# Copyright (c) 2017, The MITRE Corporation. All rights reserved.
# See LICENSE.txt for complete terms.
from mixbox import entities, fields
import cybox
import cybox.bindings.win_executable_file_object as win_executable_file_binding
from cybox.common import (
DateTime, DigitalSignature, Float, HashList, HexBinary, Integer, Long,
NonNegativeInteger, String, PositiveInteger
)
from cybox.objects.win_file_object import WinFile
class Entropy(entities.Entity):
    """Entropy measurement attached to a PE section (``EntropyType``).

    Pure data holder: the values are whatever the producer of the CybOX
    document recorded.  NOTE(review): section entropy is commonly read by
    analysts as a packing/encryption indicator, but nothing here computes or
    validates the numbers -- confirm their meaning against the schema before
    building detections on them.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.EntropyType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    # ``min``/``max`` shadow the builtins only as class attributes; the names
    # mirror the XML elements.  Presumably the bounds the value is reported
    # against -- verify with the schema.
    value = fields.TypedField("Value", Float)
    min = fields.TypedField("Min", Float)
    max = fields.TypedField("Max", Float)
class PEExportedFunction(entities.Entity):
    """One entry of a PE export table (``PEExportedFunctionType``)."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEExportedFunctionType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    function_name = fields.TypedField("Function_Name", String)
    # Entry point is kept as hex text, not an integer, matching the schema.
    entry_point = fields.TypedField("Entry_Point", HexBinary)
    ordinal = fields.TypedField("Ordinal", NonNegativeInteger)
class PEExportedFunctions(entities.EntityList):
    """List wrapper holding zero or more :class:`PEExportedFunction`."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEExportedFunctionsType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    exported_function = fields.TypedField("Exported_Function", PEExportedFunction, multiple=True)
class PEExports(entities.Entity):
    """The export directory of a PE file (``PEExportsType``).

    NOTE(review): ``number_of_functions`` / ``number_of_addresses`` /
    ``number_of_names`` are recorded independently of the length of
    ``exported_functions``; nothing here checks that they agree.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEExportsType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    name = fields.TypedField("Name", String)
    exported_functions = fields.TypedField("Exported_Functions", PEExportedFunctions)
    number_of_functions = fields.TypedField("Number_Of_Functions", Integer)
    exports_time_stamp = fields.TypedField("Exports_Time_Stamp", DateTime)
    number_of_addresses = fields.TypedField("Number_Of_Addresses", Long)
    number_of_names = fields.TypedField("Number_Of_Names", Long)
class PEDataDirectoryStruct(entities.Entity):
    """A single data-directory slot: a virtual address and a size.

    Records only where a table is said to live; it does not carry the table's
    contents.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEDataDirectoryStructType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    virtual_address = fields.TypedField("Virtual_Address", HexBinary)
    size = fields.TypedField("Size", NonNegativeInteger)
class DataDirectory(entities.Entity):
    """The PE optional-header data directory (``DataDirectoryType``).

    One :class:`PEDataDirectoryStruct` (address + size) per well-known slot.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.DataDirectoryType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    export_table = fields.TypedField("Export_Table", PEDataDirectoryStruct)
    import_table = fields.TypedField("Import_Table", PEDataDirectoryStruct)
    resource_table = fields.TypedField("Resource_Table", PEDataDirectoryStruct)
    exception_table = fields.TypedField("Exception_Table", PEDataDirectoryStruct)
    # Location/size of the certificate table only: recording it says nothing
    # about whether a signature is present or valid.
    certificate_table = fields.TypedField("Certificate_Table", PEDataDirectoryStruct)
    base_relocation_table = fields.TypedField("Base_Relocation_Table", PEDataDirectoryStruct)
    debug = fields.TypedField("Debug", PEDataDirectoryStruct)
    architecture = fields.TypedField("Architecture", PEDataDirectoryStruct)
    global_ptr = fields.TypedField("Global_Ptr", PEDataDirectoryStruct)
    tls_table = fields.TypedField("TLS_Table", PEDataDirectoryStruct)
    load_config_table = fields.TypedField("Load_Config_Table", PEDataDirectoryStruct)
    bound_import = fields.TypedField("Bound_Import", PEDataDirectoryStruct)
    import_address_table = fields.TypedField("Import_Address_Table", PEDataDirectoryStruct)
    delay_import_descriptor = fields.TypedField("Delay_Import_Descriptor", PEDataDirectoryStruct)
    clr_runtime_header = fields.TypedField("CLR_Runtime_Header", PEDataDirectoryStruct)
    reserved = fields.TypedField("Reserved", PEDataDirectoryStruct)
class PEImportedFunction(entities.Entity):
    """One imported symbol of a PE import entry (``PEImportedFunctionType``)."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEImportedFunctionType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    function_name = fields.TypedField("Function_Name", String)
    # Hint, bound address and virtual address are all kept as hex text.
    hint = fields.TypedField("Hint", HexBinary)
    ordinal = fields.TypedField("Ordinal", NonNegativeInteger)
    bound = fields.TypedField("Bound", HexBinary)
    virtual_address = fields.TypedField("Virtual_Address", HexBinary)
class PEImportedFunctions(entities.EntityList):
    """List wrapper holding zero or more :class:`PEImportedFunction`."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEImportedFunctionsType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    imported_function = fields.TypedField("Imported_Function", PEImportedFunction, multiple=True)
class PEImport(entities.Entity):
    """One imported module (DLL) and the functions taken from it (``PEImportType``)."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEImportType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    # These two fields declare no type, so whatever the binding hands over is
    # stored as-is.  The lowercase names suggest XML attributes of the Import
    # element -- presumably boolean flags; verify against the schema.
    delay_load = fields.TypedField("delay_load")
    initially_visible = fields.TypedField("initially_visible")
    file_name = fields.TypedField("File_Name", String)
    imported_functions = fields.TypedField("Imported_Functions", PEImportedFunctions)
    virtual_address = fields.TypedField("Virtual_Address", HexBinary)
class PEImportList(entities.EntityList):
    """List wrapper holding zero or more :class:`PEImport`."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEImportListType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    # Trailing underscore avoids shadowing the ``import`` keyword.
    import_ = fields.TypedField("Import", PEImport, multiple=True)
class PEChecksum(entities.Entity):
    """The three checksum readings of a PE file (``PEChecksumType``).

    NOTE(review): going by the names, ``PE_Computed_API`` and ``PE_File_API``
    look like the checksum as recomputed through the OS API versus the one
    read from the header, with ``PE_File_Raw`` the raw header field.  A
    disagreement between them is a common modification indicator, but this
    class only stores the values -- confirm the semantics with the schema
    before relying on a comparison.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEChecksumType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    pe_computed_api = fields.TypedField("PE_Computed_API", Long)
    pe_file_api = fields.TypedField("PE_File_API", Long)
    pe_file_raw = fields.TypedField("PE_File_Raw", Long)
class PEResourceFactory(entities.EntityFactory):
    """Pick the :class:`PEResource` subclass for a parsed resource entry.

    ``key`` is presumably the ``xsi:type`` of the incoming element.  Only
    classes registered through ``@cybox.register_extension`` can be selected;
    any other key falls back to the generic :class:`PEResource`, so an
    unexpected type name in a document cannot pull in an arbitrary class.
    """

    @classmethod
    def entity_class(cls, key):
        """Return the registered entity class for *key*, else ``PEResource``."""
        fallback = PEResource
        return cybox.lookup_extension(key, default=fallback)
class PEResource(entities.Entity):
    """A resource entry of a PE file (``PEResourceType``).

    Base class for the typed resources.  :class:`PEResourceFactory` selects
    the concrete subclass from the ``xsi:type`` key and falls back to this
    class for anything it does not recognise.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEResourceType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"
    _XSI_TYPE = None  # overridden by subclasses

    type_ = fields.TypedField("Type", String)
    name = fields.TypedField("Name", String)
    size = fields.TypedField("Size", PositiveInteger)
    virtual_address = fields.TypedField("Virtual_Address", HexBinary)
    language = fields.TypedField("Language", String)
    sub_language = fields.TypedField("Sub_Language", String)
    hashes = fields.TypedField("Hashes", HashList)
    # Resource bytes are carried as a String field; no decoding happens here.
    data = fields.TypedField("Data", String)

    def to_dict(self):
        """Return the entity as a dict, tagged with ``xsi:type`` when one is set.

        Only subclasses that define ``_XSI_TYPE`` get the key, so a consumer
        of the dict can tell which concrete resource type it came from.
        """
        result = super(PEResource, self).to_dict()
        xsi_type = self._XSI_TYPE
        if xsi_type:
            result["xsi:type"] = xsi_type
        return result

    @staticmethod
    def lookup_class(xsi_type):
        """Resolve *xsi_type* to a registered subclass, else ``PEResource``.

        Same registry lookup as :class:`PEResourceFactory`; the ``default``
        means an unregistered type name yields the generic class rather
        than an error.
        """
        fallback = PEResource
        return cybox.lookup_extension(xsi_type, default=fallback)
@cybox.register_extension
class PEVersionInfoResource(PEResource):
    """VS_VERSIONINFO-style resource (``PEVersionInfoResourceType``).

    Registered as an extension so the ``xsi:type`` below maps back to this
    class when a document is parsed.  Every field is free-form text supplied
    by whoever built the binary; treat values such as ``CompanyName`` or
    ``OriginalFilename`` as claims, not as verified provenance.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEVersionInfoResourceType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"
    # Overrides the base-class None so to_dict() emits the type tag.
    _XSI_TYPE = "WinExecutableFileObj:PEVersionInfoResourceType"

    comments = fields.TypedField("Comments", String)
    companyname = fields.TypedField("CompanyName", String)
    filedescription = fields.TypedField("FileDescription", String)
    fileversion = fields.TypedField("FileVersion", String)
    internalname = fields.TypedField("InternalName", String)
    langid = fields.TypedField("LangID", String)
    legalcopyright = fields.TypedField("LegalCopyright", String)
    legaltrademarks = fields.TypedField("LegalTrademarks", String)
    originalfilename = fields.TypedField("OriginalFilename", String)
    privatebuild = fields.TypedField("PrivateBuild", String)
    productname = fields.TypedField("ProductName", String)
    productversion = fields.TypedField("ProductVersion", String)
    specialbuild = fields.TypedField("SpecialBuild", String)
class PEResourceList(entities.EntityList):
    """List wrapper holding zero or more :class:`PEResource` (or subclasses).

    The ``factory`` argument lets each element be instantiated as the
    registered subclass named by its ``xsi:type`` instead of the base class.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEResourceListType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    resource = fields.TypedField("Resource", PEResource, multiple=True, factory=PEResourceFactory)
class PESection(entities.Entity):
    """A PE section: its header plus hashes and entropy (``PESectionType``).

    ``PESectionHeaderStruct`` is declared elsewhere in this module.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PESectionType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    section_header = fields.TypedField("Section_Header", PESectionHeaderStruct)
    # Hashes of the section body and of its header are kept separately.
    data_hashes = fields.TypedField("Data_Hashes", HashList)
    entropy = fields.TypedField("Entropy", Entropy)
    header_hashes = fields.TypedField("Header_Hashes", HashList)
class PESectionList(entities.EntityList):
    """List wrapper holding zero or more :class:`PESection`."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PESectionListType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    section = fields.TypedField("Section", PESection, multiple=True)
class WinExecutableFile(WinFile):
    """A Windows PE executable, extending :class:`WinFile` with PE structure.

    Everything here is a declarative data model: the signature, checksums,
    hashes and entropy are recorded as the producer supplied them, and no
    field is verified or recomputed by this class.  ``PEBuildInformation``
    and ``PEHeaders`` are declared elsewhere in this module.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.WindowsExecutableFileObjectType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"
    # Namespace prefix and type name used for the object's xsi:type.
    _XSI_NS = "WinExecutableFileObj"
    _XSI_TYPE = "WindowsExecutableFileObjectType"

    build_information = fields.TypedField("Build_Information", PEBuildInformation)
    # Whatever signature data was recorded; presence here is not validation.
    digital_signature = fields.TypedField("Digital_Signature", DigitalSignature)
    exports = fields.TypedField("Exports", PEExports)
    # Presumably bytes beyond the PE structure proper (overlay) -- verify.
    extraneous_bytes = fields.TypedField("Extraneous_Bytes", Integer)
    headers = fields.TypedField("Headers", PEHeaders)
    imports = fields.TypedField("Imports", PEImportList)
    pe_checksum = fields.TypedField("PE_Checksum", PEChecksum)
    resources = fields.TypedField("Resources", PEResourceList)
    sections = fields.TypedField("Sections", PESectionList)
    # Trailing underscore avoids shadowing the ``type`` builtin.
    type_ = fields.TypedField("Type", String)