def start(self, path):
    """Launch the Java sample and (unless ``free``) inject the monitor DLL.

    The command line is ``-cp "<path>" <class>`` when the ``class`` option
    is set, otherwise ``-jar "<path>"``.
    @param path: JAR (or class-path root) to run
    @return: pid of the Java process, or None when the ``free`` option is set
    @raise CuckooPackageError: no Java executable found, or it failed to start
    """
    java = self.get_path()
    if not java:
        raise CuckooPackageError("Unable to find any Java executable available")

    monitor_dll = self.options.get("dll")
    run_free = self.options.get("free", False)
    class_path = self.options.get("class")
    gateway = self.options.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    # NOTE: the `class` option is spliced into the command line unquoted;
    # it is analyst-supplied configuration, not data taken from the sample.
    if class_path:
        args = '-cp "%s" %s' % (path, class_path)
    else:
        args = '-jar "%s"' % path

    proc = Process()
    # `free` means: start unsuspended and never inject, i.e. no API monitoring.
    if not proc.execute(path=java, args=args, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Java process, analysis aborted")
    if run_free:
        return None
    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Wrap the applet in an HTML page and open it in the configured browser.

    @param path: applet file handed to ``self.make_html``
    @return: pid of the browser process, or None when the ``free`` option is set
    @raise CuckooPackageError: no browser executable found, or it failed to start
    """
    browser = self.get_path()
    if not browser:
        raise CuckooPackageError("Unable to find any browser executable available")

    monitor_dll = self.options.get("dll")
    run_free = self.options.get("free", False)
    class_name = self.options.get("class")
    gateway = self.options.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    # make_html lives on the package class; it builds the page that loads the applet.
    html_path = self.make_html(path, class_name)

    proc = Process()
    started = proc.execute(path=browser, args='"%s"' % html_path, suspended=not run_free)
    if not started:
        raise CuckooPackageError("Unable to execute initial Internet Explorer process, analysis aborted")
    if run_free:
        # Unmonitored run: no DLL injected, nothing to resume.
        return None
    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Run the Java sample through the Java executable located by ``get_path``.

    @param path: JAR to run, or class-path root when ``class`` is set
    @return: pid of the Java process, or None when the ``free`` option is set
    @raise CuckooPackageError: no Java executable found, or it failed to start
    """
    java = self.get_path()
    if not java:
        raise CuckooPackageError("Unable to find any Java executable available")

    opts = self.options
    dll, free = opts.get("dll"), opts.get("free", False)
    class_path, gw = opts.get("class"), opts.get("setgw")

    net = Utils()
    if gw:
        net.set_default_gw(gw)

    # `class` is an analyst option and is placed on the command line as-is.
    args = '-cp "%s" %s' % (path, class_path) if class_path else '-jar "%s"' % path

    proc = Process()
    if not proc.execute(path=java, args=args, suspended=not free):
        raise CuckooPackageError("Unable to execute initial Java process, analysis aborted")
    if free:
        return None
    proc.inject(dll)
    proc.resume()
    return proc.pid
def debug(self, path, args, interest):
    """Starts an executable for analysis using ``debug_inject``.

    The process is always created suspended so that injection happens
    before it is resumed; the DLL is chosen by the target's bitness.
    @param path: executable path
    @param args: executable arguments
    @param interest: file of interest, passed to the cuckoomon config
    @return: process pid
    @raise CuckooPackageError: the process could not be started
    """
    dll_32 = self.options.get("dll")
    dll_64 = self.options.get("dll_64")
    gateway = self.options.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    proc = Process(options=self.options, config=self.config)
    started = proc.execute(path=path, args=args, suspended=True, kernel_analysis=False)
    if not started:
        raise CuckooPackageError("Unable to execute the initial process, analysis aborted.")

    # 64-bit targets need the 64-bit monitor build.
    chosen_dll = dll_64 if proc.is_64bit() else dll_32
    proc.debug_inject(chosen_dll, interest, childprocess=False)
    proc.resume()
    proc.close()
    return proc.pid
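def start(self, path):
    """Open *path* with its registered handler via ``cmd.exe /c start``.

    Note that the pid returned (and the process injected) is cmd.exe
    itself, not the handler it spawns.
    @param path: file to open
    @return: pid of the cmd.exe process, or None when the ``free`` option is set
    @raise CuckooPackageError: cmd.exe could not be started
    """
    free = self.options.get("free", False)
    dll = self.options.get("dll")
    gw = self.options.get("setgw")
    u = Utils()
    if gw:
        u.set_default_gw(gw)
    suspended = not free

    cmd_path = os.path.join(os.getenv("SystemRoot"), "system32", "cmd.exe")
    # `start` treats its first quoted argument as the window title, so a
    # bare `start "<path>"` opens an empty console and never launches the
    # file. An explicit empty title makes the quoted path the target.
    cmd_args = '/c start "" "{0}"'.format(path)

    p = Process()
    if not p.execute(path=cmd_path, args=cmd_args, suspended=suspended):
        raise CuckooPackageError("Unable to execute initial process, analysis aborted")
    if free:
        return None
    p.inject(dll)
    p.resume()
    p.close()
    return p.pid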
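def start(self, path):
    """Open *path* with its registered handler via ``cmd.exe /c start``.

    The monitored process (and the returned pid) is cmd.exe; whether the
    handler it spawns is covered depends on the monitor following children.
    @param path: file to open
    @return: pid of the cmd.exe process, or None when the ``free`` option is set
    @raise CuckooPackageError: cmd.exe could not be started
    """
    free = self.options.get("free", False)
    dll = self.options.get("dll")
    gw = self.options.get("setgw")
    u = Utils()
    if gw:
        u.set_default_gw(gw)
    suspended = not free

    cmd_path = os.path.join(os.getenv("SystemRoot"), "system32", "cmd.exe")
    # cmd's `start` takes its first quoted argument as a window title;
    # `start "<path>"` alone opens a new console instead of the file.
    # Pass an empty title so the quoted path is the thing to launch.
    cmd_args = '/c start "" "{0}"'.format(path)

    p = Process()
    if not p.execute(path=cmd_path, args=cmd_args, suspended=suspended):
        raise CuckooPackageError("Unable to execute initial process, analysis aborted")
    if free:
        return None
    p.inject(dll)
    p.resume()
    p.close()
    return p.pid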
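def start(self, path):
    """Load the DLL sample through rundll32.exe.

    The command line is ``"<path>",<function> [arguments]``; ``function``
    defaults to ``DllMain`` and ``arguments`` is appended verbatim.
    @param path: DLL to load
    @return: pid of the rundll32 process, or None when the ``free`` option is set
    @raise CuckooPackageError: rundll32 could not be started
    """
    free = self.options.get("free", False)
    function = self.options.get("function", "DllMain")
    arguments = self.options.get("arguments")
    dll = self.options.get("dll")
    gw = self.options.get("setgw")
    u = Utils()
    if gw:
        u.set_default_gw(gw)
    suspended = not free

    # Quote the DLL path: rundll32 stops at the first space or comma of an
    # unquoted path, so a sample stored under a directory containing a
    # space would not be found.
    args = '"{0}",{1}'.format(path, function)
    if arguments:
        args += " {0}".format(arguments)

    p = Process()
    if not p.execute(path="C:\\WINDOWS\\system32\\rundll32.exe",
                     args=args, suspended=suspended):
        raise CuckooPackageError("Unable to execute rundll32, analysis aborted")
    if free:
        return None
    p.inject(dll)
    p.resume()
    return p.pid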
def start(self, url):
    """Open *url* in Internet Explorer (``%ProgramFiles%\\Internet Explorer``).

    @param url: URL passed, quoted, as the single iexplore argument
    @return: pid of the iexplore process, or None when the ``free`` option is set
    @raise CuckooPackageError: iexplore could not be started
    """
    run_free = self.options.get("free", False)
    monitor_dll = self.options.get("dll")
    gateway = self.options.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    iexplore = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe")

    proc = Process()
    started = proc.execute(path=iexplore, args='"%s"' % url, suspended=not run_free)
    if not started:
        raise CuckooPackageError("Unable to execute initial Internet Explorer process, analysis aborted")
    if run_free:
        return None
    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Run the script sample with the WScript host located by ``get_path``.

    @param path: script file to run
    @return: pid of the wscript process, or None when the ``free`` option is set
    @raise CuckooPackageError: no WScript executable found, or it failed to start
    """
    wscript = self.get_path()
    if not wscript:
        raise CuckooPackageError("Unable to find any WScript executable available")

    opts = self.options
    monitor_dll, run_free, gateway = opts.get("dll"), opts.get("free", False), opts.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    proc = Process()
    if not proc.execute(path=wscript, args='"{0}"'.format(path), suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial WScript process, analysis aborted")
    if run_free:
        return None
    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Build an HTML wrapper for the applet and open it in the browser.

    @param path: applet file handed to ``self.make_html``
    @return: pid of the browser process, or None when the ``free`` option is set
    @raise CuckooPackageError: no browser executable found, or it failed to start
    """
    browser = self.get_path()
    if not browser:
        raise CuckooPackageError("Unable to find any browser executable available")

    opts = self.options
    monitor_dll = opts.get("dll")
    run_free = opts.get("free", False)
    applet_class = opts.get("class")
    gateway = opts.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    page = self.make_html(path, applet_class)

    proc = Process()
    if not proc.execute(path=browser, args='"%s"' % page, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Internet Explorer process, analysis aborted")
    if run_free:
        return None
    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Open the document in Microsoft Word (path from ``get_path``).

    @param path: document to open, passed quoted as the single argument
    @return: pid of the Word process, or None when the ``free`` option is set
    @raise CuckooPackageError: no Word executable found, or it failed to start
    """
    word = self.get_path()
    if not word:
        raise CuckooPackageError("Unable to find any Microsoft Office Word executable available")

    monitor_dll = self.options.get("dll")
    run_free = self.options.get("free", False)
    gateway = self.options.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    proc = Process()
    started = proc.execute(path=word, args='"%s"' % path, suspended=not run_free)
    if not started:
        raise CuckooPackageError("Unable to execute initial Microsoft Office Word process, analysis aborted")
    if run_free:
        return None
    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Execute the sample directly, with optional ``arguments``.

    @param path: executable to run
    @return: pid of the process, or None when the ``free`` option is set
    @raise CuckooPackageError: the process could not be started
    """
    opts = self.options
    run_free = opts.get("free", False)
    sample_args = opts.get("arguments")
    monitor_dll = opts.get("dll")
    gateway = opts.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    proc = Process()
    if not proc.execute(path=path, args=sample_args, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial process, analysis aborted")
    if run_free:
        return None
    proc.inject(monitor_dll)
    proc.resume()
    proc.close()
    return proc.pid
def start(self, path):
    """Open the workbook in Microsoft Excel (path from ``get_path``).

    @param path: workbook to open, passed quoted as the single argument
    @return: pid of the Excel process, or None when the ``free`` option is set
    @raise CuckooPackageError: no Excel executable found, or it failed to start
    """
    excel = self.get_path()
    if not excel:
        raise CuckooPackageError("Unable to find any Microsoft Office Excel executable available")

    opts = self.options
    monitor_dll, run_free, gateway = opts.get("dll"), opts.get("free", False), opts.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    proc = Process()
    if not proc.execute(path=excel, args='"%s"' % path, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Microsoft Office Excel process, analysis aborted")
    if run_free:
        return None
    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Run the PowerShell script sample.

    @param path: script file passed via ``-File``
    @return: pid of the powershell process, or None when the ``free`` option is set
    @raise CuckooPackageError: no PowerShell executable found, or it failed to start
    """
    powershell = self.get_path()
    if not powershell:
        raise CuckooPackageError("Unable to find any PowerShell executable available")

    monitor_dll = self.options.get("dll")
    run_free = self.options.get("free", False)
    gateway = self.options.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    # -ExecutionPolicy unrestricted is deliberate: the script under analysis
    # must run inside the analysis guest regardless of the guest's policy.
    args = '-NoProfile -ExecutionPolicy unrestricted -File "{0}"'.format(path)

    proc = Process()
    if not proc.execute(path=powershell, args=args, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial PowerShell process, analysis aborted")
    if run_free:
        return None
    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Execute the sample, then call ``self.run_ie`` in either mode.

    @param path: executable to run
    @return: pid of the process, or None when the ``free`` option is set
    @raise CuckooPackageError: the process could not be started
    """
    opts = self.options
    run_free = opts.get("free", False)
    sample_args = opts.get("arguments")
    monitor_dll = opts.get("dll")
    gateway = opts.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    proc = Process()
    if not proc.execute(path=path, args=sample_args, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial process, analysis aborted")

    if run_free:
        self.run_ie()
        return None

    # run_ie is invoked only after the monitored sample has been resumed.
    proc.inject(monitor_dll)
    proc.resume()
    self.run_ie()
    proc.close()
    return proc.pid
def start(self, path):
    """Run the script sample with the WScript host located by ``get_path``.

    @param path: script file to run
    @return: pid of the wscript process, or None when the ``free`` option is set
    @raise CuckooPackageError: no WScript executable found, or it failed to start
    """
    wscript = self.get_path()
    if not wscript:
        raise CuckooPackageError("Unable to find any WScript executable available")

    monitor_dll = self.options.get("dll")
    run_free = self.options.get("free", False)
    gateway = self.options.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    proc = Process()
    started = proc.execute(path=wscript, args='"{0}"'.format(path), suspended=not run_free)
    if not started:
        raise CuckooPackageError("Unable to execute initial WScript process, analysis aborted")
    if run_free:
        return None
    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, url):
    """Open *url* in Internet Explorer (``%ProgramFiles%\\Internet Explorer``).

    @param url: URL passed, quoted, as the single iexplore argument
    @return: pid of the iexplore process, or None when the ``free`` option is set
    @raise CuckooPackageError: iexplore could not be started
    """
    opts = self.options
    run_free, monitor_dll, gateway = opts.get("free", False), opts.get("dll"), opts.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    iexplore = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe")

    proc = Process()
    if not proc.execute(path=iexplore, args='"%s"' % url, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Internet Explorer process, analysis aborted")
    if run_free:
        return None
    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Run the PowerShell script sample.

    @param path: script file passed via ``-File``
    @return: pid of the powershell process, or None when the ``free`` option is set
    @raise CuckooPackageError: no PowerShell executable found, or it failed to start
    """
    powershell = self.get_path()
    if not powershell:
        raise CuckooPackageError("Unable to find any PowerShell executable available")

    opts = self.options
    monitor_dll, run_free, gateway = opts.get("dll"), opts.get("free", False), opts.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    # The unrestricted execution policy is intentional for detonation in
    # the analysis guest; the script would otherwise be blocked by policy.
    args = '-NoProfile -ExecutionPolicy unrestricted -File "{0}"'.format(path)

    proc = Process()
    started = proc.execute(path=powershell, args=args, suspended=not run_free)
    if not started:
        raise CuckooPackageError("Unable to execute initial PowerShell process, analysis aborted")
    if run_free:
        return None
    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Open the sample (e.g. a .cpl) with control.exe located by ``get_path``.

    @param path: file passed, quoted, as the single control.exe argument
    @return: pid of the control process, or None when the ``free`` option is set
    @raise CuckooPackageError: no control.exe found, or it failed to start
    """
    control = self.get_path()
    if not control:
        raise CuckooPackageError("Unable to find any control.exe executable available")

    monitor_dll = self.options.get("dll")
    run_free = self.options.get("free", False)
    gateway = self.options.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    proc = Process()
    if not proc.execute(path=control, args='"%s"' % path, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Control process, analysis aborted")
    if run_free:
        return None
    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
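def start(self, path):
    """Extract the Zip sample into %TEMP% and execute the chosen member.

    The archive is opened with the ``password`` option (None if unset); on
    a password failure the conventional ``infected`` password is tried.
    The file to run is the ``file`` option, or the archive's first entry
    when no name was given.
    @param path: Zip archive
    @return: pid of the extracted sample, or None when the ``free`` option is set
    @raise CuckooPackageError: invalid archive, extraction failure, or the
        extracted file could not be started
    """
    root = os.environ["TEMP"]
    default_file_name = "sample.exe"
    password = self.options.get("password")

    try:
        # ZipFile() itself raises BadZipfile on a corrupt archive, so the
        # open must be inside the try as well as extractall().
        with ZipFile(path, "r") as archive:
            zipinfos = archive.infolist()
            try:
                archive.extractall(path=root, pwd=password)
            except RuntimeError:
                # Wrong or missing password: retry with the de-facto default
                # rather than re-reading the same configured value.
                try:
                    archive.extractall(path=root, pwd="infected")
                except RuntimeError as e:
                    raise CuckooPackageError("Unable to extract Zip file: {0}".format(e))
    except BadZipfile:
        raise CuckooPackageError("Invalid Zip file")

    file_name = self.options.get("file", default_file_name)
    # No explicit name: fall back to the first archive member. This may be a
    # nested path or a directory entry; extractall() already strips absolute
    # paths and ".." components from member names.
    if file_name == default_file_name and zipinfos:
        file_name = zipinfos[0].filename
    file_path = os.path.join(root, file_name)

    dll = self.options.get("dll")
    free = self.options.get("free", False)
    args = self.options.get("arguments")
    gw = self.options.get("setgw")
    u = Utils()
    if gw:
        u.set_default_gw(gw)
    suspended = not free

    p = Process()
    if not p.execute(path=file_path, args=args, suspended=suspended):
        raise CuckooPackageError("Unable to execute initial process, analysis aborted")
    if free:
        return None
    p.inject(dll)
    p.resume()
    return p.pid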
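def start(self, path):
    """Extract the Zip sample into %TEMP% and execute the chosen member.

    Extraction first uses the ``password`` option (None if unset) and, on a
    password error, retries with ``infected``. The member to run is the
    ``file`` option, else the archive's first entry.
    @param path: Zip archive
    @return: pid of the extracted sample, or None when the ``free`` option is set
    @raise CuckooPackageError: invalid archive, extraction failure, or the
        extracted file could not be started
    """
    root = os.environ["TEMP"]
    default_file_name = "sample.exe"
    password = self.options.get("password")

    try:
        # Opening a corrupt archive raises BadZipfile before extractall()
        # runs, so keep the open inside the guarded region.
        with ZipFile(path, "r") as archive:
            zipinfos = archive.infolist()
            try:
                archive.extractall(path=root, pwd=password)
            except RuntimeError:
                # Password failure: the fallback is the literal default, not
                # the configured (and just rejected) password again.
                try:
                    archive.extractall(path=root, pwd="infected")
                except RuntimeError as e:
                    raise CuckooPackageError("Unable to extract Zip file: {0}".format(e))
    except BadZipfile:
        raise CuckooPackageError("Invalid Zip file")

    file_name = self.options.get("file", default_file_name)
    # Without an explicit name, run the first member. Member names are
    # sanitised by extractall() (absolute paths and ".." dropped), but the
    # first entry may still be a directory or a nested path.
    if file_name == default_file_name and zipinfos:
        file_name = zipinfos[0].filename
    file_path = os.path.join(root, file_name)

    dll = self.options.get("dll")
    free = self.options.get("free", False)
    args = self.options.get("arguments")
    gw = self.options.get("setgw")
    u = Utils()
    if gw:
        u.set_default_gw(gw)
    suspended = not free

    p = Process()
    if not p.execute(path=file_path, args=args, suspended=suspended):
        raise CuckooPackageError("Unable to execute initial process, analysis aborted")
    if free:
        return None
    p.inject(dll)
    p.resume()
    return p.pid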
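def start(self, path):
    """Run the shellcode sample through the bundled ``bin/execsc.exe`` loader.

    The loader is always started suspended so the monitor DLL is injected
    before the shellcode executes; there is no ``free`` mode here.
    @param path: shellcode file, passed as the loader's argument
    @return: pid of the loader process
    @raise CuckooPackageError: the loader could not be started
    """
    gw = self.options.get("setgw")
    u = Utils()
    if gw:
        u.set_default_gw(gw)

    p = Process()
    dll = self.options.get("dll")
    # Check the launch result before injecting, as the other packages do;
    # injecting into a process that never started would fail obscurely.
    if not p.execute(path="bin/execsc.exe", args=path, suspended=True):
        raise CuckooPackageError("Unable to execute initial process, analysis aborted")
    p.inject(dll)
    p.resume()
    return p.pid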
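def start(self, path):
    """Run the shellcode sample through the bundled ``bin/execsc.exe`` loader.

    The loader is created suspended, injected with the ``dll`` option's
    DLL and then resumed; this package has no ``free`` mode.
    @param path: shellcode file, passed as the loader's argument
    @return: pid of the loader process
    @raise CuckooPackageError: the loader could not be started
    """
    gw = self.options.get("setgw")
    u = Utils()
    if gw:
        u.set_default_gw(gw)

    p = Process()
    dll = self.options.get("dll")
    # The return value of execute() was previously ignored; a failed launch
    # then surfaced as an inject()/resume() error instead of a clear message.
    if not p.execute(path="bin/execsc.exe", args=path, suspended=True):
        raise CuckooPackageError("Unable to execute initial process, analysis aborted")
    p.inject(dll)
    p.resume()
    return p.pid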
def execute(self, path, args, interest):
    """Starts an executable for analysis.

    Injects the 32- or 64-bit DLL (``dll`` / ``dll_64``) via
    INJECT_QUEUEUSERAPC unless kernel analysis is enabled, in which case
    the process is only resumed.
    @param path: executable path
    @param args: executable arguments
    @param interest: file of interest, passed to the cuckoomon config
    @return: process pid, or None when the ``free`` option is set
    @raise CuckooPackageError: the process could not be started
    """
    opts = self.options
    dll_32 = opts.get("dll")
    dll_64 = opts.get("dll_64")
    free = opts.get("free")
    gateway = opts.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    # Any value other than the literal False (even a string) enables it.
    kernel_analysis = opts.get("kernel_analysis", False)
    if kernel_analysis != False:
        kernel_analysis = True

    proc = Process(options=self.options, config=self.config)
    started = proc.execute(path=path, args=args, suspended=not free,
                           kernel_analysis=kernel_analysis)
    if not started:
        raise CuckooPackageError("Unable to execute the initial process, analysis aborted.")

    if free:
        # Unmonitored run: the process was started unsuspended; nothing else to do.
        return None

    is_64 = proc.is_64bit()
    if not kernel_analysis:
        chosen_dll = dll_64 if is_64 else dll_32
        proc.inject(chosen_dll, INJECT_QUEUEUSERAPC, interest)
    proc.resume()
    proc.close()
    return proc.pid
def execute(self, path, args, interest):
    """Starts an executable for analysis.

    Unless kernel analysis is enabled, the ``dll`` option's DLL is injected
    before the process is resumed.
    @param path: executable path
    @param args: executable arguments
    @param interest: file of interest, passed to the cuckoomon config
    @return: process pid, or None when the ``free`` option is set
    @raise CuckooPackageError: the process could not be started
    """
    opts = self.options
    monitor_dll = opts.get("dll")
    free = opts.get("free")
    gateway = opts.get("setgw")

    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    # Anything but the literal False (a string such as "no" included) enables it.
    kernel_analysis = opts.get("kernel_analysis", False)
    if kernel_analysis != False:
        kernel_analysis = True

    proc = Process()
    started = proc.execute(path=path, args=args, suspended=not free,
                           kernel_analysis=kernel_analysis)
    if not started:
        raise CuckooPackageError("Unable to execute the initial process, analysis aborted.")

    if free:
        return None

    if not kernel_analysis:
        proc.inject(monitor_dll, interest)
    proc.resume()
    proc.close()
    return proc.pid
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org # See the file 'docs/LICENSE' for copying permission. from __future__ import absolute_import import os import json import logging import locale from io import BytesIO from lib.api.utils import Utils from lib.common.abstracts import Auxiliary from lib.common.results import NetlogFile log = logging.getLogger(__name__) util = Utils() class DigiSig(Auxiliary): """Runs signtool.exe and parses the output. For this to work, the Microsoft tool signtool.exe will need to be placed into the windows/analyzer/bin/ directory. signtool.exe can be downloaded from Microsoft as part of the SDK. (which is also usually packaged with Visual Studio) TODO: Currently the only way to properly update root certificate cab files is via Windows Update which is disabled in many Cuckoo rigs. This means that we will not be able to error out on revoked certificates. Need to find a good work around for this. Ideally make it an option so we don't force log unnecessary update network traffic.