QuickSand is a module to scan streams inside documents with Yara
QuickSand.io Version 2
QuickSand.io Python Library and Command Line Tool
Files:
- quicksand.py: Main quicksand class and CLI tool
- quicksand_exe.yara: Yara rules to detect executables.
- quicksand_exploits.yara: Yara rules to detect exploits in documents.
- quicksand_pdf.yara: Yara rules to detect exploits in PDFs.
- requirements.txt: pip dependencies
- Dockerfile for building an Amazon Lambda environment
- helper script for building Amazon Lambda environment
Requirements
```
pip3 install -r requirements.txt
```
Python modules
- pdfreader
- oletools
- cryptography
- zipfile38
- olefile
- yara-python
Yara-python note:
We recommend installing yara-python from source, as the pip builds on some operating systems may not be fully functional (the hash module in particular).
Install
Usage CLI
Single file
```
python3 quicksand.py document.doc
```
Directory of Files
```
python3 quicksand.py malware/
```
Usage Python Module
File from memory
```python
from quicksand import quicksand
import pprint

# data holds the raw document bytes already in memory, e.g. read from a file:
with open("document.doc", "rb") as f:
    data = f.read()

qs = quicksand(data, timeout=18, strings=True)
qs.process()
pprint.pprint(qs.results)
```
Filename
```python
from quicksand import quicksand

qs2 = quicksand("file.doc")
qs2.process()
qs2.results
```
Process a Directory
```python
from quicksand import quicksand

qs = quicksand.readDir("malware")
qs
```
Returns a dictionary of filename: qs_results.
Extract Streams As Files
```python
from quicksand import quicksand
import os

qs = quicksand("malware.doc", capture=True, debug=True)
qs.process()
print(qs.results)

if not os.path.isdir("tmp"):
    os.mkdir("tmp")

# with capture=True, each extracted stream is returned under results['streams']
for item in qs.results['streams']:
    print(item)
    with open('tmp/' + str(item), 'wb') as f:
        f.write(qs.results['streams'][item])
```
Writes extracted streams to ./tmp.
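As an added example that is not part of the quicksand project's code: a hardened version of the stream-dumping loop above. Stream identifiers originate in the document being analysed, so it sanitizes them before using them as file names, checks that the resulting path stays inside the output directory, and records the SHA-256 and size of each stream for the triage report. `SAMPLE_STREAMS` is a constructed stand-in for `qs.results['streams']`, and the `(path, sha256, size)` report layout is this example's own.

```python
# Added example (not quicksand project code): write extracted streams to disk
# with sanitized names and a per-stream SHA-256, so the dump is safe to keep.
import hashlib
import os
import re
import tempfile

# Constructed sample standing in for qs.results['streams']; real keys and
# contents come from quicksand.process(), the layout here is assumed.
SAMPLE_STREAMS = {
    "root-0-word/vbaProject.bin": b"\xd0\xcf\x11\xe0 fake ole stream",
    "../escape.bin": b"stream name that would climb out of the directory",
    "plain.bin": b"\x4d\x5a fake mz header",
}

def safe_name(item, used):
    """Map an untrusted stream identifier to a single file name component."""
    name = re.sub(r"[^A-Za-z0-9._-]+", "_", str(item)).strip("._") or "stream"
    base, n = name, 1
    while name in used:           # keep distinct streams distinct
        n += 1
        name = f"{base}.{n}"
    used.add(name)
    return name

def save_streams(streams, outdir):
    """Write each stream under outdir; return {file name: (path, sha256, size)}."""
    os.makedirs(outdir, exist_ok=True)
    root = os.path.realpath(outdir)
    report, used = {}, set()
    for item, data in streams.items():
        name = safe_name(item, used)
        path = os.path.join(root, name)
        # Defensive check: sanitizing should already guarantee this.
        if os.path.dirname(os.path.realpath(path)) != root:
            raise ValueError(f"refusing to write outside {root}: {item!r}")
        with open(path, "wb") as f:
            f.write(data)
        report[name] = (path, hashlib.sha256(data).hexdigest(), len(data))
    return report

def demo():
    """Run save_streams on the constructed sample in a fresh temp directory."""
    return save_streams(SAMPLE_STREAMS, tempfile.mkdtemp(prefix="qs_streams_"))

if __name__ == "__main__":
    for name, (path, digest, size) in demo().items():
        print(f"{name}: {size} bytes sha256={digest} -> {path}")
```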
Extra Options for Constructor
- capture: True|False return content of extracted streams
- debug: True|False print debugging messages to stdout
- exploityara: Path to exploit yara rules
- execyara: Path to executable yara rules
- pdfyara: Path to PDF exploit yara rules
Jupyter Notes
Python won't be able to figure out the path to the yara signatures on its own in Jupyter. You can either copy the yara files to the working directory with the .ipynb file, or provide the paths at run time:
```python
from quicksand_release.quicksand import quicksand
import os

qs = quicksand(
    "malware/7ab0d0424eb9d655c0ee6d4a23473abf0c875892745336cb17fba7274dfe11a4",
    capture=True,
    debug=True,
    exploityara="/Users/user/Documents/GitHub/jupyter/quicksand_release/quicksand_exploits.yara",
    pdfyara="/Users/user/Documents/GitHub/jupyter/quicksand_release/quicksand_pdf.yara",
    execyara="/Users/user/Documents/GitHub/jupyter/quicksand_release/quicksand_exe.yara",
)
qs.process()
print(qs.results)
```
Hashes for quicksand-2.0.7-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | c7e848e556eda8cbd684308de385ae5166fc5f5de1f1dca3347005f310a4082e
MD5 | 5b9fdcf8a7e6068d173915066a8a1b79
BLAKE2b-256 | aaa6eb4e7b9caafb18519aa31e3860385d47d88b3872119f6363f954757fa1c4