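def patch_acpi(self):
    """Scrub VirtualBox vendor strings from the cached ACPI/SMBIOS data.

    Malware commonly reads the mssmbios data blobs and the HARDWARE\\ACPI
    table keys to recognise a sandbox; rewriting them makes the guest look
    like a Lenovo machine instead.

    NOTE(review): several substitutions below change the length of the
    blob (e.g. "innotek GmbH" -> ""), and the result is written back as
    REG_BINARY. SMBIOS/ACPI structures carry explicit length fields, so a
    shortened blob may be left internally inconsistent -- the original
    author's TODO ("should be improved") still stands.
    """
    # TODO This should be improved, but for now may suffice.
    # Ordered list rather than a dict so the replacement sequence is fixed;
    # none of the patterns overlap, so the order does not affect the result.
    keywords = [
        ("VBOX", "LNVO"),
        ("vbox", "lnvo"),
        ("VirtualBox", "LENOVOTP"),
        ("innotek GmbH", ""),
    ]

    # Both the current and the first control set are patched so the change
    # survives whichever set Windows resolves at boot.
    regkeys = [
        ("SYSTEM\\CurrentControlSet\\Services\\mssmbios\\Data", "AcpiData"),
        ("SYSTEM\\ControlSet001\\Services\\mssmbios\\Data", "AcpiData"),
        ("SYSTEM\\CurrentControlSet\\Services\\mssmbios\\Data", "SMBiosData"),
        ("SYSTEM\\ControlSet001\\Services\\mssmbios\\Data", "SMBiosData"),
    ]

    for regkey, key in regkeys:
        value = query_value(HKEY_LOCAL_MACHINE, regkey, key)
        if value is None:
            # Value absent on this system; nothing to rewrite.
            continue
        for old, new in keywords:
            value = value.replace(old, new)
        set_regkey(HKEY_LOCAL_MACHINE, regkey, key, REG_BINARY, value)

    # Rename each ACPI table key only if it exists. Previously all three
    # renames were guarded by the DSDT check alone, so a system with a
    # VBOX__ entry under FADT/RSDT but not DSDT was skipped, and a missing
    # FADT/RSDT entry was renamed unconditionally.
    for table in ("DSDT", "FADT", "RSDT"):
        vbox_key = "HARDWARE\\ACPI\\%s\\VBOX__" % table
        if regkey_exists(HKEY_LOCAL_MACHINE, vbox_key):
            rename_regkey(HKEY_LOCAL_MACHINE, vbox_key, "LENOVO")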
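def patch_scsi_identifiers(self):
    """Replace hypervisor-branded SCSI device identifiers.

    Walks every Scsi Port/Bus/Target Id/Logical Unit Id combination in
    0..3 under HARDWARE\\DEVICEMAP\\Scsi. When a device's Identifier
    mentions vbox, vmware, qemu or virtual it is replaced by a plausible
    entry from HDD_IDENTIFIERS or CDROM_IDENTIFIERS according to the
    device Type; unknown types get a random string of the same length.
    """
    types = {
        "DiskPeripheral": self.HDD_IDENTIFIERS,
        "CdRomPeripheral": self.CDROM_IDENTIFIERS,
    }
    markers = ("vbox", "vmware", "qemu", "virtual")
    # The same path was previously spelled out three times; build it once
    # per slot so the format cannot drift between the read and the write.
    path_fmt = (
        "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port %d\\Scsi Bus %d\\"
        "Target Id %d\\Logical Unit Id %d"
    )

    for row in itertools.product(range(4), repeat=4):
        regkey = path_fmt % row
        type_ = query_value(HKEY_LOCAL_MACHINE, regkey, "Type")
        if not type_:
            # Empty slot; skip the second registry read entirely.
            continue
        value = query_value(HKEY_LOCAL_MACHINE, regkey, "Identifier")
        if not value:
            continue

        value = value.lower()
        if not any(marker in value for marker in markers):
            continue

        if type_ in types:
            new_value = random.choice(types[type_])
        else:
            log.warning(
                "Unknown SCSI type (%s), disguising it with a random string",
                type_
            )
            new_value = random_string(len(value))

        set_regkey(HKEY_LOCAL_MACHINE, regkey, "Identifier", REG_SZ, new_value)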
def start(self):
    """Launch DbgView.exe to capture kernel debug output for the analysis.

    Does nothing unless the "dbgview" option is set. Raises the
    DebugPrintFilter mask so all debug prints are delivered, then starts
    the tool in kernel-capture mode writing to bin/dbgview.log under the
    analyzer directory. The Popen handle is not retained, so this module
    cannot stop the process itself.
    """
    if not self.options.get("dbgview"):
        return

    # NOTE(review): the binary is looked up relative to the working
    # directory while the log goes under self.analyzer.path; presumably
    # both resolve to the analyzer directory -- confirm.
    binary = os.path.join("bin", "dbgview.exe")
    if not os.path.exists(binary):
        log.error("DbgView.exe not found!")
        return

    # An all-ones mask makes sure all logging makes it into DbgView.
    set_regkey(
        _winreg.HKEY_LOCAL_MACHINE, DebugPrintFilter, "",
        _winreg.REG_DWORD, 0xffffffff
    )

    self.filepath = os.path.join(self.analyzer.path, "bin", "dbgview.log")

    # Accept the EULA, enable Kernel Capture and log to self.filepath.
    command = [binary, "/accepteula", "/t", "/k", "/l", self.filepath]
    subprocess.Popen(command)

    log.info("Successfully started DbgView.")
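def test_setreg():
    """Round-trip a value through set_regkey and the query helpers.

    Uses a fresh random key under HKEY_CURRENT_USER so no existing state is
    touched, and removes that key afterwards so repeated runs do not leave
    an ever-growing set of leftover keys in the registry.
    """
    regkey = random_regkey()
    assert not regkey_exists(_winreg.HKEY_CURRENT_USER, regkey)
    assert query_value(_winreg.HKEY_CURRENT_USER, regkey, "foo") is None

    try:
        set_regkey(
            _winreg.HKEY_CURRENT_USER, regkey, "foo", _winreg.REG_SZ, "bar"
        )
        assert regkey_exists(_winreg.HKEY_CURRENT_USER, regkey)
        assert query_value(_winreg.HKEY_CURRENT_USER, regkey, "foo") == "bar"
    finally:
        # DeleteKey removes only the leaf key created above; any
        # intermediate keys set_regkey may have created are left in place.
        # Guarded so a failure before creation does not mask the assertion.
        if regkey_exists(_winreg.HKEY_CURRENT_USER, regkey):
            _winreg.DeleteKey(_winreg.HKEY_CURRENT_USER, regkey)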
def change_productid(self):
    """Randomizes Windows ProductId.

    The Windows ProductId is occasionally used by malware to detect public
    setups of Cuckoo, e.g., Malwr.com.
    """
    # Segment widths follow the NNNNN-NNN-NNNNNNN-NNNNN layout; the
    # random_integer calls are evaluated left to right.
    segments = (
        random_integer(5),
        random_integer(3),
        random_integer(7),
        random_integer(5),
    )
    product_id = "%s-%s-%s-%s" % segments

    set_regkey(
        HKEY_LOCAL_MACHINE,
        "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
        "ProductId", REG_SZ, product_id
    )
def test_setreg():
    """Check that set_regkey creates a key and its value is readable back.

    A random key under HKEY_CURRENT_USER is used; it must not exist before
    the call and must hold "foo" = "bar" afterwards.
    """
    hive = _winreg.HKEY_CURRENT_USER
    regkey = random_regkey()

    # Precondition: the random key is genuinely fresh.
    assert regkey_exists(hive, regkey) is False
    assert query_value(hive, regkey, "foo") is None

    set_regkey(hive, regkey, "foo", _winreg.REG_SZ, "bar")

    # Postcondition: key exists and the value round-trips.
    assert regkey_exists(hive, regkey)
    assert query_value(hive, regkey, "foo") == "bar"
def patch_processor(self):
    """Rewrite the QEMU CPU name in the CentralProcessor registry entries.

    A ProcessorNameString naming a QEMU virtual CPU gives the hypervisor
    away; for each of the first 32 processor entries that exists, the
    known QEMU string is swapped for a generic Intel name.
    """
    replacements = [
        ("QEMU Virtual CPU version 2.0.0", "Intel(R) Core(TM) i7 CPU @3GHz"),
    ]
    key_fmt = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\%d"

    for cpu in range(32):
        regkey = key_fmt % cpu
        name = query_value(HKEY_LOCAL_MACHINE, regkey, "ProcessorNameString")
        if name is None:
            # No entry for this processor index; nothing to patch.
            continue
        for old, new in replacements:
            name = name.replace(old, new)
        set_regkey(
            HKEY_LOCAL_MACHINE, regkey, "ProcessorNameString", REG_SZ, name
        )
def patch_manufacturer(self):
    """Randomise the BIOS and system vendor strings under SystemInformation.

    These values are a common sandbox fingerprint; each is replaced with a
    random pick from the class's lists of plausible real-hardware values.
    """
    regkey = "SYSTEM\\ControlSet001\\Control\\SystemInformation"
    # List order fixes the sequence of random.choice calls.
    fields = [
        ("BIOSVersion", self.BIOS_VERSIONS),
        ("BIOSReleaseDate", self.SYSTEM_BIOS_DATES),
        ("SystemManufacturer", self.SYSTEM_MANUFACTURERS),
        ("SystemProductName", self.SYSTEM_PRODUCTNAMES),
    ]
    for name, choices in fields:
        set_regkey(
            HKEY_LOCAL_MACHINE, regkey, name, REG_SZ, random.choice(choices)
        )
def patch_bios(self):
    """Randomise the system and video BIOS date/version strings.

    The values under HARDWARE\\DESCRIPTION\\System are replaced with random
    picks from the class's lists; the version values are multi-string
    registry entries, the dates plain strings.
    """
    regkey = "HARDWARE\\DESCRIPTION\\System"
    # (value name, registry type, candidate list); list order fixes the
    # sequence of random.choice calls.
    fields = [
        ("SystemBiosDate", REG_SZ, self.SYSTEM_BIOS_DATES),
        ("SystemBiosVersion", REG_MULTI_SZ, self.SYSTEM_BIOS_VERSIONS),
        ("VideoBiosDate", REG_SZ, self.VIDEO_BIOS_DATES),
        ("VideoBiosVersion", REG_MULTI_SZ, self.VIDEO_BIOS_VERSIONS),
    ]
    for name, reg_type, choices in fields:
        set_regkey(
            HKEY_LOCAL_MACHINE, regkey, name, reg_type, random.choice(choices)
        )
def patch_scsi_identifiers(self):
    """Disguise hypervisor-branded SCSI Identifier values.

    Every Scsi Port/Bus/Target Id/Logical Unit Id slot in 0..3 is probed;
    an Identifier mentioning vbox, vmware, qemu or virtual is replaced by
    an entry from HDD_IDENTIFIERS or CDROM_IDENTIFIERS depending on the
    device Type, or by a random string of equal length for unrecognised
    types.
    """
    identifiers_by_type = {
        "DiskPeripheral": self.HDD_IDENTIFIERS,
        "CdRomPeripheral": self.CDROM_IDENTIFIERS,
    }

    def scsi_key(port, bus, target, lun):
        # Registry path of a single SCSI device slot under DEVICEMAP.
        return (
            "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port %d\\Scsi Bus %d\\"
            "Target Id %d\\Logical Unit Id %d" % (port, bus, target, lun)
        )

    slots = [0, 1, 2, 3]
    for port, bus, target, lun in itertools.product(slots, slots, slots, slots):
        regkey = scsi_key(port, bus, target, lun)
        device_type = query_value(HKEY_LOCAL_MACHINE, regkey, "Type")
        identifier = query_value(HKEY_LOCAL_MACHINE, regkey, "Identifier")
        if not device_type or not identifier:
            continue

        identifier = identifier.lower()
        looks_virtual = (
            "vbox" in identifier or "vmware" in identifier or
            "qemu" in identifier or "virtual" in identifier
        )
        if not looks_virtual:
            continue

        if device_type in identifiers_by_type:
            replacement = random.choice(identifiers_by_type[device_type])
        else:
            log.warning(
                "Unknown SCSI type (%s), disguising it with a random string",
                device_type
            )
            replacement = random_string(len(identifier))

        set_regkey(
            HKEY_LOCAL_MACHINE, regkey, "Identifier", REG_SZ, replacement
        )
def start(self):
    """Start DbgView.exe with kernel capture, if the option is enabled.

    Sets the DebugPrintFilter mask to all ones so every debug print is
    delivered, records the log path in self.filepath and spawns the tool.
    Logs an error and returns if bin/dbgview.exe cannot be found. The
    process handle is discarded, so DbgView is not stopped from here.
    """
    enabled = self.options.get("dbgview")
    if not enabled:
        return

    # NOTE(review): relative to the working directory, unlike the log path
    # below which is anchored at self.analyzer.path -- presumably the same
    # directory; confirm.
    dbgview_path = os.path.join("bin", "dbgview.exe")
    if not os.path.exists(dbgview_path):
        log.error("DbgView.exe not found!")
        return

    # Make sure all logging makes it into DbgView.
    set_regkey(
        _winreg.HKEY_LOCAL_MACHINE, DebugPrintFilter, "",
        _winreg.REG_DWORD, 0xffffffff
    )

    self.filepath = os.path.join(self.analyzer.path, "bin", "dbgview.log")

    # Accept the EULA and enable Kernel Capture, logging to self.filepath.
    subprocess.Popen(
        [dbgview_path, "/accepteula", "/t", "/k", "/l", self.filepath]
    )
    log.info("Successfully started DbgView.")
def patch_hdd_path(self):
    """Replace the first enumerated disk path with a plausible physical one.

    Value "0" under SYSTEM\\ControlSet001\\Services\\Disk\\Enum is
    overwritten with a random entry from HDD_PATHS, a value that can
    otherwise expose the virtual disk vendor.
    """
    regkey = "SYSTEM\\ControlSet001\\Services\\Disk\\Enum"
    new_path = random.choice(self.HDD_PATHS)
    set_regkey(HKEY_LOCAL_MACHINE, regkey, "0", REG_SZ, new_path)
def set_regkey(self, key, type_, value):
    """Write a value under the service entry named by self.install_name.

    Thin wrapper around the module-level set_regkey that fixes the hive
    to HKEY_LOCAL_MACHINE and the path to
    SYSTEM\\CurrentControlSet\\Services\\<install_name>.
    """
    service_key = "SYSTEM\\CurrentControlSet\\Services\\%s" % self.install_name
    set_regkey(_winreg.HKEY_LOCAL_MACHINE, service_key, key, type_, value)
def set_regkey(self, key, type_, value):
    """Set a registry value on this instance's service key.

    Delegates to the module-level set_regkey with HKEY_LOCAL_MACHINE and
    the SYSTEM\\CurrentControlSet\\Services path built from
    self.install_name; key, type_ and value are passed through unchanged.
    """
    hive = _winreg.HKEY_LOCAL_MACHINE
    path = "SYSTEM\\CurrentControlSet\\Services\\%s" % self.install_name
    set_regkey(hive, path, key, type_, value)