heuristics infer moved inside framework, working again :)

necst · Jun 29, 2018 · 871c398 · 871c398
1 parent 0e52848
commit 871c398
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 11 deletions.
diff --git a/crave.py b/crave.py
@@ -80,9 +80,9 @@ def main():
 
     # create the parser for the "b" command
     parser_b = subparsers.add_parser(
-        'scan', help='Scan with virustotal the crafted samples')
-    parser_b = parser_b.add_argument(
-        '--no-submit', action='store_true', help='Do not submit samples, but retrieve results from VT')
+            'scan', help='Scan with virustotal the crafted samples')
+    parser_b.add_argument('--no-submit', action='store_true',
+            help='Do not submit samples, but retrieve results from VT')
 
     parser_c = subparsers.add_parser(
         'infer', help='Infer AV capabilities from scan results')

diff --git a/crave/cravedb/vedisbackend.py b/crave/cravedb/vedisbackend.py
@@ -28,7 +28,7 @@ def put_sample(self, sample):
 
         # keep reference of the sample for each tag :)
         for t in sample.tags:
-            self._tags[t] = sample.sha256
+            self.put_tag(t, sample.sha256)
 
         self._db.commit()
 
@@ -50,14 +50,17 @@ def get_scan(self, sample=None, sha256=None):
             return json.loads(res)
         return None
 
+    def put_tag(self, tag, sha256):
+        t = self._db.Set('tag_' + tag)
+        t.add(sha256)
+
+    def get_tagged_samples(self, tag):
+        return self._db.Set('tag_' + tag)
+
     @property
     def _samples(self):
         return self._db.Hash('samples')
 
-    @property
-    def _tags(self):
-        return self._db.Hash('tags')
-
     @property
     def _scans(self):
         return self._db.Hash('scans')

diff --git a/crave/decider/decider.py b/crave/decider/decider.py
@@ -1,4 +1,11 @@
 from ..plugin import Plugin
+from collections import defaultdict
+from ..sample import TAGS
+from ..utils.colors import *
+import logging
+
+l = logging.getLogger('crave.decider')
+
 
 class Decider(Plugin):
 
@@ -19,10 +26,43 @@ def emulation(self, goodware, malware):
         return {}
 
     def heuristics(self):
-        print 'yolo'
+
+        avs = defaultdict(dict)
+
+        for s in self.project.db.get_tagged_samples('heur'):
+            # we have sha256 of the sample here
+            sample = self.project.db.get_sample(s)
+            scan = self.project.db.get_scan(sample)
+            scans = scan['scans']
+
+            # false positive = detected but goodware
+            # false negative = not detected but malware
+
+            for av in scans:
+                avs[av]['_'.join(sample.mutations)] = {
+                    'false_positive': 0,
+                    'false_negative': 0}
+
+            for av in scans:
+                if TAGS.GOODWARE in sample.tags and scans[av]['detected']:
+                    avs[av]['_'.join(sample.mutations)]['false_positive'] += 1
+                if TAGS.MALWARE in sample.tags and not scans[av]['detected']:
+                    avs[av]['_'.join(sample.mutations)]['false_negative'] += 1
+
+            for av in avs:
+                print blue('Heuristics results for %s' % av)
+                for m in avs[av]:
+                    fp = avs[av][m]['false_positive']
+                    fn = avs[av][m]['false_negative']
+                    text = ('%20s:\tFP: %d\tFN: %d' % (
+                        m, fp, fn))
+                    if fp or fn:
+                        text = red(text)
+                    print text
+                print ''
 
     def static_unpacking(self, malware):
-        sample = malware.get_sample() # (?) o gli passiamo un sample direttamente
+        sample = malware.get_sample()  # (?) o gli passiamo un sample direttamente
         packed = sample.get_packed()
         broke_oep = packed.get_heur('retoep')
 

diff --git a/crave/scanner/scanner.py b/crave/scanner/scanner.py
@@ -114,7 +114,11 @@ def _query_vt(resources):
                 resources.remove(res['resource'])
 
                 scan = self.project.db.get_scan(sha256=res['sha256'])
-                scan.update(res)
+                if scan is not None:
+                    scan.update(res)
+                else:
+                    scan = res
+
                 self.project.db.put_scan(scan, sha256=res['sha256'])
                 l.debug('Updated scans for %s', res['sha256'])
 

diff --git a/crave/utils/colors.py b/crave/utils/colors.py
@@ -18,3 +18,7 @@ def green(text):
 
 def yellow(text):
     return color(text, 33)
+
+
+def blue(text):
+    return color(text, 34)