diff --git a/src/plugins/analysis/crypto_hints/code/crypto_hints.py b/src/plugins/analysis/crypto_hints/code/crypto_hints.py index abfcaeacdb..c48895632d 100644 --- a/src/plugins/analysis/crypto_hints/code/crypto_hints.py +++ b/src/plugins/analysis/crypto_hints/code/crypto_hints.py @@ -1,9 +1,32 @@ -from analysis.YaraPluginBase import YaraBasePlugin +import io +import pydantic +import typing -class AnalysisPlugin(YaraBasePlugin): - NAME = 'crypto_hints' - DESCRIPTION = 'find indicators of specific crypto algorithms' - DEPENDENCIES = [] # noqa: RUF012 - VERSION = '0.1.1' - FILE = __file__ +from analysis.plugin import addons, compat +from analysis.plugin import AnalysisPluginV0 + + +class AnalysisPlugin(AnalysisPluginV0, compat.AnalysisBasePluginAdapterMixin): + class Schema(pydantic.BaseModel): + matches: typing.List[dict] + + def __init__(self): + metadata = AnalysisPluginV0.MetaData( + name='crypto_hints', + description='find indicators of specific crypto algorithms', + version='0.2.0', + Schema=AnalysisPlugin.Schema, + ) + super().__init__(metadata=metadata) + + self._yara = addons.Yara(plugin=self) + + def summarize(self, result): + return [match['rule'] for match in result.matches] + + def analyze(self, file_handle: io.FileIO, virtual_file_path: str, analyses: dict) -> Schema: + del virtual_file_path, analyses + return AnalysisPlugin.Schema( + matches=[compat.yara_match_to_dict(m) for m in self._yara.match(file_handle)], + ) diff --git a/src/plugins/analysis/crypto_hints/test/test_crypto_hints.py b/src/plugins/analysis/crypto_hints/test/test_crypto_hints.py index d2bf0f7d0b..69ce8910d5 100644 --- a/src/plugins/analysis/crypto_hints/test/test_crypto_hints.py +++ b/src/plugins/analysis/crypto_hints/test/test_crypto_hints.py @@ -1,9 +1,8 @@ +import io from pathlib import Path import pytest -from objects.file import FileObject - from ..code.crypto_hints import AnalysisPlugin TEST_DATA_DIR = Path(__file__).parent / 'data' 
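Review bot: `Schema.matches` is typed as `typing.List[dict]`, so the new result carries no statement of what each match dict contains, even though `summarize` reads `match['rule']` and the crypto_hints.html view in this same commit indexes `rule`, `meta` (`description`, `date`, `author`) and `strings`; a dict from `compat.yara_match_to_dict` lacking one of those keys would only surface as a KeyError in `summarize` or as an empty cell in the view. At minimum give `Schema` a docstring such as `"""YARA matches as returned by compat.yara_match_to_dict; each dict is expected to carry 'rule', 'meta' and 'strings' (consumed by summarize() and view/crypto_hints.html)."""` — a nested pydantic model for the match would turn that expectation into a validated contract, but I am inferring the key set from the view rather than from `compat`, so confirm it before tightening. `analyze` and `summarize` also land without docstrings; `"""Run this plugin's YARA rules over file_handle; virtual_file_path and analyses are accepted for the V0 interface but unused."""` covers the former, and `"""Return the names of the matched rules, one per match."""` the latter. Note that the result shape changes from the 0.1.1 flat rule-keyed dict to `{"matches": [...]}`, so the version bump to 0.2.0 is what should invalidate stored results — worth a one-line comment next to `version='0.2.0'` saying so.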
@@ -11,9 +10,9 @@ @pytest.mark.AnalysisPluginTestConfig(plugin_class=AnalysisPlugin) def test_additional_rules(analysis_plugin): - test_file = FileObject(file_path=str(TEST_DATA_DIR / 'additional_rules_test_file')) - processed_file = analysis_plugin.process_object(test_file) - result = processed_file.processed_analysis[analysis_plugin.NAME] + file_path = str(TEST_DATA_DIR / 'additional_rules_test_file') + result = analysis_plugin.analyze(io.FileIO(file_path), {}, {}) + summary = analysis_plugin.summarize(result) for rule in [ 'secp256r1', 'AES_Constants', @@ -22,12 +21,12 @@ def test_additional_rules(analysis_plugin): 'camellia_constants', 'present_cipher', ]: - assert rule in result + assert rule in summary @pytest.mark.AnalysisPluginTestConfig(plugin_class=AnalysisPlugin) def test_basic_scan_feature(analysis_plugin): - test_file = FileObject(file_path=str(TEST_DATA_DIR / 'CRC32_table')) - processed_file = analysis_plugin.process_object(test_file) - result = processed_file.processed_analysis[analysis_plugin.NAME] - assert 'CRC32_table' in result + file_path = str(TEST_DATA_DIR / 'CRC32_table') + result = analysis_plugin.analyze(io.FileIO(file_path), {}, {}) + summary = analysis_plugin.summarize(result) + assert 'CRC32_table' in summary diff --git a/src/plugins/analysis/crypto_hints/view/crypto_hints.html b/src/plugins/analysis/crypto_hints/view/crypto_hints.html index a8ca528263..de0e982f72 100644 --- a/src/plugins/analysis/crypto_hints/view/crypto_hints.html +++ b/src/plugins/analysis/crypto_hints/view/crypto_hints.html 
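Review bot: `io.FileIO(file_path)` in test_additional_rules is opened inline and never closed, so the handle is only released by garbage collection and pytest will emit a ResourceWarning; wrap it in a context manager: `with io.FileIO(file_path) as fh:` / `    result = analysis_plugin.analyze(fh, '', {})`. The `{}` passed as the second argument also contradicts the `virtual_file_path: str` annotation on `analyze` and only works because the parameter is deleted unused — `''` matches the declared type. The same open-without-close pattern appears in test_basic_scan_feature in the following hunk and should get the same treatment.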
@@ -10,28 +10,28 @@ - {% for key, entry in analysis_result.items() %} + {% for match_dict in analysis_result["matches"] %} - {% set row_count = 3 + (1 if entry.meta.date else 0) + (1 if entry.meta.author else 0) %} + {% set row_count = 3 + (1 if match_dict.meta.date else 0) + (1 if match_dict.meta.author else 0) %} {{ loop.index - 1 }} Matched Rule - {{ entry['rule'] }} + {{ match_dict['rule'] }} Description - {{ entry['meta']['description'] }} + {{ match_dict['meta']['description'] }} - {% if entry.meta.date %} + {% if match_dict.meta.date %} Rule Version - {{ entry['meta']['date'] }} + {{ match_dict['meta']['date'] }} {% endif %} - {% if entry.meta.author %} + {% if match_dict.meta.author %} Rule Author - {{ entry['meta']['author'] }} + {{ match_dict['meta']['author'] }} {% endif %} @@ -48,7 +48,7 @@ name matched value - {% for offset, name, matched_string in entry['strings'] %} + {% for offset, name, matched_string in match_dict['strings'] %} 0x{{ '0%x' % offset }} {{ name[1:] }}