  1. /=====================================================================================
  2. /      Filename:  functions.q
  3. /   Description:  Script contains the main functions used to scan a file by Q
  4. /       Version:  1.0
  5. /       Created:  28/01/12 23:00:55
  6. /        Author:  Oliver Fletcher, ttolf@lboro.ac.uk
  7. /    University:  Loughborough University
  8. /=====================================================================================
  9.  
  10. load `:database/virus_sigs;              / Load in the database tables
  11. load `:database/md5_sigs;
  12. load `:database/filetype_sigs;
  13. load `:database/filetype_iden;
  14. load `:database/settings;
  15.  
  16. regexb:`boost 2:(`regexp;2);              / Load the boost regex shared object file
  17.  
  18. / ===  FUNCTION  ======================================================================
  19. /        Name:    vregex
  20. / Description:    Takes an input string, or vector of strings and compares to a regular
  21. /                 expression.
  22. /      Inputs:    str         -> a string to be matched against patterns
  23. /                 expressions -> a single/list of regular expressions
  24. /     Returns:    for a single expression -> 0 or 1
  25. /                 for a vector of expressions -> a vector of 0 and 1's
  26. / =====================================================================================
  27. vregex:{[str;expression]
  28.   $[0h~type expression;regexb[str;]each expression;regex[str;expression]]}
  29.  
  30. / ===  FUNCTION  ======================================================================
  31. /        Name:    load_file
  32. / Description:    Reads a file into Q as binary data.
  33. /                 Grabs the file extension
  34. /                 Converts the hex output to string and takes md5 value
  35. /                 Queries the filetype database attempting to recognise file type
  36. /      Inputs:    file -> path to a file to be read
  37. /     Outputs:    ext -> file type extension
  38. /                 file_hex -> string of files binary data
  39. /                 filetype -> Table of file type information discovered
  40. / =====================================================================================
  41. load_file:{[file]
  42.   strip:{[x](neg (count x) - (1 + last where x=".")) sublist x};
  43.   ext::@[strip;file;"Unknown"];                            / Get the files extension
  44.  
  45.   lfile:":",file;                                          / Read the file in as binary
  46.   hex_dump:read1(`$lfile);  
  47.  
  48.   $[hex_dump~`byte$();hex_dump:4h$"Empty File";];          / Label an empty file
  49.  
  50.   file_hex::raze string hex_dump;                          / Convert to string
  51.  
  52.   file_md5::raze string md5 file_hex;                      / Get md5 value
  53.  
  54.  / Atempt to get the filetype using the filetype signature database
  55.   filetype::filetype_sigs[where vregex[file_hex;filetype_sigs[`Sig]]];
  56.   $[(count filetype)>0;filetype::filetype[0];filetype::-1#filetype_sigs];
  57.   fname::select from filetype_iden where Id=filetype[`fileType];
  58.   }
  59.  
  60. / ===  FUNCTION  ======================================================================
  61. /        Name:    qupdate
  62. / Description:    Runs the update.q script, timing it and counting how many signatures
  63. /                 and md5 hashes were added to the database
  64. /      Inputs:  
  65. /     Outputs:    Time taken for update and signatures updated
  66. / =====================================================================================
  67. qupdate:{
  68.   start:.z.t;                                              / Start timer
  69.   start_v:count virus_sigs;                                / Count database signatures
  70.   start_m:count md5_sigs;
  71.  
  72.   value"\\l qupdate/qupdate.q";                            / Run qupdate.q script
  73.  
  74.   finish:.z.t;
  75.   finish_v:count virus_sigs;
  76.   finish_m:count md5_sigs;
  77.  
  78.   out: "Total time taken: ", (string finish-start);        / Save output data
  79.   out:(out;"MD5 Signatures Updated: ", (string finish_m-start_m));
  80.   out,: "Malware Signatures Updated: ", (string finish_v-start_v);
  81.   out
  82.   }
  83.  
  84. / ===  FUNCTION  ======================================================================
  85. /        Name:    qscan
  86. / Description:    Changes Q into the directory provided
  87. /                 Creates a handle from filename and directory
  88. /                 Gets directory files (not including directory)
  89. /                 Scans the system using the fscan function
  90. /      Inputs:    filename -> file to be scanned
  91. /                 dir      -> path/to/file/
  92. /     Outputs:    output   -> log information on the scan
  93. / =====================================================================================
  94. qscan:{[filename;dir]
  95.   home:system["pwd"];                                      / Save current directory
  96.   system ["cd ",dir];                                      / Change to scan directory
  97.   path:system["pwd"];                                      / Get current directory path
  98.  
  99.  /directory::system ["ls -l ",dir," | awk 'NR!=1 && !/(^d|^l)/ {print $NF}'"];
  100.  
  101.   handle:`$(raze ":",path);                                / Create file handle
  102.  
  103.  / Get a vector containg just the files in the current directory  
  104.   directory: string (key handle)[where -11h~/:type each key each(` sv'handle,/:key handle)];
  105.  
  106.  / if filename exists then check that the filename exists in directory
  107.   error:$[not ""~filename;not max directory like (filename);0b];
  108.   $[error;'`$"Error Reading File (Possibly does not Exist)";];
  109.  
  110.   $[""~filename;output:{fscan[x]}each directory;output:fscan[filename]]; / Scan files
  111.  
  112.   system ["cd ",raze home];                                / Return to last directory
  113.   output
  114.   }
  115.  
  116. / ===  FUNCTION  ======================================================================
  117. /        Name:    fscan
  118. / Description:    Loads a file into Q using load_file[]
  119. /                 Scans MD5 database
  120. /                 Scans virus sig database
  121. /                 Times scan
  122. /      Inputs:    filename -> file to be scanned
  123. /     Outputs:    out      -> log of scan information
  124. / =====================================================================================
  125. fscan:{[filename]
  126.   start:.z.t;                                              / Start timer
  127.   load_file[filename];                                    / Load file
  128.   out:("Filename: ",filename);            
  129.  
  130.   $[not 0~count filetype;                                  / Check file exists
  131.     ftype:("Recognised: ", raze fname[`Name]);
  132.     ftype:"Not Recognised"
  133.     ];
  134.  
  135.  / Log data
  136.   out:(out;("File size: ", (raze string (count file_hex)%2000)," kb"));
  137.   out,:("File extention: .", raze string ext);
  138.   out,:("File MD5: ", raze string file_md5);
  139.   out,:ftype;
  140.  
  141.   $[settings[`md5];[                                      / If md5 is switched on
  142.       out,:"Scanning md5 database...";
  143.       md5_results:vregex[file_md5;md5_sigs[`MD5]];        / Scan the file
  144.  
  145.       $[0~max md5_results;                                / Generate results data
  146.         out,:"MD5 Database: Not Infected";
  147.         [malware:md5_sigs[`MalwareName][where md5_results];out,:raze "Malware Detected: ", string malware;]];
  148.       ];
  149.     [out,:"not scanning";
  150.     out,:"MD5 Database not scanned (turn on in settings)";]];
  151.  
  152.   $[settings[`virus];[                                      / Virus scanning on
  153.       out,: "Scanning malware signature database (warning may take some time)...";
  154.  
  155.      / Select the viruses matching the inputted files filetype signature
  156.       $[filetype[`fileType]~10;viruses:virus_sigs;viruses:select from virus_sigs where TargetType=filetype[`fileType]];  
  157.       virus_results:vregex[file_hex;viruses[`HexSig]];
  158.       $[0~max virus_results;
  159.         out,: "Malware Database: Not Infected";
  160.         [malware:viruses[where virus_results];out,:raze "Malware Detected: ", string malware[`MalwareName];]];
  161.       ];
  162.  
  163.     [out,:"not scanning";
  164.     out,:"Virus Signature Database not scanned (turn on in settings)";]
  165.     ];
  166.  
  167.  / Log information and return the log
  168.   finish:.z.t;
  169.   out,: "Total time taken: ", (string finish-start);
  170.   $[settings[`verbose];out;out[0 6 8]]
  171.   }
  172.  
  173. / ===  FUNCTION  ======================================================================
  174. /        Name:    qsettings
  175. / Description:    Updates the current scan settings
  176. /      Inputs:    updateSettings -> vector of 0's and 1's containing updated settings
  177. /     Outputs:  
  178. / =====================================================================================
  179. qsettings:{[updateSettings]
  180.   settings[`md5`virus`verbose`updates]:1h$(updateSettings);
  181.   save `:database/settings;
  182.   }