def __init__(self, working_dir=None):
BaseInterface.__init__(self, working_dir)
self.logger = get_my_logger(self.__class__.__name__)
self.is_dryrun = is_windows()
dbpath = os.path.join(self.working_dir, DEFAULT_DB_NAME)
# if os.path.exists(dbpath):
self.use_database(dbpath)
def __init__(self):
if common.is_linux():
envret = setenv()
if envret == False:
raise Exception(
"Can not set important environment!Maybe use XWayland.")
if common.is_x86_64():
misc_path = "lib/linux/x64/misc.so"
else:
misc_path = "lib/linux/x86/misc.so"
self._lib = CDLL(os.path.join(common.get_work_dir(), misc_path))
elif common.is_windows():
self._lib = CDLL(
os.path.join(common.get_work_dir(), "lib/windows/misc.dll"))
else:
raise Exception("Not support on macos")
ret = self._lib.GlobalInit()
if ret != 0:
raise Exception("MiscGlobalInitFailed")
self._buffer = create_string_buffer(4194304)
def runQuickScan(self):
root_paths = []
if common.is_linux():
root_paths = [("/root", True), ('/bin', True), ('/sbin', True),
('/usr/bin', True), ('/usr/local/bin', True)]
if common.is_darwin():
root_paths.append(('/users', True))
else:
root_paths.append(('/home', True))
if common.is_windows():
# root_paths = [('D:\\test\\木马\\',True)]
root = os.getenv('systemroot')[:1]
root_paths = [(root + ':\\users', True)]
# root_paths = [ (root+":\\Documents and Settings", True),
# (root+":\\windows", False),
# (root+":\\windows\\system32", True),
# (root+":\\windows\\syswow64\\system32", True),
# (root+":\\program files", True),
# (root+":\\Program Files (x86)", True)]
self.avoid_list.append((root + ':\\$Recycle.Bin').lower())
self.runVirusScan(root_paths)
def delete_locked_file(pathname):
"""Delete a file that is currently in use"""
if common.is_windows():
from ctypes import windll, c_ulong, c_buffer, byref, sizeof
if os.path.exists(pathname):
MOVEFILE_DELAY_UNTIL_REBOOT = 4
if 0 == windll.kernel32.MoveFileExW(pathname, None,
MOVEFILE_DELAY_UNTIL_REBOOT):
from ctypes import WinError
raise WinError()
def __init__(self, usb_plugged, usb_unplugged):
if common.is_windows():
from . import usb_detect_win as usb_detect_proxy
elif common.is_linux():
from . import usb_detect_linux as usb_detect_proxy
else:
raise "No support os " + __NAME__
self.name = "USB detector"
self.proxy = usb_detect_proxy
self.usb_plugged = usb_plugged
self.usb_unplugged = usb_unplugged
def __init__(self, file_created_captured, file_modified_captured):
if common.is_windows():
from . import fs_change_win as fs_change_proxy
elif common.is_linux():
from . import fs_change_linux as fs_change_proxy
else:
raise "No support os " + __NAME__
self.name = "Filesystem monitor"
self.proxy = fs_change_proxy
self.file_created_captured = file_created_captured
self.file_modified_captured = file_modified_captured
def load_jsons(self):
apps_path = os.path.join(self.json_path, "apps.json")
if not os.path.exists(apps_path):
Klogger().debug("apps.json does not exist")
raise Exception
try:
with open(apps_path, "r") as f:
raw_apps_list = json.load(f)
except Exception as e:
Klogger().debug("read apps.json fails with %s" % (str(e)))
raise
for each in raw_apps_list:
if (not 'id' in each or not 'label' in each
or not 'description' in each or not 'icon' in each):
Klogger().debug("Corrupted item in apps.json")
continue
if 'os' in each:
if each['os'] == "windows":
if not common.is_windows():
continue
elif each['os'] == "linux":
if not common.is_linux():
continue
else:
Klogger().debug("Unknown os in apps.json, id %s" %
(each['id']))
continue
item = {
"label": each['label'],
"description": each['description'],
"icon": each['icon']
}
if 'running' in each:
item['running'] = each['running']
self.apps_list[each['id']] = item
for pathname in self.json_files:
try:
item = clean_item(os.path.join(self.json_path, pathname))
except Exception as e:
Klogger().warn('error reading item: %s %s', pathname, e)
continue
self.kinds[item.id] = item
def runDeepScan(self):
root_paths = []
if common.is_linux() or common.is_darwin():
root_paths.append(("/", True))
self.avoid_list = ['/proc', '/dev', '/sys']
if common.is_windows():
for item in psutil.disk_partitions():
device, mountpoint, fstype, opts = item
if fstype:
root_paths.append((mountpoint, True))
self.avoid_list.append(
os.path.join(mountpoint, '$Recycle.Bin').lower())
self.runVirusScan(root_paths)
from core.cleaner import Kcleaner from core.vuls import Kvuls from core import security_audit_implement from utils import common, import_helper #import pcapy if common.is_linux(): import module.basic.overview if common.is_windows(): import module.basic.overview_win import wmi import win32timezone import win32file import login if common.is_darwin(): import module.basic.overview_mac import module.basic.heartbeat import module.basic.set_language import module.basic.get_info import module.basic.system_status import module.status.resource import module.hardening.vulscan import module.hardening.boot_services import module.terminal.new_pty import module.terminal.write_pty import module.terminal.resize_pty import module.terminal.kill_pty import module.vnc.init_vnc
def cpu_status(response):
virtualization = "None"
cpu_mhz = 0
num_threads = 0
num_process = 0
num_fds = 0
if os.path.exists("/proc/cpuinfo"):
with open("/proc/cpuinfo") as f:
data = f.readlines()
for line in data:
_tmp = line.split(":")
if len(_tmp) != 2:
continue
item, value = (_tmp[0].strip(), _tmp[1].strip())
if item == "cpu MHz":
try:
cpu_mhz = int(float(value))
except:
pass
elif item == "flags":
if "vmx" in value:
virtualization = "Intel VT-x"
if "svm" in value:
virtualization = "AMD-V"
for proc in psutil.process_iter():
try:
num_threads += proc.num_threads()
if common.is_linux():
num_fds += proc.num_fds()
elif common.is_windows():
num_fds += proc.num_handles()
except Exception as e:
pass
num_process += 1
#cache = cpu_cache()
freq = psutil.cpu_freq()
freq = [cpu_mhz, 0, cpu_mhz] if (not freq or len(freq) < 3) else freq
response["cpu"].append([Klanguage().to_ts(1505), "{}%".format(psutil.cpu_percent(interval = 0.2))])
response["cpu"].append([Klanguage().to_ts(1511), num_process])
response["cpu"].append([Klanguage().to_ts(1508), psutil.cpu_count(logical = False)])
response["cpu"].append([Klanguage().to_ts(1514), "{} Mhz".format(freq[0])])
response["cpu"].append([Klanguage().to_ts(1506), virtualization])
response["cpu"].append([Klanguage().to_ts(1509), num_threads])
response["cpu"].append([Klanguage().to_ts(1512), psutil.cpu_count(logical = True)])
response["cpu"].append([Klanguage().to_ts(1515), "{} Mhz".format(freq[1])])
response["cpu"].append([Klanguage().to_ts(1507), sys.byteorder])
response["cpu"].append([Klanguage().to_ts(1510), num_fds])
response["cpu"].append([Klanguage().to_ts(1513), str(datetime.now() - datetime.fromtimestamp(psutil.boot_time())).split(".")[0]])
response["cpu"].append([Klanguage().to_ts(1516), "{} Mhz".format(freq[2])])
def on_initializing(self, *args, **kwargs):
self.reset_monitor_second()
self.db_objs = {}
self.db_maps = {
"audit": Kpickle(constant.DB_AUDIT),
"baseline": Kpickle(constant.DB_BASELINE),
"basic": Kpickle(constant.DB_BASIC),
"fingerprint": Kpickle(constant.DB_FINGERPRINT),
"monitor": Kpickle(constant.DB_MONITOR),
"setting": Kpickle(constant.DB_SETTING),
"strategy": Kpickle(constant.DB_STRATEGY),
"ueba": Kpickle(constant.DB_UEBA),
"virus": Kpickle(constant.DB_VIRUS),
"virus_whitelist": Kpickle(constant.DB_VIRUS_WHITELIST),
"vuls": Kpickle(constant.DB_VULS)
}
db_objs = {
"audit": {
"feature": [],
"authentication": [],
"kernel": [],
"statistic": {
"critical": 0,
"warning": 0
},
"lasttime": 0
},
"baseline": {
"risks": {},
"lasttime": 0
},
"basic": {
"startup_counts": 0,
"uuid": None
},
"fingerprint": {
"port": {
"current": [],
"change": {},
"lasttime": 0
},
"account": {
"current": [],
"change": {},
"lasttime": 0
}
},
"monitor": {
"cpu": [],
"memory": [],
"net_io": {
"tx": [],
"rx": []
},
"disk_io": {
"read": [],
"write": []
},
"procs": [],
"times": [],
"minutes": 0,
"warnings": {
"cpu": [],
"memory": [],
"net_io": [],
"disk_io": []
}
},
"setting": {
"username": "",
"credential": ""
},
"strategy": {},
"ueba": {
"storys": {},
"lasttime": 0
},
"virus": {
"handledList": {},
"isolateList": {},
"untrustList": {},
"allHistory": [],
'lastScanedPath': '',
'finished': 0,
"lasttime": 0,
'searchedCount': 0
},
"virus_whitelist": {},
"vuls": {
"items": {},
"repaired_packages": [],
"record": [],
"lasttime": 0
}
}
for key in self.db_maps.keys():
try:
self.db_objs[key] = self.db_maps[key].load()
except Exception as e:
self.db_objs[key] = db_objs[key]
self.dump(key)
self.startup_update()
self.manual_struct_update()
if len(args) == 0:
if not self.get_obj("setting")["username"] or not self.get_obj(
"setting")["credential"]:
from core.logger import Klogger
Klogger().critical(
"Please use login.py to login Marsnake server first")
if common.is_windows():
import login
login.read_from_user()
return True
else:
return False
return True
def run(payload, socket):
monitor = Kdatabase().get_obj("monitor")
monitor_second = Kdatabase().get_monitor_second()
monitor_warnings = {
"cpu": {
"start_time": 0,
"end_time": 0,
"percent": 0.0,
"percent_count": 0,
"db": None
},
"memory": {
"start_time": 0,
"end_time": 0,
"percent": 0.0,
"percent_count": 0,
"db": None
}
}
counters_ts = 0
while True:
if Kevent().is_terminate():
print("resource thread terminate")
break
if not counters_ts:
psutil.cpu_percent()
disk_counters = psutil.disk_io_counters()
net_counters = psutil.net_io_counters()
counters_ts = datetime.now()
time.sleep(1)
continue
#update counters
now = datetime.now()
interval = (now - counters_ts).total_seconds()
counters_ts = now
if interval > 15.0:
Kdatabase().reset_monitor_second()
monitor_second = Kdatabase().get_monitor_second()
counters_ts = 0
continue
#calculate
net = psutil.net_io_counters()
tx_bytes = (net.bytes_sent - net_counters.bytes_sent) / interval
rx_bytes = (net.bytes_recv - net_counters.bytes_recv) / interval
net_counters = net
disk = psutil.disk_io_counters()
dru = (disk.read_bytes - disk_counters.read_bytes) / interval
dwu = (disk.write_bytes - disk_counters.write_bytes) / interval
disk_counters = disk
monitor_second["cpu"].append(psutil.cpu_percent())
monitor_second["memory"].append(psutil.virtual_memory()[2])
monitor_second["net_io"]["tx"].append(tx_bytes)
monitor_second["net_io"]["rx"].append(rx_bytes)
monitor_second["disk_io"]["read"].append(dru)
monitor_second["disk_io"]["write"].append(dwu)
if not "start_record" in monitor_second or not monitor_second["start_record"]:
monitor_second["start_record"] = now
for proc in psutil.process_iter():
try:
proc.cpu_percent()
except:
pass
if now > monitor_second["start_record"] + timedelta(seconds = RECORD_INTERVAL):
procs = {}
for proc in psutil.process_iter():
try:
if common.is_kernel_thread(proc):
continue
pid = proc.pid
username = "******"
status = "unknown"
beginat = int(time.time())
name = "unknown"
proc_read_bytes = 0
proc_write_bytes = 0
cpu_percent = 0.0
memory_percent = 0.0
thread_num = 0
fds_num = 0
with proc.oneshot():
try:
username = proc.username()
status = proc.status()
beginat = int(proc.create_time())
except:
continue
try:
cmdline = proc.cmdline()
exe = proc.exe()
if exe:
cmdline[0] = exe
name = " ".join(cmdline[:3])
except:
try:
name = proc.name()
except:
continue
try:
io = proc.io_counters()
proc_read_bytes = io[2]
proc_write_bytes = io[3]
except:
pass
try:
cpu_percent = proc.cpu_percent()
memory_percent = proc.memory_percent()
except:
pass
try:
thread_num = proc.num_threads()
if common.is_linux():
fds_num = proc.num_fds()
elif common.is_windows():
fds_num = proc.num_handles()
except:
pass
procs[pid] = {
"name" : name,
"username" : username,
"io_rb": proc_read_bytes,
"io_wb": proc_write_bytes,
"beginat" : beginat,
"status" : status,
"fd" : fds_num,
"thread" : thread_num,
"data" : (cpu_percent, memory_percent)
}
except Exception as e:
#print("pid : {} name : {} error : {}".format(pid, name, str(e)))
pass
upgrade_proc_status(monitor_second, monitor, procs, monitor_warnings)
monitor_second["start_record"] = monitor_second["start_record"] + timedelta(seconds = RECORD_INTERVAL)
if len(monitor_second["cpu"]) > 120:
pop_status(monitor_second)
if interval >= 1:
sleep = 1 - (interval - 1)
if sleep < 0:
sleep = 1
else:
sleep = 1
time.sleep(sleep)
def enum_process_by_users():
process_by_user = {}
# use monitor_second directly may be dangerous since there is no lock
monitor_second = Kdatabase().get_monitor_second().copy()
for proc in psutil.process_iter():
try:
if common.is_kernel_thread(proc):
continue
pid = proc.pid
if pid in monitor_second["procs"]:
saved_proc = monitor_second["procs"][pid]
username = saved_proc["username"]
name = saved_proc["name"]
cpu = saved_proc["data"][0]
memory = saved_proc["data"][1]
threads = saved_proc["thread"]
fds = saved_proc["fd"]
delta = int(time.time()) - saved_proc["beginat"]
delta = delta if delta > 0 else 1
io_read = saved_proc["io_rb"]
io_write = saved_proc["io_wb"]
status = saved_proc["status"]
with proc.oneshot():
try:
memory = proc.memory_percent()
except:
pass
try:
threads = proc.num_threads()
if common.is_linux():
fds = proc.num_fds()
elif common.is_windows():
fds = proc.num_handles()
except:
pass
try:
if "start_record" in monitor_second and monitor_second["start_record"]:
_delta = int(time.time()) - int(monitor_second["start_record"].timestamp())
if _delta <= 0:
_delta = 1
_io = proc.io_counters()
_io_read = _io[2]
_io_write = _io[3]
delta = _delta
io_read = _io_read - saved_proc["io_rb"]
io_write = _io_write - saved_proc["io_wb"]
except:
pass
try:
status = proc.status()
except:
pass
else:
username = "******"
name = "unknown"
cpu = 0.0
memory = 0.0
threads = 0
fds = 0
delta = 1
io_read = 0.0
io_write = 0.0
status = "unknown"
with proc.oneshot():
try:
username = proc.username()
status = proc.status()
except:
continue
try:
cmdline = proc.cmdline()
exe = proc.exe()
if exe:
cmdline[0] = exe
name = " ".join(cmdline[:3])
except:
try:
name = proc.name()
except:
continue
try:
memory = proc.memory_percent()
except:
pass
try:
threads = proc.num_threads()
if common.is_linux():
fds = proc.num_fds()
elif common.is_windows():
fds = proc.num_handles()
except:
pass
try:
_delta = int(time.time()) - int(proc.create_time())
if _delta <= 0:
_delta = 1
_io = proc.io_counters()
_io_read = _io[2]
_io_write = _io[3]
delta = _delta
io_read = _io_read
io_write = _io_write
except:
pass
if not username in process_by_user:
process_by_user[username] = {
"username": username,
"cpu": 0.0,
"memory": 0.0,
"fds": 0,
"threads": 0,
"disk_io": {
"read": 0.0,
"write": 0.0
},
"process": []
}
process_by_user[username]["cpu"] += cpu
process_by_user[username]["memory"] += memory
process_by_user[username]["fds"] += fds
process_by_user[username]["threads"] += threads
process_by_user[username]["disk_io"]["read"] += io_read / delta
process_by_user[username]["disk_io"]["write"] += io_write / delta
process_by_user[username]["process"].append({
"pid": pid,
"name": name,
"cpu": round(cpu, 2),
"memory": round(memory, 2),
"threads": threads,
"fds": fds,
"disk_io": {
"read": round((io_read / delta), 2),
"write": round((io_write / delta), 2)
},
"status": status
})
except Exception as e:
pass
for each in process_by_user.values():
each["cpu"] = round(each["cpu"], 2)
each["memory"] = round(each["memory"], 2)
each["disk_io"]["read"] = round(each["disk_io"]["read"], 2)
each["disk_io"]["write"] = round(each["disk_io"]["write"], 2)
return process_by_user
def list_process_by_users():
process_by_users = enum_process_by_users()
if common.is_linux():
result = []
useradd_users = lib.find_useradd_users()
import pwd
pwall_users = [ x[0] for x in pwd.getpwall() ]
users = [ x for x in useradd_users if x in pwall_users ]
if "root" in process_by_users:
users.insert(0, "root")
for user in users:
if user in process_by_users:
result.append(process_by_users[user])
del process_by_users[user]
if not process_by_users:
return result
non_useradd_users = {
"username": "******",
"cpu": 0.0,
"memory": 0.0,
"fds": 0,
"threads": 0,
"disk_io": {
"read": 0.0,
"write": 0.0
},
"process": []
}
for each in process_by_users.values():
non_useradd_users["cpu"] += each["cpu"]
non_useradd_users["memory"] += each["memory"]
non_useradd_users["fds"] += each["fds"]
non_useradd_users["threads"] += each["threads"]
non_useradd_users["disk_io"]["read"] += each["disk_io"]["read"]
non_useradd_users["disk_io"]["write"] += each["disk_io"]["write"]
non_useradd_users["process"] += each["process"]
non_useradd_users["cpu"] = round(non_useradd_users["cpu"], 2)
non_useradd_users["memory"] = round(non_useradd_users["memory"], 2)
non_useradd_users["disk_io"]["read"] = round(non_useradd_users["disk_io"]["read"], 2)
non_useradd_users["disk_io"]["write"] = round(non_useradd_users["disk_io"]["write"], 2)
result.append(non_useradd_users)
return result
elif common.is_windows():
for each in process_by_users.values():
if '\\' in each["username"]:
each["username"] = each["username"].split("\\")[1]
return list(process_by_users.values())
else:
return list(process_by_users.values())