From: <lin...@us...> - 2010-08-29 19:24:01
Revision: 11 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=11&view=rev Author: linuxgeek247 Date: 2010-08-29 19:23:54 +0000 (Sun, 29 Aug 2010) Log Message: ----------- Adding missing detection modules to svn. Added Paths: ----------- trunk/detection-nuggets/pdf-dissector/modules/ trunk/detection-nuggets/pdf-dissector/modules/__init__.py trunk/detection-nuggets/pdf-dissector/modules/detector/ trunk/detection-nuggets/pdf-dissector/modules/detector/__init__.py trunk/detection-nuggets/pdf-dissector/modules/detector/file/ trunk/detection-nuggets/pdf-dissector/modules/detector/file/__init__.py trunk/detection-nuggets/pdf-dissector/modules/detector/file/vulnerability_finder.py trunk/detection-nuggets/pdf-dissector/modules/detector/javascript/ trunk/detection-nuggets/pdf-dissector/modules/detector/javascript/__init__.py trunk/detection-nuggets/pdf-dissector/modules/detector/javascript/javascript.py trunk/detection-nuggets/pdf-dissector/modules/detector/object/ trunk/detection-nuggets/pdf-dissector/modules/detector/object/__init__.py trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_flatedecode_predictor02.py trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_jbig2decode.py trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_u3d_meshcont.py trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_u3d_meshdecl.py trunk/detection-nuggets/pdf-dissector/modules/detector/object/embedded_file.py trunk/detection-nuggets/pdf-dissector/modules/detector/object/open_action.py trunk/detection-nuggets/pdf-dissector/modules/detector/object/windows_shell_execute.py trunk/detection-nuggets/pdf-dissector/modules/utils.py Property Changed: ---------------- trunk/detection-nuggets/pdf-dissector/ Property changes on: trunk/detection-nuggets/pdf-dissector ___________________________________________________________________ Added: svn:ignore + Makefile Added: trunk/detection-nuggets/pdf-dissector/modules/__init__.py 
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/__init__.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/__init__.py 2010-08-29 19:23:54 UTC (rev 11)
@@ -0,0 +1 @@
+# Nothing to do here
Added: trunk/detection-nuggets/pdf-dissector/modules/detector/__init__.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/detector/__init__.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/detector/__init__.py 2010-08-29 19:23:54 UTC (rev 11)
@@ -0,0 +1 @@
+# Nothing to do here
Added: trunk/detection-nuggets/pdf-dissector/modules/detector/file/__init__.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/detector/file/__init__.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/detector/file/__init__.py 2010-08-29 19:23:54 UTC (rev 11)
@@ -0,0 +1 @@
+# Nothing to do here
Added: trunk/detection-nuggets/pdf-dissector/modules/detector/file/vulnerability_finder.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/detector/file/vulnerability_finder.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/detector/file/vulnerability_finder.py 2010-08-29 19:23:54 UTC (rev 11)
@@ -0,0 +1,34 @@
+from com.zynamics.pdf.api import PdfFileHelpers
+from com.zynamics.pdf.api import Interpreter
+from com.zynamics.pdf.api import VulnerabilityFinder
+from java.lang import String
+from modules.utils import *
+
+import re
+
+cve_map = {
+ 'CVE-2009-4324': 'Doc.media.newPlayer use-after-free exploit attempt',
+ 'CVE-2010-0188': 'Adobe Reader malformed TIFF remote code execution attempt',
+ 'CVE-2010-0195': 'Adobe Reader PDF Document Embedded TrueType Font Handling Arbitrary Code Execution'
+ }
+
+
+class VulnerabilityCheck():
+ def __init__(self, pdf, data):
+ self.pdf = pdf
+ self.data = data
+
+ def check(self):
+ for vuln in VulnerabilityFinder.find(self.pdf):
+ m = re.search('(CVE_[0-9]+_[0-9]+)', vuln, re.IGNORECASE | re.MULTILINE | re.DOTALL)
+
+ if m:
+ cve = m.group(0).replace('_', '-')
+
+ try:
+ alert("[%s] %s" % (cve, cve_map[cve]),
+ self.data, "", "", "", "005d5464-7a44-4907-af57-4db08a61e13c")
+ except:
+ print "ALERT: [%s] Unknown attack detected" % cve
+
+
Added: trunk/detection-nuggets/pdf-dissector/modules/detector/javascript/__init__.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/detector/javascript/__init__.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/detector/javascript/__init__.py 2010-08-29 19:23:54 UTC (rev 11)
@@ -0,0 +1 @@
+# Nothing to do here
Added: trunk/detection-nuggets/pdf-dissector/modules/detector/javascript/javascript.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/detector/javascript/javascript.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/detector/javascript/javascript.py 2010-08-29 19:23:54 UTC (rev 11)
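Review bot: The bare `except:` in check() catches more than the intended missing-key case: a failure inside alert() itself is also swallowed and reported as an unknown attack, and the fallback `print "ALERT: [%s] Unknown attack detected" % cve` writes a line beginning with ALERT outside the ALERT/ENDALERT framing that alert() in utils.py emits, which a consumer parsing stdout may misread as a record. Narrow it to `except KeyError:` and route the fallback through the same helper, e.g. `alert("[%s] Unknown attack detected" % cve, self.data, "", "", "", "005d5464-7a44-4907-af57-4db08a61e13c")`. A one-line docstring on VulnerabilityCheck saying that cve_map maps the CVE ids returned by VulnerabilityFinder to alert text would help the next maintainer; PdfFileHelpers and Interpreter are imported but unused here.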
@@ -0,0 +1,101 @@
+import sys
+import re
+import string
+import itertools
+import struct
+import traceback
+
+from com.zynamics.pdf.api import Interpreter
+from java.lang import String
+from modules.utils import *
+
+class VulnerabilityCheck():
+ def __init__(self, pdf, obj, result, data, decodedData=None):
+ self.pdf = pdf
+ self.obj = obj
+ self.result = result
+ self.data = data
+ self.decodedData = decodedData
+
+ self.debug = True
+ self.alert_on_javascript = True
+ self.unescape_minimum_size = 200
+ self.shellcode_minimum_size = 200
+
+ def check(self):
+ try:
+ # Send an alert for the embedded javascript
+ if self.alert_on_javascript:
+
+ alert('Embedded javascript detected in object %d' % (int(self.obj.id)),
+ self.data,
+ self.decodedData,
+ "",
+ "",
+ '2b797454-d367-4841-8c9c-a713d012b546')
+
+
+ # Search for possible shellcode variables
+ for variable_name in self.result.variables:
+
+ if type(self.result.variables[variable_name]).__name__ == 'unicode':
+ d = convertUnicodeToUchar(self.result.variables[variable_name])
+
+ if d and len(d) >= self.shellcode_minimum_size:
+ alert("Possible shellcode detected in variable %s in object %s" % (variable_name, self.obj.id),
+ self.data, self.decodedData, '', '', '4e72c8ec-ff88-4371-a0f0-dfe2b4c733dc')
+
+ # Check for possible heapspray in the variable
+ for offset in range(0, 3):
+ address = checkHeapSpray(d[offset:], 400)
+
+ if address:
+ alert('Attempted heap spray detected in self.object %s variable %s pointing to 0x%08x' %
+ (self.obj.id, variable_name, struct.unpack_from("<L", address)[0]),
+ self.data, self.decodedData, '', '', '4e72c8ec-ff88-4371-a0f0-dfe2b4c733dc')
+
+ break
+
+ # Parse the logs
+ for log_name in self.result.logs:
+
+ # Unescape() strings
+ if log_name == 'Unescape':
+ for un in self.result.logs[log_name]:
+
+ # Check for shellcode as well
+ sc = unescape(un)
+
+ # Do we want to alert on this?
+ if len(sc) > self.unescape_minimum_size:
+ short = ("Javascript unescape() usage\n" +
+ "Object: %d\n" +
+ "Length: %d\n" +
+ "Detection: unescape() function call was captured by the javascript emulator\n") % (int(self.obj.id), len(un))
+
+ alert("Javascript unescape() usage found",
+ self.data, self.decodedData, short, '', '4e72c8ec-ff88-4371-a0f0-dfe2b4c733dc')
+
+ # Debug messages
+ if log_name == 'Debug':
+ for dbg in self.result.logs[log_name]:
+ if self.debug:
+ print dbg
+
+ # Check for Eval statements
+ if log_name == 'Eval':
+ for e in self.result.logs[log_name]:
+
+ alert("JavaScript eval() of %d bytes detected in object %s" % (len(e), self.obj.id),
+ self.data, self.decodedData, '', '', '2b797454-d367-4841-8c9c-a713d012b546')
+
+ # Finally check for the javascript exploit checks
+ if log_name == 'Exploit':
+ for exploit in self.result.logs[log_name]:
+ alert("%s in object %s" % (exploit.rstrip('\n'), self.obj.id),
+ self.data, self.decodedData,
+ '', '',
+ "005d5464-7a44-4907-af57-4db08a61e13c")
+
+ except Exception, e:
+ traceback.print_exc(file=sys.stdout)
Added: trunk/detection-nuggets/pdf-dissector/modules/detector/object/__init__.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/detector/object/__init__.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/detector/object/__init__.py 2010-08-29 19:23:54 UTC (rev 11)
@@ -0,0 +1 @@
+# Nothing to do here
Added: trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_flatedecode_predictor02.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_flatedecode_predictor02.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_flatedecode_predictor02.py 2010-08-29 19:23:54 UTC (rev 11)
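Review bot: The debug output and the exception trace in check() go to the same stdout stream that carries the ALERT/ENDALERT records emitted by alert(), so a `print dbg` or `traceback.print_exc(file=sys.stdout)` landing between records can corrupt whatever consumes the alert stream. Send both to stderr: `print >> sys.stderr, dbg` and `traceback.print_exc(file=sys.stderr)`. Separately, the unescape() branch gates on `len(sc) > self.unescape_minimum_size` but fills the Length field of `short` with `len(un)`, so the reported length is that of the escaped text rather than the decoded bytes that were actually measured; use one value for both and name it in the message. The `break` after the first heap-spray hit means only one offset is ever reported per variable, which looks intentional but deserves a one-line comment.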
@@ -0,0 +1,32 @@
+import struct
+import re
+import array
+
+from java.lang import String
+from java.util import Arrays
+from modules.utils import *
+
+class VulnerabilityCheck():
+ def __init__(self, pdf, obj, data, decodedData=None):
+ self.pdf = pdf
+ self.obj = obj
+ self.data = data
+ self.decodedData = decodedData
+
+ def send_alert(self):
+ alert("[CVE-2009-3459] Adobe Reader malformed FlateDecode colors declaration in object %s" % self.obj.id,
+ self.data,
+ self.decodedData,
+ '', '',
+ '005d5464-7a44-4907-af57-4db08a61e13c')
+
+ def check(self):
+ try:
+ for entry in self.obj.content.getEntries():
+ if re.search("/Colors.*1073741838", str(entry.value), re.IGNORECASE | re.MULTILINE | re.DOTALL):
+ send_alert()
+ elif re.search("/DecodeParms\s*\[[^\]]*Colors\s*\d\d\d\d", str(entry.value), re.IGNORECASE | re.MULTILINE | re.DOTALL):
+ send_alert()
+
+ except:
+ pass
Added: trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_jbig2decode.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_jbig2decode.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_jbig2decode.py 2010-08-29 19:23:54 UTC (rev 11)
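Review bot: Both `send_alert()` calls in check() are unqualified calls to a method, so each raises NameError, and the bare `except: pass` underneath then swallows it — as written this detector can never emit its CVE-2009-3459 alert. Change both to `self.send_alert()`, and narrow the handler so a regression of this kind is visible rather than silent (an `except AttributeError:` around the content access, if that is what the handler is meant to tolerate, instead of a blanket `except:`). struct, array and Arrays are imported but unused in this file.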
@@ -0,0 +1,29 @@
+import struct
+
+from java.lang import String
+from modules.utils import *
+
+class VulnerabilityCheck():
+ def __init__(self, pdf, obj, data, decodedData=None):
+ self.pdf = pdf
+ self.obj = obj
+ self.data = data
+ self.decodedData = decodedData
+
+ def check(self):
+ try:
+ if self.decodedData:
+ for entry in self.obj.content.getEntries():
+ if str(entry.name) == '/Filter':
+ if str(entry.value).find('JBIG2Decode') > 0:
+ if struct.unpack_from("B", self.decodedData, 4)[0] & 64:
+ if struct.unpack_from("B", self.decodedData, 5)[0] < 160:
+ if struct.unpack_from("<I", self.decodedData, 6) > 35256:
+ alert("[CVE-2009-0658] Attempted JBIG2Decode exploit in object %s" % self.obj.id,
+ self.data,
+ self.decodedData,
+ '', '',
+ '005d5464-7a44-4907-af57-4db08a61e13c')
+ break
+ except:
+ pass
Added: trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_u3d_meshcont.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_u3d_meshcont.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_u3d_meshcont.py 2010-08-29 19:23:54 UTC (rev 11)
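Review bot: `struct.unpack_from("<I", self.decodedData, 6) > 35256` compares a one-element tuple with an int, and under Python 2 that comparison is true regardless of the unpacked value, so the innermost size check never filters anything; it needs the `[0]` that the two unpacks above it have: `if struct.unpack_from("<I", self.decodedData, 6)[0] > 35256:`. `str(entry.value).find('JBIG2Decode') > 0` also skips a match at offset 0; `!= -1` (or `in`) states the intent. The bare `except: pass` hides the struct.error that a stream shorter than 10 bytes produces, which may be acceptable, but `except struct.error:` documents that case and stops the handler masking other mistakes.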
@@ -0,0 +1,49 @@
+import struct
+import re
+import array
+
+from java.lang import String
+from java.util import Arrays
+from modules.utils import *
+
+class VulnerabilityCheck():
+ def __init__(self, pdf, obj, data, decodedData=None):
+ self.pdf = pdf
+ self.obj = obj
+ self.data = data
+ self.decodedData = decodedData
+
+ def check(self):
+ if self.decodedData:
+ for m in re.finditer("U3D\x00", self.decodedData, re.IGNORECASE | re.MULTILINE | re.DOTALL):
+ h = self.decodedData.find("\x31\xff\xff\xff", m.end())
+
+ if h >= 0:
+ h += 4 # Skip our 4 matching bytes
+ h += 8 # Skip 8 bytes of header
+ h += struct.unpack_from("<H", self.decodedData, h)[0] # Read in 2 bytes of size
+ h += 2 # Jump the 2 bytes of size
+ h += 12 # Jump the rest of the header
+
+ # Store the position count for later comparison
+ position_count = struct.unpack_from("<I", self.decodedData, h)[0]
+
+ # Find the next header
+ h = self.decodedData.find("\x3c\xff\xff\xff", h)
+
+ if h > 0:
+ h += 4 # Skip our 4 matching bytes
+ h += 8 # Skip 8 bytes of header
+ h += struct.unpack_from("<H", self.decodedData, h)[0] # Read in 2 bytes of size
+ h += 2 # Jump the 2 bytes of size
+ h += 12 # Jump the rest of the header
+
+ # Final piece for our comparison
+ resolution_update = struct.unpack_from("<I", self.decodedData, h)[0]
+
+ if(resolution_update > position_count):
+ alert("[CVE-2009-2990] Adobe Acrobat Reader U3D CLODMeshContinuation code execution attempt in object %s" % self.obj.id,
+ self.data,
+ self.decodedData,
+ '', '',
+ '005d5464-7a44-4907-af57-4db08a61e13c')
Added: trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_u3d_meshdecl.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_u3d_meshdecl.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/detector/object/adobe_u3d_meshdecl.py 2010-08-29 19:23:54 UTC (rev 11)
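Review bot: check() has no exception handling, and the offsets fed to every `struct.unpack_from` are derived from the data itself (`h += struct.unpack_from("<H", self.decodedData, h)[0]`), so a truncated or malformed stream raises struct.error out of the detector and, unlike the sibling object detectors, into the caller, aborting the scan of the remaining objects. Wrap the parsing in `try: ... except struct.error: pass`, or check `h + 4 <= len(self.decodedData)` before each read, so one bad object cannot stop the rest of the file being inspected. The same applies to the adobe_u3d_meshdecl.py hunk below. `re.IGNORECASE` on the byte signature `"U3D\x00"` also matches `u3d\x00`, which is probably not intended for a binary magic; dropping the flag or adding a comment would make that explicit.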
@@ -0,0 +1,37 @@
+import struct
+import re
+import array
+
+from java.lang import String
+from java.util import Arrays
+from modules.utils import *
+
+class VulnerabilityCheck():
+ def __init__(self, pdf, obj, data, decodedData=None):
+ self.pdf = pdf
+ self.obj = obj
+ self.data = data
+ self.decodedData = decodedData
+
+ def check(self):
+ if self.decodedData:
+ for m in re.finditer("U3D\x00", self.decodedData, re.IGNORECASE | re.MULTILINE | re.DOTALL):
+ h = self.decodedData.find("\x31\xff\xff\xff", m.end())
+
+ if h >= 0:
+ h += 4 # Skip the 4 bytes of the field we just found
+ h += 8 # Skip our 8 bytes of header
+ h += struct.unpack_from("<H", self.decodedData, h)[0] # Read in 2 bytes of size
+ h += 2 # Jump the two bytes of size we just read
+ h += 32 # Jump the rest of the header
+
+ # Store the position count for later comparison
+ shading_count = struct.unpack_from("<I", self.decodedData, h)[0]
+
+ # Finally check the shading count size
+ if shading_count >= 0x05d1745e:
+ alert("[CVE-2010-0196] Adobe Acrobat Reader U3D CLODMeshDeclaration code execution attempt in object %s" % self.obj.id,
+ self.data,
+ self.decodedData,
+ '', '',
+ '005d5464-7a44-4907-af57-4db08a61e13c')
Added: trunk/detection-nuggets/pdf-dissector/modules/detector/object/embedded_file.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/detector/object/embedded_file.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/detector/object/embedded_file.py 2010-08-29 19:23:54 UTC (rev 11)
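Review bot: The comment `# Store the position count for later comparison` above `shading_count = ...` was carried over from the CLODMeshContinuation detector and no longer describes this line, which reads a shading count and compares it against a fixed threshold; change it to `# Read the shading count from the CLOD mesh declaration header`. The threshold `0x05d1745e` is not explained anywhere on the page; a one-line comment stating where the value comes from would stop it from being silently "corrected" later. The missing struct.error handling noted on the adobe_u3d_meshcont.py hunk applies to this check() as well.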
@@ -0,0 +1,28 @@
+import pefile
+
+from java.lang import String
+from modules.utils import *
+
+class VulnerabilityCheck():
+ def __init__(self, pdf, obj, data, decodedData=None):
+ self.pdf = pdf
+ self.obj = obj
+ self.data = data
+ self.decodedData = decodedData
+
+ def check(self):
+ try:
+ if self.decodedData:
+ pe = pefile.PE(data=self.decodedData, fast_load=False)
+
+ if(pe):
+ alert("Embedded executable file detected in object %s" % self.obj.id,
+ self.data,
+ self.decodedData,
+ '',
+ pe.dump_info(),
+ 'ba9beb5f-0653-4b04-9552-3bfb634ca7fc')
+
+ except pefile.PEFormatError:
+ pass
+
Added: trunk/detection-nuggets/pdf-dissector/modules/detector/object/open_action.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/detector/object/open_action.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/detector/object/open_action.py 2010-08-29 19:23:54 UTC (rev 11)
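Review bot: Every decoded stream is handed to `pefile.PE(data=..., fast_load=False)`, which performs a full parse, and only `pefile.PEFormatError` is caught; I cannot confirm from this page which other exceptions pefile raises on malformed input, but anything else propagates out of the detector. A cheap precheck such as `if self.decodedData[:2] == 'MZ':` before constructing the PE object keeps the full parser off streams that cannot be executables and narrows what reaches it. `if(pe):` is always true once the constructor returns, since a failed parse raises rather than returning a falsy object, so that guard can be dropped; note also that `pe.dump_info()` is passed as long_data, so the size of that field is driven by the embedded file's contents.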
@@ -0,0 +1,27 @@
+import struct
+import re
+import array
+
+from java.lang import String
+from java.util import Arrays
+from modules.utils import *
+
+class VulnerabilityCheck():
+ def __init__(self, pdf, obj, data, decodedData=None):
+ self.pdf = pdf
+ self.obj = obj
+ self.data = data
+ self.decodedData = decodedData
+
+ def check(self):
+ try:
+ for entry in self.obj.content.entries:
+ if entry.name == '/OpenAction':
+ if re.search("/(JavaScript|JS|Launch)", str(entry.value), re.IGNORECASE | re.MULTILINE | re.DOTALL):
+ alert("OpenAction usage found in object %s -> %s" % (self.obj.id, entry.value),
+ self.data,
+ self.decodedData,
+ '', '',
+ '005d5464-7a44-4907-af57-4db08a61e13c')
+ except:
+ pass
Added: trunk/detection-nuggets/pdf-dissector/modules/detector/object/windows_shell_execute.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/detector/object/windows_shell_execute.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/detector/object/windows_shell_execute.py 2010-08-29 19:23:54 UTC (rev 11)
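Review bot: `entry.name == '/OpenAction'` compares whatever `content.entries` yields against a Python str without the `str()` coercion the jbig2 detector uses (`str(entry.name) == '/Filter'`); if the name is a wrapper object rather than a string, the comparison is silently false and this detector never fires, and there is no exception for the bare `except:` to surface. Use `str(entry.name) == '/OpenAction':` for consistency with the sibling, and replace `except: pass` with a narrower clause so a real failure in the content iteration is not hidden. The same comparison pattern is in the windows_shell_execute.py hunk below (`entry.name == '/URI'`).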
@@ -0,0 +1,30 @@
+import struct
+import re
+import array
+
+from java.lang import String
+from java.util import Arrays
+from modules.utils import *
+
+class VulnerabilityCheck():
+ def __init__(self, pdf, obj, data, decodedData=None):
+ self.pdf = pdf
+ self.obj = obj
+ self.data = data
+ self.decodedData = decodedData
+
+ def check(self):
+ try:
+ for entry in self.obj.content.entries:
+ if entry.name == '/URI':
+ m = re.search("(mailto|telnet|news|nntp|snews)\x3A[^\n]*\x25[^\n]*\x22\x2Ecmd",
+ str(entry), re.IGNORECASE | re.MULTILINE | re.DOTALL)
+
+ if m:
+ alert("[CVE-2007-3896] Microsoft Windows ShellExecute and IE7 url handling code execution attempt in object %s" % self.obj.id,
+ self.data,
+ self.decodedData,
+ '', '',
+ '005d5464-7a44-4907-af57-4db08a61e13c')
+ except:
+ pass
Added: trunk/detection-nuggets/pdf-dissector/modules/utils.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/utils.py (rev 0)
+++ trunk/detection-nuggets/pdf-dissector/modules/utils.py 2010-08-29 19:23:54 UTC (rev 11)
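Review bot: The regex is run over `str(entry)` rather than `str(entry.value)` as in open_action.py and the FlateDecode detector, so the match also covers the entry's name and whatever else its string form contains; if that is deliberate a comment saying so would help, otherwise `str(entry.value)` is the consistent choice. The pattern is a plain (non-raw) string, which works here only because `\x3A`, `\x25`, `\x22`, `\x2E` and `\n` are resolved by Python before re sees them; `r"(mailto|telnet|news|nntp|snews):[^\n]*%[^\n]*\"\.cmd"` is the same pattern and is easier to audit. struct, array and Arrays are imported but unused.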
@@ -0,0 +1,91 @@
+import sys
+import array
+import os
+import struct
+
+from com.zynamics.pdf.api import Interpreter
+from java.lang import String
+
+def alert(msg, data="", norm="", short="", long_data="", uuid=""):
+ if len(data) != 0:
+ print "ALERT"
+ print msg
+ print "UUID"
+ print uuid
+ print "DATA"
+ print len(data)
+ print data
+ print "NORM"
+ print len(norm)
+ print norm
+ print "SHORT"
+ print len(short)
+ print short
+ print "LONG"
+ print len(long_data)
+ print long_data
+ print "ENDALERT"
+ else:
+ print "Alert has no data"
+
+def getJavaScript(pdf, obj):
+ result = None
+
+ try:
+ result = Interpreter.interpret(pdf, String(obj.stream.decodedData), getEmulatorScript())
+ except:
+ pass
+
+ return result
+
+def unescape(data):
+ return ''.join([(chr(int(chunk[0:2], 16)) + chr(int(chunk[2:4], 16))) for chunk in data.split('%u')[1:]])
+
+def getEmulatorScript():
+ return open('emulator/emulator.js', "r").read()
+
+def convertUnicodeToUchar(data):
+ try:
+ return ''.join([struct.pack('H', ord(i)) for i in data])
+ except:
+ return None
+
+def convertToUchar(data):
+ try:
+ return ''.join(chr(i & 0xff) for i in data)
+ except:
+ return None
+
+
+def getModules(subdir):
+ detector_path = 'modules/detector'
+ modules = []
+
+ for module in os.listdir("%s/%s" % (detector_path, subdir)):
+ if module.endswith('.py'):
+ if module != '__init__.py':
+ path = ("%s/%s/%s" % (detector_path, subdir, module)).rstrip('.py').replace('/', '.')
+ m = __import__(path, globals(), locals(), ['VulnerabilityCheck'], -1)
+ modules.append(m)
+
+ return modules
+
+def checkHeapSpray(data, length=1000):
+ try:
+ f = ""
+ s = ""
+
+ for ctr in range(0, length, 4):
+ f = data[ctr:(ctr + 4)]
+ s = data[(ctr + 4):(ctr + 8)]
+
+ if f == s:
+ continue
+ else:
+ raise
+
+ return f
+
+ except:
+ return None
+
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
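Review bot: `rstrip('.py')` in getModules() strips any trailing run of the characters `.`, `p` and `y`, not the suffix, so a detector module whose base name ends in p or y (constructed example: `copy.py` becomes `co`) would be imported under the wrong dotted path and fail to load; since `endswith('.py')` has already been checked, `module[:-3]` is the correct form. In checkHeapSpray(), the bare `raise` with no active exception is itself an error under Python 2 and only "works" because the bare `except:` catches that error too; `return None` in that branch says what is meant and lets the handler be narrowed. getEmulatorScript() never closes the file it opens, `with open('emulator/emulator.js', "r") as fh: return fh.read()` fixes the leak, and unescape() will raise ValueError on a malformed `%u` chunk, which callers currently rely on an outer try to absorb; a short docstring on each helper noting these contracts would help the detector authors.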
From: <lin...@us...> - 2011-02-03 19:01:23
Revision: 40 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=40&view=rev Author: linuxgeek247 Date: 2011-02-03 19:01:17 +0000 (Thu, 03 Feb 2011) Log Message: ----------- Fixed path issue with javascript emulator js file Modified Paths: -------------- trunk/detection-nuggets/pdf-dissector/dissector.py trunk/detection-nuggets/pdf-dissector/modules/utils.py
Modified: trunk/detection-nuggets/pdf-dissector/dissector.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/dissector.py 2011-01-10 19:27:27 UTC (rev 39)
+++ trunk/detection-nuggets/pdf-dissector/dissector.py 2011-02-03 19:01:17 UTC (rev 40)
@@ -3,12 +3,11 @@
 import sys
 import os
-
 # Update this to point to your installed pdf-dissector directory
-zynamics_path = '/usr/src/path/to/zynamics'
+zynamics_path = '/opt/zynamics'
 # This needs to point to where the python pieces are installed (the directory this file is installed)
-base_path = '/usr/src/path/to/pdf-dissector'
+base_path = '/home/hal/Projects/nuggetfarm/trunk/detection-nuggets/pdf-dissector'
 os.chdir(base_path)
@@ -41,7 +40,7 @@
 decodedData = convertToUchar(obj.stream.decodedData)
 if len(obj.stream.decodedData) > 0:
- result = getJavaScript(pdf, obj)
+ result = getJavaScript(pdf, obj, zynamics_path)
 # This should be javascript
 if result:
Modified: trunk/detection-nuggets/pdf-dissector/modules/utils.py
===================================================================
--- trunk/detection-nuggets/pdf-dissector/modules/utils.py 2011-01-10 19:27:27 UTC (rev 39)
+++ trunk/detection-nuggets/pdf-dissector/modules/utils.py 2011-02-03 19:01:17 UTC (rev 40)
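Review bot: The new `base_path = '/home/hal/Projects/nuggetfarm/trunk/detection-nuggets/pdf-dissector'` commits a developer-local path as the checked-in default, and `zynamics_path = '/opt/zynamics'` is likewise one machine's layout, so every other checkout must edit the script before it runs. The comment already says base_path is the directory this file is installed in, so derive it rather than hard-code it: `base_path = os.path.dirname(os.path.abspath(__file__))`, and let an environment variable or a command-line argument override zynamics_path. The second hunk's `getJavaScript(pdf, obj, zynamics_path)` threads the path through correctly and needs no change.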
@@ -28,11 +28,11 @@
 else:
 print "Alert has no data"
-def getJavaScript(pdf, obj):
+def getJavaScript(pdf, obj, zynamics_path):
 result = None
 try:
- result = Interpreter.interpret(pdf, String(obj.stream.decodedData), getEmulatorScript())
+ result = Interpreter.interpret(pdf, String(obj.stream.decodedData), getEmulatorScript(zynamics_path))
 except:
 pass
@@ -41,9 +41,11 @@
 def unescape(data):
 return ''.join([(chr(int(chunk[0:2], 16)) + chr(int(chunk[2:4], 16))) for chunk in data.split('%u')[1:]])
-def getEmulatorScript():
- return open('emulator/emulator.js', "r").read()
+def getEmulatorScript(zynamics_path):
+ script_path = ("%s/emulator/emulator.js" % zynamics_path)
+ return open(script_path, "r").read()
+
 def convertUnicodeToUchar(data):
 try:
 return ''.join([struct.pack('H', ord(i)) for i in data])
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
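Review bot: getEmulatorScript() still leaks the file handle it opens on `return open(script_path, "r").read()`; use `with open(script_path, "r") as fh: return fh.read()`. Building the path with `"%s/emulator/emulator.js" % zynamics_path` works on Unix, but `os.path.join(zynamics_path, 'emulator', 'emulator.js')` tolerates a trailing slash and is the idiomatic form, and os is already imported at the top of utils.py. In the first hunk the bare `except: pass` around Interpreter.interpret also swallows a missing or unreadable emulator.js, which is exactly the failure this commit fixes, so the next path problem will again surface only as a silent None; letting IOError propagate, or printing it to sys.stderr before returning, would make it visible without disturbing the alert stream on stdout.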