def test_system_drive(self):
set_cwd(tempfile.mkdtemp())
cuckoo_create()
gm_win = GuestManager("cuckoo1", "1.2.3.4", "windows", 1, None)
gm_win.environ["SYSTEMDRIVE"] = "C:"
gm_lin = GuestManager("cuckoo1", "1.2.3.4", "linux", 1, None)
assert gm_win.determine_system_drive() == "C:/"
assert gm_lin.determine_system_drive() == "/"
def test_temp_path(self):
set_cwd(tempfile.mkdtemp())
cuckoo_create()
gm_win = GuestManager("cuckoo1", "1.2.3.4", "windows", 1, None)
gm_win.environ["TEMP"] = "C:\\Users\\user\\AppData\\Local\\Temp"
gm_lin = GuestManager("cuckoo1", "1.2.3.4", "linux", 1, None)
assert gm_lin.determine_temp_path() == "/tmp"
assert gm_win.determine_temp_path() == "C:\\Users\\user\\AppData\\Local\\Temp"
def test_start_analysis_nofile(self):
set_cwd(tempfile.mkdtemp())
cuckoo_create()
target = mock.MagicMock()
target.is_file = False
analysis = mock.MagicMock()
analysis.status = "starting"
gm = GuestManager(
"cuckoo1", "1.2.3.4", "windows", 1, None, analysis,
target
)
gm.wait_available = mock.MagicMock()
httpresponse = mock.MagicMock()
httpresponse.status_code = 200
httpresponse.json.return_value = {
"version": 0.8,
"features": ["pinning", "execpy"]
}
gm.post = mock.MagicMock()
gm.get = mock.MagicMock(return_value=httpresponse)
gm.query_environ = mock.MagicMock()
gm.upload_analyzer = mock.MagicMock()
gm.add_config = mock.MagicMock()
gm.determine_temp_path = mock.MagicMock(return_value="/tmp/sIYUbJJ")
gm.analysis_manager = mock.MagicMock()
gm.start_analysis({"timeout": 60, "file_name": "doge"}, None)
assert gm.analysis.status == "starting"
gm.get.assert_called_with("/pinning")
gm.target.helper.get_filepointer.assert_not_called()
gm.post.assert_called_once_with("/execpy", data=mock.ANY)
def test_do_not_get_exception(self):
set_cwd(tempfile.mkdtemp())
cuckoo_create()
responses.add(responses.GET, "http://1.2.3.4:8000/", status=501)
gm = GuestManager("cuckoo1", "1.2.3.4", "windows", 1, None)
assert gm.get("/", do_raise=False).status_code == 501
def init(self, db):
# If for some reason the task dir does not exist, stop the analysis
# because it should have been created upon submission
if not self.task.dir_exists():
log.error("Task directory for task #%s does not exist",
self.task.id)
return False
if not URLDiaries.init_done:
URLDiaries.init()
self.curr_block = self.new_target_block()
if not self.curr_block:
log.error("Empty target list, cannot proceed.")
return False
self.rt = RealTimeHandler()
self.ev_client = EventClient()
self.URL_BLOCKSIZE = int(
self.task.options.get("urlblocksize", self.URL_BLOCKSIZE))
self.SECS_PER_BLOCK = int(
self.task.options.get("blocktime", self.SECS_PER_BLOCK))
self.aborted = False
self.completed = False
# Write task to disk in json file
self.task.write_task_json()
self.build_options(
options={
"category": "url",
"target": ",".join(self.curr_block.keys()),
"enforce_timeout": True,
"timeout": len(self.task.targets) * self.SECS_PER_BLOCK * 3
})
self.guest_manager = GuestManager(
self.machine.name, self.machine.ip, self.machine.platform,
self.task, self, self.analysis,
self.curr_block.get(
self.curr_block.keys().pop(0)).get("target_obj"))
self.aux = RunAuxiliary(self.task.task_dict, self.machine,
self.guest_manager)
# The wait/agent status checking etc is run in a separate thread. This
# allows the analysis manager to perform other actions while the
# analysis is running
self.gm_wait_th = threading.Thread(
target=self.guest_manager.wait_for_completion)
self.gm_wait_th.daemon = True
self.detection_events = []
self.netflow_events = []
self.js_events = []
self.realtime_finished = set()
self.tlskeys_response = None
self.realtime_error = False
self.requestfinder = RequestFinder(self.task.id)
self.all_pids_targets = {}
return True
def test_post_exception(self):
set_cwd(tempfile.mkdtemp())
cuckoo_create()
responses.add(responses.POST, "http://1.2.3.4:8000/store", status=500)
gm = GuestManager("cuckoo1", "1.2.3.4", "windows", 1, None)
with pytest.raises(requests.HTTPError):
gm.post("/store", data={"filepath": "hehe"})
def test_get_exception(self):
set_cwd(tempfile.mkdtemp())
cuckoo_create()
responses.add(responses.GET, "http://1.2.3.4:8000/", status=400)
gm = GuestManager("cuckoo1", "1.2.3.4", "windows", 1, None)
with pytest.raises(requests.HTTPError):
gm.get("/")
def test_analyzer_path(self):
set_cwd(tempfile.mkdtemp())
cuckoo_create()
responses.add(responses.POST, "http://1.2.3.4:8000/mkdir", status=200)
gm_win = GuestManager("cuckoo1", "1.2.3.4", "windows", 1, None)
gm_win.environ["SYSTEMDRIVE"] = "C:"
gm_win.options["options"] = "analpath=tempdir"
gm_win.determine_analyzer_path()
gm_lin = GuestManager("cuckoo1", "1.2.3.4", "linux", 1, None)
gm_lin.options["options"] = "analpath=tempdir"
gm_lin.determine_analyzer_path()
assert gm_lin.analyzer_path == "/tempdir"
assert gm_win.analyzer_path == "C:/tempdir"
def test_no_critical_error_at_finish(self, p, q, r, s):
set_cwd(tempfile.mkdtemp())
cuckoo_create()
gm = GuestManager("cuckoo1", "1.2.3.4", "windows", 1, None)
gm.timeout = 6
p.guest_get_status.return_value = "running"
q.time.side_effect = [1, 2, 3, 4, 5, 6, 7, 8, 9]
gm.wait_for_completion()
assert q.time.call_count == 8
assert "end of analysis" in r.info.call_args_list[-1][0][0]
def test_start_analysis_timeout(self):
set_cwd(tempfile.mkdtemp())
cuckoo_create(cfg={
"cuckoo": {
"timeouts": {
"critical": 123,
},
},
})
gm = GuestManager("cuckoo1", "1.2.3.4", "windows", 1, None)
gm.wait_available = mock.MagicMock(side_effect=Exception)
with pytest.raises(Exception):
gm.start_analysis({"timeout": 42}, None)
assert gm.timeout == 165
def launch_analysis(self):
"""Start analysis."""
succeeded = False
if self.task.category == "file" or self.task.category == "archive":
target = os.path.basename(self.task.target)
else:
target = self.task.target
log.info("Starting analysis of %s \"%s\" (task #%d, options \"%s\")",
self.task.category.upper(),
target,
self.task.id,
emit_options(self.task.options),
extra={
"action": "task.init",
"status": "starting",
"task_id": self.task.id,
"target": target,
"category": self.task.category,
"package": self.task.package,
"options": emit_options(self.task.options),
"custom": self.task.custom,
})
# Initialize the analysis.
if not self.init():
logger("Failed to initialize", action="task.init", status="error")
return False
# Acquire analysis machine.
try:
self.acquire_machine()
except CuckooOperationalError as e:
machine_lock.release()
log.error("Cannot acquire machine: %s",
e,
extra={
"action": "vm.acquire",
"status": "error",
})
return False
self.rs_port = self.machine.resultserver_port or ResultServer().port
# At this point we can tell the ResultServer about it.
try:
ResultServer().add_task(self.task, self.machine)
except Exception as e:
machinery.release(self.machine.label)
self.errors.put(e)
# Initialize the guest manager.
self.guest_manager = GuestManager(self.machine.name, self.machine.ip,
self.machine.platform, self.task.id,
self)
self.aux = RunAuxiliary(self.task, self.machine, self.guest_manager)
self.aux.start()
# Generate the analysis configuration file.
options = self.build_options()
# Check if the current task has remotecontrol
# enabled before starting the machine.
control_enabled = (config("cuckoo:remotecontrol:enabled")
and "remotecontrol" in self.task.options)
if control_enabled:
try:
machinery.enable_remote_control(self.machine.label)
except NotImplementedError:
log.error(
"Remote control support has not been implemented for the "
"configured machinery module: %s",
config("cuckoo:cuckoo:machinery"))
try:
unlocked = False
self.interface = None
# Mark the selected analysis machine in the database as started.
guest_log = self.db.guest_start(self.task.id, self.machine.name,
self.machine.label,
machinery.__class__.__name__)
logger("Starting VM",
action="vm.start",
status="pending",
vmname=self.machine.name)
# Start the machine.
machinery.start(self.machine.label, self.task)
logger("Started VM",
action="vm.start",
status="success",
vmname=self.machine.name)
# retrieve the port used for remote control
if control_enabled:
try:
params = machinery.get_remote_control_params(
self.machine.label)
self.db.set_machine_rcparams(self.machine.label, params)
except NotImplementedError:
log.error(
"Remote control support has not been implemented for the "
"configured machinery module: %s",
config("cuckoo:cuckoo:machinery"))
# Enable network routing.
self.route_network()
# By the time start returns it will have fully started the Virtual
# Machine. We can now safely release the machine lock.
machine_lock.release()
unlocked = True
# Run and manage the components inside the guest unless this
# machine has the "noagent" option specified (please refer to the
# wait_finish() function for more details on this function).
if "noagent" not in self.machine.options:
self.guest_manage(options)
else:
self.wait_finish()
succeeded = True
except CuckooMachineSnapshotError as e:
log.error(
"Unable to restore to the snapshot for this Virtual Machine! "
"Does your VM have a proper Snapshot and can you revert to it "
"manually? VM: %s, error: %s",
self.machine.name,
e,
extra={
"action": "vm.resume",
"status": "error",
"vmname": self.machine.name,
})
except CuckooMachineError as e:
if not unlocked:
machine_lock.release()
log.error("Error starting Virtual Machine! VM: %s, error: %s",
self.machine.name,
e,
extra={
"action": "vm.start",
"status": "error",
"vmname": self.machine.name,
})
except CuckooGuestCriticalTimeout as e:
if not unlocked:
machine_lock.release()
log.error(
"Error from machine '%s': it appears that this Virtual "
"Machine hasn't been configured properly as the Cuckoo Host "
"wasn't able to connect to the Guest. There could be a few "
"reasons for this, please refer to our documentation on the "
"matter: %s",
self.machine.name,
faq("troubleshooting-vm-network-configuration"),
extra={
"error_action": "vmrouting",
"action": "guest.handle",
"status": "error",
"task_id": self.task.id,
})
except CuckooGuestError as e:
if not unlocked:
machine_lock.release()
log.error("Error from the Cuckoo Guest: %s",
e,
extra={
"action": "guest.handle",
"status": "error",
"task_id": self.task.id,
})
finally:
# Stop Auxiliary modules.
if not self.stopped_aux:
self.stopped_aux = True
self.aux.stop()
# Take a memory dump of the machine before shutting it off.
if self.cfg.cuckoo.memory_dump or self.task.memory:
logger("Taking full memory dump",
action="vm.memdump",
status="pending",
vmname=self.machine.name)
try:
dump_path = os.path.join(self.storage, "memory.dmp")
machinery.dump_memory(self.machine.label, dump_path)
logger("Taken full memory dump",
action="vm.memdump",
status="success",
vmname=self.machine.name)
except NotImplementedError:
log.error(
"The memory dump functionality is not available for "
"the current machine manager.",
extra={
"action": "vm.memdump",
"status": "error",
"vmname": self.machine.name,
})
except CuckooMachineError as e:
log.error("Machinery error: %s",
e,
extra={
"action": "vm.memdump",
"status": "error",
})
logger("Stopping VM",
action="vm.stop",
status="pending",
vmname=self.machine.name)
try:
# Stop the analysis machine.
machinery.stop(self.machine.label)
except CuckooMachineError as e:
log.warning("Unable to stop machine %s: %s",
self.machine.label,
e,
extra={
"action": "vm.stop",
"status": "error",
"vmname": self.machine.name,
})
logger("Stopped VM",
action="vm.stop",
status="success",
vmname=self.machine.name)
# Disable remote control after stopping the machine
# if it was enabled for the task.
if control_enabled:
try:
machinery.disable_remote_control(self.machine.label)
except NotImplementedError:
log.error(
"Remote control support has not been implemented for the "
"configured machinery module: %s",
config("cuckoo:cuckoo:machinery"))
# Mark the machine in the database as stopped. Unless this machine
# has been marked as dead, we just keep it as "started" in the
# database so it'll not be used later on in this session.
self.db.guest_stop(guest_log)
# After all this, we can make the ResultServer forget about the
# internal state for this analysis task.
ResultServer().del_task(self.task, self.machine)
# Drop the network routing rules if any.
if not self.unrouted_network:
self.unroute_network()
try:
# Release the analysis machine. But only if the machine has
# not turned dead yet.
machinery.release(self.machine.label)
except CuckooMachineError as e:
log.error(
"Unable to release machine %s, reason %s. You might need "
"to restore it manually.",
self.machine.label,
e,
extra={
"action": "vm.release",
"status": "error",
"vmname": self.machine.name,
})
return succeeded
def init(self, db):
"""Executed by the scheduler. Prepares the analysis for starting."""
# Used at the processing and final stage to determine is processing
# was run and successful
self.processing_success = False
# TODO remove this when the latest RDP/VNC machine additions/changes
# have been added. Currently, the enabling requires a db change at
# the start of a machine
self.db = db
# If for some reason the task dir does not exist, stop the analysis
# because it should have been created upon submission
if not self.task.dir_exists():
log.error("Task directory for task #%s does not exist",
self.task.id)
return False
self.guest_manager = GuestManager(self.machine.name, self.machine.ip,
self.machine.platform, self.task,
self, self.analysis, self.target)
self.aux = RunAuxiliary(self.task.task_dict, self.machine,
self.guest_manager)
self.rt = RealTimeHandler()
# Check if the current task has remotecontrol
# enabled before starting the machine.
self.control_enabled = (config("cuckoo:remotecontrol:enabled")
and "remotecontrol" in self.task.options)
# Write task to disk in json file
self.task.write_task_json()
if not self.target.target:
self.build_options()
return True
options = {
"category": self.target.category,
"target": self.target.target
}
if self.target.is_file:
if not self.target.copy_exists():
log.error("The file to submit '%s' does not exist",
self.target.copied_binary)
return False
if not self.target.helper.is_readable():
log.error(
"Unable to read target file %s, please check if it is"
" readable for the user executing Cuckoo Sandbox",
self.target.copied_binary)
return False
task_options = {}
package, activity = self.target.helper.get_apk_entry()
if package and activity:
task_options["apk_entry"] = "%s:%s" % (package, activity)
options.update({
"file_name":
os.path.basename(self.target.target),
"file_type":
self.target.helper.get_type(),
"pe_exports":
",".join(self.target.helper.get_exported_functions()),
"options":
task_options
})
self.build_options(options=options)
return True
