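def upload_memdump(self):
    """Upload the process memory dump ``<pid>.dmp`` to the result server.

    The dump is read from ``PATHS["memory"]/<pid>.dmp`` (where
    ``dump_memory`` writes it) and streamed in 1 MiB chunks over a
    ``NetlogFile`` registered as ``memory/<pid>.dmp``.

    @return: operation status -- True on success; False when no pid is set
             or when the dump cannot be read or sent.
    """
    if not self.pid:
        log.warning(
            "No valid pid specified, memory dump cannot be uploaded")
        return False

    dump_name = "{0}.dmp".format(self.pid)
    file_path = os.path.join(PATHS["memory"], dump_name)
    chunk_size = 1024 * 1024

    nf = NetlogFile(os.path.join("memory", dump_name))
    try:
        # `with` closes the local handle on every exit path; iter() with a
        # b"" sentinel stops exactly where the original `while buf:` did.
        with open(file_path, "rb") as infd:
            for buf in iter(lambda: infd.read(chunk_size), b""):
                nf.send(buf, retry=True)
    except Exception:
        # Narrowed from a bare `except:` so KeyboardInterrupt/SystemExit are
        # no longer swallowed. A missing/unreadable dump file now reports
        # failure through the status return instead of raising past callers.
        log.warning("Upload of memory dump for process %d failed", self.pid)
        return False
    finally:
        # Always release the result-server connection.
        nf.close()

    log.info("Memory dump of process %d uploaded", self.pid)
    return True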
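def dump_memory(self):
    """Dump the process memory with the cuckoomon loader and upload it.

    The 32- or 64-bit loader (``LOADER32_NAME`` / ``LOADER64_NAME``, looked
    up in the current working directory) is executed as
    ``<loader> dump <pid> <file_path>`` -- as an argument list, never through
    a shell. The resulting ``PATHS["memory"]/<pid>.dmp`` is then streamed to
    the result server as ``memory/<pid>.dmp`` in 1 MiB chunks.

    @return: operation status -- True on success; False when no pid is set,
             the process is no longer alive, the loader is missing or
             reports failure, or the upload fails.
    """
    if not self.pid:
        log.warning("No valid pid specified, memory dump aborted")
        return False

    if not self.is_alive():
        log.warning(
            "The process with pid %d is not alive, memory "
            "dump aborted", self.pid)
        return False

    dump_name = "{0}.dmp".format(self.pid)
    file_path = os.path.join(PATHS["memory"], dump_name)

    if self.is_64bit():
        orig_bin_name, bit_str = LOADER64_NAME, "64-bit"
    else:
        orig_bin_name, bit_str = LOADER32_NAME, "32-bit"
    bin_name = os.path.join(os.getcwd(), orig_bin_name)

    if not os.path.exists(bin_name):
        log.error(
            "Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.",
            os.path.basename(bin_name), bit_str)
        return False

    # List form, no shell: pid and path are passed verbatim to the loader.
    ret = subprocess.call([bin_name, "dump", str(self.pid), file_path])
    # NOTE(review): the loader signals success with exit code 1; every other
    # code (including 0) is treated as failure. This mirrors the original
    # check -- confirm against the cuckoomon loader before changing it.
    if ret != 1:
        log.error("Unable to dump %s process with pid %d, error: %d",
                  bit_str, self.pid, ret)
        return False
    log.info("Dumped %s process with pid %d", bit_str, self.pid)

    chunk_size = 1024 * 1024
    nf = NetlogFile(os.path.join("memory", dump_name))
    try:
        # `with` closes the local handle on every exit path; iter() with a
        # b"" sentinel stops exactly where the original `while buf:` did.
        with open(file_path, "rb") as infd:
            for buf in iter(lambda: infd.read(chunk_size), b""):
                nf.send(buf, retry=True)
    except Exception:
        # Narrowed from a bare `except:`; an unreadable dump file is now a
        # False return rather than an exception escaping the method.
        log.warning("Memory dump of process with pid %d failed", self.pid)
        return False
    finally:
        nf.close()

    log.info("Memory dump of process with pid %d completed", self.pid)
    return True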
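def dump_memory(self):
    """Dump the process memory with the cuckoomon loader and upload it.

    The 32- or 64-bit loader (``LOADER32_NAME`` / ``LOADER64_NAME``, looked
    up in the current working directory) is executed as
    ``<loader> dump <pid> <file_path>`` -- as an argument list, never through
    a shell. The resulting ``PATHS["memory"]/<pid>.dmp`` is then streamed to
    the result server as ``memory/<pid>.dmp`` in 1 MiB chunks.

    @return: operation status -- True on success; False when no pid is set,
             the process is no longer alive, the loader is missing or
             reports failure, or the upload fails.
    """
    if not self.pid:
        log.warning("No valid pid specified, memory dump aborted")
        return False

    if not self.is_alive():
        log.warning("The process with pid %d is not alive, memory "
                    "dump aborted", self.pid)
        return False

    dump_name = "{0}.dmp".format(self.pid)
    file_path = os.path.join(PATHS["memory"], dump_name)

    if self.is_64bit():
        orig_bin_name, bit_str = LOADER64_NAME, "64-bit"
    else:
        orig_bin_name, bit_str = LOADER32_NAME, "32-bit"
    bin_name = os.path.join(os.getcwd(), orig_bin_name)

    if not os.path.exists(bin_name):
        log.error(
            "Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.",
            os.path.basename(bin_name),
            bit_str,
        )
        return False

    # List form, no shell: pid and path are passed verbatim to the loader.
    ret = subprocess.call([bin_name, "dump", str(self.pid), file_path])
    # NOTE(review): the loader signals success with exit code 1; every other
    # code (including 0) is treated as failure. This mirrors the original
    # check -- confirm against the cuckoomon loader before changing it.
    if ret != 1:
        log.error("Unable to dump %s process with pid %d, error: %d",
                  bit_str, self.pid, ret)
        return False
    log.info("Dumped %s process with pid %d", bit_str, self.pid)

    chunk_size = 1024 * 1024
    nf = NetlogFile(os.path.join("memory", dump_name))
    try:
        # `with` closes the local handle on every exit path; iter() with a
        # b"" sentinel stops exactly where the original `while buf:` did.
        with open(file_path, "rb") as infd:
            for buf in iter(lambda: infd.read(chunk_size), b""):
                nf.send(buf, retry=True)
    except Exception:
        # Narrowed from a bare `except:`; an unreadable dump file is now a
        # False return rather than an exception escaping the method.
        log.warning("Memory dump of process with pid %d failed", self.pid)
        return False
    finally:
        nf.close()

    log.info("Memory dump of process with pid %d completed", self.pid)
    return True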
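def finish(self):
    """Upload the captured proxy log to the result server.

    Pulls the accumulated data from ``self.m.get_logs()`` and sends it as
    ``files/proxyLog.log`` over a ``NetlogFile`` (with retry), closing the
    connection afterwards.

    @return: True once the log has been sent.
    """
    log.info("starting to send data")
    data = self.m.get_logs()
    log.info("size of log: {}".format(len(data)))

    nc = NetlogFile("files/proxyLog.log")
    log.info("netlog initiated")
    try:
        nc.send(data, retry=True)
        log.info("netlog sent")
    finally:
        # Release the result-server connection; the original never closed
        # it, leaving the socket open until garbage collection.
        nc.close()
    return True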
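def finish(self):
    """Upload the captured proxy log to the result server.

    Pulls the accumulated data from ``self.m.get_logs()`` and sends it as
    ``files/proxyLog.log`` over a ``NetlogFile`` (with retry), closing the
    connection afterwards.

    @return: True once the log has been sent.
    """
    log.info("starting to send data")
    data = self.m.get_logs()
    log.info("size of log: {}".format(len(data)))

    nc = NetlogFile("files/proxyLog.log")
    log.info("netlog initiated")
    try:
        nc.send(data, retry=True)
        log.info("netlog sent")
    finally:
        # Release the result-server connection; the original never closed
        # it, leaving the socket open until garbage collection.
        nc.close()
    return True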
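def run(self):
    r"""Run capturing of usage info.

    Opens a PDH query over every per-core ``\Processor(*)\% Processor Time``
    counter (the ``_Total`` instance is skipped), then, every two seconds
    while ``self.do_run`` is set, writes one ``"<mem_load> <max_cpu>\n"``
    line to the ``aux/usage.log`` NetlogFile: ``dwMemoryLoad`` from
    ``GlobalMemoryStatusEx`` and the busiest core's rounded percentage.

    @return: operation status (always True once the loop exits).
    """
    meminfo = MEMORYSTATUSEX()
    meminfo.dwLength = sizeof(MEMORYSTATUSEX)

    # NOTE(review): a str is handed to the ANSI (...A) PDH entry points; this
    # relies on PDH's argtypes (or Python 2 semantics) for the conversion --
    # confirm, since an unconverted str would be passed as a wide string.
    counter_path = "\\Processor(*)\\% Processor Time"

    phquery = PVOID()
    PDH.PdhOpenQuery(None, None, byref(phquery))

    # Two-call pattern: the first call reports the required buffer length,
    # the second fills the buffer with NUL-separated expanded counter paths.
    buflen = DWORD(0)
    PDH.PdhExpandWildCardPathA(None, counter_path, None, byref(buflen), 0)
    buf = create_string_buffer(buflen.value + 1)
    PDH.PdhExpandWildCardPathA(None, counter_path, buf, byref(buflen), 0)
    counters = buf.raw.rstrip(b"\x00").split(b"\x00")

    counter_handles = []
    for counter in counters:
        # Per-core instances only; the aggregate instance is not sampled.
        if b"_Total" in counter:
            continue
        phcounter = PVOID()
        PDH.PdhAddCounterA(phquery, counter, None, byref(phcounter))
        counter_handles.append(phcounter)

    nf = NetlogFile()
    nf.init("aux/usage.log")

    try:
        # Prime the query before the loop so the first in-loop sample has a
        # previous sample to compute the processor-time rate against.
        PDH.PdhCollectQueryData(phquery)
        while self.do_run:
            time.sleep(2)
            PDH.PdhCollectQueryData(phquery)

            usage = PDH_FMT_COUNTERVALUE()
            bigfloat = 0.0
            for counter_handle in counter_handles:
                PDH.PdhGetFormattedCounterValue(
                    counter_handle, PDH_FMT_DOUBLE, None, byref(usage))
                if usage.doubleValue > bigfloat:
                    bigfloat = usage.doubleValue

            KERNEL32.GlobalMemoryStatusEx(byref(meminfo))
            usagedata = b"%d %d\n" % (meminfo.dwMemoryLoad, round(bigfloat))
            nf.send(usagedata)
    finally:
        # Release the PDH counters/query and the result-server connection
        # even if the sampling loop dies with an exception; the original
        # only cleaned up on the normal exit path.
        for counter_handle in counter_handles:
            PDH.PdhRemoveCounter(counter_handle)
        PDH.PdhCloseQuery(phquery)
        nf.close()

    return True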
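def stop(self):
    """Collect EMET entries from the Windows event log and upload them.

    Queries ``Win32_NTLogEvent`` through WMI (opened with the ``Security``
    privilege -- presumably so the Security log is readable too), keeps the
    events whose ``SourceName`` is ``EMET`` and sends one ``str(row)`` per
    line to the result server as ``logs/emet_events.log``.

    @return: operation status (always True).
    """
    log.info("Collecting EMET events...")
    c = wmi.WMI(privileges=['Security'])

    # Filter server-side: an unfiltered Win32_NTLogEvent query enumerates
    # every record of every event log, so push the SourceName test into the
    # WQL WHERE clause and keep the Python check as a belt-and-braces guard.
    # https://msdn.microsoft.com/en-us/library/aa394226(v=vs.85).aspx lists
    # further Win32_NTLogEvent properties that could be captured.
    rows = [
        [event.SourceName, event.Category, event.Type,
         event.ComputerName, event.User, event.Message]
        for event in c._raw_query(
            "SELECT * FROM Win32_NTLogEvent WHERE SourceName = 'EMET'")
        if event.SourceName == "EMET"
    ]
    # Local accumulator: the original appended to `dadada`, a name not
    # defined anywhere in this method.
    payload = "\n".join(str(row) for row in rows)

    nf = NetlogFile()
    nf.init("logs/emet_events.log")
    try:
        nf.send(payload)
    finally:
        # Always release the result-server connection, even if send fails.
        nf.close()
    return True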
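def finish(self):
    """Upload the captured proxy log to the result server.

    Pulls the accumulated data from ``self.m.get_logs()`` and sends it as
    ``files/proxyLog.log`` over a ``NetlogFile`` (with retry), closing the
    connection afterwards.

    @return: True once the log has been sent.
    """
    data = self.m.get_logs()
    nc = NetlogFile("files/proxyLog.log")
    try:
        nc.send(data, retry=True)
    finally:
        # Release the result-server connection; the original never closed
        # it, leaving the socket open until garbage collection.
        nc.close()
    return True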
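def finish(self):
    """Upload the captured proxy log to the result server.

    Pulls the accumulated data from ``self.m.get_logs()`` and sends it as
    ``files/proxyLog.log`` over a ``NetlogFile`` (with retry), closing the
    connection afterwards.

    @return: True once the log has been sent.
    """
    data = self.m.get_logs()
    nc = NetlogFile("files/proxyLog.log")
    try:
        nc.send(data, retry=True)
    finally:
        # Release the result-server connection; the original never closed
        # it, leaving the socket open until garbage collection.
        nc.close()
    return True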