From 8d7cba37a0bfcff6cf72ff86a19802f30f175ffc Mon Sep 17 00:00:00 2001
From: David
Date: Wed, 23 May 2018 08:25:33 -0400
Subject: [PATCH 1/4] avoid errors with non-existant keys
---
 modules/signatures/windows/office_rtf.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/signatures/windows/office_rtf.py b/modules/signatures/windows/office_rtf.py
index fc7f59087..0ccdfa548 100644
--- a/modules/signatures/windows/office_rtf.py
+++ b/modules/signatures/windows/office_rtf.py
@@ -24,8 +24,8 @@ class RTFUnknownVersion(Signature):
minimum = "2.0"
def on_complete(self):
- filetype = self.get_results("target", {})["file"]["type"]
- name = self.get_results("target", {})["file"]["name"]
+ filetype = self.get_results("target", {}).get("file", {}).get("type", "")
+ name = self.get_results("target", {}).get("file", {}).get("name", "")
if "Rich Text Format data" in filetype and "unknown version" in filetype:
self.mark(
filename=name,
@@ -52,8 +52,8 @@ class RTFCharacterSet(Signature):
minimum = "2.0"
def on_complete(self):
- filetype = self.get_results("target", {})["file"]["type"]
- name = self.get_results("target", {})["file"]["name"]
+ filetype = self.get_results("target", {}).get("file", {}).get("type", "")
+ name = self.get_results("target", {}).get("file", {}).get("name", "")
if "Rich Text Format data" in filetype and "unknown character set" in filetype:
self.mark(
filename=name,
From 0550e4a1366a4a6e95dbbdf93c063c28168842bc Mon Sep 17 00:00:00 2001
From: David
Date: Wed, 23 May 2018 08:46:09 -0400
Subject: [PATCH 2/4] removed conditional for setting class variable
---
 modules/signatures/windows/url_file.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/signatures/windows/url_file.py b/modules/signatures/windows/url_file.py
index f20fe957d..57af2dabc 100644
--- a/modules/signatures/windows/url_file.py
+++ b/modules/signatures/windows/url_file.py
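Review bot: `.get("type", "")` on the new `filetype` lines of both hunks (RTFUnknownVersion at @@ -24 and RTFCharacterSet at @@ -52) only substitutes the default when the key is absent; if a report carries `"type": None`, the following `in filetype` test raises TypeError, which is the same class of crash this commit sets out to remove. `filetype = self.get_results("target", {}).get("file", {}).get("type") or ""` covers both the missing and the null case, and the same applies to the `name` line. The two signatures now carry byte-identical extraction code, so a small shared helper would keep them from drifting apart the next time one of them is patched. on_complete's body continues past the hunk in both classes.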
@@ -14,8 +14,8 @@ class URLFile(Signature):
def __init__(self, *args, **kwargs):
Signature.__init__(self, *args, **kwargs)
- if self.get_results("target", {}).get("category") == "file":
- self.file = self.get_results("target", {}).get("file", {})
+
+ self.file = self.get_results("target", {}).get("file", {})
def on_complete(self):
if "Internet shortcut" not in self.file.get("type", ""):
From 31b7f3afa0df3ae37f881763e5d711724a679f96 Mon Sep 17 00:00:00 2001
From: David
Date: Tue, 20 Nov 2018 14:47:25 -0500
Subject: [PATCH 3/4] some small bugs in the martian sig
---
 modules/signatures/windows/martians.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/signatures/windows/martians.py b/modules/signatures/windows/martians.py
index 04cc01fd3..c33d0dd13 100644
--- a/modules/signatures/windows/martians.py
+++ b/modules/signatures/windows/martians.py
@@ -38,7 +38,7 @@ class ProcessMartian(Signature):
"\\\"C:\\\\\Program\\ Files(\\ \\(x86\\))?\\\\Internet\\ Explorer\\\\iexplore\\.exe\\\"\\ SCODEF:\\d+ CREDAT:\\d+",
"^[A-Z]\:\\Program Files(?:\s\(x86\))?\\Microsoft Office\\(?:Office1[1-5]\\)?(?:WINWORD|OUTLOOK|POWERPNT|EXCEL|WORDVIEW)\.EXE",
"C\\:\\\\Windows\\\\System32\\\\wscript\\.exe",
- "C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Adobe\\\\Reader\\ \\d+\\.\\d+\\\\Reader\\\\AcroRd64\\.exe",
+ "C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Adobe\\\\Reader\\ \\d+\\.\\d+\\\\Reader\\\\AcroRd32\\.exe",
"C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Adobe\\\\Reader\\ \\d+\\.\\d+\\\\Reader\\\\AcroRd64\\.exe",
"C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Java\\\\jre\\d+\\\\bin\\\\j(?:avaw?|p2launcher)\\.exe",
"C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Microsoft SilverLight\\\\(?:\\d+\\.)+\\d\\\\agcp\\.exe",
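Review bot: The now-unconditional `self.file = ...` in `__init__` deserves a comment, because dropping the `category == "file"` guard changes what `self.file` means for non-file targets from "never assigned" to `{}`, and `on_complete` depends on that to bail out through `self.file.get("type", "")`. I would annotate the assignment: `# Always set; for non-file targets this is {} and on_complete's type check returns early.` The first `+` line adds a stray blank line directly after `Signature.__init__` and can be dropped. The `.get("type", "")` default in on_complete does not cover a report that stores `"type": None`; `self.file.get("type") or ""` would. The class body continues on both sides of the hunk.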
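Review bot: The replacement AcroRd32 pattern keeps the file's mixed escaping: the literal is not a raw string, so the `\s` inside it is an invalid escape sequence in Python 3 source (a DeprecationWarning since 3.6, a SyntaxWarning from 3.12) while every other metacharacter is doubled. Since the line is being rewritten anyway, it is the place to switch to the raw form, `r"C\:\\Program Files(?:\s\(x86\))?\\Adobe\\Reader\ \d+\.\d+\\Reader\\AcroRd32\.exe"`, which compiles to the same regex; the neighbouring entries would benefit from the same treatment in a follow-up. Whether these patterns are anchored to the start of the command line depends on how they are applied in code outside the hunk, which is worth confirming for an allowlist. Patch 4/4 (316335b) repeats this hunk and the one at @@ -58 verbatim, with the same `index 04cc01fd3..c33d0dd13` line, so it cannot apply on top of 3/4 and should be dropped from the series.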
@@ -58,7 +58,8 @@ class ProcessMartian(Signature):
def on_complete(self):
for process in self.get_results("behavior", {}).get("generic", []):
- if process["process_name"].lower() not in self.whitelist_procs:
+ # Don't keep processing if the process_name is in the list of processes to whitelist
+ if process["process_name"].lower() in self.whitelist_procs:
continue
for cmdline in process.get("summary", {}).get("command_line", []):
From 316335b27d5ca4e1843ac6f45593b040dbd93721 Mon Sep 17 00:00:00 2001
From: David
Date: Tue, 20 Nov 2018 14:47:25 -0500
Subject: [PATCH 4/4] some small bugs in the martian sig
---
 modules/signatures/windows/martians.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/signatures/windows/martians.py b/modules/signatures/windows/martians.py
index 04cc01fd3..c33d0dd13 100644
--- a/modules/signatures/windows/martians.py
+++ b/modules/signatures/windows/martians.py
@@ -38,7 +38,7 @@ class ProcessMartian(Signature):
"\\\"C:\\\\\Program\\ Files(\\ \\(x86\\))?\\\\Internet\\ Explorer\\\\iexplore\\.exe\\\"\\ SCODEF:\\d+ CREDAT:\\d+",
"^[A-Z]\:\\Program Files(?:\s\(x86\))?\\Microsoft Office\\(?:Office1[1-5]\\)?(?:WINWORD|OUTLOOK|POWERPNT|EXCEL|WORDVIEW)\.EXE",
"C\\:\\\\Windows\\\\System32\\\\wscript\\.exe",
- "C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Adobe\\\\Reader\\ \\d+\\.\\d+\\\\Reader\\\\AcroRd64\\.exe",
+ "C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Adobe\\\\Reader\\ \\d+\\.\\d+\\\\Reader\\\\AcroRd32\\.exe",
"C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Adobe\\\\Reader\\ \\d+\\.\\d+\\\\Reader\\\\AcroRd64\\.exe",
"C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Java\\\\jre\\d+\\\\bin\\\\j(?:avaw?|p2launcher)\\.exe",
"C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Microsoft SilverLight\\\\(?:\\d+\\.)+\\d\\\\agcp\\.exe",
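Review bot: `process["process_name"]` on the corrected `if` line still indexes the record directly while the very next context line uses `process.get("summary", {})`; a behavior entry without `process_name` raises KeyError and aborts the whole signature, the same failure mode patch 1/4 removes from office_rtf.py. `if process.get("process_name", "").lower() in self.whitelist_procs:` keeps the inverted-condition fix and makes the access style consistent. The added comment restates the condition; `# Skip allowlisted process names entirely.` says the same in fewer words. `whitelist_procs` is defined outside the hunk, so whether membership is a set or list lookup cannot be checked here, and on_complete continues past the hunk.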
@@ -58,7 +58,8 @@ class ProcessMartian(Signature):
def on_complete(self):
for process in self.get_results("behavior", {}).get("generic", []):
- if process["process_name"].lower() not in self.whitelist_procs:
+ # Don't keep processing if the process_name is in the list of processes to whitelist
+ if process["process_name"].lower() in self.whitelist_procs:
continue
for cmdline in process.get("summary", {}).get("command_line", []):