# Copyright (c) 2015, The MITRE Corporation. All rights reserved.
# See LICENSE.txt for complete terms.
from mixbox import fields
import cybox
import cybox.bindings.win_executable_file_object as win_executable_file_binding
from cybox.common import (DateTime, DigitalSignature, Float, HashList,
HexBinary, Integer, Long, NonNegativeInteger, String, UnsignedLong, PositiveInteger)
from cybox.objects.win_file_object import WinFile
class Entropy(cybox.Entity):
    """Entropy measurement, used by ``PESection.entropy``.

    Maps to ``EntropyType`` in the WinExecutableFileObject-2 binding.
    All three values are ``Float`` typed fields; nothing here enforces
    that ``min <= value <= max`` -- that is left to the producer.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.EntropyType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    value = fields.TypedField("Value", Float)
    # ``min``/``max`` shadow the builtins only inside this class body.
    min = fields.TypedField("Min", Float)
    max = fields.TypedField("Max", Float)
class PEExportedFunction(cybox.Entity):
    """One entry of a PE export table (``PEExportedFunctionType`` binding).

    ``entry_point`` is carried as ``HexBinary`` and ``ordinal`` as
    ``NonNegativeInteger``; no range checking happens in this class.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEExportedFunctionType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    function_name = fields.TypedField("Function_Name", String)
    entry_point = fields.TypedField("Entry_Point", HexBinary)
    ordinal = fields.TypedField("Ordinal", NonNegativeInteger)
class PEExportedFunctions(cybox.EntityList):
    """List of ``PEExportedFunction`` entries (``PEExportedFunctionsType``).

    ``_binding_var`` names the repeated ``Exported_Function`` member on the
    binding class; ``_contained_type`` is the entity each member maps to.
    """
    _binding_class = win_executable_file_binding.PEExportedFunctionsType
    _binding_var = "Exported_Function"
    _contained_type = PEExportedFunction
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"
class PEExports(cybox.Entity):
    """PE export directory (``PEExportsType`` binding).

    ``number_of_functions`` is ``Integer`` while ``number_of_addresses``
    and ``number_of_names`` are ``Long``; the counts are recorded as
    observed and are not cross-checked against ``exported_functions``.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEExportsType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    name = fields.TypedField("Name", String)
    exported_functions = fields.TypedField("Exported_Functions", PEExportedFunctions)
    number_of_functions = fields.TypedField("Number_Of_Functions", Integer)
    exports_time_stamp = fields.TypedField("Exports_Time_Stamp", DateTime)
    number_of_addresses = fields.TypedField("Number_Of_Addresses", Long)
    number_of_names = fields.TypedField("Number_Of_Names", Long)
class PEDataDirectoryStruct(cybox.Entity):
    """A single data-directory entry: virtual address plus size.

    Maps to ``PEDataDirectoryStructType``; used for every field of
    ``DataDirectory``.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEDataDirectoryStructType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    virtual_address = fields.TypedField("Virtual_Address", HexBinary)
    size = fields.TypedField("Size", NonNegativeInteger)
class DataDirectory(cybox.Entity):
    """The PE optional-header data directory (``DataDirectoryType``).

    Every field is a ``PEDataDirectoryStruct`` (virtual address + size).
    Note the binding name for ``clr_runtime_header`` is
    ``CLR_Runtime_Header`` (upper-case ``CLR``), unlike the other fields.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.DataDirectoryType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    export_table = fields.TypedField("Export_Table", PEDataDirectoryStruct)
    import_table = fields.TypedField("Import_Table", PEDataDirectoryStruct)
    resource_table = fields.TypedField("Resource_Table", PEDataDirectoryStruct)
    exception_table = fields.TypedField("Exception_Table", PEDataDirectoryStruct)
    # Location of the embedded Authenticode data; only recorded here,
    # never validated by this model.
    certificate_table = fields.TypedField("Certificate_Table", PEDataDirectoryStruct)
    base_relocation_table = fields.TypedField("Base_Relocation_Table", PEDataDirectoryStruct)
    debug = fields.TypedField("Debug", PEDataDirectoryStruct)
    architecture = fields.TypedField("Architecture", PEDataDirectoryStruct)
    global_ptr = fields.TypedField("Global_Ptr", PEDataDirectoryStruct)
    tls_table = fields.TypedField("Tls_Table", PEDataDirectoryStruct)
    load_config_table = fields.TypedField("Load_Config_Table", PEDataDirectoryStruct)
    bound_import = fields.TypedField("Bound_Import", PEDataDirectoryStruct)
    import_address_table = fields.TypedField("Import_Address_Table", PEDataDirectoryStruct)
    delay_import_descriptor = fields.TypedField("Delay_Import_Descriptor", PEDataDirectoryStruct)
    clr_runtime_header = fields.TypedField("CLR_Runtime_Header", PEDataDirectoryStruct)
    reserved = fields.TypedField("Reserved", PEDataDirectoryStruct)
class PEImportedFunction(cybox.Entity):
    """One entry of a PE import table (``PEImportedFunctionType``).

    ``hint``, ``bound`` and ``virtual_address`` are all ``HexBinary``;
    ``ordinal`` is ``NonNegativeInteger``.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEImportedFunctionType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    function_name = fields.TypedField("Function_Name", String)
    hint = fields.TypedField("Hint", HexBinary)
    ordinal = fields.TypedField("Ordinal", NonNegativeInteger)
    bound = fields.TypedField("Bound", HexBinary)
    virtual_address = fields.TypedField("Virtual_Address", HexBinary)
class PEImportedFunctions(cybox.EntityList):
    """List of ``PEImportedFunction`` entries (``PEImportedFunctionsType``).

    ``_binding_var`` names the repeated ``Imported_Function`` member on
    the binding class.
    """
    _binding_class = win_executable_file_binding.PEImportedFunctionsType
    _binding_var = "Imported_Function"
    _contained_type = PEImportedFunction
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"
class PEImport(cybox.Entity):
    """One imported module of a PE file (``PEImportType`` binding).

    ``delay_load`` and ``initially_visible`` are declared without a type,
    so no coercion is applied to them; their lower-case binding names
    suggest XML attributes rather than child elements -- confirm against
    the schema before relying on that.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEImportType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    delay_load = fields.TypedField("delay_load")
    initially_visible = fields.TypedField("initially_visible")
    file_name = fields.TypedField("File_Name", String)
    imported_functions = fields.TypedField("Imported_Functions", PEImportedFunctions)
    virtual_address = fields.TypedField("Virtual_Address", HexBinary)
class PEImportList(cybox.EntityList):
    """List of ``PEImport`` entries (``PEImportListType`` binding).

    ``_binding_var`` names the repeated ``Import`` member on the binding
    class.
    """
    _binding_class = win_executable_file_binding.PEImportListType
    _binding_var = "Import"
    _contained_type = PEImport
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"
class PEChecksum(cybox.Entity):
    """PE checksum values (``PEChecksumType`` binding).

    Three ``Long`` fields are recorded side by side. From the binding
    names they presumably hold a checksum computed via an API, the value
    an API reads from the file, and the raw header value -- confirm
    against the schema. Nothing here compares them; a consumer that wants
    to flag a header/computed mismatch has to do that itself.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEChecksumType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    pe_computed_api = fields.TypedField("PE_Computed_API", Long)
    pe_file_api = fields.TypedField("PE_File_API", Long)
    pe_file_raw = fields.TypedField("PE_File_Raw", Long)
class PEResource(cybox.Entity):
    """A generic PE resource entry (``PEResourceType`` binding).

    ``size`` is ``PositiveInteger``, so a zero-length resource cannot be
    represented through that field. ``data`` is typed ``String``;
    whether it carries raw bytes or an encoded form is not fixed here --
    confirm against the schema before decoding it.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEResourceType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    type_ = fields.TypedField("Type", String)  # trailing underscore avoids shadowing ``type``
    name = fields.TypedField("Name", String)
    size = fields.TypedField("Size", PositiveInteger)
    virtual_address = fields.TypedField("Virtual_Address", HexBinary)
    language = fields.TypedField("Language", String)
    sub_language = fields.TypedField("Sub_Language", String)
    hashes = fields.TypedField("Hashes", HashList)
    data = fields.TypedField("Data", String)
class PEResourceList(cybox.EntityList):
    """List of ``PEResource`` entries (``PEResourceListType`` binding).

    ``_binding_var`` names the repeated ``Resource`` member on the binding
    class. ``from_list`` is overridden so that version-info dicts become
    ``PEVersionInfoResource`` instances instead of plain ``PEResource``.
    """
    _binding_class = win_executable_file_binding.PEResourceListType
    _binding_var = "Resource"
    _contained_type = PEResource
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    #VersionInfoResource temporary fix
    @staticmethod
    def from_list(pe_resource_list):
        """Build a ``PEResourceList`` from a list of resource dicts.

        Each dict is routed to ``PEVersionInfoResource.from_dict`` when
        ``PEVersionInfoResource.keyword_test`` accepts it and to
        ``PEResource.from_dict`` otherwise. Returns ``None`` for an
        empty or falsy input.
        """
        if not pe_resource_list:
            return None

        result = PEResourceList()
        for resource_dict in pe_resource_list:
            # Pick the concrete entity per entry; the generic list loader
            # presumably only knows about ``_contained_type``.
            is_version_info = PEVersionInfoResource.keyword_test(resource_dict)
            entity_cls = PEVersionInfoResource if is_version_info else PEResource
            result.append(entity_cls.from_dict(resource_dict))
        return result
class PESection(cybox.Entity):
    """One PE section: header, hashes and entropy (``PESectionType``).

    ``PESectionHeaderStruct`` is not defined in the part of the module
    shown here -- presumably declared elsewhere in this module; confirm.
    Separate ``HashList`` fields cover the section data and the header.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PESectionType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    section_header = fields.TypedField("Section_Header", PESectionHeaderStruct)
    data_hashes = fields.TypedField("Data_Hashes", HashList)
    entropy = fields.TypedField("Entropy", Entropy)
    header_hashes = fields.TypedField("Header_Hashes", HashList)
class PESectionList(cybox.EntityList):
    """List of ``PESection`` entries (``PESectionListType`` binding).

    ``_binding_var`` names the repeated ``Section`` member on the binding
    class.
    """
    _binding_class = win_executable_file_binding.PESectionListType
    _binding_var = "Section"
    _contained_type = PESection
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"
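class PEVersionInfoResource(PEResource):
    """A VERSIONINFO resource (``PEVersionInfoResourceType`` binding).

    Extends ``PEResource`` with the string fields of a version-info
    block. The values are producer-supplied strings and are not
    validated; treat them as untrusted metadata, not as identity.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEVersionInfoResourceType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    comments = fields.TypedField("Comments", String)
    companyname = fields.TypedField("CompanyName", String)
    filedescription = fields.TypedField("FileDescription", String)
    fileversion = fields.TypedField("FileVersion", String)
    internalname = fields.TypedField("InternalName", String)
    langid = fields.TypedField("LangID", String)
    legalcopyright = fields.TypedField("LegalCopyright", String)
    legaltrademarks = fields.TypedField("LegalTrademarks", String)
    originalfilename = fields.TypedField("OriginalFilename", String)
    privatebuild = fields.TypedField("PrivateBuild", String)
    productname = fields.TypedField("ProductName", String)
    productversion = fields.TypedField("ProductVersion", String)
    specialbuild = fields.TypedField("SpecialBuild", String)

    # Dict keys that mark an entry as a version-info resource: one per
    # TypedField declared above. ``legaltrademarks`` was missing from
    # the original list, so a dict holding only that key was loaded as a
    # plain PEResource. Keep this in sync when fields change.
    _VERSION_INFO_KEYS = frozenset([
        'comments',
        'companyname',
        'filedescription',
        'fileversion',
        'internalname',
        'langid',
        'legalcopyright',
        'legaltrademarks',
        'originalfilename',
        'privatebuild',
        'productname',
        'productversion',
        'specialbuild',
    ])

    @staticmethod
    def keyword_test(pe_resource_dict):
        """Return True if *pe_resource_dict* contains any version-info key.

        Args:
            pe_resource_dict: mapping of a single resource entry, as
                handed in by ``PEResourceList.from_list``.

        Returns:
            ``True`` when at least one key is in ``_VERSION_INFO_KEYS``;
            ``False`` otherwise, including for ``None`` or an empty dict.
        """
        if not pe_resource_dict:
            return False
        keys = PEVersionInfoResource._VERSION_INFO_KEYS
        return any(key in keys for key in pe_resource_dict)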
class WinExecutableFile(WinFile):
    """Windows PE file observable (``WindowsExecutableFileObjectType``).

    Extends ``WinFile``; ``_XSI_NS``/``_XSI_TYPE`` give the xsi:type used
    on serialization. ``PEBuildInformation`` and ``PEHeaders`` are not
    defined in the part of the module shown here -- presumably declared
    elsewhere in this module; confirm.

    ``digital_signature`` only records the observed signature; nothing in
    this class verifies it, so its presence is not evidence of a valid
    or trusted signer.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.WindowsExecutableFileObjectType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"
    _XSI_NS = "WinExecutableFileObj"
    _XSI_TYPE = "WindowsExecutableFileObjectType"

    build_information = fields.TypedField("Build_Information", PEBuildInformation)
    digital_signature = fields.TypedField("Digital_Signature", DigitalSignature)
    exports = fields.TypedField("Exports", PEExports)
    # Bytes beyond the last section (overlay); recorded as an Integer count.
    extraneous_bytes = fields.TypedField("Extraneous_Bytes", Integer)
    headers = fields.TypedField("Headers", PEHeaders)
    imports = fields.TypedField("Imports", PEImportList)
    pe_checksum = fields.TypedField("PE_Checksum", PEChecksum)
    resources = fields.TypedField("Resources", PEResourceList)
    sections = fields.TypedField("Sections", PESectionList)
    type_ = fields.TypedField("Type", String)  # trailing underscore avoids shadowing ``type``