Class Signature (module lib.cuckoo.common.abstracts)

object --+
         |
        Signature

Base class for Cuckoo signatures.

Instance Methods

__init__(self, results=None)
    x.__init__(...) initializes x; see help(type(x)) for signature

_check_value(self, pattern, subject, regex=False)
    Checks a pattern against a given subject.

as_result(self)
    Properties as a dict (for results).

check_api(self, pattern, process=None, regex=False)
    Checks for an API being called.

check_argument(self, pattern, name=None, api=None, category=None, process=None, regex=False)
    Checks for a specific argument of an invoked API.

check_argument_call(self, call, pattern, name=None, api=None, category=None, regex=False)
    Checks for a specific argument of an invoked API.

check_domain(self, pattern, regex=False)
    Checks for a domain being contacted.

check_file(self, pattern, regex=False)
    Checks for a file being opened.

check_ip(self, pattern, regex=False)
    Checks for an IP address being contacted.

check_key(self, pattern, regex=False)
    Checks for a registry key being opened.

check_mutex(self, pattern, regex=False)
    Checks for a mutex being opened.

check_url(self, pattern, regex=False)
    Checks for a URL being contacted.

get_argument(self, call, name)
    Retrieves the value of a specific argument from an API call.

on_call(self, call, process)
    Notify signature about API call.

on_complete(self)
    Evented signature is notified when all API calls are done.

run(self)
    Start signature processing.

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Variables
  alert = False
  authors = []
  categories = []
  description = ''
  enabled = True
  evented = False
  families = []
  filter_apinames = set([])
  filter_categories = set([])
  filter_processnames = set([])
  maximum = None
  minimum = None
  name = ''
  order = 0
  references = []
  severity = 1

Properties

Inherited from object: __class__

Method Details

__init__(self, results=None) (Constructor)

x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__
(inherited documentation)

_check_value(self, pattern, subject, regex=False)

Checks a pattern against a given subject.

Parameters:
  • pattern - string or expression to check for.
  • subject - target of the check.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

as_result(self)

Properties as a dict (for results).

Returns:
result dictionary.

check_api(self, pattern, process=None, regex=False)

Checks for an API being called.

Parameters:
  • pattern - string or expression to check for.
  • process - optional filter for a specific process name.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

check_argument(self, pattern, name=None, api=None, category=None, process=None, regex=False)

Checks for a specific argument of an invoked API.

Parameters:
  • pattern - string or expression to check for.
  • name - optional filter for the argument name.
  • api - optional filter for the API function name.
  • category - optional filter for a category name.
  • process - optional filter for a specific process name.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

check_argument_call(self, call, pattern, name=None, api=None, category=None, regex=False)

Checks for a specific argument of an invoked API.

Parameters:
  • call - API call information.
  • pattern - string or expression to check for.
  • name - optional filter for the argument name.
  • api - optional filter for the API function name.
  • category - optional filter for a category name.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

check_domain(self, pattern, regex=False)

Checks for a domain being contacted.

Parameters:
  • pattern - string or expression to check for.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

check_file(self, pattern, regex=False)

Checks for a file being opened.

Parameters:
  • pattern - string or expression to check for.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

check_ip(self, pattern, regex=False)

Checks for an IP address being contacted.

Parameters:
  • pattern - string or expression to check for.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

check_key(self, pattern, regex=False)

Checks for a registry key being opened.

Parameters:
  • pattern - string or expression to check for.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

check_mutex(self, pattern, regex=False)

Checks for a mutex being opened.

Parameters:
  • pattern - string or expression to check for.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

check_url(self, pattern, regex=False)

Checks for a URL being contacted.

Parameters:
  • pattern - string or expression to check for.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

get_argument(self, call, name)

Retrieves the value of a specific argument from an API call.

Parameters:
  • call - API call object.
  • name - name of the argument to retrieve.
Returns:
value of the required argument.

on_call(self, call, process)

Notify signature about API call. Return value determines if this signature is done or could still match.

Parameters:
  • call - logged API call.
  • process - process doing API call.
Raises:
  • NotImplementedError - this method is abstract.

on_complete(self)

Evented signature is notified when all API calls are done.

Returns:
Match state.
Raises:
  • NotImplementedError - this method is abstract.

run(self)

Start signature processing.

Parameters:
  • results - analysis results.
Raises:
  • NotImplementedError - this method is abstract.
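As an added, constructed example (not Cuckoo's own code), a minimal stand-in that follows the interface documented above, and a non-evented signature built on it that implements run() with check_file and check_key and reports through as_result(). The results layout under results["behavior"]["summary"], the pattern semantics of _check_value and the sample paths are assumptions.

```python
import re
# Constructed stand-in for lib.cuckoo.common.abstracts.Signature (not Cuckoo's code).
class Signature(object):
    name = ""
    description = ""
    severity = 1
    categories = []

    def __init__(self, results=None):
        self.results = results or {}
        self.data = []  # what each check matched, returned by as_result()

    def _check_value(self, pattern, subject, regex=False):
        # With regex=True the pattern is compiled and searched; otherwise exact match.
        if regex:
            return re.compile(pattern, re.IGNORECASE).search(subject) is not None
        return pattern == subject

    def _check_summary(self, key, pattern, regex):
        # Assumed layout: results["behavior"]["summary"][key] is a list of strings.
        for item in self.results.get("behavior", {}).get("summary", {}).get(key, []):
            if self._check_value(pattern, item, regex):
                self.data.append({key: item})
                return True
        return False

    def check_file(self, pattern, regex=False):
        return self._check_summary("files", pattern, regex)
    def check_key(self, pattern, regex=False):
        return self._check_summary("keys", pattern, regex)

    def as_result(self):
        return {"name": self.name, "description": self.description,
                "severity": self.severity, "data": self.data}
# Constructed non-evented signature: an executable dropped in Temp and registered
# under a Run key is reported as autostart persistence.
class RunKeyPersistence(Signature):
    name = "runkey_persistence"
    description = "Drops an executable to Temp and registers it under a Run key"
    severity = 3
    categories = ["persistence"]

    def run(self):
        dropped = self.check_file(r"\\Temp\\[^\\]+\.exe$", regex=True)
        return dropped and self.check_key(r"\\CurrentVersion\\Run\\", regex=True)
# Constructed analysis results shaped like a behavior summary.
SAMPLE_RESULTS = {"behavior": {"summary": {
    "files": ["C:\\Users\\user\\AppData\\Local\\Temp\\upd.exe"],
    "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"]}}}
```

The matched file and key land in as_result()["data"], which is what a report consumer would show as evidence for the hit.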