diff --git a/src/python/strelka/auxiliary/xl4ma/analyzer.py b/src/python/strelka/auxiliary/xl4ma/analyzer.py
index ef3421e0..1a742912 100644
--- a/src/python/strelka/auxiliary/xl4ma/analyzer.py
+++ b/src/python/strelka/auxiliary/xl4ma/analyzer.py
@@ -20,15 +20,15 @@ def _make_temp_file(data, file_type): def _get_file_type(data): file_type = None - if data[:2] == b'\xd0\xcf': - file_type = 'xls' - elif data[:2] == b'\x50\x4b': - file_type = 'xlsx' - if file_type == 'xlsx': - if bytes('workbook.bin', 'ascii') in data: - file_type = 'xlsb' - if bytes('workbook.xml', 'ascii') in data: - file_type = 'xlsm' + if data[:2] == b"\xd0\xcf": + file_type = "xls" + elif data[:2] == b"\x50\x4b": + file_type = "xlsx" + if file_type == "xlsx": + if bytes("workbook.bin", "ascii") in data: + file_type = "xlsb" + if bytes("workbook.xml", "ascii") in data: + file_type = "xlsm" temp_file = _make_temp_file(data, file_type)
@@ -42,27 +42,24 @@ def process_data(data, filename): results = dict() - if file_type == 'xls': + if file_type == "xls": excel_doc = XLSWrapper(file_path) - elif file_type == 'xlsb': + elif file_type == "xlsb": excel_doc = XLSBWrapper(file_path) - elif file_type == 'xlsm': + elif file_type == "xlsm": excel_doc = XLSMWrapper(file_path) - if not hasattr(excel_doc, 'workbook'): - logging.debug('file not supported') + if not hasattr(excel_doc, "workbook"): + logging.debug("file not supported") return results.update(excel_doc.parse_sheets(file_path)) - results['meta'].update({ - 'file_name': filename, - 'file_type': file_type - }) + results["meta"].update({"file_name": filename, "file_type": file_type}) - excel_doc_decoded = decode(file_path, file_type, results['defined_names']) + excel_doc_decoded = decode(file_path, file_type, results["defined_names"]) - results['decoded'] = excel_doc_decoded - results['iocs'] = iocs(excel_doc_decoded) + results["decoded"] = excel_doc_decoded + results["iocs"] = iocs(excel_doc_decoded) temp_file.close() os.unlink(temp_file.name)
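Review bot: The early `return` on the unsupported-file path in process_data skips the `temp_file.close()` / `os.unlink(temp_file.name)` cleanup at the end of the hunk, so every input that reaches that branch leaves a temp file behind, and the same happens whenever `parse_sheets`, `decode` or `iocs` raises. Assuming `temp_file` is the one created in the `_get_file_type` hunk above, move the cleanup into a `finally:` around the body so it runs on every exit. Separately, `excel_doc` is only bound in the three `if`/`elif` branches, so a `file_type` of `"xlsx"` or `None` (both producible by `_get_file_type`, if its return value is what process_data switches on) makes `hasattr(excel_doc, "workbook")` raise `UnboundLocalError` instead of reaching the debug log, unless it is initialised above the hunk; `excel_doc = None` before the chain closes that gap. process_data starts above the hunk.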
@@ -71,10 +68,15 @@ def process_data(data, filename): def parse_args(args=None): - parser = argparse.ArgumentParser( - description='Excel4 Macro Analyzer' + parser = argparse.ArgumentParser(description="Excel4 Macro Analyzer") + parser.add_argument( + "--file", + required=True, + type=str, + action="store", + metavar="FILE_PATH", + help="path to file", ) - parser.add_argument('--file', required=True, type=str, action='store', metavar='FILE_PATH', help="path to file") return parser.parse_args(args)
@@ -82,11 +84,11 @@ def parse_args(args=None): def main(args=None): args = parse_args(args) - with open(args.file, 'rb') as fd: + with open(args.file, "rb") as fd: data = fd.read() process_data(data, filename=Path(args.file).name) if __name__ == "__main__": - main() \ No newline at end of file + main()
diff --git a/src/python/strelka/auxiliary/xl4ma/extract.py b/src/python/strelka/auxiliary/xl4ma/extract.py
index 519d4033..50922a12 100644
--- a/src/python/strelka/auxiliary/xl4ma/extract.py
+++ b/src/python/strelka/auxiliary/xl4ma/extract.py
@@ -7,12 +7,16 @@ def iocs(excel_doc_decoded): extracted = set() for decoded in excel_doc_decoded: - if url := re.findall('(https?://[A-Za-z0-9-._]+/[A-Za-z0-9-._~:/?#\[\]@!$&\'\(\)*+,;%=]+[^,\s\)])', decoded, flags=re.IGNORECASE): + if url := re.findall( + "(https?://[A-Za-z0-9-._]+/[A-Za-z0-9-._~:/?#\[\]@!$&'\(\)*+,;%=]+[^,\s\)])", + decoded, + flags=re.IGNORECASE, + ): scheme, netloc, path, params, query, fragment = urlparse(url[0]) - if netloc.startswith('0x'): + if netloc.startswith("0x"): netloc = socket.inet_ntoa(struct.pack(">L", int(netloc, 16))) - if netloc.startswith('0o'): + if netloc.startswith("0o"): netloc = socket.inet_ntoa(struct.pack(">L", int(netloc, 8))) extracted.add(f"{scheme}://{netloc}{path}") - return list(sorted(extracted)) \ No newline at end of file + return list(sorted(extracted))
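Review bot: The pattern passed to the reformatted `re.findall(` call is still a plain string, so `\[`, `\]`, `\(`, `\)` and `\s` are invalid escape sequences that produce a DeprecationWarning (a SyntaxWarning on current Pythons) even though the regex happens to behave; prefix it with `r`. Only `url[0]` is examined, so a formula that decodes to several URLs contributes a single IOC; iterate over every match instead. The hex/octal host rewrite is unguarded: `int(netloc, 16)` raises `ValueError` when a `0x` host carries a `:port` or stray characters, and `struct.pack(">L", ...)` raises `struct.error` for values above 32 bits, and because scan_xl4ma's handler further down the diff catches `Exception` and only sets a flag, one malformed host discards every IOC from the document; wrap the two conversions in `except (ValueError, struct.error):` and keep the original `netloc`. `list(sorted(extracted))` can simply be `sorted(extracted)`.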
diff --git a/src/python/strelka/auxiliary/xl4ma/xl4decoder.py b/src/python/strelka/auxiliary/xl4ma/xl4decoder.py
index 521edba8..ee54159d 100644
--- a/src/python/strelka/auxiliary/xl4ma/xl4decoder.py
+++ b/src/python/strelka/auxiliary/xl4ma/xl4decoder.py
@@ -13,7 +13,12 @@ def _sanitize_results(results): for result in results or []: if isinstance(result, str): - sanitized = ", ".join([param.lstrip(' ').rstrip(' ') for param in str(result).replace('"', '').split(',')]) + sanitized = ", ".join( + [ + param.lstrip(" ").rstrip(" ") + for param in str(result).replace('"', "").split(",") + ] + ) sanitized_results.append(sanitized) return sanitized_results
@@ -21,7 +26,7 @@ def _sanitize_results(results): # XLS def _decode_xls(file_path, defined_names): - wb = xlrd2.open_workbook(file_path, logfile=open(devnull, 'w')) + wb = xlrd2.open_workbook(file_path, logfile=open(devnull, "w")) book = Workbook() for sheet_name in wb.sheet_names(): sheet_xls = wb.sheet_by_name(sheet_name)
@@ -31,9 +36,15 @@ def _decode_xls(file_path, defined_names): for col in range(0, sheet_xls.ncols): try: if wb[sheet_name].cell(row, col).ctype in (3, 4, 5): - book_sheet.cell(row+1, col+1, f"={wb[sheet_name].cell(row, col).formula}") + book_sheet.cell( + row + 1, + col + 1, + f"={wb[sheet_name].cell(row, col).formula}", + ) elif wb[sheet_name].cell(row, col).ctype in (1, 2): - book_sheet.cell(row+1, col+1, wb[sheet_name].cell(row, col).value) + book_sheet.cell( + row + 1, col + 1, wb[sheet_name].cell(row, col).value + ) except: pass temp_file = tempfile.NamedTemporaryFile(suffix=".xlsx", delete=False)
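Review bot: `logfile=open(devnull, "w")` in the `_decode_xls` hunk creates a file object that is never explicitly closed, so it is released only when the workbook is garbage-collected (a ResourceWarning under `-X dev`), and the same construct appears in XLSWrapper.__init__ in the xls_wrapper hunk below. Keep the handle and close it once the workbook is built, e.g. `with open(devnull, "w") as log: wb = xlrd2.open_workbook(file_path, logfile=log)`, provided xlrd2 does not write to the log after loading, which is worth confirming. The per-cell `except: pass` in the third hunk (repeated in the `_decode_xlsb` hunk and in both wrappers' parse_sheets hunks) is a bare except, so it swallows `KeyboardInterrupt` and `SystemExit` along with genuine cell errors and leaves no trace of which formulas were dropped; narrow it to `except Exception:` and log the skipped cell at debug level. Both functions continue outside their hunks.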
@@ -54,19 +65,35 @@ def _decode_xlsb(file_path, defined_names): for cell in row: if isinstance(cell.value, ErrorValue): formula = Formula.parse(cell.formula).stringify(wb) - if '(' in formula and ')' in formula: - book_sheet.cell(cell.row.num + 1, cell.col + 1, f"={formula}") + if "(" in formula and ")" in formula: + book_sheet.cell( + cell.row.num + 1, cell.col + 1, f"={formula}" + ) else: book_sheet.cell(cell.row.num + 1, cell.col + 1, formula) - elif isinstance(cell.formula, bytes) and (isinstance(cell.value, bool)): - book_sheet.cell(cell.row.num + 1, cell.col + 1, f"={Formula.parse(cell.formula).stringify(wb)}") + elif isinstance(cell.formula, bytes) and ( + isinstance(cell.value, bool) + ): + book_sheet.cell( + cell.row.num + 1, + cell.col + 1, + f"={Formula.parse(cell.formula).stringify(wb)}", + ) elif cell.value: if isinstance(cell.value, int): - book_sheet.cell(cell.row.num + 1, cell.col + 1, int(cell.value)) + book_sheet.cell( + cell.row.num + 1, cell.col + 1, int(cell.value) + ) elif isinstance(cell.value, float): - book_sheet.cell(cell.row.num + 1, cell.col + 1, float(cell.value)) + book_sheet.cell( + cell.row.num + 1, cell.col + 1, float(cell.value) + ) elif isinstance(cell.value, str): - book_sheet.cell(cell.row.num + 1, cell.col + 1, str(cell.value).rstrip('\x00')) + book_sheet.cell( + cell.row.num + 1, + cell.col + 1, + str(cell.value).rstrip("\x00"), + ) except: pass temp_file = tempfile.NamedTemporaryFile(suffix=".xlsx", delete=False) 
@@ -78,16 +105,18 @@ def _decode_xlsb(file_path, defined_names): # XLSM def _decode_xlsm(file_path, defined_names): - with tempfile.NamedTemporaryFile(suffix=f".xlsm", delete=False) as temp_file, open(file_path, 'rb') as fp: + with tempfile.NamedTemporaryFile(suffix=f".xlsm", delete=False) as temp_file, open( + file_path, "rb" + ) as fp: temp_file.write(fp.read()) return _sanitize_results(Interpreter(defined_names).calculate(temp_file)) def decode(file_path, file_type, defined_names): - if file_type == 'xls': + if file_type == "xls": return _decode_xls(file_path, defined_names) - if file_type == 'xlsb': + if file_type == "xlsb": return _decode_xlsb(file_path, defined_names) - if file_type == 'xlsm': - return _decode_xlsm(file_path, defined_names) \ No newline at end of file + if file_type == "xlsm": + return _decode_xlsm(file_path, defined_names)
diff --git a/src/python/strelka/auxiliary/xl4ma/xl4interpreter.py b/src/python/strelka/auxiliary/xl4ma/xl4interpreter.py
index b455ba60..d1938903 100644
--- a/src/python/strelka/auxiliary/xl4ma/xl4interpreter.py
+++ b/src/python/strelka/auxiliary/xl4ma/xl4interpreter.py
@@ -4,7 +4,6 @@ class Interpreter: - def __init__(self, defined_names): self.results = set() self.defined_names = defined_names
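Review bot: `suffix=f".xlsm"` on the reformatted `with` line is an f-string without placeholders; make it a plain `suffix=".xlsm"`. The file is written inside the `with` and then passed to `Interpreter(...).calculate(temp_file)` after the block has already closed it, which only works because calculate (in the xl4interpreter hunk further down) reopens it via `temp_file.name` and unlinks it itself; a one-line comment on the `with` saying the file is kept with `delete=False` because calculate owns its deletion would spare the next reader that trace. `decode` falls off the end and returns `None` for any other `file_type`; an explicit `return None`, or a raised `ValueError`, makes that contract visible at the call site.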
@@ -39,21 +38,27 @@ def eval_char(x): def eval_formula(self, args): if len(args) == 2: x, y = args - if isinstance(x, formulas.ranges.Ranges) and isinstance(y, formulas.functions.Array): + if isinstance(x, formulas.ranges.Ranges) and isinstance( + y, formulas.functions.Array + ): # y[0][0] = x.value[0][0] - y[0][0] = str(x.value[0][0]).replace('"&"', '') + y[0][0] = str(x.value[0][0]).replace('"&"', "") self.results.add(y[0][0]) return y[0][0] - if isinstance(x, formulas.functions.Array) and isinstance(y, formulas.ranges.Ranges): + if isinstance(x, formulas.functions.Array) and isinstance( + y, formulas.ranges.Ranges + ): # y.value[0][0] = x[0][0] - y.value[0][0] = str(x[0][0]).replace('"&"', '') + y.value[0][0] = str(x[0][0]).replace('"&"', "") self.results.add(y.value[0][0]) return y.value[0][0] - if isinstance(x, formulas.ranges.Ranges) and isinstance(y, formulas.ranges.Ranges): + if isinstance(x, formulas.ranges.Ranges) and isinstance( + y, formulas.ranges.Ranges + ): # y.value[0][0] = x.value[0][0] - y.value[0][0] = str(x.value[0][0]).replace('"&"', '') + y.value[0][0] = str(x.value[0][0]).replace('"&"', "") self.results.add(y.value[0][0]) return y.value[0][0]
@@ -69,7 +74,7 @@ def eval_formula(self, args): def eval_set_name(self, args): name, arg = args - self.results.add(str(arg).replace('^', '')) + self.results.add(str(arg).replace("^", "")) return arg def eval_custom(self, args, name=""):
@@ -83,7 +88,7 @@ def eval_custom(self, args, name=""): if isinstance(arg.tolist(), str): func_args.append(arg.tolist()) if isinstance(arg, str): - func_args.append(str(arg).replace('^', '')) + func_args.append(str(arg).replace("^", "")) if isinstance(arg, int): func_args.append(str(arg)) if isinstance(arg, float):
@@ -102,43 +107,45 @@ def eval_run(self, args): def calculate(self, temp_file): FUNCTIONS = formulas.get_functions() - FUNCTIONS['ALERT'] = lambda *args: None - FUNCTIONS['ARGUMENT'] = lambda *args: None - FUNCTIONS['BEEP'] = lambda *args: None - FUNCTIONS['_XLFN.BITXOR'] = lambda *args: args[0] ^ args[1] - FUNCTIONS['CALL'] = lambda *args: self.eval_call(args, 'CALL') - FUNCTIONS['CHAR'] = lambda x: self.eval_char(x) - FUNCTIONS['CLOSE'] = lambda *args: None - FUNCTIONS['COUNTBLANK'] = lambda *args: None - FUNCTIONS['DOCUMENTS'] = lambda *args: None - FUNCTIONS['ECHO'] = lambda *args: None - FUNCTIONS['END.IF'] = lambda *args: None - FUNCTIONS['ERROR'] = lambda *args: None - FUNCTIONS['EXEC'] = lambda *args: self.eval_custom(args, 'EXEC') - FUNCTIONS['FORMULA'] = lambda *args: self.eval_formula(args) - FUNCTIONS['FORMULA.ARRAY'] = lambda *args: self.eval_formula(args) - FUNCTIONS['FORMULA.CONVERT'] = lambda *args: None - FUNCTIONS['FORMULA.FILL'] = lambda *args: self.eval_formula(args) - FUNCTIONS['GET.DOCUMENT'] = lambda *args: None - FUNCTIONS['GET.NAME'] = lambda *args: None - FUNCTIONS['GET.WORKSPACE'] = lambda *args: None - FUNCTIONS['HALT'] = lambda *args: None - FUNCTIONS['OPEN'] = lambda *args: None - FUNCTIONS['REGISTER'] = lambda *args: self.eval_custom(args, 'REGISTER') - FUNCTIONS['RESULT'] = lambda *args: None - FUNCTIONS['RETURN'] = lambda *args: None - FUNCTIONS['RUN'] = lambda *args: self.eval_run(args) - FUNCTIONS['SET.NAME'] = lambda *args: self.eval_set_name(args) - FUNCTIONS['SUBSTITUTE'] = lambda *args: None - FUNCTIONS['T'] = lambda x: x - FUNCTIONS['TEXT'] = lambda x, y: x - FUNCTIONS['WAIT'] = lambda *args: None - FUNCTIONS['WINDOW.MINIMIZE'] = lambda *args: None - FUNCTIONS['WORKBOOK.HIDE'] = lambda *args: None + FUNCTIONS["ALERT"] = lambda *args: None + FUNCTIONS["ARGUMENT"] = lambda *args: None + FUNCTIONS["BEEP"] = lambda *args: None + FUNCTIONS["_XLFN.BITXOR"] = lambda *args: args[0] ^ args[1] + FUNCTIONS["CALL"] = lambda *args: 
self.eval_call(args, "CALL") + FUNCTIONS["CHAR"] = lambda x: self.eval_char(x) + FUNCTIONS["CLOSE"] = lambda *args: None + FUNCTIONS["COUNTBLANK"] = lambda *args: None + FUNCTIONS["DOCUMENTS"] = lambda *args: None + FUNCTIONS["ECHO"] = lambda *args: None + FUNCTIONS["END.IF"] = lambda *args: None + FUNCTIONS["ERROR"] = lambda *args: None + FUNCTIONS["EXEC"] = lambda *args: self.eval_custom(args, "EXEC") + FUNCTIONS["FORMULA"] = lambda *args: self.eval_formula(args) + FUNCTIONS["FORMULA.ARRAY"] = lambda *args: self.eval_formula(args) + FUNCTIONS["FORMULA.CONVERT"] = lambda *args: None + FUNCTIONS["FORMULA.FILL"] = lambda *args: self.eval_formula(args) + FUNCTIONS["GET.DOCUMENT"] = lambda *args: None + FUNCTIONS["GET.NAME"] = lambda *args: None + FUNCTIONS["GET.WORKSPACE"] = lambda *args: None + FUNCTIONS["HALT"] = lambda *args: None + FUNCTIONS["OPEN"] = lambda *args: None + FUNCTIONS["REGISTER"] = lambda *args: self.eval_custom(args, "REGISTER") + FUNCTIONS["RESULT"] = lambda *args: None + FUNCTIONS["RETURN"] = lambda *args: None + FUNCTIONS["RUN"] = lambda *args: self.eval_run(args) + FUNCTIONS["SET.NAME"] = lambda *args: self.eval_set_name(args) + FUNCTIONS["SUBSTITUTE"] = lambda *args: None + FUNCTIONS["T"] = lambda x: x + FUNCTIONS["TEXT"] = lambda x, y: x + FUNCTIONS["WAIT"] = lambda *args: None + FUNCTIONS["WINDOW.MINIMIZE"] = lambda *args: None + FUNCTIONS["WORKBOOK.HIDE"] = lambda *args: None for name in self.defined_names: if name.upper() not in FUNCTIONS: - FUNCTIONS[name.upper()] = lambda *args: self.eval_custom(args, name=name) + FUNCTIONS[name.upper()] = lambda *args: self.eval_custom( + args, name=name + ) try: xl_model = formulas.ExcelModel().loads(temp_file.name).finish()
@@ -156,4 +163,4 @@ def calculate(self, temp_file): temp_file.close() os.unlink(temp_file.name) - return self.results \ No newline at end of file + return self.results
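Review bot: The defined-name loop near the end of the hunk registers `lambda *args: self.eval_custom(args, name=name)` inside `for name in self.defined_names:`, and the lambda resolves `name` late, so every callback registered there reports the last defined name rather than its own when a macro later calls it; bind it at definition time, `FUNCTIONS[name.upper()] = lambda *args, name=name: self.eval_custom(args, name=name)`. The stubs above are written into whatever `formulas.get_functions()` returns; if that is the library's shared registry rather than a copy, the overrides persist across `calculate` calls and across Interpreter instances, which is worth confirming and recording in a comment either way. `_XLFN.BITXOR` reads `args[0]` and `args[1]` unconditionally, so a document that calls it with one argument raises `IndexError` out of the interpreter. calculate continues outside the hunk.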
diff --git a/src/python/strelka/auxiliary/xl4ma/xls_wrapper.py b/src/python/strelka/auxiliary/xl4ma/xls_wrapper.py
index 6e1fa82f..7068ee29 100644
--- a/src/python/strelka/auxiliary/xl4ma/xls_wrapper.py
+++ b/src/python/strelka/auxiliary/xl4ma/xls_wrapper.py
@@ -16,10 +16,9 @@ class SHEET_TYPE(Enum): class XLSWrapper: - def __init__(self, file_path): try: - self.workbook = xlrd2.open_workbook(file_path, logfile=open(devnull, 'w')) + self.workbook = xlrd2.open_workbook(file_path, logfile=open(devnull, "w")) except xlrd2.biffh.XLRDError: return except xlrd2.compdoc.CompDocError:
@@ -38,9 +37,7 @@ def get_defined_names(self): return defined_names def parse_sheets(self, file_path): - results = { - 'sheets': [] - } + results = {"sheets": []} formula_count = 0 value_count = 0 sheet_count = 0
@@ -56,34 +53,46 @@ def parse_sheets(self, file_path): try: if self.workbook[sheet_name].cell(row, col).ctype in (3, 4): formula_count += 1 - formulas.append({ - "cell": xlrd.formula.cellname(row, col), - "value": self.workbook[sheet_name].cell(row, col).formula - }) + formulas.append( + { + "cell": xlrd.formula.cellname(row, col), + "value": self.workbook[sheet_name] + .cell(row, col) + .formula, + } + ) elif self.workbook[sheet_name].cell(row, col).ctype in (1, 2): value_count += 1 - values.append({ - "cell": xlrd.formula.cellname(row, col), - "value": self.workbook[sheet_name].cell(row, col).value - }) + values.append( + { + "cell": xlrd.formula.cellname(row, col), + "value": self.workbook[sheet_name] + .cell(row, col) + .value, + } + ) except: pass - results['sheets'].append({ - 'sheet_number': self.workbook[sheet_name].number, - 'sheet_name': self.workbook[sheet_name].name, - 'sheet_type': SHEET_TYPE(self.workbook[sheet_name].boundsheet_type).name, - 'visibility': VISIBILITY(self.workbook[sheet_name].visibility).name, - 'formulas': formulas, - 'values': values, - }) + results["sheets"].append( + { + "sheet_number": self.workbook[sheet_name].number, + "sheet_name": self.workbook[sheet_name].name, + "sheet_type": SHEET_TYPE( + self.workbook[sheet_name].boundsheet_type + ).name, + "visibility": VISIBILITY(self.workbook[sheet_name].visibility).name, + "formulas": formulas, + "values": values, + } + ) - results['defined_names'] = self.get_defined_names() - results['meta'] = { - 'formulas': formula_count, - 'values': value_count, - 'sheets': sheet_count, - 'defined_names': len(results['defined_names']) + results["defined_names"] = self.get_defined_names() + results["meta"] = { + "formulas": formula_count, + "values": value_count, + "sheets": sheet_count, + "defined_names": len(results["defined_names"]), } - return results \ No newline at end of file + return results 
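Review bot: `SHEET_TYPE(self.workbook[sheet_name].boundsheet_type).name` and `VISIBILITY(self.workbook[sheet_name].visibility).name` in the reformatted `results["sheets"].append(` call sit outside the per-cell `try`, so a boundsheet type or visibility value that is not a member of those Enums (SHEET_TYPE is declared in this file, as the earlier hunk's context shows) raises `ValueError` and aborts parse_sheets for the whole workbook. Since this runs on untrusted documents, resolve the two enums through a small helper that returns a string such as `"UNKNOWN"` for unrecognised values, or guard the two lookups with `except ValueError`. The method starts above the hunk.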
diff --git a/src/python/strelka/auxiliary/xl4ma/xlsb_wrapper.py b/src/python/strelka/auxiliary/xl4ma/xlsb_wrapper.py
index 4364c0b7..5fb401ea 100644
--- a/src/python/strelka/auxiliary/xl4ma/xlsb_wrapper.py
+++ b/src/python/strelka/auxiliary/xl4ma/xlsb_wrapper.py
@@ -4,7 +4,6 @@ class XLSBWrapper: - def __init__(self, file_path): try: self.workbook = open_workbook(file_path)
@@ -19,9 +18,7 @@ def get_defined_names(self): return defined_names def parse_sheets(self, file_path): - results = { - 'sheets': [] - } + results = {"sheets": []} formula_count = 0 value_count = 0 sheet_count = 0
@@ -35,33 +32,45 @@ def parse_sheets(self, file_path): for cell in row: if cell.formula: formula_count += 1 - formulas.append({ - 'cell': xlrd.formula.cellname(cell.row.num, cell.col), - 'value': Formula.parse(cell.formula).stringify(self.workbook) - }) + formulas.append( + { + "cell": xlrd.formula.cellname( + cell.row.num, cell.col + ), + "value": Formula.parse(cell.formula).stringify( + self.workbook + ), + } + ) elif cell.value and not cell.formula: value_count += 1 - values.append({ - 'cell': xlrd.formula.cellname(cell.row.num, cell.col), - 'value': cell.value - }) + values.append( + { + "cell": xlrd.formula.cellname( + cell.row.num, cell.col + ), + "value": cell.value, + } + ) except: pass - results['sheets'].append({ - 'sheet_number': sheet.sheetId, - 'sheet_name': sheet.name, - 'sheet_type': sheet.type.upper(), - 'visibility': sheet.state.name, - 'formulas': formulas, - 'values': values, - }) + results["sheets"].append( + { + "sheet_number": sheet.sheetId, + "sheet_name": sheet.name, + "sheet_type": sheet.type.upper(), + "visibility": sheet.state.name, + "formulas": formulas, + "values": values, + } + ) - results['defined_names'] = self.get_defined_names() - results['meta'] = { - 'formulas': formula_count, - 'values': value_count, - 'sheets': sheet_count, - 'defined_names': len(results['defined_names']) + results["defined_names"] = self.get_defined_names() + results["meta"] = { + "formulas": formula_count, + "values": value_count, + "sheets": sheet_count, + "defined_names": len(results["defined_names"]), } - return results \ No newline at end of file + return results
diff --git a/src/python/strelka/auxiliary/xl4ma/xlsm_wrapper.py b/src/python/strelka/auxiliary/xl4ma/xlsm_wrapper.py
index 71536fdb..7590c10c 100644
--- a/src/python/strelka/auxiliary/xl4ma/xlsm_wrapper.py
+++ b/src/python/strelka/auxiliary/xl4ma/xlsm_wrapper.py
@@ -69,4 +69,4 @@ def parse_sheets(self, file_path): self.workbook.save(file_path) - return results \ No newline at end of file + return results
diff --git a/src/python/strelka/scanners/scan_xl4ma.py b/src/python/strelka/scanners/scan_xl4ma.py
index 3755ee81..c4b29888 100644
--- a/src/python/strelka/scanners/scan_xl4ma.py
+++ b/src/python/strelka/scanners/scan_xl4ma.py
@@ -32,4 +32,4 @@ def scan(self, data, file, options, expire_at): except strelka.ScannerTimeout: raise except Exception: - self.flags.append("xl4ma_ioc_processing_error") \ No newline at end of file + self.flags.append("xl4ma_ioc_processing_error")
diff --git a/src/python/strelka/scanners/scan_yara.py b/src/python/strelka/scanners/scan_yara.py
index b06a2c35..5f106320 100644
--- a/src/python/strelka/scanners/scan_yara.py
+++ b/src/python/strelka/scanners/scan_yara.py
@@ -60,7 +60,7 @@ def scan(self, data, file, options, expire_at): return # Set the total rules loaded - self.event['rules_loaded'] = self.rules_loaded + self.event["rules_loaded"] = self.rules_loaded # Load YARA configuration options only once. # This prevents loading the configs on every execution.
@@ -127,7 +127,9 @@ def load_yara_rules(self, options): try: # Load compiled YARA rules from a file. if compiled.get("enabled", False): - self.compiled_yara = yara.load(os.path.join(location, compiled.get("filename", "rules.compiled"))) + self.compiled_yara = yara.load( + os.path.join(location, compiled.get("filename", "rules.compiled")) + ) except yara.Error as e: self.flags.append(f"compiled_load_error_{e}")
@@ -135,7 +137,9 @@ def load_yara_rules(self, options): # Compile YARA rules from a directory. if not self.compiled_yara: if os.path.isdir(location): - globbed_yara_paths = glob.iglob(f"{location}/**/*.yar*", recursive=True) + globbed_yara_paths = glob.iglob( + f"{location}/**/*.yar*", recursive=True + ) if not globbed_yara_paths: self.flags.append("yara_rules_not_found") yara_filepaths = {
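Review bot: `globbed_yara_paths = glob.iglob(...)` in the last scan_yara hunk yields a generator, and a generator object is always truthy, so the `if not globbed_yara_paths:` check on the following context line can never set `yara_rules_not_found`, even for a directory with no rule files. Materialise the result, `globbed_yara_paths = glob.glob(f"{location}/**/*.yar*", recursive=True)`, or test for emptiness after the `yara_filepaths` mapping below is built. load_yara_rules continues outside the hunk.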
@@ -195,7 +199,7 @@ def extract_match_hex(self, rule, offset, matched_string, data, offset_padding=3 for i in range(start_offset, end_offset, 16): # If this chunk hasn't been processed before, generate its hex and ASCII representations if i not in self.hex_dump_cache: - chunk = data[i: i + 16] + chunk = data[i : i + 16] # Convert each byte in the chunk to its hexadecimal representation and join them with spaces. # E.g., a chunk [65, 66, 67] would become the string "41 42 43"
diff --git a/src/python/strelka/tests/test_scan_macho.py b/src/python/strelka/tests/test_scan_macho.py
index 0902635a..ae72a580 100644
--- a/src/python/strelka/tests/test_scan_macho.py
+++ b/src/python/strelka/tests/test_scan_macho.py
@@ -115,19 +115,19 @@ def test_scan_macho(mocker): }, ], "symbols": { - "exported": ['__mh_execute_header', '_main'], + "exported": ["__mh_execute_header", "_main"], "imported": ["_printf"], "libraries": ["/usr/lib/libSystem.B.dylib"], "table": [ { "export": {"address": 0, "flags": 0}, "origin": "LC_SYMTAB", - "symbol": "__mh_execute_header" + "symbol": "__mh_execute_header", }, { "export": {"address": 16240, "flags": 0}, "origin": "LC_SYMTAB", - "symbol": "_main" + "symbol": "_main", }, { "binding": {
@@ -139,17 +139,17 @@ def test_scan_macho(mocker): "timestamp": 2, "version": { "compatibility": "1.0.0", - "current": "1319.0.0" - } + "current": "1319.0.0", + }, }, "segment": "__DATA_CONST", "type": None, - "weak_import": False + "weak_import": False, }, "origin": "LC_SYMTAB", - "symbol": "_printf" - } - ] + "symbol": "_printf", + }, + ], }, "commands": { "commands": [