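import fcntl
import logging
import os
import tempfile

import syscalls
import execute

# Named syscall groups, keyed by the kind of access they can perform.
# A syscall may belong to several groups (e.g. "rename" both creates its
# destination and removes its source, so it appears under Create and Remove).
syscalls.declare_syscall_sets({
    "Check" : ["stat", "stat64", "access"],
    "FileCreate" : ["creat", "link", "mknod", "open", "rename"],
    "LinkCreate" : ["link", "symlink", "rename"],
    "DirCreate" : ["mkdir", "rename"],
    # "rename" was previously listed twice in this group; one entry is enough.
    "FileRemove" : ["unlink", "rename", "mknod"],
    "LinkRemove" : ["unlink", "rename"],
    "DirRemove" : ["rmdir", "rename"],
    "FileWrite" : ["chmod", "chown", "truncate", "open"],
    "FileRead" : ["open", "execve"],
    "LinkWrite" : ["link", "symlink"],
    "LinkRead" : ["readlink"],
    "DirWrite" : ["chmod", "chown", "open"],
    "DirRead" : ["mount", "chdir", "chroot", "open", "execve"],
    "ProcCreat" : ["fork", "vfork", "clone"],
    "DirChange" : ["chdir", "chroot"],
})

##################################################################

# Registries filled in by the pattern/attacker/querier definitions later in
# this file. `os` is imported above because the /proc readlink code further
# down uses os.readlink/os.path.
patterns = []
attackers = []
queriers = []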
class PredetectBookmarks:
    """Base hook for bookmarking events during predetection.

    Subclasses override need_bookmark/upon_bookmark; the defaults request
    no bookmarks and treat any call to upon_bookmark as a bug.
    """

    def need_bookmark(self, event, before=False, after=False):
        """Return True if *event* should be bookmarked before/after it runs."""
        return False

    def upon_bookmark(self, event, exe, before=False, after=False):
        """Called at a bookmark; never expected to run on the base class."""
        # NOTE(review): assert statements are stripped under `python -O`, so
        # this would then silently return None instead of failing; raising
        # NotImplementedError would fail loudly regardless of optimisation.
        assert False

    def after_replay(self, graph, event):
        """Hook run after *event* has been replayed; no-op in the base class."""
        pass

    def __init__(self):
        pass


syscalls.declare_syscall_sets({
    "ChangePath" : ["chroot", "chdir", "fchdir"],
})


class BookmarksForPaths(PredetectBookmarks):
    """Record each process's cwd and root by reading /proc at bookmarks."""

    def need_bookmark(self, event, before=False, after=False):
        # Bookmark before the process's first syscall, and after any syscall
        # that can change cwd/root. SYS_ChangePath is presumably bound by the
        # declare_syscall_sets call above -- confirm where that name comes from.
        return (before and event == event.proc.syscalls[0]) or \
            (after and event.nr in SYS_ChangePath)

    def upon_bookmark(self, event, exe, before=False, after=False):
        # Map the recorded pid to the live pid, then read its cwd and root
        # symlinks from the /proc mounted inside exe.chroot. Relies on `os`
        # being in scope at module level -- confirm it is imported.
        pid = exe.pids[event.proc.pid]
        proc = exe.chroot + '/proc'
        cwd = os.readlink('%s/%d/cwd' % (proc, pid))
        root = os.readlink('%s/%d/root' % (proc, pid))
        # Express cwd relative to the process root. NOTE(review): if cwd lies
        # outside root, relpath yields leading '..' components which normpath
        # silently drops after the '/' prefix, producing a wrong path rather
        # than an error -- confirm that case cannot occur here.
        event.proc.cwd = \
            os.path.normpath('/' + os.path.relpath(cwd, root))
        event.proc.root = \