def run(self):
"""Run analysis.
@return: structured results.
"""
self.key = "procmemory"
results = []
if os.path.exists(self.pmemory_path):
for dmp in os.listdir(self.pmemory_path):
if not dmp.endswith(".dmp"):
continue
dump_path = os.path.join(self.pmemory_path, dmp)
dump_file = File(dump_path)
pid, num = map(int, re.findall("(\\d+)", dmp))
regions = []
for region in roach.procmem(dump_path).regions:
regions.append(region.to_json())
proc = dict(
file=dump_path,
pid=pid,
num=num,
yara=dump_file.get_yara("memory"),
urls=list(dump_file.get_urls()),
regions=regions,
)
ExtractManager.for_task(self.task["id"]).peek_procmem(proc)
if self.options.get("idapro"):
self.create_idapy(proc)
if self.options.get("extract_img"):
proc["extracted"] = list(
self.dump_images(proc,
self.options.get("extract_dll")))
proc["extracted"] += list(self.dump_dex(proc))
if self.options.get("dump_delete"):
try:
os.remove(dump_path)
except OSError:
log.error(
"Unable to delete memory dump file at path \"%s\"",
dump_path)
results.append(proc)
results.sort(key=lambda x: (x["pid"], x["num"]))
return results
def run(self):
"""Run analysis.
@return: structured results.
"""
self.key = "procmemory"
results = []
if os.path.exists(self.pmemory_path):
for dmp in os.listdir(self.pmemory_path):
if not dmp.endswith(".dmp"):
continue
dump_path = os.path.join(self.pmemory_path, dmp)
dump_file = File(dump_path)
pid, num = map(int, re.findall("(\\d+)", dmp))
regions = []
for region in roach.procmem(dump_path).regions:
regions.append(region.to_json())
proc = dict(
file=dump_path, pid=pid, num=num,
yara=dump_file.get_yara("memory"),
urls=list(dump_file.get_urls()),
regions=regions,
)
ExtractManager.for_task(self.task["id"]).peek_procmem(proc)
if self.options.get("idapro"):
self.create_idapy(proc)
if self.options.get("extract_img"):
proc["extracted"] = list(self.dump_images(
proc, self.options.get("extract_dll")
))
if self.options.get("dump_delete"):
try:
os.remove(dump_path)
except OSError:
log.error(
"Unable to delete memory dump file at path \"%s\"",
dump_path
)
results.append(proc)
results.sort(key=lambda x: (x["pid"], x["num"]))
return results
def process_extracted(self):
task_id = self.results.get("info", {}).get("id")
if not task_id:
return
for item in ExtractManager.for_task(task_id).results():
for sig in self.signatures:
self.call_signature(sig, sig.on_extract, ExtractedMatch(item))
def process_extracted(self):
task_id = self.results.get("info", {}).get("id")
if not task_id:
return
for item in ExtractManager.for_task(task_id).results():
for sig in self.signatures:
self.call_signature(sig, sig.on_extract, ExtractedMatch(item))
def init(package, *filename):
id_ = task_id()
init_analysis(id_, package, *filename)
init_yara()
s = Static()
s.set_task({
"id": id_,
"category": "file",
"package": package,
"target": filename[-1],
})
s.file_path = cwd("binary", analysis=id_)
e = ExtractManager.for_task(id_)
return s.run(), e.results()
def init(package, *filename):
id_ = task_id()
init_analysis(id_, package, *filename)
init_yara()
s = Static()
s.set_task({
"id": id_,
"category": "file",
"package": package,
"target": filename[-1],
})
s.file_path = cwd("binary", analysis=id_)
e = ExtractManager.for_task(id_)
return s.run(), e.results()
def test_push_script_recursive():
set_cwd(tempfile.mkdtemp())
cuckoo_create()
mkdir(cwd(analysis=1))
open(cwd("yara", "office", "ole.yar"), "wb").write("""
rule OleInside {
strings:
$s1 = "Win32_Process"
condition:
filename matches /word\/vbaProject.bin/ and $s1
}
""")
init_yara()
s = Static()
s.file_path = "tests/files/createproc1.docm"
s.set_task({
"id": 1,
"category": "file",
"target": s.file_path,
"package": "doc",
})
s.run()
assert ExtractManager.for_task(1).results()[0]["yara"] == [{
"name":
"OleInside",
"meta": {
"description": "(no description)",
},
"offsets": {
"s1": [
(3933, 0),
],
},
"strings": [
"Win32_Process".encode("base64").strip(),
],
}]
def test_push_script_recursive():
set_cwd(tempfile.mkdtemp())
cuckoo_create()
mkdir(cwd(analysis=1))
open(cwd("yara", "office", "ole.yar"), "wb").write("""
rule OleInside {
strings:
$s1 = "Win32_Process"
condition:
filename matches /word\/vbaProject.bin/ and $s1
}
""")
init_yara()
s = Static()
s.file_path = "tests/files/createproc1.docm"
s.set_task({
"id": 1,
"category": "file",
"target": s.file_path,
"package": "doc",
})
s.run()
assert ExtractManager.for_task(1).results()[0]["yara"] == [{
"name": "OleInside",
"meta": {
"description": "(no description)",
},
"offsets": {
"s1": [
(3933, 0),
],
},
"strings": [
"Win32_Process".encode("base64").strip(),
],
}]
def __init__(self, filepath, task_id):
self.filepath = filepath
self.files = {}
self.ex = ExtractManager.for_task(task_id)
def __init__(self, *args, **kwargs):
super(ExtractScripts, self).__init__(*args, **kwargs)
self.ex = ExtractManager.for_task(self.analysis.task["id"])
def test_on_extract():
set_cwd(tempfile.mkdtemp())
cuckoo_create()
init_modules()
Database().connect()
mkdir(cwd(analysis=2))
cmd = Scripting().parse_command("cmd.exe /c ping 1.2.3.4")
ex = ExtractManager.for_task(2)
ex.push_script({
"pid": 1,
"first_seen": 2,
}, cmd)
results = RunProcessing(task=Dictionary({
"id": 2,
"category": "file",
"target": __file__,
})).run()
assert results["extracted"] == [{
"category":
"script",
"pid":
1,
"first_seen":
2,
"program":
"cmd",
"raw":
cwd("extracted", "0.bat", analysis=2),
"yara": [],
"info": {},
}]
class sig1(object):
name = "sig1"
@property
def matched(self):
return False
@matched.setter
def matched(self, value):
pass
def init(self):
pass
def on_signature(self):
pass
def on_complete(self):
pass
def on_yara(self):
pass
on_extract = mock.MagicMock()
rs = RunSignatures(results)
rs.signatures = sig1(),
rs.run()
sig1.on_extract.assert_called_once()
em = sig1.on_extract.call_args_list[0][0][0]
assert em.category == "script"
def test_on_extract():
set_cwd(tempfile.mkdtemp())
cuckoo_create()
init_modules()
Database().connect()
mkdir(cwd(analysis=2))
cmd = Scripting().parse_command("cmd.exe /c ping 1.2.3.4")
ex = ExtractManager.for_task(2)
ex.push_script({
"pid": 1,
"first_seen": 2,
}, cmd)
results = RunProcessing(task=Dictionary({
"id": 2,
"category": "file",
"target": __file__,
})).run()
assert results["extracted"] == [{
"category": "script",
"pid": 1,
"first_seen": 2,
"program": "cmd",
"script": cwd("extracted", "0.bat", analysis=2),
"yara": [],
}]
class sig1(object):
name = "sig1"
@property
def matched(self):
return False
@matched.setter
def matched(self, value):
pass
def init(self):
pass
def on_signature(self):
pass
def on_complete(self):
pass
def on_yara(self):
pass
on_extract = mock.MagicMock()
rs = RunSignatures(results)
rs.signatures = sig1(),
rs.run()
sig1.on_extract.assert_called_once()
em = sig1.on_extract.call_args_list[0][0][0]
assert em.category == "script"
def run(self):
return ExtractManager.for_task(self.task.id).results()
def __init__(self, *args, **kwargs):
super(ExtractScripts, self).__init__(*args, **kwargs)
self.scr = Scripting()
self.ex = ExtractManager.for_task(self.analysis.task["id"])
def __init__(self, filepath, task_id):
self.filepath = filepath
self.files = {}
self.ex = ExtractManager.for_task(task_id)
def run(self):
return ExtractManager.for_task(self.task.id).results()
