Improved PE_info analyzer (intelowlproject#2464)

g4ze · mlodic · Michalsus · commit 5ca21e55ac06 · 2024-10-11T20:32:13.000+02:00
* update

* update

* init

* init

* blint fix

* black and flake8

* upgraded lief

* complexity

---------

Co-authored-by: Matteo Lodi &lt;30625432+mlodic@users.noreply.github.com&gt;
diff --git a/api_app/analyzers_manager/admin.py b/api_app/analyzers_manager/admin.py
@@ -6,9 +6,9 @@
 from api_app.analyzers_manager.models import AnalyzerConfig, AnalyzerReport
 
 
+# flake8: noqa
 @admin.register(AnalyzerReport)
-class AnalyzerReportAdminView(AbstractReportAdminView):
-    ...
+class AnalyzerReportAdminView(AbstractReportAdminView): ...
 
 
 @admin.register(AnalyzerConfig)
diff --git a/api_app/analyzers_manager/file_analyzers/doc_info.py b/api_app/analyzers_manager/file_analyzers/doc_info.py
@@ -239,9 +239,9 @@ def manage_encrypted_doc(self):
                 decrypted_file_name, correct_password = self.vbaparser.decrypt_file(
                     self.passwords_to_check,
                 )
-                self.olevba_results[
-                    "additional_passwords_tried"
-                ] = self.passwords_to_check
+                self.olevba_results["additional_passwords_tried"] = (
+                    self.passwords_to_check
+                )
                 if correct_password:
                     self.olevba_results["correct_password"] = correct_password
                 if decrypted_file_name:
diff --git a/api_app/analyzers_manager/file_analyzers/pe_info.py b/api_app/analyzers_manager/file_analyzers/pe_info.py
@@ -11,8 +11,10 @@
 from datetime import datetime
 
 import lief
+import magic
 import pefile
 import pyimpfuzzy
+from dotnetfile import DotNetPE
 from PIL import Image
 
 from api_app.analyzers_manager.classes import FileAnalyzer
@@ -33,8 +35,34 @@ class No_Icon_Error(Exception):
 
 
 class PEInfo(FileAnalyzer):
+    def update(self):
+        pass
+
+    def dotnetpe(self):
+        results = {}
+        file_type = magic.from_buffer(self.read_file_bytes())
+
+        if ".Net" in file_type:
+            dotnet_file = DotNetPE(self.filepath)
+            dotnet_info = {
+                "runtime_target_version": dotnet_file.get_runtime_target_version(),
+                "number_of_streams": dotnet_file.get_number_of_streams(),
+                "has_resources": dotnet_file.has_resources(),
+                "is_mixed_assembly": dotnet_file.is_mixed_assembly(),
+                "has_native_entry_point": dotnet_file.has_native_entry_point(),
+                "is_native_image": dotnet_file.is_native_image(),
+                "is_windows_forms_app": dotnet_file.is_windows_forms_app(),
+            }
+            results["is_dotnet"] = True
+            results["dotnet_info"] = dotnet_info
+        else:
+            results["is_dotnet"] = False
+        return results
+
     def run(self):
         results = {}
+        results["dotnet"] = self.dotnetpe()
+
         try:
             pe = pefile.PE(self.filepath)
             if not pe:
diff --git a/api_app/connectors_manager/admin.py b/api_app/connectors_manager/admin.py
@@ -8,8 +8,8 @@
 
 
 @admin.register(ConnectorReport)
-class ConnectorReportAdminView(AbstractReportAdminView):
-    ...
+# flake8: noqa
+class ConnectorReportAdminView(AbstractReportAdminView): ...
 
 
 @admin.register(ConnectorConfig)
diff --git a/api_app/connectors_manager/connectors/slack.py b/api_app/connectors_manager/connectors/slack.py
@@ -41,12 +41,11 @@ def run(self) -> dict:
 
     @classmethod
     def _monkeypatch(cls):
+        # flake8: noqa
         class MockClient:
-            def __init__(self, *args, **kwargs):
-                ...
+            def __init__(self, *args, **kwargs): ...
 
-            def chat_postMessage(self, *args, **kwargs):
-                ...
+            def chat_postMessage(self, *args, **kwargs): ...
 
         patches = [
             if_mock_connections(
diff --git a/api_app/ingestors_manager/admin.py b/api_app/ingestors_manager/admin.py
@@ -7,9 +7,9 @@
 from api_app.ingestors_manager.models import IngestorConfig, IngestorReport
 
 
+# flake8: noqa
 @admin.register(IngestorReport)
-class IngestorReportAdminView(AbstractReportAdminView):
-    ...
+class IngestorReportAdminView(AbstractReportAdminView): ...
 
 
 @admin.register(IngestorConfig)
diff --git a/api_app/interfaces.py b/api_app/interfaces.py
@@ -102,9 +102,11 @@ def _get_file_serializer(
         from tests.mock_utils import MockUpRequest
 
         files = [
-            data
-            if isinstance(data, File)
-            else File(io.BytesIO(data), name=f"{self.name}.{i}")
+            (
+                data
+                if isinstance(data, File)
+                else File(io.BytesIO(data), name=f"{self.name}.{i}")
+            )
             for i, data in enumerate(values)
         ]
         query_dict = QueryDict(mutable=True)
diff --git a/api_app/investigations_manager/queryset.py b/api_app/investigations_manager/queryset.py
@@ -1,5 +1,5 @@
+# flake8: noqa
 from api_app.queryset import CleanOnCreateQuerySet, ModelWithOwnershipQuerySet
 
 
-class InvestigationQuerySet(CleanOnCreateQuerySet, ModelWithOwnershipQuerySet):
-    ...
+class InvestigationQuerySet(CleanOnCreateQuerySet, ModelWithOwnershipQuerySet): ...
diff --git a/api_app/pivots_manager/admin.py b/api_app/pivots_manager/admin.py
@@ -1,6 +1,6 @@
 # This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl
 # See the file 'LICENSE' for copying permission.
-
+# flake8: noqa
 from django.contrib import admin
 from django.http import HttpRequest
 
@@ -10,8 +10,7 @@
 
 
 @admin.register(PivotReport)
-class PivotReportAdminView(AbstractReportAdminView):
-    ...
+class PivotReportAdminView(AbstractReportAdminView): ...
 
 
 @admin.register(PivotConfig)
diff --git a/api_app/queryset.py b/api_app/queryset.py
@@ -1,3 +1,4 @@
+# flake8: noqa
 import datetime
 import json
 import uuid
@@ -285,15 +286,18 @@ def _alias_org_value_for_user(
         from api_app.models import PluginConfig
 
         return self.alias(
-            org_value=Subquery(
-                PluginConfig.objects.filter(
-                    parameter__pk=OuterRef("pk"), **{config.snake_case_name: config.pk}
+            org_value=(
+                Subquery(
+                    PluginConfig.objects.filter(
+                        parameter__pk=OuterRef("pk"),
+                        **{config.snake_case_name: config.pk},
+                    )
+                    .visible_for_user_by_org(user)
+                    .values("value")[:1],
                 )
-                .visible_for_user_by_org(user)
-                .values("value")[:1],
-            )
-            if user and user.has_membership()
-            else Value(None, output_field=JSONField()),
+                if user and user.has_membership()
+                else Value(None, output_field=JSONField())
+            ),
         )
 
     def _alias_default_value(self, config: "PythonConfig") -> "ParameterQuerySet":
@@ -455,8 +459,7 @@ def visible_for_user(self, user: User = None) -> "PluginConfigQuerySet":
             return self.default_values()
 
 
-class PluginConfigQuerySet(CleanOnCreateQuerySet, ModelWithOwnershipQuerySet):
-    ...
+class PluginConfigQuerySet(CleanOnCreateQuerySet, ModelWithOwnershipQuerySet): ...
 
 
 class PythonConfigQuerySet(AbstractConfigQuerySet):
diff --git a/api_app/serializers/job.py b/api_app/serializers/job.py
@@ -230,12 +230,12 @@ def validate(self, attrs: dict) -> dict:
                 playbook.tags.all()
             )
 
-        analyzers_to_execute = attrs[
-            "analyzers_to_execute"
-        ] = self.set_analyzers_to_execute(**attrs)
-        connectors_to_execute = attrs[
-            "connectors_to_execute"
-        ] = self.set_connectors_to_execute(**attrs)
+        analyzers_to_execute = attrs["analyzers_to_execute"] = (
+            self.set_analyzers_to_execute(**attrs)
+        )
+        connectors_to_execute = attrs["connectors_to_execute"] = (
+            self.set_connectors_to_execute(**attrs)
+        )
         if not analyzers_to_execute and not connectors_to_execute:
             warnings = "\n".join(self.filter_warnings)
             raise ValidationError(
diff --git a/api_app/serializers/plugin.py b/api_app/serializers/plugin.py
@@ -1,3 +1,4 @@
+# flake8: noqa
 import json
 import logging
 from typing import Any
@@ -257,8 +258,7 @@ class Meta:
         exclude = ["id"]
 
 
-class AbstractConfigSerializer(rfs.ModelSerializer):
-    ...
+class AbstractConfigSerializer(rfs.ModelSerializer): ...
 
 
 class PythonConfigSerializer(AbstractConfigSerializer):
diff --git a/api_app/visualizers_manager/admin.py b/api_app/visualizers_manager/admin.py
@@ -7,9 +7,9 @@
 from api_app.visualizers_manager.models import VisualizerConfig, VisualizerReport
 
 
+# flake8: noqa
 @admin.register(VisualizerReport)
-class VisualizerReportAdminView(AbstractReportAdminView):
-    ...
+class VisualizerReportAdminView(AbstractReportAdminView): ...
 
 
 @admin.register(VisualizerConfig)
diff --git a/api_app/visualizers_manager/visualizers/dns.py b/api_app/visualizers_manager/visualizers/dns.py
@@ -67,10 +67,12 @@ def _dns_resolution(self, analyzer_report: AnalyzerReport) -> VisualizableObject
             name=self.Base(value=f"{printable_analyzer_name}", disable=disable_element),
             value=[
                 self.Base(
-                    value=dns_resolution["data"]
-                    if self._job.observable_classification
-                    == ObservableClassification.DOMAIN
-                    else dns_resolution,
+                    value=(
+                        dns_resolution["data"]
+                        if self._job.observable_classification
+                        == ObservableClassification.DOMAIN
+                        else dns_resolution
+                    ),
                     disable=False,
                 )
                 for dns_resolution in analyzer_report.report["resolutions"]
diff --git a/api_app/visualizers_manager/visualizers/domain_reputation_services.py b/api_app/visualizers_manager/visualizers/domain_reputation_services.py
@@ -73,9 +73,11 @@ def _urlhaus(self):
                     icon=VisualizableIcon.URLHAUS,
                 ),
                 self.Base(
-                    value=""
-                    if disabled
-                    else f'found {analyzer_report.report.get("urlhaus_status", "")}'
+                    value=(
+                        ""
+                        if disabled
+                        else f'found {analyzer_report.report.get("urlhaus_status", "")}'
+                    )
                 ),
                 disable=disabled,
             )
diff --git a/api_app/visualizers_manager/visualizers/ip_reputation_services.py b/api_app/visualizers_manager/visualizers/ip_reputation_services.py
@@ -95,9 +95,11 @@ def _urlhaus(self):
                     icon=VisualizableIcon.URLHAUS,
                 ),
                 self.Base(
-                    value=""
-                    if disabled
-                    else f'found {analyzer_report.report.get("urlhaus_status", "")}'
+                    value=(
+                        ""
+                        if disabled
+                        else f'found {analyzer_report.report.get("urlhaus_status", "")}'
+                    )
                 ),
                 disable=disabled,
             )
diff --git a/requirements/project-requirements.txt b/requirements/project-requirements.txt
@@ -45,7 +45,7 @@ dnstwist[full]==20240812
 google>=3.0.0
 google-cloud-webrisk==1.14.0
 intezer-sdk==1.21
-lief==0.14.0
+lief==0.15.1
 maxminddb==2.6.0
 geoip2==4.8.0
 mwdblib==4.5.0
@@ -76,12 +76,14 @@ XLMMacroDeobfuscator[secure]==0.2.3
 thinkst-zippy==0.1.2
 querycontacts==2.0.0
 hfinger==0.2.2
+blint==2.2.2
 permhash==0.1.4
 ail_typo_squatting==2.7.4
 iocextract==1.16.1
 ioc-finder==7.0.0
 polyswarm-api==3.9.0
 knock-subdomains==7.0.1
+dotnetfile==0.2.4
 
 # this is required because XLMMacroDeobfuscator does not pin the following packages
 pyxlsb2==0.0.8
