共计 6764 个字符,预计需要花费 17 分钟才能阅读完成。
原文地址:
https://github.com/cssaheel/d…
1.1 Introduction
Cuckoo Sandbox is an Automated Malware Analysis developed by Claudio Guarnieri, mainly Cuckoo is a lightweight solution that performs automated dynamic analysis of provided Windows binaries. It is able to return comprehensive reports on key API calls and network activity. This documentation is introduce you a library which processes the network files (PCAP files or Packet-Capture files) and return back a report of the result. This library dissect packets fields and extract the most possible extent of information out of network packets, it also aware of tcp reassemblingn not just that it can recover the downloaded files for http, ftp and the sent emails by smtp.
Cuckoo Sandbox 是 Claudio Guarnieri 开发的主动恶意软件剖析工具,次要的 Cuckoo 是一个轻量级解决方案,该计划对提供的 Windows 二进制文件执行主动动态分析。它可能返回无关要害 API 调用和网络流动的全面报告。本文档向您介绍一个库,它解决网络文件 (PCAP 文件或数据包捕捉文件) 并返回后果报告。该库解析数据包字段,并从网络数据包中提取尽可能多的信息,它还理解 tcp 重组,不仅能够复原 http、ftp 下载的文件和 smtp 发送的电子邮件。
1.2 Description
This library depend on Scapy library. The supported protocols in this library are: TCP, UDP, ICMP, DNS, SMB, HTTP, FTP, IRC, SIP, TELNET, SSH, SMTP, IMAP and POP. Even that the first five protocols were supported by Scapy they have been interfaced by this library. This figure demonstrates the transparent structure of the library:
这个库依赖于 Scapy 库。该库中反对的协定有:TCP、UDP、ICMP、DNS、SMB、HTTP、FTP、IRC、SIP、TELNET、SSH、SMTP、IMAP 和 POP。即便前五个协定由 Scapy 反对,它们也由这个库连贯。此图显示了库的通明构造:
1- The main component in this library which is dissector is responsible of receiving a path to pcap file and send back a dictionary of the supported protocols which holds the dissected packets. Also this component is the one who specify how to represent the data and also it is the responsible of importing Scapy classes and the library classes. Also it preprocesses the tcp sequence numbers and implements the tcp reassembly.
1- 此库中的次要组件是 dissector,负责接管 pcap 文件的门路,并发回反对的协定字典,该字典保留解析的数据包。该组件还负责指定如何示意数据,并负责导入 Scapy 类和库类。同时对 tcp 序列号进行预处理,实现 tcp 重组。
2- The protocols files, each file has one or more classes which responsible fordissecting the corresponding protocol packets.
2- 协定文件,每个文件有一个或多个类,负责拆散相应的协定包。
3- There are set of Scapy classes have been used in this library which are Packet class inherited by “Protocols classes”, and Field class which inherited by “Fields classes” and it does use rdpcap which takes a path to pcap file and returns back a list of packets.
3- 该库中应用了一组 Scapy 类,它们是由“Protocols classes”继承的 Packet 类,以及由“Fields classes”继承的 Field 类,并且它的确应用 rdpcap,该 rdpcap 获取 pcap 文件的门路并返回数据包列表。
1.3 General Protocol File Structure
For any future development no need to go deep in Scapy since in this library I didn’t use advanced features of Scapy, so I am going to introduce you the simplest (pseudo code) form of a protocol file structure I followed in this library annotated with some comments:
对于任何将来的开发,无需深刻 Scapy,因为在这个库中,我没有应用 Scapy 的高级性能,所以我将向您介绍我在这个库中遵循的协定文件构造的最简略(伪代码)模式,并附上一些正文:
class FTPData(Packet):
"""
class for dissecting the ftp data
@attention: it inherets Packet class from Scapy library
"""name ="ftp"fields_desc = [FTPDataField("data","")]
class FTPResponse(Packet):
"""
class for dissecting the ftp responses
@attention: it inherets Packet class from Scapy library
"""name ="ftp"fields_desc = [FTPResField("command","", "H"),
FTPResArgField("argument", "","H")]
class FTPRequest(Packet):
"""
class for dissecting the ftp requests
@attention: it inherets Packet class from Scapy library
"""name ="ftp"fields_desc = [FTPReqField("command","", "H"),
StrField("argument", "","H")]
bind_layers(TCP, FTPResponse, sport=21)
bind_layers(TCP, FTPRequest, dport=21)
bind_layers(TCP, FTPData, dport=20)
bind_layers(TCP, FTPData, dport=20)
Are we done of the protocol file? well, Not yet. As you see in the previous code in fields desc we have used a class named FTPField and this class is “Field Class” which means in either way it should inherits Field class of Scapy, the other class StrField this has the same thing it inherits Field class but it is predefined by Scapy. Now let us have a look at FTPField class.
协定文件处理完毕了吗?嗯,还没有。正如您在后面的 fields desc 代码中看到的,咱们应用了一个名为 FTPField 的类,这个类是“Field class”,这意味着它应该以任何一种形式继承 Scapy 的 Field class,另一个类 StrField 它继承了 Field class,但它是由 Scapy 预约义的。当初让咱们看看 FTPField 类。
class FTPReqField(StrField):
holds_packets = 1
name = "FTPReqField"
def getfield(self, pkt, s):
"""
this method will get the packet, takes what does need to be
taken and let the remaining go, so it returns two values.
first value which belongs to this field and the second is
the remaining which does need to be dissected with
other "field classes".
@param pkt: holds the whole packet
@param s: holds only the remaining data which is not dissected yet.
"""remain =""
value = ""
ls = s.split()
if ls[0].lower() == "retr":
c = 1
file = ""
while c < len(ls):
file = file + ls
c = c + 1
if len(file) > 0:
add_file(file)
length = len(ls)
if length > 1:
value = ls[0]
if length == 2:
remain = ls[1]
return remain, value
else:
i = 1
remain = ""
while i < length:
remain = remain + ls[i] + " "
i = i + 1
return remain, value
else:
return "", ls[0]
def __init__(self, name, default, fmt, remain=0):
"""
class constructor for initializing the instance variables
@param name: name of the field
@param default: Scapy has many formats to represent the data
internal, human and machine. anyways you may sit this param to None.
@param fmt: specifying the format, this has been set to "H"
@param remain: this parameter specifies the size of the remaining
data so make it 0 to handle all of the data.
"""
self.name = name
StrField.__init__(self, name, default, fmt, remain)
1.4 Protocols Details and Notes
Different protocols have different properties especially when you go in details. So here I am going to lists the different characteristics and features of the implemented protocols.
不同的协定有不同的属性,尤其是当你深刻理解细节时。在这里,我将列出已实现协定的不同特色和个性。
1.5 Requirements
This library has been tested with python version 2.6.5 and Scapy version 2.1.0.
1.6 Usage
Here you will see simple use of this library. Let us have our file usedissector.py as follows:
from dissector import *
"""
this file is a test unit for a pcap library (mainly dissector.py
and its associated protocols classes). This library uses and
depends on Scapy library.
"""
# instance of dissector class
dissector = Dissector()
# sending the pcap file to be dissected
pkts = dissector.dissect_pkts("/root/Desktop/ssh.cap")
print(pkts)
the output will be similar to this:
{’ftp’: [....],’http’: [....], ....}
1.7 Downloaded Files Recovery
I have wrote a dedicated section for the files recovery to state how this feature works for http, ftp and smtp. All of the protocols will create a directory named downloaded in the current working directory (CWD) to store the recovered files. in case that you want to change the default and want to store the recovered files in another directory you have to send a path to change dfolder just like this:
我曾经为文件复原写了一个专门的章节,来阐明这个性能如何实用于 http、ftp 和 smtp。所有协定都将在当前工作目录(CWD)中创立一个名为 downloaded 的目录来存储复原的文件。如果要更改默认值,并心愿将复原的文件存储在另一个目录中,则必须发送一个门路来更改数据文件夹,如下所示:
from dissector import *
# instance of dissector class
dissector = Dissector()
# now the downloaded files will be stored on the desktop
dissector.change_dfolder("/root/Desktop/")
# sending the pcap file to be dissected
pkts = dissector.dissect_pkts("/root/Desktop/ssh.cap")
for http it takes the file name from the start line of the http request, so if another file has the same name in the specified directory or the name has some special characters then a random name will be generated. the same apply for ftp which takes the file name from RETR command. whereas smtp just gives the file a random name.
对于 http,它从 http 申请的起始行获取文件名,因而如果另一个文件在指定目录中具备雷同的名称,或者该名称具备一些特殊字符,则将生成一个随机名称。这同样实用于从 RETR 命令获取文件名的 ftp。而 smtp 只是给文件一个随机名称。
1.8 Source Code
the source code of this library is on github:
$ git clone https://github.com/cssaheel/d…