def cuckoo_run(target_path):
    """Launch the sample at *target_path* directly and return its process id.

    Generic package: the sample is itself the executable, so it is started
    with no command-line arguments.  The return value is a list of process
    ids; Cuckoo adds every id in it to the monitored set and waits for all of
    them to finish before the analysis ends (a single id here).
    """
    # "cuckoo_execute" takes, in this order: the path of the executable to
    # launch, the arguments to pass it (None here), and whether the process
    # must be created suspended.  Suspended creation is the recommended
    # setting when the process is going to be injected and monitored: the
    # monitor DLL is in place before any of the sample's code has run.
    start_suspended = True
    new_pid, main_thread = cuckoo_execute(target_path, None, start_suspended)

    # "cuckoo_monitor" performs the DLL injection; given the same flag and the
    # main-thread handle from "cuckoo_execute", it also resumes the process.
    cuckoo_monitor(new_pid, main_thread, start_suspended)

    # Every pid that should be watched belongs in the returned list.
    return [new_pid]
def cuckoo_run(target_path):
    """Run a DLL sample through rundll32.exe and return its process id.

    The sample path is handed to rundll32 as its only argument; no entry
    point is named.  Returns a one-element list of process ids for Cuckoo to
    monitor.
    """
    host_exe = "C:\\WINDOWS\\system32\\rundll32.exe"

    # NOTE(review): target_path is passed unquoted here, unlike the other
    # packages in this set; a sample path containing spaces may be split by
    # the command-line parser - confirm against the paths Cuckoo generates.
    start_suspended = True
    new_pid, main_thread = cuckoo_execute(host_exe, target_path, start_suspended)

    # Inject the monitor DLL, then resume the suspended main thread so the
    # DLL is already in place when the sample's code starts executing.
    cuckoo_monitor(new_pid, main_thread, start_suspended)
    return [new_pid]
def cuckoo_run(target_path):
    """Open a document sample in Adobe Reader and return the reader's pid.

    The sample path is double-quoted and passed as the single argument of
    AcroRd32.exe.  Returns a one-element list of process ids for Cuckoo to
    monitor.
    """
    # Customize this path to match the Reader install on your Windows guest.
    reader_exe = "C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe"
    quoted_target = "\"%s\"" % target_path

    # Create the reader suspended so the monitor DLL is injected before the
    # document is parsed.
    start_suspended = True
    new_pid, main_thread = cuckoo_execute(reader_exe, quoted_target, start_suspended)
    cuckoo_monitor(new_pid, main_thread, start_suspended)
    return [new_pid]
def cuckoo_run(target_path):
    """Open a document sample in Microsoft Word and return Word's pid.

    The sample path is double-quoted and passed as the single argument of
    WINWORD.EXE.  Returns a one-element list of process ids for Cuckoo to
    monitor.
    """
    # Customize this path to match the Office install on your Windows guest.
    word_exe = "C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"
    quoted_target = "\"%s\"" % target_path

    # Create Word suspended so the monitor DLL is injected before the
    # document is opened.
    start_suspended = True
    new_pid, main_thread = cuckoo_execute(word_exe, quoted_target, start_suspended)
    cuckoo_monitor(new_pid, main_thread, start_suspended)
    return [new_pid]
def cuckoo_run(target_path):
    """Run a PHP script sample with the php.exe interpreter and return its pid.

    The sample path is double-quoted and passed as the single argument of
    php.exe.  Returns a one-element list of process ids for Cuckoo to monitor.
    """
    # Customize this path to match the PHP install on your Windows guest.
    interpreter = "C:\\php\\php.exe"
    quoted_target = '"%s"' % target_path

    # Create the interpreter suspended so the monitor DLL is injected before
    # the script runs.
    start_suspended = True
    new_pid, main_thread = cuckoo_execute(interpreter, quoted_target, start_suspended)
    cuckoo_monitor(new_pid, main_thread, start_suspended)
    return [new_pid]
def cuckoo_run(target_path):
    """Run a PHP script sample with the php.exe interpreter and return its pid.

    The sample path is double-quoted and passed as the single argument of
    php.exe.  Returns a one-element list of process ids for Cuckoo to monitor.
    """
    # Customize this path to match the PHP install on your Windows guest.
    interpreter = "C:\\php\\php.exe"
    quoted_target = "\"%s\"" % target_path

    # Create the interpreter suspended so the monitor DLL is injected before
    # the script runs.
    start_suspended = True
    new_pid, main_thread = cuckoo_execute(interpreter, quoted_target, start_suspended)
    cuckoo_monitor(new_pid, main_thread, start_suspended)
    return [new_pid]
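def cuckoo_run(target_path):
    """Open the URL of an Internet Shortcut (.url) sample in Internet Explorer.

    The .url file is the untrusted sample: its "[InternetShortcut]" section is
    parsed with ConfigParser and the "URL" option becomes the command-line
    argument of iexplore.exe.  Returns a one-element list of process ids for
    Cuckoo to monitor.

    Raises ConfigParser.NoSectionError or NoOptionError from config.get()
    when the file lacks the section or option; config.read() itself ignores a
    file it cannot open, which then surfaces as NoSectionError.
    """
    config = ConfigParser.ConfigParser()
    config.read(target_path)
    url = config.get("InternetShortcut", "URL")

    # Customize this path to match the IE install on your Windows guest.
    internet_explorer = "C:\\Program Files\\Internet Explorer\\iexplore.exe"

    # The browser is started running, not suspended; as far as can be told
    # here the monitor DLL is injected after the process has already begun,
    # so its earliest activity may precede monitoring.
    suspended = False

    # Quote the URL the way the other packages quote the sample path: the
    # value comes straight from the sample and an unquoted one containing
    # whitespace could be split into several arguments.  A URL that itself
    # contains a double quote is not neutralised by this; cuckoo_execute's
    # exact command-line assembly is not visible here.
    (pid, h_thread) = cuckoo_execute(internet_explorer, '"%s"' % url, suspended)
    cuckoo_monitor(pid, h_thread, suspended)
    return [pid]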
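def cuckoo_run(target_path):
    """Open the URL of an Internet Shortcut (.url) sample in Firefox.

    The .url file is the untrusted sample: its "[InternetShortcut]" section is
    parsed with ConfigParser and the "URL" option becomes the command-line
    argument of firefox.exe.  Returns a one-element list of process ids for
    Cuckoo to monitor.

    Raises ConfigParser.NoSectionError or NoOptionError from config.get()
    when the file lacks the section or option; config.read() itself ignores a
    file it cannot open, which then surfaces as NoSectionError.
    """
    config = ConfigParser.ConfigParser()
    config.read(target_path)
    url = config.get("InternetShortcut", "URL")

    # Customize this path to match the Firefox install on your Windows guest.
    firefox = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"

    # The browser is started running, not suspended; as far as can be told
    # here the monitor DLL is injected after the process has already begun,
    # so its earliest activity may precede monitoring.
    suspended = False

    # The previous '"%s" % url' was a no-op on a str.  Quote the URL the way
    # the other packages quote the sample path: the value comes straight from
    # the sample and an unquoted one containing whitespace could be split into
    # several arguments.  A URL that itself contains a double quote is not
    # neutralised by this; cuckoo_execute's exact command-line assembly is not
    # visible here.
    (pid, h_thread) = cuckoo_execute(firefox, '"%s"' % url, suspended)
    cuckoo_monitor(pid, h_thread, suspended)
    return [pid]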