def init_modules():
    """Initialize plugins.

    Calls ``init_once()`` on every registered plugin class in each category
    (auxiliary, machinery, processing, signatures, reporting), writes the
    resulting plugin tree to the debug log, and finally initializes the
    RunSignatures and ExtractManager classes.  An exception raised by any
    ``init_once()`` is deliberately not caught: a plugin that cannot
    initialize is a hard error.
    """
    log.debug("Imported modules...")

    plugin_categories = (
        "auxiliary",
        "machinery",
        "processing",
        "signatures",
        "reporting",
    )

    # Hard-fail on a broken plugin rather than silently continue without it.
    for name in plugin_categories:
        for plugin in cuckoo.plugins[name]:
            plugin.init_once()

    # Debug listing of the plugin tree; the last entry of each category gets
    # the closing "`--" branch marker, every other entry "|--".
    for name in plugin_categories:
        log.debug("Imported \"%s\" modules:", name)

        plugins = cuckoo.plugins[name]
        for plugin in plugins:
            if plugin == plugins[-1]:
                fmt = "\t `-- %s"
            else:
                fmt = "\t |-- %s"
            log.debug(fmt, plugin.__name__)

    # Initialize the RunSignatures module with all available Signatures and
    # the ExtractManager with all available Extractors, after every plugin
    # category above has been initialized.
    RunSignatures.init_once()
    ExtractManager.init_once()
def init_modules():
    """Initializes plugins.

    For each plugin category, every registered plugin class gets its
    ``init_once()`` called; a failure there propagates as a hard error on
    purpose.  The loaded plugin tree is then written to the debug log, and
    the RunSignatures and ExtractManager classes are initialized last.
    """
    log.debug("Imported modules...")

    categories = (
        "auxiliary", "machinery", "processing", "signatures", "reporting",
    )

    # Initialize first, log second: a plugin whose init_once() raises aborts
    # startup before any "Imported" listing is emitted.
    for category in categories:
        for plugin_cls in cuckoo.plugins[category]:
            plugin_cls.init_once()

    for category in categories:
        log.debug("Imported \"%s\" modules:", category)

        registered = cuckoo.plugins[category]
        for plugin_cls in registered:
            # The last entry closes the tree branch in the log listing.
            is_last = plugin_cls == registered[-1]
            log.debug(
                "\t `-- %s" if is_last else "\t |-- %s", plugin_cls.__name__
            )

    # Initialize the RunSignatures module with all available Signatures and
    # the ExtractManager with all available Extractors.
    RunSignatures.init_once()
    ExtractManager.init_once()
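def test_ident_shellcode():
    """PowerShell byte-array shellcode is extracted and disassembled.

    Builds a ``powershell -e`` command whose decoded script assigns a
    (presumably shikata-ga-nai encoded, per the fixture path) payload to a
    ``[Byte[]]`` variable, feeds it through ExtractManager and checks that
    (1) the decoded script is dumped as ``0.ps1`` and (2) the bytes pulled
    out of it are written as a disassembly listing ``1.bin.txt`` in which
    the payload's embedded domain string is visible in plain text.

    Requires a Cuckoo working directory and the fixture
    ``tests/files/shellcode/shikata/1.bin`` relative to the process cwd.
    All file handles are closed via ``with`` rather than left to the GC.
    """
    import base64

    set_cwd(tempfile.mkdtemp())
    cuckoo_create()

    # Deliberately permissive rule: any "= 0xAA, 0xBB, ...;" run, with or
    # without the 0x prefix, case-insensitive.  Raw string so the regex
    # backslashes are stored verbatim (and do not trigger invalid-escape
    # warnings on newer interpreters); the bytes written are unchanged.
    mkdir(cwd("yara", "scripts"))
    with open(cwd("yara", "scripts", "1.yar"), "wb") as fp:
        fp.write(r"""
rule Shellcode1 {
  strings:
       $Shellcode = /=\s*((0x)?[0-9A-F]{2}\s*[,;]\s*)+/ nocase
  condition:
       all of them
}
""")
    init_yara()

    class Shellcode1(Extractor):
        yara_rules = "Shellcode1"

        def handle_yara(self, filepath, match):
            # In this test the match is "= 0xfc,0x48,...;": drop the leading
            # "= " and the trailing ";" then parse each comma-separated hex
            # token (int(x, 16) accepts both "0x.." and bare hex pairs).
            sc = match.string("Shellcode", 0)
            self.push_shellcode(
                "".join(chr(int(x, 16)) for x in sc[2:-1].split(","))
            )

    ExtractManager.init_once()

    with open("tests/files/shellcode/shikata/1.bin", "rb") as fp:
        sc = shikata(fp.read())
    sc = ",".join("0x%02x" % ord(ch) for ch in sc)

    # powershell -e takes base64 of the UTF-16LE script.  b64encode emits no
    # line breaks, so the newline stripping the base64 codec needed goes away.
    scr = Scripting()
    ps1 = ("[Byte[]]$s = %s;" % sc).encode("utf-16le")
    cmd = scr.parse_command("powershell -e %s" % base64.b64encode(ps1))

    mkdir(cwd(analysis=1))
    em = ExtractManager(1)
    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)

    # Two artifacts: the decoded script and the shellcode pulled out of it.
    assert len(em.items) == 2
    filepath = cwd("extracted", "0.ps1", analysis=1)
    with open(filepath, "rb") as fp:
        assert fp.read().startswith("[Byte[]]$s = 0xfc")

    with open(cwd("extracted", "1.bin.txt", analysis=1), "rb") as fp:
        buf = fp.read()
    assert "call 0x88" in buf
    assert "0x00c1: push 0xc69f8957" in buf
    assert ".db 'www.service.chrome-up.date',0" in buf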
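def test_ident_shellcode():
    """Shellcode embedded as a PowerShell ``[Byte[]]`` literal is extracted.

    A ``powershell -e`` command is synthesized whose UTF-16LE script holds
    the fixture payload as a comma-separated hex array.  After pushing it
    through ExtractManager the test expects two artifacts under
    ``extracted/``: the decoded script (``0.ps1``) and a disassembly dump
    of the recovered bytes (``1.bin.txt``) containing the payload's
    embedded domain string.

    Needs a Cuckoo working directory plus the fixture
    ``tests/files/shellcode/shikata/1.bin`` relative to the process cwd.
    File handles are closed deterministically with ``with``.
    """
    import base64

    set_cwd(tempfile.mkdtemp())
    cuckoo_create()

    # Rule matches any "= 0xAA, 0xBB, ...;" style run, 0x prefix optional,
    # case-insensitive.  Raw string keeps the regex backslashes verbatim
    # (identical bytes to the non-raw form, minus the invalid-escape warning).
    rule_src = r"""
rule Shellcode1 {
  strings:
       $Shellcode = /=\s*((0x)?[0-9A-F]{2}\s*[,;]\s*)+/ nocase
  condition:
       all of them
}
"""
    mkdir(cwd("yara", "scripts"))
    with open(cwd("yara", "scripts", "1.yar"), "wb") as rule_fp:
        rule_fp.write(rule_src)
    init_yara()

    class Shellcode1(Extractor):
        yara_rules = "Shellcode1"

        def handle_yara(self, filepath, match):
            # Matched text in this test is "= 0xfc,...;" -- strip the "= "
            # prefix and ";" suffix, then parse the comma-separated hex tokens.
            hex_run = match.string("Shellcode", 0)
            self.push_shellcode("".join(
                chr(int(tok, 16)) for tok in hex_run[2:-1].split(",")))

    ExtractManager.init_once()

    with open("tests/files/shellcode/shikata/1.bin", "rb") as fixture:
        payload = shikata(fixture.read())
    hex_array = ",".join("0x%02x" % ord(ch) for ch in payload)

    # powershell -e expects base64 of the UTF-16LE script; b64encode already
    # produces a single line, so no newline stripping is required.
    scr = Scripting()
    ps1 = ("[Byte[]]$s = %s;" % hex_array).encode("utf-16le")
    cmd = scr.parse_command("powershell -e %s" % base64.b64encode(ps1))

    mkdir(cwd(analysis=1))
    em = ExtractManager(1)
    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)

    # One item for the decoded script, one for the shellcode inside it.
    assert len(em.items) == 2
    with open(cwd("extracted", "0.ps1", analysis=1), "rb") as script_fp:
        assert script_fp.read().startswith("[Byte[]]$s = 0xfc")

    with open(cwd("extracted", "1.bin.txt", analysis=1), "rb") as dump_fp:
        buf = dump_fp.read()
    assert "call 0x88" in buf
    assert "0x00c1: push 0xc69f8957" in buf
    assert ".db 'www.service.chrome-up.date',0" in buf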
def test_cfgextr():
    """An Extractor's pushed config is surfaced as ``metadata.cfgextr``.

    A trigger-only Extractor pushes a hard-coded family/version config when
    its rule matches.  The test fires it through a hand-built YaraMatch,
    runs the signature stage over the resulting "extracted" section and
    checks that the config lands under ``metadata["cfgextr"]`` and that the
    report score becomes 10.0 while no signatures are listed.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()

    class Trigger1(Extractor):
        yara_rules = "Trigger1"

        def handle_yara(self, filepath, match):
            self.push_config({
                "family": "barfoo",
                "version": "baz",
            })

    ExtractManager.init_once()

    mkdir(cwd(analysis=1))
    manager = ExtractManager(1)

    # Synthesize the match by hand: no file and no real yara scan are
    # involved, hence filepath=None and empty offsets/strings.
    fake_match = YaraMatch({
        "name": "Trigger1",
        "meta": None,
        "offsets": None,
        "strings": [],
    })
    manager.handle_yara(None, fake_match)
    assert len(manager.items) == 1

    report = {
        "extracted": manager.results(),
        "metadata": {},
        "info": {},
    }
    RunSignatures(report).run()

    # A config extracted by an Extractor is treated as conclusive: score is
    # 10.0 even though the signatures list stays empty.
    expected = {
        "info": {
            "score": 10.0,
        },
        "metadata": {
            "cfgextr": [{
                "family": "barfoo",
                "version": "baz",
            }],
        },
        "extracted": mock.ANY,
        "signatures": [],
    }
    assert report == expected
def test_cfgextr():
    """Config pushed from ``handle_yara`` ends up in the report metadata.

    Registers a minimal Extractor that pushes ``{"family": "barfoo",
    "version": "baz"}`` on match, triggers it with a synthetic YaraMatch,
    and verifies that RunSignatures copies the config to
    ``metadata["cfgextr"]`` and sets ``info["score"]`` to 10.0 with an
    empty ``signatures`` list.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()

    class Trigger1(Extractor):
        yara_rules = "Trigger1"

        def handle_yara(self, filepath, match):
            self.push_config({
                "family": "barfoo",
                "version": "baz",
            })

    ExtractManager.init_once()

    mkdir(cwd(analysis=1))
    extractor_mgr = ExtractManager(1)

    # No file is scanned here; the match is fabricated so only "name"
    # carries meaning.
    match_info = {
        "name": "Trigger1",
        "meta": None,
        "offsets": None,
        "strings": [],
    }
    extractor_mgr.handle_yara(None, YaraMatch(match_info))

    assert len(extractor_mgr.items) == 1

    results = {
        "extracted": extractor_mgr.results(),
        "metadata": {},
        "info": {},
    }
    RunSignatures(results).run()

    expected_cfg = [{
        "family": "barfoo",
        "version": "baz",
    }]
    # The extracted section itself is not compared; only its side effects
    # on info/metadata/signatures are pinned.
    assert results == {
        "info": {
            "score": 10.0,
        },
        "metadata": {
            "cfgextr": expected_cfg,
        },
        "extracted": mock.ANY,
        "signatures": [],
    }
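def setup_module():
    """Point the Cuckoo working directory at a private copy of ``~/.cuckoo``.

    The copy is placed inside a freshly created ``mkdtemp()`` directory
    instead of at a bare ``mktemp()`` path: ``mktemp`` only returns a name,
    so another process could claim that path between the call and
    ``copytree`` (the race bandit flags as B306).  ``copytree`` still gets
    a non-existent destination, which it requires.  Signatures are then
    reloaded from the copy and ``ExtractManager._instances`` is cleared
    before ``init_once()`` so nothing left over from earlier test modules
    is reused.

    Assumes ``~/.cuckoo`` exists on the host running the tests.
    """
    # mkdtemp() creates the parent readable/writable only by the current
    # user; the "cwd" child does not exist yet, as copytree requires.
    set_cwd(os.path.join(tempfile.mkdtemp(), "cwd"))
    shutil.copytree(os.path.expanduser("~/.cuckoo"), cwd())
    reload_signatures()
    # Class-level registry reset; presumably keyed per analysis -- verify
    # against ExtractManager before relying on that.
    ExtractManager._instances = {}
    ExtractManager.init_once()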
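def setup_module():
    """Set up a throwaway Cuckoo working directory cloned from ``~/.cuckoo``.

    Uses ``tempfile.mkdtemp()`` (which creates the directory atomically
    with owner-only permissions) as the parent and copies into a not yet
    existing child, replacing the original ``tempfile.mktemp()`` call that
    merely predicted a name and left a window for another process to
    create it first (bandit B306).  ``shutil.copytree`` still receives the
    non-existent destination it requires.  Afterwards signatures are
    reloaded from the copy and the ``ExtractManager._instances`` registry
    is emptied before ``init_once()``.

    Assumes ``~/.cuckoo`` is present on the test host.
    """
    workdir = os.path.join(tempfile.mkdtemp(), "cwd")
    set_cwd(workdir)
    shutil.copytree(os.path.expanduser("~/.cuckoo"), cwd())
    reload_signatures()
    # Drop any ExtractManager instances cached by previously run modules;
    # presumably keyed per analysis id -- confirm in ExtractManager.
    ExtractManager._instances = {}
    ExtractManager.init_once()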