undefined如何安装$pipinstallmmpi备注:Windows安装yara-python,点此下载命令执行$mmpi-run$email_pathquickstartfrommmpiimportmmpidefmain():emp=mmpi()emp.parse('test.eml')report=emp.get_report()print(report)if__name__=="__main__":main()输出格式{//固定字段"headers":[],"body":[],"attachments":[],"signatures":[]//动态字段"vba":[],"rtf":[],......}工具说明mmpi完全基于python开发,使用python原生email,html、zip库分析,基于oletools定制修改,支持office文档和rtf文档的分析,结合yara实现其他文件的检测。undefinedfile_type=info.get('type')file_name=info.get('name')space_count=file_name.count('')如果'exe'==file_typeandspace_count>20:self.mark(type="zip",tag=self.name,data=info.get('name'))returnself.has_marks()returnNoneDLL劫持检测检测规则:压缩包中同时存在于exe和dll文件classDLLHijacking(Signature):authors=["ddvv"]sig_type='zip'name="dll_hijacking"severity=9description="DLLHijacking"defon_complete(self):results=self.get_results()forresultinresults:ifresult.get('type','')==self.sig_type:infos=result.get('value',{}).get('infos',[])file_types=[info.get('type')forinfoininfos]ifset(['exe','dll']).issubset(file_types):self.mark(type="ziundefinedRTF文档属于恶意邮件,包括发件人和收件人信息、主题信息、发送时间、邮件正文和附件信息。vba和rtf字段是附件检测的基本信息。signatures字段描述命中规则。{"headers":[{"From":[{"name":"MohdMukhrizRamli(MLNG/GNE)","addr":"info@vm1599159.3ssd.had.wf"}],"To":[{"name":"","addr":""}],"Subject":"Re:ProformaInvoice","Date":"2020-11-2412:37:38UTC+01:00","X-Originating-IP":[]}],"body":[{"type":"text","content":"\n亲爱的先生,\n\n请在形式发票上签名以便我付款尽快。\n\n附件是形式发票,\n\n请尽快回复,\n\n感谢和问候'\n\nRAJASHEKAR\n\nundefined,"data_size":912305,"md5":"a5cee525de80eb537cfea247271ad714"}],"signatures":[{"name":"rtf_suspicious_detected","description":"RTFSuspiciousDetected","severity":3,"marks":[{"type":"rtf","tag":"rtf_suspicious_detected"}],"markcount":1},{"name":"rtf_exploit_detected","description":"RTFExploitDetected","severity":9,"marks":[{"type":"rtf","tag":"rtf_exploit_detected"}],"markcount":1}]}以上就是本次分享的全部内容,现在欢迎想要学习编程的朋友关注Python技术大本营获取更多技能教程
