author | Cyrille Bagard <nocbos@gmail.com> | 2021-04-06 22:55:54 (GMT) |
---|---|---|
committer | Cyrille Bagard <nocbos@gmail.com> | 2021-04-06 22:55:54 (GMT) |
commit | c12d6a5d11bf9a2436ff78e393173ca59b6c9c46 (patch) | |
tree | b579b642e301f5d6e6d88fb0213a54db6bf6fd38 /plugins/bhash/python | |
parent | c4d2e0fa48eab453d5c43a3c0938427617449a6a (diff) |
Provide several kinds of hashes for binary files.
Diffstat (limited to 'plugins/bhash/python')
-rw-r--r-- | plugins/bhash/python/Makefile.am | 21 | ||||
-rw-r--r-- | plugins/bhash/python/imphash.c | 135 | ||||
-rw-r--r-- | plugins/bhash/python/imphash.h | 39 | ||||
-rw-r--r-- | plugins/bhash/python/module.c | 90 | ||||
-rw-r--r-- | plugins/bhash/python/module.h | 38 | ||||
-rw-r--r-- | plugins/bhash/python/rich.c | 194 | ||||
-rw-r--r-- | plugins/bhash/python/rich.h | 39 | ||||
-rw-r--r-- | plugins/bhash/python/tlsh.c | 256 | ||||
-rw-r--r-- | plugins/bhash/python/tlsh.h | 39 |
9 files changed, 851 insertions, 0 deletions
diff --git a/plugins/bhash/python/Makefile.am b/plugins/bhash/python/Makefile.am new file mode 100644 index 0000000..822a716 --- /dev/null +++ b/plugins/bhash/python/Makefile.am @@ -0,0 +1,21 @@ + +noinst_LTLIBRARIES = libbhashpython.la + +libbhashpython_la_SOURCES = \ + imphash.h imphash.c \ + module.h module.c \ + tlsh.h tlsh.c \ + rich.h rich.c + +libbhashpython_la_LDFLAGS = + + +devdir = $(includedir)/chrysalide/$(subdir) + +dev_HEADERS = $(libbhashpython_la_SOURCES:%c=) + + +AM_CPPFLAGS = $(LIBGTK_CFLAGS) $(LIBXML_CFLAGS) $(LIBPYTHON_CFLAGS) $(LIBPYGOBJECT_CFLAGS) \ + -I$(top_srcdir)/src -DNO_IMPORT_PYGOBJECT + +AM_CFLAGS = $(DEBUG_CFLAGS) $(WARNING_FLAGS) $(COMPLIANCE_FLAGS) diff --git a/plugins/bhash/python/imphash.c b/plugins/bhash/python/imphash.c new file mode 100644 index 0000000..c01628d --- /dev/null +++ b/plugins/bhash/python/imphash.c 
@@ -0,0 +1,135 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * imphash.c - équivalent Python du fichier "plugins/bhash/imphash.c" + * + * Copyright (C) 2020 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + +#include "imphash.h" + + +#include <pygobject.h> + + +#include <plugins/pe/python/format.h> +#include <plugins/pychrysalide/access.h> +#include <plugins/pychrysalide/helpers.h> + + +#include "../imphash.h" + + + +/* Calcule l'empreinte des importations d'un format PE. */ +static PyObject *py_bhash_compute_pe_import_hash(PyObject *, PyObject *); + + + +/****************************************************************************** +* * +* Paramètres : self = objet Python concerné par l'appel. * +* args = paramètre à récupérer pour le traitement. * +* * +* Description : Calcule l'empreinte des importations d'un format PE. * +* * +* Retour : Empreinte MD5 calculée ou None en cas d'échec. 
* +* * +* Remarques : - * +* * +******************************************************************************/ + +static PyObject *py_bhash_compute_pe_import_hash(PyObject *self, PyObject *args) +{ + PyObject *result; /* Valeur à retourner */ + int std; /* Méthode de calcul */ + GPeFormat *format; /* Format PE à manipuler */ + int ret; /* Bilan de lecture des args. */ + char *digest; /* Empreinte calculée */ + +#define BHASH_COMPUTE_PE_IMPORT_HASH_METHOD PYTHON_METHOD_DEF \ +( \ + compute_pe_import_hash, "format, /, std=True", \ + METH_VARARGS, py_bhash, \ + "Compute the import hash for a given PE format.\n" \ + "\n" \ + "The *format* argument is a PE file format provided as a" \ + " pychrysalide.format.pe.PeFormat instance and *std* defines the" \ + " kind of hash to compute.\n" \ + "\n" \ + "The standard version has been created by Mandiant/FireEye; the" \ + " other one is used by the popular pefile Python module.\n" \ + "\n" \ + "The returned value is a MD5 digest string or *None* in case of" \ + " error." \ +) + + result = NULL; + + std = 1; + + ret = PyArg_ParseTuple(args, "O&|p", convert_to_pe_format, &format, &std); + if (!ret) goto exit; + + digest = compute_pe_import_hash(format, std); + + if (digest != NULL) + { + result = PyUnicode_FromString(digest); + free(digest); + } + else + { + result = Py_None; + Py_INCREF(result); + } + + exit: + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : super = module dont la définition est à compléter. * +* * +* Description : Définit une extension du module 'bhash' à compléter. * +* * +* Retour : Bilan de l'opération. 
* +* * +* Remarques : - * +* * +******************************************************************************/ + +bool populate_bhash_module_with_imphash(PyObject *super) +{ + bool result; /* Bilan à retourner */ + + static PyMethodDef py_imphash_methods[] = { + BHASH_COMPUTE_PE_IMPORT_HASH_METHOD, + { NULL } + }; + + result = register_python_module_methods(super, py_imphash_methods); + + return result; + +} diff --git a/plugins/bhash/python/imphash.h b/plugins/bhash/python/imphash.h new file mode 100644 index 0000000..fa5ff2c --- /dev/null +++ b/plugins/bhash/python/imphash.h @@ -0,0 +1,39 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * imphash.h - équivalent Python du fichier "plugins/bhash/imphash.h" + * + * Copyright (C) 2020 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + +#ifndef _PLUGINS_BHASH_PYTHON_IMPHASH_H +#define _PLUGINS_BHASH_PYTHON_IMPHASH_H + + +#include <Python.h> +#include <stdbool.h> + + + +/* Définit une extension du module 'bhash' à compléter. */ +bool populate_bhash_module_with_imphash(PyObject *); + + + +#endif /* _PLUGINS_BHASH_PYTHON_IMPHASH_H */ diff --git a/plugins/bhash/python/module.c b/plugins/bhash/python/module.c new file mode 100644 index 0000000..deb5d28 --- /dev/null 
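Review bot: `free(digest)` in py_bhash_compute_pe_import_hash relies on `<stdlib.h>` arriving transitively, presumably through `<pygobject.h>`/Python.h, since the file never includes it directly; an explicit `#include <stdlib.h>` keeps the wrapper correct if the include order changes. The same heap-string-from-the-back-end-then-free pattern appears in rich.c and tlsh.c of this commit, and those two also use `uint32_t`/`int32_t` without including `<stdint.h>`. A short ownership note above the call would also help readers, along the lines of `/* digest is heap-allocated by the bhash back-end and owned here until free() */` — confirm against plugins/bhash/imphash.c that the buffer really is malloc'd, since that is inferred from the free() rather than visible in this hunk.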
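Review bot: The include guard `_PLUGINS_BHASH_PYTHON_IMPHASH_H` begins with an underscore followed by an uppercase letter, a name form C reserves for the implementation (C11 §7.1.3), so a future toolchain macro could collide with it; `PLUGINS_BHASH_PYTHON_IMPHASH_H` avoids the reserved space. This appears to be the project-wide convention, so it is a point of style rather than a defect in this commit. The same guard form is used in module.h, rich.h and tlsh.h added here.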
+++ b/plugins/bhash/python/module.c 
@@ -0,0 +1,90 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * module.c - intégration du répertoire bhash en tant que module + * + * Copyright (C) 2020 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + +#include "module.h" + + +#include <assert.h> +#include <Python.h> + + +#include <plugins/pychrysalide/access.h> +#include <plugins/pychrysalide/helpers.h> + + +#include "imphash.h" +#include "tlsh.h" +#include "rich.h" + + + +/****************************************************************************** +* * +* Paramètres : - * +* * +* Description : Ajoute le module 'plugins.bhash' au module Python. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +bool add_bhash_module_to_python_module(void) +{ + bool result; /* Bilan à retourner */ + PyObject *super; /* Module à compléter */ + PyObject *module; /* Sous-module mis en place */ + +#define PYCHRYSALIDE_PLUGINS_BHASH_DOC \ + "bhash is a module providing several kinds of hashes for binary files." 
+ + static PyModuleDef py_chrysalide_bhash_module = { + + .m_base = PyModuleDef_HEAD_INIT, + + .m_name = "pychrysalide.plugins.bhash", + .m_doc = PYCHRYSALIDE_PLUGINS_BHASH_DOC, + + .m_size = -1, + + }; + + result = false; + + super = get_access_to_python_module("pychrysalide.plugins"); + + module = build_python_module(super, &py_chrysalide_bhash_module); + + result = (module != NULL); + + if (result) result = populate_bhash_module_with_imphash(module); + if (result) result = populate_bhash_module_with_tlsh(module); + if (result) result = populate_bhash_module_with_rich_header(module); + + assert(result); + + return result; + +} diff --git a/plugins/bhash/python/module.h b/plugins/bhash/python/module.h new file mode 100644 index 0000000..057cfdf --- /dev/null +++ b/plugins/bhash/python/module.h 
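Review bot: `super`, returned by `get_access_to_python_module("pychrysalide.plugins")`, is passed straight to `build_python_module` with no NULL check; unless build_python_module is documented to tolerate a missing parent (not visible in this hunk), an absent parent module would dereference NULL instead of taking the function's boolean failure path. A guard such as `if (super == NULL) return false;` before the build call keeps that failure reportable. The trailing `assert(result)` aborts debug builds on a registration failure that the function already reports through its return value, which makes the error path untestable; and the initial `result = false;` is a dead store overwritten two statements later.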
@@ -0,0 +1,38 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * module.h - prototypes pour l'intégration du répertoire bhash en tant que module + * + * Copyright (C) 2020 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + +#ifndef _PLUGINS_BHASH_PYTHON_MODULE_H +#define _PLUGINS_BHASH_PYTHON_MODULE_H + + +#include <stdbool.h> + + + +/* Ajoute le module 'plugins.bhash' au module Python. */ +bool add_bhash_module_to_python_module(void); + + + +#endif /* _PLUGINS_BHASH_PYTHON_MODULE_H */ diff --git a/plugins/bhash/python/rich.c b/plugins/bhash/python/rich.c new file mode 100644 index 0000000..1a8b894 --- /dev/null +++ b/plugins/bhash/python/rich.c 
@@ -0,0 +1,194 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * rich.c - équivalent Python du fichier "plugins/bhash/rich.c" + * + * Copyright (C) 2020 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + +#include "rich.h" + + +#include <pygobject.h> + + +#include <plugins/pe/python/format.h> +#include <plugins/pychrysalide/access.h> +#include <plugins/pychrysalide/helpers.h> + + +#include "../rich.h" + + + +/* Calcule la valeur pour empreinte d'en-tête PE enrichi. */ +static PyObject *py_bhash_compute_pe_rich_header_checksum(PyObject *, PyObject *); + +/* Calcule l'empreinte des informations d'en-tête PE enrichi. */ +static PyObject *py_bhash_compute_pe_rich_header_hash(PyObject *, PyObject *); + + + +/****************************************************************************** +* * +* Paramètres : self = objet Python concerné par l'appel. * +* args = paramètre à récupérer pour le traitement. * +* * +* Description : Calcule la valeur pour empreinte d'en-tête PE enrichi. * +* * +* Retour : None ou empreinte déterminée. 
* +* * +* Remarques : - * +* * +******************************************************************************/ + +static PyObject *py_bhash_compute_pe_rich_header_checksum(PyObject *self, PyObject *args) +{ + PyObject *result; /* Valeur à retourner */ + GPeFormat *format; /* Format PE à manipuler */ + int ret; /* Bilan de lecture des args. */ + uint32_t csum; /* Empreinte réalisée */ + bool status; /* Bilan de l'opération */ + +#define BHASH_COMPUTE_PE_RICH_HEADER_CHECKSUM_METHOD PYTHON_METHOD_DEF \ +( \ + compute_pe_rich_header_checksum, "format, /", \ + METH_VARARGS, py_bhash, \ + "Compute the expected value for the Rich header checksum of a PE" \ + " file.\n" \ + "\n" \ + "The *format* argument is a PE file format provided as a" \ + " pychrysalide.format.pe.PeFormat instance.\n" \ + "\n" \ + "The returned value is a 32-bit integer value or *None* in case of" \ + " error." \ +) + + result = NULL; + + ret = PyArg_ParseTuple(args, "O&", convert_to_pe_format, &format); + if (!ret) goto exit; + + status = compute_pe_rich_header_checksum(format, &csum); + + if (status) + result = PyLong_FromUnsignedLong(csum); + + else + { + result = Py_None; + Py_INCREF(result); + } + + exit: + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : self = objet Python concerné par l'appel. * +* args = paramètre à récupérer pour le traitement. * +* * +* Description : Calcule l'empreinte des informations d'en-tête PE enrichi. * +* * +* Retour : Empreinte MD5 calculée ou None en cas d'échec. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static PyObject *py_bhash_compute_pe_rich_header_hash(PyObject *self, PyObject *args) +{ + PyObject *result; /* Valeur à retourner */ + int pv; /* Sélection de l'empreinte */ + GPeFormat *format; /* Format PE à manipuler */ + int ret; /* Bilan de lecture des args. 
*/ + char *digest; /* Empreinte calculée */ + +#define BHASH_COMPUTE_PE_RICH_HEADER_HASH_METHOD PYTHON_METHOD_DEF \ +( \ + compute_pe_rich_header_hash, "format, /, pv=True", \ + METH_VARARGS, py_bhash, \ + "Compute the Rich hash or the RichPV hash for a given PE format.\n" \ + "\n" \ + "The *format* argument is a PE file format provided as a" \ + " pychrysalide.format.pe.PeFormat instance and *pv* defines the" \ + " kind of hash to compute.\n" \ + "\n" \ + "The returned value is a MD5 digest string or *None* in case of" \ + " error." \ +) + + result = NULL; + + pv = 1; + + ret = PyArg_ParseTuple(args, "O&|p", convert_to_pe_format, &format, &pv); + if (!ret) goto exit; + + digest = compute_pe_rich_header_hash(format, pv); + + if (digest != NULL) + { + result = PyUnicode_FromString(digest); + free(digest); + } + else + { + result = Py_None; + Py_INCREF(result); + } + + exit: + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : super = module dont la définition est à compléter. * +* * +* Description : Définit une extension du module 'bhash' à compléter. * +* * +* Retour : Bilan de l'opération. * +* * +* Remarques : - * +* * +******************************************************************************/ + +bool populate_bhash_module_with_rich_header(PyObject *super) +{ + bool result; /* Bilan à retourner */ + + static PyMethodDef py_rich_header_methods[] = { + BHASH_COMPUTE_PE_RICH_HEADER_CHECKSUM_METHOD, + BHASH_COMPUTE_PE_RICH_HEADER_HASH_METHOD, + { NULL } + }; + + result = register_python_module_methods(super, py_rich_header_methods); + + return result; + +} diff --git a/plugins/bhash/python/rich.h b/plugins/bhash/python/rich.h new file mode 100644 index 0000000..45125bc --- /dev/null +++ b/plugins/bhash/python/rich.h 
@@ -0,0 +1,39 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * rich.h - équivalent Python du fichier "plugins/bhash/rich.h" + * + * Copyright (C) 2020 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + +#ifndef _PLUGINS_BHASH_PYTHON_RICH_H +#define _PLUGINS_BHASH_PYTHON_RICH_H + + +#include <Python.h> +#include <stdbool.h> + + + +/* Définit une extension du module 'bhash' à compléter. */ +bool populate_bhash_module_with_rich_header(PyObject *); + + + +#endif /* _PLUGINS_BHASH_PYTHON_RICH_H */ diff --git a/plugins/bhash/python/tlsh.c b/plugins/bhash/python/tlsh.c new file mode 100644 index 0000000..351327e --- /dev/null +++ b/plugins/bhash/python/tlsh.c 
@@ -0,0 +1,256 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * tlsh.c - équivalent Python du fichier "plugins/bhash/tlsh.c" + * + * Copyright (C) 2021 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + +#include "tlsh.h" + + +#include <pygobject.h> + + +#include <plugins/pychrysalide/access.h> +#include <plugins/pychrysalide/helpers.h> +#include <plugins/pychrysalide/analysis/content.h> + + +#include "../tlsh.h" + + + +/* Calcule l'empreinte TLSH d'un contenu binaire. */ +static PyObject *py_bhash_compute_content_tlsh_hash(PyObject *, PyObject *); + +/* Indique si une chaîne représente à priori une empreinte TLSH. */ +static PyObject *py_bhash_is_valid_tlsh_hash(PyObject *, PyObject *); + +/* Détermine la similarité entre deux empreintes TLSH. */ +static PyObject *py_bhash_compare_tlsh_hash(PyObject *, PyObject *); + + + +/****************************************************************************** +* * +* Paramètres : self = objet Python concerné par l'appel. * +* args = paramètre à récupérer pour le traitement. * +* * +* Description : Calcule l'empreinte TLSH d'un contenu binaire. * +* * +* Retour : Empreinte TLSH calculée ou None en cas d'échec. 
* +* * +* Remarques : - * +* * +******************************************************************************/ + +static PyObject *py_bhash_compute_content_tlsh_hash(PyObject *self, PyObject *args) +{ + PyObject *result; /* Valeur à retourner */ + int version; /* Affichage de la version ? */ + GBinContent *content; /* Contenu binaire à traiter */ + int ret; /* Bilan de lecture des args. */ + char *digest; /* Empreinte calculée */ + +#define BHASH_COMPUTE_CONTENT_TLSH_HASH_METHOD PYTHON_METHOD_DEF \ +( \ + compute_content_tlsh_hash, "content, /, version=True", \ + METH_VARARGS, py_bhash, \ + "Compute the TLSH compact hash for a given binary content with a" \ + " 1-byte checksum.\n" \ + "\n" \ + "The *content* argument is a pychrysalide.analysis.BinContent" \ + " instance providing the data to process. The optional *version*" \ + " parameter add a 'T?' prefix to the result.\n" \ + "\n" \ + "The returned value is a MD5 digest string or *None* in case of" \ + " error." \ +) + + result = NULL; + + version = 1; + + ret = PyArg_ParseTuple(args, "O&|p", convert_to_binary_content, &content, &version); + if (!ret) goto exit; + + digest = compute_content_tlsh_hash(content, version); + + if (digest != NULL) + { + result = PyUnicode_FromString(digest); + free(digest); + } + else + { + result = Py_None; + Py_INCREF(result); + } + + exit: + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : self = objet Python concerné par l'appel. * +* args = paramètre à récupérer pour le traitement. * +* * +* Description : Indique si une chaîne représente à priori une empreinte TLSH.* +* * +* Retour : Bilan de l'analyse. 
* +* * +* Remarques : - * +* * +******************************************************************************/ + +static PyObject *py_bhash_is_valid_tlsh_hash(PyObject *self, PyObject *args) +{ + PyObject *result; /* Valeur à retourner */ + const char *h; /* Chaîne à considérer */ + int ret; /* Bilan de lecture des args. */ + bool status; /* Validité de la chaîne */ + +#define BHASH_IS_VALID_TLSH_HASH_METHOD PYTHON_METHOD_DEF \ +( \ + is_valid_tlsh_hash, "h", \ + METH_VARARGS, py_bhash, \ + "Check if a *h* string can be considered as a valid TLSH compact" \ + " hash.\n" \ + "\n" \ + "The returned value is a boolean value." \ +) + + result = NULL; + + ret = PyArg_ParseTuple(args, "s", &h); + if (!ret) goto exit; + + status = is_valid_tlsh_hash(h); + + result = status ? Py_True : Py_False; + Py_INCREF(result); + + exit: + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : self = objet Python concerné par l'appel. * +* args = paramètres à récupérer pour le traitement. * +* * +* Description : Détermine la similarité entre deux empreintes TLSH. * +* * +* Retour : Degré de différence relevé ou None en cas d'erreur. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static PyObject *py_bhash_compare_tlsh_hash(PyObject *self, PyObject *args) +{ + PyObject *result; /* Valeur à retourner */ + bool length; /* Indication de taille ? */ + const char *ha; /* Première chaîne à considérer*/ + const char *hb; /* Seconde chaîne à considérer */ + int ret; /* Bilan de lecture des args. 
*/ + int32_t diff; /* Différence à calculer */ + bool status; /* Validité de l'opération */ + +#define BHASH_COMPARE_TLSH_HASH_METHOD PYTHON_METHOD_DEF \ +( \ + compare_tlsh_hash, "ha, hb, /, length=True", \ + METH_VARARGS, py_bhash, \ + "Compare two TLSH compact hashes.\n" \ + "\n" \ + "The *ha* and *hb* arguments are strings from which the hashes" \ + " will be rebuilt. The" \ + " pychrysalide.plugins.bhash.compute_content_tlsh_hash() method" \ + " can be used to create such strings. The filtering of valid" \ + " inputs rely internally on the" \ + " pychrysalide.plugins.bhash.is_valid_tlsh_hash() function.\n" \ + "\n" \ + "The *length* argument defines if the TLSH data size hint has to" \ + " be considered by the comparison process.\n" \ + "\n" \ + "The returned value is a difference level provided as an integer" \ + " value or *None* in case of error." \ +) + + result = NULL; + + length = 1; + + ret = PyArg_ParseTuple(args, "ss|p", &ha, &hb, &length); + if (!ret) goto exit; + + status = compare_tlsh_hash(ha, hb, length, &diff); + + if (status) + result = PyLong_FromLong(diff); + + else + { + result = Py_None; + Py_INCREF(result); + } + + exit: + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : super = module dont la définition est à compléter. * +* * +* Description : Définit une extension du module 'bhash' à compléter. * +* * +* Retour : Bilan de l'opération. * +* * +* Remarques : - * +* * +******************************************************************************/ + +bool populate_bhash_module_with_tlsh(PyObject *super) +{ + bool result; /* Bilan à retourner */ + + static PyMethodDef py_tlsh_methods[] = { + BHASH_COMPUTE_CONTENT_TLSH_HASH_METHOD, + BHASH_IS_VALID_TLSH_HASH_METHOD, + BHASH_COMPARE_TLSH_HASH_METHOD, + { NULL } + }; + + result = register_python_module_methods(super, py_tlsh_methods); + + return result; + +} 
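Review bot: In py_bhash_compare_tlsh_hash, `length` is declared `bool` but filled through PyArg_ParseTuple's `p` converter, which stores a C `int`; writing an int through a pointer to a one-byte bool overruns the variable on the stack (undefined behaviour, and it may clobber a neighbouring local such as `diff`). Declare it the way the sibling wrappers declare their flags, `int length;`, and let the call `compare_tlsh_hash(ha, hb, length, &diff)` perform the conversion. Separately, the compute_content_tlsh_hash docstring still says `The returned value is a MD5 digest string`, copied from imphash.c; it should read `The returned value is a TLSH digest string or *None* in case of error.`, and `parameter add a 'T?' prefix` should be `parameter adds a 'T?' prefix`.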
diff --git a/plugins/bhash/python/tlsh.h b/plugins/bhash/python/tlsh.h new file mode 100644 index 0000000..7312b97 --- /dev/null +++ b/plugins/bhash/python/tlsh.h @@ -0,0 +1,39 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * tlsh.h - équivalent Python du fichier "plugins/bhash/tlsh.h" + * + * Copyright (C) 2021 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + +#ifndef _PLUGINS_BHASH_PYTHON_TLSH_H +#define _PLUGINS_BHASH_PYTHON_TLSH_H + + +#include <Python.h> +#include <stdbool.h> + + + +/* Définit une extension du module 'bhash' à compléter. */ +bool populate_bhash_module_with_tlsh(PyObject *); + + + +#endif /* _PLUGINS_BHASH_PYTHON_TLSH_H */ |