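def get_pshconnection(pshport):
    """Return the set of remote IPs currently connected to local port *pshport*.

    Connections are enumerated from PID 4 -- the Windows ``System`` process,
    which is where kernel-owned (HTTP.sys) listeners such as WinRM's show up;
    confirm that holds for the target host. A connection is counted only when
    it has a remote endpoint and its remote IP differs from its local IP, so
    loopback / self connections are never reported as attackers.

    NOTE(review): because same-IP pairs are dropped, a session relayed through
    a local port-forward would not be attributed -- verify that is intended.

    Args:
        pshport: local TCP port to match against ``conn.laddr[1]``.

    Returns:
        set[str]: distinct remote IP addresses; empty when nothing matches.
    """
    p = psutil.Process(4)
    attackers = []
    # Process.connections() is what this file's psutil version provides; newer
    # psutil (>= 6) deprecates it in favour of net_connections() -- TODO confirm.
    for conn in p.connections():
        # `<>` is Python 2-only syntax; `!=` is the same comparison on 2 and 3.
        if (conn.laddr[1] == pshport and conn.raddr != ()
                and conn.laddr[0] != conn.raddr[0]):
            pshutils.print_console(pshutils.INFO_LEVEL, str(conn))
            attackers.append(conn.raddr[0])
    return set(attackers)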
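def get_pshconnection(pshport):
    """Return the set of remote IPs currently connected to local port *pshport*.

    Connections are enumerated from PID 4 -- the Windows ``System`` process,
    which is where kernel-owned (HTTP.sys) listeners such as WinRM's show up;
    confirm that holds for the target host. A connection is counted only when
    it has a remote endpoint and its remote IP differs from its local IP, so
    loopback / self connections are never reported as attackers.

    NOTE(review): because same-IP pairs are dropped, a session relayed through
    a local port-forward would not be attributed -- verify that is intended.

    Args:
        pshport: local TCP port to match against ``conn.laddr[1]``.

    Returns:
        set[str]: distinct remote IP addresses; empty when nothing matches.
    """
    p = psutil.Process(4)
    attackers = []
    # Process.connections() is what this file's psutil version provides; newer
    # psutil (>= 6) deprecates it in favour of net_connections() -- TODO confirm.
    for conn in p.connections():
        # `<>` is Python 2-only syntax; `!=` is the same comparison on 2 and 3.
        if (conn.laddr[1] == pshport and conn.raddr != ()
                and conn.laddr[0] != conn.raddr[0]):
            pshutils.print_console(pshutils.INFO_LEVEL, str(conn))
            attackers.append(conn.raddr[0])
    return set(attackers)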
def post_recv(self, event, retval):
    """Post-hook for recv(): forward interesting inbound payloads to the tracer.

    Reads the receive buffer (the second hooked parameter) out of the debuggee
    with peek_string, which stops at the first NUL, and forwards it when it is
    longer than one byte and contains one of a few case-sensitive markers
    ('function', 'Get', 'http', 'Post') suggestive of PowerShell/HTTP traffic.

    NOTE(review): *retval* (what recv() actually returned) is not consulted, so
    a failed or zero-length receive can still forward stale buffer contents --
    verify whether that is acceptable for this honeypot.

    Args:
        event: winappdbg hook event for the intercepted call.
        retval: return value of the hooked recv(); currently unused.
    """
    markers = ('function', 'Get', 'http', 'Post')
    process = event.get_process()
    params = event.hook.get_params(event.get_tid())
    buf = process.peek_string(params[1])
    if len(buf) > 1 and any(marker in buf for marker in markers):
        pshutils.print_console(pshutils.INFO_LEVEL, "capturing: " + str(len(buf)))
        # Recipients are the attacker IPs recorded on this handler (the class
        # header is outside this view; presumably `attackers` maps to
        # `_attackers` via a property -- confirm).
        remote_trace(list(self._attackers), buf)
def monitor_wsmprovhost(pid, ref):
    """Attach a WSMProvHost hook to process *pid* on a background thread.

    Requests debug privileges for the current process, refreshes winappdbg's
    process snapshot, seeds the handler's attacker set with the peers
    currently connected to the WinRM HTTP port (5985), then starts
    intercept_wsmprovhost in a new thread and waits one second before
    returning so the hook has time to attach.

    NOTE(review): the attacker set is a one-time snapshot taken here; unless
    something else refreshes it, sessions opened later are not attributed --
    confirm.

    Args:
        pid: PID of the wsmprovhost.exe instance to hook.
        ref: accepted for call-site compatibility; not used here.

    Returns:
        None. The interception thread keeps running after this returns.
    """
    winrm_http_port = 5985
    dbg_system = winappdbg.System()
    dbg_system.request_debug_privileges()
    dbg_system.scan_processes()
    pshutils.print_console(pshutils.SUCCESS_LEVEL, "hooking " + str(pid))
    handler = WSMProvHostEventHandler()
    handler.attackers = get_pshconnection(winrm_http_port)
    worker = Thread(target=intercept_wsmprovhost, args=(pid, handler))
    worker.start()
    time.sleep(1)
    pshutils.print_console(pshutils.INFO_LEVEL, "back to main from " + str(pid))
def post_recv(self, event, retval):
    """Post-hook for recv(): forward interesting inbound payloads to the tracer.

    Reads the receive buffer (the second hooked parameter) out of the debuggee
    with peek_string, which stops at the first NUL, and forwards it when it is
    longer than one byte and contains one of a few case-sensitive markers
    ('function', 'Get', 'http', 'Post') suggestive of PowerShell/HTTP traffic.

    NOTE(review): *retval* (what recv() actually returned) is not consulted, so
    a failed or zero-length receive can still forward stale buffer contents --
    verify whether that is acceptable for this honeypot.

    Args:
        event: winappdbg hook event for the intercepted call.
        retval: return value of the hooked recv(); currently unused.
    """
    markers = ('function', 'Get', 'http', 'Post')
    process = event.get_process()
    params = event.hook.get_params(event.get_tid())
    buf = process.peek_string(params[1])
    if len(buf) > 1 and any(marker in buf for marker in markers):
        pshutils.print_console(pshutils.INFO_LEVEL, "capturing: " + str(len(buf)))
        # Recipients are the attacker IPs recorded on this handler (the class
        # header is outside this view; presumably `attackers` maps to
        # `_attackers` via a property -- confirm).
        remote_trace(list(self._attackers), buf)
def monitor_wsmprovhost(pid, ref):
    """Attach a WSMProvHost hook to process *pid* on a background thread.

    Requests debug privileges for the current process, refreshes winappdbg's
    process snapshot, seeds the handler's attacker set with the peers
    currently connected to the WinRM HTTP port (5985), then starts
    intercept_wsmprovhost in a new thread and waits one second before
    returning so the hook has time to attach.

    NOTE(review): the attacker set is a one-time snapshot taken here; unless
    something else refreshes it, sessions opened later are not attributed --
    confirm.

    Args:
        pid: PID of the wsmprovhost.exe instance to hook.
        ref: accepted for call-site compatibility; not used here.

    Returns:
        None. The interception thread keeps running after this returns.
    """
    winrm_http_port = 5985
    dbg_system = winappdbg.System()
    dbg_system.request_debug_privileges()
    dbg_system.scan_processes()
    pshutils.print_console(pshutils.SUCCESS_LEVEL, "hooking " + str(pid))
    handler = WSMProvHostEventHandler()
    handler.attackers = get_pshconnection(winrm_http_port)
    worker = Thread(target=intercept_wsmprovhost, args=(pid, handler))
    worker.start()
    time.sleep(1)
    pshutils.print_console(pshutils.INFO_LEVEL, "back to main from " + str(pid))
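def pre_ExitProcess(self, event, ra, uExitCode):
    """Pre-hook for ExitProcess(): dump recovered PowerShell artefacts before exit.

    Runs search_mem over the exiting process, prints every hit to the console
    and forwards one "[kind]: value" line per hit to remote_trace for the
    attackers recorded on this handler. Runs before the process really exits,
    while its memory is still readable.

    Every message now goes through pshutils.print_console like the rest of the
    handlers; the two bare Python 2 ``print`` statements the original used are
    both inconsistent with the siblings and invalid on Python 3.

    Args:
        event: winappdbg hook event for the intercepted call.
        ra: return address of the hooked call; unused.
        uExitCode: exit code passed to ExitProcess; unused.
    """
    pshutils.print_console(pshutils.INFO_LEVEL, "Pre_ExitProcess is called")
    process = event.get_process()
    pshmemTbl = search_mem(process)
    for key in pshmemTbl:
        kind = pshmemTbl[key][0]
        value = pshmemTbl[key][1]
        pshutils.print_console(pshutils.INFO_LEVEL, key)
        pshutils.print_console(pshutils.INFO_LEVEL, kind + " : " + value)
        pshutils.print_console(pshutils.INFO_LEVEL, "---------------------------------------------")
        # `value` is memory recovered from the attacker's session: downstream
        # consumers must treat it as untrusted when rendering or storing it.
        remote_trace(list(self._attackers), "[" + kind + "]: " + value)
    pshutils.print_console(pshutils.INFO_LEVEL, str(process.get_pid()) + " Now exiting")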
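def pre_CreateProcessW(self, event, ra, lpApplicationName, lpCommandLine,
                       lpProcessAttributes, lpThreadAttributes, bInheritHandles,
                       dwCreationFlags, lpEnvironment, lpCurrentDirectory,
                       lpStartupInfo, lpProcessInformation):
    """Pre-hook for CreateProcessW(): record every child process the host spawns.

    Reads lpApplicationName and lpCommandLine (UTF-16) out of the debuggee and
    reports them as a two-element list ``[appname, cmdline]`` to the console
    and to remote_trace for the attackers recorded on this handler. This is
    the hook that exposes the commands run through the WinRM session.

    Only the two string pointers are used; the other CreateProcessW parameters
    are accepted to match the hook's signature. Any failure while reading
    memory or forwarding is logged at ERROR_LEVEL and swallowed so a bad
    pointer never takes the debugger down.

    NOTE(review): lpApplicationName is commonly NULL for CreateProcessW
    callers; what peek_string yields for address 0 is left to winappdbg --
    confirm it returns an empty string rather than raising.

    Args:
        event: winappdbg hook event for the intercepted call.
        ra: return address of the hooked call; unused.
        lpApplicationName, lpCommandLine: pointers into the debuggee's memory.
    """
    pshutils.print_console(pshutils.INFO_LEVEL, "pre_CreateProcessW is called")
    process = event.get_process()
    try:
        appname = process.peek_string(lpApplicationName, fUnicode=True)
        cmdline = process.peek_string(lpCommandLine, fUnicode=True)
        cmdlist = [appname, cmdline]
        pshutils.print_console(pshutils.INFO_LEVEL, cmdlist)
        # Both strings are attacker-controlled input; consumers of remote_trace
        # must not interpolate them into shell commands or unescaped log formats.
        remote_trace(list(self._attackers), cmdlist)
    except Exception as e:  # `except Exception, e` is Python 2-only syntax
        pshutils.print_console(pshutils.ERROR_LEVEL, "[-] Error in hooking " + str(e))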
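def pre_ExitProcess(self, event, ra, uExitCode):
    """Pre-hook for ExitProcess(): dump recovered PowerShell artefacts before exit.

    Runs search_mem over the exiting process, prints every hit to the console
    and forwards one "[kind]: value" line per hit to remote_trace for the
    attackers recorded on this handler. Runs before the process really exits,
    while its memory is still readable.

    Every message now goes through pshutils.print_console like the rest of the
    handlers; the two bare Python 2 ``print`` statements the original used are
    both inconsistent with the siblings and invalid on Python 3.

    Args:
        event: winappdbg hook event for the intercepted call.
        ra: return address of the hooked call; unused.
        uExitCode: exit code passed to ExitProcess; unused.
    """
    pshutils.print_console(pshutils.INFO_LEVEL, "Pre_ExitProcess is called")
    process = event.get_process()
    pshmemTbl = search_mem(process)
    for key in pshmemTbl:
        kind = pshmemTbl[key][0]
        value = pshmemTbl[key][1]
        pshutils.print_console(pshutils.INFO_LEVEL, key)
        pshutils.print_console(pshutils.INFO_LEVEL, kind + " : " + value)
        pshutils.print_console(pshutils.INFO_LEVEL, "---------------------------------------------")
        # `value` is memory recovered from the attacker's session: downstream
        # consumers must treat it as untrusted when rendering or storing it.
        remote_trace(list(self._attackers), "[" + kind + "]: " + value)
    pshutils.print_console(pshutils.INFO_LEVEL, str(process.get_pid()) + " Now exiting")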
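def pre_CreateProcessW(self, event, ra, lpApplicationName, lpCommandLine,
                       lpProcessAttributes, lpThreadAttributes, bInheritHandles,
                       dwCreationFlags, lpEnvironment, lpCurrentDirectory,
                       lpStartupInfo, lpProcessInformation):
    """Pre-hook for CreateProcessW(): record every child process the host spawns.

    Reads lpApplicationName and lpCommandLine (UTF-16) out of the debuggee and
    reports them as a two-element list ``[appname, cmdline]`` to the console
    and to remote_trace for the attackers recorded on this handler. This is
    the hook that exposes the commands run through the WinRM session.

    Only the two string pointers are used; the other CreateProcessW parameters
    are accepted to match the hook's signature. Any failure while reading
    memory or forwarding is logged at ERROR_LEVEL and swallowed so a bad
    pointer never takes the debugger down.

    NOTE(review): lpApplicationName is commonly NULL for CreateProcessW
    callers; what peek_string yields for address 0 is left to winappdbg --
    confirm it returns an empty string rather than raising.

    Args:
        event: winappdbg hook event for the intercepted call.
        ra: return address of the hooked call; unused.
        lpApplicationName, lpCommandLine: pointers into the debuggee's memory.
    """
    pshutils.print_console(pshutils.INFO_LEVEL, "pre_CreateProcessW is called")
    process = event.get_process()
    try:
        appname = process.peek_string(lpApplicationName, fUnicode=True)
        cmdline = process.peek_string(lpCommandLine, fUnicode=True)
        cmdlist = [appname, cmdline]
        pshutils.print_console(pshutils.INFO_LEVEL, cmdlist)
        # Both strings are attacker-controlled input; consumers of remote_trace
        # must not interpolate them into shell commands or unescaped log formats.
        remote_trace(list(self._attackers), cmdlist)
    except Exception as e:  # `except Exception, e` is Python 2-only syntax
        pshutils.print_console(pshutils.ERROR_LEVEL, "[-] Error in hooking " + str(e))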