Package lib :: Package cuckoo :: Package common :: Module abstracts :: Class Signature

Class Signature

source code

object --+
         |
        Signature

Base class for Cuckoo signatures.

Instance Methods

__init__(self, caller)
x.__init__(...) initializes x; see help(type(x)) for signature

_check_value(self, pattern, subject, regex=False, all=False)
Checks a pattern against a given subject.

get_results(self, key=None, default=None)

get_processes(self, name=None)
Get a list of processes.

get_process_by_pid(self, pid=None)
Get a process by its process identifier.

get_summary(self, key=None, default=[])
Get one or all values related to the global summary.

get_summary_generic(self, pid, actions)
Get generic info from the summary.

get_files(self, pid=None, actions=None)
Get files read, queried, or written, optionally restricted to a specific process.

get_dll_loaded(self, pid=None)
Get DLLs loaded by a specific process.

get_keys(self, pid=None, actions=None)
Get registry keys.

check_file(self, pattern, regex=False, actions=None, pid=None, all=False)
Checks for a file being opened.

check_dll_loaded(self, pattern, regex=False, actions=None, pid=None, all=False)
Checks for DLLs being loaded.

check_key(self, pattern, regex=False, actions=None, pid=None, all=False)
Checks for a registry key being accessed.

get_mutexes(self, pid=None)
Returns a list of mutexes.

check_mutex(self, pattern, regex=False, all=False)
Checks for a mutex being opened.

get_command_lines(self)
Retrieves all command lines used.

get_wmi_queries(self)
Retrieves all executed WMI queries.

get_net_generic(self, subtype)
Generic accessor for network data of a given subtype.

get_net_hosts(self)
Returns a list of all hosts.

get_net_domains(self)
Returns a list of all domains.

get_net_http(self)
Returns a list of all http data.

get_net_http_ex(self)
Returns a list of all http data.

get_net_udp(self)
Returns a list of all udp data.

get_net_icmp(self)
Returns a list of all icmp data.

get_net_irc(self)
Returns a list of all irc data.

get_net_smtp(self)
Returns a list of all smtp data.

get_virustotal(self)
Returns the information retrieved from VirusTotal.

get_volatility(self, module=None)
Returns the data that belongs to the given module.

get_apkinfo(self, section=None, default={})
Returns the apkinfo results for this analysis.

get_droidmon(self, section=None, default={})
Returns the droidmon results for this analysis.

get_googleplay(self, section=None, default={})
Returns the Google Play results for this analysis.

check_ip(self, pattern, regex=False, all=False)
Checks for an IP address being contacted.

check_domain(self, pattern, regex=False, all=False)
Checks for a domain being contacted.

check_url(self, pattern, regex=False, all=False)
Checks for a URL being contacted.

init(self)
Allow signatures to initialize themselves.

mark_call(self, *args, **kwargs)
Mark the current call as the explanation of why this signature matched.

mark_ioc(self, category, ioc, description=None)
Mark an IOC as the explanation of why the current signature matched.

mark_vol(self, plugin, **kwargs)
Mark the output of a Volatility plugin as the explanation of why the current signature matched.

mark(self, **kwargs)
Mark arbitrary data.

has_marks(self, count=None)
Returns true if this signature has one or more marks.

on_call(self, call, process)
Notify the signature about an API call.

on_signature(self, signature)
Event yielded when another signature has matched.

on_process(self, process)
Called on process change.

on_complete(self)
The signature is notified when all API calls have been processed.

results(self)
Turn this signature into actionable results.

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Variables

  name = ""
  description = ""
  severity = 1
  order = 1
  categories = []
  families = []
  authors = []
  references = []
  platform = None
  alert = False
  enabled = True
  minimum = None
  maximum = None
  markcount = 50
  filter_apinames = []
  filter_categories = []
  on_call_dispatch = False

Properties

Inherited from object: __class__

Method Details

__init__(self, caller)
(Constructor)


x.__init__(...) initializes x; see help(type(x)) for signature

Parameters:
  • caller - calling object. Stores results in caller.results
Overrides: object.__init__

_check_value(self, pattern, subject, regex=False, all=False)


Checks a pattern against a given subject.

Parameters:
  • pattern - string or expression to check for.
  • subject - target of the check.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

get_processes(self, name=None)


Get a list of processes.

Parameters:
  • name - If set only return processes with that name.
Returns:
List of processes or empty list

get_process_by_pid(self, pid=None)


Get a process by its process identifier.

Parameters:
  • pid - pid to search for.
Returns:
process.

get_summary_generic(self, pid, actions)


Get generic info from the summary.

Parameters:
  • pid - pid of the process. None for all
  • actions - A list of actions to get

get_files(self, pid=None, actions=None)


Get files read, queried, or written, optionally restricted to a specific process.

Parameters:
  • pid - the process or None for all
  • actions - actions to search for. None is all
Returns:
yields files

get_dll_loaded(self, pid=None)


Get DLLs loaded by a specific process.

Parameters:
  • pid - the process or None for all
Returns:
yields DLLs loaded

get_keys(self, pid=None, actions=None)


Get registry keys.

Parameters:
  • pid - The pid to look in or None for all.
  • actions - the actions as a list.
Returns:
yields registry keys

check_file(self, pattern, regex=False, actions=None, pid=None, all=False)


Checks for a file being opened.

Parameters:
  • pattern - string or expression to check for.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
  • actions - a list of key actions to use.
  • pid - The process id to check. If it is set to None, all processes will be checked.
Returns:
boolean with the result of the check.

check_dll_loaded(self, pattern, regex=False, actions=None, pid=None, all=False)


Checks for DLLs being loaded.

Parameters:
  • pattern - string or expression to check for.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
  • pid - The process id to check. If it is set to None, all processes will be checked.
Returns:
boolean with the result of the check.

check_key(self, pattern, regex=False, actions=None, pid=None, all=False)


Checks for a registry key being accessed.

Parameters:
  • pattern - string or expression to check for.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
  • actions - a list of key actions to use.
  • pid - The process id to check. If it is set to None, all processes will be checked.
Returns:
boolean with the result of the check.

get_mutexes(self, pid=None)

Parameters:
  • pid - Pid to filter for
Returns:
List of mutexes

check_mutex(self, pattern, regex=False, all=False)


Checks for a mutex being opened.

Parameters:
  • pattern - string or expression to check for.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

get_net_generic(self, subtype)


Generic accessor for network data of a given subtype.

Parameters:
  • subtype - subtype string to search for.

check_ip(self, pattern, regex=False, all=False)


Checks for an IP address being contacted.

Parameters:
  • pattern - string or expression to check for.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

check_domain(self, pattern, regex=False, all=False)


Checks for a domain being contacted.

Parameters:
  • pattern - string or expression to check for.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

check_url(self, pattern, regex=False, all=False)


Checks for a URL being contacted.

Parameters:
  • pattern - string or expression to check for.
  • regex - boolean representing if the pattern is a regular expression or not and therefore should be compiled.
Returns:
boolean with the result of the check.

on_call(self, call, process)


Notify the signature about an API call. The return value determines whether this signature is done or could still match.

Only called if the signature is "active".

Parameters:
  • call - logged API call.
  • process - proc object.

on_signature(self, signature)


Event yielded when another signature has matched. Some signatures only take effect when one or more other signatures have matched as well.

Parameters:
  • signature - The signature that just matched

on_process(self, process)


Called on process change.

Can be used for cleanup of flags, re-activation of the signature, and similar per-process state.

Parameters:
  • process - dictionary describing this process
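A complete signature written against the documented API, added here as an example and not part of the Cuckoo project's own code. It runs stand-alone against a constructed stand-in for Signature that implements only the documented contracts of __init__, _check_value, get_keys, mark_ioc and has_marks; the layout of the summary under caller.results and the "regkey_written" action name are assumptions.

```python
import re
from types import SimpleNamespace
class SignatureStub:
    # Constructed stand-in for cuckoo.common.abstracts.Signature (not Cuckoo's code):
    # only the documented contracts the signature below relies on.
    def __init__(self, caller):
        self.caller = caller   # documented: results are stored in caller.results
        self.marks = []
    def _check_value(self, pattern, subject, regex=False, all=False):
        # Documented: with regex=True the pattern is a regular expression to compile.
        if regex:
            return re.search(pattern, subject, re.IGNORECASE) is not None
        return pattern.lower() == subject.lower()
    def get_keys(self, pid=None, actions=None):
        # Assumed layout (not on the page): results["behavior"]["generic"] is a
        # list of {"pid": int, "summary": {action: [registry keys]}}.
        for proc in self.caller.results.get("behavior", {}).get("generic", []):
            if pid is not None and proc["pid"] != pid:
                continue
            for action, keys in proc["summary"].items():
                if actions is None or action in actions:
                    for key in keys:
                        yield key
    def mark_ioc(self, category, ioc, description=None):
        self.marks.append({"category": category, "ioc": ioc, "description": description})
    def has_marks(self, count=None):
        return len(self.marks) >= (1 if count is None else count)

class PersistenceRunKey(SignatureStub):
    name = "persistence_run_key"
    description = "Writes a value under a Run or RunOnce autostart registry key"
    severity = 3
    categories = ["persistence"]
    run_key = r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\"
    def on_complete(self):
        # Only written keys count; merely opening the Run key is common benign behaviour.
        for key in self.get_keys(actions=["regkey_written"]):
            if self._check_value(self.run_key, key, regex=True):
                self.mark_ioc("registry", key, "autostart value written")
        return self.has_marks()

def run_demo():
    # Constructed sample summary for two processes; only the first writes a Run value.
    run = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
    caller = SimpleNamespace(results={"behavior": {"generic": [
        {"pid": 1234, "summary": {"regkey_opened": [run], "regkey_written": [run + r"\Updater"]}},
        {"pid": 5678, "summary": {"regkey_written": [r"HKEY_CURRENT_USER\Software\Example\Settings"]}},
    ]}})
    sig = PersistenceRunKey(caller)
    return sig.on_complete(), [m["ioc"] for m in sig.marks]
```

Because on_complete only inspects keys with the written action, the opened Run key in the first process produces no mark, which is the behaviour a persistence signature wants in order to avoid flagging benign autostart enumeration.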