// Extracts the info from the binary
func binaryData(artifact *Artifact, filePath string) error {
if sectionData, libraries, symbols, err := binanal.PEAnal(filePath); err == nil {
artifact.Format = "pe"
artifact.Imports = libraries
artifact.Symbols = symbols
artifact.Sections = extractSectionNames(sectionData)
if err := generateColorImage(artifact.ImageDir, filePath, sectionData); err != nil {
return err
}
} else if sectionData, libraries, symbols, err := binanal.ELFAnal(filePath); err == nil {
artifact.Format = "elf"
artifact.Imports = libraries
artifact.Symbols = symbols
artifact.Sections = extractSectionNames(sectionData)
if err := generateColorImage(artifact.ImageDir, filePath, sectionData); err != nil {
return err
}
} else if sectionData, libraries, symbols, err := binanal.MACHOAnal(filePath); err == nil {
artifact.Format = "macho"
artifact.Imports = libraries
artifact.Symbols = symbols
artifact.Sections = extractSectionNames(sectionData)
if err := generateColorImage(artifact.ImageDir, filePath, sectionData); err != nil {
return err
}
} else {
artifact.Format = "unknown"
artifact.Imports = libraries
artifact.Symbols = symbols
if err := generateImage(artifact.ImageDir, filePath); err != nil {
return err
}
}
return nil
}
// Runs the artifact cataloger
func catalog() {
// Artifact array to store all the artifacts structs
var artifactArray []Artifact
var strains []string
var mutations []string
dir, err := ioutil.ReadDir(dirFlag)
checkErr(err)
dbgPrint("Calculating SSDEEP.")
// Calculate ssdeep for all the files and create Artifact
for k := range dir {
var element Artifact
fileName := dir[k].Name()
fileDir := path.Join(dirFlag, fileName)
// Get DNA of binary
hash, err := ssdeep.HashFilename(fileDir)
checkErr(err)
element.Ssdeep = hash
element.Sha256 = fileName
element.ArtifactDir = path.Join(dirFlag, fileName)
element.ImageDir = fmt.Sprintf("%s.png", path.Join(imgoutFlag, fileName))
artifactArray = append(artifactArray, element)
}
// Generates the binary info
dbgPrint("Artifact info extraction.")
for i := range artifactArray {
fileDir := artifactArray[i].ArtifactDir
fullImageDir := artifactArray[i].ImageDir
// Reads the artifact into a binary array
binaryArray, err := ioutil.ReadFile(fileDir)
checkErr(err)
if sectionData, libraries, symbols, err := binanal.PEAnal(fileDir); err == nil {
// Check and extract data if PE
err := setArtifactData(&artifactArray[i], "pe", symbols, libraries)
checkErr(err)
generateColorImage(fullImageDir, binaryArray, sectionData)
} else if sectionData, libraries, symbols, err := binanal.ELFAnal(fileDir); err == nil {
// Check and extract data if ELF
err := setArtifactData(&artifactArray[i], "elf", symbols, libraries)
checkErr(err)
generateColorImage(fullImageDir, binaryArray, sectionData)
} else if sectionData, libraries, symbols, err := binanal.MACHOAnal(fileDir); err == nil {
// Check and extract data if Mach-O
err := setArtifactData(&artifactArray[i], "macho", symbols, libraries)
checkErr(err)
generateColorImage(fullImageDir, binaryArray, sectionData)
} else {
// Not a PE, ELF nor MACH-O
err := setArtifactData(&artifactArray[i], "unknown", nil, nil)
checkErr(err)
generateImage(fullImageDir, binaryArray)
}
}
// Genetic selector
dbgPrint("Genetic classification.")
for i := range artifactArray {
var mutsOfStrain []string
atfNameA := artifactArray[i].Sha256
isStrA := sliceContains(strains, atfNameA)
isMutA := sliceContains(mutations, atfNameA)
// Not a mutation nor strain, set as strain
if !isStrA && !isMutA {
strains = append(strains, atfNameA)
artifactArray[i].Strain = ""
}
for j := range artifactArray {
atfNameB := artifactArray[j].Sha256
isSelf := atfNameA == atfNameB
isStrB := sliceContains(strains, atfNameB)
isMutB := sliceContains(mutations, atfNameB)
// if A is B continue to next loop
if isSelf {
continue
}
perc, err := ssdeep.Compare(artifactArray[i].Ssdeep, artifactArray[j].Ssdeep)
checkErr(err)
if !isStrB && !isMutB && !isStrA && !isMutA {
if perc >= thresholdFlag {
mutsOfStrain = append(mutsOfStrain, atfNameB)
mutations = append(mutations, atfNameB)
artifactArray[j].Strain = atfNameA
}
}
}
// Append mutations of the strain to the strain
artifactArray[i].Mutations = mutsOfStrain
}
// Prints the formatted JSON
fmt.Println("[")
for k := range artifactArray {
jsonBytes, _ := json.MarshalIndent(artifactArray[k], "", "\t")
fmt.Println(string(jsonBytes) + ",")
}
fmt.Println("]")
}