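def _swf_analysis(full_targ_path):
    """Run swfdump and swfextract against an SWF sample and extract embedded images.

    Args:
        full_targ_path: path of the SWF sample on disk.

    Returns:
        A 4-tuple ``(swfdump_out, extracted_bases, swfextract_out, ioc_flag)``:
        the raw ``swfdump -a`` output, the ``/tmp/automal/<id>`` base names for
        which JPEG/PNG extraction was attempted, the raw ``swfextract`` listing,
        and ``"Present"`` if any indicator substring was seen in the
        disassembly, otherwise ``"None"``.

    Raises:
        OSError: propagated from Popen when swfdump or swfextract is not installed.
    """
    # Substrings treated as indicators of interest in the swfdump disassembly.
    # Hoisted out of the per-line loop so the list is built once, not per line.
    ioc_list = ["http", "www", ".com", ".net", ".info", "GetVariable", "GetURL", 'String:"_post"', 'String:"send"', "\\\\", "pushstring", "url.split", ".php", "urlmon", ".exe"]

    def _capture(argv):
        # Run a tool, wait for it to exit and return its stdout; stderr is
        # captured and discarded so tool noise does not reach the console.
        proc = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        return proc.communicate()[0]

    command_out = _capture(["swfdump", "-a", full_targ_path])
    command2_out = _capture(["swfextract", full_targ_path])
    # NOTE(review): splitting with a str separator expects the pipe output to be
    # str (Python 2); under Python 3 communicate() returns bytes and this would
    # raise TypeError -- confirm the interpreter this module targets.
    command_out_list = command_out.split('\n')
    command2_list = command2_out.split('\n')

    # Flag the sample if any indicator occurs on any disassembly line.
    # any() short-circuits on the first hit; the result is identical to scanning
    # every line/indicator pair.
    ioc_found = any(indi in str(out) for out in command_out_list for indi in ioc_list)
    swf_ioc_res = "Present" if ioc_found else "None"

    extract_list_fns = []
    # Image extraction is unreliable, so its output is suppressed and a failed
    # extraction is not fatal. A single devnull handle is opened for the whole
    # loop and closed on exit (previously one handle per JPEG line was opened
    # and never closed).
    # NOTE(review): the fixed '/tmp/automal/' directory is shared with every
    # local user; a per-run directory from tempfile.mkdtemp() would avoid
    # pre-created files or links at a predictable path. Left unchanged because
    # callers receive and rely on these base names.
    with open(os.devnull, 'wb') as os_null:
        for out in command2_list:
            if "JPEG" not in out:
                continue
            # The object ID is taken from the last space-separated token of the
            # listing line, as before; a line without a trailing integer is
            # skipped instead of aborting the whole analysis.
            try:
                j_id = int(out[out.rfind(' ') + 1:])
            except ValueError:
                continue
            out_base = '/tmp/automal/' + str(j_id)
            for flag, ext in (('-j', '.jpg'), ('-p', '.png')):
                # call() waits for swfextract to finish so the files (when
                # extraction succeeds) exist before the caller looks for them
                # and no zombie child is left behind.
                subprocess.call(['swfextract', full_targ_path, flag, str(j_id), '-o', out_base + ext], stdout=os_null, stderr=os_null)
            extract_list_fns.append(out_base)
    return (command_out, extract_list_fns, command2_out, swf_ioc_res)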