def parse(self, path):
    """Parse the monitor log at *path* and yield its events in order.

    Every raw event produced by the BSON parser is yielded unchanged. Two
    event types additionally trigger bookkeeping:

    * ``process``: a copy of the event is stored in ``self.processes`` with
      a ``MonitorProcessLog`` attached under ``"calls"``, and a
      ``BehaviorReconstructor`` / ``RebootReconstructor`` pair is registered
      for its pid in ``self.behavior`` / ``self.reboot``.
    * ``apicall``: the reconstructors for the event's pid are fed the call
      and each result is yielded as a synthetic ``generic`` or ``reboot``
      event before the raw ``apicall`` event itself.

    Args:
        path: path of the BSON log file to read.

    Yields:
        dict: raw parser events plus the synthetic ``generic`` / ``reboot``
        events described above.
    """
    # NOTE(review): the handle is handed to the parser and never closed
    # here. MonitorProcessLog keeps a reference to that parser, so do not
    # add a ``with`` block without confirming nothing reads from it after
    # this generator is exhausted.
    stream = BsonParser(open(path, "rb"))
    stream.init()

    for event in stream:
        kind = event["type"]

        if kind == "process":
            # ``current`` stays bound to the most recent process event; the
            # apicall branch below relies on it for the "first_seen" base
            # time and for the has_apicalls flag.
            current = dict(event)
            current["calls"] = MonitorProcessLog(stream, current["modules"])
            self.processes.append(current)

            pid = current["pid"]
            self.behavior[pid] = BehaviorReconstructor()
            self.reboot[pid] = RebootReconstructor()

        elif kind == "apicall":
            pid = event["pid"]
            recon = self.behavior[pid]
            reboot_recon = self.reboot[pid]

            # Turn the Windows API call into category/value "generic" events.
            for category, value in recon.process_apicall(event):
                yield {
                    "type": "generic",
                    "pid": pid,
                    "category": category,
                    "value": value,
                }

            # Feed the same call to the reboot reconstructor.
            for category, args in reboot_recon.process_apicall(event):
                # TODO: the absolute time is derived here a second time even
                # though MonitorProcessLog already performs this computation.
                # NOTE(review): "%d" is the day of the month, so "time" is
                # not an epoch timestamp here -- confirm this is intended.
                when = current["first_seen"] + datetime.timedelta(
                    0, 0, event["time"] * 1000
                )
                yield {
                    "type": "reboot",
                    "category": category,
                    "args": args,
                    "time": int(when.strftime("%d")),
                }

            # Mark the owning process log as having API calls (see the
            # __nonzero__ above for why this flag matters).
            current["calls"].has_apicalls = True

        yield event
def parse(self, path):
    """Parse the monitor log at *path* and yield its events in order.

    Every raw event produced by the BSON parser is yielded unchanged. Two
    event types additionally trigger bookkeeping:

    * ``process``: a copy of the event is stored in ``self.processes`` with
      a ``MonitorProcessLog`` attached under ``"calls"``, and a
      ``BehaviorReconstructor`` / ``RebootReconstructor`` pair is registered
      for its pid in ``self.behavior`` / ``self.reboot``.
    * ``apicall``: the reconstructors for the event's pid are fed the call
      and each result is yielded as a synthetic ``generic`` or ``reboot``
      event, tagged with an absolute ``"ts"``, before the raw ``apicall``
      event itself.

    Args:
        path: path of the BSON log file to read.

    Yields:
        dict: raw parser events plus the synthetic ``generic`` / ``reboot``
        events described above.
    """
    # TODO: no proper cleanup -- the handle is kept on self.fp and never
    # closed here. NOTE(review): MonitorProcessLog keeps a reference to the
    # parser wrapping it, so confirm nothing reads from it after this
    # generator is exhausted before adding a ``with`` block.
    self.fp = open(path, "rb")
    stream = BsonParser(self.fp, self.task_id)

    for event in stream:
        kind = event["type"]

        if kind == "process":
            # ``current`` stays bound to the most recent process event; the
            # apicall branch below relies on it for the "first_seen" base
            # time and for the has_apicalls flag.
            current = dict(event)
            current["calls"] = MonitorProcessLog(stream, current["modules"])
            self.processes.append(current)

            pid = current["pid"]
            self.behavior[pid] = BehaviorReconstructor()
            self.reboot[pid] = RebootReconstructor()

        elif kind == "apicall":
            pid = event["pid"]
            recon = self.behavior[pid]
            reboot_recon = self.reboot[pid]

            # TODO! The absolute time is derived here a second time even
            # though MonitorProcessLog already performs this computation.
            when = current["first_seen"] + datetime.timedelta(
                0, 0, event["time"] * 1000
            )
            # Under Python 2.7 a strftime round trip is the available way to
            # get from a datetime back to an epoch float. "%s" is a platform
            # (glibc) extension rather than a documented Python directive.
            abs_ts = float(when.strftime("%s.%f"))

            # Turn the Windows API call into category/value "generic" events.
            for category, value in recon.process_apicall(event):
                yield {
                    "ts": abs_ts,
                    "type": "generic",
                    "pid": pid,
                    "category": category,
                    "value": value,
                }

            # Feed the same call to the reboot reconstructor.
            for category, args in reboot_recon.process_apicall(event):
                yield {
                    "ts": abs_ts,
                    "type": "reboot",
                    "category": category,
                    "args": args,
                    "time": int(when.strftime("%s")),
                }

            # Mark the owning process log as having API calls (see the
            # __nonzero__ above for why this flag matters).
            current["calls"].has_apicalls = True

        yield event
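def negotiate_protocol(self):
    """Read the protocol banner sent by the peer and install its handler.

    The first line on the connection names the stream type and, optionally,
    a protocol version (``COMMAND`` or ``COMMAND VERSION``). ``self.protocol``
    is set to the matching handler -- ``BsonParser``, ``FileUpload`` or
    ``LogHandler`` -- constructed with this object and the version (``None``
    when absent), and its ``init()`` is called.

    Raises:
        CuckooOperationalError: if the banner has more than two fields, the
            version is not an integer, or the command names no known
            protocol. The banner comes from the remote side, so a malformed
            line is reported through this error rather than leaking out as a
            ValueError from tuple unpacking or int().
    """
    banner = self.read_newline(strip=True)

    fields = banner.split()
    if len(fields) == 1:
        command, version = fields[0], None
    elif len(fields) == 2:
        command = fields[0]
        try:
            version = int(fields[1])
        except ValueError:
            raise CuckooOperationalError(
                "Netlog failure, invalid protocol version %r." % fields[1]
            )
    else:
        raise CuckooOperationalError(
            "Netlog failure, malformed protocol request %r." % banner
        )

    # Handler lookup by command; names are resolved at call time exactly as
    # the if/elif chain they replace did.
    handlers = {
        "BSON": BsonParser,
        "FILE": FileUpload,
        "LOG": LogHandler,
    }
    handler = handlers.get(command)
    if handler is None:
        raise CuckooOperationalError(
            "Netlog failure, unknown protocol requested.")

    self.protocol = handler(self, version)
    self.protocol.init()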