def analysis_start(self):
"""
Commands to execute when starting analysis. Once this returns the
analysis will wait for commands from the user.
NOTE: Any threads will continue execute until a stop command is
received
"""
# Analysis is done after this function returns
self.CONTINUE_EXECUTION = True
# Extract some important variables
volatility_profile = self.machine.config.volatility_profile
machine = self.machine
# Create a queue and data handler
# This enables us to do many to many data flows
self.data_queue = multiprocessing.Queue()
self.data_handler = DataHandler(self.data_queue)
# RabbitMQ queue name
self.rabbitmq = LOPHI_RabbitMQ_Producer(
self.services_host,
self.data_handler.new_queue(),
G.RabbitMQ.SENSOR,
exchange_type=G.RabbitMQ.TYPE_FANOUT,
exchange=G.RabbitMQ.EXCHANGE_FANOUT)
# Start data paths
self.data_handler.start()
self.rabbitmq.start()
# Memory Analysis
print "Starting memory analysis..."
self.mem_analysis = MemoryAnalysisEngine(self.machine,
self.data_queue,
plugins=['pslist'])
self.mem_analysis.start()
# Disk analysis Analysis
print "Starting disk analysis..."
self.disk_analysis = DiskAnalysisEngine(self.machine, self.data_queue)
self.disk_analysis.start()
def analysis_start(self):
"""
Commands to execute when starting analysis. Once this returns the
analysis will wait for commands from the user.
NOTE: Any threads will continue execute until a stop command is
received
"""
# Analysis is done after this function returns
self.CONTINUE_EXECUTION = True
# Extract some important variables
volatility_profile = self.lophi_command.volatility_profile
lophi_command = self.lophi_command
machine = self.machine
sample_doc_id = lophi_command.sample_doc_id
# Initialize our database
DB_samples = DatastoreSamples(self.services_host)
# Copy the sample to the ftp server temporarily so that the SUA can download it
# store the temp directory name
# 'sc stop rootkit','sc delete rootkit',
setup_commands = ['start taskmgr']
self.local_path = DB_samples.copy_sample_to_ftp(
sample_doc_id, commands=setup_commands)
remote_path = os.path.relpath(self.local_path, G.FTP_ROOT)
lophi_command.ftp_info['dir'] = remote_path
# Create a queue and data handler
# This enables us to do many to many data flows
self.data_queue = multiprocessing.Queue()
self.data_handler = DataHandler(self.data_queue)
# RabbitMQ queue name
self.rabbitmq = LOPHI_RabbitMQ_Producer(
self.services_host,
self.data_handler.new_queue(),
G.RabbitMQ.SENSOR,
exchange_type=G.RabbitMQ.TYPE_FANOUT,
exchange=G.RabbitMQ.EXCHANGE_FANOUT)
# Start data paths
self.data_handler.start()
self.rabbitmq.start()
# Memory Analysis
print "Starting memory analysis..."
self.mem_analysis = MemoryAnalysisEngine(self.machine,
self.data_queue,
plugins=['pslist', 'ssdt'])
self.mem_analysis.start()
# Memory Analysis
print "Starting disk analysis..."
self.disk_analysis = DiskAnalysisEngine(self.machine, self.data_queue)
self.disk_analysis.start()
# Send keypresses to download binary
print "* Sending keypresses..."
# Get our keypress generator
kpg = machine.keypress_get_generator()
# Check ftp info, and send commands to execute malware
if lophi_command.ftp_info['ip'] is not None and lophi_command.ftp_info[
'dir'] is not None:
print "* Executing ftp commands..."
ftp_script = kpg.get_ftp_script(volatility_profile,
lophi_command.ftp_info)
machine.keypress_send(ftp_script)
else:
print "** No ftp info given."