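def prepare(self):
    """Prepare the guest environment for an analysis run.

    Acquires SeDebugPrivilege, creates the result folders, initialises
    logging, loads ``analysis.conf`` and starts ``PIPE_SERVER_COUNT`` pipe
    servers before resolving the analysis target.

    Side effects: sets ``self.config``, fills ``self.pipes`` and sets
    ``self.target``.
    """
    # SeDebugPrivilege lets this process open other processes, which the
    # injection step relies on.
    grant_debug_privilege()

    # Create the folders used for storing the results.
    create_folders()

    # Initialize logging.
    init_logging()

    # Parse the analysis configuration file generated by the agent.
    self.config = Config(cfg="analysis.conf")

    # Start the pipe servers used to talk to the injected and monitored
    # processes. Each one is marked as a daemon (presumably a Thread
    # subclass) so a stuck pipe cannot keep the analyzer alive at exit.
    for idx in xrange(self.PIPE_SERVER_COUNT):
        self.pipes[idx] = PipeServer()
        self.pipes[idx].daemon = True
        self.pipes[idx].start()

    # For file samples the target is the file under %TEMP%; for anything
    # else (URLs) the configured target string is used as-is.
    # os.path.join already inserts the separator, so %TEMP% is not
    # suffixed with os.sep (a trailing separator in %TEMP% would
    # otherwise have produced a doubled one).
    # NOTE(review): file_name comes from the agent-written config; a name
    # containing path separators would resolve outside %TEMP% -- confirm
    # the host side sanitises it.
    if self.config.category == "file":
        self.target = os.path.join(os.environ["TEMP"], self.config.file_name)
    else:
        self.target = self.config.target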
def prepare(self):
    """Prepare env for analysis.

    Sets up the debug privilege, logging and configuration, hands the
    configuration to ``Process``, sets the VM clock, chooses the command
    and log pipe names, starts both pipe servers and records the target.
    """
    # SeDebugPrivilege is required to open other processes for injection.
    grant_debug_privilege()

    init_logging()

    # Configuration written by the agent; the Process class needs it too.
    self.config = Config(cfg="analysis.conf")
    Process.set_config(self.config)

    # Virtual machine clock, parsed from the configured timestamp.
    clock = datetime.datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
    set_clock(clock)

    options = self.config.options
    self.default_dll = options.get("dll")

    # Command pipe: take the configured name when present, otherwise a
    # random one. The log pipe is always randomly named.
    # NOTE(review): the name is what keeps unrelated processes from
    # finding the pipe; assumes random_string is not predictable -- confirm.
    pipe_name = options["pipe"] if "pipe" in options else random_string(16, 32)
    self.config.pipe = "\\\\.\\PIPE\\%s" % pipe_name
    self.config.logpipe = "\\\\.\\PIPE\\%s" % random_string(16, 32)

    def start_daemon(server):
        # Pipe servers run as daemons so they never block shutdown.
        server.daemon = True
        server.start()

    # Command handler: monitored processes send their commands here.
    self.command_pipe = PipeServer(
        PipeDispatcher, self.config.pipe, message=True,
        dispatcher=CommandPipeHandler(self))
    start_daemon(self.command_pipe)

    # Log forwarder: monitored processes write logs to this pipe and they
    # are relayed to the host at (ip, port).
    self.log_pipe_server = PipeServer(
        PipeForwarder, self.config.logpipe,
        destination=(self.config.ip, self.config.port))
    start_daemon(self.log_pipe_server)

    # File samples live under %TEMP%; anything else is the target string
    # itself (a URL).
    if self.config.category != "file":
        self.target = self.config.target
    else:
        self.target = os.path.join(os.environ["TEMP"] + os.sep,
                                   self.config.file_name)
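def prepare(self):
    """Prepare env for analysis.

    Grants SeDebugPrivilege, creates and protects the result folders,
    initialises logging, loads ``analysis.conf``, sets the guest clock via
    the DATE/TIME shell commands, resolves ``DEFAULT_DLL`` and
    ``SERVICES_PID`` (module globals), starts the pipe servers and records
    the analysis target.
    """
    global DEFAULT_DLL
    global SERVICES_PID

    # Get SeDebugPrivilege for the Python process. It will be needed in
    # order to perform the injections.
    grant_debug_privilege()

    # Create the folders used for storing the results and register the
    # analyzer's own directories as protected paths.
    create_folders()
    add_protected_path(os.getcwd())
    add_protected_path(PATHS["root"])

    # Initialize logging.
    init_logging()

    # Parse the analysis configuration file generated by the agent.
    self.config = Config(cfg="analysis.conf")

    # Set virtual machine clock.
    clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")

    # NOTE: Windows system has only localized commands with date format
    # following localization settings, so these commands for english date
    # format cannot work in other localizations.
    # In addition DATE and TIME commands are blocking if an incorrect
    # syntax is provided, so an echo trick is used to bypass the input
    # request and not block analysis.
    thedate = clock.strftime("%m-%d-%y")
    thetime = clock.strftime("%H:%M:%S")

    # strftime output is digits, '-' and ':' only, so the shell strings
    # below cannot carry anything beyond what strptime accepted above.
    # The exit status was previously ignored; a failed clock set is now
    # logged (best effort, not fatal) so skewed timestamps are traceable.
    for command in ("echo:|date {0}".format(thedate),
                    "echo:|time {0}".format(thetime)):
        status = os.system(command)
        if status != 0:
            log.warning("Clock command exited with status {0}: {1}".format(
                status, command))
    log.info("Date set to: {0}, time set to: {1}".format(thedate, thetime))

    # Set the default DLL to be used by the PipeHandler.
    DEFAULT_DLL = self.config.get_options().get("dll")

    # Get the PID of services.exe for monitoring services.
    SERVICES_PID = self.pid_from_process_name("services.exe")

    # Initialize and start the Pipe Servers. This is going to be used for
    # communicating with the injected and monitored processes.
    for idx in xrange(self.PIPE_SERVER_COUNT):
        self.pipes[idx] = PipeServer(self.config.get_options())
        self.pipes[idx].daemon = True
        self.pipes[idx].start()

    # File samples are resolved under %TEMP%; os.path.join inserts the
    # separator itself. Anything else (a URL) is stored as given.
    if self.config.category == "file":
        self.target = os.path.join(os.environ["TEMP"],
                                   str(self.config.file_name))
    else:
        self.target = self.config.target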
def prepare(self):
    """Prepare env for analysis.

    Privilege, logging and configuration first; then the VM clock, the
    default DLL, the command/log pipe names, the two pipe servers and
    finally the analysis target.
    """
    def as_pipe_path(name):
        # Named pipes live under \\.\PIPE\.
        return "\\\\.\\PIPE\\%s" % name

    # Needed to open other processes for the injections.
    grant_debug_privilege()
    init_logging()

    # Parse the configuration generated by the agent and share it with
    # the Process class.
    cfg = Config(cfg="analysis.conf")
    self.config = cfg
    Process.set_config(cfg)

    # Set virtual machine clock.
    set_clock(datetime.datetime.strptime(cfg.clock, "%Y%m%dT%H:%M:%S"))

    # Default DLL for this analysis (may be absent).
    self.default_dll = cfg.options.get("dll")

    # Command pipe name from the options if set, random otherwise; the
    # log pipe name is always random.
    if "pipe" in cfg.options:
        cfg.pipe = as_pipe_path(cfg.options["pipe"])
    else:
        cfg.pipe = as_pipe_path(random_string(16, 32))
    cfg.logpipe = as_pipe_path(random_string(16, 32))

    # Command handler pipe server: monitored processes talk to us here.
    command_pipe = PipeServer(PipeDispatcher, cfg.pipe, message=True,
                              dispatcher=CommandPipeHandler(self))
    self.command_pipe = command_pipe
    command_pipe.daemon = True
    command_pipe.start()

    # Log pipe server: monitored processes send logs here, which are then
    # forwarded to the host at (ip, port).
    log_server = PipeServer(PipeForwarder, cfg.logpipe,
                            destination=(cfg.ip, cfg.port))
    self.log_pipe_server = log_server
    log_server.daemon = True
    log_server.start()

    # File samples are located under %TEMP%; URLs are stored verbatim.
    is_file = cfg.category == "file"
    self.target = (
        os.path.join(os.environ["TEMP"] + os.sep, cfg.file_name)
        if is_file else cfg.target
    )
def prepare(self):
    """Prepare env for analysis.

    Minimal setup: debug privilege, result folders, logging, the
    configuration under ``PATHS["root"]``, one pipe server and the sample
    path on the system drive.
    """
    # Needed to open other processes for injection.
    grant_debug_privilege()
    create_folders()
    init_logging()

    cfg_path = os.path.join(PATHS["root"], "analysis.conf")
    self.config = Config(cfg=cfg_path)

    server = PipeServer()
    self.pipe = server
    server.daemon = True
    server.start()

    # %SYSTEMDRIVE% is typically a bare drive letter ("C:"); the trailing
    # os.sep is required, otherwise os.path.join would build a
    # drive-relative path ("C:name") instead of "C:\name".
    drive_root = os.environ["SYSTEMDRIVE"] + os.sep
    self.file_path = os.path.join(drive_root, self.config.file_name)
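def prepare(self):
    """Prepare env for analysis.

    Grants SeDebugPrivilege, copies the monitor DLLs and loaders to their
    randomised names, creates and protects the result folders, initialises
    logging, loads ``analysis.conf``, sets the guest clock via DATE/TIME,
    fills the module globals ``DEFAULT_DLL``, ``SERVICES_PID`` and
    ``HIDE_PIDS``, starts the pipe servers and records the target.
    """
    global DEFAULT_DLL
    global SERVICES_PID
    global HIDE_PIDS

    # Get SeDebugPrivilege for the Python process. It will be needed in
    # order to perform the injections.
    grant_debug_privilege()

    # Copy the cuckoomon DLLs and loader executables to the randomised
    # names chosen at module level (presumably so the sample cannot
    # recognise them by their well-known filenames).
    copy("dll\\cuckoomon.dll", CUCKOOMON32_NAME)
    copy("dll\\cuckoomon_x64.dll", CUCKOOMON64_NAME)
    copy("bin\\loader.exe", LOADER32_NAME)
    copy("bin\\loader_x64.exe", LOADER64_NAME)

    # Create the folders used for storing the results and register the
    # analyzer's own directories as protected paths.
    create_folders()
    add_protected_path(os.getcwd())
    add_protected_path(PATHS["root"])

    # Initialize logging.
    init_logging()

    # Parse the analysis configuration file generated by the agent.
    self.config = Config(cfg="analysis.conf")

    # Set virtual machine clock.
    clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")

    # NOTE: Windows system has only localized commands with date format
    # following localization settings, so these commands for english date
    # format cannot work in other localizations.
    # In addition DATE and TIME commands are blocking if an incorrect
    # syntax is provided, so an echo trick is used to bypass the input
    # request and not block analysis.
    thedate = clock.strftime("%m-%d-%y")
    thetime = clock.strftime("%H:%M:%S")

    # strftime output is digits, '-' and ':' only, so the shell strings
    # cannot carry anything beyond what strptime accepted. The exit
    # status used to be ignored; a non-zero status is now logged so a
    # skewed guest clock is traceable (best effort, not fatal).
    for command in ("echo:|date {0}".format(thedate),
                    "echo:|time {0}".format(thetime)):
        status = os.system(command)
        if status != 0:
            log.warning("Clock command exited with status {0}: {1}".format(
                status, command))
    log.info("Date set to: {0}, time set to: {1}".format(thedate, thetime))

    # Set the default DLL to be used by the PipeHandler.
    DEFAULT_DLL = self.config.get_options().get("dll")

    # PID of services.exe, used for monitoring services. Left untouched
    # when it cannot be resolved.
    svcpid = self.pids_from_process_name_list(["services.exe"])
    if svcpid:
        SERVICES_PID = svcpid[0]

    # Processes belonging to the analysis infrastructure (VM tools,
    # monitoring utilities, the analyzer's own interpreter); their PIDs
    # end up in HIDE_PIDS, which the monitor presumably hides from the
    # sample.
    protected_procname_list = [
        "vmwareuser.exe",
        "vmwareservice.exe",
        "vboxservice.exe",
        "vboxtray.exe",
        "sandboxiedcomlaunch.exe",
        "sandboxierpcss.exe",
        "procmon.exe",
        "regmon.exe",
        "filemon.exe",
        "wireshark.exe",
        "netmon.exe",
        "prl_tools_service.exe",
        "prl_tools.exe",
        "prl_cc.exe",
        "sharedintapp.exe",
        "vmtoolsd.exe",
        "vmsrvc.exe",
        "python.exe",
        "perl.exe",
    ]
    HIDE_PIDS = set(self.pids_from_process_name_list(protected_procname_list))

    # Initialize and start the Pipe Servers. This is going to be used for
    # communicating with the injected and monitored processes.
    for idx in xrange(self.PIPE_SERVER_COUNT):
        self.pipes[idx] = PipeServer(self.config)
        self.pipes[idx].daemon = True
        self.pipes[idx].start()

    # File samples are resolved under %TEMP%; os.path.join inserts the
    # separator itself. Anything else (a URL) is stored as given.
    if self.config.category == "file":
        self.target = os.path.join(os.environ["TEMP"],
                                   str(self.config.file_name))
    else:
        self.target = self.config.target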
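def prepare(self):
    """Prepare env for analysis.

    Grants SeDebugPrivilege, copies the monitor DLLs and loaders to their
    randomised names, creates and protects the result folders, initialises
    logging, loads ``analysis.conf``, sets the guest clock through
    ``SetSystemTime``, fills the module globals ``DEFAULT_DLL``,
    ``SERVICES_PID`` and ``HIDE_PIDS``, starts the pipe servers and
    records the target.
    """
    global DEFAULT_DLL
    global SERVICES_PID
    global HIDE_PIDS

    # Get SeDebugPrivilege for the Python process. It will be needed in
    # order to perform the injections.
    grant_debug_privilege()

    # Copy the cuckoomon DLLs and loader executables to the randomised
    # names chosen at module level (presumably so the sample cannot
    # recognise them by their well-known filenames).
    copy("dll\\cuckoomon.dll", CUCKOOMON32_NAME)
    copy("dll\\cuckoomon_x64.dll", CUCKOOMON64_NAME)
    copy("bin\\loader.exe", LOADER32_NAME)
    copy("bin\\loader_x64.exe", LOADER64_NAME)

    # Create the folders used for storing the results and register the
    # analyzer's own directories as protected paths.
    create_folders()
    add_protected_path(os.getcwd())
    add_protected_path(PATHS["root"])

    # Initialize logging.
    init_logging()

    # Parse the analysis configuration file generated by the agent.
    self.config = Config(cfg="analysis.conf")

    # Set virtual machine clock through the Win32 API instead of the
    # localised DATE/TIME shell commands.
    # NOTE(review): SetSystemTime interprets the struct as UTC -- confirm
    # the configured clock is meant as UTC rather than guest-local time.
    clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
    systime = SYSTEMTIME()
    systime.wYear = clock.year
    systime.wMonth = clock.month
    systime.wDay = clock.day
    systime.wHour = clock.hour
    systime.wMinute = clock.minute
    systime.wSecond = clock.second
    systime.wMilliseconds = 0
    thedate = clock.strftime("%m-%d-%y")
    thetime = clock.strftime("%H:%M:%S")
    # SetSystemTime returns a BOOL; it was previously unchecked, so a
    # failure (it typically needs SeSystemtimePrivilege) left the clock
    # unchanged while the log still claimed it had been set.
    if KERNEL32.SetSystemTime(byref(systime)):
        log.info("Date set to: {0}, time set to: {1}".format(thedate, thetime))
    else:
        log.warning("SetSystemTime failed; guest clock left unchanged "
                    "(wanted date {0}, time {1})".format(thedate, thetime))

    # Set the default DLL to be used by the PipeHandler.
    DEFAULT_DLL = self.config.get_options().get("dll")

    # PID of services.exe, used for monitoring services. Left untouched
    # when it cannot be resolved.
    svcpid = self.pids_from_process_name_list(["services.exe"])
    if svcpid:
        SERVICES_PID = svcpid[0]

    # Processes belonging to the analysis infrastructure (VM tools,
    # monitoring utilities, the analyzer's own interpreter); their PIDs
    # end up in HIDE_PIDS, which the monitor presumably hides from the
    # sample.
    protected_procname_list = [
        "vmwareuser.exe",
        "vmwareservice.exe",
        "vboxservice.exe",
        "vboxtray.exe",
        "sandboxiedcomlaunch.exe",
        "sandboxierpcss.exe",
        "procmon.exe",
        "regmon.exe",
        "filemon.exe",
        "wireshark.exe",
        "netmon.exe",
        "prl_tools_service.exe",
        "prl_tools.exe",
        "prl_cc.exe",
        "sharedintapp.exe",
        "vmtoolsd.exe",
        "vmsrvc.exe",
        "python.exe",
        "perl.exe",
    ]
    HIDE_PIDS = set(self.pids_from_process_name_list(protected_procname_list))

    # Initialize and start the Pipe Servers. This is going to be used for
    # communicating with the injected and monitored processes.
    for idx in xrange(self.PIPE_SERVER_COUNT):
        self.pipes[idx] = PipeServer(self.config)
        self.pipes[idx].daemon = True
        self.pipes[idx].start()

    # File samples are resolved under %TEMP%; os.path.join inserts the
    # separator itself. Anything else (a URL) is stored as given.
    if self.config.category == "file":
        self.target = os.path.join(os.environ["TEMP"],
                                   str(self.config.file_name))
    else:
        self.target = self.config.target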
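def prepare(self):
    """Prepare env for analysis.

    Grants SeDebugPrivilege, creates and protects the result folders,
    initialises logging, loads ``analysis.conf``, sets the guest clock via
    DATE/TIME, resolves ``DEFAULT_DLL`` and the ``services.exe`` PID
    (``SERVICES_PID``, ``None`` when tasklist keeps failing) into module
    globals, starts the pipe servers and records the analysis target.
    """
    # Local import: the file's import block is outside this view.
    import subprocess

    global DEFAULT_DLL
    global SERVICES_PID

    # Get SeDebugPrivilege for the Python process. It will be needed in
    # order to perform the injections.
    grant_debug_privilege()

    # Create the folders used for storing the results and register the
    # analyzer's own directories as protected paths.
    create_folders()
    add_protected_path(os.getcwd())
    add_protected_path(PATHS["root"])

    # Initialize logging.
    init_logging()

    # Parse the analysis configuration file generated by the agent.
    self.config = Config(cfg="analysis.conf")

    # Set virtual machine clock.
    clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")

    # NOTE: Windows system has only localized commands with date format
    # following localization settings, so these commands for english date
    # format cannot work in other localizations.
    # In addition DATE and TIME commands are blocking if an incorrect
    # syntax is provided, so an echo trick is used to bypass the input
    # request and not block analysis.
    # strftime output is digits, '-' and ':' only, so the shell strings
    # cannot carry anything beyond what strptime accepted. A non-zero
    # exit status is logged (best effort) instead of silently dropped.
    for command in ("echo:|date {0}".format(clock.strftime("%m-%d-%y")),
                    "echo:|time {0}".format(clock.strftime("%H:%M:%S"))):
        status = os.system(command)
        if status != 0:
            log.warning("Clock command exited with status {0}: {1}".format(
                status, command))

    # Set the default DLL to be used by the PipeHandler.
    DEFAULT_DLL = self.config.get_options().get("dll")

    # Get the PID of services.exe for monitoring services.
    # tasklist sometimes fails under high load
    # (http://support.microsoft.com/kb/2732840), so retry a few times.
    # subprocess with an argument list replaces os.popen3: no shell is
    # involved and communicate() closes the pipes, which the previous
    # code never did.
    tasklist_cmd = ["tasklist", "/V", "/FI", "IMAGENAME eq services.exe"]
    output = err = ""
    for _attempt in range(4):
        try:
            proc = subprocess.Popen(tasklist_cmd,
                                    stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE,
                                    universal_newlines=True)
            output, err = proc.communicate()
        except OSError as exc:
            # tasklist itself could not be launched; treat like a failure.
            output, err = "", str(exc)
        if "services.exe" in output:
            break
        log.warning('tasklist failed with error "%s"' % (err))

    if "services.exe" not in output:
        # All attempts failed.
        log.error('Unable to retreive services.exe PID')
        SERVICES_PID = None
    else:
        # The PID is the first whitespace-delimited token following the
        # image name in the tasklist output.
        after_name = output[output.index("services.exe") +
                            len("services.exe"):].strip()
        SERVICES_PID = int(after_name.split(None, 1)[0], 10)
        log.debug('services.exe PID is %s' % (SERVICES_PID))

    # Initialize and start the Pipe Servers. This is going to be used for
    # communicating with the injected and monitored processes.
    for idx in xrange(self.PIPE_SERVER_COUNT):
        self.pipes[idx] = PipeServer()
        self.pipes[idx].daemon = True
        self.pipes[idx].start()

    # File samples are resolved under %TEMP%; os.path.join inserts the
    # separator itself. Anything else (a URL) is stored as given.
    if self.config.category == "file":
        self.target = os.path.join(os.environ["TEMP"],
                                   str(self.config.file_name))
    else:
        self.target = self.config.target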
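def prepare(self):
    """Prepare env for analysis.

    Grants SeDebugPrivilege, creates the result folders, initialises
    logging, loads ``analysis.conf`` and shares it with ``Process``, sets
    the guest clock via DATE/TIME, picks the command and log pipe names,
    starts both pipe servers and records the analysis target.
    """
    # Local import: the file's import block is outside this view.
    # NOTE(review): switch to the module's own logger if one exists.
    import logging
    logger = logging.getLogger(__name__)

    # Get SeDebugPrivilege for the Python process. It will be needed in
    # order to perform the injections.
    grant_debug_privilege()

    # Create the folders used for storing the results.
    create_folders()

    # Initialize logging.
    init_logging()

    # Parse the analysis configuration file generated by the agent and
    # pass it through to the Process class.
    self.config = Config(cfg="analysis.conf")
    Process.set_config(self.config)

    # Set virtual machine clock.
    clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")

    # NOTE: Windows system has only localized commands with date format
    # following localization settings, so these commands for english date
    # format cannot work in other localizations.
    # In addition DATE and TIME commands are blocking if an incorrect
    # syntax is provided, so an echo trick is used to bypass the input
    # request and not block analysis.
    # strftime output is digits, '-' and ':' only, so the shell strings
    # cannot carry anything beyond what strptime accepted. A non-zero
    # exit status is logged (best effort) instead of silently dropped.
    for command in ("echo:|date {0}".format(clock.strftime("%m-%d-%y")),
                    "echo:|time {0}".format(clock.strftime("%H:%M:%S"))):
        status = os.system(command)
        if status != 0:
            logger.warning("Clock command exited with status %s: %s",
                           status, command)

    # Set the default DLL to be used for this analysis.
    self.default_dll = self.config.options.get("dll")

    # Command pipe name from the options when set, random otherwise; the
    # log pipe name is always random.
    # NOTE(review): the name is what keeps unrelated processes from
    # finding the pipe; assumes random_string is not predictable -- confirm.
    if "pipe" in self.config.options:
        self.config.pipe = "\\\\.\\PIPE\\%s" % self.config.options["pipe"]
    else:
        self.config.pipe = "\\\\.\\PIPE\\%s" % random_string(16, 32)
    self.config.logpipe = "\\\\.\\PIPE\\%s" % random_string(16, 32)

    # Initialize and start the Command Handler pipe server. This is going
    # to be used for communicating with the monitored processes.
    self.command_pipe = PipeServer(PipeDispatcher, self.config.pipe,
                                   message=True,
                                   dispatcher=CommandPipeHandler(self))
    self.command_pipe.daemon = True
    self.command_pipe.start()

    # Initialize and start the Log Pipe Server - monitored processes send
    # their logs to this pipe and they are forwarded to the host at
    # (ip, port).
    destination = self.config.ip, self.config.port
    self.log_pipe_server = PipeServer(PipeForwarder, self.config.logpipe,
                                      destination=destination)
    self.log_pipe_server.daemon = True
    self.log_pipe_server.start()

    # File samples are resolved under %TEMP%; os.path.join inserts the
    # separator itself. Anything else (a URL) is stored as given.
    if self.config.category == "file":
        self.target = os.path.join(os.environ["TEMP"], self.config.file_name)
    else:
        self.target = self.config.target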
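def prepare(self):
    """Prepare env for analysis.

    Grants SeDebugPrivilege, initialises logging, loads ``analysis.conf``
    and shares it with ``Process``, sets the guest clock via DATE/TIME,
    picks the command and log pipe names, starts both pipe servers and
    records the analysis target.
    """
    # Local import: the file's import block is outside this view.
    # NOTE(review): switch to the module's own logger if one exists.
    import logging
    logger = logging.getLogger(__name__)

    # Get SeDebugPrivilege for the Python process. It will be needed in
    # order to perform the injections.
    grant_debug_privilege()

    # Initialize logging.
    init_logging()

    # Parse the analysis configuration file generated by the agent and
    # pass it through to the Process class.
    self.config = Config(cfg="analysis.conf")
    Process.set_config(self.config)

    # Set virtual machine clock.
    clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")

    # NOTE: Windows system has only localized commands with date format
    # following localization settings, so these commands for english date
    # format cannot work in other localizations.
    # In addition DATE and TIME commands are blocking if an incorrect
    # syntax is provided, so an echo trick is used to bypass the input
    # request and not block analysis.
    # strftime output is digits, '-' and ':' only, so the shell strings
    # cannot carry anything beyond what strptime accepted. A non-zero
    # exit status is logged (best effort) instead of silently dropped.
    for command in ("echo:|date {0}".format(clock.strftime("%m-%d-%y")),
                    "echo:|time {0}".format(clock.strftime("%H:%M:%S"))):
        status = os.system(command)
        if status != 0:
            logger.warning("Clock command exited with status %s: %s",
                           status, command)

    # Set the default DLL to be used for this analysis.
    self.default_dll = self.config.options.get("dll")

    # Command pipe name from the options when set, random otherwise; the
    # log pipe name is always random.
    # NOTE(review): the name is what keeps unrelated processes from
    # finding the pipe; assumes random_string is not predictable -- confirm.
    if "pipe" in self.config.options:
        self.config.pipe = "\\\\.\\PIPE\\%s" % self.config.options["pipe"]
    else:
        self.config.pipe = "\\\\.\\PIPE\\%s" % random_string(16, 32)
    self.config.logpipe = "\\\\.\\PIPE\\%s" % random_string(16, 32)

    # Initialize and start the Command Handler pipe server. This is going
    # to be used for communicating with the monitored processes.
    self.command_pipe = PipeServer(PipeDispatcher, self.config.pipe,
                                   message=True,
                                   dispatcher=CommandPipeHandler(self))
    self.command_pipe.daemon = True
    self.command_pipe.start()

    # Initialize and start the Log Pipe Server - monitored processes send
    # their logs to this pipe and they are forwarded to the host at
    # (ip, port).
    destination = self.config.ip, self.config.port
    self.log_pipe_server = PipeServer(PipeForwarder, self.config.logpipe,
                                      destination=destination)
    self.log_pipe_server.daemon = True
    self.log_pipe_server.start()

    # File samples are resolved under %TEMP%; os.path.join inserts the
    # separator itself. Anything else (a URL) is stored as given.
    if self.config.category == "file":
        self.target = os.path.join(os.environ["TEMP"], self.config.file_name)
    else:
        self.target = self.config.target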