# Copyright (c) 2017, The MITRE Corporation. All rights reserved.
# See LICENSE.txt for complete terms.

from mixbox import entities, fields

import cybox
import cybox.bindings.win_executable_file_object as win_executable_file_binding
from cybox.common import (
    DateTime, DigitalSignature, Float, HashList, HexBinary, Integer, Long,
    NonNegativeInteger, String, PositiveInteger
)
from cybox.objects.win_file_object import WinFile

"""
CybOX data model for the Windows Executable File (PE) object.

Every class below is a declarative mixbox entity: it names the XML element
each Python attribute maps to and the CybOX type that value carries.  Nothing
in this module parses, validates or verifies a PE file; it only describes
how already-extracted PE metadata is (de)serialised to and from CybOX XML.
"""

# All entities in this module live in the same CybOX object namespace.
_NAMESPACE = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"


def _hex_field(element_name):
    """Return a TypedField for ``element_name`` carrying a HexBinary value."""
    return fields.TypedField(element_name, HexBinary)


def _string_field(element_name):
    """Return a TypedField for ``element_name`` carrying a String value."""
    return fields.TypedField(element_name, String)


def _hash_list_field(element_name="Hashes"):
    """Return a TypedField for ``element_name`` carrying a HashList."""
    return fields.TypedField(element_name, HashList)


class Entropy(entities.Entity):
    """Shannon-entropy measurement (``EntropyType``): a value and its range.

    ``min``/``max`` deliberately mirror the schema's element names even
    though they shadow Python builtins as class attributes.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.EntropyType
    _namespace = _NAMESPACE

    value = fields.TypedField("Value", Float)
    min = fields.TypedField("Min", Float)
    max = fields.TypedField("Max", Float)


class PEBuildInformation(entities.Entity):
    """Toolchain metadata (``PEBuildInformationType``): linker and compiler."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEBuildInformationType
    _namespace = _NAMESPACE

    linker_name = _string_field("Linker_Name")
    linker_version = _string_field("Linker_Version")
    compiler_name = _string_field("Compiler_Name")
    compiler_version = _string_field("Compiler_Version")


class PEExportedFunction(entities.Entity):
    """A single entry of the export table (``PEExportedFunctionType``)."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEExportedFunctionType
    _namespace = _NAMESPACE

    function_name = _string_field("Function_Name")
    entry_point = _hex_field("Entry_Point")
    ordinal = fields.TypedField("Ordinal", NonNegativeInteger)


class PEExportedFunctions(entities.EntityList):
    """List container for ``Exported_Function`` elements."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEExportedFunctionsType
    _namespace = _NAMESPACE

    exported_function = fields.TypedField(
        "Exported_Function", PEExportedFunction, multiple=True
    )


class PEExports(entities.Entity):
    """Export directory summary (``PEExportsType``) plus its function list."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEExportsType
    _namespace = _NAMESPACE

    name = _string_field("Name")
    exported_functions = fields.TypedField("Exported_Functions", PEExportedFunctions)
    number_of_functions = fields.TypedField("Number_Of_Functions", Integer)
    exports_time_stamp = fields.TypedField("Exports_Time_Stamp", DateTime)
    # The schema types these two as Long while Number_Of_Functions is Integer.
    number_of_addresses = fields.TypedField("Number_Of_Addresses", Long)
    number_of_names = fields.TypedField("Number_Of_Names", Long)


class DOSHeader(entities.Entity):
    """The legacy MS-DOS header (``DOSHeaderType``).

    Element names follow the ``IMAGE_DOS_HEADER`` field names verbatim; all
    numeric members are carried as HexBinary.  ``reserved1`` is the only
    repeating element.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.DOSHeaderType
    _namespace = _NAMESPACE

    e_magic = _hex_field("e_magic")
    e_cblp = _hex_field("e_cblp")
    e_cp = _hex_field("e_cp")
    e_crlc = _hex_field("e_crlc")
    e_cparhdr = _hex_field("e_cparhdr")
    e_minalloc = _hex_field("e_minalloc")
    e_maxalloc = _hex_field("e_maxalloc")
    e_ss = _hex_field("e_ss")
    e_sp = _hex_field("e_sp")
    e_csum = _hex_field("e_csum")
    e_ip = _hex_field("e_ip")
    e_cs = _hex_field("e_cs")
    e_lfarlc = _hex_field("e_lfarlc")
    e_ovro = _hex_field("e_ovro")
    e_oemid = _hex_field("e_oemid")
    e_oeminfo = _hex_field("e_oeminfo")
    reserved2 = _hex_field("reserved2")
    e_lfanew = _hex_field("e_lfanew")
    hashes = _hash_list_field()
    reserved1 = fields.TypedField("reserved1", HexBinary, multiple=True)


class PEFileHeader(entities.Entity):
    """COFF file header (``PEFileHeaderType``)."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEFileHeaderType
    _namespace = _NAMESPACE

    machine = _hex_field("Machine")
    number_of_sections = fields.TypedField("Number_Of_Sections", NonNegativeInteger)
    time_date_stamp = _hex_field("Time_Date_Stamp")
    pointer_to_symbol_table = _hex_field("Pointer_To_Symbol_Table")
    number_of_symbols = fields.TypedField("Number_Of_Symbols", NonNegativeInteger)
    size_of_optional_header = _hex_field("Size_Of_Optional_Header")
    characteristics = _hex_field("Characteristics")
    hashes = _hash_list_field()


class PEDataDirectoryStruct(entities.Entity):
    """One data-directory entry (``PEDataDirectoryStructType``): RVA + size."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEDataDirectoryStructType
    _namespace = _NAMESPACE

    virtual_address = _hex_field("Virtual_Address")
    size = fields.TypedField("Size", NonNegativeInteger)


class DataDirectory(entities.Entity):
    """The optional header's data directory table (``DataDirectoryType``).

    Each attribute is a PEDataDirectoryStruct for one well-known directory.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.DataDirectoryType
    _namespace = _NAMESPACE

    export_table = fields.TypedField("Export_Table", PEDataDirectoryStruct)
    import_table = fields.TypedField("Import_Table", PEDataDirectoryStruct)
    resource_table = fields.TypedField("Resource_Table", PEDataDirectoryStruct)
    exception_table = fields.TypedField("Exception_Table", PEDataDirectoryStruct)
    certificate_table = fields.TypedField("Certificate_Table", PEDataDirectoryStruct)
    base_relocation_table = fields.TypedField("Base_Relocation_Table", PEDataDirectoryStruct)
    debug = fields.TypedField("Debug", PEDataDirectoryStruct)
    architecture = fields.TypedField("Architecture", PEDataDirectoryStruct)
    global_ptr = fields.TypedField("Global_Ptr", PEDataDirectoryStruct)
    tls_table = fields.TypedField("TLS_Table", PEDataDirectoryStruct)
    load_config_table = fields.TypedField("Load_Config_Table", PEDataDirectoryStruct)
    bound_import = fields.TypedField("Bound_Import", PEDataDirectoryStruct)
    import_address_table = fields.TypedField("Import_Address_Table", PEDataDirectoryStruct)
    delay_import_descriptor = fields.TypedField("Delay_Import_Descriptor", PEDataDirectoryStruct)
    clr_runtime_header = fields.TypedField("CLR_Runtime_Header", PEDataDirectoryStruct)
    reserved = fields.TypedField("Reserved", PEDataDirectoryStruct)


class PEOptionalHeader(entities.Entity):
    """The PE optional header (``PEOptionalHeaderType``).

    All scalar members are carried as HexBinary; ``data_directory`` nests the
    DataDirectory entity and ``hashes`` holds hashes over the header bytes.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEOptionalHeaderType
    _namespace = _NAMESPACE

    magic = _hex_field("Magic")
    major_linker_version = _hex_field("Major_Linker_Version")
    minor_linker_version = _hex_field("Minor_Linker_Version")
    size_of_code = _hex_field("Size_Of_Code")
    size_of_initialized_data = _hex_field("Size_Of_Initialized_Data")
    size_of_uninitialized_data = _hex_field("Size_Of_Uninitialized_Data")
    address_of_entry_point = _hex_field("Address_Of_Entry_Point")
    base_of_code = _hex_field("Base_Of_Code")
    base_of_data = _hex_field("Base_Of_Data")
    image_base = _hex_field("Image_Base")
    section_alignment = _hex_field("Section_Alignment")
    file_alignment = _hex_field("File_Alignment")
    major_os_version = _hex_field("Major_OS_Version")
    minor_os_version = _hex_field("Minor_OS_Version")
    major_image_version = _hex_field("Major_Image_Version")
    minor_image_version = _hex_field("Minor_Image_Version")
    major_subsystem_version = _hex_field("Major_Subsystem_Version")
    minor_subsystem_version = _hex_field("Minor_Subsystem_Version")
    win32_version_value = _hex_field("Win32_Version_Value")
    size_of_image = _hex_field("Size_Of_Image")
    size_of_headers = _hex_field("Size_Of_Headers")
    checksum = _hex_field("Checksum")
    subsystem = _hex_field("Subsystem")
    dll_characteristics = _hex_field("DLL_Characteristics")
    size_of_stack_reserve = _hex_field("Size_Of_Stack_Reserve")
    size_of_stack_commit = _hex_field("Size_Of_Stack_Commit")
    size_of_heap_reserve = _hex_field("Size_Of_Heap_Reserve")
    size_of_heap_commit = _hex_field("Size_Of_Heap_Commit")
    loader_flags = _hex_field("Loader_Flags")
    number_of_rva_and_sizes = _hex_field("Number_Of_Rva_And_Sizes")
    data_directory = fields.TypedField("Data_Directory", DataDirectory)
    hashes = _hash_list_field()


class PEHeaders(entities.Entity):
    """Aggregates the DOS, file and optional headers (``PEHeadersType``)."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEHeadersType
    _namespace = _NAMESPACE

    dos_header = fields.TypedField("DOS_Header", DOSHeader)
    signature = _hex_field("Signature")
    file_header = fields.TypedField("File_Header", PEFileHeader)
    optional_header = fields.TypedField("Optional_Header", PEOptionalHeader)
    entropy = fields.TypedField("Entropy", Entropy)
    hashes = _hash_list_field()


class PEImportedFunction(entities.Entity):
    """A single imported symbol (``PEImportedFunctionType``)."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEImportedFunctionType
    _namespace = _NAMESPACE

    function_name = _string_field("Function_Name")
    hint = _hex_field("Hint")
    ordinal = fields.TypedField("Ordinal", NonNegativeInteger)
    bound = _hex_field("Bound")
    virtual_address = _hex_field("Virtual_Address")


class PEImportedFunctions(entities.EntityList):
    """List container for ``Imported_Function`` elements."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEImportedFunctionsType
    _namespace = _NAMESPACE

    imported_function = fields.TypedField(
        "Imported_Function", PEImportedFunction, multiple=True
    )


class PEImport(entities.Entity):
    """One import descriptor (``PEImportType``): a DLL and its functions."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEImportType
    _namespace = _NAMESPACE

    # NOTE(review): these two fields are declared without a CybOX type, so the
    # assigned value passes through untyped; presumably they map to XML
    # attributes of the binding's PEImportType -- confirm against the binding.
    delay_load = fields.TypedField("delay_load")
    initially_visible = fields.TypedField("initially_visible")
    file_name = _string_field("File_Name")
    imported_functions = fields.TypedField("Imported_Functions", PEImportedFunctions)
    virtual_address = _hex_field("Virtual_Address")


class PEImportList(entities.EntityList):
    """List container for ``Import`` elements (``import_`` avoids the keyword)."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEImportListType
    _namespace = _NAMESPACE

    import_ = fields.TypedField("Import", PEImport, multiple=True)


class PEChecksum(entities.Entity):
    """PE checksum values (``PEChecksumType``) as reported by three sources."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEChecksumType
    _namespace = _NAMESPACE

    pe_computed_api = fields.TypedField("PE_Computed_API", Long)
    pe_file_api = fields.TypedField("PE_File_API", Long)
    pe_file_raw = fields.TypedField("PE_File_Raw", Long)


class PEResourceFactory(entities.EntityFactory):
    """Picks the PEResource subclass for a ``Resource`` element by xsi:type.

    Only classes registered with ``cybox.register_extension`` can be selected;
    any unrecognised or absent key falls back to plain PEResource, so an
    untrusted document cannot steer deserialisation to an arbitrary class.
    """
    @classmethod
    def entity_class(cls, key):
        """Return the registered extension class for ``key`` (default PEResource)."""
        return cybox.lookup_extension(key, default=PEResource)


class PEResource(entities.Entity):
    """Base PE resource entry (``PEResourceType``).

    Subclasses set ``_XSI_TYPE`` so that ``to_dict`` can emit the ``xsi:type``
    discriminator the factory later uses to pick the right class again.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEResourceType
    _namespace = _NAMESPACE
    _XSI_TYPE = None  # overridden by subclasses

    type_ = _string_field("Type")
    name = _string_field("Name")
    size = fields.TypedField("Size", PositiveInteger)
    virtual_address = _hex_field("Virtual_Address")
    language = _string_field("Language")
    sub_language = _string_field("Sub_Language")
    hashes = _hash_list_field()
    # Raw resource payload is modelled as a String, not binary.
    data = _string_field("Data")

    def to_dict(self):
        """Serialise to a dict, adding ``xsi:type`` when a subclass defines it."""
        serialized = super(PEResource, self).to_dict()
        xsi_type = self._XSI_TYPE
        if xsi_type:
            serialized["xsi:type"] = xsi_type
        return serialized

    @staticmethod
    def lookup_class(xsi_type):
        """Resolve ``xsi_type`` to a registered subclass, defaulting to PEResource."""
        return cybox.lookup_extension(xsi_type, default=PEResource)


@cybox.register_extension
class PEVersionInfoResource(PEResource):
    """VS_VERSIONINFO resource (``PEVersionInfoResourceType``).

    Registered as an extension so the xsi:type below round-trips through
    PEResourceFactory.  Attribute names are the lower-cased StringFileInfo keys.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEVersionInfoResourceType
    _namespace = _NAMESPACE
    _XSI_TYPE = "WinExecutableFileObj:PEVersionInfoResourceType"

    comments = _string_field("Comments")
    companyname = _string_field("CompanyName")
    filedescription = _string_field("FileDescription")
    fileversion = _string_field("FileVersion")
    internalname = _string_field("InternalName")
    langid = _string_field("LangID")
    legalcopyright = _string_field("LegalCopyright")
    legaltrademarks = _string_field("LegalTrademarks")
    originalfilename = _string_field("OriginalFilename")
    privatebuild = _string_field("PrivateBuild")
    productname = _string_field("ProductName")
    productversion = _string_field("ProductVersion")
    specialbuild = _string_field("SpecialBuild")


class PEResourceList(entities.EntityList):
    """List container for ``Resource`` elements, dispatched via PEResourceFactory."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEResourceListType
    _namespace = _NAMESPACE

    resource = fields.TypedField(
        "Resource", PEResource, multiple=True, factory=PEResourceFactory
    )


class PESectionHeaderStruct(entities.Entity):
    """One section-table entry (``PESectionHeaderStructType``)."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PESectionHeaderStructType
    _namespace = _NAMESPACE

    name = _string_field("Name")
    virtual_size = _hex_field("Virtual_Size")
    virtual_address = _hex_field("Virtual_Address")
    size_of_raw_data = _hex_field("Size_Of_Raw_Data")
    pointer_to_raw_data = _hex_field("Pointer_To_Raw_Data")
    pointer_to_relocations = _hex_field("Pointer_To_Relocations")
    pointer_to_linenumbers = _hex_field("Pointer_To_Linenumbers")
    number_of_relocations = fields.TypedField("Number_Of_Relocations", NonNegativeInteger)
    number_of_linenumbers = fields.TypedField("Number_Of_Linenumbers", NonNegativeInteger)
    characteristics = _hex_field("Characteristics")


class PESection(entities.Entity):
    """A section (``PESectionType``): header plus hashes/entropy of its data."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PESectionType
    _namespace = _NAMESPACE

    section_header = fields.TypedField("Section_Header", PESectionHeaderStruct)
    data_hashes = _hash_list_field("Data_Hashes")
    entropy = fields.TypedField("Entropy", Entropy)
    header_hashes = _hash_list_field("Header_Hashes")


class PESectionList(entities.EntityList):
    """List container for ``Section`` elements."""
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PESectionListType
    _namespace = _NAMESPACE

    section = fields.TypedField("Section", PESection, multiple=True)


class WinExecutableFile(WinFile):
    """The top-level Windows executable object (``WindowsExecutableFileObjectType``).

    Extends WinFile with PE-specific structure.  ``digital_signature`` merely
    carries the DigitalSignature entity from ``cybox.common``; nothing here
    checks that signature against the file contents.
    """
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.WindowsExecutableFileObjectType
    _namespace = _NAMESPACE
    _XSI_NS = "WinExecutableFileObj"
    _XSI_TYPE = "WindowsExecutableFileObjectType"

    build_information = fields.TypedField("Build_Information", PEBuildInformation)
    digital_signature = fields.TypedField("Digital_Signature", DigitalSignature)
    exports = fields.TypedField("Exports", PEExports)
    extraneous_bytes = fields.TypedField("Extraneous_Bytes", Integer)
    headers = fields.TypedField("Headers", PEHeaders)
    imports = fields.TypedField("Imports", PEImportList)
    pe_checksum = fields.TypedField("PE_Checksum", PEChecksum)
    resources = fields.TypedField("Resources", PEResourceList)
    sections = fields.TypedField("Sections", PESectionList)
    type_ = _string_field("Type")