This repository has been archived by the owner on Jun 7, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathrat.py
105 lines (82 loc) · 3.35 KB
/
rat.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
# -*- coding: utf-8 -*-
# This file is part of Viper - https://github.com/viper-framework/viper
# See the file 'LICENSE' for copying permission.
import os
import importlib
import viper
from viper.common.out import bold
from viper.common.abstracts import Module
from viper.core.session import __sessions__
try:
from scandir import walk
except ImportError:
from os import walk
try:
import yara
HAVE_YARA = True
except ImportError:
HAVE_YARA = False
class RAT(Module):
cmd = 'rat'
description = 'Extract information from known RAT families'
authors = ['Kevin Breen', 'nex']
def __init__(self):
super(RAT, self).__init__()
group = self.parser.add_mutually_exclusive_group(required=True)
group.add_argument('-a', '--auto', action='store_true', help='Automatically detect RAT')
group.add_argument('-f', '--family', help='Specify which RAT family')
group.add_argument('-l', '--list', action='store_true', help='List available RAT modules')
def list(self):
self.log('info', "List of available RAT modules:")
rat_modules_path = os.path.join(os.path.join(os.path.dirname(viper.__file__), 'modules/rats/'))
for folder, folders, files in walk(rat_modules_path):
for file_name in files:
if not file_name.endswith('.py') or file_name.startswith('__init__'):
continue
self.log('item', os.path.join(folder, file_name))
def get_config(self, family):
if not __sessions__.is_set():
self.log('error', "No open session. This command expects a file to be open.")
return
try:
module = importlib.import_module('viper.modules.rats.{0}'.format(family))
except ImportError:
self.log('error', "There is no module for family {0}".format(bold(family)))
return
try:
config = module.config(__sessions__.current.file.data)
except Exception:
config = None
if not config:
self.log('error', "No Configuration Detected")
return
rows = []
for key, value in config.items():
rows.append([key, value])
rows = sorted(rows, key=lambda entry: entry[0])
self.log('info', "Configuration:")
self.log('table', dict(header=['Key', 'Value'], rows=rows))
def auto(self):
if not HAVE_YARA:
self.log('error', "Missing dependency, install yara (see http://plusvic.github.io/yara/)")
return
if not __sessions__.is_set():
self.log('error', "No open session. This command expects a file to be open.")
return
rules = yara.compile(os.path.join(os.path.dirname(viper.__file__), "data", "yara", "rats.yara"))
for match in rules.match(__sessions__.current.file.path):
if 'family' in match.meta:
self.log('info', "Automatically detected supported RAT {0}".format(match.rule))
self.get_config(match.meta['family'])
return
self.log('info', "No known RAT detected")
def run(self):
super(RAT, self).run()
if self.args is None:
return
if self.args.auto:
self.auto()
elif self.args.family:
self.get_config(self.args.family)
elif self.args.list:
self.list()