```q
/ =====================================================================================
/ Filename: load_db.q
/ Description: Loads three files (main.ndb, main.hdb and ftsigs). The script
/              processes each file converting it into a format that QScanner
/ Version: 1.0
/ Created: 23/02/12 15:42:19
/ Author: Oliver Fletcher, ttolf@lboro.ac.uk
/ University: Loughborough University
/ =====================================================================================

virus_sigs:("SISS";":") 0: `:main.ndb               / Load main.ndb, drop column 2 (offset),
virus_sigs:virus_sigs _ 2;                          / convert HexSig to string and flip to a table
virus_sigs[2]:string virus_sigs[2];
virus_sigs:flip `MalwareName`TargetType`HexSig!(virus_sigs)

md5_sigs:("SIS";":") 0: `:main.hdb                  / Load main.hdb, convert MD5 to
md5_sigs[0]:string md5_sigs[0];                     / string and flip to a table
md5_sigs:flip `MD5`Size`MalwareName!(md5_sigs)

virus_sigs[`HexSig]:{[xx]                           / ClamAV contains ? as wild cards.
  ssr[xx;"[?]";"."]                                 / ? is itself an ssr wildcard, so bracket it
 }peach virus_sigs[`HexSig];                        / to replace the literal ? with . for regex

virus_sigs[`HexSig]:{[xx]                           / Convert * to .*
  ssr[xx;"[*]";".*"]                                / (bracketed so * is matched literally)
 }peach virus_sigs[`HexSig];

virus_sigs[`HexSig]:{[xx]                           / Convert {n+}.. to a regex
  xx:"{" vs xx;xx:"}" vs/: xx;xx                    / format: split on { and then on }
 }peach virus_sigs[`HexSig];

adjust:{[c]$[c like "-*";t:"(..){0",c,"}";          / Adjust replaces:
  $[c like "*-";t:"(..){",c,"}";                    /   -*    with "(..){0",c,"}"
  $[c like "*?-?*";t:"(..){",c,"}";                 /   *-    with "(..){",c,"}"
  t:"(..){",c,"}"]]];t};                            /   *?-?* with "(..){",c,"}"
/ else "(..){",c,"}"

virus_sigs[`HexSig]:{[zz]                           / Apply to the list of lists
  {[xx]
    $[(count xx)~2;adjust[xx[0]],xx[1];xx]          / 2 items: a {..} body plus the text after it
  }each zz
 }each virus_sigs[`HexSig];

/ Raze then replace - with ,
virus_sigs[`HexSig]:raze each raze each virus_sigs[`HexSig];
virus_sigs[`HexSig]:{[ex]ssr[ex;"-";","]}each virus_sigs[`HexSig];

filetype_sigs:("ISS";",") 0: `:ftsigs.db            / Load file type sigs
filetype_sigs[1]:string filetype_sigs[1];
filetype_sigs:flip `fileType`Sig`Ext!(filetype_sigs);

/ Add a table of file types
filetype_iden:([]Id:(0;1;2;3;4;5;6;7;8;9;10);Name:("Any file type";"Windows PE";"OLE";"Normalized HTML";"E-mail file";"Images";"ELF";"Normalized ASCII file";"Unused";"Mach-O binaries";"Unknown"));

save `:filetype_iden
save `:filetype_sigs
save `:md5_sigs
save `:virus_sigs
```
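An added cross-check, not part of the original paste: the same wildcard-to-regex rewrite in Python (chosen so it runs without kdb+), applied to constructed `.ndb`-style lines. The sample signatures, the function names and the `aligned` option are assumptions of this example, as is the idea that the scanner matches the regexes against a hex dump of the file; `aligned` shows that an unanchored regex over hex text can match at an odd nibble offset, which is not a real byte-level hit.

```python
import re

# Constructed .ndb-style lines (MalwareName:TargetType:Offset:HexSignature); not real signatures.
SAMPLE_NDB = [
    "Example.Test.A:0:*:deadbeef??cafe",
    "Example.Test.B:1:*:4d5a{2-4}9000*ffee",
    "Example.Test.C:0:*:aa{-3}bb{1-}cc",
]

def hexsig_to_regex(sig):
    """Mirror the q script: ? -> ., * -> .*, {n}/{n-m}/{-m}/{n-} -> (..){...}."""
    def gap(m):
        lo, dash, hi = m.group(1), m.group(2), m.group(3)
        if not dash:
            return "(..){%s}" % lo                # {n}: exactly n bytes
        return "(..){%s,%s}" % (lo or "0", hi)    # {-m} -> {0,m}; {n-} -> {n,}
    out = sig.replace("?", ".").replace("*", ".*")
    return re.sub(r"\{(\d*)(-?)(\d*)\}", gap, out)

def load_ndb(lines):
    """Keep name, target type and converted signature; the offset field is dropped, as in the q script."""
    rows = []
    for line in lines:
        name, target, _offset, sig = line.split(":")[:4]
        rows.append((name, int(target), hexsig_to_regex(sig)))
    return rows

def scan(data, rows, aligned=False):
    """Return names whose regex matches the lowercase hex dump of data.

    aligned=True forces the match to start on a byte boundary (even hex offset).
    """
    hexdump = data.hex()
    prefix = "^(?:..)*?" if aligned else ""
    return [name for name, _t, rx in rows if re.search(prefix + rx, hexdump)]

if __name__ == "__main__":
    rows = load_ndb(SAMPLE_NDB)
    for name, target, rx in rows:
        print(name, target, rx)
    shifted = bytes.fromhex("0deadbeef11cafe0")   # pattern present only at an odd nibble offset
    print(scan(shifted, rows), scan(shifted, rows, aligned=True))
```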