Skip to content

ScanRar

Extracts files from RAR archives.

Attributes:

Name Type Description
password

List of passwords to use when bruteforcing encrypted files.
Options

limit: Maximum number of files to extract. Defaults to 1000. password_file: Location of passwords file for rar archives. Defaults to /etc/strelka/passwords.dat

Source code in strelka/src/python/strelka/scanners/scan_rar.py 
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
class ScanRar(strelka.Scanner):
    """Extracts files from RAR archives.

    Attributes:
        password: List of passwords to use when bruteforcing encrypted files.

    Options:
        limit: Maximum number of files to extract.
            Defaults to 1000.
        password_file: Location of passwords file for rar archives.
            Defaults to /etc/strelka/passwords.dat
    """

    def init(self):
        self.passwords = []

    def scan(self, data, file, options, expire_at):
        file_limit = options.get("limit", 100)
        size_limit = options.get("size_limit", 250000000)
        limit_metadata = options.get("limit_metadata", True)
        crack_pws = options.get("crack_pws", False)
        log_pws = options.get("log_pws", True)
        password_file = options.get("password_file", "/etc/strelka/passwords.dat")

        # Gather count and list of files to be extracted
        self.event["total"] = {"files": 0, "extracted": 0}
        self.event["files"] = []

        # Temporary top level compression metrics
        compress_size_total = 0
        file_size_total = 0

        if crack_pws:
            if not self.passwords:
                if os.path.isfile(password_file):
                    with open(password_file, "rb") as f:
                        for line in f:
                            self.passwords.append(line.strip())

                    if (
                        len(self.passwords) == 0
                        and "no_passwords_loaded" not in self.flags
                    ):
                        self.flags.append("no_passwords_loaded")
                else:
                    if "password_file_missing" not in self.flags:
                        self.flags.append("password_file_missing")

        self.passwords.insert(0, None)

        with io.BytesIO(data) as rar_io:
            try:
                with rarfile.RarFile(rar_io, part_only=True) as rar_obj:
                    # If any file in the archive is encrypted, set a flag
                    if (
                        rar_obj.needs_password()
                        and "password_protected" not in self.flags
                    ):
                        self.flags.append("password_protected")

                    # If filename encryption is enabled, set a flag
                    if (
                        rar_obj.needs_password()
                        and len(list(rar_obj.infolist())) == 0
                        and "encrypted_filenames" not in self.flags
                    ):
                        self.flags.append("encrypted_filenames")

                    # If filename encryption is enabled, attempt to recover the password
                    if (
                        crack_pws
                        and self.passwords
                        and len(list(rar_obj.infolist())) == 0
                    ):
                        for password in self.passwords:
                            try:
                                # Re-instantiate rarfile to address password change behavior
                                rar_obj = rarfile.RarFile(rar_io, part_only=True)
                                rar_obj.setpassword(
                                    password.decode("utf-8") if password else None
                                )

                                if list(rar_obj.infolist()):
                                    self.passwords.insert(
                                        0,
                                        self.passwords.pop(
                                            self.passwords.index(password)
                                        ),
                                    )

                                    break
                            except rarfile.RarWrongPassword:
                                pass
                            except rarfile.PasswordRequired:
                                pass
                            except rarfile.BadRarFile:
                                pass

                        if (
                            len(list(rar_obj.infolist())) == 0
                            and "no_password_match_found" not in self.flags
                        ):
                            self.flags.append("no_password_match_found")

                    if rar_obj.comment:
                        self.event["comment"] = rar_obj.comment

                    filelist = rar_obj.infolist()

                    # Count the file entries, in case the function encounters an unhandled exception
                    for compressed_file in filelist:
                        if compressed_file.is_dir():
                            continue
                        self.event["total"]["files"] += 1

                    # For each file in rar, gather metadata and pass extracted file back to Strelka
                    for i, name in enumerate(filelist):
                        if not name.isdir():
                            extract = True
                            extracted = False
                            compression_rate = 0

                            try:
                                extract_data = b""
                                compressed_file = rar_obj.getinfo(name)

                                if compressed_file.file_size > size_limit:
                                    extract = False
                                    if "file_size_limit" not in self.flags:
                                        self.flags.append("file_size_limit")

                                if self.event["total"]["extracted"] >= file_limit:
                                    extract = False
                                    if "file_count_limit" not in self.flags:
                                        self.flags.append("file_count_limit")

                                if (
                                    compressed_file.file_size > 0
                                    and compressed_file.compress_size > 0
                                ):
                                    compress_size_total += compressed_file.compress_size
                                    file_size_total += compressed_file.file_size

                                    size_difference = (
                                        compressed_file.file_size
                                        - compressed_file.compress_size
                                    )
                                    compression_rate = (
                                        size_difference * 100.0
                                    ) / compressed_file.file_size

                                self.event["host_os"] = HOST_OS_MAPPING[
                                    compressed_file.host_os
                                ]

                                try:
                                    rar_data_io = rar_obj.open(
                                        compressed_file, mode="r"
                                    )
                                    if rar_data_io.readable():
                                        extract_data = rar_data_io.readall()
                                except Exception:
                                    try:
                                        # rar_obj = rarfile.RarFile(rar_io, part_only=True)
                                        rar_data_io = rar_obj.open(
                                            compressed_file,
                                            mode="r",
                                            pwd="",
                                        )
                                        if rar_data_io.readable():
                                            extract_data = rar_data_io.readall()

                                    except Exception:
                                        if "password_protected" not in self.flags:
                                            self.flags.append("password_protected")

                                        for password in self.passwords:
                                            try:
                                                # rar_obj = rarfile.RarFile(rar_io, part_only=True)
                                                rar_data_io = rar_obj.open(
                                                    compressed_file,
                                                    mode="r",
                                                    pwd=(
                                                        password.decode("utf-8")
                                                        if password
                                                        else None
                                                    ),
                                                )
                                                if rar_data_io.readable():
                                                    extract_data = rar_data_io.readall()
                                                    self.passwords.insert(
                                                        0,
                                                        self.passwords.pop(
                                                            self.passwords.index(
                                                                password
                                                            )
                                                        ),
                                                    )
                                                    if (
                                                        password
                                                        and crack_pws
                                                        and log_pws
                                                    ):
                                                        if (
                                                            "password"
                                                            not in self.event.keys()
                                                        ):
                                                            self.event["password"] = []
                                                        if password.decode(
                                                            "utf-8"
                                                        ) not in self.event.get(
                                                            "password", []
                                                        ):
                                                            self.event[
                                                                "password"
                                                            ].append(
                                                                password.decode("utf-8")
                                                            )
                                                    break
                                            except (
                                                RuntimeError,
                                                rarfile.RarCRCError,
                                                rarfile.RarWrongPassword,
                                                rarfile.BadRarFile,
                                                rarfile.PasswordRequired,
                                            ):
                                                pass

                                # If we're cracking passwords, a file was encrypted, but failed to decrypt, set a flag
                                if (
                                    crack_pws
                                    and compressed_file.needs_password()
                                    and not extract_data
                                    and "no_password_match_found" not in self.flags
                                ):
                                    self.flags.append("no_password_match_found")

                                # If there's data in it, and no limits have been met, emit the file
                                if extract_data and extract:
                                    # Send extracted file back to Strelka
                                    self.emit_file(
                                        extract_data, name=f"{compressed_file.filename}"
                                    )

                                    extracted = True

                                if not (
                                    limit_metadata
                                    and self.event["total"]["extracted"] >= file_limit
                                ):
                                    self.event["files"].append(
                                        {
                                            "file_name": compressed_file.filename,
                                            "datetime": compressed_file.mtime.isoformat(),
                                            "ctime": (
                                                compressed_file.ctime.isoformat()
                                                if isinstance(
                                                    compressed_file.ctime,
                                                    datetime.datetime,
                                                )
                                                else None
                                            ),
                                            "mtime": (
                                                compressed_file.mtime.isoformat()
                                                if isinstance(
                                                    compressed_file.mtime,
                                                    datetime.datetime,
                                                )
                                                else None
                                            ),
                                            "atime": (
                                                compressed_file.atime.isoformat()
                                                if isinstance(
                                                    compressed_file.atime,
                                                    datetime.datetime,
                                                )
                                                else None
                                            ),
                                            "file_size": compressed_file.file_size,
                                            "compression_size": compressed_file.compress_size,
                                            "compression_rate": round(
                                                compression_rate, 2
                                            ),
                                            "extracted": extracted,
                                            "encrypted": compressed_file.needs_password(),
                                        }
                                    )

                                if extracted:
                                    self.event["total"]["extracted"] += 1

                            except NotImplementedError:
                                self.flags.append("unsupport_compression")
                            except RuntimeError:
                                self.flags.append("runtime_error")
                            except ValueError:
                                self.flags.append("value_error")

            except rarfile.BadRarFile:
                self.flags.append("bad_rar")
                raise

            # Top level compression metric
            if file_size_total > 0 and compress_size_total > 0:
                size_difference_total = file_size_total - compress_size_total
                self.event["compression_rate"] = round(
                    (size_difference_total * 100.0) / file_size_total, 2
                )
            else:
                self.event["compression_rate"] = 0.00

Features

The features of this scanner are detailed below. These features represent the capabilities and the type of analysis the scanner can perform. This may include support for Indicators of Compromise (IOC), the ability to emit files for further analysis, and the presence of extended documentation for complex analysis techniques.

Feature
Support
IOC Support
Emit Files
Extended Docs
Malware Scanner
Image Thumbnails

Tastes

Strelka's file distribution system assigns scanners to files based on 'flavors' and 'tastes'. Flavors describe the type of file, typically determined by MIME types from libmagic, matches from YARA rules, or characteristics of parent files. Tastes are the criteria used within Strelka to determine which scanners are applied to which files, with positive and negative tastes defining files to be included or excluded respectively.

Source Filetype
Include / Exclude
application/x-rar
rar_file

Scanner Fields

This section provides a list of fields that are extracted from the files processed by this scanner. These fields include the data elements that the scanner extracts from each file, representing the analytical results produced by the scanner. If the test file is missing or cannot be parsed, this section will not contain any data.

Field Name
Field Type
comment
str
compression_rate
float
elapsed
str
files
list
files.atime
NoneType
files.atime
str
files.compression_rate
float
files.compression_size
int
files.ctime
NoneType
files.ctime
str
files.datetime
str
files.encrypted
bool
files.extracted
bool
files.file_name
str
files.file_size
int
files.mtime
str
flags
list
host_os
str
password
list
total
dict
total.extracted
int
total.files
int

Sample Event

Below is a sample event generated by this scanner, demonstrating the kind of output that can be expected when it processes a file. This sample is derived from a mock scan event configured in the scanner's test file. If no test file is available, this section will not display a sample event.

    test_scan_event = {
        "elapsed": 0.001,
        "flags": [],
        "total": {"files": 3, "extracted": 3},
        "host_os": "RAR_OS_WIN32",
        "files": [
            {
                "file_name": "hidden/lorem-hidden.txt",
                "datetime": "2022-12-12T03:12:55.499569400+00:00",
                "atime": None,
                "ctime": None,
                "mtime": "2022-12-12T03:12:55.499569400+00:00",
                "file_size": 4015,
                "compression_size": 1484,
                "compression_rate": 63.04,
                "extracted": True,
                "encrypted": False,
            },
            {
                "file_name": "hidden/lorem-readonly.txt",
                "datetime": "2022-12-12T03:12:55.499569400+00:00",
                "atime": None,
                "ctime": None,
                "mtime": "2022-12-12T03:12:55.499569400+00:00",
                "file_size": 4015,
                "compression_size": 1484,
                "compression_rate": 63.04,
                "extracted": True,
                "encrypted": False,
            },
            {
                "file_name": "lorem.txt",
                "datetime": "2022-12-12T03:12:55.499569400+00:00",
                "atime": None,
                "ctime": None,
                "mtime": "2022-12-12T03:12:55.499569400+00:00",
                "file_size": 4015,
                "compression_size": 1484,
                "compression_rate": 63.04,
                "extracted": True,
                "encrypted": False,
            },
        ],
        "compression_rate": 63.04,
    }