path: root/generate_whitelist.py
blob: 791bab93e116e94d76f9ef89330d30acf081ca01 (plain)
#!/usr/bin/env python

import fnmatch
import hashlib
import os
import re
import sys

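try:
    import yara
except ImportError:
    # A missing dependency is a failure, not a success: report it on stderr
    # (stdout carries the generated rule) and exit non-zero so a wrapper
    # script or CI job notices instead of silently getting an empty rule.
    sys.stderr.write('Please install python-yara\n')
    sys.exit(1)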

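# Generate a private YARA "whitelist" rule for a known-clean tree (e.g. a
# fresh CMS release): every non-empty *.ph* file under the folder that still
# triggers ./malwares.yara is recorded by the SHA-1 of its CONTENTS, so a
# consuming ruleset can exclude those known false positives with
# `not <rule_name>`.  Keying on content rather than on path means any later
# modification of a whitelisted file drops it out of the whitelist again.
# The consuming ruleset must `import "hash"` for `hash.sha1` to resolve.

# YARA rule identifiers: letters, digits and underscore, not starting with a
# digit, at most 128 characters.  Anything else makes the emitted rule fail
# to compile, so reject it up front.
YARA_IDENTIFIER = re.compile(r'^[A-Za-z_][A-Za-z0-9_]{0,127}$')


def sha1_of_file(path, chunk_size=65536):
    """Return the hex SHA-1 digest of the contents of *path*.

    Reads in *chunk_size* byte pieces so large files do not have to be held
    in memory at once.
    """
    digest = hashlib.sha1()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b''):
            digest.update(chunk)
    return digest.hexdigest()


def collect_flagged_files(rules, folder, pattern='*.ph*'):
    """Yield ``(sha1_hex, path)`` for each file under *folder* that should
    be whitelisted.

    A file qualifies when its name matches *pattern*, it is a non-empty
    regular file, and ``rules.match(path, fast=True)`` reports at least one
    match.  Directory traversal order is that of ``os.walk``.
    """
    for root, _dirnames, filenames in os.walk(folder):
        for filename in fnmatch.filter(filenames, pattern):
            path = os.path.join(root, filename)
            # Empty files cannot carry a payload and only add noise; skip
            # non-regular files so we never block hashing a FIFO or device.
            if not os.path.isfile(path) or not os.path.getsize(path):
                continue
            if rules.match(path, fast=True):
                yield sha1_of_file(path), path


def build_whitelist_rule(rule_name, label, entries):
    """Render the private YARA rule text for *entries*.

    rule_name: validated YARA identifier used as the rule name.
    label:     free text (typically "name version") placed in a comment
               inside the condition.
    entries:   iterable of ``(sha1_hex, path)``; the path only appears in a
               trailing ``//`` comment so a reviewer can see where each hash
               came from.

    Returns the rule as a string.  With no entries the condition is
    ``false`` — still valid YARA, so a ruleset including it keeps compiling.
    """
    # `hash.sha1(offset, size)` hashes a byte range of the scanned file;
    # `0, filesize` covers the whole file.  The digest must be quoted: YARA
    # compares it as a string, an unquoted hex blob is a parse error.
    clauses = ['hash.sha1(0, filesize) == "%s" or // %s' % (digest, path)
               for digest, path in entries]
    if not clauses:
        clauses = ['false']
    else:
        # The final clause carries no trailing "or"; pad instead so the
        # `//` comments stay column-aligned.  Only the first occurrence is
        # ours — a path could itself contain " or ".
        clauses[-1] = clauses[-1].replace(' or ', '    ', 1)
    header = 'private rule %s\n{\n\tcondition:\n\t\t/* %s */\n\t\t' % (rule_name, label)
    return header + '\n\t\t'.join(clauses) + '\n}'


def main(argv=None):
    """Command-line entry point: ``generate_whitelist.py "<rule> <version>" <folder>``.

    Prints the generated rule on stdout; usage and validation errors go to
    stderr with a non-zero exit status so they never end up inside a rule
    file that stdout was redirected to.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) != 3:
        sys.stderr.write('Usage: %s name_of_the_rule_and_version folder_to_scan\n' % argv[0])
        sys.exit(1)
    label = argv[1]
    # First space-delimited word names the rule; the whole label is kept
    # verbatim in the comment so the version stays visible.
    rule_name = label.split(' ')[0]
    if not YARA_IDENTIFIER.match(rule_name):
        sys.stderr.write('Invalid YARA rule name: %r\n' % rule_name)
        sys.exit(1)
    # Rule file path is relative to the current working directory, so run
    # this script from the repository root.
    rules = yara.compile('./malwares.yara', includes=True, error_on_warning=True)
    entries = collect_flagged_files(rules, argv[2])
    print(build_whitelist_rule(rule_name, label, entries))


if __name__ == '__main__':
    main()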