def _parse(self, row):
"""Parse log row.
@param row: row data.
@return: parsed information dict.
"""
call = {}
arguments = []
try:
timestamp = row[0] # Timestamp of current API call invocation.
thread_id = row[1] # Thread ID.
caller = row[2] # non-system DLL return address
parentcaller = row[
3] # non-system DLL parent of non-system-DLL return address
category = row[4] # Win32 function category.
api_name = row[5] # Name of the Windows API.
repeated = row[6] # Times log repeated
status_value = row[7] # Success or Failure?
return_value = row[8] # Value returned by the function.
except IndexError as e:
log.debug("Unable to parse process log row: %s", e)
return None
# Now walk through the remaining columns, which will contain API
# arguments.
for index in range(9, len(row)):
argument = {}
# Split the argument name with its value based on the separator.
try:
arg_name, arg_value = row[index]
except ValueError as e:
log.debug("Unable to parse analysis row argument (row=%s): %s",
row[index], e)
continue
argument["name"] = arg_name
if isinstance(arg_value, bytes):
arg_value = bytes2str(arg_value)
argument["value"] = convert_to_printable(str(arg_value),
self.conversion_cache)
if not self.reporting_mode:
argument["raw_value"] = arg_value
pretty = pretty_print_arg(category, api_name, arg_name,
argument["value"])
if pretty:
argument["pretty_value"] = pretty
arguments.append(argument)
call["timestamp"] = timestamp
call["thread_id"] = str(thread_id)
call["caller"] = "0x%.08x" % default_converter(caller)
call["parentcaller"] = "0x%.08x" % default_converter(parentcaller)
call["category"] = category
call["api"] = api_name
call["status"] = bool(int(status_value))
if isinstance(return_value, int) or isinstance(return_value, int):
call["return"] = "0x%.08x" % default_converter(return_value)
else:
call["return"] = convert_to_printable(str(return_value),
self.conversion_cache)
prettyret = pretty_print_retval(category, api_name, call["status"],
call["return"])
if prettyret:
call["pretty_return"] = prettyret
call["arguments"] = arguments
call["repeated"] = repeated
# add the thread id to our thread set
if call["thread_id"] not in self.threads:
self.threads.append(call["thread_id"])
return call
def _parse(self, row):
"""Parse log row.
@param row: row data.
@return: parsed information dict.
"""
call = {}
arguments = []
try:
timestamp = row[0] # Timestamp of current API call invocation.
thread_id = row[1] # Thread ID.
caller = row[2] # non-system DLL return address
parentcaller = row[3] # non-system DLL parent of non-system-DLL return address
category = row[4] # Win32 function category.
api_name = row[5] # Name of the Windows API.
repeated = row[6] # Times log repeated
status_value = row[7] # Success or Failure?
return_value = row[8] # Value returned by the function.
except IndexError as e:
log.debug("Unable to parse process log row: %s", e)
return None
# Now walk through the remaining columns, which will contain API
# arguments.
for index in range(9, len(row)):
argument = {}
# Split the argument name with its value based on the separator.
try:
arg_name, arg_value = row[index]
except ValueError as e:
log.debug("Unable to parse analysis row argument (row=%s): %s", row[index], e)
continue
argument["name"] = arg_name
argument["value"] = convert_to_printable(str(arg_value), self.conversion_cache)
if not self.reporting_mode:
argument["raw_value"] = arg_value
pretty = pretty_print_arg(category, api_name, arg_name, argument["value"])
if pretty:
argument["pretty_value"] = pretty
arguments.append(argument)
call["timestamp"] = timestamp
call["thread_id"] = str(thread_id)
call["caller"] = "0x%.08x" % default_converter(caller)
call["parentcaller"] = "0x%.08x" % default_converter(parentcaller)
call["category"] = category
call["api"] = api_name
call["status"] = bool(int(status_value))
if isinstance(return_value, int) or isinstance(return_value, long):
call["return"] = "0x%.08x" % default_converter(return_value)
else:
call["return"] = convert_to_printable(str(return_value), self.conversion_cache)
prettyret = pretty_print_retval(category, api_name, call["status"], call["return"])
if prettyret:
call["pretty_return"] = prettyret
call["arguments"] = arguments
call["repeated"] = repeated
# add the thread id to our thread set
if call["thread_id"] not in self.threads:
self.threads.append(call["thread_id"])
return call
from lib.cuckoo.common.defines import REG_DWORD_BIG_ENDIAN
from lib.cuckoo.common.defines import REG_DWORD_LITTLE_ENDIAN
from lib.cuckoo.common.exceptions import CuckooResultError
from lib.cuckoo.common.logtbl import table as LOGTBL
from lib.cuckoo.common.utils import get_filename_from_path, default_converter
log = logging.getLogger(__name__)
###############################################################################
# Generic BSON based protocol - by rep
# Allows all kinds of languages / sources to generate input for Cuckoo,
# thus we can reuse report generation / signatures for other API trace sources.
###############################################################################
TYPECONVERTERS = {
"h": lambda v: "0x%08x" % default_converter(v),
"p": lambda v: "0x%.08x" % default_converter(v)
}
# 20 Mb max message length.
MAX_MESSAGE_LENGTH = 20 * 1024 * 1024
def check_names_for_typeinfo(arginfo):
argnames = [i[0] if type(i) in (list, tuple) else i for i in arginfo]
converters = []
for i in arginfo:
if type(i) in (list, tuple):
r = TYPECONVERTERS.get(i[1], None)
if not r:
log.debug("Analyzer sent unknown format "
from lib.cuckoo.common.defines import REG_DWORD_BIG_ENDIAN
from lib.cuckoo.common.defines import REG_DWORD_LITTLE_ENDIAN
from lib.cuckoo.common.exceptions import CuckooResultError
from lib.cuckoo.common.logtbl import table as LOGTBL
from lib.cuckoo.common.utils import get_filename_from_path, default_converter
log = logging.getLogger(__name__)
###############################################################################
# Generic BSON based protocol - by rep
# Allows all kinds of languages / sources to generate input for Cuckoo,
# thus we can reuse report generation / signatures for other API trace sources.
###############################################################################
TYPECONVERTERS = {
"h": lambda v: "0x%08x" % default_converter(v),
"p": lambda v: "0x%.08x" % default_converter(v)
}
# 20 Mb max message length.
MAX_MESSAGE_LENGTH = 20 * 1024 * 1024
def pointer_converter_32bit(v):
return "0x%08x" % (v % 2**32)
def pointer_converter_64bit(v):
return "0x%016x" % (v % 2**64)
def default_converter_32bit(v):
if isinstance(v, (int, long)) and v < 0:
return v % 2**32
bson_decode = lambda d: bson.loads(d)
else:
HAVE_BSON = False
from lib.cuckoo.common.logtbl import table as LOGTBL
from lib.cuckoo.common.utils import get_filename_from_path, default_converter
log = logging.getLogger(__name__)
###############################################################################
# Generic BSON based protocol - by rep
# Allows all kinds of languages / sources to generate input for Cuckoo,
# thus we can reuse report generation / signatures for other API trace sources.
###############################################################################
TYPECONVERTERS = {"h": lambda v: "0x%08x" % default_converter(v), "p": lambda v: "0x%.08x" % default_converter(v)}
# 20 Mb max message length.
MAX_MESSAGE_LENGTH = 20 * 1024 * 1024
def pointer_converter_32bit(v):
return "0x%08x" % (v % 2 ** 32)
def pointer_converter_64bit(v):
return "0x%016x" % (v % 2 ** 64)
def default_converter_32bit(v):
if isinstance(v, int) and v < 0: