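def run(self):
    """Run analysis.

    Walk every ``*.dmp`` file below ``self.pmemory_path``, build one result
    dict per dump (yara matches, URLs, memory regions and, when enabled,
    extracted images/dex files), hand it to the task's ExtractManager and
    optionally delete the dump afterwards.

    @return: structured results, sorted by (pid, num).
    """
    self.key = "procmemory"
    results = []

    if not os.path.exists(self.pmemory_path):
        return results

    for dmp in os.listdir(self.pmemory_path):
        if not dmp.endswith(".dmp"):
            continue

        dump_path = os.path.join(self.pmemory_path, dmp)

        # The dump name is expected to carry exactly two integers (pid and
        # a sequence number). A name with any other count used to raise
        # ValueError here and abort the whole module; log and skip instead
        # so the remaining dumps are still processed.
        numbers = re.findall(r"\d+", dmp)
        if len(numbers) != 2:
            log.warning(
                "Skipping memory dump with unexpected file name: %s",
                dump_path
            )
            continue
        pid, num = int(numbers[0]), int(numbers[1])

        dump_file = File(dump_path)
        regions = [
            region.to_json()
            for region in roach.procmem(dump_path).regions
        ]

        proc = dict(
            file=dump_path,
            pid=pid,
            num=num,
            # Content of the dump originates from the analyzed process, so
            # yara/url scanning is the untrusted-input boundary here.
            yara=dump_file.get_yara("memory"),
            urls=list(dump_file.get_urls()),
            regions=regions,
        )

        ExtractManager.for_task(self.task["id"]).peek_procmem(proc)

        if self.options.get("idapro"):
            self.create_idapy(proc)

        if self.options.get("extract_img"):
            proc["extracted"] = list(
                self.dump_images(proc, self.options.get("extract_dll"))
            )
            proc["extracted"] += list(self.dump_dex(proc))

        if self.options.get("dump_delete"):
            try:
                os.remove(dump_path)
            except OSError:
                # Best effort: a dump we cannot remove is still reported.
                log.error(
                    "Unable to delete memory dump file at path \"%s\"",
                    dump_path
                )

        results.append(proc)

    results.sort(key=lambda x: (x["pid"], x["num"]))
    return results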
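def run(self):
    """Run analysis.

    For each ``*.dmp`` file in ``self.pmemory_path`` collect yara matches,
    URLs and memory regions, notify the task's ExtractManager, optionally
    dump embedded images and optionally remove the dump file.

    @return: structured results, sorted by (pid, num).
    """
    self.key = "procmemory"
    results = []

    if not os.path.exists(self.pmemory_path):
        return results

    for dmp in os.listdir(self.pmemory_path):
        if not dmp.endswith(".dmp"):
            continue

        dump_path = os.path.join(self.pmemory_path, dmp)

        # Expect "<pid>-<num>.dmp"-style names carrying exactly two
        # integers. Previously a different count raised ValueError and
        # failed the whole module; now the odd file is logged and skipped.
        numbers = [int(n) for n in re.findall(r"\d+", dmp)]
        if len(numbers) != 2:
            log.warning(
                "Skipping memory dump with unexpected file name: %s",
                dump_path
            )
            continue
        pid, num = numbers

        dump_file = File(dump_path)
        regions = [
            region.to_json()
            for region in roach.procmem(dump_path).regions
        ]

        proc = dict(
            file=dump_path,
            pid=pid,
            num=num,
            # Dump content comes from the analyzed process and is treated
            # as untrusted input by the yara/url scanners.
            yara=dump_file.get_yara("memory"),
            urls=list(dump_file.get_urls()),
            regions=regions,
        )

        ExtractManager.for_task(self.task["id"]).peek_procmem(proc)

        if self.options.get("idapro"):
            self.create_idapy(proc)

        if self.options.get("extract_img"):
            proc["extracted"] = list(self.dump_images(
                proc, self.options.get("extract_dll")
            ))

        if self.options.get("dump_delete"):
            try:
                os.remove(dump_path)
            except OSError:
                # Best effort: failure to delete does not drop the result.
                log.error(
                    "Unable to delete memory dump file at path \"%s\"",
                    dump_path
                )

        results.append(proc)

    results.sort(key=lambda x: (x["pid"], x["num"]))
    return results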
def process_extracted(self):
    """Feed every extracted item of this task to each signature's on_extract hook.

    Does nothing when the results carry no task id under ``info.id``.
    """
    info = self.results.get("info", {})
    task_id = info.get("id")
    if not task_id:
        return

    extracted = ExtractManager.for_task(task_id).results()
    for item in extracted:
        for sig in self.signatures:
            # A fresh ExtractedMatch per (item, signature) pair, as before.
            self.call_signature(sig, sig.on_extract, ExtractedMatch(item))
def init(package, *filename):
    """Create a file-category static analysis task and run it.

    @param package: analysis package name stored in the task.
    @param filename: path components; the last one is used as the target.
    @return: tuple of (static analysis results, extracted results).
    """
    task = task_id()
    init_analysis(task, package, *filename)
    init_yara()

    static = Static()
    static.set_task({
        "id": task,
        "category": "file",
        "package": package,
        "target": filename[-1],
    })
    static.file_path = cwd("binary", analysis=task)

    manager = ExtractManager.for_task(task)
    analysis_results = static.run()
    return analysis_results, manager.results()
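def test_push_script_recursive():
    """An office yara rule written before init_yara() matches the VBA project.

    The rule file is written through a ``with`` block so the handle is
    closed (and its content flushed) before init_yara() compiles it; the
    original left the file object dangling.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    mkdir(cwd(analysis=1))

    with open(cwd("yara", "office", "ole.yar"), "wb") as rule_file:
        rule_file.write("""
rule OleInside {
    strings:
        $s1 = "Win32_Process"
    condition:
        filename matches /word\/vbaProject.bin/ and $s1
}
""")
    init_yara()

    s = Static()
    s.file_path = "tests/files/createproc1.docm"
    s.set_task({
        "id": 1,
        "category": "file",
        "target": s.file_path,
        "package": "doc",
    })
    s.run()

    assert ExtractManager.for_task(1).results()[0]["yara"] == [{
        "name": "OleInside",
        "meta": {
            "description": "(no description)",
        },
        "offsets": {
            "s1": [
                (3933, 0),
            ],
        },
        "strings": [
            "Win32_Process".encode("base64").strip(),
        ],
    }]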
def __init__(self, filepath, task_id):
    """Bind this helper to a file and to the ExtractManager of ``task_id``.

    @param filepath: path of the file being handled.
    @param task_id: analysis task whose ExtractManager receives results.
    """
    self.ex = ExtractManager.for_task(task_id)
    self.filepath = filepath
    # Per-instance bookkeeping, empty until populated by the caller.
    self.files = {}
def __init__(self, *args, **kwargs):
    """Initialise the base class, then attach the task's ExtractManager."""
    super(ExtractScripts, self).__init__(*args, **kwargs)
    current_task = self.analysis.task
    self.ex = ExtractManager.for_task(current_task["id"])
def test_on_extract():
    """A pushed script shows up in the results and reaches on_extract."""
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    init_modules()
    Database().connect()
    mkdir(cwd(analysis=2))

    command = Scripting().parse_command("cmd.exe /c ping 1.2.3.4")
    manager = ExtractManager.for_task(2)
    manager.push_script({"pid": 1, "first_seen": 2}, command)

    task = Dictionary({
        "id": 2,
        "category": "file",
        "target": __file__,
    })
    results = RunProcessing(task=task).run()

    expected = {
        "category": "script",
        "pid": 1,
        "first_seen": 2,
        "program": "cmd",
        "raw": cwd("extracted", "0.bat", analysis=2),
        "yara": [],
        "info": {},
    }
    assert results["extracted"] == [expected]

    class sig1(object):
        # Minimal signature stub: every hook is a no-op except on_extract,
        # which is a mock so the call can be inspected.
        name = "sig1"

        @property
        def matched(self):
            return False

        @matched.setter
        def matched(self, value):
            pass

        def init(self):
            pass

        def on_signature(self):
            pass

        def on_complete(self):
            pass

        def on_yara(self):
            pass

        on_extract = mock.MagicMock()

    runner = RunSignatures(results)
    runner.signatures = (sig1(),)
    runner.run()

    sig1.on_extract.assert_called_once()
    match = sig1.on_extract.call_args_list[0][0][0]
    assert match.category == "script"
def test_on_extract():
    """A pushed script is reported under "extracted" and delivered to on_extract."""
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    init_modules()
    Database().connect()
    mkdir(cwd(analysis=2))

    class sig1(object):
        # Stub signature; only on_extract is observed through the mock.
        name = "sig1"

        @property
        def matched(self):
            return False

        @matched.setter
        def matched(self, value):
            pass

        def init(self):
            pass

        def on_signature(self):
            pass

        def on_complete(self):
            pass

        def on_yara(self):
            pass

        on_extract = mock.MagicMock()

    parsed = Scripting().parse_command("cmd.exe /c ping 1.2.3.4")
    ExtractManager.for_task(2).push_script(
        {"pid": 1, "first_seen": 2}, parsed
    )

    processing = RunProcessing(task=Dictionary({
        "id": 2,
        "category": "file",
        "target": __file__,
    }))
    results = processing.run()
    assert results["extracted"] == [{
        "category": "script",
        "pid": 1,
        "first_seen": 2,
        "program": "cmd",
        "script": cwd("extracted", "0.bat", analysis=2),
        "yara": [],
    }]

    signatures = RunSignatures(results)
    signatures.signatures = (sig1(),)
    signatures.run()

    sig1.on_extract.assert_called_once()
    first_call_args = sig1.on_extract.call_args_list[0][0]
    assert first_call_args[0].category == "script"
def run(self):
    """Return the extracted results collected for this task."""
    manager = ExtractManager.for_task(self.task.id)
    return manager.results()
def __init__(self, *args, **kwargs):
    """Initialise the base class, a Scripting parser and the task's ExtractManager."""
    super(ExtractScripts, self).__init__(*args, **kwargs)
    current_task = self.analysis.task
    self.scr = Scripting()
    self.ex = ExtractManager.for_task(current_task["id"])