def start(self, path):
# TODO: proper constructor for MySQL connection handler
host = "10.0.20.1"
user = "******"
passwd = "avtest"
dbname = "avtest"
conn = MySQLdb.connect(host, user, passwd, dbname)
cursor = conn.cursor()
task_id = self.get_task_id()
p = Process()
if "arguments" in self.options:
x = p.execute(path=path, args=self.options["arguments"], suspended=False)
else:
x = p.execute(path=path, suspended=False)
if x == True:
cursor.execute("UPDATE tasks SET detected = %s WHERE id = %s",
(1, task_id))
conn.commit()
elif x == False:
cursor.execute("UPDATE tasks SET detected = %s WHERE id = %s",
(2, task_id))
conn.commit()
else:
return False
return p.pid
def start(self, path):
p = Process()
dll = self.options.get("dll")
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject(dll)
p.resume()
return p.pid
def start(self, path):
p = Process()
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
# TODO: proper constructor for MySQL connection handler
host = "10.0.20.1"
user = "******"
passwd = "avtest"
dbname = "avtest"
conn = MySQLdb.connect(host, user, passwd, dbname)
cursor = conn.cursor()
task_id = self.get_task_id()
p = Process()
if "arguments" in self.options:
x = p.execute(path=path,
args=self.options["arguments"],
suspended=False)
else:
x = p.execute(path=path, suspended=False)
if x == True:
cursor.execute("UPDATE tasks SET detected = %s WHERE id = %s",
(1, task_id))
conn.commit()
elif x == False:
cursor.execute("UPDATE tasks SET detected = %s WHERE id = %s",
(2, task_id))
conn.commit()
else:
return False
return p.pid
def start(self, path):
p = Process()
dll = self.options.get("dll")
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject(dll)
p.resume()
return p.pid
def start(self, path):
p = Process()
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE", args=arg, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe", args=arg, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe", args=arg, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\WINDOWS\\system32\\cmd.exe", args=arg, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
p = Process()
free = self.options.get("free")
dll = self.options.get("dll")
p.execute(path="bin/flashplayer.exe", args=path, suspended=True)
p.inject(dll, path)
p.resume()
if free:
return None
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe",
args=arg,
suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
p = Process()
execsc = "extra/execsc.exe"
p.execute(path=execsc, args=path, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(
path="C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe",
args=arg,
suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(
path="C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE",
args=arg,
suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
self.procmon = Process()
p = Process()
self.procmon.execute(path="C:\\Procmon\\Procmon.exe", args="/Quiet /backingfile C:\\procmon", suspended=False)
self.procmon.execute(path="C:\\Procmon\\Procmon.exe", args="/WaitForIdle", suspended=False)
url = self.options["url"]
url = url + "=" * (-len(url) % 4)
url = base64.b64decode(url)
p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe", args=url, suspended=True)
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
self.procmon = Process()
p = Process()
self.procmon.execute(path="C:\\Procmon\Procmon.exe", args="/Quiet /backingfile C:\\procmon", suspended=False)
self.procmon.execute(path="C:\\Procmon\Procmon.exe", args="/WaitForIdle", suspended=False)
if "arguments" in self.options:
p.execute(path=path, args=self.options["arguments"], suspended=True)
else:
p.execute(path=path, suspended=True)
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
self.procmon = Process()
p = Process()
self.procmon.execute(path = "C:\\Procmon\Procmon.exe", args = "/Quiet /backingfile C:\\procmon", suspended = False)
self.procmon.execute(path = "C:\\Procmon\Procmon.exe", args = "/WaitForIdle", suspended = False)
if "arguments" in self.options:
p.execute(path = path, args = self.options["arguments"], suspended = True)
else:
p.execute(path = path, suspended = True)
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
# p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe", args=arg, suspended=True)
url = self.options["url"]
url = url + "=" * (-len(url)%4)
url = base64.b64decode(url)
p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe", args=url, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
self.procmon = Process()
p = Process()
self.procmon.execute(path = "C:\\Procmon\\Procmon.exe", args = "/Quiet /backingfile C:\\procmon", suspended = False)
self.procmon.execute(path = "C:\\Procmon\\Procmon.exe", args = "/WaitForIdle", suspended = False)
url = self.options["url"]
url = url + "=" * (-len(url)%4)
url = base64.b64decode(url)
p.execute(path = "C:\\Program Files\\Internet Explorer\\iexplore.exe", args=url, suspended = True)
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
# p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe", args=arg, suspended=True)
url = self.options["url"]
url = url + "=" * (-len(url) % 4)
url = base64.b64decode(url)
p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe",
args=url,
suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
p = Process()
dll = self.options.get("dll")
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject(dll)
p.resume()
return p.pid
def start(self, path):
p = Process()
if "arguments" in self.options:
p.execute(path=path, args=self.options["arguments"], suspended=True)
else:
p.execute(path=path, suspended=True)
if self.options.get("free", "no") != "yes":
p.inject()
p.resume()
return p.pid
def run(self):
self.do_run = self.options.get("startbrowser", False)
url = self.options.get("url")
browserdelay = int(self.options.get("browserdelay", "30"))
while self.do_run:
time.sleep(1)
self.seconds_elapsed = self.seconds_elapsed + 1
if self.seconds_elapsed == browserdelay:
iexplore = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe")
ie = Process()
if not url:
url = "https://www.yahoo.com/"
ie.execute(path=iexplore, args="\"" + url + "\"", suspended=False)
ie.close()
def start(self, path):
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
p = Process()
dll = self.options.get("dll")
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject(dll)
p.resume()
return p.pid
def execute(self, path, args, mode=None, maximize=False, env=None,
source=None, trigger=None):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param mode: monitor mode - which functions to instrument
@param maximize: whether the GUI should start maximized
@param env: additional environment variables
@param source: parent process of our process
@param trigger: trigger to indicate analysis start
@return: process pid
"""
dll = self.options.get("dll")
free = self.options.get("free")
source = source or self.options.get("from")
mode = mode or self.options.get("mode")
# Setup pre-defined registry keys.
self.init_regkeys(self.REGKEYS)
p = Process()
if not p.execute(path=path, args=args, dll=dll, free=free,
curdir=self.curdir, source=source, mode=mode,
maximize=maximize, env=env, trigger=trigger):
raise CuckooPackageError(
"Unable to execute the initial process, analysis aborted."
)
return p.pid
def start(self, path):
free = self.options.get("free", False)
args = self.options.get("arguments", None)
dll = self.options.get("dll", None)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, "
"analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
p.close()
return p.pid
else:
return None
def start(self, path):
powershell = self.get_path()
if not powershell:
raise CuckooPackageError(
"Unable to find any PowerShell executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
args = "-NoProfile -ExecutionPolicy unrestricted -File \"{0}\"".format(
path)
p = Process()
if not p.execute(path=powershell, args=args, suspended=suspended):
raise CuckooPackageError(
"Unable to execute initial PowerShell process, analysis aborted"
)
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
word = self.get_path()
if not word:
raise CuckooPackageError("Unable to find any Microsoft "
"Office Word executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=word, args="\"%s\"" % path, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Microsoft "
"Office Word process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def run(self):
startbrowser = self.options.get("startbrowser")
url = self.options.get("url")
if not startbrowser:
return True
while self.do_run:
time.sleep(1000)
self.seconds_elapsed = self.seconds_elapsed + 1
if self.seconds_elapsed == 30:
iexplore = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe")
ie = Process()
if not url:
url = "https://www.yahoo.com/"
ie.execute(path=iexplore, args="\"" + url + "\"", suspended=False)
ie.close()
def start(self, path):
wscript = self.get_path()
if not wscript:
raise CuckooPackageError("Unable to find any WScript "
"executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=wscript,
args="\"{0}\"".format(path),
suspended=suspended):
raise CuckooPackageError("Unable to execute initial WScript "
"process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
excel = self.get_path()
if not excel:
raise CuckooPackageError(
"Unable to find any Microsoft Office Excel executable available"
)
free = self.options.get("free", False)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=excel, args="\"%s\"" % path,
suspended=suspended):
raise CuckooPackageError(
"Unable to execute initial Microsoft Office Excel process, analysis aborted"
)
if not free and suspended:
p.inject()
p.resume()
return p.pid
else:
return None
def start(self, path):
free = self.options.get("free", False)
function = self.options.get("function", "DllMain")
arguments = self.options.get("arguments", None)
dll = self.options.get("dll", None)
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
args = "{0},{1}".format(path, function)
if arguments:
args += " {0}".format(arguments)
p = Process()
if not p.execute(path="C:\\WINDOWS\\system32\\rundll32.exe", args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute rundll32, " "analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
root = os.environ["TEMP"]
with ZipFile(path, "r") as archive:
try:
archive.extractall(root)
except BadZipfile as e:
raise CuckooPackageError("Invalid Zip file")
except RuntimeError:
try:
archive.extractall(path=root, pwd="infected")
except RuntimeError as e:
raise CuckooPackageError(
"Unable to extract Zip file, unknown password?")
file_path = os.path.join(root, self.options.get("file", "sample.exe"))
free = self.options.get("free", False)
args = self.options.get("arguments", None)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=file_path, args=args, suspended=suspended):
raise CuckooPackageError(
"Unable to execute initial process, analysis aborted")
if not free and suspended:
p.inject()
p.resume()
return p.pid
else:
return None
def start(self, path):
wscript = self.get_path()
if not wscript:
raise CuckooPackageError("Unable to find any WScript "
"executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=wscript, args="\"{0}\"".format(path), suspended=suspended):
raise CuckooPackageError("Unable to execute initial WScript "
"process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, url):
free = self.options.get("free", False)
dll = self.options.get("dll", None)
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
iexplore = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer",
"iexplore.exe")
p = Process()
if not p.execute(
path=iexplore, args="\"%s\"" % url, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Internet "
"Explorer process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
free = self.options.get("free", False)
function = self.options.get("function", "DllMain")
arguments = self.options.get("arguments", None)
dll = self.options.get("dll", None)
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
args = "{0},{1}".format(path, function)
if arguments:
args += " {0}".format(arguments)
p = Process()
if not p.execute(path="C:\\WINDOWS\\system32\\rundll32.exe",
args=args,
suspended=suspended):
raise CuckooPackageError("Unable to execute rundll32, "
"analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
java = self.get_path()
if not java:
raise CuckooPackageError("Unable to find any Java executable available")
free = self.options.get("free", False)
class_path = self.options.get("class", None)
suspended = True
if free:
suspended = False
if class_path:
args = '-cp "%s" %s' % (path, class_path)
else:
args = '-jar "%s"' % path
p = Process()
if not p.execute(path=java, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Java process, analysis aborted")
if not free and suspended:
p.inject()
p.resume()
return p.pid
else:
return None
def start(self, path):
java = self.get_path()
if not java:
raise CuckooPackageError("Unable to find any Java "
"executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
class_path = self.options.get("class", None)
suspended = True
if free:
suspended = False
if class_path:
args = "-cp \"%s\" %s" % (path, class_path)
else:
args = "-jar \"%s\"" % path
p = Process()
if not p.execute(path=java, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Java "
"process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
free = self.options.get("free", False)
dll = self.options.get("dll", None)
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
cmd_path = os.path.join(os.getenv("SystemRoot"), "system32", "cmd.exe")
cmd_args = "/c start \"{0}\"".format(path)
p = Process()
if not p.execute(path=cmd_path, args=cmd_args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, "
"analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
p.close()
return p.pid
else:
return None
def execute(self, path, args, mode=None, maximize=False):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param mode: monitor mode - which functions to instrument
@param maximize: whether the GUI should start maximized
@return: process pid
"""
dll = self.options.get("dll")
free = self.options.get("free")
source = self.options.get("from")
# Setup pre-defined registry keys.
self.init_regkeys(self.REGKEYS)
p = Process()
if not p.execute(path=path,
args=args,
dll=dll,
free=free,
curdir=self.curdir,
source=source,
mode=mode,
maximize=maximize):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
return p.pid
def start(self, path):
free = self.options.get("free", False)
args = self.options.get("arguments", None)
dll = self.options.get("dll", None)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, "
"analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
self.run_ie()
p.close()
return p.pid
else:
self.run_ie()
return None
def start(self, path):
root = os.environ["TEMP"]
with ZipFile(path, "r") as archive:
try:
archive.extractall(root)
except BadZipfile as e:
raise CuckooPackageError("Invalid Zip file")
except RuntimeError:
try:
archive.extractall(path=root, pwd="infected")
except RuntimeError as e:
raise CuckooPackageError("Unable to extract Zip file, unknown password?")
file_path = os.path.join(root, self.options.get("file", "sample.exe"))
free = self.options.get("free", False)
args = self.options.get("arguments", None)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=file_path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, analysis aborted")
if not free and suspended:
p.inject()
p.resume()
return p.pid
else:
return None
def execute(self, path, args):
p = Process()
if not p.execute(path=path, args=args, suspended=True):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
return p.pid
def start(self, path):
powershell = self.get_path()
if not powershell:
raise CuckooPackageError("Unable to find any PowerShell executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
args = "-NoProfile -ExecutionPolicy unrestricted -File \"{0}\"".format(path)
p = Process()
if not p.execute(path=powershell, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial PowerShell process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
java = self.get_path()
if not java:
raise CuckooPackageError("Unable to find any Java "
"executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
class_path = self.options.get("class", None)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
if class_path:
args = "-cp \"%s\" %s" % (path, class_path)
else:
args = "-jar \"%s\"" % path
p = Process()
if not p.execute(path=java, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Java "
"process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
browser = self.get_path()
if not browser:
raise CuckooPackageError("Unable to find any browser "
"executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
class_name = self.options.get("class", None)
suspended = True
if free:
suspended = False
html_path = self.make_html(path, class_name)
p = Process()
if not p.execute(path=browser, args="\"%s\"" % html_path, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Internet "
"Explorer process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
free = self.options.get("free", False)
dll = self.options.get("dll", None)
suspended = True
if free:
suspended = False
if os.getenv("ProgramFiles(x86)"):
iex86 = os.path.join(os.getenv("ProgramFiles(x86)"), "Internet Explorer", "iexplore.exe")
else:
iex86 = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe")
ie32 = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe")
if os.path.exists(iex86):
iexplore = iex86
else:
iexplore = ie32
p = Process()
if not p.execute(path=iexplore, args="\"%s\"" % path, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Internet "
"Explorer process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
browser = self.get_path()
if not browser:
raise CuckooPackageError("Unable to find any browser "
"executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
class_name = self.options.get("class", None)
suspended = True
if free:
suspended = False
html_path = self.make_html(path, class_name)
p = Process()
if not p.execute(
path=browser, args="\"%s\"" % html_path, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Internet "
"Explorer process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
free = self.options.get("free", False)
dll = self.options.get("dll", None)
suspended = True
if free:
suspended = False
if os.getenv("ProgramFiles(x86)"):
iex86 = os.path.join(os.getenv("ProgramFiles(x86)"),
"Internet Explorer", "iexplore.exe")
else:
iex86 = os.path.join(os.getenv("ProgramFiles"),
"Internet Explorer", "iexplore.exe")
ie32 = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer",
"iexplore.exe")
if os.path.exists(iex86):
iexplore = iex86
else:
iexplore = ie32
p = Process()
if not p.execute(
path=iexplore, args="\"%s\"" % path, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Internet "
"Explorer process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
excel = self.get_path()
if not excel:
raise CuckooPackageError("Unable to find any Microsoft " "Office Excel executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=excel, args='"%s"' % path, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Microsoft " "Office Excel process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, url):
free = self.options.get("free", False)
dll = self.options.get("dll", None)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
iexplore = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe")
p = Process()
if not p.execute(path=iexplore, args="\"%s\"" % url, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Internet "
"Explorer process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def execute(self, path, args, interest):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param interest: file of interest, passed to the cuckoomon config
@return: process pid
"""
dll = self.options.get("dll")
free = self.options.get("free")
suspended = True
if free:
suspended = False
kernel_analysis = self.options.get("kernel_analysis", False)
if kernel_analysis != False:
kernel_analysis = True
p = Process()
if not p.execute(path=path, args=args, suspended=suspended, kernel_analysis=kernel_analysis):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
if free:
return None
if not kernel_analysis:
p.inject(dll, interest)
p.resume()
p.close()
return p.pid
def execute(self, path, args, interest):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param interest: file of interest, passed to the cuckoomon config
@return: process pid
"""
free = self.options.get("free", False)
suspended = not free
kernel_analysis = bool(self.options.get("kernel_analysis", False))
p = Process(options=self.options, config=self.config)
if not p.execute(path=path,
args=args,
suspended=suspended,
kernel_analysis=kernel_analysis):
raise CuckooPackageError(
"Unable to execute the initial process, analysis aborted")
if free:
return None
if not kernel_analysis:
p.inject(INJECT_QUEUEUSERAPC, interest)
p.resume()
p.close()
return p.pid
def execute(self, path, args):
p = Process()
if not p.execute(path=path, args=args, suspended=True):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
return p.pid
def start(self, path):
control = self.get_path()
if not control:
raise CuckooPackageError("Unable to find any control.exe "
"executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=control, args="\"%s\"" % path,
suspended=suspended):
raise CuckooPackageError("Unable to execute initial Control "
"process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def debug(self, path, args, interest):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param interest: file of interest, passed to the cuckoomon config
@return: process pid
"""
dll = self.options.get("dll")
dll_64 = self.options.get("dll_64")
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
p = Process(options=self.options, config=self.config)
if not p.execute(
path=path, args=args, suspended=suspended,
kernel_analysis=False):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
is_64bit = p.is_64bit()
if is_64bit:
p.debug_inject(dll_64, interest, childprocess=False)
else:
p.debug_inject(dll, interest, childprocess=False)
p.resume()
p.close()
return p.pid
def start(self, path):
free = self.options.get("free", False)
function = self.options.get("function", "DllMain")
arguments = self.options.get("arguments", None)
suspended = True
if free:
suspended = False
if not path.endswith('.cpl'):
args = "{0},{1}".format(path, function)
if arguments:
args += " {0}".format(arguments)
exe_path = "C:\\WINDOWS\\system32\\rundll32.exe"
else:
args = "{0}".format(path)
if arguments:
args += " {0}".format(arguments)
exe_path = "C:\\WINDOWS\\system32\\control.exe"
log.info("starting DLL with: %s" % (args))
p = Process()
#if not p.execute(path="C:\\WINDOWS\\system32\\rundll32.exe", args=args, suspended=suspended):
if not p.execute(path=exe_path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute rundll32, analysis aborted")
if not free and suspended:
p.inject()
p.resume()
return p.pid
else:
return None