def __init__(self, config: Config, instance_id: int):
super().__init__(config)
# Now that karton is set up we can plug in our logger
logger = logging.getLogger("drakrun")
for handler in self.log.handlers:
logger.addHandler(handler)
logger.setLevel(logging.INFO)
self.instance_id = instance_id
self.install_info = InstallInfo.load()
self.default_timeout = int(
self.config.config['drakrun'].get('analysis_timeout') or 60 * 10)
with open(os.path.join(PROFILE_DIR, "runtime.json"), 'r') as runtime_f:
self.runtime_info = RuntimeInfo.load(runtime_f)
self.active_plugins = {}
self.active_plugins["_all_"] = [
'apimon', 'bsodmon', 'clipboardmon', 'cpuidmon', 'crashmon',
'debugmon', 'delaymon', 'exmon', 'filedelete', 'filetracer',
'librarymon', 'memdump', 'procdump', 'procmon', 'regmon', 'rpcmon',
'ssdtmon', 'syscalls', 'tlsmon', 'windowmon', 'wmimon'
]
for quality, list_str in self.config.config.items('drakvuf_plugins'):
plugins = [x for x in list_str.split(',') if x.strip()]
self.active_plugins[quality] = plugins
def create_missing_profiles():
"""
Creates usermode profiles by restoring vm-1 and extracting the DLLs.
Assumes that injector is configured properly, i.e. kernel and runtime
profiles exist and that vm-1 is free to use.
"""
# Prepare injector
with open(os.path.join(PROFILE_DIR, "runtime.json"), "r") as runtime_f:
runtime_info = RuntimeInfo.load(runtime_f)
kernel_profile = os.path.join(PROFILE_DIR, "kernel.json")
injector = Injector("vm-1", runtime_info, kernel_profile)
# restore vm-1
out_interface = conf["drakrun"].get("out_interface", "")
dns_server = conf["drakrun"].get("dns_server", "")
install_info = InstallInfo.load()
backend = get_storage_backend(install_info)
generate_vm_conf(install_info, 1)
setup_vm_network(vm_id=1,
net_enable=False,
out_interface=out_interface,
dns_server=dns_server)
vm = VirtualMachine(backend, 1)
vm.restore()
# Ensure that all declared usermode profiles exist
# This is important when upgrade defines new entries in dll_file_list and compulsory_dll_file_list
for profile in compulsory_dll_file_list:
if not profiles_exist(profile.dest):
create_rekall_profile(injector, profile, True)
for profile in dll_file_list:
if not profiles_exist(profile.dest):
try:
create_rekall_profile(injector, profile)
except Exception:
log.exception(
"Unexpected exception from create_rekall_profile!")
build_os_info(APISCOUT_PROFILE_DIR, vmi_win_guid(vm.vm_name), backend)
dll_basename_list = [dll.dest for dll in dll_file_list]
static_apiscout_profile = build_static_apiscout_profile(
APISCOUT_PROFILE_DIR, dll_basename_list)
with open(
Path(APISCOUT_PROFILE_DIR) / "static_apiscout_profile.json",
"w") as f:
json.dump(static_apiscout_profile, f)
vm.destroy()
delete_vm_network(vm_id=1,
net_enable=False,
out_interface=out_interface,
dns_server=dns_server)
def postupgrade():
if not check_root():
return
with open(os.path.join(ETC_DIR, 'scripts/cfg.template'), 'r') as f:
template = f.read()
passwd_characters = string.ascii_letters + string.digits
passwd = ''.join(secrets.choice(passwd_characters) for _ in range(20))
template = template.replace('{{ VNC_PASS }}', passwd)
with open(os.path.join(ETC_DIR, 'scripts', 'cfg.template'), 'w') as f:
f.write(template)
detect_defaults()
install_info = InstallInfo.try_load()
if not install_info:
logging.info("Postupgrade done. DRAKVUF Sandbox not installed.")
return
# Prepare injector
with open(os.path.join(PROFILE_DIR, "runtime.json"), 'r') as runtime_f:
runtime_info = RuntimeInfo.load(runtime_f)
kernel_profile = os.path.join(PROFILE_DIR, "kernel.json")
injector = Injector('vm-1', runtime_info, kernel_profile)
stop_all_drakruns()
# Use vm-1 for generating profiles
out_interface = conf['drakrun'].get('out_interface', '')
dns_server = conf['drakrun'].get('dns_server', '')
setup_vm_network(vm_id=1,
net_enable=False,
out_interface=out_interface,
dns_server=dns_server)
backend = get_storage_backend(install_info)
vm = VirtualMachine(backend, 1)
vm.restore()
create_missing_profiles(injector)
vm.destroy()
delete_vm_network(vm_id=1,
net_enable=False,
out_interface=out_interface,
dns_server=dns_server)
start_enabled_drakruns()
def create_missing_profiles():
"""
Creates usermode profiles by restoring vm-1 and extracting the DLLs.
Assumes that injector is configured properly, i.e. kernel and runtime
profiles exist and that vm-1 is free to use.
"""
# Prepare injector
with open(os.path.join(PROFILE_DIR, "runtime.json"), "r") as runtime_f:
runtime_info = RuntimeInfo.load(runtime_f)
kernel_profile = os.path.join(PROFILE_DIR, "kernel.json")
injector = Injector("vm-1", runtime_info, kernel_profile)
# restore vm-1
out_interface = conf["drakrun"].get("out_interface", "")
dns_server = conf["drakrun"].get("dns_server", "")
install_info = InstallInfo.load()
backend = get_storage_backend(install_info)
generate_vm_conf(install_info, 1)
setup_vm_network(vm_id=1,
net_enable=False,
out_interface=out_interface,
dns_server=dns_server)
vm = VirtualMachine(backend, 1)
vm.restore()
# Ensure that all declared usermode profiles exist
# This is important when upgrade defines new entries in dll_file_list and compulsory_dll_file_list
for profile in compulsory_dll_file_list:
if not profile_exists(profile):
create_rekall_profile(injector, profile, True)
for profile in dll_file_list:
if not profile_exists(profile):
try:
create_rekall_profile(injector, profile)
except Exception:
# silence per-dll errors
pass
vm.destroy()
delete_vm_network(vm_id=1,
net_enable=False,
out_interface=out_interface,
dns_server=dns_server)
def __init__(self, config: Config, instance_id: int):
super().__init__(config)
# Now that karton is set up we can plug in our logger
logger = logging.getLogger("drakrun")
for handler in self.log.handlers:
logger.addHandler(handler)
logger.setLevel(logging.INFO)
self.instance_id = instance_id
self.install_info = InstallInfo.load()
self.default_timeout = int(
self.config.config["drakrun"].get("analysis_timeout") or 60 * 10
)
with open(os.path.join(PROFILE_DIR, "runtime.json"), "r") as runtime_f:
self.runtime_info = RuntimeInfo.load(runtime_f)
self.active_plugins = {}
self.active_plugins["_all_"] = [
"apimon",
"bsodmon",
"clipboardmon",
"cpuidmon",
"crashmon",
"debugmon",
"delaymon",
"exmon",
"filedelete",
"filetracer",
"librarymon",
"memdump",
"procdump",
"procmon",
"regmon",
"rpcmon",
"ssdtmon",
"syscalls",
"tlsmon",
"windowmon",
"wmimon",
]
for quality, list_str in self.config.config.items("drakvuf_plugins"):
plugins = [x for x in list_str.split(",") if x.strip()]
self.active_plugins[quality] = plugins
def __init__(self, vm_id: int, dns: str):
install_info = InstallInfo.load()
backend = get_storage_backend(install_info)
generate_vm_conf(install_info, vm_id)
self.vm = VirtualMachine(backend, vm_id)
with open(Path(PROFILE_DIR) / "runtime.json", 'r') as f:
self.runtime_info = RuntimeInfo.load(f)
self.desktop = WinPath(r"%USERPROFILE%") / "Desktop"
self.kernel_profile = Path(PROFILE_DIR) / "kernel.json"
self.injector = Injector(
self.vm.vm_name,
self.runtime_info,
self.kernel_profile,
)
setup_vm_network(vm_id, True, find_default_interface(), dns)
def test_runtime_info_load(serialized_runtime_info):
stream = StringIO(serialized_runtime_info)
RuntimeInfo.load(stream)