create script to create whitelists for all versions of given CMS

author: Mathieu Deous 2016-07-26 18:42:53 +0200
committer: Mathieu Deous 2016-07-28 17:56:19 +0200
commit: f8228c63bd13aec549a901d9600b17873c4850be (patch)
tree: a6c8fd240e417f6de5c624b78917b66d2ab12157
parent: 216702a22dac24e54c88404cf9cd38bca4f0645b (diff)
1 files changed, 181 insertions, 0 deletions
diff --git a/php-malware-finder/utils/mass_whitelist.py b/php-malware-finder/utils/mass_whitelist.py
new file mode 100755
index 0000000..3dd4769
--- /dev/null
+++ b/php-malware-finder/utils/mass_whitelist.py
@@ -0,0 +1,181 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+import re
+import sys
+import tarfile
+from copy import copy
+from collections import OrderedDict
+from hashlib import sha1
+from urllib2 import urlopen, HTTPError
+from StringIO import StringIO
+import yara
+USAGE = """
+USAGE: %(prog)s <NAME> <URL_PATTERN> [<MAJOR> [<MINOR> [<PATCH>]]]
+Options:
+    NAME : name of the CMS/whatever being whitelisted
+    URL_PATTERN : download URL with __version__ as a version placeholder
+    MAJOR : minimum and maximum major version to crawl (eg: 1-8, 8)
+    MINOR : minimum and maximum minor version to crawl
+    PATCH : minimum and maximum patch version to crawl
+Examples:
+    %(prog)s drupal https://ftp.drupal.org/files/projects/drupal-__version__.tar.gz 9 50
+    %(prog)s drupal https://ftp.drupal.org/files/projects/drupal-__version__.tar.gz 4-9 1-50
+    %(prog)s wordpress https://wordpress.org/wordpress-__version__.tar.gz 4 15
+""" % {'prog': sys.argv[0]}
+class Opts:
+    DEFAULT_MIN = 0
+    DEFAULT_MAX = 99
+    YARA_RULES = yara.compile('../php.yar', includes=True, error_on_warning=True)
+    @classmethod
+    def to_str(cls):
+        values = []
+        for attr in cls.__dict__:
+            if attr.isupper():
+                values.append('%s=%s' % (attr, getattr(cls, attr)))
+        return '<Opts(%s)>' % ' '.join(values)
+def extract_version_arg(index):
+    min_ver, max_ver = (Opts.DEFAULT_MIN, Opts.DEFAULT_MAX)
+    if len(sys.argv) >= (index + 1):
+        if '-' in sys.argv[index]:
+            min_ver, max_ver = map(int, sys.argv[index].split('-'))
+        else:
+            max_ver = int(sys.argv[index])
+    return min_ver, max_ver
+def generate_whitelist(version):
+    rules = {}
+    # download archive
+    dl_failed = False
+    download_url = Opts.URL_PATTERN.replace('__version__', version)
+    download_url_str = Opts.URL_PATTERN.replace('__version__', '\x1b[1;33m%s\x1b[0m' % version)
+    print "[+] Downloading %s... " % download_url_str,
+    try:
+        resp = urlopen(download_url)
+        resp_code = resp.code
+    except HTTPError as err:
+        dl_failed = True
+        resp_code = err.code
+    if dl_failed or (resp_code != 200):
+        print "\x1b[1;31mFAILED (%d)\x1b[0m" % resp_code
+        return None
+    data = StringIO(resp.read())
+    data.seek(0)
+    print "\x1b[1;32mOK\x1b[0m"
+    # extract archive and check against YARA signatures (in-memory)
+    tar = tarfile.open(mode='r:gz', fileobj=data)
+    for entry in tar.getnames():
+        entry_fd = tar.extractfile(entry)
+        if entry_fd is None:
+            continue
+        entry_data = entry_fd.read()
+        matches = Opts.YARA_RULES.match(data=entry_data, fast=True)
+        if matches:
+            rules['/'.join(entry.split('/')[1:])] = sha1(entry_data).hexdigest()
+    return rules
+# init vars
+whitelists = OrderedDict()
+# check args
+if (len(sys.argv) < 3) or (len(sys.argv) > 6):
+    print(USAGE)
+    sys.exit(1)
+# parse args
+Opts.CMS_NAME = sys.argv[1]
+Opts.URL_PATTERN = sys.argv[2]
+Opts.MIN_MAJOR, Opts.MAX_MAJOR = extract_version_arg(3)
+Opts.MIN_MINOR, Opts.MAX_MINOR = extract_version_arg(4)
+Opts.MIN_PATCH, Opts.MAX_PATCH = extract_version_arg(5)
+# loop over possible versions
+for vmajor in range(Opts.MIN_MAJOR, Opts.MAX_MAJOR + 1):
+    # download without vminor and vpatch (but ignore if it doesn't exist)
+    version = "%d" % vmajor
+    rules = generate_whitelist(version)
+    if (rules is not None) and rules:
+        whitelists[version] = rules
+    
+    has_mversion = False
+    first_mloop = True
+    for vminor in range(Opts.MIN_MINOR, Opts.MAX_MINOR + 1):
+        # download without vpatch (but ignore if it doesn't exist)
+        version = "%d.%d" % (vmajor, vminor)
+        rules = generate_whitelist(version)
+        if rules is not None: 
+            has_mversion = True
+            if rules:
+                whitelists[version] = rules
+        if (rules is None) and (has_mversion or not first_mloop):
+                break
+        first_mloop = False
+        has_pversion = False
+        first_ploop = True
+        for vpatch in range(Opts.MIN_PATCH, Opts.MAX_PATCH + 1):
+            version = "%d.%d.%d" % (vmajor, vminor, vpatch)
+            rules = generate_whitelist(version)
+            if rules is not None:
+                has_pversion = True
+                if rules:
+                    whitelists[version] = rules
+            # break loop if download failed and:
+            # - a version has already been found during this loop
+            # - this is the 2nd iteration (if a version wasn't found, it means download failed twice)
+            if (rules is None) and (has_pversion or not first_ploop):
+                break
+            first_ploop = False
+# remove duplicate entries:
+known_files = []
+for version, rules in copy(whitelists.items()):
+    used_rules = 0
+    for filename, digest in rules.items():
+        rtuple = (filename, digest)
+        if rtuple in known_files:
+            del whitelists[version][filename]
+        else:
+            known_files.append(rtuple)
+            used_rules += 1
+    if used_rules == 0:
+        del whitelists[version]
+# build final rule
+prefix = 8 * ' '
+conditions = []
+len_wl = len(whitelists.keys()) - 1
+for index, (version, rules) in enumerate(whitelists.items()):
+    cond_str = '%s/* %s %s */\n' % (prefix, Opts.CMS_NAME.title(), version)
+    len_rules = len(rules.keys()) - 1
+    for inner_index, (filename, digest) in enumerate(rules.items()):
+        if (index == len_wl) and (inner_index == len_rules):  # last loop iteration
+            cond_str += '%shash.sha1(0, filesize) == "%s"    // %s\n' % (prefix, digest, filename)
+        else:
+            cond_str += '%shash.sha1(0, filesize) == "%s" or // %s\n' % (prefix, digest, filename)
+    conditions.append(cond_str)
+final_rule = """
+import "hash"
+rule %(name)s
+{
+    condition:
+%(conditions)s
+}
+""" % {'name': Opts.CMS_NAME, 'conditions': '\n'.join(conditions)}
+print final_rule
author	Mathieu Deous	2016-07-26 18:42:53 +0200
committer	Mathieu Deous	2016-07-28 17:56:19 +0200
commit	f8228c63bd13aec549a901d9600b17873c4850be (patch)
tree	a6c8fd240e417f6de5c624b78917b66d2ab12157
parent	216702a22dac24e54c88404cf9cd38bca4f0645b (diff)

diff --git a/php-malware-finder/utils/mass_whitelist.py b/php-malware-finder/utils/mass_whitelist.py new file mode 100755 index 0000000..3dd4769 --- /dev/null +++ b/php-malware-finder/utils/mass_whitelist.py
@@ -0,0 +1,181 @@
	1	#!/usr/bin/env python
	2	# -- coding: utf-8 --
	3
	4	import re
	5	import sys
	6	import tarfile
	7	from copy import copy
	8	from collections import OrderedDict
	9	from hashlib import sha1
	10	from urllib2 import urlopen, HTTPError
	11	from StringIO import StringIO
	12
	13	import yara
	14
	15	USAGE = """
	16	USAGE: %(prog)s <NAME> <URL_PATTERN> [<MAJOR> [<MINOR> [<PATCH>]]]
	17
	18	Options:
	19	NAME : name of the CMS/whatever being whitelisted
	20	URL_PATTERN : download URL with __version__ as a version placeholder
	21	MAJOR : minimum and maximum major version to crawl (eg: 1-8, 8)
	22	MINOR : minimum and maximum minor version to crawl
	23	PATCH : minimum and maximum patch version to crawl
	24
	25	Examples:
	26	%(prog)s drupal https://ftp.drupal.org/files/projects/drupal-__version__.tar.gz 9 50
	27	%(prog)s drupal https://ftp.drupal.org/files/projects/drupal-__version__.tar.gz 4-9 1-50
	28	%(prog)s wordpress https://wordpress.org/wordpress-__version__.tar.gz 4 15
	29	""" % {'prog': sys.argv[0]}
	30
	31
	32	class Opts:
	33	DEFAULT_MIN = 0
	34	DEFAULT_MAX = 99
	35	YARA_RULES = yara.compile('../php.yar', includes=True, error_on_warning=True)
	36
	37	@classmethod
	38	def to_str(cls):
	39	values = []
	40	for attr in cls.__dict__:
	41	if attr.isupper():
	42	values.append('%s=%s' % (attr, getattr(cls, attr)))
	43	return '<Opts(%s)>' % ' '.join(values)
	44
	45
	46	def extract_version_arg(index):
	47	min_ver, max_ver = (Opts.DEFAULT_MIN, Opts.DEFAULT_MAX)
	48	if len(sys.argv) >= (index + 1):
	49	if '-' in sys.argv[index]:
	50	min_ver, max_ver = map(int, sys.argv[index].split('-'))
	51	else:
	52	max_ver = int(sys.argv[index])
	53	return min_ver, max_ver
	54
	55
	56	def generate_whitelist(version):
	57	rules = {}
	58
	59	# download archive
	60	dl_failed = False
	61	download_url = Opts.URL_PATTERN.replace('__version__', version)
	62	download_url_str = Opts.URL_PATTERN.replace('__version__', '\x1b[1;33m%s\x1b[0m' % version)
	63	print "[+] Downloading %s... " % download_url_str,
	64	try:
	65	resp = urlopen(download_url)
	66	resp_code = resp.code
	67	except HTTPError as err:
	68	dl_failed = True
	69	resp_code = err.code
	70	if dl_failed or (resp_code != 200):
	71	print "\x1b[1;31mFAILED (%d)\x1b[0m" % resp_code
	72	return None
	73	data = StringIO(resp.read())
	74	data.seek(0)
	75	print "\x1b[1;32mOK\x1b[0m"
	76
	77	# extract archive and check against YARA signatures (in-memory)
	78	tar = tarfile.open(mode='r:gz', fileobj=data)
	79	for entry in tar.getnames():
	80	entry_fd = tar.extractfile(entry)
	81	if entry_fd is None:
	82	continue
	83	entry_data = entry_fd.read()
	84	matches = Opts.YARA_RULES.match(data=entry_data, fast=True)
	85	if matches:
	86	rules['/'.join(entry.split('/')[1:])] = sha1(entry_data).hexdigest()
	87
	88	return rules
	89
	90
	91	# init vars
	92	whitelists = OrderedDict()
	93
	94	# check args
	95	if (len(sys.argv) < 3) or (len(sys.argv) > 6):
	96	print(USAGE)
	97	sys.exit(1)
	98
	99	# parse args
	100	Opts.CMS_NAME = sys.argv[1]
	101	Opts.URL_PATTERN = sys.argv[2]
	102	Opts.MIN_MAJOR, Opts.MAX_MAJOR = extract_version_arg(3)
	103	Opts.MIN_MINOR, Opts.MAX_MINOR = extract_version_arg(4)
	104	Opts.MIN_PATCH, Opts.MAX_PATCH = extract_version_arg(5)
	105
	106	# loop over possible versions
	107	for vmajor in range(Opts.MIN_MAJOR, Opts.MAX_MAJOR + 1):
	108	# download without vminor and vpatch (but ignore if it doesn't exist)
	109	version = "%d" % vmajor
	110	rules = generate_whitelist(version)
	111	if (rules is not None) and rules:
	112	whitelists[version] = rules
	113
	114	has_mversion = False
	115	first_mloop = True
	116	for vminor in range(Opts.MIN_MINOR, Opts.MAX_MINOR + 1):
	117	# download without vpatch (but ignore if it doesn't exist)
	118	version = "%d.%d" % (vmajor, vminor)
	119	rules = generate_whitelist(version)
	120	if rules is not None:
	121	has_mversion = True
	122	if rules:
	123	whitelists[version] = rules
	124	if (rules is None) and (has_mversion or not first_mloop):
	125	break
	126	first_mloop = False
	127
	128	has_pversion = False
	129	first_ploop = True
	130	for vpatch in range(Opts.MIN_PATCH, Opts.MAX_PATCH + 1):
	131	version = "%d.%d.%d" % (vmajor, vminor, vpatch)
	132	rules = generate_whitelist(version)
	133	if rules is not None:
	134	has_pversion = True
	135	if rules:
	136	whitelists[version] = rules
	137	# break loop if download failed and:
	138	# - a version has already been found during this loop
	139	# - this is the 2nd iteration (if a version wasn't found, it means download failed twice)
	140	if (rules is None) and (has_pversion or not first_ploop):
	141	break
	142	first_ploop = False
	143
	144	# remove duplicate entries:
	145	known_files = []
	146	for version, rules in copy(whitelists.items()):
	147	used_rules = 0
	148	for filename, digest in rules.items():
	149	rtuple = (filename, digest)
	150	if rtuple in known_files:
	151	del whitelists[version][filename]
	152	else:
	153	known_files.append(rtuple)
	154	used_rules += 1
	155	if used_rules == 0:
	156	del whitelists[version]
	157
	158	# build final rule
	159	prefix = 8 * ' '
	160	conditions = []
	161	len_wl = len(whitelists.keys()) - 1
	162	for index, (version, rules) in enumerate(whitelists.items()):
	163	cond_str = '%s/* %s %s */\n' % (prefix, Opts.CMS_NAME.title(), version)
	164	len_rules = len(rules.keys()) - 1
	165	for inner_index, (filename, digest) in enumerate(rules.items()):
	166	if (index == len_wl) and (inner_index == len_rules): # last loop iteration
	167	cond_str += '%shash.sha1(0, filesize) == "%s" // %s\n' % (prefix, digest, filename)
	168	else:
	169	cond_str += '%shash.sha1(0, filesize) == "%s" or // %s\n' % (prefix, digest, filename)
	170	conditions.append(cond_str)
	171
	172	final_rule = """
	173	import "hash"
	174
	175	rule %(name)s
	176	{
	177	condition:
	178	%(conditions)s
	179	}
	180	""" % {'name': Opts.CMS_NAME, 'conditions': '\n'.join(conditions)}
	181	print final_rule