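def test_basics():
    """Extracted files land under the analysis' ``extracted`` directory.

    Covers the three entry points of ``ExtractManager``: writing a raw
    blob, pushing a parsed script object, and pushing a bare command
    line.  Files are read back through ``with`` so no handle is leaked
    across the test (the original relied on refcounting to close them).
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    mkdir(cwd(analysis=1))
    init_yara()

    em = ExtractManager(1)

    # Raw blob: stored as "<index>.<ext>", here index 0 with extension foo.
    em.write_extracted("foo", "bar")
    with open(cwd("extracted", "0.foo", analysis=1), "rb") as f:
        assert f.read() == "bar"

    # Encoded PowerShell ("-e": UTF-16LE text, base64 encoded) is decoded
    # by the parser and written out as a .ps1 script.
    scr = Scripting()
    cmd = scr.parse_command(
        "powershell -e %s" % "foobar".encode("utf-16le").encode("base64")
    )
    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)
    with open(cwd("extracted", "0.ps1", analysis=1), "rb") as f:
        assert f.read() == "foobar"

    # Same decoding reached through the bare command-line helper; the
    # next .ps1 gets index 1.
    em.push_command_line(
        "powershell -e %s" % "world!".encode("utf-16le").encode("base64")
    )
    with open(cwd("extracted", "1.ps1", analysis=1), "rb") as f:
        assert f.read() == "world!"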
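def test_basics():
    """Extracted files land under the analysis' ``extracted`` directory.

    Covers the three entry points of ``ExtractManager``: writing a raw
    blob, pushing a parsed script object, and pushing a bare command
    line.  Files are read back through ``with`` so no handle is leaked
    across the test (the original relied on refcounting to close them).
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    mkdir(cwd(analysis=1))
    init_yara()

    em = ExtractManager(1)

    # Raw blob: stored as "<index>.<ext>", here index 0 with extension foo.
    em.write_extracted("foo", "bar")
    with open(cwd("extracted", "0.foo", analysis=1), "rb") as f:
        assert f.read() == "bar"

    # Encoded PowerShell ("-e": UTF-16LE text, base64 encoded) is decoded
    # by the parser and written out as a .ps1 script.
    scr = Scripting()
    cmd = scr.parse_command(
        "powershell -e %s" % "foobar".encode("utf-16le").encode("base64")
    )
    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)
    with open(cwd("extracted", "0.ps1", analysis=1), "rb") as f:
        assert f.read() == "foobar"

    # Same decoding reached through the bare command-line helper; the
    # next .ps1 gets index 1.
    em.push_command_line(
        "powershell -e %s" % "world!".encode("utf-16le").encode("base64")
    )
    with open(cwd("extracted", "1.ps1", analysis=1), "rb") as f:
        assert f.read() == "world!"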
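def test_ident_shellcode(p):
    """A PowerShell byte array matched by a Yara rule is carved as shellcode.

    ``p`` is a mock patched in by the caller; its ``return_value`` is set
    to the tuple of ``Extractor`` subclasses to run.  The test returns
    early (effectively skipping) when Yara is not installed.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    mkdir(cwd("yara", "scripts"))

    # Raw string: the rule's regex contains "\s", which must reach Yara as
    # a literal backslash-s rather than be interpreted by Python.
    rule = r"""
rule Shellcode1 {
    strings:
        $Shellcode = /=\s*((0x)?[0-9A-F]{2}\s*[,;]\s*)+/ nocase
    condition:
        all of them
}
"""
    with open(cwd("yara", "scripts", "1.yar"), "wb") as f:
        f.write(rule)

    # No Yara has been installed.
    if not init_yara(True):
        return

    class Shellcode1(Extractor):
        yara_rules = "Shellcode1"

        def handle_yara(self, filepath, match):
            # For the byte array this test builds, the match is
            # "= 0x..,0x..;" -- drop the leading "= " and trailing ";"
            # and turn the comma-separated hex literals back into bytes.
            sc = match.string("Shellcode", 0)
            self.push_shellcode(
                "".join(chr(int(x, 16)) for x in sc[2:-1].split(","))
            )

    p.return_value = Shellcode1,

    with open("tests/files/shellcode/shikata/1.bin", "rb") as f:
        sc = shikata(f.read())
    sc = ",".join("0x%02x" % ord(ch) for ch in sc)

    scr = Scripting()
    ps1 = ("[Byte[]]$s = %s;" % sc).encode("utf-16le")
    cmd = scr.parse_command(
        "powershell -e %s" % ps1.encode("base64").replace("\n", "")
    )

    mkdir(cwd(analysis=1))
    em = ExtractManager(1)
    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)
    assert len(em.items) == 2

    # Item 0 is the decoded script, item 1 the disassembly listing of the
    # carved shellcode.
    with open(cwd("extracted", "0.ps1", analysis=1), "rb") as f:
        assert f.read().startswith("[Byte[]]$s = 0xfc")
    with open(cwd("extracted", "1.bin.txt", analysis=1), "rb") as f:
        buf = f.read()
    assert "call 0x88" in buf
    assert "0x00c1: push 0xc69f8957" in buf
    assert ".db 'www.service.chrome-up.date',0" in buf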
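def test_ident_shellcode(p):
    """A PowerShell byte array matched by a Yara rule is carved as shellcode.

    ``p`` is a mock patched in by the caller; its ``return_value`` is set
    to the tuple of ``Extractor`` subclasses to run.  The test returns
    early (effectively skipping) when Yara is not installed.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    mkdir(cwd("yara", "scripts"))

    # Raw string: the rule's regex contains "\s", which must reach Yara as
    # a literal backslash-s rather than be interpreted by Python.
    rule = r"""
rule Shellcode1 {
    strings:
        $Shellcode = /=\s*((0x)?[0-9A-F]{2}\s*[,;]\s*)+/ nocase
    condition:
        all of them
}
"""
    with open(cwd("yara", "scripts", "1.yar"), "wb") as f:
        f.write(rule)

    # No Yara has been installed.
    if not init_yara(True):
        return

    class Shellcode1(Extractor):
        yara_rules = "Shellcode1"

        def handle_yara(self, filepath, match):
            # For the byte array this test builds, the match is
            # "= 0x..,0x..;" -- drop the leading "= " and trailing ";"
            # and turn the comma-separated hex literals back into bytes.
            sc = match.string("Shellcode", 0)
            self.push_shellcode(
                "".join(chr(int(x, 16)) for x in sc[2:-1].split(","))
            )

    p.return_value = Shellcode1,

    with open("tests/files/shellcode/shikata/1.bin", "rb") as f:
        sc = shikata(f.read())
    sc = ",".join("0x%02x" % ord(ch) for ch in sc)

    scr = Scripting()
    ps1 = ("[Byte[]]$s = %s;" % sc).encode("utf-16le")
    cmd = scr.parse_command(
        "powershell -e %s" % ps1.encode("base64").replace("\n", "")
    )

    mkdir(cwd(analysis=1))
    em = ExtractManager(1)
    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)
    assert len(em.items) == 2

    # Item 0 is the decoded script, item 1 the disassembly listing of the
    # carved shellcode.
    with open(cwd("extracted", "0.ps1", analysis=1), "rb") as f:
        assert f.read().startswith("[Byte[]]$s = 0xfc")
    with open(cwd("extracted", "1.bin.txt", analysis=1), "rb") as f:
        buf = f.read()
    assert "call 0x88" in buf
    assert "0x00c1: push 0xc69f8957" in buf
    assert ".db 'www.service.chrome-up.date',0" in buf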
class ExtractScripts(BehaviorHandler):
    """Extracts embedded scripts in command-line parameters.

    Every ``process`` event has its command line run through
    ``Scripting``; when a script body can be recovered from it, the
    parsed command is handed to the task's ``ExtractManager`` together
    with the originating process record.
    """
    key = "extracted"
    event_types = ["process"]

    def __init__(self, *args, **kwargs):
        super(ExtractScripts, self).__init__(*args, **kwargs)
        self.scr = Scripting()
        # Manager looked up by the analysis' task id (presumably one per
        # task -- see ExtractManager.for_task).
        self.ex = ExtractManager.for_task(self.analysis.task["id"])

    def handle_event(self, process):
        command = self.scr.parse_command(process["command_line"])
        if not command:
            return
        if not command.get_script():
            return
        self.ex.push_script(process, command)

    def run(self):
        # Nothing to do at the end of the run; extraction happens per event.
        pass
def setup(self):
    """Test fixture: give the test a fresh ``Scripting`` parser as ``scr``."""
    parser = Scripting()
    self.scr = parser
class TestScripting(object):
    """Behaviour of ``Scripting.parse_command`` on cmd / powershell lines.

    Each test feeds a Windows command line and checks the parsed program
    name, script extension, argument mapping and, for nested ``cmd /c``
    wrappers, the tree of child commands.
    """

    # Arguments produced for "-nop -ep bypass -enc <base64 UTF-16LE>";
    # the "-enc" payload is exposed decoded under "encodedcommand".
    _RECURSIVE_ARGS = {
        "noprofile": True,
        "executionpolicy": "bypass",
        "encodedcommand": 'echo "Recursive"',
    }

    def setup(self):
        self.scr = Scripting()

    def _parse(self, cmdline):
        """Shorthand used by every test in this class."""
        return self.scr.parse_command(cmdline)

    def test_cmd_ping(self):
        obj = self._parse("cmd /c ping 8.8.8.8")
        expected_args = {
            "remains": False,
            "command": ["ping", "8.8.8.8"],
        }
        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == expected_args
        assert not obj.children
        assert obj.astree() == {"args": expected_args, "children": []}

    def test_cmd_fullpath(self):
        # A full path still resolves to program "cmd"; "/k" (as opposed
        # to "/c" above) is reported as remains=True.
        obj = self._parse(
            "C:\\\\Windows\\\\System32\\\\cmd.exe /k ping 8.8.8.8"
        )
        assert (obj.program, obj.ext) == ("cmd", "bat")
        assert obj.args == {
            "remains": True,
            "command": ["ping", "8.8.8.8"],
        }

    def test_cmd_cmd_cmd_ping(self):
        # Three nested cmd wrappers (case-insensitive): every level's child
        # holds the remaining command line, the innermost has no children.
        obj = self._parse("cmd /c CMD.EXE /c cmd.exE /c ping 8.8.8.8")
        outer = {
            "remains": False,
            "command": ["CMD.EXE", "/c", "cmd.exE", "/c", "ping", "8.8.8.8"],
        }
        middle = {
            "remains": False,
            "command": ["cmd.exE", "/c", "ping", "8.8.8.8"],
        }
        inner = {
            "remains": False,
            "command": ["ping", "8.8.8.8"],
        }
        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == outer

        children = obj.children
        assert len(children) == 1
        assert children[0].args == middle
        grandchildren = children[0].children
        assert len(grandchildren) == 1
        assert grandchildren[0].args == inner
        assert not grandchildren[0].children

        assert obj.astree() == {
            "args": outer,
            "children": [{
                "args": middle,
                "children": [{
                    "args": inner,
                    "children": [],
                }],
            }],
        }

    def test_cmd_powershell(self):
        # cmd wrapping powershell: the outer level keeps the raw tokens,
        # the child carries the decoded powershell arguments.
        obj = self._parse("""
        cmd /c powershell -nop -ep bypass -enc ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA=
        """)
        assert (obj.program, obj.ext) == ("cmd", "bat")
        assert obj.args == {
            "remains": False,
            "command": [
                "powershell", "-nop", "-ep", "bypass", "-enc",
                "ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA=",
            ]
        }
        children = obj.children
        assert len(children) == 1
        assert children[0].args == self._RECURSIVE_ARGS
        assert not children[0].children

    def test_powershell_encodedcommand(self):
        obj = self._parse("""
        powershell -nop -ep bypass -enc ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA=
        """)
        assert (obj.program, obj.ext) == ("powershell", "ps1")
        assert obj.args == self._RECURSIVE_ARGS
        assert not obj.children
        assert obj.get_script() == 'echo "Recursive"'

    def test_powershell_command(self):
        # "-Command" takes the script inline; no decoding involved.
        obj = self._parse("""
        powershell -nop -ep bypass -Command ping '8.8.8.8'
        """)
        assert (obj.program, obj.ext) == ("powershell", "ps1")
        assert obj.get_script() == "ping '8.8.8.8'"
def test_on_extract():
    """An extracted script shows up in processing results and reaches signatures.

    Pushes a parsed ``cmd.exe`` command line into the extract manager of
    task 2, runs processing, and checks that (a) the ``extracted`` result
    entry describes it and (b) ``RunSignatures`` invokes ``on_extract``
    exactly once with a script-category item.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    init_modules()
    Database().connect()
    mkdir(cwd(analysis=2))

    command = Scripting().parse_command("cmd.exe /c ping 1.2.3.4")
    manager = ExtractManager.for_task(2)
    manager.push_script({"pid": 1, "first_seen": 2}, command)

    task = Dictionary({
        "id": 2,
        "category": "file",
        "target": __file__,
    })
    results = RunProcessing(task=task).run()

    expected = {
        "category": "script",
        "pid": 1,
        "first_seen": 2,
        "program": "cmd",
        "raw": cwd("extracted", "0.bat", analysis=2),
        "yara": [],
        "info": {},
    }
    assert results["extracted"] == [expected]

    class sig1(object):
        """Minimal signature stub; only the on_extract hook is observed."""
        name = "sig1"

        @property
        def matched(self):
            return False

        @matched.setter
        def matched(self, value):
            pass

        def init(self):
            pass

        def on_signature(self):
            pass

        def on_complete(self):
            pass

        def on_yara(self):
            pass

        on_extract = mock.MagicMock()

    runner = RunSignatures(results)
    runner.signatures = sig1(),
    runner.run()

    sig1.on_extract.assert_called_once()
    item = sig1.on_extract.call_args_list[0][0][0]
    assert item.category == "script"
def push_command_line(self, cmdline, process=None):
    """Parse ``cmdline`` and push it as an extracted script if it carries one.

    ``process`` is forwarded unchanged to ``push_script``; callers without
    process metadata leave it at ``None``.
    """
    command = Scripting().parse_command(cmdline)
    if not command:
        return
    if not command.get_script():
        return
    self.push_script(process, command)
def __init__(self, *args, **kwargs):
    """Set up the command-line parser and this task's extract manager."""
    super(ExtractScripts, self).__init__(*args, **kwargs)
    task_id = self.analysis.task["id"]
    self.scr = Scripting()
    self.ex = ExtractManager.for_task(task_id)