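    def prepare(self):
        """Prepare the guest environment for analysis.

        Creates the result folders, sets up logging, loads ``analysis.conf``
        (written by the agent), optionally pins the VM clock to the value the
        host supplied, and resolves ``self.target`` to the sample path (file
        category) or the URL (any other category).
        """
        # Function-scope import so this stays a drop-in change even if the
        # module header does not already pull in subprocess.
        import subprocess

        # Create the folders used for storing the results.
        create_folders()

        # Initialize logging.
        init_logging()

        # Parse the analysis configuration file generated by the agent.
        self.config = Config(cfg="analysis.conf")

        if self.config.get("clock", None):
            # Set virtual machine clock. strptime() rejects anything that is
            # not a well-formed timestamp, so what reaches date(1) below is
            # always a strftime() result, never raw config text.
            clock = datetime.datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
            # argv form instead of os.system(): same command, but no shell
            # and no quoting to get wrong. The return code is still ignored,
            # matching the previous best-effort behaviour.
            subprocess.call(["date", "-s", clock.strftime("%y-%m-%d %H:%M:%S")])

        # We update the target according to its category. If it's a file, then
        # we store the path; otherwise (URL) the target is the URL itself.
        if self.config.category == "file":
            # NOTE(review): file_name is joined verbatim; a value carrying path
            # separators (or an absolute path) would resolve outside the temp
            # directory -- confirm the host side sanitizes it.
            self.target = os.path.join(tempfile.gettempdir(), self.config.file_name)
        else:
            self.target = self.config.target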
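def test_upload_to_host():
    """Exercise upload_to_host() against a throwaway local listener.

    A listening socket on 127.0.0.1 stands in for the result server; its
    address is written to ``analysis.conf`` so init_logging() routes there.
    The first upload names a missing file whose name carries U+202E (RTL
    override), checking that the failure is logged *and* that the filename
    survives byte-for-byte on the wire; the second uploads this test file
    and checks the framing of a successful transfer.

    The logging handlers are restored and the sockets closed in ``finally``
    so a failing assertion cannot leak them into later tests (previously
    both happened only on the success path).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)

    with open("analysis.conf", "wb") as f:
        f.write("[hello]\nip = %s\nport = %d" % s.getsockname())

    handlers = logging.getLogger().handlers[:]
    init_logging()
    try:
        # Test file not found exception.
        upload_to_host(u"\u202ethisis404.exe", "1.exe")
        c, _ = s.accept()
        assert "Exception uploading file u'\\u202e" in c.recv(0x1000)
        c.close()
        c, _ = s.accept()
        assert "FILE 2\n1.exe\n\xe2\x80\xaethisis404.exe\n" in c.recv(0x1000)
        c.close()

        # Test correct upload.
        upload_to_host(__file__, "1.py", ["1", "2", "3"])
        c, _ = s.accept()
        assert c.recv(0x1000).startswith(
            "FILE 2\n1.py\n%s\n1 2 3\n# Copyright (C" % __file__
        )
        c.close()
    finally:
        logging.getLogger().handlers = handlers
        s.close()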
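def test_add_file_unicode(p):
    """Files().add_file() must cope with a filename that is a lone U+202E.

    ``p`` is a fixture/parameter the body does not use directly (presumably
    supplied by the surrounding test setup). ``analysis.conf`` points the log
    uploader at a local address; this test starts no listener there.
    Handlers are restored in ``finally`` so a failure inside add_file()
    cannot leak the init_logging() configuration into later tests.
    """
    with open("analysis.conf", "wb") as f:
        f.write("[foo]\nip = 127.0.0.1\nport = 54321")
    handlers = logging.getLogger().handlers[:]
    init_logging()
    try:
        Files().add_file("\xe2\x80\xae".decode("utf8"))
    finally:
        logging.getLogger().handlers = handlers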
    def prepare(self):
        """Set up the guest for analysis.

        Order matters: SeDebugPrivilege first (needed for injection), then the
        result folders and logging, then the agent-written ``analysis.conf``,
        then the pipe servers the monitored processes talk to, and finally
        ``self.target`` (sample path under %TEMP% for a file, the URL
        otherwise).
        """
        # Injecting into other processes needs SeDebugPrivilege.
        grant_debug_privilege()

        create_folders()
        init_logging()

        self.config = Config(cfg="analysis.conf")

        # One PipeServer per slot, all daemonized so they never block exit.
        for slot in xrange(self.PIPE_SERVER_COUNT):
            server = PipeServer()
            server.daemon = True
            self.pipes[slot] = server
            server.start()

        if self.config.category == "file":
            temp_dir = os.environ["TEMP"] + os.sep
            self.target = os.path.join(temp_dir, self.config.file_name)
        else:
            # URL submissions carry the URL itself as the target.
            self.target = self.config.target
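def init_droidpot(debug=False, quiet=False, new_module=None):
    """
    Initialize droidpot. Checks the environment, sets the console log level,
    initializes managers and starts the django web interface.

    When ``new_module`` is given the function only scaffolds that module and
    exits; nothing else runs.

    :param debug: debug mode (console log level DEBUG)
    :param quiet: quiet mode (console log level WARN; applied after ``debug``,
        so it wins when both are set)
    :param new_module: optional ``[type, name]`` pair, ``type`` being one of
        ``monitor``, ``profile`` or ``processing``. Defaults to ``None``
        (the previous ``[]`` default was a shared mutable object).
    :return: nil
    """
    try:
        if new_module:
            _scaffold_module(new_module)  # never returns: exit(0)/exit(1)

        logo()
        init_logging()
        check_ini_files()
        #check_device_compatibility()
        check_root()
        check_modules()
        log.info("Modules loaded successfully")
        if debug:
            log.setLevel(logging.DEBUG)
        if quiet:
            log.setLevel(logging.WARN)

        log.info("Starting Django web interface")
        # Both run the project's manage.py with whatever ``python`` is first on
        # PATH, relative to the current working directory. No bind address is
        # passed to runserver, so Django's default applies (presumably loopback
        # only) -- keep it that way unless a reverse proxy fronts it.
        subprocess.call(["python", "web/manage.py", "migrate", "--verbosity", "0"])
        subprocess.call(["python", "web/manage.py", "runserver"])

    except InitilizeError as ie:
        # Previously swallowed silently; at least say why we are bailing out.
        log.error("Initialization failed: %s", ie)
        exit(1)
    except KeyboardInterrupt:
        exit(0)


def _scaffold_module(new_module):
    """Create the skeleton for one module, then exit the process.

    ``new_module[0]`` selects the kind (``monitor``/``profile``/``processing``),
    ``new_module[1]`` is the new module's name. An unknown kind prints
    ``error. exiting...`` and exits with status 1, as before. Reporting
    modules are not supported yet (the old commented-out branch is gone).
    """
    creators = {
        "monitor": create_monitor_module,
        "profile": create_profile_module,
        "processing": create_processing_module,
    }
    module_type = new_module[0]
    creator = creators.get(module_type)
    if creator is None:
        print "error. exiting..."
        exit(1)
    module_name = new_module[1]
    print "Creating %s module %s ..." % (module_type, module_name)
    creator(module_name)
    exit(0)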
    def prepare(self):
        """Prepare env for analysis.

        Side effects, in order: take SeDebugPrivilege, create the result
        folders, register the working directory and analysis root as
        protected paths, start logging, load the agent-written
        ``analysis.conf``, set the Windows clock through cmd's DATE/TIME,
        publish DEFAULT_DLL and SERVICES_PID for the pipe handlers, start the
        pipe servers, and resolve ``self.target``.
        """
        global DEFAULT_DLL
        global SERVICES_PID

        # Get SeDebugPrivilege for the Python process. It will be needed in
        # order to perform the injections.
        grant_debug_privilege()

        # Create the folders used for storing the results.
        create_folders()

        # Mark the analyzer's own directories as protected (add_protected_path
        # is defined elsewhere; what "protected" buys is not visible here).
        add_protected_path(os.getcwd())
        add_protected_path(PATHS["root"])

        # Initialize logging.
        init_logging()

        # Parse the analysis configuration file generated by the agent.
        self.config = Config(cfg="analysis.conf")

        # Set virtual machine clock. The clock key is required here (no
        # default); strptime() rejects anything that is not a well-formed
        # timestamp, and only strftime() output is interpolated into the shell
        # commands below, so the config value cannot inject into cmd.
        clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
        # Setting date and time.
        # NOTE: Windows system has only localized commands with date format
        # following localization settings, so these commands for english date
        # format cannot work in other localizations.
        # In addition DATE and TIME commands are blocking if an incorrect
        # syntax is provided, so an echo trick is used to bypass the input
        # request and not block analysis.
        thedate = clock.strftime("%m-%d-%y")
        thetime = clock.strftime("%H:%M:%S")
        os.system("echo:|date {0}".format(thedate))
        os.system("echo:|time {0}".format(thetime))
        # Return codes are not checked: a DATE/TIME failure is silent and the
        # log line below is written regardless.
        log.info("Date set to: {0}, time set to: {1}".format(thedate, thetime))

        # Set the default DLL to be used by the PipeHandler.
        DEFAULT_DLL = self.config.get_options().get("dll")

        # get PID for services.exe for monitoring services
        SERVICES_PID = self.pid_from_process_name("services.exe")

        # Initialize and start the Pipe Servers. This is going to be used for
        # communicating with the injected and monitored processes. Each server
        # gets the analysis options; all are daemon threads.
        for x in xrange(self.PIPE_SERVER_COUNT):
            self.pipes[x] = PipeServer(self.config.get_options())
            self.pipes[x].daemon = True
            self.pipes[x].start()

        # We update the target according to its category. If it's a file, then
        # we store the path. str(): coerce whatever the config parser returned
        # (presumably unicode) to a native string before joining.
        if self.config.category == "file":
            self.target = os.path.join(os.environ["TEMP"] + os.sep,
                                       str(self.config.file_name))
        # If it's a URL, well.. we store the URL.
        else:
            self.target = self.config.target
    def prepare(self):
        """Bring the guest up for analysis.

        Steps, in order: acquire SeDebugPrivilege, start logging, load the
        agent-written ``analysis.conf`` and share it with ``Process``, pin
        the VM clock, pick the monitor DLL, create the command and log pipe
        servers (random pipe names unless ``pipe`` is given in the options),
        and resolve ``self.target`` (file under %TEMP%, or the URL).
        """
        grant_debug_privilege()
        init_logging()

        config = Config(cfg="analysis.conf")
        self.config = config
        Process.set_config(config)

        # The clock string comes from the agent's config; strptime() validates
        # it before it is applied.
        clock = datetime.datetime.strptime(config.clock, "%Y%m%dT%H:%M:%S")
        set_clock(clock)

        options = config.options
        self.default_dll = options.get("dll")

        # Command pipe: caller-chosen name if present, otherwise a random
        # 16-32 character one (presumably so it is not predictable).
        pipe_name = options["pipe"] if "pipe" in options else random_string(16, 32)
        config.pipe = "\\\\.\\PIPE\\%s" % pipe_name
        # The log pipe is always randomly named.
        config.logpipe = "\\\\.\\PIPE\\%s" % random_string(16, 32)

        # Command handler: monitored processes issue requests through here.
        command_pipe = PipeServer(PipeDispatcher, config.pipe, message=True,
                                  dispatcher=CommandPipeHandler(self))
        command_pipe.daemon = True
        self.command_pipe = command_pipe
        command_pipe.start()

        # Log forwarder: monitored processes write log records here and
        # PipeForwarder relays them to the host at (ip, port).
        destination = config.ip, config.port
        log_pipe = PipeServer(PipeForwarder, config.logpipe,
                              destination=destination)
        log_pipe.daemon = True
        self.log_pipe_server = log_pipe
        log_pipe.start()

        if config.category == "file":
            self.target = os.path.join(os.environ["TEMP"] + os.sep,
                                       config.file_name)
        else:
            self.target = config.target
 def prepare(self):
     """Set up the guest: privilege, folders, logging, config, pipe server.

     ``analysis.conf`` is read from ``PATHS["root"]`` and the sample path is
     ``%SYSTEMDRIVE%\\<file_name>`` (the root of the system drive).
     """
     grant_debug_privilege()
     create_folders()
     init_logging()

     conf_path = os.path.join(PATHS["root"], "analysis.conf")
     self.config = Config(cfg=conf_path)

     server = PipeServer()
     server.daemon = True
     self.pipe = server
     server.start()

     drive_root = os.environ["SYSTEMDRIVE"] + os.sep
     self.file_path = os.path.join(drive_root, self.config.file_name)
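def create_app(config):
    """Build and configure the Flask application for the ``config`` profile.

    :param config: key into ``settings`` selecting the configuration object
    :return: the configured :class:`flask.Flask` instance
    :raises MaliceDependencyError: when HTTPS enforcement is required
        (not debug, not testing, ``SSL_DISABLE`` false) but Flask-SSLify is
        not installed
    """
    #create_structure()

    # Define the WSGI application object
    app = Flask(__name__)
    # Request-body size cap (sample uploads); Flask enforces it as a limit.
    app.config['MAX_CONTENT_LENGTH'] = 200 * 1024 * 1024  # 200MB

    # Configurations
    app.config.from_object(settings[config])
    settings[config].init_app(app)

    if not app.testing:
        logo()
        check_version()
    check_configs()
    # NOTE(review): tests log at 'info' and everything else at 'debug' --
    # this looks inverted; confirm which level production should run at.
    if app.testing:
        init_logging('info')
    else:
        init_logging('debug')
    #log.setLevel(logging.DEBUG)
    init_modules()
    # Init All Flask Add-ons
    bootstrap.init_app(app)
    #pagedown.init_app(app)
    db.init_app(app)
    mail.init_app(app)
    if app.config['USE_LDAP'] == 'yes':
        # LDAP Login
        # TODO : Test out LDAP
        app.add_url_rule('/login', 'login', ldap.login, methods=['GET', 'POST'])
        ldap.init_app(app)
    else:
        login_manager.login_view = 'auth.login'
        login_manager.init_app(app)

    # Force HTTPS outside debug/testing unless explicitly disabled. The
    # previous version re-imported SSLify inside the except clause, which
    # re-raised ImportError before the descriptive error could ever be raised.
    if not app.debug and not app.testing and not app.config['SSL_DISABLE']:
        try:
            from flask.ext.sslify import SSLify
        except ImportError:
            raise MaliceDependencyError("Unable to import Flask-SSLify "
                                        "(install with `pip install Flask-SSLify`)")
        SSLify(app)

    # Register blueprint(s)
    from .malice import malice as malice_blueprint
    app.register_blueprint(malice_blueprint)

    from .mod_auth import mod_auth as auth_module
    app.register_blueprint(auth_module, url_prefix='/auth')

    # from app.mod_api.controller import mod_api as api_module
    # app.register_blueprint(api_module, url_prefix='/api/v1')

    return app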
    def prepare(self):
        """Prepare the guest: result folders, logging, config, machine clock."""
        create_folders()
        init_logging()
        # analysis.conf is generated by the agent before the analyzer runs.
        self.parse_config("analysis.conf")
        self.setup_machine_time()
    def prepare(self):
        """Initialise logging, load ``analysis.conf`` and resolve the target.

        For ``category == "file"`` the sample is expected under ``/tmp``; any
        other category is treated as a URL and the target is the URL itself.
        """
        init_logging()
        self.config = Config(cfg="analysis.conf")

        is_file = self.config.category == "file"
        # NOTE(review): file_name is joined as-is; a value containing path
        # separators (or an absolute path) would resolve outside /tmp --
        # confirm it is sanitized on the host side before trusting this path.
        self.target = (os.path.join("/tmp", str(self.config.file_name))
                       if is_file else self.config.target)
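def test_execute_correct_logging():
    """Process.execute() on a missing file must report the name via the log channel.

    A local listener stands in for the host's result server and its address
    is written to ``analysis.conf``. The filename carries U+202E (RTL
    override) so the test also pins how a non-ASCII name is rendered in the
    log line ("202e" must appear). Handlers are restored in ``finally`` so a
    failure inside execute() cannot leak the init_logging() setup, and both
    sockets are closed on every path.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)

    with open("analysis.conf", "wb") as f:
        f.write("[hello]\nip = %s\nport = %d" % s.getsockname())

    handlers = logging.getLogger().handlers[:]
    init_logging()
    try:
        Process().execute(u"unicodefile\u202ethatdoesnotexist")
    finally:
        logging.getLogger().handlers = handlers

    c, _ = s.accept()
    try:
        assert "202e" in c.recv(0x1000)
    finally:
        c.close()
        s.close()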
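    def prepare(self):
        """Initialise logging, load ``analysis.conf`` and resolve the target.

        For a ``file`` category the sample is expected under ``/tmp`` and the
        hook configuration is pushed to the device with ``adb``; for any other
        category the target is the URL from the config.
        """
        init_logging()
        self.config = Config(cfg="analysis.conf")

        if self.config.category == "file":
            self.target = os.path.join("/tmp", str(self.config.file_name))
            # Push the hook list to the device. argv form instead of
            # shell=True (the command is constant, so this only removes the
            # needless shell), and output goes to os.devnull instead of
            # unread PIPEs -- the subprocess docs warn that call() with
            # stdout/stderr=PIPE can block once the pipe buffer fills.
            with open(os.devnull, "wb") as devnull:
                subprocess.call(
                    ["adb", "push", "config/hooks.json", "/data/local/tmp/"],
                    stdout=devnull, stderr=devnull)
        else:
            self.target = self.config.target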
    def prepare(self):
        """Prepare the guest for analysis.

        In order: SeDebugPrivilege, logging, the agent-written
        ``analysis.conf`` (also handed to ``Process``), the Windows clock via
        cmd's DATE/TIME, the monitor DLL choice, the command and log pipe
        servers, and finally ``self.target`` (file under %TEMP%, or the URL).
        """
        grant_debug_privilege()
        init_logging()

        config = Config(cfg="analysis.conf")
        self.config = config
        Process.set_config(config)

        # The clock string is validated by strptime(); only strftime() output
        # reaches the shell below, so the config value cannot inject into cmd.
        clock = datetime.strptime(config.clock, "%Y%m%dT%H:%M:%S")

        # cmd's DATE/TIME are localized (the US format below only works on
        # English Windows) and prompt interactively on bad input; piping an
        # empty echo into them keeps a malformed value from hanging the run.
        os.system("echo:|date {0}".format(clock.strftime("%m-%d-%y")))
        os.system("echo:|time {0}".format(clock.strftime("%H:%M:%S")))

        options = config.options
        self.default_dll = options.get("dll")

        # Command pipe: caller-chosen name if present, else a random one.
        pipe_name = options["pipe"] if "pipe" in options else random_string(16, 32)
        config.pipe = "\\\\.\\PIPE\\%s" % pipe_name
        # The log pipe is always randomly named.
        config.logpipe = "\\\\.\\PIPE\\%s" % random_string(16, 32)

        # Command handler: monitored processes issue requests through here.
        command_pipe = PipeServer(PipeDispatcher, config.pipe, message=True,
                                  dispatcher=CommandPipeHandler(self))
        command_pipe.daemon = True
        self.command_pipe = command_pipe
        command_pipe.start()

        # Log forwarder: relays monitored-process logs to the host (ip, port).
        destination = config.ip, config.port
        log_pipe = PipeServer(PipeForwarder, config.logpipe,
                              destination=destination)
        log_pipe.daemon = True
        self.log_pipe_server = log_pipe
        log_pipe.start()

        if config.category == "file":
            self.target = os.path.join(os.environ["TEMP"] + os.sep,
                                       config.file_name)
        else:
            self.target = config.target
sniff_interfaces = ["eth0"] # default capture interface; replaced by the comma-separated -i/--interfaces value when given

if __name__ == "__main__":
    
    # To Do: Implement argparse
    parser = argparse.ArgumentParser()
    parser.add_argument("-d","--debug", help="Display debug messages", action="store_true", required=False)
    parser.add_argument("-i","--interfaces", help="Filter traffic for a specific interface", type=str, required=False)
    parser.add_argument("-p","--protocols", help="Protocols to be sniffed", type=str, required=False)
    parser.add_argument("-P","--plot", help="Plot file downloads", action="store_true", required=False)
    parser.add_argument("-c","--comment", help="Comment for statistical analysis", type=str, required=False)
    parser.add_argument("-e","--extract", help="Extract suspicious files for later analysis", action="store_true", required=False)
    args = parser.parse_args()
    
    # Start console and file logging
    init_logging()

    # Check for existing config files
    check_configs()

    if args.debug:
        log.setLevel(logging.DEBUG)

    if args.interfaces:
        sniff_interfaces = args.interfaces.split(",")
        log.debug("Interfaces: %s", repr(sniff_interfaces))

    if args.plot:
        folder_path = os.path.join(ETHERSNIFF_ROOT,"log")
        if not os.path.exists(folder_path):
            os.makedirs(folder_path)
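def create_app(config):
    """Build and configure the Flask application for the ``config`` profile.

    Runs the Malice start-up checks (logo, config files, version, logging,
    modules) first, then creates the app, wires production logging (e-mail
    for errors, syslog for warnings), the DB/mail extensions, the login
    mechanism (LDAP or the local login manager) and the blueprints.

    :param config: key into ``settings`` selecting the configuration object
    :return: the configured :class:`flask.Flask` instance
    """
    logo()
    check_configs()
    check_version()
    init_logging()
    # log.setLevel(logging.DEBUG)
    init_modules()

    # create_structure()
    # Define the WSGI application object
    app = Flask(__name__)
    # Configurations
    app.config.from_object(settings[config])

    if not app.config['DEBUG'] and not app.config['TESTING']:
        _configure_production_logging(app)

    # pagedown.init_app(app)
    db.init_app(app)
    mail.init_app(app)

    if app.config['USE_LDAP']:
        # LDAP Login
        # TODO : Test out LDAP
        app.add_url_rule('/login', 'login', ldap.login, methods=['GET', 'POST'])
        ldap.init_app(app)
    else:
        login_manager.init_app(app)

    # Register blueprint(s)
    from .malice import malice as malice_blueprint
    app.register_blueprint(malice_blueprint)

    from app.mod_users.routes import mod_user as user_module
    app.register_blueprint(user_module, url_prefix='/auth')

    # from app.mod_api.controller import mod_api as api_module
    # app.register_blueprint(api_module, url_prefix='/api/v1')

    from app.emails import start_email_thread

    @app.before_first_request
    def before_first_request():
        start_email_thread()

    # NOTE(review): when this runs behind a reverse proxy, the ProxyFix below
    # is what makes remote_addr/scheme reflect the real client -- presumably
    # why it was left here; enable it only if a trusted proxy is in front.
    # from werkzeug.contrib.fixers import ProxyFix
    # app.wsgi_app = ProxyFix(app.wsgi_app)
    return app


def _configure_production_logging(app):
    """Attach the production log handlers to ``app.logger``.

    Errors are e-mailed to ``MAIL_ERROR_RECIPIENT`` when one is configured;
    warnings and above always go to the local syslog. SMTP credentials are
    read from ``MAIL_USERNAME``/``MAIL_PASSWORD`` in the app config (keep
    them out of committed settings).
    """
    import logging
    from logging.handlers import SMTPHandler, SysLogHandler

    # email errors to the administrators
    if app.config.get('MAIL_ERROR_RECIPIENT') is not None:
        credentials = None
        secure = None
        if app.config.get('MAIL_USERNAME') is not None:
            credentials = (app.config['MAIL_USERNAME'], app.config['MAIL_PASSWORD'])
            # STARTTLS only when the flag is actually true. The previous
            # ``is not None`` test also turned it on for an explicit False,
            # and raised KeyError when the key was absent.
            if app.config.get('MAIL_USE_TLS'):
                secure = ()
        mail_handler = SMTPHandler(
            mailhost=(app.config['MAIL_SERVER'], app.config['MAIL_PORT']),
            fromaddr=app.config['DEFAULT_MAIL_SENDER'],
            toaddrs=[app.config['MAIL_ERROR_RECIPIENT']],
            subject='[Malice] Application Error',
            credentials=credentials,
            secure=secure)
        mail_handler.setLevel(logging.ERROR)
        app.logger.addHandler(mail_handler)

    # send standard logs to syslog
    syslog_handler = SysLogHandler()
    syslog_handler.setLevel(logging.WARNING)
    app.logger.addHandler(syslog_handler)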
    def prepare(self):
        """Prepare env for analysis.

        Side effects, in order: take SeDebugPrivilege, copy the monitor DLLs
        and loaders under their randomized names, create the result folders,
        register the working directory and analysis root as protected paths,
        start logging, load the agent-written ``analysis.conf``, set the
        Windows clock through cmd's DATE/TIME, publish DEFAULT_DLL,
        SERVICES_PID and HIDE_PIDS for the pipe handlers, start the pipe
        servers and resolve ``self.target``.
        """
        global DEFAULT_DLL
        global SERVICES_PID
        global HIDE_PIDS

        # Get SeDebugPrivilege for the Python process. It will be needed in
        # order to perform the injections.
        grant_debug_privilege()

        # randomize cuckoomon DLL and loader executable names
        # (the *_NAME targets are module-level; the copies are presumably
        # what gets injected/launched -- the originals stay in place).
        copy("dll\\cuckoomon.dll", CUCKOOMON32_NAME)
        copy("dll\\cuckoomon_x64.dll", CUCKOOMON64_NAME)
        copy("bin\\loader.exe", LOADER32_NAME)
        copy("bin\\loader_x64.exe", LOADER64_NAME)

        # Create the folders used for storing the results.
        create_folders()

        # Mark the analyzer's own directories as protected (add_protected_path
        # is defined elsewhere; what "protected" buys is not visible here).
        add_protected_path(os.getcwd())
        add_protected_path(PATHS["root"])

        # Initialize logging.
        init_logging()

        # Parse the analysis configuration file generated by the agent.
        self.config = Config(cfg="analysis.conf")

        # Set virtual machine clock. strptime() rejects anything that is not
        # a well-formed timestamp, and only strftime() output is interpolated
        # into the shell commands below, so the config value cannot inject
        # into cmd.
        clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
        # Setting date and time.
        # NOTE: Windows system has only localized commands with date format
        # following localization settings, so these commands for english date
        # format cannot work in other localizations.
        # In addition DATE and TIME commands are blocking if an incorrect
        # syntax is provided, so an echo trick is used to bypass the input
        # request and not block analysis.
        thedate = clock.strftime("%m-%d-%y")
        thetime = clock.strftime("%H:%M:%S")
        os.system("echo:|date {0}".format(thedate))
        os.system("echo:|time {0}".format(thetime))
        # Return codes are not checked: a DATE/TIME failure is silent and the
        # log line below is written regardless.
        log.info("Date set to: {0}, time set to: {1}".format(thedate, thetime))

        # Set the default DLL to be used by the PipeHandler.
        DEFAULT_DLL = self.config.get_options().get("dll")

        # get PID for services.exe for monitoring services
        # (first match only; SERVICES_PID is left untouched when none is found)
        svcpid = self.pids_from_process_name_list(["services.exe"])
        if svcpid:
            SERVICES_PID = svcpid[0]

        # Processes whose PIDs go into HIDE_PIDS: hypervisor guest tools
        # (VMware, VirtualBox, Parallels), Sandboxie, classic monitoring tools
        # (Sysinternals, Wireshark, Network Monitor) and the interpreters the
        # analyzer itself runs under. The consumer of HIDE_PIDS is outside
        # this block -- presumably the monitor hides them from the sample.
        protected_procname_list = [
            "vmwareuser.exe",
            "vmwareservice.exe",
            "vboxservice.exe",
            "vboxtray.exe",
            "sandboxiedcomlaunch.exe",
            "sandboxierpcss.exe",
            "procmon.exe",
            "regmon.exe",
            "filemon.exe",
            "wireshark.exe",
            "netmon.exe",
            "prl_tools_service.exe",
            "prl_tools.exe",
            "prl_cc.exe",
            "sharedintapp.exe",
            "vmtoolsd.exe",
            "vmsrvc.exe",
            "python.exe",
            "perl.exe",
        ]

        HIDE_PIDS = set(self.pids_from_process_name_list(protected_procname_list))

        # Initialize and start the Pipe Servers. This is going to be used for
        # communicating with the injected and monitored processes. Each one
        # receives the full config; all are daemon threads.
        for x in xrange(self.PIPE_SERVER_COUNT):
            self.pipes[x] = PipeServer(self.config)
            self.pipes[x].daemon = True
            self.pipes[x].start()

        # We update the target according to its category. If it's a file, then
        # we store the path. str(): coerce whatever the config parser returned
        # (presumably unicode) to a native string before joining.
        if self.config.category == "file":
            self.target = os.path.join(os.environ["TEMP"] + os.sep,
                                       str(self.config.file_name))
        # If it's a URL, well.. we store the URL.
        else:
            self.target = self.config.target
                        help="Training and test file",
                        type=str,
                        required=True)
    parser.add_argument("-c",
                        "--classify",
                        help="Classification file",
                        type=str,
                        required=False)
    parser.add_argument("--filter",
                        help="Filter columns; format: c1,c2,c3",
                        type=str,
                        required=False)
    args = parser.parse_args()

    # Start console and file logging
    init_logging()
    log.setLevel(logging.DEBUG)

    bayes_classifier = BayesOneClass()

    # Read and parse the data file
    file_name = args.learnfile
    dataset = bayes_classifier.load_json(file_name)
    log.info('Loaded data file %s with %d streams.' %
             (file_name, len(dataset)))
    #print dataset

    # Filter columns
    #if args.filter:
    #    log.info("Filtering columns: %s" % args.filter)
    #    dataset = bayes_classifier.filter_columns(dataset, args.filter.split(","))
    def prepare(self):
        """Prepare env for analysis.

        Side effects, in order: take SeDebugPrivilege, copy the monitor DLLs
        and loaders under their randomized names, create the result folders,
        register the working directory and analysis root as protected paths,
        start logging, load the agent-written ``analysis.conf``, set the
        Windows clock with SetSystemTime(), publish DEFAULT_DLL, SERVICES_PID
        and HIDE_PIDS for the pipe handlers, start the pipe servers and
        resolve ``self.target``.
        """
        global DEFAULT_DLL
        global SERVICES_PID
        global HIDE_PIDS

        # Get SeDebugPrivilege for the Python process. It will be needed in
        # order to perform the injections.
        grant_debug_privilege()

        # randomize cuckoomon DLL and loader executable names
        # (the *_NAME targets are module-level; the copies are presumably
        # what gets injected/launched -- the originals stay in place).
        copy("dll\\cuckoomon.dll", CUCKOOMON32_NAME)
        copy("dll\\cuckoomon_x64.dll", CUCKOOMON64_NAME)
        copy("bin\\loader.exe", LOADER32_NAME)
        copy("bin\\loader_x64.exe", LOADER64_NAME)

        # Create the folders used for storing the results.
        create_folders()

        # Mark the analyzer's own directories as protected (add_protected_path
        # is defined elsewhere; what "protected" buys is not visible here).
        add_protected_path(os.getcwd())
        add_protected_path(PATHS["root"])

        # Initialize logging.
        init_logging()

        # Parse the analysis configuration file generated by the agent.
        self.config = Config(cfg="analysis.conf")

        # Set virtual machine clock. strptime() validates the agent-supplied
        # string; the parsed value is naive (no timezone).
        clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")

        # Fill a Win32 SYSTEMTIME from the parsed clock. wDayOfWeek is left
        # at its default (presumably ignored by SetSystemTime); milliseconds
        # are zeroed.
        systime = SYSTEMTIME()
        systime.wYear = clock.year
        systime.wMonth = clock.month
        systime.wDay = clock.day
        systime.wHour = clock.hour
        systime.wMinute = clock.minute
        systime.wSecond = clock.second
        systime.wMilliseconds = 0

        # NOTE(review): SetSystemTime() treats SYSTEMTIME as UTC; if the host
        # sends local time the guest clock ends up offset by the timezone --
        # confirm which the host sends. The BOOL return value is not checked,
        # so a failure (e.g. missing SeSystemtimePrivilege) is silent.
        KERNEL32.SetSystemTime(byref(systime))

        thedate = clock.strftime("%m-%d-%y")
        thetime = clock.strftime("%H:%M:%S")

        # Logged unconditionally, even if SetSystemTime() failed.
        log.info("Date set to: {0}, time set to: {1}".format(thedate, thetime))

        # Set the default DLL to be used by the PipeHandler.
        DEFAULT_DLL = self.config.get_options().get("dll")

        # get PID for services.exe for monitoring services
        # (first match only; SERVICES_PID is left untouched when none is found)
        svcpid = self.pids_from_process_name_list(["services.exe"])
        if svcpid:
            SERVICES_PID = svcpid[0]

        # Processes whose PIDs go into HIDE_PIDS: hypervisor guest tools
        # (VMware, VirtualBox, Parallels), Sandboxie, classic monitoring tools
        # (Sysinternals, Wireshark, Network Monitor) and the interpreters the
        # analyzer itself runs under. The consumer of HIDE_PIDS is outside
        # this block -- presumably the monitor hides them from the sample.
        protected_procname_list = [
            "vmwareuser.exe",
            "vmwareservice.exe",
            "vboxservice.exe",
            "vboxtray.exe",
            "sandboxiedcomlaunch.exe",
            "sandboxierpcss.exe",
            "procmon.exe",
            "regmon.exe",
            "filemon.exe",
            "wireshark.exe",
            "netmon.exe",
            "prl_tools_service.exe",
            "prl_tools.exe",
            "prl_cc.exe",
            "sharedintapp.exe",
            "vmtoolsd.exe",
            "vmsrvc.exe",
            "python.exe",
            "perl.exe",
        ]

        HIDE_PIDS = set(self.pids_from_process_name_list(protected_procname_list))

        # Initialize and start the Pipe Servers. This is going to be used for
        # communicating with the injected and monitored processes. Each one
        # receives the full config; all are daemon threads.
        for x in xrange(self.PIPE_SERVER_COUNT):
            self.pipes[x] = PipeServer(self.config)
            self.pipes[x].daemon = True
            self.pipes[x].start()

        # We update the target according to its category. If it's a file, then
        # we store the path. str(): coerce whatever the config parser returned
        # (presumably unicode) to a native string before joining.
        if self.config.category == "file":
            self.target = os.path.join(os.environ["TEMP"] + os.sep,
                                       str(self.config.file_name))
        # If it's a URL, well.. we store the URL.
        else:
            self.target = self.config.target
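    def prepare(self):
        """Bring the guest up for analysis (kernel-driver capable variant).

        Steps: acquire SeDebugPrivilege (injection) and SeLoadDriverPrivilege
        (driver load), start logging, load the agent-written ``analysis.conf``
        and share it with ``Process``, pin the VM clock, pick the monitor DLL,
        create the command and log pipe servers, stash the pipe names,
        destination and driver options in ``config.options`` for the analysis
        package, and resolve ``self.target`` (file under %TEMP%, archive
        extracted into %TEMP%, or URL).
        """
        # Get SeDebugPrivilege for the Python process. It will be needed in
        # order to perform the injections. SeLoadDriverPrivilege is for the
        # kernel monitor.
        grant_privilege("SeDebugPrivilege")
        grant_privilege("SeLoadDriverPrivilege")

        # Initialize logging.
        init_logging()

        # Parse the analysis configuration file generated by the agent.
        self.config = Config(cfg="analysis.conf")

        # Pass the configuration through to the Process class.
        Process.set_config(self.config)

        # Set virtual machine clock; strptime() validates the agent's string.
        set_clock(
            datetime.datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S"))

        # Set the default DLL to be used for this analysis.
        self.default_dll = self.config.options.get("dll")

        # Command pipe: caller-chosen name if given, otherwise a random one.
        self.config.pipe = self.get_pipe_path(
            self.config.options.get("pipe", random_string(16, 32)))

        # The log pipe is always randomly named.
        self.config.logpipe = self.get_pipe_path(random_string(16, 32))

        # Command handler: monitored processes issue requests through here.
        self.command_pipe = PipeServer(PipeDispatcher,
                                       self.config.pipe,
                                       message=True,
                                       dispatcher=CommandPipeHandler(self))
        self.command_pipe.daemon = True
        self.command_pipe.start()

        # Log forwarder: monitored processes write log records here and
        # PipeForwarder relays them to the host at (ip, port).
        destination = self.config.ip, self.config.port
        self.log_pipe_server = PipeServer(PipeForwarder,
                                          self.config.logpipe,
                                          destination=destination)
        self.log_pipe_server.daemon = True
        self.log_pipe_server.start()

        # Handed to the analysis package later. The kernel log pipe is a bare
        # \\.\<name> (no PIPE\ prefix) unlike get_pipe_path() -- presumably
        # intentional for the driver; left as is.
        self.config.options["dispatcherpipe"] = self.config.pipe  # DISPATCHER
        self.config.options["forwarderpipe"] = self.config.logpipe  # FORWARDER
        self.config.options["kernel_logpipe"] = "\\\\.\\%s" % (random_string(
            16, 32))
        self.config.options["destination"] = destination
        self.config.options["driver_options"] = self.parse_driver_options()

        # We update the target according to its category.
        if self.config.category == "file":
            self.target = os.path.join(os.environ["TEMP"],
                                       self.config.file_name)
        elif self.config.category == "archive":
            temp_dir = os.environ["TEMP"]
            zip_path = os.path.join(temp_dir, self.config.file_name)
            # Unpack the submitted archive into %TEMP%. The ZipFile is now
            # closed deterministically; the previous version leaked the
            # handle, which on Windows can keep the archive locked.
            # NOTE(review): extractall() strips leading slashes and ".."
            # components on supported Pythons (presumably bpo-6972) -- confirm
            # on the guest's interpreter. options["filename"] is trusted to
            # name a member that exists after extraction.
            with zipfile.ZipFile(zip_path) as archive:
                archive.extractall(temp_dir)
            self.target = os.path.join(temp_dir,
                                       self.config.options["filename"])
        # If it's a URL, well.. we store the URL.
        else:
            self.target = self.config.target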
    def prepare(self):
        """Prepare the guest environment for the analysis run.

        Grants the debug privilege, creates the result folders, starts
        logging, loads ``analysis.conf`` into ``self.config`` (also handed to
        ``Process``), syncs the VM clock, starts the command and log pipe
        servers and resolves ``self.target``.
        """
        # SeDebugPrivilege is required for the later process injections.
        grant_debug_privilege()

        # Result folders, then logging.
        create_folders()
        init_logging()

        # analysis.conf is written by the agent before the analyzer starts.
        self.config = Config(cfg="analysis.conf")
        Process.set_config(self.config)

        # Sync the VM clock with the value requested by the host. The value
        # is parsed with strptime first, so only the digits and separators
        # produced by strftime reach the shell. The Windows DATE/TIME commands
        # are localized (this assumes the US format) and block waiting for
        # input on a bad value, hence the "echo:|" pipe feeding them an
        # empty answer.
        requested = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
        os.system("echo:|date {0}".format(requested.strftime("%m-%d-%y")))
        os.system("echo:|time {0}".format(requested.strftime("%H:%M:%S")))

        # DLL used for this analysis unless a package asks for another one.
        self.default_dll = self.config.options.get("dll")

        # Command pipe: the configured name when present, a random one
        # otherwise.
        pipe_name = (self.config.options["pipe"]
                     if "pipe" in self.config.options
                     else random_string(16, 32))
        self.config.pipe = "\\\\.\\PIPE\\%s" % pipe_name

        # Log pipe: always a fresh random name.
        self.config.logpipe = "\\\\.\\PIPE\\%s" % random_string(16, 32)

        # Command handler pipe server: the monitored processes talk to the
        # analyzer through it.
        self.command_pipe = PipeServer(
            PipeDispatcher, self.config.pipe, message=True,
            dispatcher=CommandPipeHandler(self))
        self.command_pipe.daemon = True
        self.command_pipe.start()

        # Log pipe server: the monitored processes write their logs here and
        # the forwarder relays them to the host at (ip, port) from the
        # configuration.
        host_addr = self.config.ip, self.config.port
        self.log_pipe_server = PipeServer(
            PipeForwarder, self.config.logpipe, destination=host_addr)
        self.log_pipe_server.daemon = True
        self.log_pipe_server.start()

        # A file sample lives in %TEMP%; for anything else the target is the
        # URL itself.
        if self.config.category == "file":
            self.target = os.path.join(os.environ["TEMP"] + os.sep,
                                       self.config.file_name)
        else:
            self.target = self.config.target
    def prepare(self):
        """Prepare the guest environment for the analysis run.

        Sets the module globals ``DEFAULT_DLL``, ``SERVICES_PID`` and
        ``HIDE_PIDS``, sets the system clock through the Win32 API, starts the
        pipe servers and resolves ``self.target``.
        """
        global DEFAULT_DLL
        global SERVICES_PID
        global HIDE_PIDS

        # SeDebugPrivilege is required for the later process injections.
        grant_debug_privilege()

        # Stage the monitor DLLs and loaders under randomized file names
        # (presumably so the sample cannot recognize them by name).
        for src, dst in (("dll\\cuckoomon.dll", CUCKOOMON32_NAME),
                         ("dll\\cuckoomon_x64.dll", CUCKOOMON64_NAME),
                         ("bin\\loader.exe", LOADER32_NAME),
                         ("bin\\loader_x64.exe", LOADER64_NAME)):
            copy(src, dst)

        create_folders()

        # Register the analyzer's working directory and the result root as
        # protected paths (what that protects is up to add_protected_path).
        add_protected_path(os.getcwd())
        add_protected_path(PATHS["root"])

        init_logging()

        # analysis.conf is written by the agent before the analyzer starts.
        self.config = Config(cfg="analysis.conf")

        # Sync the VM clock via SetSystemTime rather than the localized
        # DATE/TIME shell commands. NOTE(review): SetSystemTime takes UTC and
        # the configured value carries no zone, so it is applied as written.
        requested = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
        st = SYSTEMTIME()
        st.wYear = requested.year
        st.wMonth = requested.month
        st.wDay = requested.day
        st.wHour = requested.hour
        st.wMinute = requested.minute
        st.wSecond = requested.second
        st.wMilliseconds = 0
        KERNEL32.SetSystemTime(byref(st))

        date_str = requested.strftime("%m-%d-%y")
        time_str = requested.strftime("%H:%M:%S")
        log.info("Date set to: {0}, time set to: {1}".format(date_str, time_str))

        # Default DLL used by the PipeHandler.
        DEFAULT_DLL = self.config.get_options().get("dll")

        # Remember the PID of services.exe so services can be monitored.
        service_pids = self.pids_from_process_name_list(["services.exe"])
        if service_pids:
            SERVICES_PID = service_pids[0]

        # Hypervisor tooling, sandbox helpers, common monitoring tools and our
        # own interpreters: their PIDs go into HIDE_PIDS.
        hidden_names = [
            "vmwareuser.exe",
            "vmwareservice.exe",
            "vboxservice.exe",
            "vboxtray.exe",
            "sandboxiedcomlaunch.exe",
            "sandboxierpcss.exe",
            "procmon.exe",
            "regmon.exe",
            "filemon.exe",
            "wireshark.exe",
            "netmon.exe",
            "prl_tools_service.exe",
            "prl_tools.exe",
            "prl_cc.exe",
            "sharedintapp.exe",
            "vmtoolsd.exe",
            "vmsrvc.exe",
            "python.exe",
            "perl.exe",
        ]
        HIDE_PIDS = set(self.pids_from_process_name_list(hidden_names))

        # Pipe servers used to talk to the injected and monitored processes.
        for idx in xrange(self.PIPE_SERVER_COUNT):
            server = PipeServer(self.config)
            self.pipes[idx] = server
            server.daemon = True
            server.start()

        # A file sample lives in %TEMP%; for anything else the target is the
        # URL itself.
        if self.config.category == "file":
            self.target = os.path.join(os.environ["TEMP"] + os.sep,
                                       str(self.config.file_name))
        else:
            self.target = self.config.target
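    def prepare(self):
        """Prepare env for analysis.

        Grants SeDebugPrivilege, creates the result folders, initializes
        logging, loads ``analysis.conf`` into ``self.config``, sets the VM
        clock, records the PID of services.exe in the module global
        ``SERVICES_PID`` (``None`` when it cannot be determined), starts the
        pipe servers and resolves ``self.target``. Also sets the module
        global ``DEFAULT_DLL`` from the "dll" option.
        """
        global DEFAULT_DLL
        global SERVICES_PID

        # Get SeDebugPrivilege for the Python process. It will be needed in
        # order to perform the injections.
        grant_debug_privilege()

        # Create the folders used for storing the results.
        create_folders()

        add_protected_path(os.getcwd())
        add_protected_path(PATHS["root"])

        # Initialize logging.
        init_logging()

        # Parse the analysis configuration file generated by the agent.
        self.config = Config(cfg="analysis.conf")

        # Set virtual machine clock. The value is parsed with strptime first,
        # so only the digits and separators produced by strftime reach the
        # shell commands below.
        clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
        # NOTE: Windows system has only localized commands with date format
        # following localization settings, so these commands for english date
        # format cannot work in other localizations.
        # In addition DATE and TIME commands are blocking if an incorrect
        # syntax is provided, so an echo trick is used to bypass the input
        # request and not block analysis.
        os.system("echo:|date {0}".format(clock.strftime("%m-%d-%y")))
        os.system("echo:|time {0}".format(clock.strftime("%H:%M:%S")))

        # Set the default DLL to be used by the PipeHandler.
        DEFAULT_DLL = self.config.get_options().get("dll")

        # Get the PID of services.exe for monitoring services. tasklist
        # sometimes fails under high load
        # (http://support.microsoft.com/kb/2732840), so retry a few times.
        # TODO: os.popen3 is deprecated; subprocess.Popen would be preferable
        # once the module imports it.
        retries = 4
        output = ""
        while retries > 0:
            stdin, stdout, stderr = os.popen3(
                "tasklist /V /FI \"IMAGENAME eq services.exe\"")
            # Close all three handles on every attempt so retries do not
            # leak them.
            try:
                output = stdout.read()
                err = stderr.read()
            finally:
                stdin.close()
                stdout.close()
                stderr.close()
            if 'services.exe' in output:
                break
            log.warning('tasklist failed with error "%s"' % (err))
            retries -= 1

        # tasklist /V prints the PID right after the image name, separated by
        # whitespace. Fall back to None (with an error) when every attempt
        # failed or the line does not look as expected.
        pid_text = ""
        if 'services.exe' in output:
            rest = output[output.index("services.exe") + len("services.exe"):]
            fields = rest.split(None, 1)
            if fields:
                pid_text = fields[0]
        if pid_text.isdigit():
            SERVICES_PID = int(pid_text, 10)
            log.debug('services.exe PID is %s' % (SERVICES_PID))
        else:
            log.error('Unable to retreive services.exe PID')
            SERVICES_PID = None

        # Initialize and start the Pipe Servers. This is going to be used for
        # communicating with the injected and monitored processes.
        for x in xrange(self.PIPE_SERVER_COUNT):
            self.pipes[x] = PipeServer()
            self.pipes[x].daemon = True
            self.pipes[x].start()

        # We update the target according to its category. If it's a file, then
        # we store the path.
        if self.config.category == "file":
            self.target = os.path.join(os.environ["TEMP"] + os.sep,
                                       str(self.config.file_name))
        # If it's a URL, well.. we store the URL.
        else:
            self.target = self.config.target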
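    def prepare(self):
        """Prepare env for analysis.

        Grants SeDebugPrivilege, creates the result folders, initializes
        logging, loads ``analysis.conf`` into ``self.config``, sets the VM
        clock, records the PID of services.exe in the module global
        ``SERVICES_PID`` (``None`` when it cannot be determined), starts the
        pipe servers and resolves ``self.target``. Also sets the module
        global ``DEFAULT_DLL`` from the "dll" option.
        """
        global DEFAULT_DLL
        global SERVICES_PID

        # Get SeDebugPrivilege for the Python process. It will be needed in
        # order to perform the injections.
        grant_debug_privilege()

        # Create the folders used for storing the results.
        create_folders()

        add_protected_path(os.getcwd())
        add_protected_path(PATHS["root"])

        # Initialize logging.
        init_logging()

        # Parse the analysis configuration file generated by the agent.
        self.config = Config(cfg="analysis.conf")

        # Set virtual machine clock. The value is parsed with strptime first,
        # so only the digits and separators produced by strftime reach the
        # shell commands below.
        clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
        # NOTE: Windows system has only localized commands with date format
        # following localization settings, so these commands for english date
        # format cannot work in other localizations.
        # In addition DATE and TIME commands are blocking if an incorrect
        # syntax is provided, so an echo trick is used to bypass the input
        # request and not block analysis.
        os.system("echo:|date {0}".format(clock.strftime("%m-%d-%y")))
        os.system("echo:|time {0}".format(clock.strftime("%H:%M:%S")))

        # Set the default DLL to be used by the PipeHandler.
        DEFAULT_DLL = self.config.get_options().get("dll")

        # Get the PID of services.exe for monitoring services. tasklist
        # sometimes fails under high load
        # (http://support.microsoft.com/kb/2732840), so retry a few times.
        # TODO: os.popen3 is deprecated; subprocess.Popen would be preferable
        # once the module imports it.
        retries = 4
        output = ""
        while retries > 0:
            stdin, stdout, stderr = os.popen3(
                "tasklist /V /FI \"IMAGENAME eq services.exe\"")
            # Close all three handles on every attempt so retries do not
            # leak them.
            try:
                output = stdout.read()
                err = stderr.read()
            finally:
                stdin.close()
                stdout.close()
                stderr.close()
            if 'services.exe' in output:
                break
            log.warning('tasklist failed with error "%s"' % (err))
            retries -= 1

        # tasklist /V prints the PID right after the image name, separated by
        # whitespace. Fall back to None (with an error) when every attempt
        # failed or the line does not look as expected.
        pid_text = ""
        if 'services.exe' in output:
            rest = output[output.index("services.exe") + len("services.exe"):]
            fields = rest.split(None, 1)
            if fields:
                pid_text = fields[0]
        if pid_text.isdigit():
            SERVICES_PID = int(pid_text, 10)
            log.debug('services.exe PID is %s' % (SERVICES_PID))
        else:
            log.error('Unable to retreive services.exe PID')
            SERVICES_PID = None

        # Initialize and start the Pipe Servers. This is going to be used for
        # communicating with the injected and monitored processes.
        for x in xrange(self.PIPE_SERVER_COUNT):
            self.pipes[x] = PipeServer()
            self.pipes[x].daemon = True
            self.pipes[x].start()

        # We update the target according to its category. If it's a file, then
        # we store the path.
        if self.config.category == "file":
            self.target = os.path.join(os.environ["TEMP"] + os.sep,
                                       str(self.config.file_name))
        # If it's a URL, well.. we store the URL.
        else:
            self.target = self.config.target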
    def prepare(self):
        """Prepare the guest environment for the analysis run.

        Sets the module globals ``DEFAULT_DLL``, ``SERVICES_PID`` and
        ``HIDE_PIDS``, sets the VM clock through the shell DATE/TIME commands,
        starts the pipe servers and resolves ``self.target``.
        """
        global DEFAULT_DLL
        global SERVICES_PID
        global HIDE_PIDS

        # SeDebugPrivilege is required for the later process injections.
        grant_debug_privilege()

        # Stage the monitor DLLs and loaders under randomized file names
        # (presumably so the sample cannot recognize them by name).
        for src, dst in (("dll\\cuckoomon.dll", CUCKOOMON32_NAME),
                         ("dll\\cuckoomon_x64.dll", CUCKOOMON64_NAME),
                         ("bin\\loader.exe", LOADER32_NAME),
                         ("bin\\loader_x64.exe", LOADER64_NAME)):
            copy(src, dst)

        create_folders()

        # Register the analyzer's working directory and the result root as
        # protected paths (what that protects is up to add_protected_path).
        add_protected_path(os.getcwd())
        add_protected_path(PATHS["root"])

        init_logging()

        # analysis.conf is written by the agent before the analyzer starts.
        self.config = Config(cfg="analysis.conf")

        # Sync the VM clock. The value is parsed with strptime first, so only
        # the digits and separators produced by strftime reach the shell. The
        # Windows DATE/TIME commands are localized (this assumes the US
        # format) and block waiting for input on a bad value, hence the
        # "echo:|" pipe feeding them an empty answer.
        requested = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
        date_str = requested.strftime("%m-%d-%y")
        time_str = requested.strftime("%H:%M:%S")
        os.system("echo:|date {0}".format(date_str))
        os.system("echo:|time {0}".format(time_str))
        log.info("Date set to: {0}, time set to: {1}".format(date_str, time_str))

        # Default DLL used by the PipeHandler.
        DEFAULT_DLL = self.config.get_options().get("dll")

        # Remember the PID of services.exe so services can be monitored.
        service_pids = self.pids_from_process_name_list(["services.exe"])
        if service_pids:
            SERVICES_PID = service_pids[0]

        # Hypervisor tooling, sandbox helpers, common monitoring tools and our
        # own interpreters: their PIDs go into HIDE_PIDS.
        hidden_names = [
            "vmwareuser.exe",
            "vmwareservice.exe",
            "vboxservice.exe",
            "vboxtray.exe",
            "sandboxiedcomlaunch.exe",
            "sandboxierpcss.exe",
            "procmon.exe",
            "regmon.exe",
            "filemon.exe",
            "wireshark.exe",
            "netmon.exe",
            "prl_tools_service.exe",
            "prl_tools.exe",
            "prl_cc.exe",
            "sharedintapp.exe",
            "vmtoolsd.exe",
            "vmsrvc.exe",
            "python.exe",
            "perl.exe",
        ]
        HIDE_PIDS = set(self.pids_from_process_name_list(hidden_names))

        # Pipe servers used to talk to the injected and monitored processes.
        for idx in xrange(self.PIPE_SERVER_COUNT):
            server = PipeServer(self.config)
            self.pipes[idx] = server
            server.daemon = True
            server.start()

        # A file sample lives in %TEMP%; for anything else the target is the
        # URL itself.
        if self.config.category == "file":
            self.target = os.path.join(os.environ["TEMP"] + os.sep,
                                       str(self.config.file_name))
        else:
            self.target = self.config.target
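def create_app(config):
    """Build and configure the Flask application for the ``config`` profile.

    Runs the startup checks and module initialization, applies
    ``settings[config]``, attaches production logging handlers (SMTP for
    errors when MAIL_ERROR_RECIPIENT is set, syslog for warnings) when the
    app is neither in DEBUG nor TESTING, initializes the extensions, picks
    LDAP or the local login manager, and registers the blueprints.

    Args:
        config: Key into ``settings`` naming the configuration object.

    Returns:
        The configured ``Flask`` instance.
    """
    logo()
    check_configs()
    check_version()
    init_logging()
    # log.setLevel(logging.DEBUG)
    init_modules()

    # create_structure()
    # Define the WSGI application object
    app = Flask(__name__)
    # Configurations
    app.config.from_object(settings[config])

    # if True:
    if not app.config['DEBUG'] and not app.config['TESTING']:
        # configure logging for production
        import logging
        from logging.handlers import SMTPHandler, SysLogHandler

        # email errors to the administrators
        if app.config.get('MAIL_ERROR_RECIPIENT') is not None:
            credentials = None
            secure = None
            if app.config.get('MAIL_USERNAME') is not None:
                credentials = (app.config['MAIL_USERNAME'],
                               app.config['MAIL_PASSWORD'])
                # Honour the flag's value: an explicit MAIL_USE_TLS = False
                # must not turn STARTTLS on (an `is not None` test would), and
                # a missing key means no TLS rather than a KeyError. With TLS
                # off the SMTP credentials travel in the clear, so keep the
                # flag on for any mail server beyond the local host.
                if app.config.get('MAIL_USE_TLS'):
                    secure = ()
            # Error mails carry the formatted log record, i.e. the traceback
            # and whatever it includes; the recipient should be an operator
            # mailbox.
            mail_handler = SMTPHandler(
                mailhost=(app.config['MAIL_SERVER'], app.config['MAIL_PORT']),
                fromaddr=app.config['DEFAULT_MAIL_SENDER'],
                toaddrs=[app.config['MAIL_ERROR_RECIPIENT']],
                subject='[Malice] Application Error',
                credentials=credentials,
                secure=secure)
            mail_handler.setLevel(logging.ERROR)
            app.logger.addHandler(mail_handler)

        # send standard logs to syslog
        syslog_handler = SysLogHandler()
        syslog_handler.setLevel(logging.WARNING)
        app.logger.addHandler(syslog_handler)

    # pagedown.init_app(app)
    db.init_app(app)
    mail.init_app(app)

    if app.config['USE_LDAP']:
        # LDAP Login
        # TODO : Test out LDAP
        app.add_url_rule('/login',
                         'login',
                         ldap.login,
                         methods=['GET', 'POST'])
        ldap.init_app(app)
    else:
        login_manager.init_app(app)

    # Register blueprint(s)
    from .malice import malice as malice_blueprint
    app.register_blueprint(malice_blueprint)

    from app.mod_users.routes import mod_user as user_module
    app.register_blueprint(user_module, url_prefix='/auth')

    # from app.mod_api.controller import mod_api as api_module
    # app.register_blueprint(api_module, url_prefix='/api/v1')

    from app.emails import start_email_thread

    @app.before_first_request
    def before_first_request():
        # Background mailer is started lazily, on the first request served.
        start_email_thread()

    # from werkzeug.contrib.fixers import ProxyFix
    # app.wsgi_app = ProxyFix(app.wsgi_app)
    return app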