/* Chrysalide - Outil d'analyse de fichiers binaires * tlsh.c - équivalent Python du fichier "plugins/bhash/tlsh.c" * * Copyright (C) 2021 Cyrille Bagard * * This file is part of Chrysalide. * * Chrysalide is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * Chrysalide is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "tlsh.h" #include #include #include #include #include "../tlsh.h" /* Calcule l'empreinte TLSH d'un contenu binaire. */ static PyObject *py_bhash_compute_content_tlsh_hash(PyObject *, PyObject *); /* Indique si une chaîne représente à priori une empreinte TLSH. */ static PyObject *py_bhash_is_valid_tlsh_hash(PyObject *, PyObject *); /* Détermine la similarité entre deux empreintes TLSH. */ static PyObject *py_bhash_compare_tlsh_hash(PyObject *, PyObject *); /****************************************************************************** * * * Paramètres : self = objet Python concerné par l'appel. * * args = paramètre à récupérer pour le traitement. * * * * Description : Calcule l'empreinte TLSH d'un contenu binaire. * * * * Retour : Empreinte TLSH calculée ou None en cas d'échec. * * * * Remarques : - * * * ******************************************************************************/ static PyObject *py_bhash_compute_content_tlsh_hash(PyObject *self, PyObject *args) { PyObject *result; /* Valeur à retourner */ int version; /* Affichage de la version ? */ GBinContent *content; /* Contenu binaire à traiter */ int ret; /* Bilan de lecture des args. */ char *digest; /* Empreinte calculée */ #define BHASH_COMPUTE_CONTENT_TLSH_HASH_METHOD PYTHON_METHOD_DEF \ ( \ compute_content_tlsh_hash, "content, /, version=True", \ METH_VARARGS, py_bhash, \ "Compute the TLSH compact hash for a given binary content with a" \ " 1-byte checksum.\n" \ "\n" \ "The *content* argument is a pychrysalide.analysis.BinContent" \ " instance providing the data to process. The optional *version*" \ " parameter add a 'T?' prefix to the result.\n" \ "\n" \ "The returned value is a MD5 digest string or *None* in case of" \ " error." \ ) result = NULL; version = 1; ret = PyArg_ParseTuple(args, "O&|p", convert_to_binary_content, &content, &version); if (!ret) goto exit; digest = compute_content_tlsh_hash(content, version); if (digest != NULL) { result = PyUnicode_FromString(digest); free(digest); } else { result = Py_None; Py_INCREF(result); } exit: return result; } /****************************************************************************** * * * Paramètres : self = objet Python concerné par l'appel. * * args = paramètre à récupérer pour le traitement. * * * * Description : Indique si une chaîne représente à priori une empreinte TLSH.* * * * Retour : Bilan de l'analyse. * * * * Remarques : - * * * ******************************************************************************/ static PyObject *py_bhash_is_valid_tlsh_hash(PyObject *self, PyObject *args) { PyObject *result; /* Valeur à retourner */ const char *h; /* Chaîne à considérer */ int ret; /* Bilan de lecture des args. */ bool status; /* Validité de la chaîne */ #define BHASH_IS_VALID_TLSH_HASH_METHOD PYTHON_METHOD_DEF \ ( \ is_valid_tlsh_hash, "h", \ METH_VARARGS, py_bhash, \ "Check if a *h* string can be considered as a valid TLSH compact" \ " hash.\n" \ "\n" \ "The returned value is a boolean value." \ ) result = NULL; ret = PyArg_ParseTuple(args, "s", &h); if (!ret) goto exit; status = is_valid_tlsh_hash(h); result = status ? Py_True : Py_False; Py_INCREF(result); exit: return result; } /****************************************************************************** * * * Paramètres : self = objet Python concerné par l'appel. * * args = paramètres à récupérer pour le traitement. * * * * Description : Détermine la similarité entre deux empreintes TLSH. * * * * Retour : Degré de différence relevé ou None en cas d'erreur. * * * * Remarques : - * * * ******************************************************************************/ static PyObject *py_bhash_compare_tlsh_hash(PyObject *self, PyObject *args) { PyObject *result; /* Valeur à retourner */ bool length; /* Indication de taille ? */ const char *ha; /* Première chaîne à considérer*/ const char *hb; /* Seconde chaîne à considérer */ int ret; /* Bilan de lecture des args. */ int32_t diff; /* Différence à calculer */ bool status; /* Validité de l'opération */ #define BHASH_COMPARE_TLSH_HASH_METHOD PYTHON_METHOD_DEF \ ( \ compare_tlsh_hash, "ha, hb, /, length=True", \ METH_VARARGS, py_bhash, \ "Compare two TLSH compact hashes.\n" \ "\n" \ "The *ha* and *hb* arguments are strings from which the hashes" \ " will be rebuilt. The" \ " pychrysalide.plugins.bhash.compute_content_tlsh_hash() method" \ " can be used to create such strings. The filtering of valid" \ " inputs rely internally on the" \ " pychrysalide.plugins.bhash.is_valid_tlsh_hash() function.\n" \ "\n" \ "The *length* argument defines if the TLSH data size hint has to" \ " be considered by the comparison process.\n" \ "\n" \ "The returned value is a difference level provided as an integer" \ " value or *None* in case of error." \ ) result = NULL; length = 1; ret = PyArg_ParseTuple(args, "ss|p", &ha, &hb, &length); if (!ret) goto exit; status = compare_tlsh_hash(ha, hb, length, &diff); if (status) result = PyLong_FromLong(diff); else { result = Py_None; Py_INCREF(result); } exit: return result; } /****************************************************************************** * * * Paramètres : super = module dont la définition est à compléter. * * * * Description : Définit une extension du module 'bhash' à compléter. * * * * Retour : Bilan de l'opération. * * * * Remarques : - * * * ******************************************************************************/ bool populate_bhash_module_with_tlsh(PyObject *super) { bool result; /* Bilan à retourner */ static PyMethodDef py_tlsh_methods[] = { BHASH_COMPUTE_CONTENT_TLSH_HASH_METHOD, BHASH_IS_VALID_TLSH_HASH_METHOD, BHASH_COMPARE_TLSH_HASH_METHOD, { NULL } }; result = register_python_module_methods(super, py_tlsh_methods); return result; }