    def start(self, path):
        """Launch the Java sample at *path* with the discovered JVM.
        @param path: jar file (default), or the class-path root when the
            "class" option names the class to run
        @return: pid of the Java process, or None in "free" mode
        @raise CuckooPackageError: no Java executable found, or the
            process could not be created
        """
        java = self.get_path()
        if not java:
            raise CuckooPackageError("Unable to find any Java "
                                     "executable available")

        options = self.options
        dll = options.get("dll", None)
        free = options.get("free", False)
        class_path = options.get("class", None)
        gw = options.get("setgw", None)

        net_utils = Utils()
        if gw:
            net_utils.set_default_gw(gw)

        # "free" mode runs the sample unmonitored, so it is not created
        # suspended (nothing will be injected into it).
        suspended = not free

        if class_path:
            args = "-cp \"%s\" %s" % (path, class_path)
        else:
            args = "-jar \"%s\"" % path

        proc = Process()
        if not proc.execute(path=java, args=args, suspended=suspended):
            raise CuckooPackageError("Unable to execute initial Java "
                                     "process, analysis aborted")

        if free:
            return None

        # Monitored run: inject the DLL into the suspended process, then
        # let it run.
        proc.inject(dll)
        proc.resume()
        return proc.pid
    def start(self, path):
        """Wrap *path* in an HTML page (make_html) and open it in the browser.
        @param path: sample the generated page refers to
        @return: pid of the browser process, or None in "free" mode
        @raise CuckooPackageError: no browser found, or process not created
        """
        browser = self.get_path()
        if not browser:
            raise CuckooPackageError("Unable to find any browser "
                                     "executable available")

        opts = self.options
        dll = opts.get("dll", None)
        free = opts.get("free", False)
        class_name = opts.get("class", None)
        gw = opts.get("setgw", None)

        net = Utils()
        if gw:
            net.set_default_gw(gw)

        suspended = False if free else True

        # The browser is pointed at a generated page, not at the sample.
        html_path = self.make_html(path, class_name)
        browser_args = "\"%s\"" % html_path

        proc = Process()
        if not proc.execute(path=browser, args=browser_args,
                            suspended=suspended):
            raise CuckooPackageError("Unable to execute initial Internet "
                                     "Explorer process, analysis aborted")

        if free:
            return None

        proc.inject(dll)
        proc.resume()
        return proc.pid
    def start(self, path):
        """Run a Java sample: "java -jar path", or "java -cp path class".
        @param path: jar file, or class-path root when "class" is set
        @return: pid of the Java process, or None in "free" mode
        @raise CuckooPackageError: no Java found, or process not created
        """
        java = self.get_path()
        if not java:
            raise CuckooPackageError("Unable to find any Java "
                                     "executable available")

        dll = self.options.get("dll", None)
        free = self.options.get("free", False)
        class_path = self.options.get("class", None)
        gw = self.options.get("setgw", None)

        helper = Utils()
        if gw:
            helper.set_default_gw(gw)

        # Unmonitored ("free") runs are started immediately; monitored runs
        # start suspended so the DLL can be injected first.
        suspended = False if free else True

        java_args = (
            "-cp \"%s\" %s" % (path, class_path)
            if class_path
            else "-jar \"%s\"" % path
        )

        proc = Process()
        started = proc.execute(path=java, args=java_args, suspended=suspended)
        if not started:
            raise CuckooPackageError("Unable to execute initial Java "
                                     "process, analysis aborted")

        if free:
            return None

        proc.inject(dll)
        proc.resume()
        return proc.pid
    def debug(self, path, args, interest):
        """Starts an executable for analysis through the debug-inject path.
        @param path: executable path
        @param args: executable arguments
        @param interest: file of interest, passed to the cuckoomon config
        @return: process pid
        @raise CuckooPackageError: if the process cannot be created
        """
        dll = self.options.get("dll")
        dll_64 = self.options.get("dll_64")
        gw = self.options.get("setgw", None)

        helper = Utils()
        if gw:
            helper.set_default_gw(gw)

        # Always created suspended: the DLL goes in before any sample code runs.
        proc = Process(options=self.options, config=self.config)
        started = proc.execute(path=path, args=args, suspended=True,
                               kernel_analysis=False)
        if not started:
            raise CuckooPackageError("Unable to execute the initial process, "
                                     "analysis aborted.")

        # Choose the DLL that matches the target's bitness.
        monitor = dll_64 if proc.is_64bit() else dll
        proc.debug_inject(monitor, interest, childprocess=False)
        proc.resume()
        proc.close()

        return proc.pid
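    def start(self, path):
        """Open *path* with its registered handler via "cmd.exe /c start".
        @param path: file to open
        @return: pid of the cmd.exe process, or None in "free" mode
        @raise CuckooPackageError: SystemRoot unset, or cmd.exe not started
        """
        free = self.options.get("free", False)
        dll = self.options.get("dll", None)
        gw = self.options.get("setgw", None)

        u = Utils()
        if gw:
            u.set_default_gw(gw)

        suspended = True
        if free:
            suspended = False

        system_root = os.getenv("SystemRoot")
        if not system_root:
            # os.path.join(None, ...) would raise a TypeError; report it as a
            # package error like every other failure in this method.
            raise CuckooPackageError("SystemRoot environment variable is "
                                     "not set, analysis aborted")
        cmd_path = os.path.join(system_root, "system32", "cmd.exe")
        # "start" treats its first quoted argument as the window title, so a
        # quoted path on its own only opened an empty console; the explicit
        # empty "" title makes the path the command to run.
        cmd_args = "/c start \"\" \"{0}\"".format(path)

        p = Process()
        if not p.execute(path=cmd_path, args=cmd_args, suspended=suspended):
            raise CuckooPackageError("Unable to execute initial process, "
                                     "analysis aborted")

        if not free and suspended:
            # Monitored run: inject into the suspended cmd.exe, then resume.
            # NOTE(review): the pid returned is cmd.exe's; the handler
            # process is its child -- confirm the monitor follows children.
            p.inject(dll)
            p.resume()
            p.close()
            return p.pid
        else:
            return None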
    def start(self, path):
        """Run the PowerShell script at *path*.
        @param path: script file passed to "-File"
        @return: pid of the PowerShell process, or None in "free" mode
        @raise CuckooPackageError: no PowerShell found, or process not created
        """
        powershell = self.get_path()
        if not powershell:
            raise CuckooPackageError("Unable to find any PowerShell executable available")

        opts = self.options
        dll = opts.get("dll", None)
        free = opts.get("free", False)
        gw = opts.get("setgw", None)

        net = Utils()
        if gw:
            net.set_default_gw(gw)

        suspended = not free

        # Profile scripts are skipped and the execution policy relaxed so the
        # sample script itself is what runs.
        ps_args = "-NoProfile -ExecutionPolicy unrestricted -File \"{0}\"".format(path)

        proc = Process()
        if not proc.execute(path=powershell, args=ps_args, suspended=suspended):
            raise CuckooPackageError("Unable to execute initial PowerShell process, analysis aborted")

        if free:
            return None

        proc.inject(dll)
        proc.resume()
        return proc.pid
    def start(self, path):
        """Run the executable at *path*, then bring up IE through run_ie().
        @param path: executable to run
        @return: pid of the sample process, or None in "free" mode
        @raise CuckooPackageError: if the sample process cannot be created
        """
        opts = self.options
        free = opts.get("free", False)
        args = opts.get("arguments", None)
        dll = opts.get("dll", None)
        gw = opts.get("setgw", None)

        net = Utils()
        if gw:
            net.set_default_gw(gw)

        suspended = False if free else True

        proc = Process()
        if not proc.execute(path=path, args=args, suspended=suspended):
            raise CuckooPackageError("Unable to execute initial process, "
                                     "analysis aborted")

        if free:
            # Unmonitored run: only launch IE alongside the sample.
            self.run_ie()
            return None

        proc.inject(dll)
        proc.resume()
        self.run_ie()
        proc.close()
        return proc.pid
    def start(self, path):
        """Open the document at *path* in Microsoft Word.
        @param path: document handed to Word as its only argument
        @return: pid of the Word process, or None in "free" mode
        @raise CuckooPackageError: no Word found, or process not created
        """
        word = self.get_path()
        if not word:
            raise CuckooPackageError("Unable to find any Microsoft "
                                     "Office Word executable available")

        options = self.options
        dll = options.get("dll", None)
        free = options.get("free", False)
        gw = options.get("setgw", None)

        helper = Utils()
        if gw:
            helper.set_default_gw(gw)

        suspended = not free
        word_args = "\"%s\"" % path

        proc = Process()
        started = proc.execute(path=word, args=word_args, suspended=suspended)
        if not started:
            raise CuckooPackageError("Unable to execute initial Microsoft "
                                     "Office Word process, analysis aborted")

        if free:
            return None

        proc.inject(dll)
        proc.resume()
        return proc.pid
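    def start(self, path):
        """Load the DLL at *path* through rundll32.exe and call *function*.
        @param path: DLL to load
        @return: pid of the rundll32 process, or None in "free" mode
        @raise CuckooPackageError: if rundll32 cannot be started
        """
        import os  # local import: this module may not import os at file level

        free = self.options.get("free", False)
        function = self.options.get("function", "DllMain")
        arguments = self.options.get("arguments", None)
        dll = self.options.get("dll", None)
        gw = self.options.get("setgw", None)

        u = Utils()
        if gw:
            u.set_default_gw(gw)

        suspended = True
        if free:
            suspended = False

        # rundll32 takes "<dll>,<export>" followed by optional arguments.
        args = "{0},{1}".format(path, function)
        if arguments:
            args += " {0}".format(arguments)

        # Resolve rundll32 from SystemRoot instead of a hard-coded drive and
        # directory; the fallback reproduces the previous fixed path.
        rundll32 = os.path.join(os.getenv("SystemRoot", "C:\\WINDOWS"),
                                "system32", "rundll32.exe")

        p = Process()
        if not p.execute(path=rundll32, args=args, suspended=suspended):
            raise CuckooPackageError("Unable to execute rundll32, " "analysis aborted")

        if not free and suspended:
            # Monitored run: inject into the suspended host, then resume.
            p.inject(dll)
            p.resume()
            return p.pid
        else:
            return None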
    def start(self, path):
        """Generate an HTML page for *path* (make_html) and open it in the browser.
        @param path: sample the generated page refers to
        @return: pid of the browser process, or None in "free" mode
        @raise CuckooPackageError: no browser found, or process not created
        """
        browser = self.get_path()
        if not browser:
            raise CuckooPackageError("Unable to find any browser "
                                     "executable available")

        dll = self.options.get("dll", None)
        free = self.options.get("free", False)
        class_name = self.options.get("class", None)
        gw = self.options.get("setgw", None)

        helper = Utils()
        if gw:
            helper.set_default_gw(gw)

        # Monitored runs start suspended so the DLL can be injected first.
        suspended = not free

        page = self.make_html(path, class_name)

        proc = Process()
        started = proc.execute(path=browser, args="\"%s\"" % page,
                               suspended=suspended)
        if not started:
            raise CuckooPackageError("Unable to execute initial Internet "
                                     "Explorer process, analysis aborted")

        if free:
            return None

        proc.inject(dll)
        proc.resume()
        return proc.pid
    def start(self, path):
        """Run the script at *path* with the Windows Script Host (wscript).
        @param path: script file handed to wscript as its only argument
        @return: pid of the wscript process, or None in "free" mode
        @raise CuckooPackageError: no wscript found, or process not created
        """
        wscript = self.get_path()
        if not wscript:
            raise CuckooPackageError("Unable to find any WScript "
                                     "executable available")

        opts = self.options
        dll = opts.get("dll", None)
        free = opts.get("free", False)
        gw = opts.get("setgw", None)

        net = Utils()
        if gw:
            net.set_default_gw(gw)

        suspended = False if free else True
        script_args = "\"{0}\"".format(path)

        proc = Process()
        if not proc.execute(path=wscript, args=script_args,
                            suspended=suspended):
            raise CuckooPackageError("Unable to execute initial WScript "
                                     "process, analysis aborted")

        if free:
            return None

        proc.inject(dll)
        proc.resume()
        return proc.pid
    def start(self, path):
        """Run the PowerShell script at *path*.
        @param path: script file passed to "-File"
        @return: pid of the PowerShell process, or None in "free" mode
        @raise CuckooPackageError: no PowerShell found, or process not created
        """
        powershell = self.get_path()
        if not powershell:
            raise CuckooPackageError(
                "Unable to find any PowerShell executable available")

        options = self.options
        dll = options.get("dll", None)
        free = options.get("free", False)
        gw = options.get("setgw", None)

        helper = Utils()
        if gw:
            helper.set_default_gw(gw)

        suspended = not free

        # No profile scripts and a relaxed execution policy: only the sample
        # script runs.
        ps_args = "-NoProfile -ExecutionPolicy unrestricted -File \"{0}\"".format(
            path)

        proc = Process()
        started = proc.execute(path=powershell, args=ps_args,
                               suspended=suspended)
        if not started:
            raise CuckooPackageError(
                "Unable to execute initial PowerShell process, analysis aborted"
            )

        if free:
            return None

        proc.inject(dll)
        proc.resume()
        return proc.pid
    def start(self, path):
        """Open the Control Panel item at *path* with control.exe.
        @param path: file handed to control.exe as its only argument
        @return: pid of the control.exe process, or None in "free" mode
        @raise CuckooPackageError: no control.exe found, or process not created
        """
        control = self.get_path()
        if not control:
            raise CuckooPackageError("Unable to find any control.exe "
                                     "executable available")

        opts = self.options
        dll = opts.get("dll", None)
        free = opts.get("free", False)
        gw = opts.get("setgw", None)

        net = Utils()
        if gw:
            net.set_default_gw(gw)

        suspended = False if free else True

        proc = Process()
        if not proc.execute(path=control, args="\"%s\"" % path,
                            suspended=suspended):
            raise CuckooPackageError("Unable to execute initial Control "
                                     "process, analysis aborted")

        if free:
            return None

        proc.inject(dll)
        proc.resume()
        return proc.pid
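    def start(self, url):
        """Open *url* in Internet Explorer for analysis.
        @param url: URL handed to iexplore.exe as its only argument
        @return: pid of the IE process, or None in "free" mode
        @raise CuckooPackageError: ProgramFiles unset, or IE not started
        """
        free = self.options.get("free", False)
        dll = self.options.get("dll", None)
        gw = self.options.get("setgw", None)

        u = Utils()
        if gw:
            u.set_default_gw(gw)

        suspended = True
        if free:
            suspended = False

        program_files = os.getenv("ProgramFiles")
        if not program_files:
            # os.path.join(None, ...) would raise a TypeError; report the
            # missing variable as a package error instead.
            raise CuckooPackageError("ProgramFiles environment variable is "
                                     "not set, analysis aborted")
        iexplore = os.path.join(program_files, "Internet Explorer",
                                "iexplore.exe")

        p = Process()
        if not p.execute(
                path=iexplore, args="\"%s\"" % url, suspended=suspended):
            raise CuckooPackageError("Unable to execute initial Internet "
                                     "Explorer process, analysis aborted")

        if not free and suspended:
            # Monitored run: inject into the suspended IE, then resume.
            p.inject(dll)
            p.resume()
            return p.pid
        else:
            return None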
    def start(self, path):
        """Run the executable at *path* with the optional "arguments" option.
        @param path: executable to run
        @return: pid of the sample process, or None in "free" mode
        @raise CuckooPackageError: if the sample process cannot be created
        """
        options = self.options
        free = options.get("free", False)
        args = options.get("arguments", None)
        dll = options.get("dll", None)
        gw = options.get("setgw", None)

        helper = Utils()
        if gw:
            helper.set_default_gw(gw)

        # Monitored runs start suspended so the DLL is injected before the
        # sample executes anything.
        suspended = not free

        proc = Process()
        started = proc.execute(path=path, args=args, suspended=suspended)
        if not started:
            raise CuckooPackageError("Unable to execute initial process, "
                                     "analysis aborted")

        if free:
            return None

        proc.inject(dll)
        proc.resume()
        proc.close()
        return proc.pid
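    def start(self, path):
        """Open *path* with its registered handler via "cmd.exe /c start".
        @param path: file to open
        @return: pid of the cmd.exe process, or None in "free" mode
        @raise CuckooPackageError: SystemRoot unset, or cmd.exe not started
        """
        free = self.options.get("free", False)
        dll = self.options.get("dll", None)
        gw = self.options.get("setgw", None)

        u = Utils()
        if gw:
            u.set_default_gw(gw)

        suspended = True
        if free:
            suspended = False

        system_root = os.getenv("SystemRoot")
        if not system_root:
            # os.path.join(None, ...) would raise a TypeError; report it as a
            # package error like every other failure in this method.
            raise CuckooPackageError("SystemRoot environment variable is "
                                     "not set, analysis aborted")
        cmd_path = os.path.join(system_root, "system32", "cmd.exe")
        # "start" treats its first quoted argument as the window title, so a
        # quoted path on its own only opened an empty console; the explicit
        # empty "" title makes the path the command to run.
        cmd_args = "/c start \"\" \"{0}\"".format(path)

        p = Process()
        if not p.execute(path=cmd_path, args=cmd_args, suspended=suspended):
            raise CuckooPackageError("Unable to execute initial process, "
                                     "analysis aborted")

        if not free and suspended:
            # Monitored run: inject into the suspended cmd.exe, then resume.
            # NOTE(review): the pid returned is cmd.exe's; the handler
            # process is its child -- confirm the monitor follows children.
            p.inject(dll)
            p.resume()
            p.close()
            return p.pid
        else:
            return None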
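    def start(self, path):
        """Load the DLL at *path* through rundll32.exe and call *function*.
        @param path: DLL to load
        @return: pid of the rundll32 process, or None in "free" mode
        @raise CuckooPackageError: if rundll32 cannot be started
        """
        import os  # local import: this module may not import os at file level

        free = self.options.get("free", False)
        function = self.options.get("function", "DllMain")
        arguments = self.options.get("arguments", None)
        dll = self.options.get("dll", None)
        gw = self.options.get("setgw", None)

        u = Utils()
        if gw:
            u.set_default_gw(gw)

        suspended = True
        if free:
            suspended = False

        # rundll32 takes "<dll>,<export>" followed by optional arguments.
        args = "{0},{1}".format(path, function)
        if arguments:
            args += " {0}".format(arguments)

        # Resolve rundll32 from SystemRoot instead of a hard-coded drive and
        # directory; the fallback reproduces the previous fixed path.
        rundll32 = os.path.join(os.getenv("SystemRoot", "C:\\WINDOWS"),
                                "system32", "rundll32.exe")

        p = Process()
        if not p.execute(path=rundll32,
                         args=args,
                         suspended=suspended):
            raise CuckooPackageError("Unable to execute rundll32, "
                                     "analysis aborted")

        if not free and suspended:
            # Monitored run: inject into the suspended host, then resume.
            p.inject(dll)
            p.resume()
            return p.pid
        else:
            return None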
    def start(self, path):
        """Run the script at *path* with the Windows Script Host (wscript).
        @param path: script file handed to wscript as its only argument
        @return: pid of the wscript process, or None in "free" mode
        @raise CuckooPackageError: no wscript found, or process not created
        """
        wscript = self.get_path()
        if not wscript:
            raise CuckooPackageError("Unable to find any WScript "
                                     "executable available")

        options = self.options
        dll = options.get("dll", None)
        free = options.get("free", False)
        gw = options.get("setgw", None)

        helper = Utils()
        if gw:
            helper.set_default_gw(gw)

        suspended = not free
        script_args = "\"{0}\"".format(path)

        proc = Process()
        started = proc.execute(path=wscript, args=script_args,
                               suspended=suspended)
        if not started:
            raise CuckooPackageError("Unable to execute initial WScript "
                                     "process, analysis aborted")

        if free:
            return None

        proc.inject(dll)
        proc.resume()
        return proc.pid
    def start(self, path):
        """Open the workbook at *path* in Microsoft Excel.
        @param path: workbook handed to Excel as its only argument
        @return: pid of the Excel process, or None in "free" mode
        @raise CuckooPackageError: no Excel found, or process not created
        """
        excel = self.get_path()
        if not excel:
            raise CuckooPackageError("Unable to find any Microsoft " "Office Excel executable available")

        opts = self.options
        dll = opts.get("dll", None)
        free = opts.get("free", False)
        gw = opts.get("setgw", None)

        net = Utils()
        if gw:
            net.set_default_gw(gw)

        suspended = False if free else True
        excel_args = '"%s"' % path

        proc = Process()
        if not proc.execute(path=excel, args=excel_args, suspended=suspended):
            raise CuckooPackageError("Unable to execute initial Microsoft " "Office Excel process, analysis aborted")

        if free:
            return None

        proc.inject(dll)
        proc.resume()
        return proc.pid
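    def start(self, url):
        """Open *url* in Internet Explorer for analysis.
        @param url: URL handed to iexplore.exe as its only argument
        @return: pid of the IE process, or None in "free" mode
        @raise CuckooPackageError: ProgramFiles unset, or IE not started
        """
        free = self.options.get("free", False)
        dll = self.options.get("dll", None)
        gw = self.options.get("setgw", None)

        u = Utils()
        if gw:
            u.set_default_gw(gw)

        suspended = True
        if free:
            suspended = False

        program_files = os.getenv("ProgramFiles")
        if not program_files:
            # os.path.join(None, ...) would raise a TypeError; report the
            # missing variable as a package error instead.
            raise CuckooPackageError("ProgramFiles environment variable is "
                                     "not set, analysis aborted")
        iexplore = os.path.join(program_files, "Internet Explorer", "iexplore.exe")

        p = Process()
        if not p.execute(path=iexplore, args="\"%s\"" % url, suspended=suspended):
            raise CuckooPackageError("Unable to execute initial Internet "
                                     "Explorer process, analysis aborted")

        if not free and suspended:
            # Monitored run: inject into the suspended IE, then resume.
            p.inject(dll)
            p.resume()
            return p.pid
        else:
            return None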
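    def start(self, path):
        """Extract the Zip archive at *path* into %TEMP% and run one entry.
        @param path: Zip archive to analyze
        @return: pid of the started process, or None in "free" mode
        @raise CuckooPackageError: corrupt archive, extraction failure, or
            process creation failure
        """
        root = os.environ["TEMP"]
        password = self.options.get("password", None)
        default_file_name = "sample.exe"

        try:
            with ZipFile(path, "r") as archive:
                zipinfos = archive.infolist()
                try:
                    archive.extractall(path=root, pwd=password)
                except RuntimeError:
                    # Extraction failed (typically a wrong or missing password):
                    # retry with the conventional "infected" password.
                    password = self.options.get("password", "infected")
                    try:
                        archive.extractall(path=root, pwd=password)
                    except RuntimeError as e:
                        raise CuckooPackageError("Unable to extract Zip file: "
                                                 "{0}".format(e))
        except BadZipfile:
            # ZipFile() itself raises BadZipfile on a corrupt archive; the
            # previous try only wrapped extractall(), so that case escaped.
            raise CuckooPackageError("Invalid Zip file")
        # NOTE(review): extractall() relies on the zipfile module's own
        # member-path sanitisation against "../" entries -- confirm the guest
        # Python version provides it.

        file_name = self.options.get("file", default_file_name)
        if file_name == default_file_name:
            # No name provided: use the first entry that is not a directory
            # (directory entries end with "/" and cannot be executed).
            for info in zipinfos:
                if not info.filename.endswith("/"):
                    file_name = info.filename
                    break

        file_path = os.path.join(root, file_name)

        dll = self.options.get("dll", None)
        free = self.options.get("free", False)
        args = self.options.get("arguments", None)
        gw = self.options.get("setgw", None)

        u = Utils()
        if gw:
            u.set_default_gw(gw)

        suspended = True
        if free:
            suspended = False

        p = Process()
        if not p.execute(path=file_path, args=args, suspended=suspended):
            raise CuckooPackageError("Unable to execute initial process, "
                                     "analysis aborted")

        if not free and suspended:
            # Monitored run: inject into the suspended process, then resume.
            p.inject(dll)
            p.resume()
            return p.pid
        else:
            return None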
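    def start(self, path):
        """Run the shellcode file at *path* through the bundled execsc.exe loader.
        @param path: shellcode file, passed verbatim as the loader argument
        @return: pid of the loader process
        @raise CuckooPackageError: if the loader process cannot be created
            (CuckooPackageError is the error type the other packages use;
            make sure this module imports it)
        """
        gw = self.options.get("setgw", None)

        u = Utils()
        if gw:
            u.set_default_gw(gw)

        dll = self.options.get("dll")

        p = Process()
        # The result of execute() was ignored, so a failed launch went on to
        # inject into a process that never existed; fail loudly instead.
        # NOTE(review): "bin/execsc.exe" is relative to the current working
        # directory -- confirm the analyzer runs from its own root.
        if not p.execute(path="bin/execsc.exe", args=path, suspended=True):
            raise CuckooPackageError("Unable to execute initial execsc "
                                     "process, analysis aborted")
        # Always monitored: inject into the suspended loader, then resume.
        p.inject(dll)
        p.resume()

        return p.pid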
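    def start(self, path):
        """Extract the Zip archive at *path* into %TEMP% and run one entry.
        @param path: Zip archive to analyze
        @return: pid of the started process, or None in "free" mode
        @raise CuckooPackageError: corrupt archive, extraction failure, or
            process creation failure
        """
        root = os.environ["TEMP"]
        password = self.options.get("password", None)
        default_file_name = "sample.exe"

        try:
            with ZipFile(path, "r") as archive:
                zipinfos = archive.infolist()
                try:
                    archive.extractall(path=root, pwd=password)
                except RuntimeError:
                    # Extraction failed (typically a wrong or missing password):
                    # retry with the conventional "infected" password.
                    password = self.options.get("password", "infected")
                    try:
                        archive.extractall(path=root, pwd=password)
                    except RuntimeError as e:
                        raise CuckooPackageError("Unable to extract Zip file: " "{0}".format(e))
        except BadZipfile:
            # ZipFile() itself raises BadZipfile on a corrupt archive; the
            # previous try only wrapped extractall(), so that case escaped.
            raise CuckooPackageError("Invalid Zip file")
        # NOTE(review): extractall() relies on the zipfile module's own
        # member-path sanitisation against "../" entries -- confirm the guest
        # Python version provides it.

        file_name = self.options.get("file", default_file_name)
        if file_name == default_file_name:
            # No name provided: use the first entry that is not a directory
            # (directory entries end with "/" and cannot be executed).
            for info in zipinfos:
                if not info.filename.endswith("/"):
                    file_name = info.filename
                    break

        file_path = os.path.join(root, file_name)

        dll = self.options.get("dll", None)
        free = self.options.get("free", False)
        args = self.options.get("arguments", None)
        gw = self.options.get("setgw", None)

        u = Utils()
        if gw:
            u.set_default_gw(gw)

        suspended = True
        if free:
            suspended = False

        p = Process()
        if not p.execute(path=file_path, args=args, suspended=suspended):
            raise CuckooPackageError("Unable to execute initial process, " "analysis aborted")

        if not free and suspended:
            # Monitored run: inject into the suspended process, then resume.
            p.inject(dll)
            p.resume()
            return p.pid
        else:
            return None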
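    def start(self, path):
        """Run the shellcode file at *path* through the bundled execsc.exe loader.
        @param path: shellcode file, passed verbatim as the loader argument
        @return: pid of the loader process
        @raise CuckooPackageError: if the loader process cannot be created
            (CuckooPackageError is the error type the other packages use;
            make sure this module imports it)
        """
        gw = self.options.get("setgw", None)

        u = Utils()
        if gw:
            u.set_default_gw(gw)

        dll = self.options.get("dll")

        p = Process()
        # The result of execute() was ignored, so a failed launch went on to
        # inject into a process that never existed; fail loudly instead.
        # NOTE(review): "bin/execsc.exe" is relative to the current working
        # directory -- confirm the analyzer runs from its own root.
        if not p.execute(path="bin/execsc.exe", args=path, suspended=True):
            raise CuckooPackageError("Unable to execute initial execsc "
                                     "process, analysis aborted")
        # Always monitored: inject into the suspended loader, then resume.
        p.inject(dll)
        p.resume()

        return p.pid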
    def execute(self, path, args, interest):
        """Starts an executable for analysis.
        @param path: executable path
        @param args: executable arguments
        @param interest: file of interest, passed to the cuckoomon config
        @return: process pid, or None in "free" mode
        @raise CuckooPackageError: if the process cannot be created
        """
        opts = self.options
        dll = opts.get("dll")
        dll_64 = opts.get("dll_64")
        free = opts.get("free")
        gw = opts.get("setgw", None)

        net = Utils()
        if gw:
            net.set_default_gw(gw)

        suspended = False if free else True

        # Any value other than False (e.g. "yes" or 1) enables kernel analysis.
        kernel_analysis = opts.get("kernel_analysis", False)
        if kernel_analysis != False:
            kernel_analysis = True

        proc = Process(options=opts, config=self.config)
        started = proc.execute(path=path, args=args, suspended=suspended,
                               kernel_analysis=kernel_analysis)
        if not started:
            raise CuckooPackageError("Unable to execute the initial process, "
                                     "analysis aborted.")

        if free:
            return None

        is_64bit = proc.is_64bit()

        if not kernel_analysis:
            # User-mode monitoring: inject the DLL matching the target bitness.
            monitor = dll_64 if is_64bit else dll
            proc.inject(monitor, INJECT_QUEUEUSERAPC, interest)
        proc.resume()
        proc.close()

        return proc.pid
    def execute(self, path, args, interest):
        """Starts an executable for analysis.
        @param path: executable path
        @param args: executable arguments
        @param interest: file of interest, passed to the cuckoomon config
        @return: process pid, or None in "free" mode
        @raise CuckooPackageError: if the process cannot be created
        """
        options = self.options
        dll = options.get("dll")
        free = options.get("free")
        gw = options.get("setgw", None)

        helper = Utils()
        if gw:
            helper.set_default_gw(gw)

        suspended = not free

        # Any value other than False (e.g. "yes" or 1) enables kernel analysis.
        kernel_analysis = options.get("kernel_analysis", False)
        if kernel_analysis != False:
            kernel_analysis = True

        proc = Process()
        started = proc.execute(path=path, args=args, suspended=suspended,
                               kernel_analysis=kernel_analysis)
        if not started:
            raise CuckooPackageError("Unable to execute the initial process, "
                                     "analysis aborted.")

        if free:
            return None

        if not kernel_analysis:
            # User-mode monitoring only: the kernel driver path needs no DLL.
            proc.inject(dll, interest)
        proc.resume()
        proc.close()

        return proc.pid