-
Notifications
You must be signed in to change notification settings - Fork 155
Scanning Module List
askkemp edited this page Jul 29, 2017
·
2 revisions
The scanning that is conducted by Laika BOSS consists of individual modules. Each module is its own program that focuses on a particular sub-component of the overall file analysis.
The current modules that exist use a naming format to classify the purpose of the module:
- DECODE - Performs a decode action (e.g. base64 decode)
- EXPLODE - Takes one objects and turns it into many (e.g. extracting files from ZIPs or RARS. Streams from OLEs.)
- LOG - Method to log scan results
- META - Creates or extracts metadata
- SCAN - Performs a scan of a object (e.g. YARA, ClamAV)
Below is a list of each Laika BOSS module and its purpose.
| Module Name | Module File | Purpose |
|---|---|---|
| DECODE_BASE64 | decode_base64.py | Performs base64 decode routine on object |
| DISPOSITIONER | dispositioner.py | Reads in disposition configuration file |
| EXPLODE_EMAIL | explode_email.py | Extracts messages objects (headers/payloads) from email object |
| EXPLODE_GZIP | explode_gzip.py | Extracts objects from GZIP file |
| EXPLODE_HELLOWORLD | explode_helloworld.py | Template for module development which includes code comments |
| EXPLODE_OLE | explode_ole.py | Extracts streams from OLE files |
| EXPLODE_PKCS7 | explode_pkcs7.py | Extracts metadata from x509 certificates (PEM or DER format) |
| EXPLODE_RAR | explode_rar.py | Extracts objects from RAR file. Supports password wordlist. |
| EXPLODE_RTF | explode_rtf.py | Extracted embedded objects in a RTF file. Adds metadata when possible. |
| EXPLODE_SWF | explode_swf.py | Basic Flash (FWS/CWS) extraction |
| EXPLODE_UPX | explode_upx.py | Decompresses UPX compressed executable |
| EXPLODE_VBA | explode_vba.py | Extract embedded VBA macro and forms in various types of documents |
| EXPLODE_XDP | explode_xdp.py | Extracts XML Data Package (XDP) |
| EXPLODE_ZIP | explode_zip.py | Extracts objects from ZIP files. Supports password wordlist. |
| LISTCHECK | listcheck.py | |
| LOG_FLUENT | log_fluent.py | Logs scan results using fluentd |
| META_EMAIL | meta_email.py | Creates metadata from email |
| META_EXIFTOOL | meta_exiftool.py | Captures metadata extracted by EXIFTOOL |
| META_HASH | meta_hash.py | Creates hash of file using various algorithms |
| META_JAVA_CLASS | meta_java_class.py | Creates metadata (requires/provides/constants) from Java class object |
| META_JAVA_MANIFEST | meta_java_manifest.py | Extracts metadata from JAR manifest |
| META_PE | meta_pe.py | Extracts medata from PE |
| META_X509 | meta_x509.py | Extracts metadata from x509 certificates |
| SCAN_CLAMAV | scan_clamav.py | Scans object with the ClamAV daemon |
| SCAN_YARA | scan_yara.py | Scans object with YARA |
| TACTICAL | tactical.py | When shell-based commands are needed to be ran |