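def test_basics():
    """Round-trip the three ways ExtractManager stores an artifact.

    Prepares a throwaway Cuckoo working directory (CWD) with one analysis
    directory, then checks that write_extracted(), push_script() and
    push_command_line() each land a file under ``extracted/`` of analysis 1
    with the expected counter and extension.

    Note: relies on Python 2 semantics (``str.encode("base64")`` and
    ``bytes == str`` comparisons).
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    mkdir(cwd(analysis=1))
    init_yara()

    em = ExtractManager(1)

    # Raw write: the first argument ends up as the file extension and the
    # per-extension counter starts at 0.
    em.write_extracted("foo", "bar")
    filepath = cwd("extracted", "0.foo", analysis=1)
    with open(filepath, "rb") as f:
        assert f.read() == "bar"

    # A parsed "powershell -e <base64(utf-16le)>" command yields a .ps1
    # artifact containing the decoded script text.
    scr = Scripting()
    cmd = scr.parse_command("powershell -e %s" %
                            "foobar".encode("utf-16le").encode("base64"))

    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)
    filepath = cwd("extracted", "0.ps1", analysis=1)
    with open(filepath, "rb") as f:
        assert f.read() == "foobar"

    # push_command_line() parses the command line itself; the .ps1 counter
    # continues from the previously pushed script.
    em.push_command_line("powershell -e %s" %
                         "world!".encode("utf-16le").encode("base64"))
    filepath = cwd("extracted", "1.ps1", analysis=1)
    with open(filepath, "rb") as f:
        assert f.read() == "world!"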
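def test_basics():
    """Round-trip the three ways ExtractManager stores an artifact.

    Prepares a throwaway Cuckoo working directory (CWD) with one analysis
    directory, then checks that write_extracted(), push_script() and
    push_command_line() each land a file under ``extracted/`` of analysis 1
    with the expected counter and extension.

    Note: relies on Python 2 semantics (``str.encode("base64")`` and
    ``bytes == str`` comparisons).
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    mkdir(cwd(analysis=1))
    init_yara()

    em = ExtractManager(1)

    # Raw write: the first argument ends up as the file extension and the
    # per-extension counter starts at 0.
    em.write_extracted("foo", "bar")
    filepath = cwd("extracted", "0.foo", analysis=1)
    with open(filepath, "rb") as f:
        assert f.read() == "bar"

    # A parsed "powershell -e <base64(utf-16le)>" command yields a .ps1
    # artifact containing the decoded script text.
    scr = Scripting()
    cmd = scr.parse_command(
        "powershell -e %s" % "foobar".encode("utf-16le").encode("base64")
    )

    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)
    filepath = cwd("extracted", "0.ps1", analysis=1)
    with open(filepath, "rb") as f:
        assert f.read() == "foobar"

    # push_command_line() parses the command line itself; the .ps1 counter
    # continues from the previously pushed script.
    em.push_command_line(
        "powershell -e %s" % "world!".encode("utf-16le").encode("base64")
    )
    filepath = cwd("extracted", "1.ps1", analysis=1)
    with open(filepath, "rb") as f:
        assert f.read() == "world!"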
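def test_ident_shellcode(p):
    """Recover shellcode from a PowerShell byte array via a custom Extractor.

    Drops a Yara rule into the CWD that matches ``= 0x.., 0x..;`` style byte
    lists, registers a local Extractor subclass that turns each match into
    shellcode, and pushes a base64/UTF-16LE encoded PowerShell command that
    embeds a shikata-encoded test payload. Expects two artifacts: the decoded
    .ps1 script and a disassembly listing of the recovered shellcode.

    Args:
        p: presumably a mock of the extractor lookup; its ``return_value``
           tuple lists the Extractor subclasses to run — TODO confirm.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()

    mkdir(cwd("yara", "scripts"))
    # Raw string: the \s escapes belong to the Yara regex, not to Python.
    with open(cwd("yara", "scripts", "1.yar"), "wb") as f:
        f.write(r"""
rule Shellcode1 {
  strings:
       $Shellcode = /=\s*((0x)?[0-9A-F]{2}\s*[,;]\s*)+/ nocase
  condition:
       all of them
}
""")
    # No Yara has been installed.
    if not init_yara(True):
        return

    class Shellcode1(Extractor):
        yara_rules = "Shellcode1"

        def handle_yara(self, filepath, match):
            # The match reads "= 0xfc,0x..,...;": drop the "= " prefix and
            # the trailing ";" before turning the hex list into raw bytes.
            sc = match.string("Shellcode", 0)
            self.push_shellcode(
                "".join(chr(int(x, 16)) for x in sc[2:-1].split(","))
            )

    # Trailing comma: a one-element tuple of extractor classes.
    p.return_value = Shellcode1,

    with open("tests/files/shellcode/shikata/1.bin", "rb") as f:
        sc = shikata(f.read())
    sc = ",".join("0x%02x" % ord(ch) for ch in sc)

    scr = Scripting()
    ps1 = ("[Byte[]]$s = %s;" % sc).encode("utf-16le")
    # Python 2's base64 codec wraps its output; strip the newlines so the
    # encoded command is a single token on the command line.
    cmd = scr.parse_command(
        "powershell -e %s" % ps1.encode("base64").replace("\n", "")
    )

    mkdir(cwd(analysis=1))
    em = ExtractManager(1)
    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)

    # One item for the script itself, one for the shellcode it carried.
    assert len(em.items) == 2
    filepath = cwd("extracted", "0.ps1", analysis=1)
    with open(filepath, "rb") as f:
        assert f.read().startswith("[Byte[]]$s = 0xfc")

    with open(cwd("extracted", "1.bin.txt", analysis=1), "rb") as f:
        buf = f.read()
    assert "call 0x88" in buf
    assert "0x00c1: push 0xc69f8957" in buf
    assert ".db 'www.service.chrome-up.date',0" in buf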
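def test_ident_shellcode(p):
    """Recover shellcode from a PowerShell byte array via a custom Extractor.

    Drops a Yara rule into the CWD that matches ``= 0x.., 0x..;`` style byte
    lists, registers a local Extractor subclass that turns each match into
    shellcode, and pushes a base64/UTF-16LE encoded PowerShell command that
    embeds a shikata-encoded test payload. Expects two artifacts: the decoded
    .ps1 script and a disassembly listing of the recovered shellcode.

    Args:
        p: presumably a mock of the extractor lookup; its ``return_value``
           tuple lists the Extractor subclasses to run — TODO confirm.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()

    mkdir(cwd("yara", "scripts"))
    # Raw string: the \s escapes belong to the Yara regex, not to Python.
    with open(cwd("yara", "scripts", "1.yar"), "wb") as f:
        f.write(r"""
rule Shellcode1 {
  strings:
       $Shellcode = /=\s*((0x)?[0-9A-F]{2}\s*[,;]\s*)+/ nocase
  condition:
       all of them
}
""")
    # No Yara has been installed.
    if not init_yara(True):
        return

    class Shellcode1(Extractor):
        yara_rules = "Shellcode1"

        def handle_yara(self, filepath, match):
            # The match reads "= 0xfc,0x..,...;": drop the "= " prefix and
            # the trailing ";" before turning the hex list into raw bytes.
            sc = match.string("Shellcode", 0)
            self.push_shellcode("".join(
                chr(int(x, 16)) for x in sc[2:-1].split(",")))

    # Trailing comma: a one-element tuple of extractor classes.
    p.return_value = Shellcode1,

    with open("tests/files/shellcode/shikata/1.bin", "rb") as f:
        sc = shikata(f.read())
    sc = ",".join("0x%02x" % ord(ch) for ch in sc)

    scr = Scripting()
    ps1 = ("[Byte[]]$s = %s;" % sc).encode("utf-16le")
    # Python 2's base64 codec wraps its output; strip the newlines so the
    # encoded command is a single token on the command line.
    cmd = scr.parse_command("powershell -e %s" %
                            ps1.encode("base64").replace("\n", ""))

    mkdir(cwd(analysis=1))
    em = ExtractManager(1)
    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)

    # One item for the script itself, one for the shellcode it carried.
    assert len(em.items) == 2
    filepath = cwd("extracted", "0.ps1", analysis=1)
    with open(filepath, "rb") as f:
        assert f.read().startswith("[Byte[]]$s = 0xfc")

    with open(cwd("extracted", "1.bin.txt", analysis=1), "rb") as f:
        buf = f.read()
    assert "call 0x88" in buf
    assert "0x00c1: push 0xc69f8957" in buf
    assert ".db 'www.service.chrome-up.date',0" in buf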
class ExtractScripts(BehaviorHandler):
    """Extracts embedded scripts in command-line parameters.

    Subscribes to "process" events. Each process command line is run through
    Scripting; when the parse yields a command that carries a script, the
    script is handed to the task's ExtractManager under the "extracted" key.
    """
    key = "extracted"
    event_types = ["process"]

    def __init__(self, *args, **kwargs):
        super(ExtractScripts, self).__init__(*args, **kwargs)
        self.scr = Scripting()
        # NOTE(review): self.analysis is presumably populated by
        # BehaviorHandler.__init__ — confirm before relying on it elsewhere.
        self.ex = ExtractManager.for_task(self.analysis.task["id"])

    def handle_event(self, process):
        # Command lines come from observed process events (presumably the
        # analysed sample); whatever is parsed out of them is recorded as an
        # artifact only.
        parsed = self.scr.parse_command(process["command_line"])
        if not parsed:
            return
        if not parsed.get_script():
            return
        self.ex.push_script(process, parsed)

    def run(self):
        # All work happens per event; nothing to finalise at the end.
        pass
class ExtractScripts(BehaviorHandler):
    """Extracts embedded scripts in command-line parameters.

    Subscribes to "process" events. Each process command line is run through
    Scripting; when the parse yields a command that carries a script, the
    script is handed to the task's ExtractManager under the "extracted" key.
    """
    key = "extracted"
    event_types = ["process"]

    def __init__(self, *args, **kwargs):
        super(ExtractScripts, self).__init__(*args, **kwargs)
        self.scr = Scripting()
        # NOTE(review): self.analysis is presumably populated by
        # BehaviorHandler.__init__ — confirm before relying on it elsewhere.
        self.ex = ExtractManager.for_task(self.analysis.task["id"])

    def handle_event(self, process):
        # Command lines come from observed process events (presumably the
        # analysed sample); whatever is parsed out of them is recorded as an
        # artifact only.
        parsed = self.scr.parse_command(process["command_line"])
        if not parsed:
            return
        if not parsed.get_script():
            return
        self.ex.push_script(process, parsed)

    def run(self):
        # All work happens per event; nothing to finalise at the end.
        pass
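class TestScripting(object):
    """Parsing of cmd.exe and powershell command lines by Scripting."""

    def setup_method(self, method=None):
        # pytest's native per-test hook. The nose-style ``setup`` name is no
        # longer invoked by pytest 8+, which would leave self.scr unset.
        self.scr = Scripting()

    def test_cmd_ping(self):
        """Plain ``cmd /c`` invocation: program, extension, args and tree."""
        obj = self.scr.parse_command("cmd /c ping 8.8.8.8")
        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {
            "remains": False,
            "command": ["ping", "8.8.8.8"],
        }
        assert not obj.children
        assert obj.astree() == {
            "args": {
                "remains": False,
                "command": ["ping", "8.8.8.8"],
            },
            "children": [],
        }

    def test_cmd_fullpath(self):
        """Absolute path to cmd.exe is normalised; ``/k`` sets ``remains``."""
        obj = self.scr.parse_command(
            "C:\\\\Windows\\\\System32\\\\cmd.exe /k ping 8.8.8.8"
        )
        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {
            "remains": True,
            "command": [
                "ping", "8.8.8.8",
            ],
        }

    def test_cmd_cmd_cmd_ping(self):
        """Nested cmd invocations (case-insensitive) become a child chain."""
        obj = self.scr.parse_command(
            "cmd /c CMD.EXE /c cmd.exE /c ping 8.8.8.8"
        )
        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {
            "remains": False,
            "command": ["CMD.EXE", "/c", "cmd.exE", "/c", "ping", "8.8.8.8"],
        }
        assert len(obj.children) == 1
        assert obj.children[0].args == {
            "remains": False,
            "command": ["cmd.exE", "/c", "ping", "8.8.8.8"],
        }
        assert len(obj.children[0].children) == 1
        assert obj.children[0].children[0].args == {
            "remains": False,
            "command": ["ping", "8.8.8.8"],
        }
        assert not obj.children[0].children[0].children
        assert obj.astree() == {
            "args": {
                "remains": False,
                "command": [
                    "CMD.EXE", "/c", "cmd.exE", "/c", "ping", "8.8.8.8",
                ],
            },
            "children": [{
                "args": {
                    "remains": False,
                    "command": ["cmd.exE", "/c", "ping", "8.8.8.8"],
                },
                "children": [{
                    "args": {
                        "remains": False,
                        "command": ["ping", "8.8.8.8"],
                    },
                    "children": [],
                }],
            }],
        }

    def test_cmd_powershell(self):
        """cmd wrapping powershell: the child carries the decoded -enc text."""
        obj = self.scr.parse_command("""
            cmd /c powershell -nop -ep bypass -enc
            ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA=
        """)
        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {
            "remains": False,
            "command": [
                "powershell", "-nop", "-ep", "bypass", "-enc",
                "ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA=",
            ]
        }
        assert len(obj.children) == 1
        assert obj.children[0].args == {
            "noprofile": True, "executionpolicy": "bypass",
            "encodedcommand": 'echo "Recursive"',
        }
        assert not obj.children[0].children

    def test_powershell_encodedcommand(self):
        """Short switches expand to long names; -enc is base64/UTF-16LE decoded."""
        obj = self.scr.parse_command("""
            powershell -nop -ep bypass -enc
            ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA=
        """)
        assert obj.program == "powershell"
        assert obj.ext == "ps1"
        assert obj.args == {
            "noprofile": True, "executionpolicy": "bypass",
            "encodedcommand": 'echo "Recursive"',
        }
        assert not obj.children
        assert obj.get_script() == 'echo "Recursive"'

    def test_powershell_command(self):
        """``-Command`` text is exposed verbatim through get_script()."""
        obj = self.scr.parse_command("""
            powershell -nop -ep bypass -Command ping '8.8.8.8'
        """)
        assert obj.program == "powershell"
        assert obj.ext == "ps1"
        assert obj.get_script() == "ping '8.8.8.8'"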
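class TestScripting(object):
    """Parsing of cmd.exe and powershell command lines by Scripting."""

    def setup_method(self, method=None):
        # pytest's native per-test hook. The nose-style ``setup`` name is no
        # longer invoked by pytest 8+, which would leave self.scr unset.
        self.scr = Scripting()

    def test_cmd_ping(self):
        """Plain ``cmd /c`` invocation: program, extension, args and tree."""
        obj = self.scr.parse_command("cmd /c ping 8.8.8.8")
        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {
            "remains": False,
            "command": ["ping", "8.8.8.8"],
        }
        assert not obj.children
        assert obj.astree() == {
            "args": {
                "remains": False,
                "command": ["ping", "8.8.8.8"],
            },
            "children": [],
        }

    def test_cmd_fullpath(self):
        """Absolute path to cmd.exe is normalised; ``/k`` sets ``remains``."""
        obj = self.scr.parse_command(
            "C:\\\\Windows\\\\System32\\\\cmd.exe /k ping 8.8.8.8"
        )
        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {
            "remains": True,
            "command": [
                "ping", "8.8.8.8",
            ],
        }

    def test_cmd_cmd_cmd_ping(self):
        """Nested cmd invocations (case-insensitive) become a child chain."""
        obj = self.scr.parse_command(
            "cmd /c CMD.EXE /c cmd.exE /c ping 8.8.8.8"
        )
        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {
            "remains": False,
            "command": ["CMD.EXE", "/c", "cmd.exE", "/c", "ping", "8.8.8.8"],
        }
        assert len(obj.children) == 1
        assert obj.children[0].args == {
            "remains": False,
            "command": ["cmd.exE", "/c", "ping", "8.8.8.8"],
        }
        assert len(obj.children[0].children) == 1
        assert obj.children[0].children[0].args == {
            "remains": False,
            "command": ["ping", "8.8.8.8"],
        }
        assert not obj.children[0].children[0].children
        assert obj.astree() == {
            "args": {
                "remains": False,
                "command": [
                    "CMD.EXE", "/c", "cmd.exE", "/c", "ping", "8.8.8.8",
                ],
            },
            "children": [{
                "args": {
                    "remains": False,
                    "command": ["cmd.exE", "/c", "ping", "8.8.8.8"],
                },
                "children": [{
                    "args": {
                        "remains": False,
                        "command": ["ping", "8.8.8.8"],
                    },
                    "children": [],
                }],
            }],
        }

    def test_cmd_powershell(self):
        """cmd wrapping powershell: the child carries the decoded -enc text."""
        obj = self.scr.parse_command("""
            cmd /c powershell -nop -ep bypass -enc
            ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA=
        """)
        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {
            "remains": False,
            "command": [
                "powershell", "-nop", "-ep", "bypass", "-enc",
                "ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA=",
            ]
        }
        assert len(obj.children) == 1
        assert obj.children[0].args == {
            "noprofile": True, "executionpolicy": "bypass",
            "encodedcommand": 'echo "Recursive"',
        }
        assert not obj.children[0].children

    def test_powershell_encodedcommand(self):
        """Short switches expand to long names; -enc is base64/UTF-16LE decoded."""
        obj = self.scr.parse_command("""
            powershell -nop -ep bypass -enc
            ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA=
        """)
        assert obj.program == "powershell"
        assert obj.ext == "ps1"
        assert obj.args == {
            "noprofile": True, "executionpolicy": "bypass",
            "encodedcommand": 'echo "Recursive"',
        }
        assert not obj.children
        assert obj.get_script() == 'echo "Recursive"'

    def test_powershell_command(self):
        """``-Command`` text is exposed verbatim through get_script()."""
        obj = self.scr.parse_command("""
            powershell -nop -ep bypass -Command ping '8.8.8.8'
        """)
        assert obj.program == "powershell"
        assert obj.ext == "ps1"
        assert obj.get_script() == "ping '8.8.8.8'"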