def runInVM(m, job, VMs, adbport, vmlock, adbl, results, fcnt):
name = multiprocessing.current_process().name
formatter = logging.Formatter(fmt=LOGFORMAT, datefmt=LOGDATEFORMAT)
pathForFile = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job[
'sha256'] + "-run.log"
print "HH%sHH" % pathForFile
handler = logging.FileHandler(pathForFile, mode='w')
handler.setFormatter(formatter)
vlogger = logger.getChild("worker" + name + ".vm")
vlogger.setLevel(logging.DEBUG)
vlogger.addHandler(handler)
vlogger.info("logging started at " + pathForFile)
rval = True
if VMs[m].state in ["Reserved"]:
with vmlock:
VMlocal = VMs[m]
VMlocal.state = "Starting"
VMs[m] = VMlocal
#emulator doens't observe system hosts: (must start emulator with -partition-size 128 (for example) to give room to write)
#adb pull /etc/hosts
#edit to 10.0.2.2 (your local machine)
#adb remount
#adb push hosts /etc/hosts
t1 = time.time()
#emulator -avd NAME -partition-size 128 -ports 5,2322 -no-window -tcpdump FILE -dns-server SERVER -http-proxy PROXY
#TODO instead of wipe-data, would be best to re-create the VM
EMUSTART = "%s/emulator -avd %s -partition-size %s -port %s -no-window -tcpdump %s -wipe-data"
#./adb logcat
#./adb install /storage/malware/RU.apk
#./adb shell am broadcast -a android.intent.action.BOOT_COMPLETED
#start (with specified ports)
#emulator -ports X,Y @avd_X
#wait for emulator to be fully started
#./adb -s emulator-5584 wait-for-device
EMUWAIT = "%s/adb -s %s wait-for-device"
EMULOGCAT = "%s/adb -s %s logcat"
#command
#adb -s emualtor-X shell cmd
EMUINSTALL = "%s/adb -s %s install %s"
#<INTENT> specifications include these flags:
# [-a <ACTION>] [-d <DATA_URI>] [-t <MIME_TYPE>]
# [-c <CATEGORY> [-c <CATEGORY>] ...]
# [-e|--es <EXTRA_KEY> <EXTRA_STRING_VALUE> ...]
# [--esn <EXTRA_KEY> ...]
# [--ez <EXTRA_KEY> <EXTRA_BOOLEAN_VALUE> ...]
# [-e|--ei <EXTRA_KEY> <EXTRA_INT_VALUE> ...]
#adb shell am broadcast -a android.intent.action.BOOT_COMPLETED -c android.intent.category.HOME -n net.fstab.checkit_android/.StartupReceiver
#am broadcast -a android.intent.action.BOOT_COMPLETED
EMUINTENT = "%s/adb -s %s shell am broadcast -a %s"
#adb shell am start -n com.package.name/com.package.name.ActivityName
#am start -a android.intent.action.MAIN -n com.iftitah.android.contact/com.iftitah.android.contact.Contact
#am start -a <ACTION> -n <PACKAGE>/<PACKAGE><ACTIVITYCLASS>
EMULAUNCH = "%s/adb -s %s shell am start -a %s -n %s/%s"
#kill
#could do adb shell stop
#but why really? just going to reset for next run anyway
# (though a stop would preserve state)
#adb -s emulator-X emu kill
EMUKILL = "%s/adb -s %s emu kill"
#monkey
#$ adb shell monkey -v -p your.package.name 100 --ignore-security-exceptions -s SEED
EMUMONKEY = "%s/adb -s %s shell monkey -v -p %s 100 --ignore-security-exceptions -s %s --throttle 250"
#update database with start values
permissions_filename = job['sha256'] + ".xml"
image_used = VMs[m].name
start_time = time.strftime("%Y-%m-%d-%H:%M:%S", time.gmtime())
msdb.updateStartRun(job['jobuuid'], image_used, start_time,
permissions_filename, MSVERSION)
vlogger.info(name + ":" + "...starting VM " + VMs[m].name)
#start it
cmd = EMUSTART % (SDKPATH, VMs[m].name, PSIZE, str(adbport),
MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" +
job['sha256'] + "-orig.pcap")
vlogger.info(name + ":" + cmd)
pEmu = None
try:
args = shlex.split(cmd)
pEmu = subprocess.Popen(args)
except:
vlogger.info(name + ":" + "emulator start error",
sys.exc_info()[0])
sys.exit(1)
#check for start error conditions:
#emulator: WARNING: ignoring locked SD Card image at /path/to/avd/ms-sdk003-003/sdcard.img
#it seems too many emulator instances are running on this machine. Aborting
#wait for it to start
cmd = EMUWAIT % (ADBPATH, "emulator-" + str(adbport))
vlogger.info(name + ":" + cmd)
try:
ret = subprocess.check_call([cmd], shell=True)
vlogger.info(name + ":" + "emulator wait returned: %d" % ret)
except:
vlogger.error(name + ":" + "emulator wait error: %s" % cmd)
sys.exit(1)
vlogger.info(name + ":" + "emulator-" + str(adbport) + " started")
time.sleep(VM_POLL_REST * 3)
with vmlock:
VMlocal = VMs[m]
VMlocal.state = "Running"
VMs[m] = VMlocal
#start logcat
#start it
cmd = EMULOGCAT % (SDKPATH, "emulator-" + str(adbport))
vlogger.info(name + ":" + cmd)
pLogCat = None
fLogCat = None
try:
args = shlex.split(cmd)
vlogger.info(args)
fLogCat = open(
MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] +
".logcat", "w")
fNull = open("/dev/null")
#TODO pLogCat = subprocess.Popen(args, stdin=fNull, stderr=fNull, stdout=fLogCat)
except:
vlogger.error(name + ": " + cmd)
vlogger.error(formatExceptionInfo())
vlogger.error(name + ":" + "emulator logcat error",
sys.exc_info()[0])
sys.exit(1)
#install malicious app
cmd = EMUINSTALL % (ADBPATH, "emulator-" + str(adbport),
"'" + job['fullpath'] + "'")
vlogger.info(name + ":" + cmd)
try:
ret = subprocess.check_output([cmd], shell=True)
vlogger.info(name + ":" + "emulator install returned: %s" % ret)
install_attempts = ADBTRIES
while "Success" not in ret and install_attempts > 0:
kick_adb_maybe(adbl, fcnt)
vlogger.info(name + ":" +
"install failed emulator install returned: %s" %
ret)
time.sleep(VM_POLL_REST)
#TODO FIXME, track down why this sometimes stalls forever, seem on SDKs 11 and 14...
ret = subprocess.check_output([cmd], shell=True)
install_attempts -= 1
if install_attempts <= 0:
syslog.syslog(
VMs[m].name + ":" +
"install failed emulator install returned: %s" % ret)
vlogger.error(
VMs[m].name + ":" +
"install failed emulator install returned: %s" % ret)
except:
vlogger.error(name + ":" +
"emulator install fatal error: %s" % cmd)
vlogger.error(formatExceptionInfo())
sys.exit(1)
#possible errors:
#Error: Could not access the Package Manager. Is the system running?
time.sleep(VM_POLL_REST * 3)
#stimulate
doc = etree.parse(MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" +
job['sha256'] + ".xml")
package = doc.find('package')
li = libIntent.libIntent("localhost", adbport)
#for each rint
for rint in doc.findall('rint'):
vlogger.info(name + " handling " + str(rint.text))
li.handleRIntent(str(rint.text))
#for each permission (actions and rints _should_ catch all these....)
for perm in doc.findall('permission'):
vlogger.info(name + " handling " + str(perm.text))
li.handlePermission(str(perm.text))
#for each action
for action in doc.findall('action'):
vlogger.info(name + " handling " + str(action.text))
li.handleAction(str(action.text))
#BROADCASTS are done this way
#cmd = EMUINTENT % ( ADBPATH, "emulator-" + str(adbport), "android.intent.action.BOOT_COMPLETED")
cmd = EMUINTENT % (ADBPATH, "emulator-" + str(adbport),
str(action.text))
vlogger.info(name + ":" + cmd)
try:
#TODO check for "Broadcast completed" in output, repeat if necessary
ret = subprocess.check_call([cmd], shell=True)
except:
syslog.syslog("app %s error sending intent %s" %
(job['sha256'], str(action.text)))
vlogger.error(name + ":" + "emulator intent error: %s" % cmd)
vlogger.error(name + ":" + "emulator intent error: %d" % ret)
#TODO exit is a little too harsh here, but should probably requeue somehow
#sys.exit(1)
#sys.exit(1)
#somethings just don't have nice rint or actions
li.sendCall()
time.sleep(VM_POLL_REST)
li.endAllCalls()
#open app
# TODO this should not be a for/for loop, the actions shoudl be paired with activities
for activity in doc.findall('activity'):
for action in doc.findall('action'):
vlogger.info(name + ": " +
"################## launching activity " +
str(activity.text))
cmd = EMULAUNCH % (ADBPATH, "emulator-" + str(adbport),
str(action.text), str(
package.text), str(activity.text))
vlogger.info(name + ":" + cmd)
try:
ret = subprocess.check_call([cmd], shell=True)
except:
vlogger.error(name + ":" +
"emulator launch error: %s" % cmd)
vlogger.error(name + ":" +
"emulator launch error: %d" % ret)
#TODO exit is a little too harsh here, but should probably requeue somehow
#sys.exit(1)
time.sleep(VM_POLL_REST * 5)
#monkey around
cmd = EMUMONKEY % (ADBPATH, "emulator-" + str(adbport),
str(package.text), random.randint(1, 100))
vlogger.info(name + ":" + cmd)
try:
ret = subprocess.check_output([cmd], shell=True)
vlogger.info(name + ":" + "emulator monkey returned: %s" % ret)
# monkey_attempts = ADBTRIES
# while "Success" not in ret and monkey_attempts > 0:
# kick_adb_maybe(adbl, fcnt)
# vlogger.info( name + ":" + "monkey failed emulator monkey returned: %s" % ret )
# time.sleep(VM_POLL_REST)
#
# ret = subprocess.check_output([cmd], shell=True)
# monkey_attempts -= 1
# if monkey_attempts <= 0:
# syslog.syslog(VMs[m].name + ":" + "monkey failed emulator monkey returned: %s" % ret )
except:
vlogger.error(name + ":" + "emulator monkey fatal error: %s" % cmd)
syslog.syslog(VMs[m].name + ":" +
"monkey failed emulator monkey error: %s" % cmd)
vlogger.error(formatExceptionInfo())
sys.exit(1)
#kill
cmd = EMUKILL % (ADBPATH, "emulator-" + str(adbport))
vlogger.info(name + ":" + cmd)
try:
ret = subprocess.check_call([cmd], shell=True)
except:
vlogger.error(name + ":" + "emulator kill error")
sys.exit(1)
#cleanup
if pEmu.poll() is not None:
vlogger.info(name + ": " + "poll is " + str(pEmu.poll()))
try:
pEmu.terminate()
except:
vlogger.error(name + ": " + "pEmu term failed")
#TODO if pLogCat.poll() is not None:
#TODO pLogCat.terminate()
fLogCat.flush()
fLogCat.close()
fNull.close()
time.sleep(VM_POLL_REST)
vlogger.info(name + ":" + "...stopping VM " + VMs[m].name)
with vmlock:
VMlocal = VMs[m]
VMlocal.state = "Off"
VMs[m] = VMlocal
t2 = time.time()
complete_time = time.strftime("%Y-%m-%d-%H:%M:%S", time.gmtime())
results_file = job['sha256'] + ".pcap"
msdb.updateFinishRun(job['jobuuid'], complete_time, results_file)
#post process pcap, pretty crude for now, adb uses it's port and port+1; so two prunes
#...and it seems that adb uses 5555 regardless of which even port is specified
originalpcap = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job[
'sha256'] + "-orig.pcap"
tmppcap = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job[
'sha256'] + "-temp.pcap"
finalpcap = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job[
'sha256'] + ".pcap"
#cmd = "prune_pcap.sh %s %s %s" % (os.path.dirname(job['fullpath']) + "/" + job['sha256']+ "-orig.pcap",os.path.dirname(job['fullpath']) + "/" + job['sha256']+ ".pcap", str(adbport))
cmd = "prune_pcap.sh %s %s %s" % (originalpcap, tmppcap, str(adbport))
vlogger.info(name + ":" + cmd)
try:
ret = subprocess.check_call([cmd], shell=True)
except:
vlogger.error(name + ":" + "pcap prune error")
sys.exit(1)
#cmd = "prune_pcap.sh %s %s %s" % (os.path.dirname(job['fullpath']) + "/" + job['sha256']+ "-orig.pcap",os.path.dirname(job['fullpath']) + "/" + job['sha256']+ ".pcap", str(int(adbport)+1))
cmd = "prune_pcap.sh %s %s %s" % (tmppcap, finalpcap,
str(int(adbport) + 1))
vlogger.info(name + ":" + cmd)
try:
ret = subprocess.check_call([cmd], shell=True)
except:
vlogger.error(name + ":" + "pcap prune error")
sys.exit(1)
#cmd = "prune_pcap.sh %s %s %s" % (os.path.dirname(job['fullpath']) + "/" + job['sha256']+ "-orig.pcap",os.path.dirname(job['fullpath']) + "/" + job['sha256']+ ".pcap", str(5555))
# cmd = "prune_pcap.sh %s %s %s" % (originalpcap,finalpcap, str(adbport))
# vlogger.info( name + ":" + cmd)
# try:
# ret = subprocess.check_call([cmd], shell=True)
# except:
# vlogger.error( name + ":" + "pcap prune error")
# sys.exit(1)
#TODO unique ip addresses
#tshark -r <input.pcap> -T fields -e ip.dst ip.src | sort | uniq
vlogger.info(name + ":" +
"sample took %s seconds process" % str(t2 - t1))
results.put(t2 - t1)
elif VMs[m].state in ["Off"]:
vlogger.info(name + ":" + VMs[m].name +
"run error: found in state OFF!")
rval = False
elif VMs[m].state in ["Ready"]:
vlogger.info(name + ":" + VMs[m].name +
"run error: is running and not available for new malware")
rval = False
#if m.name in assignments:
# if assignments[m.name]['timeout'] <= time.time():
# #do anything you want to wrap up
# job_post_process(m)
# job_cleanup(m)
# vm_poweroff(m)
#else: # if the machine is running but there is no job assigned to it then kill it
# pcap_terminate(m)
# vm_poweroff(m)
# else: #not sure this is relevant...may need to remove it
# vm_poweroff(m) #I need to get a list of states that I want to poweroff by default
return rval
import sys
import libIntent
import time
#this is designed to be used on a local machine with an instance of the
#emulator running
#it will test certain libIntent and adbconsole methods by speaking
#directly to the adb port
#sleeptime, so you can observe successes visually in the emulator
n = 1
li = libIntent.libIntent("localhost",5554)
time.sleep(n)
li.sendSMStoDevice()
time.sleep(n)
li.setBatteryLevel()
#li.unplugPower()
li.sendCall()
time.sleep(n)
number = li.sendCall()
time.sleep(n)
li.endCall(number)
time.sleep(n)
import sys
import libIntent
import time
#this is designed to be used on a local machine with an instance of the
#emulator running
#it will test certain libIntent and adbconsole methods by speaking
#directly to the adb port
#sleeptime, so you can observe successes visually in the emulator
n = 1
li = libIntent.libIntent("localhost", 5554)
time.sleep(n)
li.sendSMStoDevice()
time.sleep(n)
li.setBatteryLevel()
#li.unplugPower()
li.sendCall()
time.sleep(n)
number = li.sendCall()
time.sleep(n)
li.endCall(number)
time.sleep(n)
def runInVM(m,job,VMs,adbport,vmlock,adbl,results, fcnt):
name = multiprocessing.current_process().name
formatter = logging.Formatter(fmt=LOGFORMAT,datefmt=LOGDATEFORMAT)
pathForFile = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + "-run.log"
print "HH%sHH" % pathForFile
handler = logging.FileHandler(pathForFile, mode='w')
handler.setFormatter(formatter)
vlogger = logger.getChild("worker" + name + ".vm")
vlogger.setLevel(logging.DEBUG)
vlogger.addHandler(handler)
vlogger.info("logging started at " + pathForFile)
rval = True
if VMs[m].state in ["Reserved"] :
with vmlock:
VMlocal = VMs[m];
VMlocal.state = "Starting"
VMs[m] = VMlocal;
#emulator doens't observe system hosts: (must start emulator with -partition-size 128 (for example) to give room to write)
#adb pull /etc/hosts
#edit to 10.0.2.2 (your local machine)
#adb remount
#adb push hosts /etc/hosts
t1 = time.time()
#emulator -avd NAME -partition-size 128 -ports 5,2322 -no-window -tcpdump FILE -dns-server SERVER -http-proxy PROXY
#TODO instead of wipe-data, would be best to re-create the VM
EMUSTART = "%s/emulator -avd %s -partition-size %s -port %s -no-window -tcpdump %s -wipe-data"
#./adb logcat
#./adb install /storage/malware/RU.apk
#./adb shell am broadcast -a android.intent.action.BOOT_COMPLETED
#start (with specified ports)
#emulator -ports X,Y @avd_X
#wait for emulator to be fully started
#./adb -s emulator-5584 wait-for-device
EMUWAIT = "%s/adb -s %s wait-for-device"
EMULOGCAT = "%s/adb -s %s logcat"
#command
#adb -s emualtor-X shell cmd
EMUINSTALL = "%s/adb -s %s install %s"
#<INTENT> specifications include these flags:
# [-a <ACTION>] [-d <DATA_URI>] [-t <MIME_TYPE>]
# [-c <CATEGORY> [-c <CATEGORY>] ...]
# [-e|--es <EXTRA_KEY> <EXTRA_STRING_VALUE> ...]
# [--esn <EXTRA_KEY> ...]
# [--ez <EXTRA_KEY> <EXTRA_BOOLEAN_VALUE> ...]
# [-e|--ei <EXTRA_KEY> <EXTRA_INT_VALUE> ...]
#adb shell am broadcast -a android.intent.action.BOOT_COMPLETED -c android.intent.category.HOME -n net.fstab.checkit_android/.StartupReceiver
#am broadcast -a android.intent.action.BOOT_COMPLETED
EMUINTENT = "%s/adb -s %s shell am broadcast -a %s"
#adb shell am start -n com.package.name/com.package.name.ActivityName
#am start -a android.intent.action.MAIN -n com.iftitah.android.contact/com.iftitah.android.contact.Contact
#am start -a <ACTION> -n <PACKAGE>/<PACKAGE><ACTIVITYCLASS>
EMULAUNCH = "%s/adb -s %s shell am start -a %s -n %s/%s"
#kill
#could do adb shell stop
#but why really? just going to reset for next run anyway
# (though a stop would preserve state)
#adb -s emulator-X emu kill
EMUKILL = "%s/adb -s %s emu kill"
#monkey
#$ adb shell monkey -v -p your.package.name 100 --ignore-security-exceptions -s SEED
EMUMONKEY = "%s/adb -s %s shell monkey -v -p %s 100 --ignore-security-exceptions -s %s --throttle 250"
#update database with start values
permissions_filename = job['sha256'] + ".xml"
image_used = VMs[m].name
start_time = time.strftime("%Y-%m-%d-%H:%M:%S", time.gmtime())
msdb.updateStartRun(job['jobuuid'],image_used,start_time,permissions_filename,MSVERSION)
vlogger.info( name + ":" + "...starting VM " + VMs[m].name)
#start it
cmd = EMUSTART % ( SDKPATH, VMs[m].name, PSIZE, str(adbport), MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256']+ "-orig.pcap")
vlogger.info( name + ":" + cmd)
pEmu = None
try:
args = shlex.split(cmd)
pEmu = subprocess.Popen(args)
except:
vlogger.info( name + ":" + "emulator start error", sys.exc_info()[0])
sys.exit(1)
#check for start error conditions:
#emulator: WARNING: ignoring locked SD Card image at /path/to/avd/ms-sdk003-003/sdcard.img
#it seems too many emulator instances are running on this machine. Aborting
#wait for it to start
cmd = EMUWAIT % ( ADBPATH, "emulator-" + str(adbport))
vlogger.info( name + ":" + cmd)
try:
ret = subprocess.check_call([cmd], shell=True)
vlogger.info( name + ":" + "emulator wait returned: %d" % ret )
except:
vlogger.error( name + ":" + "emulator wait error: %s" % cmd )
sys.exit(1)
vlogger.info( name + ":" + "emulator-" + str(adbport) + " started")
time.sleep(VM_POLL_REST * 3)
with vmlock:
VMlocal = VMs[m];
VMlocal.state = "Running"
VMs[m] = VMlocal;
#start logcat
#start it
cmd = EMULOGCAT % ( SDKPATH, "emulator-" + str(adbport))
vlogger.info( name + ":" + cmd)
pLogCat = None
fLogCat = None
try:
args = shlex.split(cmd)
vlogger.info( args)
fLogCat = open(MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + ".logcat","w")
fNull = open("/dev/null")
#TODO pLogCat = subprocess.Popen(args, stdin=fNull, stderr=fNull, stdout=fLogCat)
except:
vlogger.error( name + ": " + cmd )
vlogger.error( formatExceptionInfo())
vlogger.error( name + ":" + "emulator logcat error", sys.exc_info()[0])
sys.exit(1)
#install malicious app
cmd = EMUINSTALL % ( ADBPATH, "emulator-" + str(adbport), "'" + job['fullpath'] + "'")
vlogger.info( name + ":" + cmd)
try:
ret = subprocess.check_output([cmd], shell=True)
vlogger.info( name + ":" + "emulator install returned: %s" % ret )
install_attempts = ADBTRIES
while "Success" not in ret and install_attempts > 0:
kick_adb_maybe(adbl, fcnt)
vlogger.info( name + ":" + "install failed emulator install returned: %s" % ret )
time.sleep(VM_POLL_REST)
#TODO FIXME, track down why this sometimes stalls forever, seem on SDKs 11 and 14...
ret = subprocess.check_output([cmd], shell=True)
install_attempts -= 1
if install_attempts <= 0:
syslog.syslog(VMs[m].name + ":" + "install failed emulator install returned: %s" % ret )
vlogger.error(VMs[m].name + ":" + "install failed emulator install returned: %s" % ret )
except:
vlogger.error( name + ":" + "emulator install fatal error: %s" % cmd )
vlogger.error( formatExceptionInfo())
sys.exit(1)
#possible errors:
#Error: Could not access the Package Manager. Is the system running?
time.sleep(VM_POLL_REST * 3)
#stimulate
doc = etree.parse( MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + ".xml")
package = doc.find('package')
li = libIntent.libIntent("localhost",adbport)
#for each rint
for rint in doc.findall('rint'):
vlogger.info( name + " handling " + str(rint.text))
li.handleRIntent(str(rint.text))
#for each permission (actions and rints _should_ catch all these....)
for perm in doc.findall('permission'):
vlogger.info( name + " handling " + str(perm.text))
li.handlePermission(str(perm.text))
#for each action
for action in doc.findall('action'):
vlogger.info( name + " handling " + str(action.text))
li.handleAction(str(action.text))
#BROADCASTS are done this way
#cmd = EMUINTENT % ( ADBPATH, "emulator-" + str(adbport), "android.intent.action.BOOT_COMPLETED")
cmd = EMUINTENT % ( ADBPATH, "emulator-" + str(adbport), str(action.text))
vlogger.info( name + ":" + cmd)
try:
#TODO check for "Broadcast completed" in output, repeat if necessary
ret = subprocess.check_call([cmd], shell=True)
except:
syslog.syslog("app %s error sending intent %s" % (job['sha256'],str(action.text)))
vlogger.error( name + ":" + "emulator intent error: %s" % cmd )
vlogger.error( name + ":" + "emulator intent error: %d" % ret )
#TODO exit is a little too harsh here, but should probably requeue somehow
#sys.exit(1)
#sys.exit(1)
#somethings just don't have nice rint or actions
li.sendCall()
time.sleep(VM_POLL_REST)
li.endAllCalls()
#open app
# TODO this should not be a for/for loop, the actions shoudl be paired with activities
for activity in doc.findall('activity'):
for action in doc.findall('action'):
vlogger.info( name + ": " + "################## launching activity " + str(activity.text))
cmd = EMULAUNCH % ( ADBPATH, "emulator-" + str(adbport), str(action.text), str(package.text), str(activity.text))
vlogger.info( name + ":" + cmd)
try:
ret = subprocess.check_call([cmd], shell=True)
except:
vlogger.error( name + ":" + "emulator launch error: %s" % cmd )
vlogger.error( name + ":" + "emulator launch error: %d" % ret )
#TODO exit is a little too harsh here, but should probably requeue somehow
#sys.exit(1)
time.sleep(VM_POLL_REST * 5)
#monkey around
cmd = EMUMONKEY % ( ADBPATH, "emulator-" + str(adbport), str(package.text), random.randint(1,100))
vlogger.info( name + ":" + cmd)
try:
ret = subprocess.check_output([cmd], shell=True)
vlogger.info( name + ":" + "emulator monkey returned: %s" % ret )
# monkey_attempts = ADBTRIES
# while "Success" not in ret and monkey_attempts > 0:
# kick_adb_maybe(adbl, fcnt)
# vlogger.info( name + ":" + "monkey failed emulator monkey returned: %s" % ret )
# time.sleep(VM_POLL_REST)
#
# ret = subprocess.check_output([cmd], shell=True)
# monkey_attempts -= 1
# if monkey_attempts <= 0:
# syslog.syslog(VMs[m].name + ":" + "monkey failed emulator monkey returned: %s" % ret )
except:
vlogger.error( name + ":" + "emulator monkey fatal error: %s" % cmd )
syslog.syslog(VMs[m].name + ":" + "monkey failed emulator monkey error: %s" % cmd )
vlogger.error( formatExceptionInfo())
sys.exit(1)
#kill
cmd = EMUKILL % ( ADBPATH, "emulator-" + str(adbport))
vlogger.info( name + ":" + cmd)
try:
ret = subprocess.check_call([cmd], shell=True)
except:
vlogger.error( name + ":" + "emulator kill error")
sys.exit(1)
#cleanup
if pEmu.poll() is not None:
vlogger.info( name + ": " + "poll is " + str(pEmu.poll()))
try:
pEmu.terminate()
except:
vlogger.error( name + ": " + "pEmu term failed")
#TODO if pLogCat.poll() is not None:
#TODO pLogCat.terminate()
fLogCat.flush()
fLogCat.close()
fNull.close()
time.sleep(VM_POLL_REST)
vlogger.info( name + ":" + "...stopping VM " + VMs[m].name)
with vmlock:
VMlocal = VMs[m];
VMlocal.state = "Off"
VMs[m] = VMlocal;
t2 = time.time()
complete_time = time.strftime("%Y-%m-%d-%H:%M:%S", time.gmtime())
results_file = job['sha256'] + ".pcap"
msdb.updateFinishRun(job['jobuuid'],complete_time,results_file)
#post process pcap, pretty crude for now, adb uses it's port and port+1; so two prunes
#...and it seems that adb uses 5555 regardless of which even port is specified
originalpcap = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + "-orig.pcap"
tmppcap = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + "-temp.pcap"
finalpcap = MALWAREJOBSBASE + "/" + job['jobuuid'] + "/" + job['sha256'] + ".pcap"
#cmd = "prune_pcap.sh %s %s %s" % (os.path.dirname(job['fullpath']) + "/" + job['sha256']+ "-orig.pcap",os.path.dirname(job['fullpath']) + "/" + job['sha256']+ ".pcap", str(adbport))
cmd = "prune_pcap.sh %s %s %s" % (originalpcap,tmppcap, str(adbport))
vlogger.info( name + ":" + cmd)
try:
ret = subprocess.check_call([cmd], shell=True)
except:
vlogger.error( name + ":" + "pcap prune error")
sys.exit(1)
#cmd = "prune_pcap.sh %s %s %s" % (os.path.dirname(job['fullpath']) + "/" + job['sha256']+ "-orig.pcap",os.path.dirname(job['fullpath']) + "/" + job['sha256']+ ".pcap", str(int(adbport)+1))
cmd = "prune_pcap.sh %s %s %s" % (tmppcap,finalpcap, str(int(adbport)+1))
vlogger.info( name + ":" + cmd)
try:
ret = subprocess.check_call([cmd], shell=True)
except:
vlogger.error( name + ":" + "pcap prune error")
sys.exit(1)
#cmd = "prune_pcap.sh %s %s %s" % (os.path.dirname(job['fullpath']) + "/" + job['sha256']+ "-orig.pcap",os.path.dirname(job['fullpath']) + "/" + job['sha256']+ ".pcap", str(5555))
# cmd = "prune_pcap.sh %s %s %s" % (originalpcap,finalpcap, str(adbport))
# vlogger.info( name + ":" + cmd)
# try:
# ret = subprocess.check_call([cmd], shell=True)
# except:
# vlogger.error( name + ":" + "pcap prune error")
# sys.exit(1)
#TODO unique ip addresses
#tshark -r <input.pcap> -T fields -e ip.dst ip.src | sort | uniq
vlogger.info( name + ":" + "sample took %s seconds process" % str(t2 - t1))
results.put(t2-t1)
elif VMs[m].state in ["Off"]:
vlogger.info( name + ":" + VMs[m].name + "run error: found in state OFF!")
rval = False
elif VMs[m].state in ["Ready"]:
vlogger.info( name + ":" + VMs[m].name + "run error: is running and not available for new malware")
rval = False
#if m.name in assignments:
# if assignments[m.name]['timeout'] <= time.time():
# #do anything you want to wrap up
# job_post_process(m)
# job_cleanup(m)
# vm_poweroff(m)
#else: # if the machine is running but there is no job assigned to it then kill it
# pcap_terminate(m)
# vm_poweroff(m)
# else: #not sure this is relevant...may need to remove it
# vm_poweroff(m) #I need to get a list of states that I want to poweroff by default
return rval
