Advertisement
Ollie920049

functions.q

May 3rd, 2012
1,076
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /=====================================================================================
  2. /      Filename:  functions.q
  3. /   Description:  Script contains the main functions used to scan a file by Q
  4. /       Version:  1.0
  5. /       Created:  28/01/12 23:00:55
  6. /        Author:  Oliver Fletcher, ttolf@lboro.ac.uk
  7. /    University:  Loughborough University
  8. /=====================================================================================
  9.  
  10. load `:database/virus_sigs;              / Load in the database tables
  11. load `:database/md5_sigs;
  12. load `:database/filetype_sigs;
  13. load `:database/filetype_iden;
  14. load `:database/settings;
  15.  
  16. regexb:`boost 2:(`regexp;2);              / Load the boost regex shared object file
  17.  
  18. / ===  FUNCTION  ======================================================================
  19. /        Name:    vregex
  20. / Description:    Takes an input string, or vector of strings and compares to a regular
  21. /                 expression.
  22. /      Inputs:    str         -> a string to be matched against patterns
  23. /                 expressions -> a single/list of regular expressions
  24. /     Returns:    for a single expression -> 0 or 1
  25. /                 for a vector of expressions -> a vector of 0 and 1's
  26. / =====================================================================================
  27. vregex:{[str;expression]
  28.   $[0h~type expression;regexb[str;]each expression;regex[str;expression]]}
  29.  
  30. / ===  FUNCTION  ======================================================================
  31. /        Name:    load_file
  32. / Description:    Reads a file into Q as binary data.
  33. /                 Grabs the file extension
  34. /                 Converts the hex output to string and takes md5 value
  35. /                 Queries the filetype database attempting to recognise file type
  36. /      Inputs:    file -> path to a file to be read
  37. /     Outputs:    ext -> file type extension
  38. /                 file_hex -> string of files binary data
  39. /                 filetype -> Table of file type information discovered
  40. / =====================================================================================
  41. load_file:{[file]
  42.   strip:{[x](neg (count x) - (1 + last where x=".")) sublist x};
  43.   ext::@[strip;file;"Unknown"];                            / Get the files extension
  44.  
  45.   lfile:":",file;                                          / Read the file in as binary
  46.   hex_dump:read1(`$lfile);  
  47.  
  48.   $[hex_dump~`byte$();hex_dump:4h$"Empty File";];          / Label an empty file
  49.  
  50.   file_hex::raze string hex_dump;                          / Convert to string
  51.  
  52.   file_md5::raze string md5 file_hex;                      / Get md5 value
  53.  
  54.  / Atempt to get the filetype using the filetype signature database
  55.   filetype::filetype_sigs[where vregex[file_hex;filetype_sigs[`Sig]]];
  56.   $[(count filetype)>0;filetype::filetype[0];filetype::-1#filetype_sigs];
  57.   fname::select from filetype_iden where Id=filetype[`fileType];
  58.   }
  59.  
  60. / ===  FUNCTION  ======================================================================
  61. /        Name:    qupdate
  62. / Description:    Runs the update.q script, timing it and counting how many signatures
  63. /                 and md5 hashes were added to the database
  64. /      Inputs:  
  65. /     Outputs:    Time taken for update and signatures updated
  66. / =====================================================================================
  67. qupdate:{
  68.   start:.z.t;                                              / Start timer
  69.   start_v:count virus_sigs;                                / Count database signatures
  70.   start_m:count md5_sigs;
  71.  
  72.   value"\\l qupdate/qupdate.q";                            / Run qupdate.q script
  73.  
  74.   finish:.z.t;
  75.   finish_v:count virus_sigs;
  76.   finish_m:count md5_sigs;
  77.  
  78.   out: "Total time taken: ", (string finish-start);        / Save output data
  79.   out:(out;"MD5 Signatures Updated: ", (string finish_m-start_m));
  80.   out,: "Malware Signatures Updated: ", (string finish_v-start_v);
  81.   out
  82.   }
  83.  
  84. / ===  FUNCTION  ======================================================================
  85. /        Name:    qscan
  86. / Description:    Changes Q into the directory provided
  87. /                 Creates a handle from filename and directory
  88. /                 Gets directory files (not including directory)
  89. /                 Scans the system using the fscan function
  90. /      Inputs:    filename -> file to be scanned
  91. /                 dir      -> path/to/file/
  92. /     Outputs:    output   -> log information on the scan
  93. / =====================================================================================
  94. qscan:{[filename;dir]
  95.   home:system["pwd"];                                      / Save current directory
  96.   system ["cd ",dir];                                      / Change to scan directory
  97.   path:system["pwd"];                                      / Get current directory path
  98.  
  99.  /directory::system ["ls -l ",dir," | awk 'NR!=1 && !/(^d|^l)/ {print $NF}'"];
  100.  
  101.   handle:`$(raze ":",path);                                / Create file handle
  102.  
  103.  / Get a vector containg just the files in the current directory  
  104.   directory: string (key handle)[where -11h~/:type each key each(` sv'handle,/:key handle)];
  105.  
  106.  / if filename exists then check that the filename exists in directory
  107.   error:$[not ""~filename;not max directory like (filename);0b];
  108.   $[error;'`$"Error Reading File (Possibly does not Exist)";];
  109.  
  110.   $[""~filename;output:{fscan[x]}each directory;output:fscan[filename]]; / Scan files
  111.  
  112.   system ["cd ",raze home];                                / Return to last directory
  113.   output
  114.   }
  115.  
  116. / ===  FUNCTION  ======================================================================
  117. /        Name:    fscan
  118. / Description:    Loads a file into Q using load_file[]
  119. /                 Scans MD5 database
  120. /                 Scans virus sig database
  121. /                 Times scan
  122. /      Inputs:    filename -> file to be scanned
  123. /     Outputs:    out      -> log of scan information
  124. / =====================================================================================
  125. fscan:{[filename]
  126.   start:.z.t;                                              / Start timer
  127.   load_file[filename];                                    / Load file
  128.   out:("Filename: ",filename);            
  129.  
  130.   $[not 0~count filetype;                                  / Check file exists
  131.     ftype:("Recognised: ", raze fname[`Name]);
  132.     ftype:"Not Recognised"
  133.     ];
  134.  
  135.  / Log data
  136.   out:(out;("File size: ", (raze string (count file_hex)%2000)," kb"));
  137.   out,:("File extention: .", raze string ext);
  138.   out,:("File MD5: ", raze string file_md5);
  139.   out,:ftype;
  140.  
  141.   $[settings[`md5];[                                      / If md5 is switched on
  142.       out,:"Scanning md5 database...";
  143.       md5_results:vregex[file_md5;md5_sigs[`MD5]];        / Scan the file
  144.  
  145.       $[0~max md5_results;                                / Generate results data
  146.         out,:"MD5 Database: Not Infected";
  147.         [malware:md5_sigs[`MalwareName][where md5_results];out,:raze "Malware Detected: ", string malware;]];
  148.       ];
  149.     [out,:"not scanning";
  150.     out,:"MD5 Database not scanned (turn on in settings)";]];
  151.  
  152.   $[settings[`virus];[                                      / Virus scanning on
  153.       out,: "Scanning malware signature database (warning may take some time)...";
  154.  
  155.      / Select the viruses matching the inputted files filetype signature
  156.       $[filetype[`fileType]~10;viruses:virus_sigs;viruses:select from virus_sigs where TargetType=filetype[`fileType]];  
  157.       virus_results:vregex[file_hex;viruses[`HexSig]];
  158.       $[0~max virus_results;
  159.         out,: "Malware Database: Not Infected";
  160.         [malware:viruses[where virus_results];out,:raze "Malware Detected: ", string malware[`MalwareName];]];
  161.       ];
  162.  
  163.     [out,:"not scanning";
  164.     out,:"Virus Signature Database not scanned (turn on in settings)";]
  165.     ];
  166.  
  167.  / Log information and return the log
  168.   finish:.z.t;
  169.   out,: "Total time taken: ", (string finish-start);
  170.   $[settings[`verbose];out;out[0 6 8]]
  171.   }
  172.  
  173. / ===  FUNCTION  ======================================================================
  174. /        Name:    qsettings
  175. / Description:    Updates the current scan settings
  176. /      Inputs:    updateSettings -> vector of 0's and 1's containing updated settings
  177. /     Outputs:  
  178. / =====================================================================================
  179. qsettings:{[updateSettings]
  180.   settings[`md5`virus`verbose`updates]:1h$(updateSettings);
  181.   save `:database/settings;
  182.   }
Advertisement
RAW Paste Data Copied
Advertisement