Fix #21 KeyError: 'minopsz'

lisa/analysis/anomaly.py

@@ -3,7 +3,7 @@
 """
 
 
-class Anomaly():
+class Anomaly:
     """Anomaly base structure.
 
     :param name: Name of anomaly.

lisa/analysis/network_analysis.py

@@ -41,7 +41,7 @@ def is_ip_blacklisted(ipaddr):
         mid = low + (high - low) // 2
         ipmid = ipblacklist[mid]
 
-        if ip >= ipmid[0] and ip <= ipmid[1]:
+        if ipmid[0] <= ip <= ipmid[1]:
             return True
         elif ip < ipmid[0]:
             high = mid - 1
@@ -60,11 +60,11 @@ def is_ip_local(ipaddr):
     ip = int(ipaddress.ip_address(ipaddr))
 
     # 10.x.x.x
-    if ip >= 167772160 and ip < 184549376:
+    if 167772160 <= ip < 184549376:
         return True
 
     # 172.16.0.0 – 172.31.255.255
-    if ip >= 2886729728 and ip < 2887778304:
+    if 2886729728 <= ip < 2887778304:
         return True
 
     # 192.168.x.x

lisa/analysis/static_analysis.py

@@ -27,7 +27,7 @@ def run_analysis(self):
         log.info('Static Analysis started.')
 
         # start radare2
-        self._r2 = r2pipe.open(self._file.path, ['-2'])
+        self._r2 = r2pipe.open(self._file.path)
         self._r2.cmd('aaa')
 
         # binary info
@@ -59,8 +59,8 @@ def _r2_info(self):
             'language': info['bin']['lang'],
             'stripped': info['bin']['stripped'],
             'relocations': info['bin']['relocs'],
-            'min_opsize': info['bin']['minopsz'],
-            'max_opsize': info['bin']['maxopsz'],
+            'min_opsize': info['core']['minopsz'],
+            'max_opsize': info['core']['maxopsz'],
             'entry_point': entry_point[0]['vaddr']
         }
 

lisa/analysis/top_level.py

@@ -29,7 +29,7 @@ def create_analyzer(analyzer_path, file_path):
     return analyzer_class(file_path)
 
 
-class Master():
+class Master:
     """Top level analyzer of binary files.
 
     :param file_path: Path to binary file.

lisa/analysis/yara_scan.py

@@ -0,0 +1,52 @@
+import yara
+
+
+class YaraScan:
+    # https://yara.readthedocs.io/en/stable/yarapython.html
+    def __init__(self, path):
+        """
+        param path: absolute path to rules
+        """
+        is_compiled = self.is_compiled_rules(path)
+        if not is_compiled:
+            # Load rules from file and compile
+            self.rules = yara.compile(filepath=path)
+        else:
+            # Load compiled rules to memory
+            self.rules = yara.load(path)
+        self.__rule_matched = ""
+
+    def is_compiled_rules(self, path):
+        """
+        Check if uploaded yara rule is compiled rule or string
+        param path: absolute path to rules
+        """
+        yara_file_magic = b"YARA"
+        with open(path, "rb") as read_header:
+            if read_header.read(4) == yara_file_magic:
+                return True
+        # FIXME if reading the file returns error?
+        return False
+
+    def scan_callback(self, data):
+        if data["matches"]:
+            print(data)  # TODO use logging instead
+            self.__rule_matched = data
+            return yara.CALLBACK_ABORT
+        return yara.CALLBACK_CONTINUE
+
+    def scan_file(self, file_path):
+        self.rules.match(filepath=file_path, callback=self.scan_callback)
+
+    def scan_process(self, pid):
+        self.rules.match(pid=pid, callback=self.scan_callback)
+
+    def get_scan_result(self):
+        """
+        Allow other classes to get the scan result
+        Clean the result after it was called
+        Remove data to avoid wrong result in cache
+        """
+        result = self.__rule_matched
+        self.__rule_matched = ""
+        return result

lisa/core/architecture.py

@@ -45,7 +45,7 @@ def get_architecture(file_path):
         # check ELF header 7xELF
         if header[:4] != b'\x7fELF':
             log.critical('Analyzed file has invalid ELF header.')
-            return (None, None, None)
+            return None, None, None
 
         # 32 vs 64 bit
         if header[4] == 1:
@@ -65,4 +65,4 @@ def get_architecture(file_path):
         if byte_arch_code in e_machine:
             arch = e_machine[byte_arch_code]
 
-    return (arch, bit, endian)
+    return arch, bit, endian

lisa/core/base.py

@@ -51,7 +51,7 @@ def output(self):
         return self._output
 
 
-class AnalyzedFile():
+class AnalyzedFile:
     """Class for holding analyzed samples information.
 
     :param file_path: Path to analyzed file.
@@ -131,7 +131,7 @@ def exec_time(self):
         return self._exec_time
 
 
-class AnalyzedPcap():
+class AnalyzedPcap:
     """Class for holding analyzed pcap information.
 
     :param pcap_path: Path to pcap.

lisa/core/file_handling.py

@@ -33,7 +33,7 @@ def save_output(output, output_file, indented=False):
     :param output: Analysis output to be saved.
     :param output_file: Output file path.
     :param indented: Indentation of json file.
-    :returns: Boolean whether file was saved succesfully.
+    :returns: Boolean whether file was saved successfully.
     """
     with opened_w_error(output_file, 'w') as (f, err):
         if err:
@@ -44,4 +44,4 @@ def save_output(output, output_file, indented=False):
                 json.dump(output, f, indent=4)
             else:
                 json.dump(output, f)
-            log.info(f'File saved succesfully to {output_file}.')
+            log.info(f'File saved successfully to {output_file}.')

lisa/core/qemu_guest.py

@@ -14,7 +14,7 @@
 log = logging.getLogger()
 
 
-class QEMUGuest():
+class QEMUGuest:
     """QEMU guest handling.
 
     :param file: Targeted binary to emulate.
@@ -69,7 +69,7 @@ def process(self):
     def send_command(self, command):
         """Sends command to guest VM and returns it's output.
 
-        :param command: String containing desired commmand.
+        :param command: String containing desired command.
         :returns: Command's output inside VM.
         """
         if not self._is_running:

requirements.txt

@@ -12,3 +12,4 @@ pymysql==0.9.3
 uwsgi==2.0.18
 pytest==4.3.0
 pytest-cov==2.6.1
+yara>=4.0.4