def upload_memdump(self):
"""Upload process memory dump.
@return: operation status.
"""
if not self.pid:
log.warning(
"No valid pid specified, memory dump cannot be uploaded")
return False
bin_name = ""
bit_str = ""
file_path = os.path.join(PATHS["memory"], "{0}.dmp".format(self.pid))
nf = NetlogFile(os.path.join("memory", "{0}.dmp".format(self.pid)))
infd = open(file_path, "rb")
buf = infd.read(1024 * 1024)
try:
while buf:
nf.send(buf, retry=True)
buf = infd.read(1024 * 1024)
except:
infd.close()
nf.close()
log.warning("Upload of memory dump for process %d failed",
self.pid)
return False
infd.close()
nf.close()
log.info("Memory dump of process %d uploaded", self.pid)
return True
def dump_memory(self):
"""Dump process memory.
@return: operation status.
"""
if not self.pid:
log.warning("No valid pid specified, memory dump aborted")
return False
if not self.is_alive():
log.warning(
"The process with pid %d is not alive, memory "
"dump aborted", self.pid)
return False
bin_name = ""
bit_str = ""
file_path = os.path.join(PATHS["memory"], "{0}.dmp".format(self.pid))
if self.is_64bit():
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "dump", str(self.pid), file_path])
if ret == 1:
log.info("Dumped %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to dump %s process with pid %d, error: %d",
bit_str, self.pid, ret)
return False
else:
log.error(
"Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.",
os.path.basename(bin_name), bit_str)
return False
nf = NetlogFile(os.path.join("memory", "{0}.dmp".format(self.pid)))
infd = open(file_path, "rb")
buf = infd.read(1024 * 1024)
try:
while buf:
nf.send(buf, retry=True)
buf = infd.read(1024 * 1024)
except:
infd.close()
nf.close()
log.warning("Memory dump of process with pid %d failed", self.pid)
return False
infd.close()
nf.close()
log.info("Memory dump of process with pid %d completed", self.pid)
return True
def dump_memory(self):
"""Dump process memory.
@return: operation status.
"""
if not self.pid:
log.warning("No valid pid specified, memory dump aborted")
return False
if not self.is_alive():
log.warning("The process with pid %d is not alive, memory " "dump aborted", self.pid)
return False
bin_name = ""
bit_str = ""
file_path = os.path.join(PATHS["memory"], "{0}.dmp".format(self.pid))
if self.is_64bit():
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "dump", str(self.pid), file_path])
if ret == 1:
log.info("Dumped %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to dump %s process with pid %d, error: %d", bit_str, self.pid, ret)
return False
else:
log.error(
"Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.",
os.path.basename(bin_name),
bit_str,
)
return False
nf = NetlogFile(os.path.join("memory", "{0}.dmp".format(self.pid)))
infd = open(file_path, "rb")
buf = infd.read(1024 * 1024)
try:
while buf:
nf.send(buf, retry=True)
buf = infd.read(1024 * 1024)
except:
infd.close()
nf.close()
log.warning("Memory dump of process with pid %d failed", self.pid)
return False
infd.close()
nf.close()
log.info("Memory dump of process with pid %d completed", self.pid)
return True
def finish(self):
log.info("starting to send data")
data = self.m.get_logs()
log.info("size of log: {}".format(len(data)))
nc = NetlogFile("files/proxyLog.log")
log.info("netlog initiated")
nc.send(data, retry=True)
log.info("netlog sent")
return True
def finish(self):
log.info("starting to send data")
data = self.m.get_logs()
log.info("size of log: {}".format(len(data)))
nc = NetlogFile("files/proxyLog.log")
log.info("netlog initiated")
nc.send(data, retry=True)
log.info("netlog sent")
return True
def run(self):
"""Run capturing of usage info.
@return: operation status.
"""
meminfo = MEMORYSTATUSEX()
meminfo.dwLength = sizeof(MEMORYSTATUSEX)
phquery = PVOID()
PDH.PdhOpenQuery(None, None, byref(phquery))
buflen = DWORD()
buflen.value = 0
PDH.PdhExpandWildCardPathA(None, "\\Processor(*)\\% Processor Time",
None, byref(buflen), 0)
buf = create_string_buffer(buflen.value + 1)
PDH.PdhExpandWildCardPathA(None, "\\Processor(*)\\% Processor Time",
buf, byref(buflen), 0)
counters = buf.raw.rstrip(b"\x00").split(b"\x00")
counter_handles = []
for counter in counters:
if b"_Total" in counter:
continue
phcounter = PVOID()
PDH.PdhAddCounterA(phquery, counter, None, byref(phcounter))
counter_handles.append(phcounter)
nf = NetlogFile()
nf.init("aux/usage.log")
PDH.PdhCollectQueryData(phquery)
while self.do_run:
time.sleep(2)
PDH.PdhCollectQueryData(phquery)
usage = PDH_FMT_COUNTERVALUE()
bigfloat = 0.0
for counter_handle in counter_handles:
PDH.PdhGetFormattedCounterValue(counter_handle, PDH_FMT_DOUBLE,
None, byref(usage))
if usage.doubleValue > bigfloat:
bigfloat = usage.doubleValue
KERNEL32.GlobalMemoryStatusEx(byref(meminfo))
usagedata = b"%d %d\n" % (meminfo.dwMemoryLoad, round(bigfloat))
nf.send(usagedata)
for counter_handle in counter_handles:
PDH.PdhRemoveCounter(counter_handle)
PDH.PdhCloseQuery(phquery)
nf.close()
return True
def stop(self):
log.info("Collecting EMET events...")
c = wmi.WMI(privileges=['Security'])
for event in c._raw_query('SELECT * FROM Win32_NTLogEvent'):
if event.SourceName == "EMET":
#https://msdn.microsoft.com/en-us/library/aa394226(v=vs.85).aspx maybe add more values?
dadada.append([event.SourceName, event.Category, event.Type, event.ComputerName, event.User, event.Message])
bleekscheet = "\n".join(str(x) for x in dadada)
nf = NetlogFile()
nf.init("logs/emet_events.log")
nf.send(bleekscheet)
nf.close()
return True
def finish(self):
data = self.m.get_logs()
nc = NetlogFile("files/proxyLog.log")
nc.send(data, retry=True)
return True
def finish(self):
data = self.m.get_logs()
nc = NetlogFile("files/proxyLog.log")
nc.send(data, retry=True)
return True
