diff options
| author | Felix Bauer <jack@ai4me.de> | 2019-10-02 15:54:56 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-10-02 15:54:56 +0200 |
| commit | b3d21e8b689b5fe59335cfff99414d92d45aadb9 (patch) | |
| tree | aead49295dbee276d69d8a59b3c25525b9406830 | |
| parent | baab4937eff80e950db33a080790ad4b2a45b99d (diff) | |
Remove file extension check from oletools module (#105)
The file extension was checked against a list with office file extensions
preventing analysis of non office files.
Therefore the oletools module couldn't be used on other files with oterh
extensions e.g. rtf.
Now any file can be processed with oletools module.
Tests and documentation have been adapted accordingly.
| -rw-r--r-- | CHANGELOG.md | 2 | ||||
| -rw-r--r-- | peekaboo/toolbox/ole.py | 9 | ||||
| -rw-r--r-- | ruleset.conf.sample | 6 | ||||
| -rw-r--r-- | tests/test-data/office/example.rtf | 8 | ||||
| -rw-r--r-- | tests/test-data/office/suspiciousMacro.rtf | bin | 0 -> 28672 bytes | |||
| -rwxr-xr-x | tests/test.py | 45 |
6 files changed, 43 insertions, 27 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 861c131..ed110c9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ See documentation for details. ## devel +- Generic rules allow to evaluate expressions with sample, cuckooreport and + olereport - Distribute and install sample configuration files in/from PyPI source distribution - Make list of rules to run configurable in members and order. See diff --git a/peekaboo/toolbox/ole.py b/peekaboo/toolbox/ole.py index b4d9eb6..fb907e9 100644 --- a/peekaboo/toolbox/ole.py +++ b/peekaboo/toolbox/ole.py @@ -36,21 +36,12 @@ class OleNotAnOfficeDocumentException(Exception): class Oletools(object): """ Parent class, defines interface to Oletools. """ - def __init__(self): - self.MS_OFFICE_EXTENSIONS = [ - "doc", "docm", "dotm", "docx", - "ppt", "pptm", "pptx", "potm", "ppam", "ppsm", - "xls", "xlsm", "xlsx", - ] - def get_report(self, sample): """ Return oletools report or create if not already cached. """ if sample.oletools_report != None: return sample.oletools_report report = {} - if sample.file_extension not in self.MS_OFFICE_EXTENSIONS: - raise OleNotAnOfficeDocumentException(sample.file_extension) try: vbaparser = VBA_Parser(sample.file_path) diff --git a/ruleset.conf.sample b/ruleset.conf.sample index e0b2ef2..84d1cae 100644 --- a/ruleset.conf.sample +++ b/ruleset.conf.sample @@ -90,7 +90,11 @@ expression.3 : sample.meta_info_name_declared == 'signature.asc' and sample.meta_info_type_declared in { 'application/pgp-signature' } -> ignore -expression.4 : olereport.has_office_macros == True +expression.4 : sample.file_extension in { + 'doc', 'docm', 'dotm', 'docx', + 'ppt', 'pptm', 'pptx', 'potm', 'ppam', 'ppsm', + 'xls', 'xlsm', 'xlsx' } + and olereport.has_office_macros == True and cuckooreport.score > 4 -> bad [cuckoo_evil_sig] diff --git a/tests/test-data/office/example.rtf b/tests/test-data/office/example.rtf new file mode 100644 index 0000000..b4192f7 --- /dev/null +++ b/tests/test-data/office/example.rtf @@ -0,0 +1,8 @@ +{\rtf1\ansi\ansicpg1252\cocoartf1671\cocoasubrtf600 +{\fonttbl\f0\fswiss\fcharset0 Helvetica;} +{\colortbl;\red255\green255\blue255;} +{\*\expandedcolortbl;;} +\paperw11900\paperh16840\margl1440\margr1440\vieww13500\viewh10800\viewkind0 +\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\pardirnatural\partightenfactor0 + +\f0\fs30 \cf0 Example rtf File}
\ No newline at end of file diff --git a/tests/test-data/office/suspiciousMacro.rtf b/tests/test-data/office/suspiciousMacro.rtf Binary files differnew file mode 100644 index 0000000..f618a97 --- /dev/null +++ b/tests/test-data/office/suspiciousMacro.rtf diff --git a/tests/test.py b/tests/test.py index 6ab72b2..1300cae 100755 --- a/tests/test.py +++ b/tests/test.py @@ -752,27 +752,23 @@ unknown : baz''' keyword.2 : AutoClose keyword.3 : suSPi.ious''' rule = OfficeMacroWithSuspiciousKeyword(CreatingConfigParser(config)) - # sample factory to create samples from real files - factory1 = SampleFactory( - cuckoo=None, base_dir=None, job_hash_regex=None, - keep_mail_data=False, processing_info_dir=None) - # sampe factory to create samples with defined content - factory2 = CreatingSampleFactory( + # sampe factory to create samples + factory = CreatingSampleFactory( cuckoo=None, base_dir=None, job_hash_regex=None, keep_mail_data=False, processing_info_dir=None) tests_data_dir = os.path.dirname(os.path.abspath(__file__))+"/test-data" combinations = [ # no office document file extension - [Result.unknown, factory2.make_sample('test.nodoc', 'test')], + [Result.unknown, factory.create_sample('test.nodoc', 'test')], # test with empty file - [Result.unknown, factory1.make_sample(tests_data_dir+'/office/empty.doc')], + [Result.unknown, factory.make_sample(tests_data_dir+'/office/empty.doc')], # office document with 'suspicious' in macro code - [Result.bad, factory1.make_sample(tests_data_dir+'/office/suspiciousMacro.doc')], + [Result.bad, factory.make_sample(tests_data_dir+'/office/suspiciousMacro.doc')], # test with blank word doc - [Result.unknown, factory1.make_sample(tests_data_dir+'/office/blank.doc')], + [Result.unknown, factory.make_sample(tests_data_dir+'/office/blank.doc')], # test with legitimate macro - [Result.unknown, factory1.make_sample(tests_data_dir+'/office/legitmacro.xls')] + [Result.unknown, factory.make_sample(tests_data_dir+'/office/legitmacro.xls')] ] for expected, sample in combinations: result = rule.evaluate(sample) @@ -782,15 +778,15 @@ unknown : baz''' rule = OfficeMacroRule(CreatingConfigParser(config)) combinations = [ # no office document file extension - [Result.unknown, factory2.make_sample('test.nodoc', 'test')], + [Result.unknown, factory.create_sample('test.nodoc', 'test')], # test with empty file - [Result.unknown, factory1.make_sample(tests_data_dir+'/office/empty.doc')], + [Result.unknown, factory.make_sample(tests_data_dir+'/office/empty.doc')], # office document with 'suspicious' in macro code - [Result.bad, factory1.make_sample(tests_data_dir+'/office/suspiciousMacro.doc')], + [Result.bad, factory.make_sample(tests_data_dir+'/office/suspiciousMacro.doc')], # test with blank word doc - [Result.unknown, factory1.make_sample(tests_data_dir+'/office/blank.doc')], + [Result.unknown, factory.make_sample(tests_data_dir+'/office/blank.doc')], # test with legitimate macro - [Result.bad, factory1.make_sample(tests_data_dir+'/office/legitmacro.xls')] + [Result.bad, factory.make_sample(tests_data_dir+'/office/legitmacro.xls')] ] for expected, sample in combinations: result = rule.evaluate(sample) @@ -957,7 +953,7 @@ unknown : baz''' def test_rule_expressions_olereport_context(self): """ Test generic rule olereport context """ config = '''[expressions] - expression.3 : olereport.has_office_macros == True -> bad + expression.3 : sample.file_extension in {'doc', 'rtf'} and olereport.has_office_macros == True -> bad ''' factory = CreatingSampleFactory( @@ -965,6 +961,21 @@ unknown : baz''' keep_mail_data=False, processing_info_dir=None) tests_data_dir = os.path.dirname(os.path.abspath(__file__))+"/test-data" + sample = factory.make_sample(tests_data_dir+'/office/blank.doc') + rule = ExpressionRule(CreatingConfigParser(config)) + result = rule.evaluate(sample) + self.assertEqual(result.result, Result.unknown) + + sample = factory.make_sample(tests_data_dir+'/office/example.rtf') + rule = ExpressionRule(CreatingConfigParser(config)) + result = rule.evaluate(sample) + self.assertEqual(result.result, Result.unknown) + + sample = factory.make_sample(tests_data_dir+'/office/suspiciousMacro.rtf') + rule = ExpressionRule(CreatingConfigParser(config)) + result = rule.evaluate(sample) + self.assertEqual(result.result, Result.bad) + sample = factory.make_sample(tests_data_dir+'/office/suspiciousMacro.doc') rule = ExpressionRule(CreatingConfigParser(config)) result = rule.evaluate(sample) |