def start(self, path): # TODO: proper constructor for MySQL connection handler host = "10.0.20.1" user = "******" passwd = "avtest" dbname = "avtest" conn = MySQLdb.connect(host, user, passwd, dbname) cursor = conn.cursor() task_id = self.get_task_id() p = Process() if "arguments" in self.options: x = p.execute(path=path, args=self.options["arguments"], suspended=False) else: x = p.execute(path=path, suspended=False) if x == True: cursor.execute("UPDATE tasks SET detected = %s WHERE id = %s", (1, task_id)) conn.commit() elif x == False: cursor.execute("UPDATE tasks SET detected = %s WHERE id = %s", (2, task_id)) conn.commit() else: return False return p.pid
def finish(self): if self.options.get("procmemdump", False): for pid in self.pids: p = Process(pid=pid) p.dump_memory() return True
def execute(self, path, args): p = Process() if not p.execute(path=path, args=args, suspended=True): raise CuckooPackageError("Unable to execute the initial process, " "analysis aborted.") return p.pid
def start(self): proc_info = PROCESSENTRY32() proc_info.dwSize = sizeof(PROCESSENTRY32) snapshot = KERNEL32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) flag = KERNEL32.Process32First(snapshot, byref(proc_info)) pid = 0 while flag: if proc_info.sz_exeFile == b"lsass.exe": pid = proc_info.th32ProcessID log.info("lsass.exe found, pid %d", pid) flag = 0 flag = KERNEL32.Process32Next(snapshot, byref(proc_info)) if not pid: log.warning("Unable to find lsass.exe process.") return try: p = Process(options=self.options, config=self.config, pid=pid) filepath = p.get_filepath() p.inject(injectmode=0, interest=filepath, nosleepskip=True) except CuckooError as e: if "process access denied" in e.message: log.warning("You're not running the Agent as Administrator.") else: log.warning( "An unknown error occurred while trying to inject into " "the lsass.exe process to dump TLS master secrets: %s", e) del self.options["tlsdump"]
def execute(self, path, args, mode=None, maximize=False): """Starts an executable for analysis. @param path: executable path @param args: executable arguments @param mode: monitor mode - which functions to instrument @param maximize: whether the GUI should start maximized @return: process pid """ dll = self.options.get("dll") free = self.options.get("free") source = self.options.get("from", "explorer.exe") # Setup pre-defined registry keys. self.init_regkeys(self.REGKEYS) p = Process() if not p.execute(path=path, args=args, dll=dll, free=free, curdir=self.curdir, source=source, mode=mode, maximize=maximize): raise CuckooPackageError("Unable to execute the initial process, " "analysis aborted.") return p.pid
def execute(self, path, args, mode=None, maximize=False, env=None, source=None, trigger=None): """Starts an executable for analysis. @param path: executable path @param args: executable arguments @param mode: monitor mode - which functions to instrument @param maximize: whether the GUI should start maximized @param env: additional environment variables @param source: parent process of our process @param trigger: trigger to indicate analysis start @return: process pid """ dll = self.options.get("dll") free = self.options.get("free") source = source or self.options.get("from") mode = mode or self.options.get("mode") # Setup pre-defined registry keys. self.init_regkeys(self.REGKEYS) p = Process() if not p.execute(path=path, args=args, dll=dll, free=free, curdir=self.curdir, source=source, mode=mode, maximize=maximize, env=env, trigger=trigger): raise CuckooPackageError( "Unable to execute the initial process, analysis aborted." ) return p.pid
def start(self, path): try: sc = self.get_path("sc.exe") servicename = self.options.get("servicename", "CAPEService") servicedesc = self.options.get("servicedesc", "CAPE Service") arguments = self.options.get("arguments") if "." not in os.path.basename(path): new_path = path + ".exe" os.rename(path, new_path) path = new_path binPath = "\"{0}\"".format(path) if arguments: binPath += " {0}".format(arguments) scm_handle = ADVAPI32.OpenSCManagerA(None, None, SC_MANAGER_ALL_ACCESS) if scm_handle == 0: log.info("Failed to open SCManager") log.info(ctypes.FormatError()) return service_handle = ADVAPI32.CreateServiceA( scm_handle, servicename, servicedesc, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, binPath, None, None, None, None, None) if service_handle == 0: log.info("Failed to create service") log.info(ctypes.FormatError()) return log.info("Created service (handle: 0x%x)", service_handle) servproc = Process(options=self.options, config=self.config, pid=self.config.services_pid, suspended=False) filepath = servproc.get_filepath() is_64bit = servproc.is_64bit() if is_64bit: servproc.inject(injectmode=INJECT_QUEUEUSERAPC, interest=filepath, nosleepskip=True) else: servproc.inject(injectmode=INJECT_QUEUEUSERAPC, interest=filepath, nosleepskip=True) servproc.close() KERNEL32.Sleep(500) service_launched = ADVAPI32.StartServiceA(service_handle, 0, None) if service_launched == True: log.info("Successfully started service") else: log.info(ctypes.FormatError()) log.info("Failed to start service") ADVAPI32.CloseServiceHandle(service_handle) ADVAPI32.CloseServiceHandle(scm_handle) return except Exception as e: log.info(sys.exc_info()[0]) log.info(e) log.info(e.__dict__) log.info(e.__class__) log.exception(e)
def start(self, path): p = Process() dll = self.options.get("dll") p.execute(path="bin/execsc.exe", args=[path], suspended=True) p.inject(dll) p.resume() p.wait() return p.pid
def test_is32bit_process(): p = Process() with chdir("cuckoo/data/analyzer/windows"): # Normally the user shouldn't be able to access the SYSTEM process. with pytest.raises(CuckooError) as e: p.is32bit(pid=4) e.match("process access denied$")
def run_ie(self): time.sleep(30) iexplore = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe") ie = Process() if not ie.execute(path=iexplore, args="\"https://www.yahoo.com/\"", suspended=False): raise CuckooPackageError("Unable to execute initial Internet " "Explorer process, analysis aborted") return None
def prepare(self): """Prepare env for analysis.""" # Get SeDebugPrivilege for the Python process. It will be needed in # order to perform the injections. grant_debug_privilege() # Initialize logging. init_logging() # Parse the analysis configuration file generated by the agent. self.config = Config(cfg="analysis.conf") # Pass the configuration through to the Process class. Process.set_config(self.config) # Set virtual machine clock. set_clock( datetime.datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")) # Set the default DLL to be used for this analysis. self.default_dll = self.config.options.get("dll") # If a pipe name has not set, then generate a random one. if "pipe" in self.config.options: self.config.pipe = "\\\\.\\PIPE\\%s" % self.config.options["pipe"] else: self.config.pipe = "\\\\.\\PIPE\\%s" % random_string(16, 32) # Generate a random name for the logging pipe server. self.config.logpipe = "\\\\.\\PIPE\\%s" % random_string(16, 32) # Initialize and start the Command Handler pipe server. This is going # to be used for communicating with the monitored processes. self.command_pipe = PipeServer(PipeDispatcher, self.config.pipe, message=True, dispatcher=CommandPipeHandler(self)) self.command_pipe.daemon = True self.command_pipe.start() # Initialize and start the Log Pipe Server - the log pipe server will # open up a pipe that monitored processes will use to send logs to # before they head off to the host machine. destination = self.config.ip, self.config.port self.log_pipe_server = PipeServer(PipeForwarder, self.config.logpipe, destination=destination) self.log_pipe_server.daemon = True self.log_pipe_server.start() # We update the target according to its category. If it's a file, then # we store the target path. if self.config.category == "file": self.target = os.path.join(os.environ["TEMP"] + os.sep, self.config.file_name) # If it's a URL, well.. we store the URL. else: self.target = self.config.target
def stop(self): """Stop all pids of this analysis package""" for pid in self.initial_pids: p = Process(pid=pid) if p.is_alive(): try: p.terminate() except Exception: continue
def test_is32bit_process(): p = Process() with chdir("cuckoo/data/analyzer/windows"): # Normally (i.e., when not Administrator) the user shouldn't be able # to access the lsass.exe process. with pytest.raises(CuckooError) as e: p.is32bit(process_name="lsass.exe") e.match("process access denied$")
def terminate_tracked(self): log.info("Terminating all remaining processes") for pid in self.pids: p = Process(pid=pid) if p.is_alive(): try: p.terminate() except Exception: continue
def initialize(self): Process.set_config(self.config) self.config.logpipe = get_pipe_path(random_string(16, 32)) self.config.pipe = self.config.options.get( "pipe", get_pipe_path(random_string(16, 32)) ) self.msgclient = MessageClient( self.config.ip, self.config.port, self )
def prepare(self): """Prepare env for analysis.""" # Get SeDebugPrivilege for the Python process. It will be needed in # order to perform the injections. grant_debug_privilege() # Initialize logging. init_logging() # Parse the analysis configuration file generated by the agent. self.config = Config(cfg="analysis.conf") # Pass the configuration through to the Process class. Process.set_config(self.config) # Set virtual machine clock. set_clock(datetime.datetime.strptime( self.config.clock, "%Y%m%dT%H:%M:%S" )) # Set the default DLL to be used for this analysis. self.default_dll = self.config.options.get("dll") # If a pipe name has not set, then generate a random one. if "pipe" in self.config.options: self.config.pipe = "\\\\.\\PIPE\\%s" % self.config.options["pipe"] else: self.config.pipe = "\\\\.\\PIPE\\%s" % random_string(16, 32) # Generate a random name for the logging pipe server. self.config.logpipe = "\\\\.\\PIPE\\%s" % random_string(16, 32) # Initialize and start the Command Handler pipe server. This is going # to be used for communicating with the monitored processes. self.command_pipe = PipeServer(PipeDispatcher, self.config.pipe, message=True, dispatcher=CommandPipeHandler(self)) self.command_pipe.daemon = True self.command_pipe.start() # Initialize and start the Log Pipe Server - the log pipe server will # open up a pipe that monitored processes will use to send logs to # before they head off to the host machine. destination = self.config.ip, self.config.port self.log_pipe_server = PipeServer(PipeForwarder, self.config.logpipe, destination=destination) self.log_pipe_server.daemon = True self.log_pipe_server.start() # We update the target according to its category. If it's a file, then # we store the target path. if self.config.category == "file": self.target = os.path.join(os.environ["TEMP"] + os.sep, self.config.file_name) # If it's a URL, well.. we store the URL. else: self.target = self.config.target
def prepare(self): """Prepare env for analysis.""" # Get SeDebugPrivilege for the Python process. It will be needed in # order to perform the injections. grant_privilege("SeDebugPrivilege") grant_privilege("SeLoadDriverPrivilege") # Initialize logging. init_logging() # Parse the analysis configuration file generated by the agent. if not os.path.exists('analysis.conf'): log.error('analysis.conf does not exist') sys.exit(1) self.config = Config(cfg="analysis.conf") # Pass the configuration through to the Process class. Process.set_config(self.config) #TODO evan - reset if you want to change the clock # Set virtual machine clock. # set_clock(datetime.datetime.strptime( # self.config.clock, "%Y%m%dT%H:%M:%S" # )) # Set the default DLL to be used for this analysis. self.default_dll = self.config.options.get("dll") # If a pipe name has not set, then generate a random one. if "pipe" in self.config.options: self.config.pipe = "\\??\\PIPE\\%s" % self.config.options["pipe"] else: self.config.pipe = "\\??\\PIPE\\%s" % random_string(16, 32) # Generate a random name for the logging pipe server. self.config.logpipe = "\\??\\PIPE\\%s" % random_string(16, 32) # Initialize and start the Command Handler pipe server. This is going # to be used for communicating with the monitored processes. self.command_pipe = PipeServer(PipeDispatcher, self.config.pipe, message=True, dispatcher=CommandPipeHandler(self)) self.command_pipe.daemon = True self.command_pipe.start() # Initialize and start the Log Pipe Server - the log pipe server will # open up a pipe that monitored processes will use to send logs to # before they head off to the host machine. destination = self.config.ip, self.config.port self.log_pipe_server = PipeServer(PipeForwarder, self.config.logpipe, destination=destination) self.log_pipe_server.daemon = True self.log_pipe_server.start()
def finish(self): """Finish run. If specified to do so, this method dumps the memory of all running processes. """ if self.options.get("procmemdump"): for pid in self.pids: p = Process(pid=pid) p.dump_memory() return True
def execute(self, path, args, mode=None, maximize=False, env=None, source=None, trigger=None): """Starts an executable for analysis. @param path: executable path @param args: executable arguments @param mode: monitor mode - which functions to instrument @param maximize: whether the GUI should start maximized @param env: additional environment variables @param source: parent process of our process @param trigger: trigger to indicate analysis start @return: process pid """ dll = self.options.get("dll") free = self.options.get("free") analysis = self.options.get("analysis") # Kernel analysis overrides the free argument. if analysis == "kernel": free = True source = source or self.options.get("from") mode = mode or self.options.get("mode") if not trigger and self.options.get("trigger"): if self.options["trigger"] == "exefile": trigger = "file:%s" % path # Setup pre-defined registry keys. if self.set_regkeys: self.init_regkeys(self.REGKEYS) self.set_regkeys = False p = Process() if not p.execute(path=path, args=args, dll=dll, free=free, curdir=self.curdir, source=source, mode=mode, maximize=maximize, env=env, trigger=trigger): raise CuckooPackageError( "Unable to execute the initial process, analysis aborted.") self.initial_pids.append(p.pid) return p.pid
def start(self, path): free = self.options.get("free", False) dll = self.options.get("dll", None) gw = self.options.get("setgw", None) u = Utils() if gw: u.set_default_gw(gw) suspended = True if free: suspended = False cmd_path = os.path.join(os.getenv("SystemRoot"), "system32", "cmd.exe") cmd_args = "/c start \"{0}\"".format(path) p = Process() if not p.execute(path=cmd_path, args=cmd_args, suspended=suspended): raise CuckooPackageError("Unable to execute initial process, " "analysis aborted") if not free and suspended: p.inject(dll) p.resume() p.close() return p.pid else: return None
def execute(self, path, args, interest): """Starts an executable for analysis. @param path: executable path @param args: executable arguments @param interest: file of interest, passed to the cuckoomon config @return: process pid """ dll = self.options.get("dll") free = self.options.get("free") suspended = True if free: suspended = False kernel_analysis = self.options.get("kernel_analysis", False) if kernel_analysis != False: kernel_analysis = True p = Process() if not p.execute(path=path, args=args, suspended=suspended, kernel_analysis=kernel_analysis): raise CuckooPackageError("Unable to execute the initial process, " "analysis aborted.") if free: return None if not kernel_analysis: p.inject(dll, interest) p.resume() p.close() return p.pid
def debug(self, path, args, interest): """Starts an executable for analysis. @param path: executable path @param args: executable arguments @param interest: file of interest, passed to the cuckoomon config @return: process pid """ dll = self.options.get("dll") gw = self.options.get("setgw", None) u = Utils() if gw: u.set_default_gw(gw) suspended = True p = Process() if not p.execute( path=path, args=args, suspended=suspended, kernel_analysis=False): raise CuckooPackageError("Unable to execute the initial process, " "analysis aborted.") p.debug_inject(dll, INJECT_QUEUEUSERAPC, interest) p.resume() p.close() return p.pid
def start(self, path): free = self.options.get("free", False) args = self.options.get("arguments", None) dll = self.options.get("dll", None) gw = self.options.get("setgw",None) u = Utils() if gw: u.set_default_gw(gw) suspended = True if free: suspended = False p = Process() if not p.execute(path=path, args=args, suspended=suspended): raise CuckooPackageError("Unable to execute initial process, " "analysis aborted") if not free and suspended: p.inject(dll) p.resume() self.run_ie() p.close() return p.pid else: self.run_ie() return None
def execute(self, path, args, interest): """Starts an executable for analysis. @param path: executable path @param args: executable arguments @param interest: file of interest, passed to the cuckoomon config @return: process pid """ free = self.options.get("free", False) suspended = not free kernel_analysis = bool(self.options.get("kernel_analysis", False)) p = Process(options=self.options, config=self.config) if not p.execute(path=path, args=args, suspended=suspended, kernel_analysis=kernel_analysis): raise CuckooPackageError( "Unable to execute the initial process, analysis aborted") if free: return None if not kernel_analysis: p.inject(INJECT_QUEUEUSERAPC, interest) p.resume() p.close() return p.pid
def execute(self, cmd): """Start an executable for analysis. @param path: executable path @param args: executable arguments @return: process pid """ p = Process() if not p.execute(cmd): raise CuckooPackageError("Unable to execute the initial process, analysis aborted") return p.pid
def execute(self, cmd): """Starts an executable for analysis. @param path: executable path @param args: executable arguments @return: process pid """ p = Process() if not p.execute(cmd): raise CuckooPackageError("Unable to execute the initial process, " "analysis aborted.") return p.pid
def finish(self): """Finish run. If configured, upload memory dumps of all running processes. """ if self.options.get("procmemdump"): for pid in self.pids: p = Process(pid=pid) p.upload_memdump() return True
def start(self, path): arg = "\"%s\"" % path self.procmon = Process() p = Process() self.procmon.execute(path="C:\\Procmon\Procmon.exe", args="/Quiet /backingfile C:\\procmon", suspended=False) self.procmon.execute(path="C:\\Procmon\Procmon.exe", args="/WaitForIdle", suspended=False) if "arguments" in self.options: p.execute(path=path, args=self.options["arguments"], suspended=True) else: p.execute(path=path, suspended=True) p.resume() return p.pid
def finish(self): """Finish run. If configured, upload memory dumps of all running processes. """ if self.options.get("procmemdump"): for pid in self.dump_pids: log.debug("PAUL: DUMPING PID {}".format(pid)) p = Process(pid=pid) p.upload_memdump() return True
def run(self): """Run handler. @return: operation status. """ data = "" while True: bytes_read = c_int(0) buf = create_string_buffer(BUFSIZE) success = KERNEL32.ReadFile(self.h_pipe, buf, sizeof(buf), byref(bytes_read), None) data += buf.value if not success and KERNEL32.GetLastError() == ERROR_MORE_DATA: continue #elif not success or bytes_read.value == 0: # if KERNEL32.GetLastError() == ERROR_BROKEN_PIPE: # pass break if data: command = data.strip() #log.debug("Connection received (data=%s)" % command) if command.startswith("PID:"): PROCESS_LOCK.acquire() pid = command[4:] if pid.isdigit(): pid = int(pid) if pid not in PROCESS_LIST: add_pids(pid) proc = Process(pid=pid) proc.inject() KERNEL32.WriteFile(self.h_pipe, create_string_buffer("OK"), 2, byref(bytes_read), None) PROCESS_LOCK.release() elif command.startswith("FILE:"): file_path = command[5:] add_file(file_path) KERNEL32.CloseHandle(self.h_pipe) return True
def start(self): try: p = Process(process_name="lsass.exe") p.inject(track=False, mode="dumptls") except CuckooError as e: if "process access denied" in e.message: log.warning( "You're not running the Cuckoo Agent as Administrator. " "Doing so will improve your analysis results!") else: log.warning( "An unknown error occurred while trying to inject into " "the lsass.exe process to dump TLS master secrets: %s", e)
def start(self, path): free = self.options.get("free", False) dll = self.options.get("dll", None) gw = self.options.get("setgw",None) u = Utils() if gw: u.set_default_gw(gw) suspended = True if free: suspended = False cmd_path = os.path.join(os.getenv("SystemRoot"), "system32", "cmd.exe") cmd_args = "/c start \"{0}\"".format(path) p = Process() if not p.execute(path=cmd_path, args=cmd_args, suspended=suspended): raise CuckooPackageError("Unable to execute initial process, " "analysis aborted") if not free and suspended: p.inject(dll) p.resume() p.close() return p.pid else: return None
def test_is32bit_path(): p = Process() mzdos0 = os.path.abspath("tests/files/mzdos0") icardres = os.path.abspath("tests/files/icardres.dll") with chdir("cuckoo/data/analyzer/windows"): # File not found. with pytest.raises(CuckooError) as e: p.is32bit(path="thisisnotafile") e.match("File not found") # No MZ header. with pytest.raises(CuckooError) as e: p.is32bit(path=__file__) e.match("returned by is32bit") e.match("Invalid DOS file") # This is a MZ-DOS executable rather than a PE file. assert p.is32bit(path=mzdos0) is True # TODO Add a 32-bit PE executable. # This is a 64-bit PE file. assert p.is32bit(path=icardres) is False
def start(self, path): p = Process() p.execute(path="bin/execsc.exe", args=path, suspended=True) p.inject() p.resume() return p.pid
def start(self, path): free = self.options.get("free", False) args = self.options.get("arguments", None) dll = self.options.get("dll", None) gw = self.options.get("setgw",None) u = Utils() if gw: u.set_default_gw(gw) suspended = True if free: suspended = False p = Process() if not p.execute(path=path, args=args, suspended=suspended): raise CuckooPackageError("Unable to execute initial process, " "analysis aborted") if not free and suspended: p.inject(dll) p.resume() p.close() return p.pid else: return None
def _handle_dumpmem(self, data): """Dump the memory of a process as it is right now.""" if not data.isdigit(): log.warning("Received DUMPMEM command with an incorrect argument.") return Process(pid=int(data)).dump_memory()
def run(self): startbrowser = self.options.get("startbrowser") url = self.options.get("url") if not startbrowser: return True while self.do_run: time.sleep(1000) self.seconds_elapsed = self.seconds_elapsed + 1 if self.seconds_elapsed == 30: iexplore = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe") ie = Process() if not url: url = "https://www.yahoo.com/" ie.execute(path=iexplore, args="\"" + url + "\"", suspended=False) ie.close()
def _handle_kill(self, data): """A process is being killed.""" if not data.isdigit(): log.warning("Received KILL command with an incorrect argument.") return if self.analyzer.config.options.get("procmemdump"): Process(pid=int(data)).dump_memory()
def start(self, path): p = Process() if "arguments" in self.options: p.execute(path=path, args=self.options["arguments"], suspended=True) else: p.execute(path=path, suspended=True) if self.options.get("free", "no") != "yes": p.inject() p.resume() return p.pid
def start(self, path): arg = "\"%s\"" % path p = Process() p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe", args=arg, suspended=True) p.inject() p.resume() return p.pid
def start(self, path): arg = "\"%s\"" % path p = Process() p.execute(path="C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe", args=arg, suspended=True) p.inject() p.resume() return p.pid
def start(self, path): arg = "\"%s\"" % path p = Process() p.execute(path="C:\\WINDOWS\\system32\\cmd.exe", args=arg, suspended=True) p.inject() p.resume() return p.pid
def start(self, path): arg = "\"%s\"" % path p = Process() p.execute(path="C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE", args=arg, suspended=True) p.inject() p.resume() return p.pid
def start(self, path): p = Process() pin = os.path.join("bin", "pin.exe") dll = os.path.join("bin", "malwpin.dll") if "share_letter" in self.options: root = self.options['share_letter'] else: root = "E:\\" #PATHS["root"] out = os.path.join(root, "malwpin.xml") pinlog = os.path.join(root, "pin.log") stack_dir = os.path.join(root, "memory") + os.sep pin_arg = "" if "adr-start" in self.options: pin_arg += " -adr-start %s " % self.options['adr-start'] if "adr-stop" in self.options: pin_arg += " -adr-stop %s " % self.options['adr-stop'] if "n" in self.options: pin_arg += " -n %s " % self.options['n'] argv = "-t %s -o %s -s %s -logfile %s %s -- %s" % (dll, out, stack_dir, pinlog, pin_arg, path) #argv = "-t %s -o %s -s %s -logfile %s -follow_execv -- %s" % (dll, out, stack_dir, pinlog, path) if "arguments" in self.options: argv += " " + self.options["arguments"] p.execute(path=pin, args=argv, suspended=True) #inject = True #if "free" in self.options: #if self.options["free"] == "yes": #inject = False #if inject: #p.inject() p.resume() return p.pid
def test_process(self): process = Process() path = executable_name_for_target(self.current_target()) # just making sure self.assertTrue(os.path.isfile(path)) res = process.execute(path='non_existing') pid = process.pid self.assertFalse(res) self.assertTrue(pid == None) res = process.execute(path=path, args=['first', 'second']) pid = process.pid self.assertTrue(res) self.assertTrue(pid != None) self.assertIsInstance(pid, int)
def start(self, path): arg = "\"%s\"" % path self.procmon = Process() p = Process() self.procmon.execute(path = "C:\\Procmon\Procmon.exe", args = "/Quiet /backingfile C:\\procmon", suspended = False) self.procmon.execute(path = "C:\\Procmon\Procmon.exe", args = "/WaitForIdle", suspended = False) if "arguments" in self.options: p.execute(path = path, args = self.options["arguments"], suspended = True) else: p.execute(path = path, suspended = True) p.resume() return p.pid
def start(self, path): p = Process() rundll32 = "C:\\WINDOWS\\system32\\rundll32.exe" if "function" in self.options: p.execute(path=rundll32, args="%s,%s" % (path, self.options["function"]), suspended=True) else: p.execute(path=rundll32, args="%s,DllMain" % path, suspended=True) if self.options.get("free", "no") != "yes": p.inject() p.resume() return p.pid
def execute(self, path, args): """Starts an executable for analysis. @param path: executable path @param args: executable arguments @return: process pid """ dll = self.options.get("dll") free = self.options.get("free") source = self.options.get("from") # Setup pre-defined registry keys. self.init_regkeys(self.REGKEYS) p = Process() if not p.execute(path=path, args=args, dll=dll, free=free, curdir=self.curdir, source=source): raise CuckooPackageError("Unable to execute the initial process, " "analysis aborted.") return p.pid
def start(self, path): p = Process() execsc = "extra/execsc.exe" p.execute(path=execsc, args=path, suspended=True) p.inject() p.resume() return p.pid
def start(self, path): p = Process() free = self.options.get("free") dll = self.options.get("dll") p.execute(path="bin/execsc.exe", args=path, suspended=True) p.inject(dll, path) p.resume() if free: return None return p.pid
def start(self, path): excel = self.get_path() if not excel: raise CuckooPackageError("Unable to find any Microsoft " "Office Excel executable available") dll = self.options.get("dll", None) free = self.options.get("free", False) gw = self.options.get("setgw", None) u = Utils() if gw: u.set_default_gw(gw) suspended = True if free: suspended = False p = Process() if not p.execute(path=excel, args='"%s"' % path, suspended=suspended): raise CuckooPackageError("Unable to execute initial Microsoft " "Office Excel process, analysis aborted") if not free and suspended: p.inject(dll) p.resume() return p.pid else: return None