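def test_basics():
    """Round-trip the three ways ExtractManager produces extracted files.

    Writes a raw blob, pushes a parsed PowerShell command, then pushes a bare
    command line into a fresh analysis directory and checks the file each of
    them dropped under ``extracted/``. Python 2 semantics are assumed
    (``str.encode("base64")`` and ``str`` == ``bytes``).
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    mkdir(cwd(analysis=1))
    init_yara()

    def read_extracted(name):
        # Use a context manager so the handle is released deterministically
        # instead of whenever the temporary file object is collected.
        with open(cwd("extracted", name, analysis=1), "rb") as fp:
            return fp.read()

    em = ExtractManager(1)
    em.write_extracted("foo", "bar")
    assert read_extracted("0.foo") == "bar"

    # powershell -e takes base64 of the UTF-16LE script; build it the same way
    # an encoded command line would carry it.
    scr = Scripting()
    cmd = scr.parse_command(
        "powershell -e %s" % "foobar".encode("utf-16le").encode("base64")
    )

    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)
    assert read_extracted("0.ps1") == "foobar"

    # push_command_line() parses the raw command line itself; the decoded
    # script gets the next free index.
    em.push_command_line(
        "powershell -e %s" % "world!".encode("utf-16le").encode("base64")
    )
    assert read_extracted("1.ps1") == "world!"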
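def test_basics():
    """Round-trip the three ways ExtractManager produces extracted files.

    Writes a raw blob, pushes a parsed PowerShell command, then pushes a bare
    command line into a fresh analysis directory and checks the file each of
    them dropped under ``extracted/``. Python 2 semantics are assumed
    (``str.encode("base64")`` and ``str`` == ``bytes``).
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    mkdir(cwd(analysis=1))
    init_yara()

    def read_extracted(name):
        # Use a context manager so the handle is released deterministically
        # instead of whenever the temporary file object is collected.
        with open(cwd("extracted", name, analysis=1), "rb") as fp:
            return fp.read()

    em = ExtractManager(1)
    em.write_extracted("foo", "bar")
    assert read_extracted("0.foo") == "bar"

    # powershell -e takes base64 of the UTF-16LE script; build it the same way
    # an encoded command line would carry it.
    scr = Scripting()
    cmd = scr.parse_command(
        "powershell -e %s" % "foobar".encode("utf-16le").encode("base64")
    )

    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)
    assert read_extracted("0.ps1") == "foobar"

    # push_command_line() parses the raw command line itself; the decoded
    # script gets the next free index.
    em.push_command_line(
        "powershell -e %s" % "world!".encode("utf-16le").encode("base64")
    )
    assert read_extracted("1.ps1") == "world!"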
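def test_ident_shellcode(p):
    """Detect and disassemble shellcode embedded in a PowerShell byte array.

    ``p`` is presumably the patched extractor-discovery hook; its
    ``return_value`` is pointed at the locally defined ``Shellcode1`` so only
    that extractor runs. The test silently returns when no Yara is installed.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()

    mkdir(cwd("yara", "scripts"))
    # Raw string: the rule carries regex escapes (\s) that must reach Yara
    # verbatim. Closing the handle guarantees the rule is flushed to disk
    # before init_yara() compiles it.
    with open(cwd("yara", "scripts", "1.yar"), "wb") as fp:
        fp.write(r"""
rule Shellcode1 {
  strings:
       $Shellcode = /=\s*((0x)?[0-9A-F]{2}\s*[,;]\s*)+/ nocase
  condition:
       all of them
}
""")
    # No Yara has been installed.
    if not init_yara(True):
        return

    class Shellcode1(Extractor):
        yara_rules = "Shellcode1"

        def handle_yara(self, filepath, match):
            # For the script built below the match reads "= 0x..,0x..;":
            # drop the leading "= " and trailing ";" and decode the hex list
            # into raw bytes.
            sc = match.string("Shellcode", 0)
            self.push_shellcode(
                "".join(chr(int(x, 16)) for x in sc[2:-1].split(","))
            )

    p.return_value = Shellcode1,

    with open("tests/files/shellcode/shikata/1.bin", "rb") as fp:
        sc = shikata(fp.read())
    sc = ",".join("0x%02x" % ord(ch) for ch in sc)

    scr = Scripting()
    ps1 = ("[Byte[]]$s = %s;" % sc).encode("utf-16le")
    # The Python 2 base64 codec wraps lines; -e expects one unbroken token.
    cmd = scr.parse_command(
        "powershell -e %s" % ps1.encode("base64").replace("\n", "")
    )

    mkdir(cwd(analysis=1))
    em = ExtractManager(1)
    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)

    # One item for the decoded script, one for the shellcode found inside it.
    assert len(em.items) == 2
    with open(cwd("extracted", "0.ps1", analysis=1), "rb") as fp:
        assert fp.read().startswith("[Byte[]]$s = 0xfc")

    with open(cwd("extracted", "1.bin.txt", analysis=1), "rb") as fp:
        buf = fp.read()
    assert "call 0x88" in buf
    assert "0x00c1: push 0xc69f8957" in buf
    assert ".db 'www.service.chrome-up.date',0" in buf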
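def test_ident_shellcode(p):
    """Detect and disassemble shellcode embedded in a PowerShell byte array.

    ``p`` is presumably the patched extractor-discovery hook; its
    ``return_value`` is pointed at the locally defined ``Shellcode1`` so only
    that extractor runs. The test silently returns when no Yara is installed.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()

    mkdir(cwd("yara", "scripts"))
    # Raw string: the rule carries regex escapes (\s) that must reach Yara
    # verbatim. Closing the handle guarantees the rule is flushed to disk
    # before init_yara() compiles it.
    with open(cwd("yara", "scripts", "1.yar"), "wb") as fp:
        fp.write(r"""
rule Shellcode1 {
  strings:
       $Shellcode = /=\s*((0x)?[0-9A-F]{2}\s*[,;]\s*)+/ nocase
  condition:
       all of them
}
""")
    # No Yara has been installed.
    if not init_yara(True):
        return

    class Shellcode1(Extractor):
        yara_rules = "Shellcode1"

        def handle_yara(self, filepath, match):
            # For the script built below the match reads "= 0x..,0x..;":
            # drop the leading "= " and trailing ";" and decode the hex list
            # into raw bytes.
            sc = match.string("Shellcode", 0)
            self.push_shellcode(
                "".join(chr(int(x, 16)) for x in sc[2:-1].split(","))
            )

    p.return_value = Shellcode1,

    with open("tests/files/shellcode/shikata/1.bin", "rb") as fp:
        sc = shikata(fp.read())
    sc = ",".join("0x%02x" % ord(ch) for ch in sc)

    scr = Scripting()
    ps1 = ("[Byte[]]$s = %s;" % sc).encode("utf-16le")
    # The Python 2 base64 codec wraps lines; -e expects one unbroken token.
    cmd = scr.parse_command(
        "powershell -e %s" % ps1.encode("base64").replace("\n", "")
    )

    mkdir(cwd(analysis=1))
    em = ExtractManager(1)
    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)

    # One item for the decoded script, one for the shellcode found inside it.
    assert len(em.items) == 2
    with open(cwd("extracted", "0.ps1", analysis=1), "rb") as fp:
        assert fp.read().startswith("[Byte[]]$s = 0xfc")

    with open(cwd("extracted", "1.bin.txt", analysis=1), "rb") as fp:
        buf = fp.read()
    assert "call 0x88" in buf
    assert "0x00c1: push 0xc69f8957" in buf
    assert ".db 'www.service.chrome-up.date',0" in buf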
class ExtractScripts(BehaviorHandler):
    """Extracts embedded scripts in command-line parameters.

    For every ``process`` event the command line is parsed with
    :class:`Scripting`; when the parse yields a script body (for example a
    decoded PowerShell ``-EncodedCommand``) it is handed to the task's
    :class:`ExtractManager`, which stores it under the analysis directory.
    """
    key = "extracted"
    event_types = ["process"]

    def __init__(self, *args, **kwargs):
        super(ExtractScripts, self).__init__(*args, **kwargs)
        self.scr = Scripting()
        # One manager per task so extracted files land in the folder of the
        # task currently being processed.
        task_id = self.analysis.task["id"]
        self.ex = ExtractManager.for_task(task_id)

    def handle_event(self, process):
        # The command line is reported by the monitored process and should be
        # treated as untrusted input; it is only parsed here, never executed.
        command = self.scr.parse_command(process["command_line"])
        if not command:
            return
        if command.get_script():
            self.ex.push_script(process, command)

    def run(self):
        # Nothing to aggregate: extraction is done per event.
        pass
class ExtractScripts(BehaviorHandler):
    """Extracts embedded scripts in command-line parameters.

    For every ``process`` event the command line is parsed with
    :class:`Scripting`; when the parse yields a script body (for example a
    decoded PowerShell ``-EncodedCommand``) it is handed to the task's
    :class:`ExtractManager`, which stores it under the analysis directory.
    """
    key = "extracted"
    event_types = ["process"]

    def __init__(self, *args, **kwargs):
        super(ExtractScripts, self).__init__(*args, **kwargs)
        self.scr = Scripting()
        # One manager per task so extracted files land in the folder of the
        # task currently being processed.
        task_id = self.analysis.task["id"]
        self.ex = ExtractManager.for_task(task_id)

    def handle_event(self, process):
        # The command line is reported by the monitored process and should be
        # treated as untrusted input; it is only parsed here, never executed.
        command = self.scr.parse_command(process["command_line"])
        if not command:
            return
        if command.get_script():
            self.ex.push_script(process, command)

    def run(self):
        # Nothing to aggregate: extraction is done per event.
        pass
 def setup(self):
     """Per-test hook: give each test its own Scripting parser instance."""
     parser = Scripting()
     self.scr = parser
class TestScripting(object):
    """Exercise Scripting.parse_command() on cmd.exe and PowerShell lines."""

    def setup(self):
        # Per-test hook (nose/pytest style): a fresh parser for every test.
        self.scr = Scripting()

    def test_cmd_ping(self):
        obj = self.scr.parse_command("cmd /c ping 8.8.8.8")
        ping = ["ping", "8.8.8.8"]
        expected_args = {"remains": False, "command": ping}

        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == expected_args
        assert not obj.children
        assert obj.astree() == {"args": expected_args, "children": []}

    def test_cmd_fullpath(self):
        # A fully qualified path still resolves to the "cmd" program; /k keeps
        # the shell alive, hence "remains" is True.
        cmdline = "C:\\\\Windows\\\\System32\\\\cmd.exe /k ping 8.8.8.8"
        obj = self.scr.parse_command(cmdline)

        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {"remains": True, "command": ["ping", "8.8.8.8"]}

    def test_cmd_cmd_cmd_ping(self):
        # Nested cmd invocations are unwrapped one level per child node,
        # regardless of how the executable name is cased.
        obj = self.scr.parse_command(
            "cmd /c CMD.EXE /c cmd.exE /c ping 8.8.8.8"
        )
        level0 = ["CMD.EXE", "/c", "cmd.exE", "/c", "ping", "8.8.8.8"]
        level1 = ["cmd.exE", "/c", "ping", "8.8.8.8"]
        level2 = ["ping", "8.8.8.8"]

        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {"remains": False, "command": level0}

        children = obj.children
        assert len(children) == 1
        assert children[0].args == {"remains": False, "command": level1}

        grandchildren = children[0].children
        assert len(grandchildren) == 1
        assert grandchildren[0].args == {"remains": False, "command": level2}
        assert not grandchildren[0].children

        assert obj.astree() == {
            "args": {"remains": False, "command": level0},
            "children": [{
                "args": {"remains": False, "command": level1},
                "children": [{
                    "args": {"remains": False, "command": level2},
                    "children": [],
                }],
            }],
        }

    def test_cmd_powershell(self):
        # -nop -ep bypass -enc is the encoded-command pattern the parser has
        # to decode so the script body can be inspected.
        encoded = "ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA="
        obj = self.scr.parse_command("""
            cmd /c powershell -nop -ep bypass -enc
            ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA=
        """)

        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {
            "remains": False,
            "command": ["powershell", "-nop", "-ep", "bypass", "-enc", encoded],
        }

        assert len(obj.children) == 1
        ps = obj.children[0]
        assert ps.args == {
            "noprofile": True,
            "executionpolicy": "bypass",
            "encodedcommand": 'echo "Recursive"',
        }
        assert not ps.children

    def test_powershell_encodedcommand(self):
        obj = self.scr.parse_command("""
            powershell -nop -ep bypass -enc
            ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA=
        """)

        assert (obj.program, obj.ext) == ("powershell", "ps1")
        assert obj.args == {
            "noprofile": True,
            "executionpolicy": "bypass",
            "encodedcommand": 'echo "Recursive"',
        }
        assert not obj.children
        # The decoded -enc payload is what get_script() exposes.
        assert obj.get_script() == 'echo "Recursive"'

    def test_powershell_command(self):
        obj = self.scr.parse_command("""
            powershell -nop -ep bypass -Command ping '8.8.8.8'
        """)

        assert (obj.program, obj.ext) == ("powershell", "ps1")
        assert obj.get_script() == "ping '8.8.8.8'"
 def setup(self):
     """Per-test hook: give each test its own Scripting parser instance."""
     parser = Scripting()
     self.scr = parser
class TestScripting(object):
    """Exercise Scripting.parse_command() on cmd.exe and PowerShell lines."""

    def setup(self):
        # Per-test hook (nose/pytest style): a fresh parser for every test.
        self.scr = Scripting()

    def test_cmd_ping(self):
        obj = self.scr.parse_command("cmd /c ping 8.8.8.8")
        ping = ["ping", "8.8.8.8"]
        expected_args = {"remains": False, "command": ping}

        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == expected_args
        assert not obj.children
        assert obj.astree() == {"args": expected_args, "children": []}

    def test_cmd_fullpath(self):
        # A fully qualified path still resolves to the "cmd" program; /k keeps
        # the shell alive, hence "remains" is True.
        cmdline = "C:\\\\Windows\\\\System32\\\\cmd.exe /k ping 8.8.8.8"
        obj = self.scr.parse_command(cmdline)

        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {"remains": True, "command": ["ping", "8.8.8.8"]}

    def test_cmd_cmd_cmd_ping(self):
        # Nested cmd invocations are unwrapped one level per child node,
        # regardless of how the executable name is cased.
        obj = self.scr.parse_command(
            "cmd /c CMD.EXE /c cmd.exE /c ping 8.8.8.8"
        )
        level0 = ["CMD.EXE", "/c", "cmd.exE", "/c", "ping", "8.8.8.8"]
        level1 = ["cmd.exE", "/c", "ping", "8.8.8.8"]
        level2 = ["ping", "8.8.8.8"]

        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {"remains": False, "command": level0}

        children = obj.children
        assert len(children) == 1
        assert children[0].args == {"remains": False, "command": level1}

        grandchildren = children[0].children
        assert len(grandchildren) == 1
        assert grandchildren[0].args == {"remains": False, "command": level2}
        assert not grandchildren[0].children

        assert obj.astree() == {
            "args": {"remains": False, "command": level0},
            "children": [{
                "args": {"remains": False, "command": level1},
                "children": [{
                    "args": {"remains": False, "command": level2},
                    "children": [],
                }],
            }],
        }

    def test_cmd_powershell(self):
        # -nop -ep bypass -enc is the encoded-command pattern the parser has
        # to decode so the script body can be inspected.
        encoded = "ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA="
        obj = self.scr.parse_command("""
            cmd /c powershell -nop -ep bypass -enc
            ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA=
        """)

        assert obj.program == "cmd"
        assert obj.ext == "bat"
        assert obj.args == {
            "remains": False,
            "command": ["powershell", "-nop", "-ep", "bypass", "-enc", encoded],
        }

        assert len(obj.children) == 1
        ps = obj.children[0]
        assert ps.args == {
            "noprofile": True,
            "executionpolicy": "bypass",
            "encodedcommand": 'echo "Recursive"',
        }
        assert not ps.children

    def test_powershell_encodedcommand(self):
        obj = self.scr.parse_command("""
            powershell -nop -ep bypass -enc
            ZQBjAGgAbwAgACIAUgBlAGMAdQByAHMAaQB2AGUAIgA=
        """)

        assert (obj.program, obj.ext) == ("powershell", "ps1")
        assert obj.args == {
            "noprofile": True,
            "executionpolicy": "bypass",
            "encodedcommand": 'echo "Recursive"',
        }
        assert not obj.children
        # The decoded -enc payload is what get_script() exposes.
        assert obj.get_script() == 'echo "Recursive"'

    def test_powershell_command(self):
        obj = self.scr.parse_command("""
            powershell -nop -ep bypass -Command ping '8.8.8.8'
        """)

        assert (obj.program, obj.ext) == ("powershell", "ps1")
        assert obj.get_script() == "ping '8.8.8.8'"
def test_on_extract():
    """The on_extract() signature callback fires once per extracted item."""
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    init_modules()

    Database().connect()
    mkdir(cwd(analysis=2))

    # A plain cmd.exe invocation is enough to yield one extracted script.
    command = Scripting().parse_command("cmd.exe /c ping 1.2.3.4")
    ExtractManager.for_task(2).push_script({
        "pid": 1,
        "first_seen": 2,
    }, command)

    task = Dictionary({
        "id": 2,
        "category": "file",
        "target": __file__,
    })
    results = RunProcessing(task=task).run()

    expected_item = {
        "category": "script",
        "pid": 1,
        "first_seen": 2,
        "program": "cmd",
        "raw": cwd("extracted", "0.bat", analysis=2),
        "yara": [],
        "info": {},
    }
    assert results["extracted"] == [expected_item]

    class sig1(object):
        """Minimal stand-in signature that only records on_extract() calls."""
        name = "sig1"

        # Never reports a match and ignores attempts to flip the flag.
        @property
        def matched(self):
            return False

        @matched.setter
        def matched(self, value):
            pass

        def init(self):
            pass

        def on_signature(self):
            pass

        def on_complete(self):
            pass

        def on_yara(self):
            pass

        # Class-level mock so the assertions below can reach it through the
        # class without holding on to the instance.
        on_extract = mock.MagicMock()

    rs = RunSignatures(results)
    rs.signatures = (sig1(),)
    rs.run()

    sig1.on_extract.assert_called_once()
    positional_args = sig1.on_extract.call_args_list[0][0]
    item = positional_args[0]
    assert item.category == "script"
 def push_command_line(self, cmdline, process=None):
     """Parse a raw command line and record any script it carries.

     ``cmdline`` is text observed during analysis and is treated as untrusted
     input: it is only parsed here. Nothing is pushed when the parser returns
     no command or the command has no script body. ``process`` is forwarded
     to ``push_script`` unchanged; NOTE(review): it defaults to ``None``, so
     confirm ``push_script`` tolerates that.
     """
     parsed = Scripting().parse_command(cmdline)
     if not parsed:
         return
     if parsed.get_script():
         self.push_script(process, parsed)
 def __init__(self, *args, **kwargs):
     """Set up the command-line parser and the per-task ExtractManager.

     All arguments are passed through to the BehaviorHandler initialiser,
     which presumably populates ``self.analysis`` before the task id is read
     from it here.
     """
     super(ExtractScripts, self).__init__(*args, **kwargs)
     self.scr = Scripting()
     task_id = self.analysis.task["id"]
     self.ex = ExtractManager.for_task(task_id)
 def push_command_line(self, cmdline, process=None):
     """Parse a raw command line and record any script it carries.

     ``cmdline`` is text observed during analysis and is treated as untrusted
     input: it is only parsed here. Nothing is pushed when the parser returns
     no command or the command has no script body. ``process`` is forwarded
     to ``push_script`` unchanged; NOTE(review): it defaults to ``None``, so
     confirm ``push_script`` tolerates that.
     """
     parsed = Scripting().parse_command(cmdline)
     if not parsed:
         return
     if parsed.get_script():
         self.push_script(process, parsed)
 def __init__(self, *args, **kwargs):
     """Set up the command-line parser and the per-task ExtractManager.

     All arguments are passed through to the BehaviorHandler initialiser,
     which presumably populates ``self.analysis`` before the task id is read
     from it here.
     """
     super(ExtractScripts, self).__init__(*args, **kwargs)
     self.scr = Scripting()
     task_id = self.analysis.task["id"]
     self.ex = ExtractManager.for_task(task_id)