Overview
mmpi is an open-source library for rapid e-mail inspection, implemented in Python and designed on the community framework. mmpi supports parsing and checking the mail headers, the mail body and the attachments, and outputs a JSON detection report.

Project code: mmpi

PyPI project: pypi

Detection logic of the mmpi rapid e-mail inspection library:

Header parsing: extracts the header data, including the names and addresses of the sender and recipients, the subject, the send time, and the original sending IP. The header check is performed on the sender address and the originating IP.

Body parsing: extracts the text and html bodies; text bodies are matched against keywords, html bodies are parsed and analysed, which supports probe (tracking) mail detection, phishing detection, spam detection and other checks.

Attachment parsing and checking:

OLE file formats (doc, xls, etc.): extract the VBA macro code and template-injection links

zip archives: extract the list of contained files and tally file names, file types, etc.

rtf documents: parse embedded OLE objects, etc.

Other formats: e.g. PE executables

Detection methods include:

Rule checks on basic information

yara rule checks
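The header check described above can be reproduced with the Python standard library alone. The following is an added example, not mmpi's own code: it parses a constructed .eml, builds a dict shaped like one entry of the report's "headers" list (same keys as in the result example further down), and then checks the sender domain and the originating IP against deny-lists. The deny-lists, the sample message and its addresses are all constructed for this example; in a real deployment they would come from the mail-system context the tool assumes.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample message (not taken from the original page).
SAMPLE_EML = b"""\
From: "Accounts Payable" <billing@example-invoices.test>
To: "Alice Example" <alice@example.com>
Subject: Re: Proforma Invoice
Date: Tue, 24 Nov 2020 12:37:38 +0100
X-Originating-IP: [203.0.113.45]
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
"""

# Constructed deny-lists standing in for the context a real mail system provides.
BAD_SENDER_DOMAINS = {"example-invoices.test"}
BAD_ORIGIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_headers(raw):
    """Return a dict shaped like one entry of the report's 'headers' list."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    def addresses(field):
        # policy.default gives structured address headers: name and addr-spec separately.
        out = []
        for header in msg.get_all(field, []):
            for addr in header.addresses:
                out.append({"name": addr.display_name, "addr": addr.addr_spec})
        return out

    date_str = ""
    if msg["Date"]:
        dt = parsedate_to_datetime(str(msg["Date"]))
        offset = dt.strftime("%z")  # e.g. '+0100'
        date_str = dt.strftime("%Y-%m-%d %H:%M:%S") + f" UTC{offset[:3]}:{offset[3:]}"

    origin_ips = []
    for value in msg.get_all("X-Originating-IP", []):
        # The header is usually written as "[a.b.c.d]"; keep only the dotted quad.
        origin_ips.extend(_IPV4.findall(str(value)))

    return {
        "From": addresses("From"),
        "To": addresses("To"),
        "Subject": str(msg["Subject"] or ""),
        "Date": date_str,
        "X-Originating-IP": origin_ips,
    }


def check_headers(headers):
    """Flag a sender domain or an originating IP that is on a deny-list."""
    findings = []
    for sender in headers["From"]:
        domain = sender["addr"].rpartition("@")[2].lower()
        if domain in BAD_SENDER_DOMAINS:
            findings.append(("sender_domain", sender["addr"]))
    for ip_text in headers["X-Originating-IP"]:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # malformed value: skip rather than crash the check
        if any(ip in net for net in BAD_ORIGIN_NETWORKS):
            findings.append(("origin_ip", ip_text))
    return findings


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_EML)
    print(hdrs)
    print(check_headers(hdrs))
```

The date is rendered as "YYYY-MM-DD HH:MM:SS UTC+HH:MM" to match the format shown in the result example; a message without a Date header yields an empty string rather than an exception, which is the behaviour you want when a rule runs over malformed mail.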

Prerequisites
mmpi's analysis and verdicts assume a mail-system environment. Outside that context, the basis for its detection rules is no longer reliable.

Usage

  1. Install
     $ pip install mmpi

     Note: on Windows, install yara-python from the download linked here.

  2. Command-line run
     $ mmpi-run $email_path

  3. Quick start
     from mmpi import mmpi

     def main():
         emp = mmpi()
         emp.parse('test.eml')        # parse the mail file
         report = emp.get_report()    # collect the JSON report
         print(report)

     if __name__ == "__main__":
         main()

  4. Output format
     {
         // fixed fields
         "headers": [],
         "body": [],
         "attachments": [],
         "signatures": [],
         // dynamic fields
         "vba": [],
         "rtf": [],
         ......
     }

Tool notes
mmpi is written entirely in Python. It uses the native email, html and zip libraries for parsing, builds on a customised oletools to parse Office and RTF documents, and combines this with yara to check other file types.

Project code structure

.
├── mmpi
│   ├── common
│   ├── core
│   ├── data
│   │   ├── signatures
│   │   │   ├── eml
│   │   │   ├── html
│   │   │   ├── ole
│   │   │   ├── other
│   │   │   ├── rtf
│   │   │   └── zip
│   │   ├── white
│   │   └── yara
│   │       ├── exe
│   │       ├── pdf
│   │       └── vba
│   └── processing
└── tests
    └── samples

mmpi/common: basic module, implements the common processing flow

mmpi/core: core scheduling module, loads the plugins and initialises the related modules

mmpi/data: core detection module, holds the basic detection rules and the yara rules

mmpi/processing: core parsing module, parses eml, html, zip and other file formats

tests: test module

Detection rule examples

  1. PE file disguised as a document

Rule: a file in the archive whose name ends in .exe and has more than 20 spaces inserted in the middle of the name

     class PEFakeDocument(Signature):
         authors = ["ddvv"]
         sig_type = 'zip'
         name = "pe_fake_document"
         severity = 9
         description = "PE File Fake Document"

         def on_complete(self):
             results = self.get_results()
             for result in results:
                 # only look at results produced by the zip processor
                 if result.get('type', '') == self.sig_type:
                     infos = result.get('value', {}).get('infos', [])
                     for info in infos:
                         file_type = info.get('type')
                         file_name = info.get('name')
                         # counts non-overlapping two-space pairs in the file name
                         space_count = file_name.count('  ')
                         if 'exe' == file_type and space_count > 20:
                             self.mark(type="zip", tag=self.name, data=info.get('name'))
                             return self.has_marks()
             return None

  2. DLL hijacking

Rule: the archive contains both an exe and a dll file

     class DLLHijacking(Signature):
         authors = ["ddvv"]
         sig_type = 'zip'
         name = "dll_hijacking"
         severity = 9
         description = "DLL Hijacking"

         def on_complete(self):
             results = self.get_results()
             for result in results:
                 if result.get('type', '') == self.sig_type:
                     infos = result.get('value', {}).get('infos', [])
                     file_types = [info.get('type') for info in infos]
                     # both file types must be present in the same archive
                     if set(['exe', 'dll']).issubset(file_types):
                         self.mark(type="zip", tag=self.name)
                         return self.has_marks()
             return None

  3. RTF exploit

Rule: the RTF document contains an OLE object whose class_name is OLE2Link or starts with equation

     class RTFExploitDetected(Signature):
         authors = ["ddvv"]
         sig_type = 'rtf'
         name = "rtf_exploit_detected"
         severity = 9
         description = "RTF Exploit Detected"

         def on_complete(self):
             results = self.get_results()
             for result in results:
                 if result.get('type', '') == self.sig_type:
                     infos = result.get('value', {}).get('infos', [])
                     for info in infos:
                         if info.get('is_ole', False):
                             class_name = info.get('class_name', '')
                             # case-insensitive prefix match, e.g. "EQUATion.3" in the result example
                             if class_name == 'OLE2Link' or class_name.lower().startswith('equation'):
                                 self.mark(type="rtf", tag=self.name)
                                 return self.has_marks()
             return None
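All three rules above follow the same pattern: read the parsed results, filter on sig_type, inspect the infos list, and call mark() when a condition holds. The following is an added example, not mmpi's own code. It provides a minimal stand-in for the Signature base class (the real one lives in mmpi/core and is not shown on the page; the stand-in only implements the get_results, mark and has_marks calls the rules above use, plus a report() that renders the hit in the shape of the "signatures" entries in the result example) and one additional zip rule written in the same style, flagging an executable whose name carries a document-like double extension. The rule, the results data and the file-type strings are constructed for this example.

```python
# Added example, not mmpi's own code. Stand-in for mmpi's Signature base class
# (assumed API: get_results(), mark(**fields), has_marks()).
class Signature:
    authors = []
    sig_type = ''
    name = ''
    severity = 0
    description = ''

    def __init__(self, results):
        self._results = results  # parsed results: one dict per processed object
        self._marks = []

    def get_results(self):
        return self._results

    def mark(self, **fields):
        # Each mark records what matched; the report's "marks" list is built from these.
        self._marks.append(fields)

    def has_marks(self):
        return len(self._marks) > 0

    def report(self):
        """Render this rule's hit in the shape of the report's 'signatures' entries."""
        return {
            "name": self.name,
            "description": self.description,
            "severity": self.severity,
            "marks": list(self._marks),
            "markcount": len(self._marks),
        }


DOCUMENT_SUFFIXES = ('.doc', '.docx', '.xls', '.xlsx', '.pdf', '.txt')
PE_TYPES = {'exe', 'dll', 'scr'}


class PEDoubleExtension(Signature):
    """Zip rule in the page's style: an executable named like 'Invoice.pdf.exe'."""
    authors = ["example"]
    sig_type = 'zip'
    name = "pe_double_extension"
    severity = 7
    description = "PE File With Document Double Extension"

    def on_complete(self):
        for result in self.get_results():
            if result.get('type', '') != self.sig_type:
                continue
            for info in result.get('value', {}).get('infos', []):
                file_name = info.get('name', '')
                stem = file_name.rpartition('.')[0].lower()  # name without its final extension
                if info.get('type') in PE_TYPES and stem.endswith(DOCUMENT_SUFFIXES):
                    self.mark(type="zip", tag=self.name, data=file_name)
        return self.has_marks() or None


# Constructed parse results in the shape the page's rules read: each zip result
# carries an 'infos' list whose entries have a file 'name' and a detected 'type'.
SUSPICIOUS_RESULTS = [
    {"type": "zip", "value": {"infos": [
        {"name": "Proforma Invoice.pdf.exe", "type": "exe"},
        {"name": "readme.txt", "type": "txt"},
    ]}},
]
BENIGN_RESULTS = [
    {"type": "zip", "value": {"infos": [{"name": "report.docx", "type": "docx"}]}},
]


def run_rule(rule_cls, results):
    """Instantiate a rule over the results, run it, and return its report entry."""
    rule = rule_cls(results)
    rule.on_complete()
    return rule.report()


if __name__ == "__main__":
    print(run_rule(PEDoubleExtension, SUSPICIOUS_RESULTS))
    print(run_rule(PEDoubleExtension, BENIGN_RESULTS))
```

The rule keys on the detected type rather than on the trailing extension, so a renamed file is still caught as long as the zip processor reports its real type; the extension check only decides whether the name was dressed up as a document.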

Result example
Verdict: the mail contains an RTF document carrying an exploit and is classified as malicious.

The report includes the sender and recipient information, subject, send time, mail body, and attachment information.

The vba and rtf fields carry the basic attachment check information.

The signatures field lists the rules that matched.

{
    "headers": [
        {
            "From": [
                {
                    "name": "Mohd Mukhriz Ramli (MLNG/GNE)",
                    "addr": "info@vm1599159.3ssd.had.wf"
                }
            ],
            "To": [
                {
                    "name": "",
                    "addr": ""
                }
            ],
            "Subject": "Re: Proforma Invoice",
            "Date": "2020-11-24 12:37:38 UTC+01:00",
            "X-Originating-IP": []
        }
    ],
    "body": [
        {
            "type": "text",
            "content": " \nDEAR SIR, \n\nPLEASE SIGN THE PROFORMA INVOICE SO THAT I CAN PAY AS SOON AS POSSIBLE.\n\nATTACHED IS THE PROFORMA INVOICE,\n\nPLEASE REPLY QUICKLY, \n\nTHANKS & REGARDS' \n\nRAJASHEKAR \n\n Dubai I Kuwait I Saudi Arabia I India I Egypt \nKuwait: +965 22261501 \nSaudi Arabia: +966 920033029 \nUAE: +971 42431343 \nEmail ID: help@rehlat.co [1]m\n \n\nLinks:\n------\n[1]\nhttps://deref-mail.com/mail/client/OV1N7sILlK8/dereferrer/?redirectUrl=https%3A%2F%2Fe.mail.ru%2Fcompose%2F%3Fmailto%3Dmailto%253ahelp%40rehlat.com"
        }
    ],
    "attachments": [
        {
            "type": "doc",
            "filename": "Proforma Invoice.doc",
            "filesize": 1826535,
            "md5": "558c4aa596b0c4259182253a86b35e8c",
            "sha1": "63982d410879c09ca090a64873bc582fcc7d802b"
        }
    ],
    "vba": [],
    "rtf": [
        {
            "is_ole": true,
            "format_id": 2,
            "format_type": "Embedded",
            "class_name": "EQUATion.3",
            "data_size": 912305,
            "md5": "a5cee525de80eb537cfea247271ad714"
        }
    ],
    "signatures": [
        {
            "name": "rtf_suspicious_detected",
            "description": "RTF Suspicious Detected",
            "severity": 3,
            "marks": [
                {
                    "type": "rtf",
                    "tag": "rtf_suspicious_detected"
                }
            ],
            "markcount": 1
        },
        {
            "name": "rtf_exploit_detected",
            "description": "RTF Exploit Detected",
            "severity": 9,
            "marks": [
                {
                    "type": "rtf",
                    "tag": "rtf_exploit_detected"
                }
            ],
            "markcount": 1
        }
    ]
}

That is all for this post. Readers who want to learn programming are welcome to follow Python技术大本营 for more skills and tutorials.