#!/usr/bin/env python3
# -*-coding:UTF-8 -*
"""
Decoder module
Detect Binary and decode it
"""
##################################
# Import External packages
##################################
import time
import os
import base64
from hashlib import sha1
import magic
import json
import datetime
import re
import signal
import sys
# Make the project packages imported below (modules.*, lib.*) resolvable from
# the AIL bin directory; AIL_BIN must be set in the environment, otherwise
# this raises KeyError at import time.
sys.path.append(os.environ['AIL_BIN'])
##################################
# Import Project packages
##################################
from modules.abstract_module import AbstractModule
from lib.ConfigLoader import ConfigLoader
from lib.objects.Items import Item
from lib.objects import Decodeds
config_loader = ConfigLoader()

# Redis connection used by Decoder.__init__ to register decoder names.
serv_metadata = config_loader.get_redis_conn("ARDB_Metadata")

# Per-decoder time budget for one regex search, in seconds (consumed by
# signal.alarm in Decoder.compute). Read once at import time.
hex_max_execution_time = config_loader.get_config_int("Hex", "max_execution_time")
binary_max_execution_time = config_loader.get_config_int("Binary", "max_execution_time")
base64_max_execution_time = config_loader.get_config_int("Base64", "max_execution_time")

# Drop the loader once the values are read; nothing else in this file uses it.
config_loader = None
#####################################################
#####################################################
# # TODO: use regex_helper
class TimeoutException(Exception):
    """Raised by timeout_handler when the SIGALRM armed in Decoder.compute fires."""
    pass
def timeout_handler(signum, frame):
    """SIGALRM handler: abort the running regex search by raising TimeoutException.

    Args:
        signum: signal number delivered by the runtime (unused).
        frame: interrupted stack frame (unused).

    Raises:
        TimeoutException: always.
    """
    del signum, frame  # unused, but the signal handler signature requires them
    raise TimeoutException()
# # TODO: # FIXME: Remove signal -> replace with regex_helper
# Install the SIGALRM handler once, process-wide. Decoder.compute arms it with
# signal.alarm() before every regex search so a search over hostile or
# pathological content is abandoned instead of stalling the worker.
# NOTE(review): signal.signal must be called from the main thread; importing
# this module from a worker thread would fail here.
signal.signal(signal.SIGALRM, timeout_handler)
#####################################################
####################################################
class Decoder(AbstractModule):
    """
    Decoder module for AIL framework

    Scans an item's content for runs of encoded data (base64, binary and
    hexadecimal; regexes in __init__), decodes each match that reaches the
    decoder's minimum size, stores the result as a Decoded object keyed by its
    SHA-1 and tags the item. Every regex search runs under a SIGALRM budget
    (see timeout_handler and compute): item content is external input, so a
    search that overruns max_execution_time is abandoned rather than allowed to
    stall the worker.
    """

    # TODO to lambda expr
    def hex_decoder(self, hexStr):
        """Decode a run of hex digits into bytes, two characters per byte.

        An odd trailing character is decoded on its own as a one-digit value
        (int(..., 16) accepts it); bytes.fromhex would reject that length.
        """
        #hexStr = ''.join( hex_string.split(" ") )
        return bytes(bytearray([int(hexStr[i:i+2], 16) for i in range(0, len(hexStr), 2)]))

    # TODO to lambda expr
    def binary_decoder(self, binary_string):
        """Decode a run of '0'/'1' characters into bytes, eight characters per byte.

        regex_binary (in __init__) does not force a multiple of eight, so a
        trailing group shorter than eight bits is decoded as a smaller value.
        """
        return bytes(bytearray([int(binary_string[i:i+8], 2) for i in range(0, len(binary_string), 8)]))

    # TODO to lambda expr
    def base64_decoder(self, base64_string):
        """Decode a base64 string; raises binascii.Error on incorrect padding.

        Non-validating decode: characters outside the base64 alphabet would be
        discarded, but regex_base64 only yields well-formed, padded matches.
        """
        return base64.b64decode(base64_string)

    def __init__(self):
        super(Decoder, self).__init__()

        # Minimum run lengths live in the regexes; encoded_min_size below
        # filters further before anything is decoded.
        regex_binary = r'[0-1]{40,}'
        # regex_hex = r'(0[xX])?[A-Fa-f0-9]{40,}'
        regex_hex = r'[A-Fa-f0-9]{40,}'
        # at least two 4-char groups followed by a properly padded final group
        regex_base64 = r'(?:[A-Za-z0-9+/]{4}){2,}(?:[A-Za-z0-9+/]{2}[AEIMQUYcgkosw048]=|[A-Za-z0-9+/][AQgw]==)'

        cmp_regex_binary = re.compile(regex_binary)
        cmp_regex_hex = re.compile(regex_hex)
        cmp_regex_base64 = re.compile(regex_base64)

        # map decoder function (keys match the 'name' of each decoder dict below)
        self.decoder_function = {'binary': self.binary_decoder, 'hexadecimal': self.hex_decoder, 'base64': self.base64_decoder}

        # list all decoder with regex,
        # max_execution_time is the signal.alarm budget (seconds) for one findall in compute
        decoder_binary = {'name': 'binary', 'regex': cmp_regex_binary, 'encoded_min_size': 300, 'max_execution_time': binary_max_execution_time}
        decoder_hexadecimal = {'name': 'hexadecimal', 'regex': cmp_regex_hex, 'encoded_min_size': 300, 'max_execution_time': hex_max_execution_time}
        decoder_base64 = {'name': 'base64', 'regex': cmp_regex_base64, 'encoded_min_size': 40, 'max_execution_time': base64_max_execution_time}

        # NOTE(review): base64 is listed twice — presumably a second pass once
        # binary/hex matches have been stripped from the content; confirm intended.
        self.decoder_order = [decoder_base64, decoder_binary, decoder_hexadecimal, decoder_base64]

        # register every decoder name in the shared 'all_decoder' set
        for decoder in self.decoder_order:
            serv_metadata.sadd('all_decoder', decoder['name'])

        # Waiting time in seconds between two processed messages
        self.pending_seconds = 1

        # Send module state to logs
        self.redis_logger.info(f'Module {self.module_name} initialized')

    def compute(self, message):
        """Run every decoder in self.decoder_order over the item named by message.

        Args:
            message: passed straight to Item(); presumably the item id as
                delivered by the module queue — verify against AbstractModule.

        Each findall is armed with signal.alarm(decoder['max_execution_time']);
        if timeout_handler fires, the decoder is counted in the module timeout
        statistic and skipped. Matches go to decode_string, which returns the
        content with the decoded runs removed so later decoders only see what
        is left.
        """
        item = Item(message)
        content = item.get_content()
        date = item.get_date()

        for decoder in self.decoder_order: # add threshold and size limit
            # max execution time on regex
            # NOTE(review): a configured value of 0 cancels the alarm, i.e. no time limit.
            signal.alarm(decoder['max_execution_time'])

            try:
                encoded_list = decoder['regex'].findall(content)
            except TimeoutException:
                encoded_list = []
                self.process.incr_module_timeout_statistic() # add encoder type
                self.redis_logger.debug(f"{item.id} processing timeout")
                continue
            else:
                # Disarm only on the success path; after a timeout the alarm
                # has already fired. NOTE(review): the alarm can still fire
                # between the end of the try body and this call, which would
                # raise TimeoutException outside the except clause above.
                signal.alarm(0)

            if len(encoded_list) > 0:
                content = self.decode_string(content, item.id, date, encoded_list, decoder['name'], decoder['encoded_min_size'])

    def decode_string(self, content, item_id, date, encoded_list, decoder_name, encoded_min_size):
        """Decode the matches in encoded_list that are at least encoded_min_size long.

        For each qualifying match: decode it with
        self.decoder_function[decoder_name], key the result by its SHA-1,
        guess its mimetype, persist it, link it to the item and strip the
        encoded text from the working copy of content. If at least one match
        was decoded, an infoleak tag message is sent to the 'Tags' queue.

        Args:
            content: text of the item the matches were found in.
            item_id: identifier of that item.
            date: item date, forwarded to the Decoded object.
            encoded_list: matches returned by the decoder's regex in compute.
            decoder_name: key into self.decoder_function ('binary', 'hexadecimal' or 'base64').
            encoded_min_size: matches shorter than this are ignored.

        Returns:
            content with the first occurrence of every decoded match removed.

        Raises:
            Exception: when no mimetype can be guessed for a decoded blob.
            KeyError: when decoder_name is not a key of self.decoder_function.
            binascii.Error: presumably, from base64_decoder on malformed input — confirm.
        """
        find = False
        for encoded in encoded_list:
            if len(encoded) >= encoded_min_size:
                decoded_file = self.decoder_function[decoder_name](encoded)
                find = True

                # keyed by content hash: the same blob yields the same
                # sha1_string wherever it is found
                sha1_string = sha1(decoded_file).hexdigest()
                # NOTE(review): Decoded is not imported in this file (only the
                # Decodeds module is) — confirm where the name comes from.
                decoded = Decoded(sha1_string)

                mimetype = decoded.guess_mimetype(decoded_file)
                if not mimetype:
                    print(item_id)
                    print(sha1_string)
                    # NOTE(review): this aborts the whole item, including its
                    # remaining matches and decoders; since the blob comes from
                    # external content, consider skipping just this match.
                    raise Exception(f'Invalid mimetype: {sha1_string} {item_id}')

                # NOTE(review): create() receives the item text rather than
                # decoded_file — confirm this is the intended payload.
                decoded.create(content, date)
                decoded.add(decoder_name, date, item_id, mimetype)

                # NOTE(review): save_item_relationship is neither defined nor
                # imported in this file.
                save_item_relationship(sha1_string, item_id) ################################

                # remove encoded from item content (first occurrence only, so
                # repeated identical matches each remove one copy)
                content = content.replace(encoded, '', 1)

                self.redis_logger.debug(f'{item_id} : {decoder_name} - {mimetype}')
                print(f'{item_id} : {decoder_name} - {mimetype}')
        if find:
            self.redis_logger.info(f'{decoder_name} decoded')
            print(f'{decoder_name} decoded')

            # Send to Tags
            msg = f'infoleak:automatic-detection="{decoder_name}";{item_id}'
            self.send_message_to_queue(msg, 'Tags')

        # perf: remove encoded from item content
        return content
if __name__ == '__main__':
    # # TODO: TEST ME
    # Standalone entry point: build the module and hand control to its run loop.
    Decoder().run()