation found",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": null,
"body": "Lief could not find any relocations",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 7,
"score": 100,
"score_map": {},
"signatures": {}
},
"promote_to": null,
"tags": {},
"title_text": "No relocation found",
Expand Down Expand Up @@ -550,6 +525,16 @@
"attack_ids": [],
"heur_id": 5,
"signatures": []
},
{
"attack_ids": [],
"heur_id": 7,
"signatures": []
},
{
"attack_ids": [],
"heur_id": 8,
"signatures": []
}
],
"tags": {
Expand Up @@ -1084,58 +1084,6 @@
"tags": {},
"title_text": "GNU Hash",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": null,
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"promote_to": null,
"tags": {},
"title_text": "No static symbol found",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": null,
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"promote_to": null,
"tags": {},
"title_text": "No imported function found",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": null,
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"promote_to": null,
"tags": {},
"title_text": "No exported function found",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": null,
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 0,
"heuristic": null,
"promote_to": null,
"tags": {},
"title_text": "No object relocation found",
"zeroize_on_tag_safe": false
}
]
},
