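def get_pshconnection(pshport, pid=4):
    """Return the set of remote IPs currently connected to local port ``pshport``.

    Connections are enumerated on process ``pid``; the default 4 is the
    Windows System process (NOTE(review): presumably because the WinRM
    listener is kernel-owned and its sockets show up there — confirm on the
    target host). A connection is included only when its local port equals
    ``pshport``, it has a remote endpoint, and the remote IP differs from the
    local IP. Every remote peer that matches is included; there is no
    allowlist, so legitimate administrators on the same port are returned too.

    Each matching connection is echoed via pshutils.print_console at
    INFO_LEVEL before its remote IP is recorded.
    """
    proc = psutil.Process(pid)
    attackers = set()  # set from the start: the caller only ever got unique IPs
    for conn in proc.connections():
        # Listening / unconnected sockets carry an empty raddr; skip them.
        if conn.laddr[1] != pshport or not conn.raddr:
            continue
        # Drop connections whose remote IP equals the local IP (self-traffic).
        if conn.laddr[0] == conn.raddr[0]:
            continue
        pshutils.print_console(pshutils.INFO_LEVEL, str(conn))
        attackers.add(conn.raddr[0])
    return attackers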
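def get_pshconnection(pshport, pid=4):
    """Collect remote IPs with an established connection to local port ``pshport``.

    Args:
        pshport: local TCP port to match against each connection's laddr port.
        pid: process whose connection table is inspected. Defaults to 4, the
            Windows System process (NOTE(review): presumably where the WinRM
            listener's sockets appear — verify on the host).

    Returns:
        A set of remote IP strings. A connection qualifies when its local port
        is ``pshport``, it has a remote endpoint, and the remote IP is not the
        same as the local IP. No allowlisting is applied, so every peer on the
        port is returned.

    Matching connections are logged through pshutils.print_console at
    INFO_LEVEL.
    """
    proc = psutil.Process(pid)
    remote_ips = set()
    for conn in proc.connections():
        local_ip, local_port = conn.laddr[0], conn.laddr[1]
        established = bool(conn.raddr)  # empty raddr means listening/unconnected
        if local_port == pshport and established and local_ip != conn.raddr[0]:
            pshutils.print_console(pshutils.INFO_LEVEL, str(conn))
            remote_ips.add(conn.raddr[0])
    return remote_ips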
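    def post_recv(self, event, retval):
        """Hook run after the debuggee's recv() returns; forward interesting buffers.

        Reads the receive buffer (the hooked call's second parameter) from the
        target process. When it is longer than one character and contains one
        of a few PowerShell/HTTP markers, the buffer length is logged at
        INFO_LEVEL and the raw buffer is handed to remote_trace together with
        the current attacker list. ``retval`` belongs to the hook signature
        and is not used.
        """
        process = event.get_process()
        tid = event.get_tid()
        params = event.hook.get_params(tid)

        # params[1] is the caller's buffer pointer. peek_string reads a
        # NUL-terminated string, so binary payloads are likely truncated at the
        # first NUL — NOTE(review): confirm against the peek_string contract.
        buf = process.peek_string(params[1])
        buflen = len(buf)

        # Crude content sniff. The buffer comes straight from the remote peer and
        # is forwarded as-is; nothing here parses or executes it.
        markers = ('function', 'Get', 'http', 'Post')
        if buflen > 1 and any(marker in buf for marker in markers):
            eventlog = "capturing: " + str(buflen)
            pshutils.print_console(pshutils.INFO_LEVEL, eventlog)
            remote_trace(list(self._attackers), buf)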
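def monitor_wsmprovhost(pid, ref, pshport=5985):
    """Attach a WSMProvHostEventHandler to process ``pid`` on a worker thread.

    Args:
        pid: process id of the wsmprovhost.exe instance to hook.
        ref: accepted for signature compatibility; not used here.
        pshport: local port whose current remote peers seed the handler's
            attacker set (default 5985, the plain-HTTP WinRM port).

    Side effects: requests debug privileges for the current process, scans the
    process list, logs progress through pshutils.print_console, and starts a
    non-daemon Thread running intercept_wsmprovhost(pid, handler). Returns
    None once the thread has been started and a one-second grace period has
    elapsed.
    """
    system = winappdbg.System()
    system.request_debug_privileges()
    system.scan_processes()

    pshutils.print_console(pshutils.SUCCESS_LEVEL, "hooking " + str(pid))

    handler = WSMProvHostEventHandler()
    # NOTE(review): the hook methods read self._attackers, while this assigns
    # `attackers` — confirm WSMProvHostEventHandler exposes a property that
    # backs _attackers, otherwise the hooks see an empty/unset attacker list.
    handler.attackers = get_pshconnection(pshport)
    worker = Thread(target=intercept_wsmprovhost, args=(pid, handler))
    worker.start()
    # Presumably gives the debugger thread time to attach before we return.
    time.sleep(1)

    pshutils.print_console(pshutils.INFO_LEVEL, "back to main from " + str(pid))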
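    def post_recv(self, event, retval):
        """Post-recv hook: capture buffers that look like PowerShell/HTTP traffic.

        The hooked call's second parameter is treated as the receive buffer
        pointer and read from the target process. If the string is longer than
        one character and contains any of 'function', 'Get', 'http' or 'Post',
        its length is logged at INFO_LEVEL and the buffer is passed to
        remote_trace with the current attacker list. ``retval`` is part of the
        hook signature and unused.
        """
        process = event.get_process()
        tid = event.get_tid()
        params = event.hook.get_params(tid)

        # NOTE(review): peek_string reads a NUL-terminated string, so a binary
        # receive buffer is probably cut at the first NUL — confirm.
        buf = process.peek_string(params[1])
        buflen = len(buf)
        if buflen <= 1:
            return

        # Content sniff only; the data is attacker-supplied and is forwarded
        # verbatim, never interpreted here.
        looks_interesting = ('function' in buf or 'Get' in buf
                             or 'http' in buf or 'Post' in buf)
        if looks_interesting:
            eventlog = "capturing: " + str(buflen)
            pshutils.print_console(pshutils.INFO_LEVEL, eventlog)
            remote_trace(list(self._attackers), buf)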
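def monitor_wsmprovhost(pid, ref, pshport=5985):
    """Start hooking process ``pid`` with a WSMProvHostEventHandler.

    Args:
        pid: id of the wsmprovhost.exe process to intercept.
        ref: unused; kept so existing callers keep working.
        pshport: local port used to seed the handler's attacker set from the
            peers currently connected to it (default 5985, WinRM over HTTP).

    Requests debug privileges, scans processes, logs via pshutils.print_console
    and launches intercept_wsmprovhost(pid, handler) on a non-daemon Thread.
    Returns None after a one-second pause.
    """
    dbg_system = winappdbg.System()
    dbg_system.request_debug_privileges()
    dbg_system.scan_processes()

    pshutils.print_console(pshutils.SUCCESS_LEVEL, "hooking " + str(pid))

    handler = WSMProvHostEventHandler()
    # NOTE(review): hook methods read self._attackers but this sets `attackers`;
    # verify the class maps one onto the other.
    handler.attackers = get_pshconnection(pshport)
    hook_thread = Thread(target=intercept_wsmprovhost, args=(pid, handler))
    hook_thread.start()
    time.sleep(1)  # presumably lets the debugger thread attach first

    pshutils.print_console(pshutils.INFO_LEVEL,
                           "back to main from " + str(pid))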
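 def pre_ExitProcess(self, event, ra, uExitCode):
     """Pre-ExitProcess hook: dump and forward the strings found in process memory.

     search_mem(process) returns a mapping whose values are indexable with
     [0] and [1] (both concatenated as strings below). For each entry the key,
     "value[0] : value[1]" and a separator are logged at INFO_LEVEL, and
     "[value[0]]: value[1]" is passed to remote_trace with the attacker list.
     ``ra`` and ``uExitCode`` are part of the hook signature and unused.
     """
     # Routed through print_console like the other hooks (was a bare print).
     pshutils.print_console(pshutils.INFO_LEVEL, "Pre_ExitProcess is called")
     process = event.get_process()
     pshmemTbl = search_mem(process)
     separator = "---------------------------------------------"
     for key in pshmemTbl:
         entry = pshmemTbl[key]
         label, value = entry[0], entry[1]
         pshutils.print_console(pshutils.INFO_LEVEL, key)
         pshutils.print_console(pshutils.INFO_LEVEL, label + " : " + value)
         pshutils.print_console(pshutils.INFO_LEVEL, separator)

         logs = "[" + label + "]: " + value
         remote_trace(list(self._attackers), logs)
     pshutils.print_console(pshutils.INFO_LEVEL,
                            str(process.get_pid()) + " Now exiting")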
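 def pre_CreateProcessW(self, event, ra, lpApplicationName, lpCommandLine,
                        lpProcessAttributes, lpThreadAttributes, bInheritHandles,
                        dwCreationFlags, lpEnvironment, lpCurrentDirectory,
                        lpStartupInfo, lpProcessInformation):
     """Pre-CreateProcessW hook: log and forward the command being spawned.

     Reads the application name and command line as UTF-16 strings from the
     target process and sends ``[appname, cmdline]`` to print_console
     (INFO_LEVEL) and to remote_trace with the attacker list. Only the two
     string pointers are used; the remaining parameters exist because the
     hook signature mirrors CreateProcessW. Any exception is logged at
     ERROR_LEVEL and swallowed so the hooked process keeps running.
     """
     pshutils.print_console(pshutils.INFO_LEVEL, "pre_CreateProcessW is called")

     process = event.get_process()
     try:
         # NOTE(review): lpApplicationName may be NULL for many callers;
         # confirm peek_string tolerates address 0 rather than raising.
         appname = process.peek_string(lpApplicationName, fUnicode=True)
         cmdline = process.peek_string(lpCommandLine, fUnicode=True)
         cmdlist = [appname, cmdline]
         pshutils.print_console(pshutils.INFO_LEVEL, cmdlist)
         remote_trace(list(self._attackers), cmdlist)
     except Exception as e:  # `as` form is valid on both Python 2.6+ and 3
         pshutils.print_console(pshutils.ERROR_LEVEL,
                                "[-] Error in hooking " + str(e))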
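    def pre_ExitProcess(self, event, ra, uExitCode):
        """Hook run before the debuggee calls ExitProcess; report memory findings.

        Calls search_mem(process) and, for each key in the returned mapping,
        logs the key, "entry[0] : entry[1]" and a separator line at
        INFO_LEVEL, then forwards "[entry[0]]: entry[1]" to remote_trace
        together with the attacker list. ``ra`` and ``uExitCode`` are hook
        signature parameters and are not used.
        """
        # Bare prints replaced by print_console for consistency with the hooks.
        pshutils.print_console(pshutils.INFO_LEVEL, "Pre_ExitProcess is called")
        process = event.get_process()
        pshmemTbl = search_mem(process)
        rule = "---------------------------------------------"
        for key in pshmemTbl:
            name, text = pshmemTbl[key][0], pshmemTbl[key][1]
            for line in (key, name + " : " + text, rule):
                pshutils.print_console(pshutils.INFO_LEVEL, line)

            logs = "[" + name + "]: " + text
            remote_trace(list(self._attackers), logs)
        pshutils.print_console(pshutils.INFO_LEVEL,
                               str(process.get_pid()) + " Now exiting")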
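    def pre_CreateProcessW(self, event, ra, lpApplicationName, lpCommandLine,
                           lpProcessAttributes, lpThreadAttributes,
                           bInheritHandles, dwCreationFlags, lpEnvironment,
                           lpCurrentDirectory, lpStartupInfo,
                           lpProcessInformation):
        """Hook run before the debuggee's CreateProcessW; capture the command line.

        The application name and command line are read from the target as
        UTF-16 strings and reported as ``[appname, cmdline]`` both to
        print_console (INFO_LEVEL) and to remote_trace with the attacker list.
        The other parameters mirror the CreateProcessW signature and are
        unused. Failures are logged at ERROR_LEVEL and swallowed so the hooked
        process is not disturbed.
        """
        pshutils.print_console(pshutils.INFO_LEVEL,
                               "pre_CreateProcessW is called")

        process = event.get_process()
        try:
            # NOTE(review): lpApplicationName is frequently NULL; verify
            # peek_string handles address 0 gracefully.
            appname = process.peek_string(lpApplicationName, fUnicode=True)
            cmdline = process.peek_string(lpCommandLine, fUnicode=True)
            cmdlist = [appname, cmdline]
            pshutils.print_console(pshutils.INFO_LEVEL, cmdlist)
            remote_trace(list(self._attackers), cmdlist)
        except Exception as e:  # portable across Python 2.6+ and 3
            pshutils.print_console(pshutils.ERROR_LEVEL,
                                   "[-] Error in hooking " + str(e))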