def runInVM(m, job, VMs, adbport, vmlock, adbl, results, fcnt): name = multiprocessing.current_process().name formatter = logging.Formatter(fmt=LOGFORMAT, datefmt=LOGDATEFORMAT) pathForFile = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job[ 'sha256'] + "-run.log" print "HH%sHH" % pathForFile handler = logging.FileHandler(pathForFile, mode='w') handler.setFormatter(formatter) vlogger = logger.getChild("worker" + name + ".vm") vlogger.setLevel(logging.DEBUG) vlogger.addHandler(handler) vlogger.info("logging started at " + pathForFile) rval = True if VMs[m].state in ["Reserved"]: with vmlock: VMlocal = VMs[m] VMlocal.state = "Starting" VMs[m] = VMlocal #emulator doens't observe system hosts: (must start emulator with -partition-size 128 (for example) to give room to write) #adb pull /etc/hosts #edit to 10.0.2.2 (your local machine) #adb remount #adb push hosts /etc/hosts t1 = time.time() #emulator -avd NAME -partition-size 128 -ports 5,2322 -no-window -tcpdump FILE -dns-server SERVER -http-proxy PROXY #TODO instead of wipe-data, would be best to re-create the VM EMUSTART = "%s/emulator -avd %s -partition-size %s -port %s -no-window -tcpdump %s -wipe-data" #./adb logcat #./adb install /storage/malware/RU.apk #./adb shell am broadcast -a android.intent.action.BOOT_COMPLETED #start (with specified ports) #emulator -ports X,Y @avd_X #wait for emulator to be fully started #./adb -s emulator-5584 wait-for-device EMUWAIT = "%s/adb -s %s wait-for-device" EMULOGCAT = "%s/adb -s %s logcat" #command #adb -s emualtor-X shell cmd EMUINSTALL = "%s/adb -s %s install %s" #<INTENT> specifications include these flags: # [-a <ACTION>] [-d <DATA_URI>] [-t <MIME_TYPE>] # [-c <CATEGORY> [-c <CATEGORY>] ...] # [-e|--es <EXTRA_KEY> <EXTRA_STRING_VALUE> ...] # [--esn <EXTRA_KEY> ...] # [--ez <EXTRA_KEY> <EXTRA_BOOLEAN_VALUE> ...] # [-e|--ei <EXTRA_KEY> <EXTRA_INT_VALUE> ...] #adb shell am broadcast -a android.intent.action.BOOT_COMPLETED -c android.intent.category.HOME -n net.fstab.checkit_android/.StartupReceiver #am broadcast -a android.intent.action.BOOT_COMPLETED EMUINTENT = "%s/adb -s %s shell am broadcast -a %s" #adb shell am start -n com.package.name/com.package.name.ActivityName #am start -a android.intent.action.MAIN -n com.iftitah.android.contact/com.iftitah.android.contact.Contact #am start -a <ACTION> -n <PACKAGE>/<PACKAGE><ACTIVITYCLASS> EMULAUNCH = "%s/adb -s %s shell am start -a %s -n %s/%s" #kill #could do adb shell stop #but why really? just going to reset for next run anyway # (though a stop would preserve state) #adb -s emulator-X emu kill EMUKILL = "%s/adb -s %s emu kill" #monkey #$ adb shell monkey -v -p your.package.name 100 --ignore-security-exceptions -s SEED EMUMONKEY = "%s/adb -s %s shell monkey -v -p %s 100 --ignore-security-exceptions -s %s --throttle 250" #update database with start values permissions_filename = job['sha256'] + ".xml" image_used = VMs[m].name start_time = time.strftime("%Y-%m-%d-%H:%M:%S", time.gmtime()) msdb.updateStartRun(job['jobuuid'], image_used, start_time, permissions_filename, MSVERSION) vlogger.info(name + ":" + "...starting VM " + VMs[m].name) #start it cmd = EMUSTART % (SDKPATH, VMs[m].name, PSIZE, str(adbport), MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + "-orig.pcap") vlogger.info(name + ":" + cmd) pEmu = None try: args = shlex.split(cmd) pEmu = subprocess.Popen(args) except: vlogger.info(name + ":" + "emulator start error", sys.exc_info()[0]) sys.exit(1) #check for start error conditions: #emulator: WARNING: ignoring locked SD Card image at /path/to/avd/ms-sdk003-003/sdcard.img #it seems too many emulator instances are running on this machine. Aborting #wait for it to start cmd = EMUWAIT % (ADBPATH, "emulator-" + str(adbport)) vlogger.info(name + ":" + cmd) try: ret = subprocess.check_call([cmd], shell=True) vlogger.info(name + ":" + "emulator wait returned: %d" % ret) except: vlogger.error(name + ":" + "emulator wait error: %s" % cmd) sys.exit(1) vlogger.info(name + ":" + "emulator-" + str(adbport) + " started") time.sleep(VM_POLL_REST * 3) with vmlock: VMlocal = VMs[m] VMlocal.state = "Running" VMs[m] = VMlocal #start logcat #start it cmd = EMULOGCAT % (SDKPATH, "emulator-" + str(adbport)) vlogger.info(name + ":" + cmd) pLogCat = None fLogCat = None try: args = shlex.split(cmd) vlogger.info(args) fLogCat = open( MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + ".logcat", "w") fNull = open("/dev/null") #TODO pLogCat = subprocess.Popen(args, stdin=fNull, stderr=fNull, stdout=fLogCat) except: vlogger.error(name + ": " + cmd) vlogger.error(formatExceptionInfo()) vlogger.error(name + ":" + "emulator logcat error", sys.exc_info()[0]) sys.exit(1) #install malicious app cmd = EMUINSTALL % (ADBPATH, "emulator-" + str(adbport), "'" + job['fullpath'] + "'") vlogger.info(name + ":" + cmd) try: ret = subprocess.check_output([cmd], shell=True) vlogger.info(name + ":" + "emulator install returned: %s" % ret) install_attempts = ADBTRIES while "Success" not in ret and install_attempts > 0: kick_adb_maybe(adbl, fcnt) vlogger.info(name + ":" + "install failed emulator install returned: %s" % ret) time.sleep(VM_POLL_REST) #TODO FIXME, track down why this sometimes stalls forever, seem on SDKs 11 and 14... ret = subprocess.check_output([cmd], shell=True) install_attempts -= 1 if install_attempts <= 0: syslog.syslog( VMs[m].name + ":" + "install failed emulator install returned: %s" % ret) vlogger.error( VMs[m].name + ":" + "install failed emulator install returned: %s" % ret) except: vlogger.error(name + ":" + "emulator install fatal error: %s" % cmd) vlogger.error(formatExceptionInfo()) sys.exit(1) #possible errors: #Error: Could not access the Package Manager. Is the system running? time.sleep(VM_POLL_REST * 3) #stimulate doc = etree.parse(MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + ".xml") package = doc.find('package') li = libIntent.libIntent("localhost", adbport) #for each rint for rint in doc.findall('rint'): vlogger.info(name + " handling " + str(rint.text)) li.handleRIntent(str(rint.text)) #for each permission (actions and rints _should_ catch all these....) for perm in doc.findall('permission'): vlogger.info(name + " handling " + str(perm.text)) li.handlePermission(str(perm.text)) #for each action for action in doc.findall('action'): vlogger.info(name + " handling " + str(action.text)) li.handleAction(str(action.text)) #BROADCASTS are done this way #cmd = EMUINTENT % ( ADBPATH, "emulator-" + str(adbport), "android.intent.action.BOOT_COMPLETED") cmd = EMUINTENT % (ADBPATH, "emulator-" + str(adbport), str(action.text)) vlogger.info(name + ":" + cmd) try: #TODO check for "Broadcast completed" in output, repeat if necessary ret = subprocess.check_call([cmd], shell=True) except: syslog.syslog("app %s error sending intent %s" % (job['sha256'], str(action.text))) vlogger.error(name + ":" + "emulator intent error: %s" % cmd) vlogger.error(name + ":" + "emulator intent error: %d" % ret) #TODO exit is a little too harsh here, but should probably requeue somehow #sys.exit(1) #sys.exit(1) #somethings just don't have nice rint or actions li.sendCall() time.sleep(VM_POLL_REST) li.endAllCalls() #open app # TODO this should not be a for/for loop, the actions shoudl be paired with activities for activity in doc.findall('activity'): for action in doc.findall('action'): vlogger.info(name + ": " + "################## launching activity " + str(activity.text)) cmd = EMULAUNCH % (ADBPATH, "emulator-" + str(adbport), str(action.text), str( package.text), str(activity.text)) vlogger.info(name + ":" + cmd) try: ret = subprocess.check_call([cmd], shell=True) except: vlogger.error(name + ":" + "emulator launch error: %s" % cmd) vlogger.error(name + ":" + "emulator launch error: %d" % ret) #TODO exit is a little too harsh here, but should probably requeue somehow #sys.exit(1) time.sleep(VM_POLL_REST * 5) #monkey around cmd = EMUMONKEY % (ADBPATH, "emulator-" + str(adbport), str(package.text), random.randint(1, 100)) vlogger.info(name + ":" + cmd) try: ret = subprocess.check_output([cmd], shell=True) vlogger.info(name + ":" + "emulator monkey returned: %s" % ret) # monkey_attempts = ADBTRIES # while "Success" not in ret and monkey_attempts > 0: # kick_adb_maybe(adbl, fcnt) # vlogger.info( name + ":" + "monkey failed emulator monkey returned: %s" % ret ) # time.sleep(VM_POLL_REST) # # ret = subprocess.check_output([cmd], shell=True) # monkey_attempts -= 1 # if monkey_attempts <= 0: # syslog.syslog(VMs[m].name + ":" + "monkey failed emulator monkey returned: %s" % ret ) except: vlogger.error(name + ":" + "emulator monkey fatal error: %s" % cmd) syslog.syslog(VMs[m].name + ":" + "monkey failed emulator monkey error: %s" % cmd) vlogger.error(formatExceptionInfo()) sys.exit(1) #kill cmd = EMUKILL % (ADBPATH, "emulator-" + str(adbport)) vlogger.info(name + ":" + cmd) try: ret = subprocess.check_call([cmd], shell=True) except: vlogger.error(name + ":" + "emulator kill error") sys.exit(1) #cleanup if pEmu.poll() is not None: vlogger.info(name + ": " + "poll is " + str(pEmu.poll())) try: pEmu.terminate() except: vlogger.error(name + ": " + "pEmu term failed") #TODO if pLogCat.poll() is not None: #TODO pLogCat.terminate() fLogCat.flush() fLogCat.close() fNull.close() time.sleep(VM_POLL_REST) vlogger.info(name + ":" + "...stopping VM " + VMs[m].name) with vmlock: VMlocal = VMs[m] VMlocal.state = "Off" VMs[m] = VMlocal t2 = time.time() complete_time = time.strftime("%Y-%m-%d-%H:%M:%S", time.gmtime()) results_file = job['sha256'] + ".pcap" msdb.updateFinishRun(job['jobuuid'], complete_time, results_file) #post process pcap, pretty crude for now, adb uses it's port and port+1; so two prunes #...and it seems that adb uses 5555 regardless of which even port is specified originalpcap = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job[ 'sha256'] + "-orig.pcap" tmppcap = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job[ 'sha256'] + "-temp.pcap" finalpcap = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job[ 'sha256'] + ".pcap" #cmd = "prune_pcap.sh %s %s %s" % (os.path.dirname(job['fullpath']) + "/" + job['sha256']+ "-orig.pcap",os.path.dirname(job['fullpath']) + "/" + job['sha256']+ ".pcap", str(adbport)) cmd = "prune_pcap.sh %s %s %s" % (originalpcap, tmppcap, str(adbport)) vlogger.info(name + ":" + cmd) try: ret = subprocess.check_call([cmd], shell=True) except: vlogger.error(name + ":" + "pcap prune error") sys.exit(1) #cmd = "prune_pcap.sh %s %s %s" % (os.path.dirname(job['fullpath']) + "/" + job['sha256']+ "-orig.pcap",os.path.dirname(job['fullpath']) + "/" + job['sha256']+ ".pcap", str(int(adbport)+1)) cmd = "prune_pcap.sh %s %s %s" % (tmppcap, finalpcap, str(int(adbport) + 1)) vlogger.info(name + ":" + cmd) try: ret = subprocess.check_call([cmd], shell=True) except: vlogger.error(name + ":" + "pcap prune error") sys.exit(1) #cmd = "prune_pcap.sh %s %s %s" % (os.path.dirname(job['fullpath']) + "/" + job['sha256']+ "-orig.pcap",os.path.dirname(job['fullpath']) + "/" + job['sha256']+ ".pcap", str(5555)) # cmd = "prune_pcap.sh %s %s %s" % (originalpcap,finalpcap, str(adbport)) # vlogger.info( name + ":" + cmd) # try: # ret = subprocess.check_call([cmd], shell=True) # except: # vlogger.error( name + ":" + "pcap prune error") # sys.exit(1) #TODO unique ip addresses #tshark -r <input.pcap> -T fields -e ip.dst ip.src | sort | uniq vlogger.info(name + ":" + "sample took %s seconds process" % str(t2 - t1)) results.put(t2 - t1) elif VMs[m].state in ["Off"]: vlogger.info(name + ":" + VMs[m].name + "run error: found in state OFF!") rval = False elif VMs[m].state in ["Ready"]: vlogger.info(name + ":" + VMs[m].name + "run error: is running and not available for new malware") rval = False #if m.name in assignments: # if assignments[m.name]['timeout'] <= time.time(): # #do anything you want to wrap up # job_post_process(m) # job_cleanup(m) # vm_poweroff(m) #else: # if the machine is running but there is no job assigned to it then kill it # pcap_terminate(m) # vm_poweroff(m) # else: #not sure this is relevant...may need to remove it # vm_poweroff(m) #I need to get a list of states that I want to poweroff by default return rval
import sys import libIntent import time #this is designed to be used on a local machine with an instance of the #emulator running #it will test certain libIntent and adbconsole methods by speaking #directly to the adb port #sleeptime, so you can observe successes visually in the emulator n = 1 li = libIntent.libIntent("localhost",5554) time.sleep(n) li.sendSMStoDevice() time.sleep(n) li.setBatteryLevel() #li.unplugPower() li.sendCall() time.sleep(n) number = li.sendCall() time.sleep(n) li.endCall(number) time.sleep(n)
import sys import libIntent import time #this is designed to be used on a local machine with an instance of the #emulator running #it will test certain libIntent and adbconsole methods by speaking #directly to the adb port #sleeptime, so you can observe successes visually in the emulator n = 1 li = libIntent.libIntent("localhost", 5554) time.sleep(n) li.sendSMStoDevice() time.sleep(n) li.setBatteryLevel() #li.unplugPower() li.sendCall() time.sleep(n) number = li.sendCall() time.sleep(n) li.endCall(number) time.sleep(n)
def runInVM(m,job,VMs,adbport,vmlock,adbl,results, fcnt): name = multiprocessing.current_process().name formatter = logging.Formatter(fmt=LOGFORMAT,datefmt=LOGDATEFORMAT) pathForFile = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + "-run.log" print "HH%sHH" % pathForFile handler = logging.FileHandler(pathForFile, mode='w') handler.setFormatter(formatter) vlogger = logger.getChild("worker" + name + ".vm") vlogger.setLevel(logging.DEBUG) vlogger.addHandler(handler) vlogger.info("logging started at " + pathForFile) rval = True if VMs[m].state in ["Reserved"] : with vmlock: VMlocal = VMs[m]; VMlocal.state = "Starting" VMs[m] = VMlocal; #emulator doens't observe system hosts: (must start emulator with -partition-size 128 (for example) to give room to write) #adb pull /etc/hosts #edit to 10.0.2.2 (your local machine) #adb remount #adb push hosts /etc/hosts t1 = time.time() #emulator -avd NAME -partition-size 128 -ports 5,2322 -no-window -tcpdump FILE -dns-server SERVER -http-proxy PROXY #TODO instead of wipe-data, would be best to re-create the VM EMUSTART = "%s/emulator -avd %s -partition-size %s -port %s -no-window -tcpdump %s -wipe-data" #./adb logcat #./adb install /storage/malware/RU.apk #./adb shell am broadcast -a android.intent.action.BOOT_COMPLETED #start (with specified ports) #emulator -ports X,Y @avd_X #wait for emulator to be fully started #./adb -s emulator-5584 wait-for-device EMUWAIT = "%s/adb -s %s wait-for-device" EMULOGCAT = "%s/adb -s %s logcat" #command #adb -s emualtor-X shell cmd EMUINSTALL = "%s/adb -s %s install %s" #<INTENT> specifications include these flags: # [-a <ACTION>] [-d <DATA_URI>] [-t <MIME_TYPE>] # [-c <CATEGORY> [-c <CATEGORY>] ...] # [-e|--es <EXTRA_KEY> <EXTRA_STRING_VALUE> ...] # [--esn <EXTRA_KEY> ...] # [--ez <EXTRA_KEY> <EXTRA_BOOLEAN_VALUE> ...] # [-e|--ei <EXTRA_KEY> <EXTRA_INT_VALUE> ...] #adb shell am broadcast -a android.intent.action.BOOT_COMPLETED -c android.intent.category.HOME -n net.fstab.checkit_android/.StartupReceiver #am broadcast -a android.intent.action.BOOT_COMPLETED EMUINTENT = "%s/adb -s %s shell am broadcast -a %s" #adb shell am start -n com.package.name/com.package.name.ActivityName #am start -a android.intent.action.MAIN -n com.iftitah.android.contact/com.iftitah.android.contact.Contact #am start -a <ACTION> -n <PACKAGE>/<PACKAGE><ACTIVITYCLASS> EMULAUNCH = "%s/adb -s %s shell am start -a %s -n %s/%s" #kill #could do adb shell stop #but why really? just going to reset for next run anyway # (though a stop would preserve state) #adb -s emulator-X emu kill EMUKILL = "%s/adb -s %s emu kill" #monkey #$ adb shell monkey -v -p your.package.name 100 --ignore-security-exceptions -s SEED EMUMONKEY = "%s/adb -s %s shell monkey -v -p %s 100 --ignore-security-exceptions -s %s --throttle 250" #update database with start values permissions_filename = job['sha256'] + ".xml" image_used = VMs[m].name start_time = time.strftime("%Y-%m-%d-%H:%M:%S", time.gmtime()) msdb.updateStartRun(job['jobuuid'],image_used,start_time,permissions_filename,MSVERSION) vlogger.info( name + ":" + "...starting VM " + VMs[m].name) #start it cmd = EMUSTART % ( SDKPATH, VMs[m].name, PSIZE, str(adbport), MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256']+ "-orig.pcap") vlogger.info( name + ":" + cmd) pEmu = None try: args = shlex.split(cmd) pEmu = subprocess.Popen(args) except: vlogger.info( name + ":" + "emulator start error", sys.exc_info()[0]) sys.exit(1) #check for start error conditions: #emulator: WARNING: ignoring locked SD Card image at /path/to/avd/ms-sdk003-003/sdcard.img #it seems too many emulator instances are running on this machine. Aborting #wait for it to start cmd = EMUWAIT % ( ADBPATH, "emulator-" + str(adbport)) vlogger.info( name + ":" + cmd) try: ret = subprocess.check_call([cmd], shell=True) vlogger.info( name + ":" + "emulator wait returned: %d" % ret ) except: vlogger.error( name + ":" + "emulator wait error: %s" % cmd ) sys.exit(1) vlogger.info( name + ":" + "emulator-" + str(adbport) + " started") time.sleep(VM_POLL_REST * 3) with vmlock: VMlocal = VMs[m]; VMlocal.state = "Running" VMs[m] = VMlocal; #start logcat #start it cmd = EMULOGCAT % ( SDKPATH, "emulator-" + str(adbport)) vlogger.info( name + ":" + cmd) pLogCat = None fLogCat = None try: args = shlex.split(cmd) vlogger.info( args) fLogCat = open(MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + ".logcat","w") fNull = open("/dev/null") #TODO pLogCat = subprocess.Popen(args, stdin=fNull, stderr=fNull, stdout=fLogCat) except: vlogger.error( name + ": " + cmd ) vlogger.error( formatExceptionInfo()) vlogger.error( name + ":" + "emulator logcat error", sys.exc_info()[0]) sys.exit(1) #install malicious app cmd = EMUINSTALL % ( ADBPATH, "emulator-" + str(adbport), "'" + job['fullpath'] + "'") vlogger.info( name + ":" + cmd) try: ret = subprocess.check_output([cmd], shell=True) vlogger.info( name + ":" + "emulator install returned: %s" % ret ) install_attempts = ADBTRIES while "Success" not in ret and install_attempts > 0: kick_adb_maybe(adbl, fcnt) vlogger.info( name + ":" + "install failed emulator install returned: %s" % ret ) time.sleep(VM_POLL_REST) #TODO FIXME, track down why this sometimes stalls forever, seem on SDKs 11 and 14... ret = subprocess.check_output([cmd], shell=True) install_attempts -= 1 if install_attempts <= 0: syslog.syslog(VMs[m].name + ":" + "install failed emulator install returned: %s" % ret ) vlogger.error(VMs[m].name + ":" + "install failed emulator install returned: %s" % ret ) except: vlogger.error( name + ":" + "emulator install fatal error: %s" % cmd ) vlogger.error( formatExceptionInfo()) sys.exit(1) #possible errors: #Error: Could not access the Package Manager. Is the system running? time.sleep(VM_POLL_REST * 3) #stimulate doc = etree.parse( MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + ".xml") package = doc.find('package') li = libIntent.libIntent("localhost",adbport) #for each rint for rint in doc.findall('rint'): vlogger.info( name + " handling " + str(rint.text)) li.handleRIntent(str(rint.text)) #for each permission (actions and rints _should_ catch all these....) for perm in doc.findall('permission'): vlogger.info( name + " handling " + str(perm.text)) li.handlePermission(str(perm.text)) #for each action for action in doc.findall('action'): vlogger.info( name + " handling " + str(action.text)) li.handleAction(str(action.text)) #BROADCASTS are done this way #cmd = EMUINTENT % ( ADBPATH, "emulator-" + str(adbport), "android.intent.action.BOOT_COMPLETED") cmd = EMUINTENT % ( ADBPATH, "emulator-" + str(adbport), str(action.text)) vlogger.info( name + ":" + cmd) try: #TODO check for "Broadcast completed" in output, repeat if necessary ret = subprocess.check_call([cmd], shell=True) except: syslog.syslog("app %s error sending intent %s" % (job['sha256'],str(action.text))) vlogger.error( name + ":" + "emulator intent error: %s" % cmd ) vlogger.error( name + ":" + "emulator intent error: %d" % ret ) #TODO exit is a little too harsh here, but should probably requeue somehow #sys.exit(1) #sys.exit(1) #somethings just don't have nice rint or actions li.sendCall() time.sleep(VM_POLL_REST) li.endAllCalls() #open app # TODO this should not be a for/for loop, the actions shoudl be paired with activities for activity in doc.findall('activity'): for action in doc.findall('action'): vlogger.info( name + ": " + "################## launching activity " + str(activity.text)) cmd = EMULAUNCH % ( ADBPATH, "emulator-" + str(adbport), str(action.text), str(package.text), str(activity.text)) vlogger.info( name + ":" + cmd) try: ret = subprocess.check_call([cmd], shell=True) except: vlogger.error( name + ":" + "emulator launch error: %s" % cmd ) vlogger.error( name + ":" + "emulator launch error: %d" % ret ) #TODO exit is a little too harsh here, but should probably requeue somehow #sys.exit(1) time.sleep(VM_POLL_REST * 5) #monkey around cmd = EMUMONKEY % ( ADBPATH, "emulator-" + str(adbport), str(package.text), random.randint(1,100)) vlogger.info( name + ":" + cmd) try: ret = subprocess.check_output([cmd], shell=True) vlogger.info( name + ":" + "emulator monkey returned: %s" % ret ) # monkey_attempts = ADBTRIES # while "Success" not in ret and monkey_attempts > 0: # kick_adb_maybe(adbl, fcnt) # vlogger.info( name + ":" + "monkey failed emulator monkey returned: %s" % ret ) # time.sleep(VM_POLL_REST) # # ret = subprocess.check_output([cmd], shell=True) # monkey_attempts -= 1 # if monkey_attempts <= 0: # syslog.syslog(VMs[m].name + ":" + "monkey failed emulator monkey returned: %s" % ret ) except: vlogger.error( name + ":" + "emulator monkey fatal error: %s" % cmd ) syslog.syslog(VMs[m].name + ":" + "monkey failed emulator monkey error: %s" % cmd ) vlogger.error( formatExceptionInfo()) sys.exit(1) #kill cmd = EMUKILL % ( ADBPATH, "emulator-" + str(adbport)) vlogger.info( name + ":" + cmd) try: ret = subprocess.check_call([cmd], shell=True) except: vlogger.error( name + ":" + "emulator kill error") sys.exit(1) #cleanup if pEmu.poll() is not None: vlogger.info( name + ": " + "poll is " + str(pEmu.poll())) try: pEmu.terminate() except: vlogger.error( name + ": " + "pEmu term failed") #TODO if pLogCat.poll() is not None: #TODO pLogCat.terminate() fLogCat.flush() fLogCat.close() fNull.close() time.sleep(VM_POLL_REST) vlogger.info( name + ":" + "...stopping VM " + VMs[m].name) with vmlock: VMlocal = VMs[m]; VMlocal.state = "Off" VMs[m] = VMlocal; t2 = time.time() complete_time = time.strftime("%Y-%m-%d-%H:%M:%S", time.gmtime()) results_file = job['sha256'] + ".pcap" msdb.updateFinishRun(job['jobuuid'],complete_time,results_file) #post process pcap, pretty crude for now, adb uses it's port and port+1; so two prunes #...and it seems that adb uses 5555 regardless of which even port is specified originalpcap = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + "-orig.pcap" tmppcap = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + "-temp.pcap" finalpcap = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + ".pcap" #cmd = "prune_pcap.sh %s %s %s" % (os.path.dirname(job['fullpath']) + "/" + job['sha256']+ "-orig.pcap",os.path.dirname(job['fullpath']) + "/" + job['sha256']+ ".pcap", str(adbport)) cmd = "prune_pcap.sh %s %s %s" % (originalpcap,tmppcap, str(adbport)) vlogger.info( name + ":" + cmd) try: ret = subprocess.check_call([cmd], shell=True) except: vlogger.error( name + ":" + "pcap prune error") sys.exit(1) #cmd = "prune_pcap.sh %s %s %s" % (os.path.dirname(job['fullpath']) + "/" + job['sha256']+ "-orig.pcap",os.path.dirname(job['fullpath']) + "/" + job['sha256']+ ".pcap", str(int(adbport)+1)) cmd = "prune_pcap.sh %s %s %s" % (tmppcap,finalpcap, str(int(adbport)+1)) vlogger.info( name + ":" + cmd) try: ret = subprocess.check_call([cmd], shell=True) except: vlogger.error( name + ":" + "pcap prune error") sys.exit(1) #cmd = "prune_pcap.sh %s %s %s" % (os.path.dirname(job['fullpath']) + "/" + job['sha256']+ "-orig.pcap",os.path.dirname(job['fullpath']) + "/" + job['sha256']+ ".pcap", str(5555)) # cmd = "prune_pcap.sh %s %s %s" % (originalpcap,finalpcap, str(adbport)) # vlogger.info( name + ":" + cmd) # try: # ret = subprocess.check_call([cmd], shell=True) # except: # vlogger.error( name + ":" + "pcap prune error") # sys.exit(1) #TODO unique ip addresses #tshark -r <input.pcap> -T fields -e ip.dst ip.src | sort | uniq vlogger.info( name + ":" + "sample took %s seconds process" % str(t2 - t1)) results.put(t2-t1) elif VMs[m].state in ["Off"]: vlogger.info( name + ":" + VMs[m].name + "run error: found in state OFF!") rval = False elif VMs[m].state in ["Ready"]: vlogger.info( name + ":" + VMs[m].name + "run error: is running and not available for new malware") rval = False #if m.name in assignments: # if assignments[m.name]['timeout'] <= time.time(): # #do anything you want to wrap up # job_post_process(m) # job_cleanup(m) # vm_poweroff(m) #else: # if the machine is running but there is no job assigned to it then kill it # pcap_terminate(m) # vm_poweroff(m) # else: #not sure this is relevant...may need to remove it # vm_poweroff(m) #I need to get a list of states that I want to poweroff by default return rval