def start(self, path):
# TODO: proper constructor for MySQL connection handler
host = "10.0.20.1"
user = "******"
passwd = "avtest"
dbname = "avtest"
conn = MySQLdb.connect(host, user, passwd, dbname)
cursor = conn.cursor()
task_id = self.get_task_id()
p = Process()
if "arguments" in self.options:
x = p.execute(path=path, args=self.options["arguments"], suspended=False)
else:
x = p.execute(path=path, suspended=False)
if x == True:
cursor.execute("UPDATE tasks SET detected = %s WHERE id = %s",
(1, task_id))
conn.commit()
elif x == False:
cursor.execute("UPDATE tasks SET detected = %s WHERE id = %s",
(2, task_id))
conn.commit()
else:
return False
return p.pid
def finish(self):
if self.options.get("procmemdump", False):
for pid in self.pids:
p = Process(pid=pid)
p.dump_memory()
return True
def start(self, path):
# TODO: proper constructor for MySQL connection handler
host = "10.0.20.1"
user = "******"
passwd = "avtest"
dbname = "avtest"
conn = MySQLdb.connect(host, user, passwd, dbname)
cursor = conn.cursor()
task_id = self.get_task_id()
p = Process()
if "arguments" in self.options:
x = p.execute(path=path,
args=self.options["arguments"],
suspended=False)
else:
x = p.execute(path=path, suspended=False)
if x == True:
cursor.execute("UPDATE tasks SET detected = %s WHERE id = %s",
(1, task_id))
conn.commit()
elif x == False:
cursor.execute("UPDATE tasks SET detected = %s WHERE id = %s",
(2, task_id))
conn.commit()
else:
return False
return p.pid
def execute(self, path, args):
p = Process()
if not p.execute(path=path, args=args, suspended=True):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
return p.pid
def finish(self):
if self.options.get("procmemdump", False):
for pid in self.pids:
p = Process(pid=pid)
p.dump_memory()
return True
def start(self):
proc_info = PROCESSENTRY32()
proc_info.dwSize = sizeof(PROCESSENTRY32)
snapshot = KERNEL32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
flag = KERNEL32.Process32First(snapshot, byref(proc_info))
pid = 0
while flag:
if proc_info.sz_exeFile == b"lsass.exe":
pid = proc_info.th32ProcessID
log.info("lsass.exe found, pid %d", pid)
flag = 0
flag = KERNEL32.Process32Next(snapshot, byref(proc_info))
if not pid:
log.warning("Unable to find lsass.exe process.")
return
try:
p = Process(options=self.options, config=self.config, pid=pid)
filepath = p.get_filepath()
p.inject(injectmode=0, interest=filepath, nosleepskip=True)
except CuckooError as e:
if "process access denied" in e.message:
log.warning("You're not running the Agent as Administrator.")
else:
log.warning(
"An unknown error occurred while trying to inject into "
"the lsass.exe process to dump TLS master secrets: %s", e)
del self.options["tlsdump"]
def execute(self, path, args, mode=None, maximize=False):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param mode: monitor mode - which functions to instrument
@param maximize: whether the GUI should start maximized
@return: process pid
"""
dll = self.options.get("dll")
free = self.options.get("free")
source = self.options.get("from", "explorer.exe")
# Setup pre-defined registry keys.
self.init_regkeys(self.REGKEYS)
p = Process()
if not p.execute(path=path,
args=args,
dll=dll,
free=free,
curdir=self.curdir,
source=source,
mode=mode,
maximize=maximize):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
return p.pid
def execute(self, path, args, mode=None, maximize=False, env=None,
source=None, trigger=None):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param mode: monitor mode - which functions to instrument
@param maximize: whether the GUI should start maximized
@param env: additional environment variables
@param source: parent process of our process
@param trigger: trigger to indicate analysis start
@return: process pid
"""
dll = self.options.get("dll")
free = self.options.get("free")
source = source or self.options.get("from")
mode = mode or self.options.get("mode")
# Setup pre-defined registry keys.
self.init_regkeys(self.REGKEYS)
p = Process()
if not p.execute(path=path, args=args, dll=dll, free=free,
curdir=self.curdir, source=source, mode=mode,
maximize=maximize, env=env, trigger=trigger):
raise CuckooPackageError(
"Unable to execute the initial process, analysis aborted."
)
return p.pid
def start(self, path):
try:
sc = self.get_path("sc.exe")
servicename = self.options.get("servicename", "CAPEService")
servicedesc = self.options.get("servicedesc", "CAPE Service")
arguments = self.options.get("arguments")
if "." not in os.path.basename(path):
new_path = path + ".exe"
os.rename(path, new_path)
path = new_path
binPath = "\"{0}\"".format(path)
if arguments:
binPath += " {0}".format(arguments)
scm_handle = ADVAPI32.OpenSCManagerA(None, None,
SC_MANAGER_ALL_ACCESS)
if scm_handle == 0:
log.info("Failed to open SCManager")
log.info(ctypes.FormatError())
return
service_handle = ADVAPI32.CreateServiceA(
scm_handle, servicename, servicedesc, SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE, binPath, None, None, None, None, None)
if service_handle == 0:
log.info("Failed to create service")
log.info(ctypes.FormatError())
return
log.info("Created service (handle: 0x%x)", service_handle)
servproc = Process(options=self.options,
config=self.config,
pid=self.config.services_pid,
suspended=False)
filepath = servproc.get_filepath()
is_64bit = servproc.is_64bit()
if is_64bit:
servproc.inject(injectmode=INJECT_QUEUEUSERAPC,
interest=filepath,
nosleepskip=True)
else:
servproc.inject(injectmode=INJECT_QUEUEUSERAPC,
interest=filepath,
nosleepskip=True)
servproc.close()
KERNEL32.Sleep(500)
service_launched = ADVAPI32.StartServiceA(service_handle, 0, None)
if service_launched == True:
log.info("Successfully started service")
else:
log.info(ctypes.FormatError())
log.info("Failed to start service")
ADVAPI32.CloseServiceHandle(service_handle)
ADVAPI32.CloseServiceHandle(scm_handle)
return
except Exception as e:
log.info(sys.exc_info()[0])
log.info(e)
log.info(e.__dict__)
log.info(e.__class__)
log.exception(e)
def start(self, path):
p = Process()
dll = self.options.get("dll")
p.execute(path="bin/execsc.exe", args=[path], suspended=True)
p.inject(dll)
p.resume()
p.wait()
return p.pid
def test_is32bit_process():
p = Process()
with chdir("cuckoo/data/analyzer/windows"):
# Normally the user shouldn't be able to access the SYSTEM process.
with pytest.raises(CuckooError) as e:
p.is32bit(pid=4)
e.match("process access denied$")
def test_is32bit_process():
p = Process()
with chdir("cuckoo/data/analyzer/windows"):
# Normally the user shouldn't be able to access the SYSTEM process.
with pytest.raises(CuckooError) as e:
p.is32bit(pid=4)
e.match("process access denied$")
def run_ie(self):
time.sleep(30)
iexplore = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe")
ie = Process()
if not ie.execute(path=iexplore, args="\"https://www.yahoo.com/\"", suspended=False):
raise CuckooPackageError("Unable to execute initial Internet "
"Explorer process, analysis aborted")
return None
def prepare(self):
"""Prepare env for analysis."""
# Get SeDebugPrivilege for the Python process. It will be needed in
# order to perform the injections.
grant_debug_privilege()
# Initialize logging.
init_logging()
# Parse the analysis configuration file generated by the agent.
self.config = Config(cfg="analysis.conf")
# Pass the configuration through to the Process class.
Process.set_config(self.config)
# Set virtual machine clock.
set_clock(
datetime.datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S"))
# Set the default DLL to be used for this analysis.
self.default_dll = self.config.options.get("dll")
# If a pipe name has not set, then generate a random one.
if "pipe" in self.config.options:
self.config.pipe = "\\\\.\\PIPE\\%s" % self.config.options["pipe"]
else:
self.config.pipe = "\\\\.\\PIPE\\%s" % random_string(16, 32)
# Generate a random name for the logging pipe server.
self.config.logpipe = "\\\\.\\PIPE\\%s" % random_string(16, 32)
# Initialize and start the Command Handler pipe server. This is going
# to be used for communicating with the monitored processes.
self.command_pipe = PipeServer(PipeDispatcher,
self.config.pipe,
message=True,
dispatcher=CommandPipeHandler(self))
self.command_pipe.daemon = True
self.command_pipe.start()
# Initialize and start the Log Pipe Server - the log pipe server will
# open up a pipe that monitored processes will use to send logs to
# before they head off to the host machine.
destination = self.config.ip, self.config.port
self.log_pipe_server = PipeServer(PipeForwarder,
self.config.logpipe,
destination=destination)
self.log_pipe_server.daemon = True
self.log_pipe_server.start()
# We update the target according to its category. If it's a file, then
# we store the target path.
if self.config.category == "file":
self.target = os.path.join(os.environ["TEMP"] + os.sep,
self.config.file_name)
# If it's a URL, well.. we store the URL.
else:
self.target = self.config.target
def stop(self):
"""Stop all pids of this analysis package"""
for pid in self.initial_pids:
p = Process(pid=pid)
if p.is_alive():
try:
p.terminate()
except Exception:
continue
def test_is32bit_process():
p = Process()
with chdir("cuckoo/data/analyzer/windows"):
# Normally (i.e., when not Administrator) the user shouldn't be able
# to access the lsass.exe process.
with pytest.raises(CuckooError) as e:
p.is32bit(process_name="lsass.exe")
e.match("process access denied$")
def terminate_tracked(self):
log.info("Terminating all remaining processes")
for pid in self.pids:
p = Process(pid=pid)
if p.is_alive():
try:
p.terminate()
except Exception:
continue
def initialize(self):
Process.set_config(self.config)
self.config.logpipe = get_pipe_path(random_string(16, 32))
self.config.pipe = self.config.options.get(
"pipe", get_pipe_path(random_string(16, 32))
)
self.msgclient = MessageClient(
self.config.ip, self.config.port, self
)
def prepare(self):
"""Prepare env for analysis."""
# Get SeDebugPrivilege for the Python process. It will be needed in
# order to perform the injections.
grant_debug_privilege()
# Initialize logging.
init_logging()
# Parse the analysis configuration file generated by the agent.
self.config = Config(cfg="analysis.conf")
# Pass the configuration through to the Process class.
Process.set_config(self.config)
# Set virtual machine clock.
set_clock(datetime.datetime.strptime(
self.config.clock, "%Y%m%dT%H:%M:%S"
))
# Set the default DLL to be used for this analysis.
self.default_dll = self.config.options.get("dll")
# If a pipe name has not set, then generate a random one.
if "pipe" in self.config.options:
self.config.pipe = "\\\\.\\PIPE\\%s" % self.config.options["pipe"]
else:
self.config.pipe = "\\\\.\\PIPE\\%s" % random_string(16, 32)
# Generate a random name for the logging pipe server.
self.config.logpipe = "\\\\.\\PIPE\\%s" % random_string(16, 32)
# Initialize and start the Command Handler pipe server. This is going
# to be used for communicating with the monitored processes.
self.command_pipe = PipeServer(PipeDispatcher, self.config.pipe,
message=True,
dispatcher=CommandPipeHandler(self))
self.command_pipe.daemon = True
self.command_pipe.start()
# Initialize and start the Log Pipe Server - the log pipe server will
# open up a pipe that monitored processes will use to send logs to
# before they head off to the host machine.
destination = self.config.ip, self.config.port
self.log_pipe_server = PipeServer(PipeForwarder, self.config.logpipe,
destination=destination)
self.log_pipe_server.daemon = True
self.log_pipe_server.start()
# We update the target according to its category. If it's a file, then
# we store the target path.
if self.config.category == "file":
self.target = os.path.join(os.environ["TEMP"] + os.sep,
self.config.file_name)
# If it's a URL, well.. we store the URL.
else:
self.target = self.config.target
def prepare(self):
"""Prepare env for analysis."""
# Get SeDebugPrivilege for the Python process. It will be needed in
# order to perform the injections.
grant_privilege("SeDebugPrivilege")
grant_privilege("SeLoadDriverPrivilege")
# Initialize logging.
init_logging()
# Parse the analysis configuration file generated by the agent.
if not os.path.exists('analysis.conf'):
log.error('analysis.conf does not exist')
sys.exit(1)
self.config = Config(cfg="analysis.conf")
# Pass the configuration through to the Process class.
Process.set_config(self.config)
#TODO evan - reset if you want to change the clock
# Set virtual machine clock.
# set_clock(datetime.datetime.strptime(
# self.config.clock, "%Y%m%dT%H:%M:%S"
# ))
# Set the default DLL to be used for this analysis.
self.default_dll = self.config.options.get("dll")
# If a pipe name has not set, then generate a random one.
if "pipe" in self.config.options:
self.config.pipe = "\\??\\PIPE\\%s" % self.config.options["pipe"]
else:
self.config.pipe = "\\??\\PIPE\\%s" % random_string(16, 32)
# Generate a random name for the logging pipe server.
self.config.logpipe = "\\??\\PIPE\\%s" % random_string(16, 32)
# Initialize and start the Command Handler pipe server. This is going
# to be used for communicating with the monitored processes.
self.command_pipe = PipeServer(PipeDispatcher,
self.config.pipe,
message=True,
dispatcher=CommandPipeHandler(self))
self.command_pipe.daemon = True
self.command_pipe.start()
# Initialize and start the Log Pipe Server - the log pipe server will
# open up a pipe that monitored processes will use to send logs to
# before they head off to the host machine.
destination = self.config.ip, self.config.port
self.log_pipe_server = PipeServer(PipeForwarder,
self.config.logpipe,
destination=destination)
self.log_pipe_server.daemon = True
self.log_pipe_server.start()
def finish(self):
"""Finish run.
If specified to do so, this method dumps the memory of
all running processes.
"""
if self.options.get("procmemdump"):
for pid in self.pids:
p = Process(pid=pid)
p.dump_memory()
return True
def finish(self):
"""Finish run.
If specified to do so, this method dumps the memory of
all running processes.
"""
if self.options.get("procmemdump"):
for pid in self.pids:
p = Process(pid=pid)
p.dump_memory()
return True
def execute(self,
path,
args,
mode=None,
maximize=False,
env=None,
source=None,
trigger=None):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param mode: monitor mode - which functions to instrument
@param maximize: whether the GUI should start maximized
@param env: additional environment variables
@param source: parent process of our process
@param trigger: trigger to indicate analysis start
@return: process pid
"""
dll = self.options.get("dll")
free = self.options.get("free")
analysis = self.options.get("analysis")
# Kernel analysis overrides the free argument.
if analysis == "kernel":
free = True
source = source or self.options.get("from")
mode = mode or self.options.get("mode")
if not trigger and self.options.get("trigger"):
if self.options["trigger"] == "exefile":
trigger = "file:%s" % path
# Setup pre-defined registry keys.
if self.set_regkeys:
self.init_regkeys(self.REGKEYS)
self.set_regkeys = False
p = Process()
if not p.execute(path=path,
args=args,
dll=dll,
free=free,
curdir=self.curdir,
source=source,
mode=mode,
maximize=maximize,
env=env,
trigger=trigger):
raise CuckooPackageError(
"Unable to execute the initial process, analysis aborted.")
self.initial_pids.append(p.pid)
return p.pid
def start(self, path):
free = self.options.get("free", False)
dll = self.options.get("dll", None)
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
cmd_path = os.path.join(os.getenv("SystemRoot"), "system32", "cmd.exe")
cmd_args = "/c start \"{0}\"".format(path)
p = Process()
if not p.execute(path=cmd_path, args=cmd_args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, "
"analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
p.close()
return p.pid
else:
return None
def execute(self, path, args, interest):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param interest: file of interest, passed to the cuckoomon config
@return: process pid
"""
dll = self.options.get("dll")
free = self.options.get("free")
suspended = True
if free:
suspended = False
kernel_analysis = self.options.get("kernel_analysis", False)
if kernel_analysis != False:
kernel_analysis = True
p = Process()
if not p.execute(path=path, args=args, suspended=suspended, kernel_analysis=kernel_analysis):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
if free:
return None
if not kernel_analysis:
p.inject(dll, interest)
p.resume()
p.close()
return p.pid
def debug(self, path, args, interest):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param interest: file of interest, passed to the cuckoomon config
@return: process pid
"""
dll = self.options.get("dll")
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
p = Process()
if not p.execute(
path=path, args=args, suspended=suspended,
kernel_analysis=False):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
p.debug_inject(dll, INJECT_QUEUEUSERAPC, interest)
p.resume()
p.close()
return p.pid
def start(self, path):
free = self.options.get("free", False)
args = self.options.get("arguments", None)
dll = self.options.get("dll", None)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, "
"analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
self.run_ie()
p.close()
return p.pid
else:
self.run_ie()
return None
def execute(self, path, args, interest):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param interest: file of interest, passed to the cuckoomon config
@return: process pid
"""
free = self.options.get("free", False)
suspended = not free
kernel_analysis = bool(self.options.get("kernel_analysis", False))
p = Process(options=self.options, config=self.config)
if not p.execute(path=path,
args=args,
suspended=suspended,
kernel_analysis=kernel_analysis):
raise CuckooPackageError(
"Unable to execute the initial process, analysis aborted")
if free:
return None
if not kernel_analysis:
p.inject(INJECT_QUEUEUSERAPC, interest)
p.resume()
p.close()
return p.pid
def execute(self, cmd):
"""Start an executable for analysis.
@param path: executable path
@param args: executable arguments
@return: process pid
"""
p = Process()
if not p.execute(cmd):
raise CuckooPackageError("Unable to execute the initial process, analysis aborted")
return p.pid
def execute(self, cmd):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@return: process pid
"""
p = Process()
if not p.execute(cmd):
raise CuckooPackageError("Unable to execute the initial process, " "analysis aborted.")
return p.pid
def finish(self):
"""Finish run.
If configured, upload memory dumps of
all running processes.
"""
if self.options.get("procmemdump"):
for pid in self.pids:
p = Process(pid=pid)
p.upload_memdump()
return True
def start(self, path):
arg = "\"%s\"" % path
self.procmon = Process()
p = Process()
self.procmon.execute(path="C:\\Procmon\Procmon.exe", args="/Quiet /backingfile C:\\procmon", suspended=False)
self.procmon.execute(path="C:\\Procmon\Procmon.exe", args="/WaitForIdle", suspended=False)
if "arguments" in self.options:
p.execute(path=path, args=self.options["arguments"], suspended=True)
else:
p.execute(path=path, suspended=True)
p.resume()
return p.pid
def finish(self):
"""Finish run.
If configured, upload memory dumps of
all running processes.
"""
if self.options.get("procmemdump"):
for pid in self.dump_pids:
log.debug("PAUL: DUMPING PID {}".format(pid))
p = Process(pid=pid)
p.upload_memdump()
return True
def run(self):
"""Run handler.
@return: operation status.
"""
data = ""
while True:
bytes_read = c_int(0)
buf = create_string_buffer(BUFSIZE)
success = KERNEL32.ReadFile(self.h_pipe,
buf,
sizeof(buf),
byref(bytes_read),
None)
data += buf.value
if not success and KERNEL32.GetLastError() == ERROR_MORE_DATA:
continue
#elif not success or bytes_read.value == 0:
# if KERNEL32.GetLastError() == ERROR_BROKEN_PIPE:
# pass
break
if data:
command = data.strip()
#log.debug("Connection received (data=%s)" % command)
if command.startswith("PID:"):
PROCESS_LOCK.acquire()
pid = command[4:]
if pid.isdigit():
pid = int(pid)
if pid not in PROCESS_LIST:
add_pids(pid)
proc = Process(pid=pid)
proc.inject()
KERNEL32.WriteFile(self.h_pipe,
create_string_buffer("OK"),
2,
byref(bytes_read),
None)
PROCESS_LOCK.release()
elif command.startswith("FILE:"):
file_path = command[5:]
add_file(file_path)
KERNEL32.CloseHandle(self.h_pipe)
return True
def start(self):
try:
p = Process(process_name="lsass.exe")
p.inject(track=False, mode="dumptls")
except CuckooError as e:
if "process access denied" in e.message:
log.warning(
"You're not running the Cuckoo Agent as Administrator. "
"Doing so will improve your analysis results!")
else:
log.warning(
"An unknown error occurred while trying to inject into "
"the lsass.exe process to dump TLS master secrets: %s", e)
def start(self, path):
free = self.options.get("free", False)
dll = self.options.get("dll", None)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
cmd_path = os.path.join(os.getenv("SystemRoot"), "system32", "cmd.exe")
cmd_args = "/c start \"{0}\"".format(path)
p = Process()
if not p.execute(path=cmd_path, args=cmd_args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, "
"analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
p.close()
return p.pid
else:
return None
def test_is32bit_path():
p = Process()
mzdos0 = os.path.abspath("tests/files/mzdos0")
icardres = os.path.abspath("tests/files/icardres.dll")
with chdir("cuckoo/data/analyzer/windows"):
# File not found.
with pytest.raises(CuckooError) as e:
p.is32bit(path="thisisnotafile")
e.match("File not found")
# No MZ header.
with pytest.raises(CuckooError) as e:
p.is32bit(path=__file__)
e.match("returned by is32bit")
e.match("Invalid DOS file")
# This is a MZ-DOS executable rather than a PE file.
assert p.is32bit(path=mzdos0) is True
# TODO Add a 32-bit PE executable.
# This is a 64-bit PE file.
assert p.is32bit(path=icardres) is False
def start(self, path):
p = Process()
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
free = self.options.get("free", False)
args = self.options.get("arguments", None)
dll = self.options.get("dll", None)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, "
"analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
p.close()
return p.pid
else:
return None
def _handle_dumpmem(self, data):
"""Dump the memory of a process as it is right now."""
if not data.isdigit():
log.warning("Received DUMPMEM command with an incorrect argument.")
return
Process(pid=int(data)).dump_memory()
def run(self):
startbrowser = self.options.get("startbrowser")
url = self.options.get("url")
if not startbrowser:
return True
while self.do_run:
time.sleep(1000)
self.seconds_elapsed = self.seconds_elapsed + 1
if self.seconds_elapsed == 30:
iexplore = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe")
ie = Process()
if not url:
url = "https://www.yahoo.com/"
ie.execute(path=iexplore, args="\"" + url + "\"", suspended=False)
ie.close()
def _handle_kill(self, data):
"""A process is being killed."""
if not data.isdigit():
log.warning("Received KILL command with an incorrect argument.")
return
if self.analyzer.config.options.get("procmemdump"):
Process(pid=int(data)).dump_memory()
def start(self, path):
p = Process()
if "arguments" in self.options:
p.execute(path=path, args=self.options["arguments"], suspended=True)
else:
p.execute(path=path, suspended=True)
if self.options.get("free", "no") != "yes":
p.inject()
p.resume()
return p.pid
def test_is32bit_path():
p = Process()
mzdos0 = os.path.abspath("tests/files/mzdos0")
icardres = os.path.abspath("tests/files/icardres.dll")
with chdir("cuckoo/data/analyzer/windows"):
# File not found.
with pytest.raises(CuckooError) as e:
p.is32bit(path="thisisnotafile")
e.match("File not found")
# No MZ header.
with pytest.raises(CuckooError) as e:
p.is32bit(path=__file__)
e.match("returned by is32bit")
e.match("Invalid DOS file")
# This is a MZ-DOS executable rather than a PE file.
assert p.is32bit(path=mzdos0) is True
# TODO Add a 32-bit PE executable.
# This is a 64-bit PE file.
assert p.is32bit(path=icardres) is False
def start(self, path):
p = Process()
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe", args=arg, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe", args=arg, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\WINDOWS\\system32\\cmd.exe", args=arg, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE", args=arg, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
p = Process()
pin = os.path.join("bin", "pin.exe")
dll = os.path.join("bin", "malwpin.dll")
if "share_letter" in self.options:
root = self.options['share_letter']
else:
root = "E:\\" #PATHS["root"]
out = os.path.join(root, "malwpin.xml")
pinlog = os.path.join(root, "pin.log")
stack_dir = os.path.join(root, "memory") + os.sep
pin_arg = ""
if "adr-start" in self.options:
pin_arg += " -adr-start %s " % self.options['adr-start']
if "adr-stop" in self.options:
pin_arg += " -adr-stop %s " % self.options['adr-stop']
if "n" in self.options:
pin_arg += " -n %s " % self.options['n']
argv = "-t %s -o %s -s %s -logfile %s %s -- %s" % (dll, out, stack_dir, pinlog, pin_arg, path)
#argv = "-t %s -o %s -s %s -logfile %s -follow_execv -- %s" % (dll, out, stack_dir, pinlog, path)
if "arguments" in self.options:
argv += " " + self.options["arguments"]
p.execute(path=pin, args=argv, suspended=True)
#inject = True
#if "free" in self.options:
#if self.options["free"] == "yes":
#inject = False
#if inject:
#p.inject()
p.resume()
return p.pid
def test_process(self):
process = Process()
path = executable_name_for_target(self.current_target())
# just making sure
self.assertTrue(os.path.isfile(path))
res = process.execute(path='non_existing')
pid = process.pid
self.assertFalse(res)
self.assertTrue(pid == None)
res = process.execute(path=path, args=['first', 'second'])
pid = process.pid
self.assertTrue(res)
self.assertTrue(pid != None)
self.assertIsInstance(pid, int)
def start(self, path):
arg = "\"%s\"" % path
self.procmon = Process()
p = Process()
self.procmon.execute(path = "C:\\Procmon\Procmon.exe", args = "/Quiet /backingfile C:\\procmon", suspended = False)
self.procmon.execute(path = "C:\\Procmon\Procmon.exe", args = "/WaitForIdle", suspended = False)
if "arguments" in self.options:
p.execute(path = path, args = self.options["arguments"], suspended = True)
else:
p.execute(path = path, suspended = True)
p.resume()
return p.pid
def start(self, path):
p = Process()
rundll32 = "C:\\WINDOWS\\system32\\rundll32.exe"
if "function" in self.options:
p.execute(path=rundll32, args="%s,%s" % (path, self.options["function"]), suspended=True)
else:
p.execute(path=rundll32, args="%s,DllMain" % path, suspended=True)
if self.options.get("free", "no") != "yes":
p.inject()
p.resume()
return p.pid
def execute(self, path, args):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@return: process pid
"""
dll = self.options.get("dll")
free = self.options.get("free")
source = self.options.get("from")
# Setup pre-defined registry keys.
self.init_regkeys(self.REGKEYS)
p = Process()
if not p.execute(path=path, args=args, dll=dll,
free=free, curdir=self.curdir, source=source):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
return p.pid
def start(self, path):
p = Process()
execsc = "extra/execsc.exe"
p.execute(path=execsc, args=path, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
p = Process()
free = self.options.get("free")
dll = self.options.get("dll")
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject(dll, path)
p.resume()
if free:
return None
return p.pid
def start(self, path):
excel = self.get_path()
if not excel:
raise CuckooPackageError("Unable to find any Microsoft " "Office Excel executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=excel, args='"%s"' % path, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Microsoft " "Office Excel process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
