Esempio n. 1
0
 def __init__(self, working_dir=None):
     BaseInterface.__init__(self, working_dir)
     self.logger = get_my_logger(self.__class__.__name__)
     self.is_dryrun = is_windows()
     dbpath = os.path.join(self.working_dir, DEFAULT_DB_NAME)
     # if os.path.exists(dbpath):
     self.use_database(dbpath)
Esempio n. 2
0
    def __init__(self):
        if common.is_linux():
            envret = setenv()
            if envret == False:
                raise Exception(
                    "Can not set important environment!Maybe use XWayland.")
            if common.is_x86_64():
                misc_path = "lib/linux/x64/misc.so"
            else:
                misc_path = "lib/linux/x86/misc.so"

            self._lib = CDLL(os.path.join(common.get_work_dir(), misc_path))

        elif common.is_windows():
            self._lib = CDLL(
                os.path.join(common.get_work_dir(), "lib/windows/misc.dll"))
        else:
            raise Exception("Not support on macos")

        ret = self._lib.GlobalInit()

        if ret != 0:
            raise Exception("MiscGlobalInitFailed")

        self._buffer = create_string_buffer(4194304)
Esempio n. 3
0
    def runQuickScan(self):
        root_paths = []

        if common.is_linux():
            root_paths = [("/root", True), ('/bin', True), ('/sbin', True),
                          ('/usr/bin', True), ('/usr/local/bin', True)]

        if common.is_darwin():
            root_paths.append(('/users', True))
        else:
            root_paths.append(('/home', True))

        if common.is_windows():
            # root_paths = [('D:\\test\\木马\\',True)]
            root = os.getenv('systemroot')[:1]
            root_paths = [(root + ':\\users', True)]
            # root_paths = [  (root+":\\Documents and Settings", True),
            # 				(root+":\\windows", False),
            # 				(root+":\\windows\\system32", True),
            # 				(root+":\\windows\\syswow64\\system32", True),
            # 				(root+":\\program files", True),
            # 				(root+":\\Program Files (x86)", True)]

            self.avoid_list.append((root + ':\\$Recycle.Bin').lower())

        self.runVirusScan(root_paths)
Esempio n. 4
0
def delete_locked_file(pathname):
    """Delete a file that is currently in use"""
    if common.is_windows():
        from ctypes import windll, c_ulong, c_buffer, byref, sizeof

        if os.path.exists(pathname):
            MOVEFILE_DELAY_UNTIL_REBOOT = 4
            if 0 == windll.kernel32.MoveFileExW(pathname, None,
                                                MOVEFILE_DELAY_UNTIL_REBOOT):
                from ctypes import WinError
                raise WinError()
Esempio n. 5
0
    def __init__(self, usb_plugged, usb_unplugged):
        if common.is_windows():
            from . import usb_detect_win as usb_detect_proxy
        elif common.is_linux():
            from . import usb_detect_linux as usb_detect_proxy
        else:
            raise "No support os " + __NAME__

        self.name = "USB detector"
        self.proxy = usb_detect_proxy
        self.usb_plugged = usb_plugged
        self.usb_unplugged = usb_unplugged
Esempio n. 6
0
    def __init__(self, file_created_captured, file_modified_captured):
        if common.is_windows():
            from . import fs_change_win as fs_change_proxy
        elif common.is_linux():
            from . import fs_change_linux as fs_change_proxy
        else:
            raise "No support os " + __NAME__

        self.name = "Filesystem monitor"
        self.proxy = fs_change_proxy
        self.file_created_captured = file_created_captured
        self.file_modified_captured = file_modified_captured
Esempio n. 7
0
    def load_jsons(self):
        apps_path = os.path.join(self.json_path, "apps.json")
        if not os.path.exists(apps_path):
            Klogger().debug("apps.json does not exist")
            raise Exception

        try:
            with open(apps_path, "r") as f:
                raw_apps_list = json.load(f)
        except Exception as e:
            Klogger().debug("read apps.json fails with %s" % (str(e)))
            raise

        for each in raw_apps_list:
            if (not 'id' in each or not 'label' in each
                    or not 'description' in each or not 'icon' in each):
                Klogger().debug("Corrupted item in apps.json")
                continue

            if 'os' in each:
                if each['os'] == "windows":
                    if not common.is_windows():
                        continue
                elif each['os'] == "linux":
                    if not common.is_linux():
                        continue
                else:
                    Klogger().debug("Unknown os in apps.json, id %s" %
                                    (each['id']))
                    continue

            item = {
                "label": each['label'],
                "description": each['description'],
                "icon": each['icon']
            }

            if 'running' in each:
                item['running'] = each['running']

            self.apps_list[each['id']] = item

        for pathname in self.json_files:
            try:
                item = clean_item(os.path.join(self.json_path, pathname))
            except Exception as e:
                Klogger().warn('error reading item: %s %s', pathname, e)
                continue

            self.kinds[item.id] = item
Esempio n. 8
0
    def runDeepScan(self):
        root_paths = []

        if common.is_linux() or common.is_darwin():
            root_paths.append(("/", True))
            self.avoid_list = ['/proc', '/dev', '/sys']

        if common.is_windows():
            for item in psutil.disk_partitions():
                device, mountpoint, fstype, opts = item
                if fstype:
                    root_paths.append((mountpoint, True))
                    self.avoid_list.append(
                        os.path.join(mountpoint, '$Recycle.Bin').lower())

        self.runVirusScan(root_paths)
Esempio n. 9
0
from core.cleaner import Kcleaner
from core.vuls import Kvuls
from core import security_audit_implement
from utils import common, import_helper
#import pcapy

if common.is_linux():
	import module.basic.overview

if common.is_windows():
	import module.basic.overview_win
	import wmi
	import win32timezone
	import win32file
	import login
	
if common.is_darwin():
	import module.basic.overview_mac

import module.basic.heartbeat
import module.basic.set_language
import module.basic.get_info
import module.basic.system_status
import module.status.resource
import module.hardening.vulscan
import module.hardening.boot_services
import module.terminal.new_pty
import module.terminal.write_pty
import module.terminal.resize_pty
import module.terminal.kill_pty
import module.vnc.init_vnc
Esempio n. 10
0
def cpu_status(response):
	virtualization = "None"
	cpu_mhz = 0
	num_threads = 0
	num_process = 0
	num_fds = 0

	if os.path.exists("/proc/cpuinfo"):
		with open("/proc/cpuinfo") as f:
			data = f.readlines()

			for line in data:
				_tmp = line.split(":")
				if len(_tmp) != 2:
					continue

				item, value = (_tmp[0].strip(), _tmp[1].strip())

				if item == "cpu MHz":
					try:
						cpu_mhz = int(float(value))
					except:
						pass

				elif item == "flags":
					if "vmx" in value:
						virtualization = "Intel VT-x"
					if "svm" in value:
						virtualization = "AMD-V"

	for proc in psutil.process_iter():

		try:
			num_threads += proc.num_threads()
			if common.is_linux():
				num_fds += proc.num_fds()
			elif common.is_windows():
				num_fds += proc.num_handles()
		except Exception as e:
			pass

		num_process += 1

	#cache = cpu_cache()
	freq = psutil.cpu_freq()
	freq = [cpu_mhz, 0, cpu_mhz] if (not freq or len(freq) < 3) else freq
	
	response["cpu"].append([Klanguage().to_ts(1505), "{}%".format(psutil.cpu_percent(interval = 0.2))])
	response["cpu"].append([Klanguage().to_ts(1511), num_process])
	response["cpu"].append([Klanguage().to_ts(1508), psutil.cpu_count(logical = False)])
	response["cpu"].append([Klanguage().to_ts(1514), "{} Mhz".format(freq[0])])

	response["cpu"].append([Klanguage().to_ts(1506), virtualization])
	response["cpu"].append([Klanguage().to_ts(1509), num_threads])
	response["cpu"].append([Klanguage().to_ts(1512), psutil.cpu_count(logical = True)])
	response["cpu"].append([Klanguage().to_ts(1515), "{} Mhz".format(freq[1])])

	response["cpu"].append([Klanguage().to_ts(1507), sys.byteorder])
	response["cpu"].append([Klanguage().to_ts(1510), num_fds])
	response["cpu"].append([Klanguage().to_ts(1513), str(datetime.now() - datetime.fromtimestamp(psutil.boot_time())).split(".")[0]])
	response["cpu"].append([Klanguage().to_ts(1516), "{} Mhz".format(freq[2])])
Esempio n. 11
0
    def on_initializing(self, *args, **kwargs):
        self.reset_monitor_second()

        self.db_objs = {}
        self.db_maps = {
            "audit": Kpickle(constant.DB_AUDIT),
            "baseline": Kpickle(constant.DB_BASELINE),
            "basic": Kpickle(constant.DB_BASIC),
            "fingerprint": Kpickle(constant.DB_FINGERPRINT),
            "monitor": Kpickle(constant.DB_MONITOR),
            "setting": Kpickle(constant.DB_SETTING),
            "strategy": Kpickle(constant.DB_STRATEGY),
            "ueba": Kpickle(constant.DB_UEBA),
            "virus": Kpickle(constant.DB_VIRUS),
            "virus_whitelist": Kpickle(constant.DB_VIRUS_WHITELIST),
            "vuls": Kpickle(constant.DB_VULS)
        }

        db_objs = {
            "audit": {
                "feature": [],
                "authentication": [],
                "kernel": [],
                "statistic": {
                    "critical": 0,
                    "warning": 0
                },
                "lasttime": 0
            },
            "baseline": {
                "risks": {},
                "lasttime": 0
            },
            "basic": {
                "startup_counts": 0,
                "uuid": None
            },
            "fingerprint": {
                "port": {
                    "current": [],
                    "change": {},
                    "lasttime": 0
                },
                "account": {
                    "current": [],
                    "change": {},
                    "lasttime": 0
                }
            },
            "monitor": {
                "cpu": [],
                "memory": [],
                "net_io": {
                    "tx": [],
                    "rx": []
                },
                "disk_io": {
                    "read": [],
                    "write": []
                },
                "procs": [],
                "times": [],
                "minutes": 0,
                "warnings": {
                    "cpu": [],
                    "memory": [],
                    "net_io": [],
                    "disk_io": []
                }
            },
            "setting": {
                "username": "",
                "credential": ""
            },
            "strategy": {},
            "ueba": {
                "storys": {},
                "lasttime": 0
            },
            "virus": {
                "handledList": {},
                "isolateList": {},
                "untrustList": {},
                "allHistory": [],
                'lastScanedPath': '',
                'finished': 0,
                "lasttime": 0,
                'searchedCount': 0
            },
            "virus_whitelist": {},
            "vuls": {
                "items": {},
                "repaired_packages": [],
                "record": [],
                "lasttime": 0
            }
        }

        for key in self.db_maps.keys():
            try:
                self.db_objs[key] = self.db_maps[key].load()
            except Exception as e:
                self.db_objs[key] = db_objs[key]
                self.dump(key)

        self.startup_update()
        self.manual_struct_update()

        if len(args) == 0:
            if not self.get_obj("setting")["username"] or not self.get_obj(
                    "setting")["credential"]:
                from core.logger import Klogger
                Klogger().critical(
                    "Please use login.py to login Marsnake server first")

                if common.is_windows():
                    import login
                    login.read_from_user()
                    return True
                else:
                    return False

        return True
Esempio n. 12
0
def run(payload, socket):
	monitor = Kdatabase().get_obj("monitor")
	monitor_second = Kdatabase().get_monitor_second()
	monitor_warnings = {
		"cpu": {
			"start_time": 0,
			"end_time": 0,
			"percent": 0.0,
			"percent_count": 0,
			"db": None
		},
		"memory": {
			"start_time": 0,
			"end_time": 0,
			"percent": 0.0,
			"percent_count": 0,
			"db": None
		}
	}
	counters_ts = 0

	while True:
		if Kevent().is_terminate():
			print("resource thread terminate")
			break

		if not counters_ts:
			psutil.cpu_percent()
			disk_counters = psutil.disk_io_counters()
			net_counters = psutil.net_io_counters()
			counters_ts = datetime.now()

			time.sleep(1)
			continue

		#update counters
		now = datetime.now()
		interval = (now - counters_ts).total_seconds()
		counters_ts = now

		if interval > 15.0:
			Kdatabase().reset_monitor_second()
			monitor_second = Kdatabase().get_monitor_second()
			counters_ts = 0
			continue

		#calculate
		net = psutil.net_io_counters()
		tx_bytes = (net.bytes_sent - net_counters.bytes_sent) / interval
		rx_bytes = (net.bytes_recv - net_counters.bytes_recv) / interval
		net_counters = net

		disk = psutil.disk_io_counters()
		dru = (disk.read_bytes - disk_counters.read_bytes) / interval
		dwu = (disk.write_bytes - disk_counters.write_bytes) / interval
		disk_counters = disk

		monitor_second["cpu"].append(psutil.cpu_percent())
		monitor_second["memory"].append(psutil.virtual_memory()[2])
		monitor_second["net_io"]["tx"].append(tx_bytes)
		monitor_second["net_io"]["rx"].append(rx_bytes)
		monitor_second["disk_io"]["read"].append(dru)
		monitor_second["disk_io"]["write"].append(dwu)
		if not "start_record" in monitor_second or not monitor_second["start_record"]:
			monitor_second["start_record"] = now
			for proc in psutil.process_iter():
				try:
					proc.cpu_percent()
				except:
					pass

		if now > monitor_second["start_record"] + timedelta(seconds = RECORD_INTERVAL):
			procs = {}
			for proc in psutil.process_iter():
				try:
					if common.is_kernel_thread(proc):
						continue

					pid = proc.pid

					username = "******"
					status = "unknown"
					beginat = int(time.time())
					name = "unknown"
					proc_read_bytes = 0
					proc_write_bytes = 0
					cpu_percent = 0.0
					memory_percent = 0.0
					thread_num = 0
					fds_num = 0

					with proc.oneshot():
						try:
							username = proc.username()
							status = proc.status()
							beginat = int(proc.create_time())
						except:
							continue

						try:
							cmdline = proc.cmdline()
							exe = proc.exe()

							if exe:
								cmdline[0] = exe

							name = " ".join(cmdline[:3])
						except:
							try:
								name = proc.name()
							except:
								continue

						try:
							io = proc.io_counters()

							proc_read_bytes = io[2]
							proc_write_bytes = io[3]
						except:
							pass

						try:
							cpu_percent = proc.cpu_percent()
							memory_percent = proc.memory_percent()
						except:
							pass

						try:
							thread_num = proc.num_threads()
							if common.is_linux():
								fds_num = proc.num_fds()
							elif common.is_windows():
								fds_num = proc.num_handles()
						except:
							pass

					procs[pid] = {
						"name" : name,
						"username" : username,
						"io_rb": proc_read_bytes,
						"io_wb": proc_write_bytes,
						"beginat" : beginat,
						"status" : status,
						"fd" : fds_num,
						"thread" : thread_num,
						"data" : (cpu_percent, memory_percent)
					}

				except Exception as e:
					#print("pid : {} name : {} error : {}".format(pid, name, str(e)))
					pass

			upgrade_proc_status(monitor_second, monitor, procs, monitor_warnings)

			monitor_second["start_record"] = monitor_second["start_record"] + timedelta(seconds = RECORD_INTERVAL)

		if len(monitor_second["cpu"]) > 120:
			pop_status(monitor_second)

		if interval >= 1:
			sleep = 1 - (interval - 1)

			if sleep < 0:
				sleep = 1
		else:
			sleep = 1

		time.sleep(sleep)
Esempio n. 13
0
def enum_process_by_users():
	process_by_user = {}

	# use monitor_second directly may be dangerous since there is no lock
	monitor_second = Kdatabase().get_monitor_second().copy()

	for proc in psutil.process_iter():
		try:
			if common.is_kernel_thread(proc):
				continue

			pid = proc.pid

			if pid in monitor_second["procs"]:
				saved_proc = monitor_second["procs"][pid]

				username = saved_proc["username"]

				name = saved_proc["name"]
				cpu = saved_proc["data"][0]
				memory = saved_proc["data"][1]
				threads = saved_proc["thread"]
				fds = saved_proc["fd"]
				delta = int(time.time()) - saved_proc["beginat"]
				delta = delta if delta > 0 else 1
				io_read = saved_proc["io_rb"]
				io_write = saved_proc["io_wb"]
				status = saved_proc["status"]

				with proc.oneshot():
					try:
						memory = proc.memory_percent()
					except:
						pass

					try:
						threads = proc.num_threads()
						if common.is_linux():
							fds = proc.num_fds()
						elif common.is_windows():
							fds = proc.num_handles()
					except:
						pass

					try:
						if "start_record" in monitor_second and monitor_second["start_record"]:
							_delta = int(time.time()) - int(monitor_second["start_record"].timestamp())
							if _delta <= 0:
								_delta = 1

							_io = proc.io_counters()
							_io_read = _io[2]
							_io_write = _io[3]

							delta = _delta
							io_read = _io_read - saved_proc["io_rb"]
							io_write = _io_write - saved_proc["io_wb"]
					except:
						pass

					try:
						status = proc.status()
					except:
						pass

			else:
				username = "******"

				name = "unknown"
				cpu = 0.0
				memory = 0.0
				threads = 0
				fds = 0
				delta = 1
				io_read = 0.0
				io_write = 0.0
				status = "unknown"

				with proc.oneshot():
					try:
						username = proc.username()
						status = proc.status()
					except:
						continue

					try:
						cmdline = proc.cmdline()
						exe = proc.exe()

						if exe:
							cmdline[0] = exe

						name = " ".join(cmdline[:3])
					except:
						try:
							name = proc.name()
						except:
							continue

					try:
						memory = proc.memory_percent()
					except:
						pass

					try:
						threads = proc.num_threads()
						if common.is_linux():
							fds = proc.num_fds()
						elif common.is_windows():
							fds = proc.num_handles()
					except:
						pass

					try:
						_delta = int(time.time()) - int(proc.create_time())
						if _delta <= 0:
							_delta = 1

						_io = proc.io_counters()
						_io_read = _io[2]
						_io_write = _io[3]

						delta = _delta
						io_read = _io_read
						io_write = _io_write
					except:
						pass


			if not username in process_by_user:
				process_by_user[username] = {
					"username": username,
					"cpu": 0.0,
					"memory": 0.0,
					"fds": 0,
					"threads": 0,
					"disk_io": {
						"read": 0.0,
						"write": 0.0
					},
					"process": []
				}

			process_by_user[username]["cpu"] += cpu
			process_by_user[username]["memory"] += memory
			process_by_user[username]["fds"] += fds
			process_by_user[username]["threads"] += threads
			process_by_user[username]["disk_io"]["read"] += io_read / delta
			process_by_user[username]["disk_io"]["write"] += io_write / delta
			process_by_user[username]["process"].append({
				"pid": pid,
				"name": name,
				"cpu": round(cpu, 2),
				"memory": round(memory, 2),
				"threads": threads,
				"fds": fds,
				"disk_io": {
					"read": round((io_read / delta), 2),
					"write": round((io_write / delta), 2)
				},
				"status": status
			})

		except Exception as e:
			pass

	for each in process_by_user.values():
		each["cpu"] = round(each["cpu"], 2)
		each["memory"] = round(each["memory"], 2)
		each["disk_io"]["read"] = round(each["disk_io"]["read"], 2)
		each["disk_io"]["write"] = round(each["disk_io"]["write"], 2)

	return process_by_user
Esempio n. 14
0
def list_process_by_users():
	process_by_users = enum_process_by_users()

	if common.is_linux():

		result = []

		useradd_users = lib.find_useradd_users()

		import pwd
		pwall_users = [ x[0] for x in pwd.getpwall() ]

		users = [ x for x in useradd_users if x in pwall_users ]

		if "root" in process_by_users:
			users.insert(0, "root")

		for user in users:
			if user in process_by_users:
				result.append(process_by_users[user])
				del process_by_users[user]

		if not process_by_users:
			return result

		non_useradd_users = {
			"username": "******",
			"cpu": 0.0,
			"memory": 0.0,
			"fds": 0,
			"threads": 0,
			"disk_io": {
				"read": 0.0,
				"write": 0.0
			},
			"process": []
		}

		for each in process_by_users.values():
			non_useradd_users["cpu"] += each["cpu"]
			non_useradd_users["memory"] += each["memory"]
			non_useradd_users["fds"] += each["fds"]
			non_useradd_users["threads"] += each["threads"]
			non_useradd_users["disk_io"]["read"] += each["disk_io"]["read"]
			non_useradd_users["disk_io"]["write"] += each["disk_io"]["write"]
			non_useradd_users["process"] += each["process"]

		non_useradd_users["cpu"] = round(non_useradd_users["cpu"], 2)
		non_useradd_users["memory"] = round(non_useradd_users["memory"], 2)
		non_useradd_users["disk_io"]["read"] = round(non_useradd_users["disk_io"]["read"], 2)
		non_useradd_users["disk_io"]["write"] = round(non_useradd_users["disk_io"]["write"], 2)

		result.append(non_useradd_users)

		return result

	elif common.is_windows():

		for each in process_by_users.values():
			if '\\' in each["username"]:
				each["username"] = each["username"].split("\\")[1]

		return list(process_by_users.values())

	else:
		return list(process_by_users.values())