PageRenderTime 34ms CodeModel.GetById 22ms RepoModel.GetById 1ms app.codeStats 0ms

/src/bat/checks.py

https://gitlab.com/hook/binary-analysis-tool
Python | 328 lines | 286 code | 8 blank | 34 comment | 20 complexity | d2878b599d0013c83e60cdac1750ccc1 MD5 | raw file
    

  1. #!/usr/bin/python
    2. 

  2. 

  3. ## Binary Analysis Tool
    4. 

  4. ## Copyright 2009-2016 Armijn Hemel for Tjaldur Software Governance Solutions
    5. 

  5. ## Licensed under Apache 2.0, see LICENSE file for details
    6. 

  6. 

  7. '''
    8. 

  8. This file contains a few methods that check for the presence of marker
    9. 

  9. strings that are likely to be found in certain programs. It is far from fool
    10. 

  10. proof and false positives are likely, so either check the results, or replace
    11. 

  11. it with your own more robust checks.
    12. 

  12. '''
    13. 

    14. 

  14. import string, re, os, magic, subprocess, sys, tempfile, copy
    15. 

  15. import extractor, elfcheck
    16. 

  16. 

  17. ## generic searcher for certain marker strings
    18. 

  18. ## TODO: implement overlap between subsequent buffer reads
    19. 

  19. def genericSearch(filename, markerDict, blacklist=[], unpacktempdir=None):
    20. 

  20. 	results = []
    21. 

  21. 	## first see if the entire file has been blacklisted
    22. 

  22. 	filesize = os.stat(filename).st_size
    23. 

  23. 	carved = False
    24. 

  24. 	foundmarkers = set()
    25. 

  25. 	if blacklist != []:
    26. 

  26. 		if extractor.inblacklist(0, blacklist) == filesize:
    27. 

  27. 			return None
    28. 

  28. 		datafile = open(filename, 'rb')
    29. 

  29. 		lastindex = 0
    30. 

  30. 		datafile.seek(lastindex)
    31. 

  31. 		## make a copy and add a bogus value for the last
    32. 

  32. 		## byte to a temporary blacklist to make the loop work
    33. 

  33. 		## well.
    34. 

  34. 		blacklist_tmp = copy.deepcopy(blacklist)
    35. 

  35. 		blacklist_tmp.append((filesize,filesize))
    36. 

  36. 		for i in blacklist_tmp:
    37. 

  37. 			if i[0] == lastindex:
    38. 

  38. 				lastindex = i[1] - 1
    39. 

  39. 				datafile.seek(lastindex)
    40. 

  40. 				continue
    41. 

  41. 			if i[0] > lastindex:
    42. 

  42. 				## read the data, then search for markers
    43. 

  43. 				data = datafile.read(i[0] - lastindex)
    44. 

  44. 				if len(data) <=1:
    45. 

  45. 					## set lastindex to the next
    46. 

  46. 					lastindex = i[1] - 1
    47. 

  47. 					datafile.seek(lastindex)
    48. 

  48. 					continue
    49. 

  49. 				for marker in markerDict.keys():
    50. 

  50. 					if marker in foundmarkers:
    51. 

  51. 						continue
    52. 

  52. 					for markerstring in markerDict[marker]:
    53. 

  53. 						markeroffset = data.find(markerstring)
    54. 

  54. 						if markeroffset != -1:
    55. 

  55. 							results.append(marker)
    56. 

  56. 							foundmarkers.add(marker)
    57. 

  57. 							break
    58. 

  58. 				## set lastindex to the next
    59. 

  59. 				lastindex = i[1] - 1
    60. 

  60. 				datafile.seek(lastindex)
    61. 

  61. 		datafile.close()
    62. 

  62. 	else:
    63. 

  63. 		datafile = open(filename, 'rb')
    64. 

  64. 		databuffer = []
    65. 

  65. 		offset = 0
    66. 

  66. 		datafile.seek(offset)
    67. 

  67. 		databuffer = datafile.read(100000)
    68. 

  68. 		while databuffer != '':
    69. 

  69. 			for marker in markerDict.keys():
    70. 

  70. 				if marker in foundmarkers:
    71. 

  71. 					continue
    72. 

  72. 				for markerstring in markerDict[marker]:
    73. 

  73. 					markeroffset = databuffer.find(markerstring)
    74. 

  74. 					if markeroffset != -1:
    75. 

  75. 						results.append(marker)
    76. 

  76. 						foundmarkers.add(marker)
    77. 

  77. 						break
    78. 

  78. 			## move the offset 100000
    79. 

  79. 			datafile.seek(offset + 100000)
    80. 

  80. 			databuffer = datafile.read(100000)
    81. 

  81. 			offset = offset + len(databuffer)
    82. 

  82. 		datafile.close()
    83. 

  83. 	if results != []:
    84. 

  84. 		return list(set(results))
    85. 

  85. 	return None
    86. 

  86. 

  87. ## The result of this method is a list of library names that the file dynamically links
    88. 

  88. ## with. The path of these libraries is not given, since this is usually not recorded
    89. 

  89. ## in the binary (unless RPATH is used) but determined at runtime: it is dependent on
    90. 

  90. ## the dynamic linker configuration on the device. With some mixing and matching it is
    91. 

  91. ## nearly always to determine which library in which path is used, since most installations
    92. 

  92. ## don't change the default search paths.
    93. 

  93. def searchDynamicLibs(filename, tags, cursor, conn, filehashes, blacklist=[], scanenv={}, scandebug=False, unpacktempdir=None):
    94. 

  94. 	if not 'elf' in tags:
    95. 

  95. 		return
    96. 

  96. 	dynamicres = elfcheck.getDynamicLibs(filename, scandebug)
    97. 

  97. 	if dynamicres == {} or dynamicres == None:
    98. 

  98. 		return None
    99. 

  99. 	if 'needed_libs' in dynamicres:
    100. 

  100. 		return (['libs'], dynamicres['needed_libs'])
    101. 

  101. 

  102. ## This method determines the architecture of the executable file.
    103. 

  103. ## This is necessary because sometimes leftovers from different products (and
    104. 

  104. ## different architectures) can be found in one firmware.
    105. 

  105. def scanArchitecture(filename, tags, cursor, conn, filehashes, blacklist=[], scanenv={}, scandebug=False, unpacktempdir=None):
    106. 

  106. 	if not 'elf' in tags:
    107. 

  107. 		return
    108. 

  108. 	archres = elfcheck.getArchitecture(filename, tags)
    109. 

  109. 	if archres != None:
    110. 

  110. 		return (['architecture'], archres)
    111. 

  111. 

  112. ## search markers for various open source programs
    113. 

  113. ## This search is not accurate, but might come in handy in some situations
    114. 

  114. def searchMarker(filename, tags, cursor, conn, filehashes, blacklist=[], scanenv={}, scandebug=False, unpacktempdir=None):
    115. 

  115. 	markerStrings = {
    116. 

  116.              'loadlin': [ 'Ooops..., size of "setup.S" has become too long for LOADLIN,'
    117. 

  117. 			, 'LOADLIN started from $'
    118. 

  118. 			],
    119. 

  119. 	     'iptables':[ 'iptables who? (do you need to insmod?)'
    120. 

  120. 			, 'Will be implemented real soon.  I promise ;)'
    121. 

  121. 			, 'can\'t initialize iptables table `%s\': %s'
    122. 

  122. 			],
    123. 

  123. 	     'dproxy':  [ '# dproxy monitors this file to determine when the machine is'
    124. 

  124. 			, '# If you want dproxy to log debug info specify a file here.'
    125. 

  125. 			],
    126. 

  126. 	     'ez-ipupdate': [ 'ez-ipupdate Version %s, Copyright (C) 1998-'
    127. 

  127. 			, '%s says that your IP address has not changed since the last update'
    128. 

  128. 			, 'you must provide either an interface or an address'
    129. 

  129. 			],
    130. 

  130. 	     'libusb':  [ 'Check that you have permissions to write to %s/%s and, if you don\'t, that you set up hotplug (http://linux-hotplug.sourceforge.net/) correctly.'
    131. 

  131. 			, 'usb_os_find_busses: Skipping non bus directory %s'
    132. 

  132. 			, 'usb_os_init: couldn\'t find USB VFS in USB_DEVFS_PATH'
    133. 

  133. 			],
    134. 

  134. 	     'vsftpd':  [ 'vsftpd: version'
    135. 

  135. 			, '(vsFTPd '
    136. 

  136. 			, 'VSFTPD_LOAD_CONF'
    137. 

  137. 			, 'run two copies of vsftpd for IPv4 and IPv6'
    138. 

  138. 			],
    139. 

  139. 	     'hostapd': [ 'hostapd v'],
    140. 

  140. 	     'wpasupplicant': [ 'wpa_supplicant v'],
    141. 

  141. 	     'iproute': [ 'Usage: tc [ OPTIONS ] OBJECT { COMMAND | help }'
    142. 

  142. 			, 'tc utility, iproute2-ss%s'
    143. 

  143. 			, 'Option "%s" is unknown, try "tc -help".'
    144. 

  144. 			],
    145. 

  145. 	     'wireless-tools': [ "Driver has no Wireless Extension version information."
    146. 

  146. 			, "Wireless Extension version too old."
    147. 

  147. 			, "Wireless-Tools version"
    148. 

  148. 			, "Wireless Extension, while we are using version %d."
    149. 

  149. 			, "Currently compiled with Wireless Extension v%d."
    150. 

  150.        	                ],
    151. 

  151. 	     'redboot': ["Display RedBoot version information"],
    152. 

  152.              'uboot': [ "run script starting at addr"
    153. 

  153. 			, "Hit any key to stop autoboot: %2d"
    154. 

  154. 			, "## Binary (kermit) download aborted"
    155. 

  155. 			, "## Ready for binary (ymodem) download "
    156. 

  156. 			]}
    157. 

  157. 

  158. 	res = genericSearch(filename, markerStrings, blacklist)
    159. 

  159. 	if res != None:
    160. 

  160. 		return (res, res)
    161. 

  161. 

  162. '''
    163. 

  163. ## What actually do these dependencies mean?
    164. 

  164. ## Are they dependencies of the installer itself, or of the programs that are
    165. 

  165. ## installed by the installer?
    166. 

  166. def searchWindowsDependencies(filename, tags, cursor, conn, filehashes, blacklist=[], scanenv={}, scandebug=False, unpacktempdir=None):
    167. 

  167. 	## first determine if we are dealing with a MS Windows executable
    168. 

  168. 	ms = magic.open(magic.MAGIC_NONE)
    169. 

  169. 	ms.load()
    170. 

  170. 	mstype = ms.file(filename)
    171. 

  171. 	ms.close()
    172. 

  172. 	if not 'PE32 executable for MS Windows' in mstype and not "PE32+ executable for MS Windows" in mstype:
    173. 

  173.                 return None
    174. 

  174. 	deps = extractor.searchAssemblyDeps(filename)
    175. 

  175. 	if deps == None:
    176. 

  176. 		return None
    177. 

  177. 	if deps == []:
    178. 

  178. 		return None
    179. 

  179. 	else:
    180. 

  180. 		return (['windowsdependencies'], deps)
    181. 

  181. '''
    182. 

    183. 

  183. ## method to extract meta information from PDF files
    184. 

  184. def scanPDF(filename, tags, cursor, conn, filehashes, blacklist=[], scanenv={}, scandebug=False, unpacktempdir=None):
    185. 

  185. 	## Only consider whole PDF files. If anything has been carved from
    186. 

  186. 	## it, skip it. Blacklists are a good indicator.
    187. 

  187. 	if blacklist != []:
    188. 

  188. 		return None
    189. 

  189. 	if not 'pdf' in tags:
    190. 

  190. 		return None
    191. 

  191. 	p = subprocess.Popen(['pdfinfo', "%s" % (filename,)], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    192. 

  192. 	(stanout, stanerr) = p.communicate()
    193. 

  193. 	if p.returncode != 0:
    194. 

  194.                	return
    195. 

  195. 	pdfinfo = {}
    196. 

  196. 	pdflines = stanout.rstrip().split("\n")
    197. 

  197. 	for pdfline in pdflines:
    198. 

  198. 		pdfsplit = pdfline.split(":", 1)
    199. 

  199. 		if len(pdfsplit) != 2:
    200. 

  200. 			continue
    201. 

  201. 		(tag, value) = pdfsplit
    202. 

  202. 		if tag == "Title":
    203. 

  203. 			pdfinfo['title'] = value.strip()
    204. 

  204. 		if tag == "Author":
    205. 

  205. 			pdfinfo['author'] = value.strip()
    206. 

  206. 		if tag == "Creator":
    207. 

  207. 			pdfinfo['creator'] = value.strip()
    208. 

  208. 		if tag == "CreationDate":
    209. 

  209. 			pdfinfo['creationdate'] = value.strip()
    210. 

  210. 		if tag == "Producer":
    211. 

  211. 			pdfinfo['producer'] = value.strip()
    212. 

  212. 		if tag == "Tagged":
    213. 

  213. 			pdfinfo['tagged'] = value.strip()
    214. 

  214. 		if tag == "Pages":
    215. 

  215. 			pdfinfo['pages'] = int(value.strip())
    216. 

  216. 		if tag == "Page size":
    217. 

  217. 			pdfinfo['pagesize'] = value.strip()
    218. 

  218. 		if tag == "Encrypted":
    219. 

  219. 			pdfinfo['encrypted'] = value.strip()
    220. 

  220. 		if tag == "Optimized":
    221. 

  221. 			pdfinfo['optimized'] = value.strip()
    222. 

  222. 		if tag == "PDF version":
    223. 

  223. 			pdfinfo['version'] = value.strip()
    224. 

  224. 	return (['pdfinfo'], pdfinfo)
    225. 

  225. 

  226. ## scan for mentions of licenses
    227. 

  227. ######################################
    228. 

  228. ## !!! WARNING WARNING WARNING !!! ###
    229. 

  229. ######################################
    230. 

  230. ## This should only be used as an indicator for further investigation,
    231. 

  231. ## never as proof that a binary is actually licensed under a license!
    232. 

  232. def scanLicenses(filename, tags, cursor, conn, filehashes, blacklist=[], scanenv={}, scandebug=False, unpacktempdir=None):
    233. 

  233. 	licenseidentifiers = {}
    234. 

  234. 

  235. 	## identifiers for any GNU license (could apply to multiple licenses)
    236. 

  236. 	licenseidentifiers['GNU'] = ["General Public License", "http://www.gnu.org/licenses/", "http://gnu.org/licenses/", "http://www.gnu.org/gethelp/", "http://www.gnu.org/software/"]
    237. 

  237. 

  238. 	## identifiers for a version of GNU GPL
    239. 

  239. 	licenseidentifiers['GPL'] = ["http://gnu.org/licenses/gpl.html", "http://www.gnu.org/licenses/gpl.html",
    240. 

  240.                                 "http://www.gnu.org/licenses/gpl.txt", "http://www.opensource.org/licenses/gpl-license.php",
    241. 

  241.                                 "http://www.gnu.org/copyleft/gpl.html"]
    242. 

  242. 

  243. 	## identifiers specifically for GPLv2
    244. 

  244. 	licenseidentifiers['GPL-2.0'] = ["http://gnu.org/licenses/gpl-2.0.html", "http://www.gnu.org/licenses/old-licenses/gpl-2.0.html"]
    245. 

  245. 

  246. 	## identifiers specifically for LGPLv2.1
    247. 

  247. 	licenseidentifiers['LGPL-2.1'] = ["http://gnu.org/licenses/old-licenses/lgpl-2.1.html"]
    248. 

  248. 

  249. 	## identifiers specifically for Apache 2.0
    250. 

  250. 	licenseidentifiers['Apache-2.0'] = ["http://www.apache.org/licenses/LICENSE-2.0", "http://opensource.org/licenses/apache2.0.php"]
    251. 

  251. 

  252. 	## identifiers for MPL license
    253. 

  253. 	licenseidentifiers['MPL'] = ["http://www.mozilla.org/MPL/"]
    254. 

  254. 

  255. 	## identifiers for MIT license
    256. 

  256. 	licenseidentifiers['MIT'] = ["http://www.opensource.org/licenses/mit-license.php"]
    257. 

  257. 

  258. 	## identifiers for BSD license
    259. 

  259. 	licenseidentifiers['BSD'] = ["http://www.opensource.org/licenses/bsd-license.php"]
    260. 

  260. 

  261. 	## identifiers specifically for OpenOffice
    262. 

  262. 	licenseidentifiers['OpenOffice'] = ["http://www.openoffice.org/license.html"]
    263. 

  263. 

  264. 	## identifiers specifically for BitTorrent
    265. 

  265. 	licenseidentifiers['BitTorrent'] = ["http://www.bittorrent.com/license/"]
    266. 

  266. 

  267. 	## identifiers specifically for Tizen
    268. 

  268. 	licenseidentifiers['Tizen'] = ["http://www.tizenopensource.org/license"]
    269. 

  269. 

  270. 	## identifiers specifically for OpenSSL
    271. 

  271. 	licenseidentifiers['OpenSSL'] = ["http://www.openssl.org/source/license.html"]
    272. 

  272. 

  273. 	## identifiers specifically for Boost
    274. 

  274. 	licenseidentifiers['BSL-1.0'] = ["http://www.boost.org/LICENSE_1_0.txt", "http://pocoproject.org/license.html"]
    275. 

  275. 

  276. 	## identifiers specifically for zlib
    277. 

  277. 	licenseidentifiers['Zlib'] = ["http://www.zlib.net/zlib_license.html"]
    278. 

  278. 

  279. 	## identifiers specifically for jQuery
    280. 

  280. 	licenseidentifiers['jQuery'] = ["http://jquery.org/license"]
    281. 

  281. 

  282. 	## identifiers specifically for libxml
    283. 

  283. 	licenseidentifiers['libxml'] = ["http://xmlsoft.org/FAQ.html#License"]
    284. 

  284. 

  285. 	## identifiers specifically for ICU
    286. 

  286. 	licenseidentifiers['ICU'] = ["http://source.icu-project.org/repos/icu/icu/trunk/license.html"]
    287. 

  287. 

  288. 	licenseresults = genericSearch(filename, licenseidentifiers, blacklist)
    289. 

  289. 

  290. 	if licenseresults != None:
    291. 

  291. 		return (['licenses'], licenseresults)
    292. 

  292. 	else:
    293. 

  293. 		return None
    294. 

  294. 

  295. ## scan for mentions of several forges
    296. 

  296. ## Some of the URLs of the forges no longer work or are redirected, but they
    297. 

  297. ## might still pop up in binaries.
    298. 

  298. def scanForges(filename, tags, cursor, conn, filehashes, blacklist=[], scanenv={}, scandebug=False, unpacktempdir=None):
    299. 

  299. 	forgeidentifiers = {}
    300. 

  300. 

  301. 	forgeidentifiers['sourceforge.net'] = ["sourceforge.net"]
    302. 

  302. 

  303. 	forgeidentifiers['freedesktop.org'] = ["http://cvs.freedesktop.org/", "http://cgit.freedesktop.org/"]
    304. 

  304. 

  305. 	forgeidentifiers['code.google.com'] = ["code.google.com", "googlecode.com"]
    306. 

  306. 

  307. 	forgeidentifiers['savannah.gnu.org'] = ["savannah.gnu.org/"]
    308. 

  308. 

  309. 	forgeidentifiers['github.com'] = ["github.com", "github.io"]
    310. 

  310. 

  311. 	forgeidentifiers['bitbucket.org'] = ["bitbucket.org"]
    312. 

  312. 

  313. 	forgeidentifiers['tigris.org'] = ["tigris.org"]
    314. 

  314. 

  315. 	forgeidentifiers['svn.apache.org'] = ["http://svn.apache.org/"]
    316. 

  316. 

  317. 	forgeidentifiers['launchpad.net'] = ["https://git.launchpad.net/", "launchpad.net"]
    318. 

  318. 

  319. 	## various gits:
    320. 

  320. 	## http://git.fedoraproject.org/git/
    321. 

  321. 	## https://fedorahosted.org/
    322. 

  322. 

  323. 	forgeresults = genericSearch(filename, forgeidentifiers, blacklist)
    324. 

  324. 

  325. 	if forgeresults != None:
    326. 

  326. 		return (['forges'], forgeresults)
    327. 

  327. 	else:
    328. 

  328. 		return None
    329. 

  329.