Merge pull request #11 from stacksth/master

Added signature installwinpcap
commit 8a5cf377bfce98fdf1b087772a481d2601247bbe 2 parents 602dc0b + 4f240ff
@botherder botherder authored
Showing with 44 additions and 0 deletions.
  1. +44 −0 modules/signatures/installwinpcap.py
44 modules/signatures/installwinpcap.py
@@ -0,0 +1,44 @@
+# Copyright (C) 2012 Thomas "stacks" Birn (@stacksth)
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import re
+
+from lib.cuckoo.common.abstracts import Signature
+
+class InstallsWinpcap(Signature):
+ name = "installswinpcap"
+ description = "Installs WinPCAP (Network Sniffer)"
+ severity = 3
+ categories = ["generic"]
+ authors = ["Thomas Birn"]
+ minimum = "0.4.2"
+
+
+
+ def run(self, results):
+ files = [
+ ".*\\\\packet.dll",
+ ".*\\\\npf.sys",
+ ".*\\\\wpcap.dll"
+ ]
+
+ for file_name in results["behavior"]["summary"]["files"]:
+ for indicator in files:
+ regexp = re.compile(indicator, re.IGNORECASE)
+ if regexp.match(file_name):
+ self.data.append({"file" : file_name})
+ return True
+
+ return False
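Review bot: The three patterns in `files` are passed to `re.compile` on every inner-loop iteration of run() (lines 60–61), and the `.` before each extension is unescaped, so `packet.dll` also matches a name such as `packetXdll`; compile them once as a class attribute using raw strings with an escaped dot, e.g. `re.compile(r".*\\packet\.dll", re.IGNORECASE)`, and loop over the compiled objects. Separately, the `return True` inside the loop means `self.data` only ever holds the first matching path; if the signature is meant to list every WinPcap artefact the sample dropped, record all hits and return after the loop, as sketched below. The same driver and DLL names are presumably also written by legitimate packet-capture tools that bundle WinPcap, so a hit indicates sniffing capability rather than malice by itself; a short comment on the class saying so would help analysts triage the result.

```python
class InstallsWinpcap(Signature):
    # … unchanged: name, description, severity, categories, authors, minimum …

    # Compiled once per class; raw strings keep the backslash readable and
    # the escaped dot stops "packet.dll" matching e.g. "packetXdll".
    indicators = [
        re.compile(r".*\\packet\.dll", re.IGNORECASE),
        re.compile(r".*\\npf\.sys", re.IGNORECASE),
        re.compile(r".*\\wpcap\.dll", re.IGNORECASE),
    ]

    def run(self, results):
        found = False
        for file_name in results["behavior"]["summary"]["files"]:
            if any(rx.match(file_name) for rx in self.indicators):
                self.data.append({"file": file_name})
                found = True
        return found
```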