    def run(self):
        """Simulate a user on the analysis VM until ``self.do_run`` is cleared.

        Returns True straight away when the ``nohuman`` option is set (no
        interaction at all); otherwise returns None once the loop is stopped.
        Every second the mouse is clicked and moved and any dialog buttons are
        pressed through ``foreach_window``.  If the sample looks like an
        Office document (by ``self.config.file_type`` string or by filename
        extension) its window is additionally closed once, about 30 s in,
        through ``get_office_window``.
        """
        if self.options.get("nohuman"):
            return True

        kind = self.config.file_type
        name = self.config.file_name

        # One lazy `or` chain: the checks are evaluated in the same order and
        # with the same short-circuiting as an if/elif ladder would give.
        officedoc = (
            "Rich Text Format" in kind
            or "Microsoft Word" in kind
            or "Microsoft Office Word" in kind
            or name.endswith((".doc", ".docx", ".rtf"))
            or "Microsoft Office Excel" in kind
            or "Microsoft Excel" in kind
            or name.endswith((".xls", ".xlsx"))
            or "Microsoft PowerPoint" in kind
            or name.endswith((".ppt", ".pptx", ".pps", ".ppsx", ".pptm", ".potm", ".potx", ".ppsm"))
        )

        elapsed = 0
        while self.do_run:
            # Fires exactly once, on the tick where the counter equals 30.
            if officedoc and elapsed == 30:
                USER32.EnumWindows(EnumWindowsProc(get_office_window), 0)

            click_mouse()
            move_mouse()
            USER32.EnumWindows(EnumWindowsProc(foreach_window), 0)
            KERNEL32.Sleep(1000)
            elapsed += 1
    def run(self):
        """Simulate user activity until ``self.do_run`` is cleared.

        Option handling: ``human`` is the master switch for all three
        behaviours and defaults to on; ``human.move_mouse``,
        ``human.click_mouse`` and ``human.click_buttons`` each override the
        master value for one behaviour.  Values are coerced with ``int()``,
        so they are presumably strings such as "0"/"1".  The resolved flags
        are stored on ``self`` so other code can inspect them.
        """
        opts = self.options

        def resolve(key, fallback):
            # Explicit option wins; otherwise inherit the fallback unchanged.
            return int(opts[key]) if key in opts else fallback

        master = resolve("human", True)
        self.do_move_mouse = resolve("human.move_mouse", master)
        self.do_click_mouse = resolve("human.click_mouse", master)
        self.do_click_buttons = resolve("human.click_buttons", master)

        while self.do_run:
            if self.do_click_mouse:
                click_mouse()

            if self.do_move_mouse:
                move_mouse()

            if self.do_click_buttons:
                # Press buttons on whatever dialogs are currently open.
                USER32.EnumWindows(EnumWindowsProc(foreach_window), 0)

            KERNEL32.Sleep(1000)
    def run(self):
        nohuman = self.options.get("nohuman")
        if nohuman:
            return True

        while self.do_run:
            click_mouse()
            move_mouse()
            USER32.EnumWindows(EnumWindowsProc(foreach_window), 0)
            KERNEL32.Sleep(1000)
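    def run(self):
        """Simulate a user on the analysis VM until ``self.do_run`` is cleared.

        Before the loop the clipboard is seeded with random text (presumably
        so the VM looks less like a freshly provisioned machine).  Then, once
        per second: Office documents get their window closed every 30 s until
        ``CLOSED_OFFICE`` is set; the mouse is clicked and moved on about half
        of the ticks; every ``15 + randoff`` seconds the foreground window is
        rotated among the windows recorded at start (``INITIAL_HWNDS``); and
        dialog buttons are pressed through ``foreach_window``.

        Returns True as soon as the ``nohuman`` option is seen (after the
        clipboard has been seeded), otherwise None.  Any exception is logged
        and ends the loop; the analyzer itself keeps running.
        """
        try:
            seconds = 0
            randoff = random.randint(0, 10)

            # Seed the clipboard with 10..1000 characters of letter-ish noise.
            # NOTE(review): create_string_buffer() needs bytes on Python 3;
            # this passes a str, so the file presumably targets Python 2.
            alphabet = "   aaaabcddeeeeeefghhhiiillmnnnooooprrrsssttttuwy"
            cliplen = random.randint(10, 1000)
            clipstr = "".join(random.choice(alphabet) for _ in range(cliplen))
            cliprawstr = create_string_buffer(clipstr)

            if USER32.OpenClipboard(None):
                try:
                    USER32.EmptyClipboard()
                    buf = KERNEL32.GlobalAlloc(GMEM_MOVEABLE, sizeof(cliprawstr))
                    lockbuf = KERNEL32.GlobalLock(buf) if buf else None
                    if lockbuf:
                        memmove(lockbuf, cliprawstr, sizeof(cliprawstr))
                        KERNEL32.GlobalUnlock(buf)
                        # On success the clipboard takes ownership of buf; on
                        # failure it is still ours and must be released.
                        if not USER32.SetClipboardData(CF_TEXT, buf):
                            KERNEL32.GlobalFree(buf)
                    elif buf:
                        KERNEL32.GlobalFree(buf)
                    else:
                        log.warning("GlobalAlloc failed, clipboard left empty")
                finally:
                    # Never leave the clipboard open: other processes (the
                    # sample included) would block on it.
                    USER32.CloseClipboard()
            else:
                log.warning("OpenClipboard failed, clipboard not seeded")

            if self.options.get("nohuman"):
                return True

            # Office documents are detected from the file-type string or the
            # filename extension; config may lack these attributes entirely.
            officedoc = False
            if hasattr(self.config, "file_type"):
                file_type = self.config.file_type
                file_name = self.config.file_name
                if "Rich Text Format" in file_type or "Microsoft Word" in file_type or \
                    "Microsoft Office Word" in file_type or "MIME entity" in file_type or \
                    file_name.endswith((".doc", ".docx", ".rtf", ".mht", ".mso")):
                    officedoc = True
                elif "Microsoft Office Excel" in file_type or "Microsoft Excel" in file_type or \
                    file_name.endswith((".xls", ".xlsx", ".xlsm", ".xlsb")):
                    officedoc = True
                elif "Microsoft PowerPoint" in file_type or \
                    file_name.endswith((".ppt", ".pptx", ".pps", ".ppsx", ".pptm", ".potm", ".potx", ".ppsm")):
                    officedoc = True

            # Record the windows present before the sample opens its own.
            USER32.EnumWindows(EnumWindowsProc(getwindowlist), 0)

            while self.do_run:
                if officedoc and (seconds % 30) == 0 and not CLOSED_OFFICE:
                    USER32.EnumWindows(EnumWindowsProc(get_office_window), 0)

                # Act on only ~50% of the ticks: malware may key off an
                # "idle" system just as it may key off an "active" one.
                if random.randint(0, 3) > 1:
                    click_mouse()
                    move_mouse()

                if (seconds % (15 + randoff)) == 0:
                    # Bring some other initial window forward; never re-raise
                    # the one already in front (it may not be in the list).
                    current = USER32.GetForegroundWindow()
                    other_hwnds = [hwnd for hwnd in INITIAL_HWNDS if hwnd != current]
                    if other_hwnds:
                        USER32.SetForegroundWindow(random.choice(other_hwnds))

                USER32.EnumWindows(EnumWindowsProc(foreach_window), 0)
                KERNEL32.Sleep(1000)
                seconds += 1
        except Exception:
            # log.exception() already attaches the traceback; formatting it
            # by hand duplicated it in the log.
            log.exception("human interaction loop aborted")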
 def run(self):
     """Unconditionally simulate a user until ``self.do_run`` is cleared.

     Each tick clicks, moves the mouse, presses dialog buttons through
     ``foreach_window`` and then sleeps for one second.
     """
     tick_ms = 1000
     while True:
         if not self.do_run:
             break
         click_mouse()
         move_mouse()
         USER32.EnumWindows(EnumWindowsProc(foreach_window), 0)
         KERNEL32.Sleep(tick_ms)
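    def run(self):
        """Drive application-aware fake-user input until ``self.do_run`` is cleared.

        The thread starts before the sample is launched, so nothing is done
        for the first 3 s.  Once 3/4 of the ``timeout`` option has elapsed
        the Office window is closed once (``get_office_window``).  On every
        tick, when both ``do_click_mouse`` and ``do_move_mouse`` are set, the
        lower-cased foreground window title selects the action: an empty
        title or "program manager" gets a click in the centre to raise the
        document window (and skips the rest of the tick); Word/Excel get a
        double-click at the next scripted coordinate; PowerPoint a click in
        the centre; Acrobat Reader up to ten Tab+Enter key presses; anything
        else a random mouse move.  When ``do_click_buttons`` is set, dialog
        buttons are pressed through ``foreach_window``.  Ticks are 50 ms in
        ultrafast mode and 750 ms otherwise.
        """
        # human starts before the sample invocation, wait for 3s to start
        minimal_timeout = KERNEL32.GetTickCount() + 3000
        # close the Office window once 3/4 of the analysis has elapsed; the
        # timeout option is in seconds, GetTickCount() counts milliseconds.
        # NOTE(review): a missing "timeout" option makes this raise TypeError
        # and ends the thread -- confirm the caller always supplies it.
        office_close_ms = int(self.options.get("timeout") * (3. / 4) * 1000)
        office_close_timeout = KERNEL32.GetTickCount() + office_close_ms
        is_office_close = False
        # Set the first time any document window is maximised and never
        # reset, so a second application reaching the foreground later is
        # not maximised -- presumably acceptable for single-document runs.
        is_full_screen = False
        pdf_clicks_ctr = 10

        # adaptive sleep timer
        sleep = 50 if self.is_ultrafast else 750

        while self.do_run:

            KERNEL32.Sleep(sleep)  # we wait for minimal timeout anyway so no loss here

            if KERNEL32.GetTickCount() < minimal_timeout:
                continue

            if not is_office_close and KERNEL32.GetTickCount() > office_close_timeout:
                USER32.EnumWindows(EnumWindowsProc(get_office_window), 0)
                is_office_close = True

            if self.do_click_mouse and self.do_move_mouse:
                # extract foreground window name
                fg_window_name = ""
                hwnd = USER32.GetForegroundWindow()
                try:
                    fg_window_name = get_window_text(hwnd).lower()
                except Exception:
                    # Best effort: carry on with an empty title, which the
                    # branch below treats as "no document window in front".
                    log.exception("failed to extract window name")

                # make the office window on front; note the `continue` also
                # skips the button clicking for this tick
                if fg_window_name in ["", "program manager"]:
                    x, y = self.coordinates.center()
                    move_mouse(x, y)
                    click_mouse(x, y)
                    continue
                else:
                    log.info("fg_window_name: %s", fg_window_name)

                if "word" in fg_window_name or "excel" in fg_window_name:
                    if not is_full_screen:
                        set_full_screen(hwnd)
                        is_full_screen = True
                    x, y = self.coordinates.next()
                    move_mouse(x, y)
                    double_click(x, y)

                elif "powerpoint" in fg_window_name:
                    if not is_full_screen:
                        set_full_screen(hwnd)
                        is_full_screen = True
                    x, y = self.coordinates.center()
                    move_mouse(x, y)
                    click_mouse(x, y)

                elif "acrobat reader" in fg_window_name:
                    if not is_full_screen:
                        set_full_screen(hwnd)
                        is_full_screen = True
                        # place cursor on top left
                        x, y = 120, 200
                        move_mouse(x, y)
                        click_mouse(x, y)

                    # Tab+Enter walks the reader's focusable controls; capped
                    # at ten presses per analysis.
                    if pdf_clicks_ctr > 0:
                        # press tab
                        click_button(win32con.VK_TAB)
                        # press enter
                        click_button(win32con.VK_RETURN)
                        pdf_clicks_ctr = pdf_clicks_ctr - 1
                        # wait for result
                        KERNEL32.Sleep(1000)

                else:
                    # make random move
                    x, y = self.coordinates.random()
                    move_mouse(x, y)

            if self.do_click_buttons:
                USER32.EnumWindows(EnumWindowsProc(foreach_window), 0)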