def run(self):
global PROCESS_LOCK
PROCESS_LOCK.acquire()
log = logging.getLogger("Core.PipeHandler")
try:
data = create_string_buffer(BUFSIZE)
# Read data from pipe connection.
while True:
bytes_read = c_int(0)
success = cuckoo.defines.KERNEL32.ReadFile(self.h_pipe,
data,
sizeof(data),
byref(bytes_read),
None)
if not success or bytes_read.value == 0:
if cuckoo.defines.KERNEL32.GetLastError() == cuckoo.defines.ERROR_BROKEN_PIPE:
# Client disconnected.
pass
break
if data:
command = data.value.strip()
# If the acquired data is a valid PID to monitor, inject it.
if re.match("PID:", command):
pid = int(command[4:])
log.debug("Received request to analyze process with PID %d."
% pid)
if pid > -1:
# Check if the process has not been injected previously.
if pid not in PROCESS_LIST:
# If injection is successful, add the newly monitored
# process to global list too.
if cuckoo_inject(pid, CUCKOO_DLL_PATH):
PROCESS_LIST.append(pid)
else:
log.error("Failed injecting process with "
"PID \"%s\" (0x%08x)." % (pid, pid))
else:
log.debug("Process with PID \"%d\" (0x%08x) " \
"already in monitored process list. Skip."
% (pid, pid))
# If the acquired data is a path to a file to dump, add it to
# the list.
elif re.match("FILE:", command):
file_path = command[5:]
add_file_to_list(file_path)
finally:
PROCESS_LOCK.release()
return True
def run(self):
global PROCESS_LOCK
PROCESS_LOCK.acquire()
log = logging.getLogger("Core.PipeHandler")
try:
data = create_string_buffer(BUFSIZE)
# Read data from pipe connection.
while True:
bytes_read = c_int(0)
success = cuckoo.defines.KERNEL32.ReadFile(
self.h_pipe, data, sizeof(data), byref(bytes_read), None)
if not success or bytes_read.value == 0:
if cuckoo.defines.KERNEL32.GetLastError(
) == cuckoo.defines.ERROR_BROKEN_PIPE:
# Client disconnected.
pass
break
if data:
command = data.value.strip()
# If the acquired data is a valid PID to monitor, inject it.
if re.match("PID:", command):
pid = int(command[4:])
log.debug(
"Received request to analyze process with PID %d." %
pid)
if pid > -1:
# Check if the process has not been injected previously.
if pid not in PROCESS_LIST:
# If injection is successful, add the newly monitored
# process to global list too.
if cuckoo_inject(pid, CUCKOO_DLL_PATH):
PROCESS_LIST.append(pid)
else:
log.error("Failed injecting process with "
"PID \"%s\" (0x%08x)." % (pid, pid))
else:
log.debug("Process with PID \"%d\" (0x%08x) " \
"already in monitored process list. Skip."
% (pid, pid))
# If the acquired data is a path to a file to dump, add it to
# the list.
elif re.match("FILE:", command):
file_path = command[5:]
add_file_to_list(file_path)
finally:
PROCESS_LOCK.release()
return True
def cuckoo_monitor(pid=-1, h_thread=-1, suspended=False, dll_path=None):
"""
Invokes injection and resume of the specified process.
@param pid: PID of the process to monitor
@param h_thread: handle of the thread of the process to monitor
@param suspended: boolean value enabling or disabling the resume of the
specified process from suspended mode
@param dll_path: path to the DLL to inject, if none is specified it will use
the default DLL
"""
log = logging.getLogger("Monitor.Monitor")
# The package run function should return the process id, if it's valid
# I can inject it with Cuckoo's DLL or specified custom DLL.
if pid > -1:
if not dll_path or dll_path == CUCKOO_DLL_PATH:
dll_path = CUCKOO_DLL_PATH
log.info("Using default Cuckoo DLL \"%s\"." % dll_path)
else:
log.info("Using custom DLL \"%s\"." % dll_path)
if not cuckoo_inject(pid, dll_path):
log.error("Unable to inject process with ID \"%d\" with DLL " \
"\"%s\" (GLE=%s)."
% (pid, dll_path, cuckoo.defines.KERNEL32.GetLastError()))
return False
else:
log.info(
"Original process with PID \"%d\" successfully injected." %
pid)
# Resume the process in case it was created in suspended mode.
if suspended and h_thread > -1:
if not cuckoo_resumethread(h_thread):
return False
return True
def cuckoo_monitor(pid = -1, h_thread = -1, suspended = False, dll_path = None):
"""
Invokes injection and resume of the specified process.
@param pid: PID of the process to monitor
@param h_thread: handle of the thread of the process to monitor
@param suspended: boolean value enabling or disabling the resume of the
specified process from suspended mode
@param dll_path: path to the DLL to inject, if none is specified it will use
the default DLL
"""
log = logging.getLogger("Monitor.Monitor")
# The package run function should return the process id, if it's valid
# I can inject it with Cuckoo's DLL or specified custom DLL.
if pid > -1:
if not dll_path or dll_path == CUCKOO_DLL_PATH:
dll_path = CUCKOO_DLL_PATH
log.info("Using default Cuckoo DLL \"%s\"." % dll_path)
else:
log.info("Using custom DLL \"%s\"." % dll_path)
if not cuckoo_inject(pid, dll_path):
log.error("Unable to inject process with ID \"%d\" with DLL " \
"\"%s\" (GLE=%s)."
% (pid, dll_path, cuckoo.defines.KERNEL32.GetLastError()))
return False
else:
log.info("Original process with PID \"%d\" successfully injected."
% pid)
# Resume the process in case it was created in suspended mode.
if suspended and h_thread > -1:
if not cuckoo_resumethread(h_thread):
return False
return True
