Already implemented in: https://github.com/Xen0ph0n/malwarehouse

Hey scott, I'm throwing VT/Exiftool/Yara & SSdeep into this guy and gonna try to make search cover all of that stuff...probably not going to be useful to anyone but me in the end, but I found the following with the base .py when I tired to submit a non existent file it would puke because it was trying to call parser which didn't exist yet.

So I changed it to exit this way instead of try to call parser.. seems to work.

except IOError as e:
    print "You specified an invalid malware target path."
    exit(0)
    return False

One of the biggest insprerations as I started working on Malwarehouse was Zynamics VxClass. I never got a chance to use it, but the possibility of doing this sort of triage malware analysis, the boiler plate stuff that takes up the first few chapters of every good malware analysis book(such as Practical Malware Analysis & the Malware Analysts Cookbook).

There were a ton of great features in VxClass that don't seem to be met in a unified tool since Google took VxClass off the market (with no hope of bringing it back). Integrating some of these features could be a boon, and intersects with some of @technoskald's work on Konig

References:

• Zynamics | VxClass
• Zynamics Blog | Archive for the ‘VxClass’ Category
• Slideshare | VxClass for Incident Response
• Mandiant | zynamics VxClass and memory analysis
• Zynamics Blog | VxClass 1.5

I'm not quite sure yet what to do with this, but I feel like there are some cool possibilities.

Ref: PEFILE

Basic schema:

# Setup Database
__tablename__ = malwarehouse_index

meta_id = Column(Integer, primary_key=True)
meta_datetime = Column(String)

basic_filename = Column(String)
basic_size = Column(Integer)

mimetype = Column(String)
tags = Column(String)

hash_md5 = Column(String)
hash_sha256 = Column(String)
hash_ssdeep = Column(String)

user_source = Column(String)
user_notes = Column(String)

A good ideal longterm for supporting larger datasets, but it's a lot to bite off now with all the other restructuring.

The url http://sroberts.github.io/malwarehouse/ in the GitHub repo description gives a 404.

Howdy

Great work on this by the way. It's very useful.

It may just be me and my weird samples, but I've had to modify the search function a little. What I do is convert the string given in the argument to lower case so that not matter what it should be found.

The Gist of the code is here if you want to take a look https://gist.github.com/3871159

Let me know what you think

./matt

Trying out latest malwarehouse.py on a couple of systems. It appears
that the magic library used in malwarehouse is different than that of
other systems I have. The version on my FreeBSD and OS X don't
implement the magic.Magic class. OpenBSD does.

I notice MHL ran up against this in pescanner.py too. This is how he
handled it there:

-----

def get_filetype(data):
"""There are two versions of python-magic floating around, and
annoyingly, the interface
changed between versions, so we try one method and if it fails,
then we try the other.
NOTE: you may need to alter the magic_file for your system to
point to the magic file."""
if sys.modules.has_key('magic'):
try:
ms = magic.open(magic.MAGIC_NONE)
ms.load()
return ms.buffer(data)
except:
try:
return magic.from_buffer(data)
except magic.MagicException:
magic_custom =
magic.Magic(magic_file='C:\windows\system32\magic')
return magic_custom.from_buffer(data)
return ''

-----

• Run cleanly
• Write unit tests
• Pass unit tests
• Integrate with SQLite

Hi,

Apparently poster is needed but not listed in the requirements :

~/Perso/malwares/malwarehouse(branch:master*) » python2 malware_manager.py -h                       
/home/me/Perso/malwares/malwarehouse/extensions/plugins
Traceback (most recent call last):
  File "malware_manager.py", line 14, in <module>
    import extensions.plugins
  File "/home/me/Perso/malwares/malwarehouse/extensions/plugins/__init__.py", line 18, in <module>
    __load_modules('.')
  File "/home/me/Perso/malwares/malwarehouse/extensions/plugins/__init__.py", line 15, in __load_modules
    exec('from ' + m + ' import *')
  File "<string>", line 1, in <module>
  File "/home/me/Perso/malwares/malwarehouse/extensions/plugins/virus_total.py", line 3, in <module>
    from poster.encode import multipart_encode
ImportError: No module named poster.encode