def execute(self, path, args=None, suspended=False, kernel_analysis=False):
"""Execute sample process.
@param path: sample path.
@param args: process args.
@param suspended: is suspended.
@return: operation status.
"""
if not os.access(path, os.X_OK):
log.error('Unable to access file at path "%s", execution aborted', path)
return False
startup_info = STARTUPINFO()
startup_info.cb = sizeof(startup_info)
# STARTF_USESHOWWINDOW
startup_info.dwFlags = 1
# SW_SHOWNORMAL
startup_info.wShowWindow = 1
process_info = PROCESS_INFORMATION()
arguments = f'"{path}" '
if args:
arguments += args
creation_flags = CREATE_NEW_CONSOLE
if suspended:
self.suspended = True
creation_flags += CREATE_SUSPENDED
created = KERNEL32.CreateProcessW(
path, arguments, None, None, None, creation_flags, None, os.getenv("TEMP"), byref(startup_info), byref(process_info)
)
if created:
self.pid = process_info.dwProcessId
self.h_process = process_info.hProcess
self.thread_id = process_info.dwThreadId
self.h_thread = process_info.hThread
log.info('Successfully executed process from path "%s" with arguments "%s" with pid %d', path, args or "", self.pid)
if kernel_analysis:
return self.kernel_analyze()
return True
else:
log.error(
'Failed to execute process from path "%s" with arguments "%s" (Error: %s)',
path,
args,
get_error_string(KERNEL32.GetLastError()),
)
return False
def kernel_analyze(self):
"""zer0m0n kernel analysis
"""
log.info("Starting kernel analysis")
log.info("Installing driver")
if is_os_64bit():
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n_x64.sys")
else:
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n.sys")
exe_file = os.path.join(os.getcwd(), "dll", "logs_dispatcher.exe")
if not sys_file or not exe_file or not os.path.exists(
sys_file) or not os.path.exists(exe_file):
log.warning(
"No valid zer0m0n files to be used for process with pid %d, injection aborted",
self.pid)
return False
exe_name = service_name = driver_name = random_string(6)
inf_data = ('[Version]\r\n'
'Signature = "$Windows NT$"\r\n'
'Class = "ActivityMonitor"\r\n'
'ClassGuid = {{b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}}\r\n'
'Provider = %Prov%\r\n'
'DriverVer = 22/01/2014,1.0.0.0\r\n'
'CatalogFile = %DriverName%.cat\r\n'
'[DestinationDirs]\r\n'
'DefaultDestDir = 12\r\n'
'MiniFilter.DriverFiles = 12\r\n'
'[DefaultInstall]\r\n'
'OptionDesc = %ServiceDescription%\r\n'
'CopyFiles = MiniFilter.DriverFiles\r\n'
'[DefaultInstall.Services]\r\n' \
'AddService = %ServiceName%,,MiniFilter.Service\r\n'
'[DefaultUninstall]\r\n'
'DelFiles = MiniFilter.DriverFiles\r\n'
'[DefaultUninstall.Services]\r\n'
'DelService = %ServiceName%,0x200\r\n'
'[MiniFilter.Service]\r\n'
'DisplayName = %ServiceName%\r\n'
'Description = %ServiceDescription%\r\n'
'ServiceBinary = %12%\\%DriverName%.sys\r\n'
'Dependencies = "FltMgr"\r\n'
'ServiceType = 2\r\n'
'StartType = 3\r\n'
'ErrorControl = 1\r\n'
'LoadOrderGroup = "FSFilter Activity Monitor"\r\n'
'AddReg = MiniFilter.AddRegistry\r\n'
'[MiniFilter.AddRegistry]\r\n'
'HKR,,"DebugFlags",0x00010001 ,0x0\r\n'
'HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%\r\n'
'HKR,"Instances\\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%\r\n'
'HKR,"Instances\\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%\r\n'
'[MiniFilter.DriverFiles]\r\n'
'%DriverName%.sys\r\n'
'[SourceDisksFiles]\r\n'
'{driver_name}.sys = 1,,\r\n'
'[SourceDisksNames]\r\n'
'1 = %DiskId1%,,,\r\n'
'[Strings]\r\n'
'Prov = "{random_string8}"\r\n'
'ServiceDescription = "{random_string12}"\r\n'
'ServiceName = "{service_name}"\r\n'
'DriverName = "{driver_name}"\r\n'
'DiskId1 = "{service_name} Device Installation Disk"\r\n'
'DefaultInstance = "{service_name} Instance"\r\n'
'Instance1.Name = "{service_name} Instance"\r\n'
'Instance1.Altitude = "370050"\r\n'
'Instance1.Flags = 0x0'
).format(
service_name=service_name, driver_name=driver_name, random_string8=random_string(8), random_string12=random_string(12)
)
new_inf = os.path.join(os.getcwd(), "dll",
"{0}.inf".format(service_name))
new_sys = os.path.join(os.getcwd(), "dll",
"{0}.sys".format(driver_name))
copy(sys_file, new_sys)
new_exe = os.path.join(os.getcwd(), "dll", "{0}.exe".format(exe_name))
copy(exe_file, new_exe)
log.info("[-] Driver name : " + new_sys)
log.info("[-] Inf name : " + new_inf)
log.info("[-] Application name : " + new_exe)
log.info("[-] Service : " + service_name)
fh = open(new_inf, "w")
fh.write(inf_data)
fh.close()
os_is_64bit = is_os_64bit()
if os_is_64bit:
wow64 = c_ulong(0)
KERNEL32.Wow64DisableWow64FsRedirection(byref(wow64))
os.system(
'cmd /c "rundll32 setupapi.dll, InstallHinfSection DefaultInstall 132 '
+ new_inf + '"')
os.system("net start " + service_name)
si = STARTUPINFO()
si.cb = sizeof(si)
pi = PROCESS_INFORMATION()
cr = CREATE_NEW_CONSOLE
ldp = KERNEL32.CreateProcessW(new_exe, None, None, None, None, cr,
None, os.getenv("TEMP"), byref(si),
byref(pi))
if not ldp:
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
log.error("Failed starting " + exe_name + ".exe.")
return False
config_path = os.path.join(os.getenv("TEMP"), "%s.ini" % self.pid)
with open(config_path, "w") as config:
cfg = Config("analysis.conf")
config.write("host-ip={0}\n".format(cfg.ip))
config.write("host-port={0}\n".format(cfg.port))
config.write("pipe={0}\n".format(PIPE))
log.info("Sending startup information")
hFile = KERNEL32.CreateFileW(PATH_KERNEL_DRIVER,
GENERIC_READ | GENERIC_WRITE, 0, None,
OPEN_EXISTING, 0, None)
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
if hFile:
p = Process(pid=os.getpid())
ppid = p.get_parent_pid()
pid_vboxservice = 0
pid_vboxtray = 0
# get pid of VBoxService.exe and VBoxTray.exe
proc_info = PROCESSENTRY32()
proc_info.dwSize = sizeof(PROCESSENTRY32)
snapshot = KERNEL32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
flag = KERNEL32.Process32First(snapshot, byref(proc_info))
while flag:
if proc_info.sz_exeFile == "VBoxService.exe":
log.info("VBoxService.exe found !")
pid_vboxservice = proc_info.th32ProcessID
flag = 0
elif proc_info.sz_exeFile == "VBoxTray.exe":
pid_vboxtray = proc_info.th32ProcessID
log.info("VBoxTray.exe found !")
flag = 0
flag = KERNEL32.Process32Next(snapshot, byref(proc_info))
bytes_returned = c_ulong(0)
msg = str(self.pid) + "_" + str(ppid) + "_" + str(
os.getpid()) + "_" + str(pi.dwProcessId) + "_" + str(
pid_vboxservice) + "_" + str(pid_vboxtray) + '\0'
KERNEL32.DeviceIoControl(hFile, IOCTL_PID, msg, len(msg), None, 0,
byref(bytes_returned), None)
msg = os.getcwd() + '\0'
KERNEL32.DeviceIoControl(hFile,
IOCTL_CUCKOO_PATH, str(msg, 'utf-8'),
len(str(msg, 'utf-8')), None, 0,
byref(bytes_returned), None)
else:
log.warning("Failed to access kernel driver")
return True
def execute(self, path, args=None, suspended=False, kernel_analysis=False):
"""Execute sample process.
@param path: sample path.
@param args: process args.
@param suspended: is suspended.
@return: operation status.
"""
if not os.access(path, os.X_OK):
log.error('Unable to access file at path "%s", execution aborted',
path)
return False
startup_info = STARTUPINFO()
startup_info.cb = sizeof(startup_info)
# STARTF_USESHOWWINDOW
startup_info.dwFlags = 1
# SW_SHOWNORMAL
startup_info.wShowWindow = 1
process_info = PROCESS_INFORMATION()
arguments = f'"{path}" '
if args:
arguments += args
creation_flags = CREATE_NEW_CONSOLE
if suspended:
self.suspended = True
creation_flags += CREATE_SUSPENDED
# Use the custom execution directory if provided, otherwise launch in the same location
# where the sample resides (default %TEMP%)
if "executiondir" in self.options.keys():
execution_directory = self.options["executiondir"]
elif "curdir" in self.options.keys():
execution_directory = self.options["curdir"]
else:
execution_directory = os.getenv("TEMP")
# Try to create the custom directories so that the execution path is deemed valid
create_custom_folders(execution_directory)
created = KERNEL32.CreateProcessW(path, arguments, None, None, None,
creation_flags, None,
execution_directory,
byref(startup_info),
byref(process_info))
if created:
self.pid = process_info.dwProcessId
self.h_process = process_info.hProcess
self.thread_id = process_info.dwThreadId
self.h_thread = process_info.hThread
log.info(
'Successfully executed process from path "%s" with arguments "%s" with pid %d',
path, args or "", self.pid)
if kernel_analysis:
return self.kernel_analyze()
return True
else:
log.error(
'Failed to execute process from path "%s" with arguments "%s" (Error: %s)',
path,
args,
get_error_string(KERNEL32.GetLastError()),
)
return False
def spCreateProcessW(application_name, command_line, process_attributes,
thread_attributes, inherit_handles, creation_flags,
environment, current_directory, startup_info):
class STARTUPINFO(Structure):
_fields_ = [
("cb", c_uint),
("reserved1", c_void_p),
("desktop", c_void_p),
("title", c_void_p),
("unused1", c_uint * 7),
("flags", c_uint),
("show_window", c_uint16),
("reserved2", c_uint16),
("reserved3", c_void_p),
("std_input", c_void_p),
("std_output", c_void_p),
("std_error", c_void_p),
]
class PROCESS_INFORMATION(Structure):
_fields_ = [
("process_handle", c_void_p),
("thread_handle", c_void_p),
("process_identifier", c_uint),
("thread_identifier", c_uint),
]
class Handle(int):
def Close(self):
KERNEL32.CloseHandle(self)
if environment:
environment = "\x00".join(
"%s=%s" % (k, v) for k, v in environment.items()
) + "\x00\x00"
si = STARTUPINFO()
si.cb = sizeof(STARTUPINFO)
if startup_info:
si.flags = startup_info.dwFlags
si.show_window = startup_info.wShowWindow
if si.flags & STARTF_USESTDHANDLES:
si.std_input = cast(int(startup_info.hStdInput), c_void_p)
si.std_output = cast(int(startup_info.hStdOutput), c_void_p)
si.std_error = cast(int(startup_info.hStdError), c_void_p)
pi = PROCESS_INFORMATION()
result = KERNEL32.CreateProcessW(
application_name, command_line, None, None, inherit_handles,
creation_flags, environment, current_directory, byref(si), byref(pi)
)
if not result:
# TODO We'll just assume this is correct for now.
raise WindowsError(KERNEL32.GetLastError())
return (
Handle(pi.process_handle), Handle(pi.thread_handle),
pi.process_identifier, pi.thread_identifier
)
