authorCyrille Bagard <nocbos@gmail.com>2021-04-06 22:55:54 (GMT)
committerCyrille Bagard <nocbos@gmail.com>2021-04-06 22:55:54 (GMT)
commitc12d6a5d11bf9a2436ff78e393173ca59b6c9c46 (patch)
treeb579b642e301f5d6e6d88fb0213a54db6bf6fd38 /plugins/bhash/python
parentc4d2e0fa48eab453d5c43a3c0938427617449a6a (diff)
Provide several kinds of hashes for binary files.
Diffstat (limited to 'plugins/bhash/python')
-rw-r--r--plugins/bhash/python/Makefile.am21
-rw-r--r--plugins/bhash/python/imphash.c135
-rw-r--r--plugins/bhash/python/imphash.h39
-rw-r--r--plugins/bhash/python/module.c90
-rw-r--r--plugins/bhash/python/module.h38
-rw-r--r--plugins/bhash/python/rich.c194
-rw-r--r--plugins/bhash/python/rich.h39
-rw-r--r--plugins/bhash/python/tlsh.c256
-rw-r--r--plugins/bhash/python/tlsh.h39
9 files changed, 851 insertions, 0 deletions
diff --git a/plugins/bhash/python/Makefile.am b/plugins/bhash/python/Makefile.am
new file mode 100644
index 0000000..822a716
--- /dev/null
+++ b/plugins/bhash/python/Makefile.am
@@ -0,0 +1,21 @@
+
+noinst_LTLIBRARIES = libbhashpython.la
+
+libbhashpython_la_SOURCES = \
+ imphash.h imphash.c \
+ module.h module.c \
+ tlsh.h tlsh.c \
+ rich.h rich.c
+
+libbhashpython_la_LDFLAGS =
+
+
+devdir = $(includedir)/chrysalide/$(subdir)
+
+dev_HEADERS = $(libbhashpython_la_SOURCES:%c=)
+
+
+AM_CPPFLAGS = $(LIBGTK_CFLAGS) $(LIBXML_CFLAGS) $(LIBPYTHON_CFLAGS) $(LIBPYGOBJECT_CFLAGS) \
+ -I$(top_srcdir)/src -DNO_IMPORT_PYGOBJECT
+
+AM_CFLAGS = $(DEBUG_CFLAGS) $(WARNING_FLAGS) $(COMPLIANCE_FLAGS)
diff --git a/plugins/bhash/python/imphash.c b/plugins/bhash/python/imphash.c
new file mode 100644
index 0000000..c01628d
--- /dev/null
+++ b/plugins/bhash/python/imphash.c
@@ -0,0 +1,135 @@
+
+/* Chrysalide - Outil d'analyse de fichiers binaires
+ * imphash.c - équivalent Python du fichier "plugins/bhash/imphash.c"
+ *
+ * Copyright (C) 2020 Cyrille Bagard
+ *
+ * This file is part of Chrysalide.
+ *
+ * Chrysalide is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Chrysalide is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+
+#include "imphash.h"
+
+
+#include <pygobject.h>
+
+
+#include <plugins/pe/python/format.h>
+#include <plugins/pychrysalide/access.h>
+#include <plugins/pychrysalide/helpers.h>
+
+
+#include "../imphash.h"
+
+
+
+/* Calcule l'empreinte des importations d'un format PE. */
+static PyObject *py_bhash_compute_pe_import_hash(PyObject *, PyObject *);
+
+
+
+/******************************************************************************
+* *
+* Paramètres : self = objet Python concerné par l'appel. *
+* args = paramètre à récupérer pour le traitement. *
+* *
+* Description : Calcule l'empreinte des importations d'un format PE. *
+* *
+* Retour : Empreinte MD5 calculée ou None en cas d'échec. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+static PyObject *py_bhash_compute_pe_import_hash(PyObject *self, PyObject *args)
+{
+ PyObject *result; /* Valeur à retourner */
+ int std; /* Méthode de calcul */
+ GPeFormat *format; /* Format PE à manipuler */
+ int ret; /* Bilan de lecture des args. */
+ char *digest; /* Empreinte calculée */
+
+#define BHASH_COMPUTE_PE_IMPORT_HASH_METHOD PYTHON_METHOD_DEF \
+( \
+ compute_pe_import_hash, "format, /, std=True", \
+ METH_VARARGS, py_bhash, \
+ "Compute the import hash for a given PE format.\n" \
+ "\n" \
+ "The *format* argument is a PE file format provided as a" \
+ " pychrysalide.format.pe.PeFormat instance and *std* defines the" \
+ " kind of hash to compute.\n" \
+ "\n" \
+ "The standard version has been created by Mandiant/FireEye; the" \
+ " other one is used by the popular pefile Python module.\n" \
+ "\n" \
+ "The returned value is a MD5 digest string or *None* in case of" \
+ " error." \
+)
+
+ result = NULL;
+
+ std = 1;
+
+ ret = PyArg_ParseTuple(args, "O&|p", convert_to_pe_format, &format, &std);
+ if (!ret) goto exit;
+
+ digest = compute_pe_import_hash(format, std);
+
+ if (digest != NULL)
+ {
+ result = PyUnicode_FromString(digest);
+ free(digest);
+ }
+ else
+ {
+ result = Py_None;
+ Py_INCREF(result);
+ }
+
+ exit:
+
+ return result;
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : super = module dont la définition est à compléter. *
+* *
+* Description : Définit une extension du module 'bhash' à compléter. *
+* *
+* Retour : Bilan de l'opération. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+bool populate_bhash_module_with_imphash(PyObject *super)
+{
+ bool result; /* Bilan à retourner */
+
+ static PyMethodDef py_imphash_methods[] = {
+ BHASH_COMPUTE_PE_IMPORT_HASH_METHOD,
+ { NULL }
+ };
+
+ result = register_python_module_methods(super, py_imphash_methods);
+
+ return result;
+
+}
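Review bot: The docstring of py_bhash_compute_pe_import_hash does not tell a caller what the digest covers or what a *None* result means, and the code returns *None* for every case where compute_pe_import_hash() yields NULL. Since the value is derived from the import list rather than the file content, two different binaries can share it, which matters to anyone using it for triage. I would add a sentence such as `"The digest only reflects the imported symbols, so distinct files may share the same value.\n"` and state that *None* is returned whenever no digest could be computed. The `std` text could also say outright that `std=True` selects the Mandiant/FireEye variant, if that is the mapping implemented in ../imphash.c.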
diff --git a/plugins/bhash/python/imphash.h b/plugins/bhash/python/imphash.h
new file mode 100644
index 0000000..fa5ff2c
--- /dev/null
+++ b/plugins/bhash/python/imphash.h
@@ -0,0 +1,39 @@
+
+/* Chrysalide - Outil d'analyse de fichiers binaires
+ * imphash.h - équivalent Python du fichier "plugins/bhash/imphash.h"
+ *
+ * Copyright (C) 2020 Cyrille Bagard
+ *
+ * This file is part of Chrysalide.
+ *
+ * Chrysalide is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Chrysalide is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+
+#ifndef _PLUGINS_BHASH_PYTHON_IMPHASH_H
+#define _PLUGINS_BHASH_PYTHON_IMPHASH_H
+
+
+#include <Python.h>
+#include <stdbool.h>
+
+
+
+/* Définit une extension du module 'bhash' à compléter. */
+bool populate_bhash_module_with_imphash(PyObject *);
+
+
+
+#endif /* _PLUGINS_BHASH_PYTHON_IMPHASH_H */
diff --git a/plugins/bhash/python/module.c b/plugins/bhash/python/module.c
new file mode 100644
index 0000000..deb5d28
--- /dev/null
+++ b/plugins/bhash/python/module.c
@@ -0,0 +1,90 @@
+
+/* Chrysalide - Outil d'analyse de fichiers binaires
+ * module.c - intégration du répertoire bhash en tant que module
+ *
+ * Copyright (C) 2020 Cyrille Bagard
+ *
+ * This file is part of Chrysalide.
+ *
+ * Chrysalide is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Chrysalide is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+
+#include "module.h"
+
+
+#include <assert.h>
+#include <Python.h>
+
+
+#include <plugins/pychrysalide/access.h>
+#include <plugins/pychrysalide/helpers.h>
+
+
+#include "imphash.h"
+#include "tlsh.h"
+#include "rich.h"
+
+
+
+/******************************************************************************
+* *
+* Paramètres : - *
+* *
+* Description : Ajoute le module 'plugins.bhash' au module Python. *
+* *
+* Retour : - *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+bool add_bhash_module_to_python_module(void)
+{
+ bool result; /* Bilan à retourner */
+ PyObject *super; /* Module à compléter */
+ PyObject *module; /* Sous-module mis en place */
+
+#define PYCHRYSALIDE_PLUGINS_BHASH_DOC \
+ "bhash is a module providing several kinds of hashes for binary files."
+
+ static PyModuleDef py_chrysalide_bhash_module = {
+
+ .m_base = PyModuleDef_HEAD_INIT,
+
+ .m_name = "pychrysalide.plugins.bhash",
+ .m_doc = PYCHRYSALIDE_PLUGINS_BHASH_DOC,
+
+ .m_size = -1,
+
+ };
+
+ result = false;
+
+ super = get_access_to_python_module("pychrysalide.plugins");
+
+ module = build_python_module(super, &py_chrysalide_bhash_module);
+
+ result = (module != NULL);
+
+ if (result) result = populate_bhash_module_with_imphash(module);
+ if (result) result = populate_bhash_module_with_tlsh(module);
+ if (result) result = populate_bhash_module_with_rich_header(module);
+
+ assert(result);
+
+ return result;
+
+}
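Review bot: In add_bhash_module_to_python_module, `super` is passed to build_python_module() with no NULL check, so a failed lookup of "pychrysalide.plugins" is only handled if that helper tolerates NULL, which this hunk does not show. The closing `assert(result)` makes a registration failure abort the host process in debug builds while NDEBUG builds just return false, so the two builds behave differently on the same error. I would add `if (super == NULL) return false;` after the lookup, drop the `assert(result);` in favour of the returned status, and remove the initial `result = false;` store, which is overwritten before it is read.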
diff --git a/plugins/bhash/python/module.h b/plugins/bhash/python/module.h
new file mode 100644
index 0000000..057cfdf
--- /dev/null
+++ b/plugins/bhash/python/module.h
@@ -0,0 +1,38 @@
+
+/* Chrysalide - Outil d'analyse de fichiers binaires
+ * module.h - prototypes pour l'intégration du répertoire bhash en tant que module
+ *
+ * Copyright (C) 2020 Cyrille Bagard
+ *
+ * This file is part of Chrysalide.
+ *
+ * Chrysalide is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Chrysalide is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+
+#ifndef _PLUGINS_BHASH_PYTHON_MODULE_H
+#define _PLUGINS_BHASH_PYTHON_MODULE_H
+
+
+#include <stdbool.h>
+
+
+
+/* Ajoute le module 'plugins.bhash' au module Python. */
+bool add_bhash_module_to_python_module(void);
+
+
+
+#endif /* _PLUGINS_BHASH_PYTHON_MODULE_H */
diff --git a/plugins/bhash/python/rich.c b/plugins/bhash/python/rich.c
new file mode 100644
index 0000000..1a8b894
--- /dev/null
+++ b/plugins/bhash/python/rich.c
@@ -0,0 +1,194 @@
+
+/* Chrysalide - Outil d'analyse de fichiers binaires
+ * rich.c - équivalent Python du fichier "plugins/bhash/rich.c"
+ *
+ * Copyright (C) 2020 Cyrille Bagard
+ *
+ * This file is part of Chrysalide.
+ *
+ * Chrysalide is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Chrysalide is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+
+#include "rich.h"
+
+
+#include <pygobject.h>
+
+
+#include <plugins/pe/python/format.h>
+#include <plugins/pychrysalide/access.h>
+#include <plugins/pychrysalide/helpers.h>
+
+
+#include "../rich.h"
+
+
+
+/* Calcule la valeur pour empreinte d'en-tête PE enrichi. */
+static PyObject *py_bhash_compute_pe_rich_header_checksum(PyObject *, PyObject *);
+
+/* Calcule l'empreinte des informations d'en-tête PE enrichi. */
+static PyObject *py_bhash_compute_pe_rich_header_hash(PyObject *, PyObject *);
+
+
+
+/******************************************************************************
+* *
+* Paramètres : self = objet Python concerné par l'appel. *
+* args = paramètre à récupérer pour le traitement. *
+* *
+* Description : Calcule la valeur pour empreinte d'en-tête PE enrichi. *
+* *
+* Retour : None ou empreinte déterminée. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+static PyObject *py_bhash_compute_pe_rich_header_checksum(PyObject *self, PyObject *args)
+{
+ PyObject *result; /* Valeur à retourner */
+ GPeFormat *format; /* Format PE à manipuler */
+ int ret; /* Bilan de lecture des args. */
+ uint32_t csum; /* Empreinte réalisée */
+ bool status; /* Bilan de l'opération */
+
+#define BHASH_COMPUTE_PE_RICH_HEADER_CHECKSUM_METHOD PYTHON_METHOD_DEF \
+( \
+ compute_pe_rich_header_checksum, "format, /", \
+ METH_VARARGS, py_bhash, \
+ "Compute the expected value for the Rich header checksum of a PE" \
+ " file.\n" \
+ "\n" \
+ "The *format* argument is a PE file format provided as a" \
+ " pychrysalide.format.pe.PeFormat instance.\n" \
+ "\n" \
+ "The returned value is a 32-bit integer value or *None* in case of" \
+ " error." \
+)
+
+ result = NULL;
+
+ ret = PyArg_ParseTuple(args, "O&", convert_to_pe_format, &format);
+ if (!ret) goto exit;
+
+ status = compute_pe_rich_header_checksum(format, &csum);
+
+ if (status)
+ result = PyLong_FromUnsignedLong(csum);
+
+ else
+ {
+ result = Py_None;
+ Py_INCREF(result);
+ }
+
+ exit:
+
+ return result;
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : self = objet Python concerné par l'appel. *
+* args = paramètre à récupérer pour le traitement. *
+* *
+* Description : Calcule l'empreinte des informations d'en-tête PE enrichi. *
+* *
+* Retour : Empreinte MD5 calculée ou None en cas d'échec. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+static PyObject *py_bhash_compute_pe_rich_header_hash(PyObject *self, PyObject *args)
+{
+ PyObject *result; /* Valeur à retourner */
+ int pv; /* Sélection de l'empreinte */
+ GPeFormat *format; /* Format PE à manipuler */
+ int ret; /* Bilan de lecture des args. */
+ char *digest; /* Empreinte calculée */
+
+#define BHASH_COMPUTE_PE_RICH_HEADER_HASH_METHOD PYTHON_METHOD_DEF \
+( \
+ compute_pe_rich_header_hash, "format, /, pv=True", \
+ METH_VARARGS, py_bhash, \
+ "Compute the Rich hash or the RichPV hash for a given PE format.\n" \
+ "\n" \
+ "The *format* argument is a PE file format provided as a" \
+ " pychrysalide.format.pe.PeFormat instance and *pv* defines the" \
+ " kind of hash to compute.\n" \
+ "\n" \
+ "The returned value is a MD5 digest string or *None* in case of" \
+ " error." \
+)
+
+ result = NULL;
+
+ pv = 1;
+
+ ret = PyArg_ParseTuple(args, "O&|p", convert_to_pe_format, &format, &pv);
+ if (!ret) goto exit;
+
+ digest = compute_pe_rich_header_hash(format, pv);
+
+ if (digest != NULL)
+ {
+ result = PyUnicode_FromString(digest);
+ free(digest);
+ }
+ else
+ {
+ result = Py_None;
+ Py_INCREF(result);
+ }
+
+ exit:
+
+ return result;
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : super = module dont la définition est à compléter. *
+* *
+* Description : Définit une extension du module 'bhash' à compléter. *
+* *
+* Retour : Bilan de l'opération. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+bool populate_bhash_module_with_rich_header(PyObject *super)
+{
+ bool result; /* Bilan à retourner */
+
+ static PyMethodDef py_rich_header_methods[] = {
+ BHASH_COMPUTE_PE_RICH_HEADER_CHECKSUM_METHOD,
+ BHASH_COMPUTE_PE_RICH_HEADER_HASH_METHOD,
+ { NULL }
+ };
+
+ result = register_python_module_methods(super, py_rich_header_methods);
+
+ return result;
+
+}
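Review bot: The docstring of py_bhash_compute_pe_rich_header_hash says *pv* "defines the kind of hash to compute" but never states which value gives the Rich hash and which the RichPV hash, so a caller comparing results with other tools cannot tell which one the default `pv=True` produces. Presumably true selects RichPV, going by the parameter name; if so, say it, e.g. `"When *pv* is true the RichPV hash is computed, otherwise the Rich hash.\n"`. For py_bhash_compute_pe_rich_header_checksum it would help to note that the result is meant to be compared with the checksum stored in the file, because the docstring calls it the "expected value" without saying what it is expected to match.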
diff --git a/plugins/bhash/python/rich.h b/plugins/bhash/python/rich.h
new file mode 100644
index 0000000..45125bc
--- /dev/null
+++ b/plugins/bhash/python/rich.h
@@ -0,0 +1,39 @@
+
+/* Chrysalide - Outil d'analyse de fichiers binaires
+ * rich.h - équivalent Python du fichier "plugins/bhash/rich.h"
+ *
+ * Copyright (C) 2020 Cyrille Bagard
+ *
+ * This file is part of Chrysalide.
+ *
+ * Chrysalide is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Chrysalide is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+
+#ifndef _PLUGINS_BHASH_PYTHON_RICH_H
+#define _PLUGINS_BHASH_PYTHON_RICH_H
+
+
+#include <Python.h>
+#include <stdbool.h>
+
+
+
+/* Définit une extension du module 'bhash' à compléter. */
+bool populate_bhash_module_with_rich_header(PyObject *);
+
+
+
+#endif /* _PLUGINS_BHASH_PYTHON_RICH_H */
diff --git a/plugins/bhash/python/tlsh.c b/plugins/bhash/python/tlsh.c
new file mode 100644
index 0000000..351327e
--- /dev/null
+++ b/plugins/bhash/python/tlsh.c
@@ -0,0 +1,256 @@
+
+/* Chrysalide - Outil d'analyse de fichiers binaires
+ * tlsh.c - équivalent Python du fichier "plugins/bhash/tlsh.c"
+ *
+ * Copyright (C) 2021 Cyrille Bagard
+ *
+ * This file is part of Chrysalide.
+ *
+ * Chrysalide is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Chrysalide is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+
+#include "tlsh.h"
+
+
+#include <pygobject.h>
+
+
+#include <plugins/pychrysalide/access.h>
+#include <plugins/pychrysalide/helpers.h>
+#include <plugins/pychrysalide/analysis/content.h>
+
+
+#include "../tlsh.h"
+
+
+
+/* Calcule l'empreinte TLSH d'un contenu binaire. */
+static PyObject *py_bhash_compute_content_tlsh_hash(PyObject *, PyObject *);
+
+/* Indique si une chaîne représente à priori une empreinte TLSH. */
+static PyObject *py_bhash_is_valid_tlsh_hash(PyObject *, PyObject *);
+
+/* Détermine la similarité entre deux empreintes TLSH. */
+static PyObject *py_bhash_compare_tlsh_hash(PyObject *, PyObject *);
+
+
+
+/******************************************************************************
+* *
+* Paramètres : self = objet Python concerné par l'appel. *
+* args = paramètre à récupérer pour le traitement. *
+* *
+* Description : Calcule l'empreinte TLSH d'un contenu binaire. *
+* *
+* Retour : Empreinte TLSH calculée ou None en cas d'échec. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+static PyObject *py_bhash_compute_content_tlsh_hash(PyObject *self, PyObject *args)
+{
+ PyObject *result; /* Valeur à retourner */
+ int version; /* Affichage de la version ? */
+ GBinContent *content; /* Contenu binaire à traiter */
+ int ret; /* Bilan de lecture des args. */
+ char *digest; /* Empreinte calculée */
+
+#define BHASH_COMPUTE_CONTENT_TLSH_HASH_METHOD PYTHON_METHOD_DEF \
+( \
+ compute_content_tlsh_hash, "content, /, version=True", \
+ METH_VARARGS, py_bhash, \
+ "Compute the TLSH compact hash for a given binary content with a" \
+ " 1-byte checksum.\n" \
+ "\n" \
+ "The *content* argument is a pychrysalide.analysis.BinContent" \
+ " instance providing the data to process. The optional *version*" \
+ " parameter add a 'T?' prefix to the result.\n" \
+ "\n" \
+ "The returned value is a MD5 digest string or *None* in case of" \
+ " error." \
+)
+
+ result = NULL;
+
+ version = 1;
+
+ ret = PyArg_ParseTuple(args, "O&|p", convert_to_binary_content, &content, &version);
+ if (!ret) goto exit;
+
+ digest = compute_content_tlsh_hash(content, version);
+
+ if (digest != NULL)
+ {
+ result = PyUnicode_FromString(digest);
+ free(digest);
+ }
+ else
+ {
+ result = Py_None;
+ Py_INCREF(result);
+ }
+
+ exit:
+
+ return result;
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : self = objet Python concerné par l'appel. *
+* args = paramètre à récupérer pour le traitement. *
+* *
+* Description : Indique si une chaîne représente à priori une empreinte TLSH.*
+* *
+* Retour : Bilan de l'analyse. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+static PyObject *py_bhash_is_valid_tlsh_hash(PyObject *self, PyObject *args)
+{
+ PyObject *result; /* Valeur à retourner */
+ const char *h; /* Chaîne à considérer */
+ int ret; /* Bilan de lecture des args. */
+ bool status; /* Validité de la chaîne */
+
+#define BHASH_IS_VALID_TLSH_HASH_METHOD PYTHON_METHOD_DEF \
+( \
+ is_valid_tlsh_hash, "h", \
+ METH_VARARGS, py_bhash, \
+ "Check if a *h* string can be considered as a valid TLSH compact" \
+ " hash.\n" \
+ "\n" \
+ "The returned value is a boolean value." \
+)
+
+ result = NULL;
+
+ ret = PyArg_ParseTuple(args, "s", &h);
+ if (!ret) goto exit;
+
+ status = is_valid_tlsh_hash(h);
+
+ result = status ? Py_True : Py_False;
+ Py_INCREF(result);
+
+ exit:
+
+ return result;
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : self = objet Python concerné par l'appel. *
+* args = paramètres à récupérer pour le traitement. *
+* *
+* Description : Détermine la similarité entre deux empreintes TLSH. *
+* *
+* Retour : Degré de différence relevé ou None en cas d'erreur. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+static PyObject *py_bhash_compare_tlsh_hash(PyObject *self, PyObject *args)
+{
+ PyObject *result; /* Valeur à retourner */
+ bool length; /* Indication de taille ? */
+ const char *ha; /* Première chaîne à considérer*/
+ const char *hb; /* Seconde chaîne à considérer */
+ int ret; /* Bilan de lecture des args. */
+ int32_t diff; /* Différence à calculer */
+ bool status; /* Validité de l'opération */
+
+#define BHASH_COMPARE_TLSH_HASH_METHOD PYTHON_METHOD_DEF \
+( \
+ compare_tlsh_hash, "ha, hb, /, length=True", \
+ METH_VARARGS, py_bhash, \
+ "Compare two TLSH compact hashes.\n" \
+ "\n" \
+ "The *ha* and *hb* arguments are strings from which the hashes" \
+ " will be rebuilt. The" \
+ " pychrysalide.plugins.bhash.compute_content_tlsh_hash() method" \
+ " can be used to create such strings. The filtering of valid" \
+ " inputs rely internally on the" \
+ " pychrysalide.plugins.bhash.is_valid_tlsh_hash() function.\n" \
+ "\n" \
+ "The *length* argument defines if the TLSH data size hint has to" \
+ " be considered by the comparison process.\n" \
+ "\n" \
+ "The returned value is a difference level provided as an integer" \
+ " value or *None* in case of error." \
+)
+
+ result = NULL;
+
+ length = 1;
+
+ ret = PyArg_ParseTuple(args, "ss|p", &ha, &hb, &length);
+ if (!ret) goto exit;
+
+ status = compare_tlsh_hash(ha, hb, length, &diff);
+
+ if (status)
+ result = PyLong_FromLong(diff);
+
+ else
+ {
+ result = Py_None;
+ Py_INCREF(result);
+ }
+
+ exit:
+
+ return result;
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : super = module dont la définition est à compléter. *
+* *
+* Description : Définit une extension du module 'bhash' à compléter. *
+* *
+* Retour : Bilan de l'opération. *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+bool populate_bhash_module_with_tlsh(PyObject *super)
+{
+ bool result; /* Bilan à retourner */
+
+ static PyMethodDef py_tlsh_methods[] = {
+ BHASH_COMPUTE_CONTENT_TLSH_HASH_METHOD,
+ BHASH_IS_VALID_TLSH_HASH_METHOD,
+ BHASH_COMPARE_TLSH_HASH_METHOD,
+ { NULL }
+ };
+
+ result = register_python_module_methods(super, py_tlsh_methods);
+
+ return result;
+
+}
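Review bot: In py_bhash_compare_tlsh_hash, `length` is declared `bool` but its address is passed to PyArg_ParseTuple for the `p` format unit, which stores an `int`. When a caller supplies the third argument, this writes past the (typically one-byte) object on the stack. The other wrappers in this commit (`std`, `pv`, `version`) use `int` for the same unit, so the declaration should be `int length;`. Separately, the docstring of compute_content_tlsh_hash says the result is "a MD5 digest string", which looks copied from the imphash wrapper; it should read `"The returned value is a TLSH digest string or *None* in case of"`.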
diff --git a/plugins/bhash/python/tlsh.h b/plugins/bhash/python/tlsh.h
new file mode 100644
index 0000000..7312b97
--- /dev/null
+++ b/plugins/bhash/python/tlsh.h
@@ -0,0 +1,39 @@
+
+/* Chrysalide - Outil d'analyse de fichiers binaires
+ * tlsh.h - équivalent Python du fichier "plugins/bhash/tlsh.h"
+ *
+ * Copyright (C) 2021 Cyrille Bagard
+ *
+ * This file is part of Chrysalide.
+ *
+ * Chrysalide is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Chrysalide is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+
+#ifndef _PLUGINS_BHASH_PYTHON_TLSH_H
+#define _PLUGINS_BHASH_PYTHON_TLSH_H
+
+
+#include <Python.h>
+#include <stdbool.h>
+
+
+
+/* Définit une extension du module 'bhash' à compléter. */
+bool populate_bhash_module_with_tlsh(PyObject *);
+
+
+
+#endif /* _PLUGINS_BHASH_PYTHON_TLSH_H */