diff options
Diffstat (limited to 'plugins/bhash/python/tlsh.c')
-rw-r--r-- | plugins/bhash/python/tlsh.c | 256 |
1 files changed, 256 insertions, 0 deletions
diff --git a/plugins/bhash/python/tlsh.c b/plugins/bhash/python/tlsh.c new file mode 100644 index 0000000..351327e --- /dev/null +++ b/plugins/bhash/python/tlsh.c @@ -0,0 +1,256 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * tlsh.c - équivalent Python du fichier "plugins/bhash/tlsh.c" + * + * Copyright (C) 2021 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * Chrysalide is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Chrysalide is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + +#include "tlsh.h" + + +#include <pygobject.h> + + +#include <plugins/pychrysalide/access.h> +#include <plugins/pychrysalide/helpers.h> +#include <plugins/pychrysalide/analysis/content.h> + + +#include "../tlsh.h" + + + +/* Calcule l'empreinte TLSH d'un contenu binaire. */ +static PyObject *py_bhash_compute_content_tlsh_hash(PyObject *, PyObject *); + +/* Indique si une chaîne représente à priori une empreinte TLSH. */ +static PyObject *py_bhash_is_valid_tlsh_hash(PyObject *, PyObject *); + +/* Détermine la similarité entre deux empreintes TLSH. */ +static PyObject *py_bhash_compare_tlsh_hash(PyObject *, PyObject *); + + + +/****************************************************************************** +* * +* Paramètres : self = objet Python concerné par l'appel. * +* args = paramètre à récupérer pour le traitement. * +* * +* Description : Calcule l'empreinte TLSH d'un contenu binaire. * +* * +* Retour : Empreinte TLSH calculée ou None en cas d'échec. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static PyObject *py_bhash_compute_content_tlsh_hash(PyObject *self, PyObject *args) +{ + PyObject *result; /* Valeur à retourner */ + int version; /* Affichage de la version ? */ + GBinContent *content; /* Contenu binaire à traiter */ + int ret; /* Bilan de lecture des args. */ + char *digest; /* Empreinte calculée */ + +#define BHASH_COMPUTE_CONTENT_TLSH_HASH_METHOD PYTHON_METHOD_DEF \ +( \ + compute_content_tlsh_hash, "content, /, version=True", \ + METH_VARARGS, py_bhash, \ + "Compute the TLSH compact hash for a given binary content with a" \ + " 1-byte checksum.\n" \ + "\n" \ + "The *content* argument is a pychrysalide.analysis.BinContent" \ + " instance providing the data to process. The optional *version*" \ + " parameter add a 'T?' prefix to the result.\n" \ + "\n" \ + "The returned value is a MD5 digest string or *None* in case of" \ + " error." \ +) + + result = NULL; + + version = 1; + + ret = PyArg_ParseTuple(args, "O&|p", convert_to_binary_content, &content, &version); + if (!ret) goto exit; + + digest = compute_content_tlsh_hash(content, version); + + if (digest != NULL) + { + result = PyUnicode_FromString(digest); + free(digest); + } + else + { + result = Py_None; + Py_INCREF(result); + } + + exit: + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : self = objet Python concerné par l'appel. * +* args = paramètre à récupérer pour le traitement. * +* * +* Description : Indique si une chaîne représente à priori une empreinte TLSH.* +* * +* Retour : Bilan de l'analyse. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static PyObject *py_bhash_is_valid_tlsh_hash(PyObject *self, PyObject *args) +{ + PyObject *result; /* Valeur à retourner */ + const char *h; /* Chaîne à considérer */ + int ret; /* Bilan de lecture des args. */ + bool status; /* Validité de la chaîne */ + +#define BHASH_IS_VALID_TLSH_HASH_METHOD PYTHON_METHOD_DEF \ +( \ + is_valid_tlsh_hash, "h", \ + METH_VARARGS, py_bhash, \ + "Check if a *h* string can be considered as a valid TLSH compact" \ + " hash.\n" \ + "\n" \ + "The returned value is a boolean value." \ +) + + result = NULL; + + ret = PyArg_ParseTuple(args, "s", &h); + if (!ret) goto exit; + + status = is_valid_tlsh_hash(h); + + result = status ? Py_True : Py_False; + Py_INCREF(result); + + exit: + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : self = objet Python concerné par l'appel. * +* args = paramètres à récupérer pour le traitement. * +* * +* Description : Détermine la similarité entre deux empreintes TLSH. * +* * +* Retour : Degré de différence relevé ou None en cas d'erreur. * +* * +* Remarques : - * +* * +******************************************************************************/ + +static PyObject *py_bhash_compare_tlsh_hash(PyObject *self, PyObject *args) +{ + PyObject *result; /* Valeur à retourner */ + bool length; /* Indication de taille ? */ + const char *ha; /* Première chaîne à considérer*/ + const char *hb; /* Seconde chaîne à considérer */ + int ret; /* Bilan de lecture des args. */ + int32_t diff; /* Différence à calculer */ + bool status; /* Validité de l'opération */ + +#define BHASH_COMPARE_TLSH_HASH_METHOD PYTHON_METHOD_DEF \ +( \ + compare_tlsh_hash, "ha, hb, /, length=True", \ + METH_VARARGS, py_bhash, \ + "Compare two TLSH compact hashes.\n" \ + "\n" \ + "The *ha* and *hb* arguments are strings from which the hashes" \ + " will be rebuilt. The" \ + " pychrysalide.plugins.bhash.compute_content_tlsh_hash() method" \ + " can be used to create such strings. The filtering of valid" \ + " inputs rely internally on the" \ + " pychrysalide.plugins.bhash.is_valid_tlsh_hash() function.\n" \ + "\n" \ + "The *length* argument defines if the TLSH data size hint has to" \ + " be considered by the comparison process.\n" \ + "\n" \ + "The returned value is a difference level provided as an integer" \ + " value or *None* in case of error." \ +) + + result = NULL; + + length = 1; + + ret = PyArg_ParseTuple(args, "ss|p", &ha, &hb, &length); + if (!ret) goto exit; + + status = compare_tlsh_hash(ha, hb, length, &diff); + + if (status) + result = PyLong_FromLong(diff); + + else + { + result = Py_None; + Py_INCREF(result); + } + + exit: + + return result; + +} + + +/****************************************************************************** +* * +* Paramètres : super = module dont la définition est à compléter. * +* * +* Description : Définit une extension du module 'bhash' à compléter. * +* * +* Retour : Bilan de l'opération. * +* * +* Remarques : - * +* * +******************************************************************************/ + +bool populate_bhash_module_with_tlsh(PyObject *super) +{ + bool result; /* Bilan à retourner */ + + static PyMethodDef py_tlsh_methods[] = { + BHASH_COMPUTE_CONTENT_TLSH_HASH_METHOD, + BHASH_IS_VALID_TLSH_HASH_METHOD, + BHASH_COMPARE_TLSH_HASH_METHOD, + { NULL } + }; + + result = register_python_module_methods(super, py_tlsh_methods); + + return result; + +} |