Fix argument of BitsParser.load_qmgr_jobs in process_file method#2
Open
tonykarg wants to merge 2 commits into fireeye:master from
tonykarg added 2 commits on April 7, 2021 15:23
Instead of passing a bytes-like object (file_data), bits_parser's (https://github.com/ANSSI-FR/bits_parser) method bits/bits.py->load_file(cls, fp) expects a str-like object (a simple file path). It can be seen here: https://github.com/ANSSI-FR/bits_parser/blob/717337cd7a0f97561b77543fb0cebb4e7ce7c0b7/bits/bits.py#L47
Without this change BitsParser fails to parse old-format qmgr state files (with .dat extension) with the following exception:

Processing file <path>\qmgr0.dat
Exception occurred processing file <path>\qmgr0.dat:
Traceback (most recent call last):
  File "BitsParser.py", line 366, in process_file
    jobs = self.load_qmgr_jobs(file_data)
  File "BitsParser.py", line 101, in load_qmgr_jobs
    analyzer = bits.Bits.load_file(file_data)
  File "<python_path>\bits.py", line 46, in load_file
    path = Path(fp).resolve()
  File "<python_path>\lib\pathlib.py", line 1027, in __new__
    self = cls._from_parts(args, init=False)
  File "<python_path>\lib\pathlib.py", line 674, in _from_parts
    drv, root, parts = self._parse_args(args)
  File "<python_path>\lib\pathlib.py", line 666, in _parse_args
    % type(a))
TypeError: argument should be a str object or an os.PathLike object returning str, not <class 'bytes'>
Added csv_writer.py. It's a nearly exact copy of the file bits/writer.py from bits_parser: https://github.com/ANSSI-FR/bits_parser/blob/master/bits/writer.py I just changed the DEFAULT_VALUES dictionary keys for correct mapping with the keys from FireEye's BitsParser. Also added some code in BitsParser.py. To output in CSV format, simply specify the ".csv" extension in the output filename when using the -o|--output argument. For example: python BitsParser.py -o "csv_output.csv" It will append data from all processed files into the specified output file.
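As an added example (not code from this PR, from FireEye's BitsParser or from bits_parser), a minimal reconstruction of both commits' points: a path-only loader with the same contract as bits.Bits.load_file, so passing the file's bytes fails the way the traceback shows, and an output writer that appends to CSV when the -o filename ends in ".csv" and falls back to JSON lines otherwise. The DEFAULT_VALUES keys and job fields are assumptions, not the project's real schema.

```python
import csv
import json
import tempfile
from pathlib import Path

# Assumed defaults in the spirit of csv_writer.py's DEFAULT_VALUES mapping;
# the keys are constructed for this example, not the project's real schema.
DEFAULT_VALUES = {"job_id": "", "name": "", "owner": "", "state": "", "created": ""}
FIELDNAMES = list(DEFAULT_VALUES)

def load_state_file(fp):
    """Path-only loader with the contract of bits.Bits.load_file: fp is a path, not bytes."""
    path = Path(fp).resolve()  # raises TypeError for bytes, as in the traceback above
    return path.read_bytes()

def write_jobs(output, jobs):
    """Append jobs to output: a .csv suffix selects CSV (header once), else JSON lines."""
    out = Path(output)
    if out.suffix.lower() == ".csv":
        need_header = not out.exists() or out.stat().st_size == 0
        with out.open("a", newline="") as fh:
            writer = csv.DictWriter(fh, fieldnames=FIELDNAMES, extrasaction="ignore")
            if need_header:
                writer.writeheader()
            for job in jobs:
                writer.writerow({**DEFAULT_VALUES, **job})  # fill keys a job lacks
    else:
        with out.open("a") as fh:
            for job in jobs:
                fh.write(json.dumps(job) + "\n")
    return out

def demo():
    """Constructed check: bytes rejected, path accepted, two runs append to one CSV."""
    with tempfile.TemporaryDirectory() as tmp:
        state = Path(tmp) / "qmgr0.dat"
        state.write_bytes(b"\x00constructed")  # constructed sample content
        try:
            load_state_file(state.read_bytes())  # the old call: passes file_data
            bytes_rejected = False
        except TypeError:
            bytes_rejected = True
        loaded_ok = load_state_file(str(state)) == b"\x00constructed"
        out = Path(tmp) / "csv_output.csv"
        write_jobs(out, [{"job_id": "1", "name": "a", "extra": "ignored"}])
        write_jobs(out, [{"job_id": "2", "state": "done"}])
        with out.open(newline="") as fh:
            rows = list(csv.DictReader(fh))
        return bytes_rejected, loaded_ok, len(rows), rows[0]["state"], rows[1]["state"]
```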
Instead of passing a bytes-like object (file_data) to bits_parser's (https://github.com/ANSSI-FR/bits_parser) method bits/bits.py->load_file(cls, fp), which expects a str-like object (a simple file path), simply pass the file_path argument of the BitsParser.process_file method. Here it is shown how the passed argument is treated in bits_parser/bits/bits.py->load_file: https://github.com/ANSSI-FR/bits_parser/blob/717337cd7a0f97561b77543fb0cebb4e7ce7c0b7/bits/bits.py#L47
Without this change BitsParser fails to parse old-format qmgr state files (with .dat extension) with the following exception: