def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever the script is loaded for the first time, either with the import_module command, or when loaded at startup. ''' #We keep a callback manager as a global var. # --> To access it from any function. # --> Necessary to call cm.clean() from clean() function global cm global pyrebox_print #Initialize printer function (global var), that we can use to print #text that is associated to our script pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") #Initialize the callback manager, and register a couple of named #callbacks. cm = CallbackManager(module_hdl) new_proc_cb = cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc") remove_proc_cb = cm.add_callback(CallbackManager.REMOVEPROC_CB, remove_proc, name="vmi_remove_proc") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl, new_style = True) cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl,printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl) new_proc_cb = cm.add_callback(CallbackManager.CREATEPROC_CB,new_proc,name="vmi_new_proc") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): global cm global pyrebox_print from plugins.guest_agent import guest_agent pyrebox_print = printer cm = CallbackManager(module_hdl) guest_agent.copy_file("/home/marc/sdcard/zoo/gen/sample.exe", "C:\\ProgramData\\malo.exe") cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc") guest_agent.execute_file("C:\\ProgramData\\malo.exe")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print #Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks\n") cm = CallbackManager(module_hdl) cm.add_callback(CallbackManager.MEM_READ_CB, my_function, name="mem_read") pyrebox_print("[*] Initialized callbacks\n") pyrebox_print("[!] Test: Open calc.exe and monitor the process")
def initialize_callbacks(module_hdl,printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print #Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl) cm.add_callback(CallbackManager.OPCODE_RANGE_CB,opcode_range,name="opcode",start_opcode=0x90,end_opcode=0x90) pyrebox_print("[*] Initialized callbacks") pyrebox_print("[!] Test: Open calc.exe and monitor the process")
def initialize_callbacks(module_hdl,printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print #Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks\n") cm = CallbackManager(module_hdl) cm.add_callback(CallbackManager.BLOCK_BEGIN_CB,my_function,name="block_begin") pyrebox_print("[*] Initialized callbacks\n") pyrebox_print("[!] In order to perform the test, start monitoring some process")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. ''' global cm global pyrebox_print # debug var global num_ins global logger global process_is_created logger = logging.getLogger('funcap') hdlr = logging.FileHandler('funcap.log') formatter = logging.Formatter('%(asctime)s %(levelname)s %(message)s') hdlr.setFormatter(formatter) logger.addHandler(hdlr) # Set level log level = 0 if level == 0: logger.setLevel(logging.INFO) elif level == 1: logger.setLevel(logging.WARNING) elif level == 2: logger.setLevel(logging.ERROR) elif level == 3: logger.setLevel(logging.CRITICAL) else: logger.setLevel(logging.WARNING) num_ins = 0 process_is_created = 0 # Init symbols # api.get_symbol_list() # Initialize printer function pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") #Initialize the callback manager cm = CallbackManager(module_hdl) ## # Callback for CALL opcode ## cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc") cm.add_callback(CallbackManager.OPCODE_RANGE_CB, funcap, start_opcode=0xFF, end_opcode=0xFF) cm.add_callback(CallbackManager.REMOVEPROC_CB, remove_proc, name="vmi_remove_proc") do_set_target(TARGET) pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print from api import CallbackManager # Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks\n") cm = CallbackManager(module_hdl, new_style=True) cm.add_callback(CallbackManager.INSN_END_CB, my_function, name="insn_end") pyrebox_print("[*] Initialized callbacks\n") pyrebox_print("[!] Test: Open calc.exe and monitor the process")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. ''' global cm global pyrebox_print # Initialize printer function pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") # Initialize the callback manager cm = CallbackManager(module_hdl) # Register a process creation callback cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc) pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print from api import CallbackManager # Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl, new_style = True) cm.add_callback(CallbackManager.TLB_EXEC_CB, tlb_exec, name="tlb_exec") cm.add_callback(CallbackManager.CONTEXTCHANGE_CB, context_change, name="context_change") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print from api import CallbackManager # Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks\n") cm = CallbackManager(module_hdl, new_style = True) cm.add_callback(CallbackManager.INSN_BEGIN_CB, insn_begin, name="insn_begin") pyrebox_print("[*] Initialized callbacks\n") pyrebox_print("[!] In order to run the rest, open calc.exe and monitor the process.")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print from api import CallbackManager # Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks\n") cm = CallbackManager(module_hdl, new_style = True) cm.add_callback(CallbackManager.BLOCK_END_CB, my_function, name="block_end") pyrebox_print("[*] Initialized callbacks\n") pyrebox_print("[!] Test: Open calc.exe and monitor the process")
def initialize_callbacks(module_hdl, printer): ''' Initialize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' from api import CallbackManager from plugins.guest_agent import guest_agent from mw_monitor2.generic_unpacker import register_memory_dump_callback global cm global pyrebox_print pyrebox_print = printer try: # Initialize process creation callback pyrebox_print("[*] Initializing callbacks") # Add memory dump callback register_memory_dump_callback(memory_dump_callback) cm = CallbackManager(module_hdl, new_style=True) pyrebox_print("[*] Initialized callbacks") except Exception as e: import traceback traceback.print_exc()
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' from api import CallbackManager global cm global pyrebox_print # Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks\n") cm = CallbackManager(module_hdl, new_style = True) cm.add_callback(CallbackManager.KEYSTROKE_CB, my_function, name="keystroke") pyrebox_print("[*] Initialized callbacks\n") pyrebox_print("[!] Just type stuff on the guest")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print from api import CallbackManager # Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks\n") cm = CallbackManager(module_hdl, new_style = True) cm.add_callback(CallbackManager.BLOCK_BEGIN_CB, my_function, name="block_begin") pyrebox_print("[*] Initialized callbacks\n") pyrebox_print("[!] In order to perform the test, start monitoring some process")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print from api import CallbackManager # Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl, new_style=True) cm.add_callback(CallbackManager.CONTEXTCHANGE_CB, context_change, name="context_change") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print #Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks\n") cm = CallbackManager(module_hdl) cm.add_callback(CallbackManager.KEYSTROKE_CB, my_function, name="keystroke") pyrebox_print("[*] Initialized callbacks\n") pyrebox_print("[!] Just type stuff on the guest")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print # Initialize printer function (global var), that we can use to print # text that is associated to our script pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") # Initialize the callback manager, and register a couple of named # callbacks. cm = CallbackManager(module_hdl, new_style = True) cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print from api import CallbackManager # Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl, new_style = True) cm.add_callback(CallbackManager.NIC_SEND_CB, my_function_send, name="send") cm.add_callback(CallbackManager.NIC_REC_CB, my_function_receive, name="receive") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print from api import CallbackManager # Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks\n") cm = CallbackManager(module_hdl) cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc") pyrebox_print("[*] Initialized callbacks\n") pyrebox_print("[!] Test: Open calc.exe and monitor the process")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print global target_procname from api import CallbackManager from plugins.guest_agent import guest_agent pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl, new_style=True) cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print #Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks\n") cm = CallbackManager(module_hdl) cm.add_callback(CallbackManager.INSN_BEGIN_CB, insn_begin, name="insn_begin") pyrebox_print("[*] Initialized callbacks\n") pyrebox_print( "[!] In order to run the rest, open calc.exe and monitor the process." )
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print from api import CallbackManager # Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks\n") cm = CallbackManager(module_hdl) cm.add_callback(CallbackManager.BLOCK_BEGIN_CB, block_begin, name="block_begin") pyrebox_print("[*] Initialized callbacks\n") pyrebox_print( "[!] In order to run the test, start calc.exe and monitor it\n")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print # Initialize printer function (global var), that we can use to print # text that is associated to our script pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") # Initialize the callback manager, and register a couple of named # callbacks. cm = CallbackManager(module_hdl, new_style=True) cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): global cm global pyrebox_print global sample_to_upload global upload_path global sample_name from plugins.guest_agent import guest_agent pyrebox_print = printer cm = CallbackManager(module_hdl) # Push the sample from de host to de guest guest_agent.copy_file(sample_to_upload, upload_path + sample_name) # Create a Callback for every new process create to catch de sample when executed cm.add_callback(CallbackManager.CREATEPROC_CB, new_process_created, name="vmi_new_proc") # Run the sample uploaded to the VM guest_agent.execute_file(upload_path + sample_name)
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print pyrebox_print = printer pyrebox_print("[*] Initializing callbacks\n") cm = CallbackManager(module_hdl) cm.add_callback(CallbackManager.MEM_WRITE_CB, mem_write, name="mem_write") #Add a bpw_memrange trigger to the callback, that will limit #the address range for which the callback will be triggered cm.add_trigger("mem_write", "triggers/trigger_bpw_memrange.so") cm.set_trigger_var("mem_write", "begin", 0x0) cm.set_trigger_var("mem_write", "end", 0x80000000) cm.set_trigger_var("mem_write", "pgd", 0xFFFFFFFF) pyrebox_print("[*] Initialized callbacks\n")
def initialize_callbacks(module_hdl, printer): ''' Initialize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' from api import CallbackManager from plugins.guest_agent import guest_agent from mw_monitor2.interproc import interproc_data global cm global pyrebox_print global UNPACKER_LOG_PATH global UNPACKER_DUMP_PATH global interproc_data pyrebox_print = printer # Set configuration values try: f = open(os.environ["GENERIC_UNPACKER_CONF_PATH"], "r") conf_data = json.load(f) f.close() UNPACKER_LOG_PATH = conf_data.get("unpacker_log_path", None) UNPACKER_DUMP_PATH = conf_data.get("unpacker_dump_path", None) if UNPACKER_LOG_PATH is None or UNPACKER_DUMP_PATH is None: raise ValueError( "The json configuration file is not well-formed: fields missing?" ) except Exception as e: pyrebox_print( "Could not read or correctly process the configuration file: %s" % str(e)) return try: # Initialize log init_log() # Initialize process creation callback pyrebox_print("[*] Initializing callbacks") interproc_data.register_entry_point_callback(module_entry_point) interproc_data.register_file_read_callback(file_read) interproc_data.register_file_write_callback(file_write) interproc_data.register_remote_memory_read_callback(memory_read) interproc_data.register_remote_memory_write_callback(memory_write) interproc_data.register_section_map_callback(section_map) interproc_data.register_section_unmap_callback(section_unmap) cm = CallbackManager(module_hdl, new_style=True) pyrebox_print("[*] Initialized callbacks") except Exception as e: import traceback traceback.print_exc()
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl) cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc") cm.add_callback(CallbackManager.MEM_WRITE_CB, mem_write, name="mem_write") cm.add_callback(CallbackManager.BLOCK_BEGIN_CB, block_exec, name="block_begin") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print pyrebox_print = printer pyrebox_print("[*] Initializing callbacks\n") cm = CallbackManager(module_hdl, new_style = True) cm.add_callback(CallbackManager.MEM_WRITE_CB, mem_write, name="mem_write") # Add a bpw_memrange trigger to the callback, that will limit # the address range for which the callback will be triggered cm.add_trigger("mem_write", "triggers/trigger_bpw_memrange.so") cm.set_trigger_var("mem_write", "begin", 0x0) cm.set_trigger_var("mem_write", "end", 0x80000000) cm.set_trigger_var("mem_write", "pgd", 0xFFFFFFFF) pyrebox_print("[*] Initialized callbacks\n")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever the script is loaded for the first time, either with the import_module command, or when loaded at startup. ''' # We keep a callback manager as a global var. # --> To access it from any function. # --> Necessary to call cm.clean() from clean() function global cm global pyrebox_print # Initialize printer function (global var), that we can use to print # text that is associated to our script pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") # Initialize the callback manager, and register a couple of named # callbacks. cm = CallbackManager(module_hdl, new_style = True) cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc") cm.add_callback(CallbackManager.REMOVEPROC_CB, remove_proc, name="vmi_remove_proc") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. ''' global cm global pyrebox_print # Initialize printer function pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") # Initialize the callback manager cm = CallbackManager(module_hdl) # TODO: Register some callback pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initialize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' from api import CallbackManager from plugins.guest_agent import guest_agent from autorun.autorun import register_autorun_create_proc_callback global interproc_config global cm global pyrebox_print pyrebox_print = printer # Set configuration values try: pyrebox_print("[*] Reading configuration file") #Read AutoRun configuration file (json) f = open(os.environ["MWMONITOR_INTERPROC_CONF_PATH"], "r") conf = json.load(f) f.close() interproc_config.interproc_bin_log = conf.get("bin_log", False) interproc_config.interproc_text_log = conf.get("text_log", False) interproc_config.interproc_basic_stats = conf.get("basic_stats", False) interproc_config.interproc_text_log_name = conf.get("text_log_path", "interproc.log") interproc_config.interproc_basic_stats_name = conf.get("basic_stats_path", "basic_stats") interproc_config.interproc_bin_log_name = conf.get("bin_log_path", "interproc.bin") interproc_config.interproc_text_log_handle = open(interproc_config.interproc_text_log_name, "w") except Exception as e: pyrebox_print("Could not read or correctly process the configuration file: %s" % str(e)) return try: cm = CallbackManager(module_hdl, new_style = True) # Initialize process creation callback pyrebox_print("[*] Initializing callbacks") register_autorun_create_proc_callback(interproc_start_monitoring_process) pyrebox_print("[*] Initialized callbacks") except Exception as e: import traceback traceback.print_exc()
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print #Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl) cm.add_callback(CallbackManager.NIC_SEND_CB, my_function_send, name="send") cm.add_callback(CallbackManager.NIC_REC_CB, my_function_receive, name="receive") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print from api import CallbackManager # Initialize printer pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl, new_style=True) cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc") cm.add_callback(CallbackManager.REMOVEPROC_CB, remove_proc, name="vmi_remove_proc") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever the script is loaded for the first time, either with the import_module command, or when loaded at startup. ''' # We keep a callback manager as a global var. # --> To access it from any function. # --> Necessary to call cm.clean() from clean() function global cm global pyrebox_print from plugins.guest_agent import guest_agent # Initialize printer function (global var), that we can use to print # text that is associated to our script pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") # Initialize the callback manager, and register a couple of named # callbacks. cm = CallbackManager(module_hdl) cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc") cm.add_callback(CallbackManager.REMOVEPROC_CB, remove_proc, name="vmi_remove_proc") pyrebox_print("[*] Initialized callbacks") filename = None with open("filename", "rb") as f: filename = f.readlines() guest_agent.copy_file(filename.strip(), "C:\\Users\\Windows7\\Desktop\\filename.exe") guest_agent.execute_file("C:\\Users\\Windows7\\Desktop\\filename.exe")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl, new_style=True) cm.add_callback(CallbackManager.INSN_BEGIN_CB, insn_begin, name="insn_begin") # Add a trigger so that the callback is only triggered # for a certain range of addresses cm.add_trigger("insn_begin", "triggers/trigger_bp_memrange.so") cm.set_trigger_var("insn_begin", "begin", 0x100218f) cm.set_trigger_var("insn_begin", "end", 0x1002190) cm.set_trigger_var("insn_begin", "pgd", 0xFFFFFFFF) pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl, new_style = True) cm.add_callback(CallbackManager.INSN_BEGIN_CB, insn_begin, name="insn_begin") # Add a trigger so that the callback is only triggered # for a certain range of addresses cm.add_trigger("insn_begin", "triggers/trigger_bp_memrange.so") cm.set_trigger_var("insn_begin", "begin", 0x100218f) cm.set_trigger_var("insn_begin", "end", 0x1002190) cm.set_trigger_var("insn_begin", "pgd", 0xFFFFFFFF) pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initialize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' from api import CallbackManager from plugins.guest_agent import guest_agent global cm global pyrebox_print global target_procname global autorun_module_handle autorun_module_handle = module_hdl pyrebox_print = printer pyrebox_print("[*] Reading configuration file") #Read AutoRun configuration file (json) f = open(os.environ["AUTORUN_CONF_PATH"], "r") conf = json.load(f) f.close() kws = [ "container_path", "main_executable_file", "extract_path", "temp_path", "preserve_filenames" ] for k in kws: if k not in conf: pyrebox_print( "The configuration file does not contain the necessary keywords" ) return # Initialize process creation callback pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl, new_style=True) cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc") pyrebox_print("[*] Initialized callbacks") # Copy target file to guest, and execute it pyrebox_print("Copying host file to guest, using agent...") temp_dnames = [] if "container_path" in conf and tarfile.is_tarfile(conf["container_path"]): # For each file in the tar file, extract to a temporary file, # and copy to the VM with the appropriate file name. extracted_files = {} tar = tarfile.open(conf["container_path"], "r:gz") # Get file names inside the tar file for tarinfo in tar: extracted_files[tarinfo.name] = None # Extract each file into a temporary file for fname in extracted_files.keys(): temp_dname = tempfile.mkdtemp(dir=conf["temp_path"]) temp_dnames.append(temp_dname) tar.extract(fname, path=temp_dname) extracted_files[fname] = os.path.join(temp_dname, fname) tar.close() # Copy files to the VM for fname, temp_fname in extracted_files.iteritems(): # Copy the specified file to C:\\temp.exe in the guest if conf["preserve_filenames"]: guest_agent.copy_file(temp_fname, conf["extract_path"] + fname) else: guest_agent.copy_file(temp_fname, conf["extract_path"] + "file.exe") conf["main_executable_file"] = "file.exe" # Execute the file. We set a callback to signal this script that # the files have already been copied and can be deleted f = functools.partial(files_copied_callback, temp_dnames) guest_agent.execute_file(conf["extract_path"] + conf["main_executable_file"], callback=f) # stop_agent() does not only kill the agent, but it also # disables the agent plugin. Invalid opcodes # are not treated as agent commands any more, so this call # improves transparency. guest_agent.stop_agent() # Set target proc name: target_procname = conf["main_executable_file"] pyrebox_print("Waiting for process %s to start\n" % target_procname) pyrebox_print("Module loaded: %d" % module_hdl)
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl, new_style = True) cm.add_callback(CallbackManager.CREATEPROC_CB, my_createproc, name="createproc") cm.add_trigger("createproc", "triggers/trigger_getset_var_example.so") cm.set_trigger_var("createproc", "var1", 0) cm.set_trigger_var("createproc", "var2", 100) cm.set_trigger_var("createproc", "var3", "Hello world") pyrebox_print("[*] Initialized callbacks")
def initialize_callbacks(module_hdl, printer): ''' Initialize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' from api import CallbackManager from plugins.guest_agent import guest_agent from mw_monitor2.interproc import interproc_data from deviare_db_parser import set_db_path global cm global pyrebox_print global APITRACER_BIN_LOG_PATH global APITRACER_TEXT_LOG_PATH global APITRACER_RULES global APITRACER_LIGHT_MODE global APITRACER_DATABASE32 global APITRACER_DATABASE64 global APITRACER_ANTI_STOLEN global APITRACER_ENABLE_JMP global APITRACER_ENABLE_RET global interproc_data pyrebox_print = printer # Set configuration values try: f = open(os.environ["MWMONITOR_APITRACER_CONF_PATH"], "r") conf_data = json.load(f) f.close() APITRACER_BIN_LOG_PATH = conf_data.get("bin_log_path", None) APITRACER_TEXT_LOG_PATH = conf_data.get("text_log_path", None) APITRACER_RULES = conf_data.get("rules", []) # Validate the rules if "policy" not in APITRACER_RULES: raise Exception("Invalid rules configuration: no policy specified") if APITRACER_RULES["policy"] != "accept" and APITRACER_RULES[ "policy"] != "reject": raise Exception( "Invalid rules configuration: policy must be 'reject' or 'accept'" ) if "rules" not in APITRACER_RULES or not isinstance( APITRACER_RULES["rules"], list): raise Exception("Invalid rules configuration: no rules group") for ru in APITRACER_RULES["rules"]: if not isinstance(ru, dict): raise Exception( "Invalid rules configuration: each rule must be a dictionary" ) if "action" not in ru or "mod" not in ru or "fun" not in ru: raise Exception( "Invalid rules configuration: each rule must contain the keywords: action, mod, and fun" ) if not (isinstance(ru["action"], str) or isinstance(ru["action"], unicode)): raise Exception( "Invalid rules configuration: action keyword must be str or unicode" ) if not (isinstance(ru["mod"], str) or isinstance(ru["mod"], unicode)): raise Exception( "Invalid rules configuration: mod keyword must be str or unicode" ) if not (isinstance(ru["fun"], str) or isinstance(ru["fun"], unicode)): raise Exception( "Invalid rules configuration: fun keyword must be str or unicode" ) for kw in ru: if kw not in ["action", "mod", "fun", "from_mod"]: raise Exception( "Invalid rules configuration: Invalid keyword: %s" % kw) if ru["action"] != "accept" and ru["action"] != "reject": raise Exception( "Rule action must be either 'accept' or 'reject'") APITRACER_LIGHT_MODE = conf_data.get("light_mode", True) if not "database_path_32" in conf_data: raise Exception( "Database path ('database_path_32') not properly specified") if not "database_path_64" in conf_data: raise Exception( "Database path ('database_path_64') not properly specified") APITRACER_DATABASE32 = conf_data.get("database_path_32", None) set_db_path(APITRACER_DATABASE32, 32) APITRACER_DATABASE64 = conf_data.get("database_path_64", None) set_db_path(APITRACER_DATABASE64, 64) # Tracing engine configuration if "anti_stolen_bytes" in conf_data: APITRACER_ANTI_STOLEN = conf_data["anti_stolen_bytes"] else: APITRACER_ANTI_STOLEN = False if "enable_jmp_tracing" in conf_data: APITRACER_ENABLE_JMP = conf_data["enable_jmp_tracing"] else: APITRACER_ENABLE_JMP = False if "enable_ret_tracing" in conf_data: APITRACER_ENABLE_RET = conf_data["enable_ret_tracing"] else: APITRACER_ENABLE_RET = False if APITRACER_BIN_LOG_PATH is None or APITRACER_TEXT_LOG_PATH is None: raise ValueError( "The json configuration file is not well-formed: fields missing?" ) except Exception as e: pyrebox_print( "Could not read or correctly process the configuration file: %s" % str(e)) return try: # Initialize process creation callback pyrebox_print("[*] Initializing callbacks") interproc_data.register_entry_point_callback(module_entry_point) interproc_data.register_load_module_callback(module_load) cm = CallbackManager(module_hdl, new_style=True) pyrebox_print("[*] Initialized callbacks") except Exception as e: traceback.print_exc()
def initialize_callbacks(module_hdl, printer): ''' Initilize callbacks for this module. This function will be triggered whenever import_module command is triggered. ''' global cm global pyrebox_print pyrebox_print = printer pyrebox_print("[*] Initializing callbacks") cm = CallbackManager(module_hdl) cm.add_callback(CallbackManager.CREATEPROC_CB, my_createproc, name="createproc") cm.add_trigger("createproc", "triggers/trigger_getset_var_example.so") cm.set_trigger_var("createproc", "var1", 0) cm.set_trigger_var("createproc", "var2", 100) cm.set_trigger_var("createproc", "var3", "Hello world") pyrebox_print("[*] Initialized callbacks")