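def prepare(self):
    """Prepare the guest environment for analysis.

    Creates the result folders, initialises logging, loads the
    ``analysis.conf`` written by the agent, optionally synchronises the guest
    clock to the configured value and resolves ``self.target``: a path in
    the temp directory for ``file`` analyses, the raw target string (e.g. a
    URL) otherwise.
    """
    import logging
    import subprocess

    # Create the folders used for storing the results.
    create_folders()

    # Initialize logging.
    init_logging()

    # Parse the analysis configuration file generated by the agent.
    self.config = Config(cfg="analysis.conf")

    if self.config.get("clock", None):
        # Set the virtual machine clock. strptime() only accepts the exact
        # agent format, so a malformed value fails loudly here instead of
        # reaching the date(1) invocation below.
        clock = datetime.datetime.strptime(
            self.config.clock, "%Y%m%dT%H:%M:%S"
        )

        # Run date(1) with an argument vector rather than a shell command
        # string: there is nothing for a shell to do here and the argv form
        # cannot be re-parsed. The value is strftime output, so it contains
        # only digits, '-', ':' and a space.
        # NOTE(review): the two-digit year ("%y") is kept as in the original;
        # date(1) on the target platform evidently accepted it.
        rc = subprocess.call(
            ["date", "-s", clock.strftime("%y-%m-%d %H:%M:%S")]
        )
        if rc != 0:
            # Clock sync is best-effort: a failure must not abort the
            # analysis, but it should not pass unnoticed either.
            logging.getLogger(__name__).warning(
                "Failed to set the machine clock (exit status %s)", rc
            )

    # We update the target according to its category. If it's a file, then
    # we store the path.
    # NOTE(review): file_name is joined as-is; confirm the host only ever
    # sends a bare basename.
    if self.config.category == "file":
        self.target = os.path.join(tempfile.gettempdir(),
                                   self.config.file_name)
    # If it's a URL, well.. we store the URL.
    else:
        self.target = self.config.target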
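def test_upload_to_host():
    """upload_to_host() must report a missing file over the log socket and
    then stream a real file with the expected ``FILE`` header.

    A throwaway listener on 127.0.0.1 stands in for the result server; its
    address is written to ``analysis.conf`` so init_logging() targets it.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)

    with open("analysis.conf", "wb") as f:
        f.write("[hello]\nip = %s\nport = %d" % s.getsockname())

    # Snapshot the root logger's handlers so the test leaves the logging
    # configuration exactly as it found it, even when an assertion fails.
    handlers = logging.getLogger().handlers[:]
    init_logging()

    conns = []
    try:
        # Test file not found exception (U+202E is the RTL override used for
        # filename spoofing; it must survive logging as an escaped name).
        upload_to_host(u"\u202ethisis404.exe", "1.exe")

        c, _ = s.accept()
        conns.append(c)
        assert "Exception uploading file u'\\u202e" in c.recv(0x1000)

        c, _ = s.accept()
        conns.append(c)
        assert "FILE 2\n1.exe\n\xe2\x80\xaethisis404.exe\n" in c.recv(0x1000)

        # Test correct upload.
        upload_to_host(__file__, "1.py", ["1", "2", "3"])

        c, _ = s.accept()
        conns.append(c)
        assert c.recv(0x1000).startswith(
            "FILE 2\n1.py\n%s\n1 2 3\n# Copyright (C" % __file__
        )
    finally:
        # Release every accepted connection and the listener (the original
        # leaked all of them) and restore the handlers so the socket handler
        # installed by init_logging() does not bleed into later tests.
        for c in conns:
            c.close()
        s.close()
        logging.getLogger().handlers = handlers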
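def test_add_file_unicode(p):
    """Files().add_file() must accept a non-ASCII (RTL-override) name without
    raising while the socket log handler from init_logging() is active.

    :param p: presumably a pytest fixture (unused here) -- TODO confirm
    """
    with open("analysis.conf", "wb") as f:
        f.write("[foo]\nip = 127.0.0.1\nport = 54321")

    handlers = logging.getLogger().handlers[:]
    init_logging()
    try:
        # U+202E RIGHT-TO-LEFT OVERRIDE, a classic filename-spoofing trick.
        Files().add_file("\xe2\x80\xae".decode("utf8"))
    finally:
        # Restore the root logger even if add_file() raises, so the handler
        # installed by init_logging() does not leak into other tests.
        logging.getLogger().handlers = handlers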
def prepare(self):
    """Set up the guest for analysis.

    Acquires SeDebugPrivilege (needed for process injection), creates the
    result folders, initialises logging, loads ``analysis.conf`` as written
    by the agent, starts ``PIPE_SERVER_COUNT`` daemon pipe servers for the
    injected processes and resolves ``self.target``.
    """
    # Injection into other processes needs SeDebugPrivilege.
    grant_debug_privilege()

    create_folders()
    init_logging()

    # Configuration handed over by the agent.
    self.config = Config(cfg="analysis.conf")

    # One daemon PipeServer per slot; monitored processes talk to us over
    # these.
    for slot in xrange(self.PIPE_SERVER_COUNT):
        self.pipes[slot] = PipeServer()
        self.pipes[slot].daemon = True
        self.pipes[slot].start()

    # A "file" analysis points at the dropped sample in %TEMP%; anything
    # else (e.g. a URL) is used verbatim.
    category = self.config.category
    if category == "file":
        temp_dir = os.environ["TEMP"] + os.sep
        self.target = os.path.join(temp_dir, self.config.file_name)
    else:
        self.target = self.config.target
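def init_droidpot(debug=False, quiet=False, new_module=None):
    """
    Initialize droidpot.

    Either scaffolds a new module (when ``new_module`` is given) and exits,
    or checks the environment, sets the console log level, initialises the
    managers/modules and starts the Django web interface.

    :param debug: enable DEBUG log level
    :param quiet: raise the log level to WARN (applied after ``debug``, so
        it wins when both are set)
    :param new_module: optional ``[type, name]`` pair; ``type`` is one of
        ``monitor``, ``profile`` or ``processing``
    :return: nil (every path terminates the process via ``exit``)
    """
    # A mutable default ([]) would be shared across calls; use None instead.
    if new_module is None:
        new_module = []

    try:
        if new_module:
            # Adding a new module: scaffold it and stop.
            MODULE_TYPE = 0
            MODULE_NAME = 1
            if len(new_module) < 2:
                print("error. exiting...")
                exit(1)
            module_type = new_module[MODULE_TYPE]
            module_name = new_module[MODULE_NAME]
            if module_type == "monitor":
                print("Creating monitor module %s ..." % module_name)
                create_monitor_module(module_name)
                exit(0)
            elif module_type == "profile":
                print("Creating profile module %s ..." % module_name)
                create_profile_module(module_name)
                exit(0)
            elif module_type == "processing":
                print("Creating processing module %s ..." % module_name)
                create_processing_module(module_name)
                exit(0)
            else:
                # "reporting" modules are not supported yet: the scaffolder
                # for them was disabled.
                print("error. exiting...")
                exit(1)

        logo()
        init_logging()
        check_ini_files()
        # check_device_compatibility()
        check_root()
        check_modules()
        log.info("Modules loaded successfully")

        if debug:
            log.setLevel(logging.DEBUG)
        if quiet:
            log.setLevel(logging.WARN)

        log.info("Starting Django web interface")
        subprocess.call(["python", "web/manage.py", "migrate",
                         "--verbosity", "0"])
        # NOTE(review): runserver is Django's development server; make sure
        # this is not what gets exposed in a production deployment.
        subprocess.call(["python", "web/manage.py", "runserver"])
    except InitilizeError as ie:
        # Say why we are giving up instead of exiting silently.
        log.error("Initialization failed: %s", ie)
        exit(1)
    except KeyboardInterrupt:
        exit(0)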
def prepare(self):
    """Prepare the guest for analysis.

    Grants SeDebugPrivilege, creates and protects the result folders,
    initialises logging, loads ``analysis.conf``, sets the guest clock via
    the DATE/TIME shell commands, records the default monitor DLL and the
    services.exe PID in module globals, starts the pipe servers and
    resolves ``self.target``.
    """
    global DEFAULT_DLL
    global SERVICES_PID

    # Injection needs SeDebugPrivilege.
    grant_debug_privilege()

    # Result folders; keep our own directories out of the sample's reach.
    create_folders()
    add_protected_path(os.getcwd())
    add_protected_path(PATHS["root"])

    init_logging()

    # Configuration written by the agent.
    self.config = Config(cfg="analysis.conf")

    # Guest clock. strptime() pins the exact format, so only digits, '-'
    # and ':' end up in the command lines below.
    clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
    thedate = clock.strftime("%m-%d-%y")
    thetime = clock.strftime("%H:%M:%S")
    # DATE/TIME are localized (English date format only) and would block
    # waiting for input on a syntax error; piping "echo:" into them avoids
    # the hang.
    os.system("echo:|date {0}".format(thedate))
    os.system("echo:|time {0}".format(thetime))
    log.info("Date set to: %s, time set to: %s", thedate, thetime)

    # Default DLL for the PipeHandler.
    DEFAULT_DLL = self.config.get_options().get("dll")

    # services.exe PID, needed for service monitoring.
    SERVICES_PID = self.pid_from_process_name("services.exe")

    # Pipe servers for the injected/monitored processes.
    for idx in xrange(self.PIPE_SERVER_COUNT):
        self.pipes[idx] = PipeServer(self.config.get_options())
        self.pipes[idx].daemon = True
        self.pipes[idx].start()

    # Target: the dropped sample in %TEMP% for "file" analyses, otherwise
    # the raw target (e.g. a URL).
    if self.config.category == "file":
        temp_dir = os.environ["TEMP"] + os.sep
        self.target = os.path.join(temp_dir, str(self.config.file_name))
    else:
        self.target = self.config.target
def prepare(self):
    """Prepare the guest for analysis.

    Grants SeDebugPrivilege, initialises logging, loads ``analysis.conf``,
    hands the configuration to ``Process``, sets the guest clock, selects
    the monitor DLL, starts the command pipe server and the log-forwarding
    pipe server (named randomly unless ``options["pipe"]`` is set) and
    resolves ``self.target``.
    """
    # Needed for the injections.
    grant_debug_privilege()

    init_logging()

    # Configuration from the agent, shared with the Process class.
    self.config = Config(cfg="analysis.conf")
    Process.set_config(self.config)

    # Guest clock.
    set_clock(datetime.datetime.strptime(
        self.config.clock, "%Y%m%dT%H:%M:%S"
    ))

    options = self.config.options
    self.default_dll = options.get("dll")

    # Command pipe: caller-supplied name if given, else a random one.
    # NOTE(review): how random_string() draws its randomness is not visible
    # here; if the pipe name is meant to be unguessable by the sample it
    # should come from a CSPRNG -- confirm.
    pipe_fmt = "\\\\.\\PIPE\\%s"
    if "pipe" in options:
        self.config.pipe = pipe_fmt % options["pipe"]
    else:
        self.config.pipe = pipe_fmt % random_string(16, 32)

    # Log pipe: always random.
    self.config.logpipe = pipe_fmt % random_string(16, 32)

    # Command handler: monitored processes send their requests here.
    command_pipe = PipeServer(PipeDispatcher, self.config.pipe,
                              message=True,
                              dispatcher=CommandPipeHandler(self))
    command_pipe.daemon = True
    self.command_pipe = command_pipe
    self.command_pipe.start()

    # Log forwarder: monitored processes write log records here and they
    # are relayed to the host at (ip, port).
    destination = self.config.ip, self.config.port
    log_server = PipeServer(PipeForwarder, self.config.logpipe,
                            destination=destination)
    log_server.daemon = True
    self.log_pipe_server = log_server
    self.log_pipe_server.start()

    # Target: dropped sample in %TEMP% for "file" analyses, else verbatim.
    if self.config.category == "file":
        temp_dir = os.environ["TEMP"] + os.sep
        self.target = os.path.join(temp_dir, self.config.file_name)
    else:
        self.target = self.config.target
def prepare(self):
    """Prepare the guest for analysis.

    Grants SeDebugPrivilege, creates the result folders, initialises
    logging, loads ``analysis.conf`` from ``PATHS["root"]``, starts a single
    daemon pipe server and records the sample path (``file_name`` under the
    system drive root) in ``self.file_path``.
    """
    grant_debug_privilege()
    create_folders()
    init_logging()

    # The agent drops analysis.conf in the analyzer root.
    conf_path = os.path.join(PATHS["root"], "analysis.conf")
    self.config = Config(cfg=conf_path)

    server = PipeServer()
    server.daemon = True
    self.pipe = server
    self.pipe.start()

    # The sample lives directly under the system drive, e.g. C:\sample.exe.
    drive_root = os.environ["SYSTEMDRIVE"] + os.sep
    self.file_path = os.path.join(drive_root, self.config.file_name)
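def create_app(config):
    """Build and configure the Flask application for the named configuration.

    :param config: key into ``settings`` selecting the configuration object
    :return: the configured :class:`flask.Flask` instance
    :raises MaliceDependencyError: when HTTPS enforcement is required (not
        debug, not testing, ``SSL_DISABLE`` false) but Flask-SSLify is not
        installed
    """
    # create_structure()

    # Define the WSGI application object.
    app = Flask(__name__)
    # Cap request bodies (sample uploads) at 200MB.
    app.config['MAX_CONTENT_LENGTH'] = 200 * 1024 * 1024  # 200MB

    # Configurations.
    app.config.from_object(settings[config])
    settings[config].init_app(app)

    if not app.testing:
        logo()
        check_version()
        check_configs()

    # NOTE(review): every non-test run logs at DEBUG; confirm nothing
    # sensitive (credentials, sample contents) is emitted at that level.
    if app.testing:
        init_logging('info')
    else:
        init_logging('debug')

    init_modules()

    # Init all Flask add-ons.
    bootstrap.init_app(app)
    # pagedown.init_app(app)
    db.init_app(app)
    mail.init_app(app)

    if app.config['USE_LDAP'] == 'yes':
        # LDAP login.
        # TODO : Test out LDAP
        app.add_url_rule('/login', 'login', ldap.login,
                         methods=['GET', 'POST'])
        ldap.init_app(app)
    else:
        login_manager.login_view = 'auth.login'
        login_manager.init_app(app)

    # Force HTTPS outside debug/testing unless explicitly disabled.
    if not app.debug and not app.testing and not app.config['SSL_DISABLE']:
        try:
            from flask.ext.sslify import SSLify
        except ImportError:
            # The original handler re-imported the same module here, so the
            # ImportError always propagated and this message was never
            # reached. Raise the intended, actionable error instead.
            raise MaliceDependencyError("Unable to import Flask-SSLify "
                                        "(install with `pip install Flask-SSLify`)")
        SSLify(app)

    # Register blueprint(s).
    from .malice import malice as malice_blueprint
    app.register_blueprint(malice_blueprint)

    from .mod_auth import mod_auth as auth_module
    app.register_blueprint(auth_module, url_prefix='/auth')

    # from app.mod_api.controller import mod_api as api_module
    # app.register_blueprint(api_module, url_prefix='/api/v1')

    return app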
def prepare(self):
    """Prepare the guest for analysis: result folders, logging, the agent's
    ``analysis.conf`` and the machine clock, in that order."""
    create_folders()
    init_logging()

    # Configuration written by the agent.
    self.parse_config("analysis.conf")

    # Clock must follow config parsing: the time comes from it.
    self.setup_machine_time()
def prepare(self):
    """Initialise logging, load ``analysis.conf`` and resolve ``self.target``
    (``/tmp/<file_name>`` for ``file`` analyses, the raw target otherwise).
    """
    init_logging()

    # Configuration written by the agent.
    self.config = Config(cfg="analysis.conf")

    # NOTE(review): file_name is joined as-is; confirm the host only ever
    # sends a bare basename.
    category = self.config.category
    if category == "file":
        sample_name = str(self.config.file_name)
        self.target = os.path.join("/tmp", sample_name)
    else:
        # e.g. a URL -- used verbatim.
        self.target = self.config.target
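def test_execute_correct_logging():
    """Process.execute() on a non-existent unicode path must log the escaped
    name (containing ``202e``, the RTL override) to the configured socket.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)

    with open("analysis.conf", "wb") as f:
        f.write("[hello]\nip = %s\nport = %d" % s.getsockname())

    handlers = logging.getLogger().handlers[:]
    init_logging()
    try:
        try:
            Process().execute(u"unicodefile\u202ethatdoesnotexist")
        finally:
            # Restore the root logger before reading the socket (as the
            # original did), and do so even when execute() raises.
            logging.getLogger().handlers = handlers

        c, _ = s.accept()
        try:
            assert "202e" in c.recv(0x1000)
        finally:
            c.close()
    finally:
        # The listener was never closed in the original; release the port.
        s.close()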
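def prepare(self):
    """Prepare the device for analysis.

    Initialises logging, loads ``analysis.conf`` from the agent and resolves
    ``self.target``. For ``file`` analyses the target lives under ``/tmp``
    and the hooks description is pushed to the device via ``adb``.
    """
    import logging

    # Initialize logging.
    init_logging()

    # Parse the analysis configuration file generated by the agent.
    self.config = Config(cfg="analysis.conf")

    # We update the target according to its category. If it's a file, then
    # we store the path.
    if self.config.category == "file":
        self.target = os.path.join("/tmp", str(self.config.file_name))

        # Run adb with an argument vector instead of "shell=True": nothing
        # here needs a shell and the argv form cannot be re-parsed. Output
        # goes to /dev/null rather than an unread PIPE (which could fill
        # and stall the child). A failed push used to be silent, leaving
        # the analysis to run without hooks; report it.
        with open(os.devnull, "w") as devnull:
            rc = subprocess.call(
                ["adb", "push", "config/hooks.json", "/data/local/tmp/"],
                stdout=devnull, stderr=devnull,
            )
        if rc != 0:
            logging.getLogger(__name__).warning(
                "adb push of config/hooks.json failed (exit status %s)", rc
            )
    # If it's a URL, well.. we store the URL.
    else:
        self.target = self.config.target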
def prepare(self):
    """Prepare the guest for analysis.

    Grants SeDebugPrivilege, initialises logging, loads ``analysis.conf``,
    hands the configuration to ``Process``, sets the guest clock through the
    DATE/TIME shell commands, selects the monitor DLL, starts the command
    and log pipe servers and resolves ``self.target``.
    """
    # Needed for the injections.
    grant_debug_privilege()

    init_logging()

    # Configuration from the agent, shared with the Process class.
    self.config = Config(cfg="analysis.conf")
    Process.set_config(self.config)

    # Guest clock. strptime() pins the exact format, so only digits, '-'
    # and ':' reach the command lines. DATE/TIME are localized (English
    # format only) and block on a syntax error; piping "echo:" in avoids
    # the hang.
    clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
    os.system("echo:|date {0}".format(clock.strftime("%m-%d-%y")))
    os.system("echo:|time {0}".format(clock.strftime("%H:%M:%S")))

    options = self.config.options
    self.default_dll = options.get("dll")

    # Command pipe: caller-supplied name if given, else random.
    pipe_fmt = "\\\\.\\PIPE\\%s"
    if "pipe" in options:
        self.config.pipe = pipe_fmt % options["pipe"]
    else:
        self.config.pipe = pipe_fmt % random_string(16, 32)

    # Log pipe: always random.
    self.config.logpipe = pipe_fmt % random_string(16, 32)

    # Command handler: monitored processes send their requests here.
    command_pipe = PipeServer(PipeDispatcher, self.config.pipe,
                              message=True,
                              dispatcher=CommandPipeHandler(self))
    command_pipe.daemon = True
    self.command_pipe = command_pipe
    self.command_pipe.start()

    # Log forwarder: relays monitored processes' log records to the host.
    destination = self.config.ip, self.config.port
    log_server = PipeServer(PipeForwarder, self.config.logpipe,
                            destination=destination)
    log_server.daemon = True
    self.log_pipe_server = log_server
    self.log_pipe_server.start()

    # Target: dropped sample in %TEMP% for "file" analyses, else verbatim.
    if self.config.category == "file":
        temp_dir = os.environ["TEMP"] + os.sep
        self.target = os.path.join(temp_dir, self.config.file_name)
    else:
        self.target = self.config.target
sniff_interfaces = ["eth0"] # default interface if __name__ == "__main__": # To Do: Implement argparse parser = argparse.ArgumentParser() parser.add_argument("-d","--debug", help="Display debug messages", action="store_true", required=False) parser.add_argument("-i","--interfaces", help="Filter traffic for a specific interface", type=str, required=False) parser.add_argument("-p","--protocols", help="Protocols to be sniffed", type=str, required=False) parser.add_argument("-P","--plot", help="Plot file downloads", action="store_true", required=False) parser.add_argument("-c","--comment", help="Comment for statistical analysis", type=str, required=False) parser.add_argument("-e","--extract", help="Extract suspicious files for later analysis", action="store_true", required=False) args = parser.parse_args() # Start console and file logging init_logging() # Check for existing config files check_configs() if args.debug: log.setLevel(logging.DEBUG) if args.interfaces: sniff_interfaces = args.interfaces.split(",") log.debug("Interfaces: %s", repr(sniff_interfaces)) if args.plot: folder_path = os.path.join(ETHERSNIFF_ROOT,"log") if not os.path.exists(folder_path): os.makedirs(folder_path)
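def create_app(config):
    """Build and configure the Flask application for the named configuration.

    Outside DEBUG/TESTING, application errors are e-mailed to
    ``MAIL_ERROR_RECIPIENT`` (if set) and warnings go to syslog.

    :param config: key into ``settings`` selecting the configuration object
    :return: the configured :class:`flask.Flask` instance
    """
    logo()
    check_configs()
    check_version()
    init_logging()
    # log.setLevel(logging.DEBUG)
    init_modules()
    # create_structure()

    # Define the WSGI application object.
    app = Flask(__name__)

    # Configurations.
    app.config.from_object(settings[config])

    # if True:
    if not app.config['DEBUG'] and not app.config['TESTING']:
        # Configure logging for production.
        import logging

        # E-mail errors to the administrators.
        if app.config.get('MAIL_ERROR_RECIPIENT') is not None:
            from logging.handlers import SMTPHandler
            credentials = None
            secure = None
            if app.config.get('MAIL_USERNAME') is not None:
                credentials = (app.config['MAIL_USERNAME'],
                               app.config['MAIL_PASSWORD'])
                # Only request STARTTLS when it is actually enabled. The
                # original tested "is not None", which is also true for
                # MAIL_USE_TLS = False and so forced TLS on plain servers.
                if app.config.get('MAIL_USE_TLS'):
                    secure = ()
            mail_handler = SMTPHandler(
                mailhost=(app.config['MAIL_SERVER'], app.config['MAIL_PORT']),
                fromaddr=app.config['DEFAULT_MAIL_SENDER'],
                toaddrs=[app.config['MAIL_ERROR_RECIPIENT']],
                subject='[Malice] Application Error',
                credentials=credentials,
                secure=secure)
            mail_handler.setLevel(logging.ERROR)
            app.logger.addHandler(mail_handler)

        # Send standard logs to syslog.
        from logging.handlers import SysLogHandler
        syslog_handler = SysLogHandler()
        syslog_handler.setLevel(logging.WARNING)
        app.logger.addHandler(syslog_handler)

    # pagedown.init_app(app)
    db.init_app(app)
    mail.init_app(app)

    if app.config['USE_LDAP']:
        # LDAP login.
        # TODO : Test out LDAP
        app.add_url_rule('/login', 'login', ldap.login,
                         methods=['GET', 'POST'])
        ldap.init_app(app)
    else:
        login_manager.init_app(app)

    # Register blueprint(s).
    from .malice import malice as malice_blueprint
    app.register_blueprint(malice_blueprint)

    from app.mod_users.routes import mod_user as user_module
    app.register_blueprint(user_module, url_prefix='/auth')

    # from app.mod_api.controller import mod_api as api_module
    # app.register_blueprint(api_module, url_prefix='/api/v1')

    from app.emails import start_email_thread

    @app.before_first_request
    def before_first_request():
        # Background mailer is started lazily with the first request.
        start_email_thread()

    # from werkzeug.contrib.fixers import ProxyFix
    # app.wsgi_app = ProxyFix(app.wsgi_app)

    return app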
def prepare(self):
    """Prepare the guest for analysis.

    Grants SeDebugPrivilege, copies the monitor DLLs and loaders to their
    randomised names, creates and protects the result folders, initialises
    logging, loads ``analysis.conf``, sets the guest clock via the
    DATE/TIME shell commands, records the default DLL, the services.exe PID
    and the PIDs to hide from the sample in module globals, starts the pipe
    servers and resolves ``self.target``.
    """
    global DEFAULT_DLL
    global SERVICES_PID
    global HIDE_PIDS

    # Injection needs SeDebugPrivilege.
    grant_debug_privilege()

    # Randomised names for the monitor DLLs and loaders so the sample cannot
    # spot them by their well-known file names.
    copy("dll\\cuckoomon.dll", CUCKOOMON32_NAME)
    copy("dll\\cuckoomon_x64.dll", CUCKOOMON64_NAME)
    copy("bin\\loader.exe", LOADER32_NAME)
    copy("bin\\loader_x64.exe", LOADER64_NAME)

    # Result folders; keep our own directories out of the sample's reach.
    create_folders()
    add_protected_path(os.getcwd())
    add_protected_path(PATHS["root"])

    init_logging()

    # Configuration written by the agent.
    self.config = Config(cfg="analysis.conf")

    # Guest clock. strptime() pins the exact format, so only digits, '-'
    # and ':' reach the command lines. DATE/TIME are localized (English
    # format only) and block on a syntax error; piping "echo:" in avoids
    # the hang.
    clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
    thedate = clock.strftime("%m-%d-%y")
    thetime = clock.strftime("%H:%M:%S")
    os.system("echo:|date {0}".format(thedate))
    os.system("echo:|time {0}".format(thetime))
    log.info("Date set to: %s, time set to: %s", thedate, thetime)

    # Default DLL for the PipeHandler.
    DEFAULT_DLL = self.config.get_options().get("dll")

    # services.exe PID, needed for service monitoring (None-safe: only set
    # when found).
    svcpid = self.pids_from_process_name_list(["services.exe"])
    if svcpid:
        SERVICES_PID = svcpid[0]

    # Hypervisor tools, sandbox helpers, monitors and our own interpreters:
    # their PIDs are hidden from the sample.
    protected_procname_list = [
        "vmwareuser.exe",
        "vmwareservice.exe",
        "vboxservice.exe",
        "vboxtray.exe",
        "sandboxiedcomlaunch.exe",
        "sandboxierpcss.exe",
        "procmon.exe",
        "regmon.exe",
        "filemon.exe",
        "wireshark.exe",
        "netmon.exe",
        "prl_tools_service.exe",
        "prl_tools.exe",
        "prl_cc.exe",
        "sharedintapp.exe",
        "vmtoolsd.exe",
        "vmsrvc.exe",
        "python.exe",
        "perl.exe",
    ]
    hidden = self.pids_from_process_name_list(protected_procname_list)
    HIDE_PIDS = set(hidden)

    # Pipe servers for the injected/monitored processes.
    for idx in xrange(self.PIPE_SERVER_COUNT):
        self.pipes[idx] = PipeServer(self.config)
        self.pipes[idx].daemon = True
        self.pipes[idx].start()

    # Target: the dropped sample in %TEMP% for "file" analyses, otherwise
    # the raw target (e.g. a URL).
    if self.config.category == "file":
        temp_dir = os.environ["TEMP"] + os.sep
        self.target = os.path.join(temp_dir, str(self.config.file_name))
    else:
        self.target = self.config.target
help="Training and test file", type=str, required=True) parser.add_argument("-c", "--classify", help="Classification file", type=str, required=False) parser.add_argument("--filter", help="Filter columns; format: c1,c2,c3", type=str, required=False) args = parser.parse_args() # Start console and file logging init_logging() log.setLevel(logging.DEBUG) bayes_classifier = BayesOneClass() # Read and parse the data file file_name = args.learnfile dataset = bayes_classifier.load_json(file_name) log.info('Loaded data file %s with %d streams.' % (file_name, len(dataset))) #print dataset # Filter columns #if args.filter: # log.info("Filtering columns: %s" % args.filter) # dataset = bayes_classifier.filter_columns(dataset, args.filter.split(","))
def prepare(self):
    """Prepare the guest for analysis.

    Grants SeDebugPrivilege, copies the monitor DLLs and loaders to their
    randomised names, creates and protects the result folders, initialises
    logging, loads ``analysis.conf``, sets the guest clock through
    ``SetSystemTime``, records the default DLL, the services.exe PID and the
    PIDs to hide from the sample in module globals, starts the pipe servers
    and resolves ``self.target``.
    """
    global DEFAULT_DLL
    global SERVICES_PID
    global HIDE_PIDS

    # Injection needs SeDebugPrivilege.
    grant_debug_privilege()

    # Randomised names for the monitor DLLs and loaders so the sample cannot
    # spot them by their well-known file names.
    copy("dll\\cuckoomon.dll", CUCKOOMON32_NAME)
    copy("dll\\cuckoomon_x64.dll", CUCKOOMON64_NAME)
    copy("bin\\loader.exe", LOADER32_NAME)
    copy("bin\\loader_x64.exe", LOADER64_NAME)

    # Result folders; keep our own directories out of the sample's reach.
    create_folders()
    add_protected_path(os.getcwd())
    add_protected_path(PATHS["root"])

    init_logging()

    # Configuration written by the agent.
    self.config = Config(cfg="analysis.conf")

    # Guest clock, set through the Win32 API instead of the shell commands.
    # NOTE(review): SetSystemTime() interprets the SYSTEMTIME as UTC; if
    # the agent sends local wall-clock time (as the DATE/TIME approach
    # assumed), the guest ends up offset by the timezone and SetLocalTime()
    # would be the matching call -- confirm what the host puts in "clock".
    clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
    systime = SYSTEMTIME()
    systime.wYear = clock.year
    systime.wMonth = clock.month
    systime.wDay = clock.day
    systime.wHour = clock.hour
    systime.wMinute = clock.minute
    systime.wSecond = clock.second
    systime.wMilliseconds = 0
    KERNEL32.SetSystemTime(byref(systime))

    thedate = clock.strftime("%m-%d-%y")
    thetime = clock.strftime("%H:%M:%S")
    log.info("Date set to: %s, time set to: %s", thedate, thetime)

    # Default DLL for the PipeHandler.
    DEFAULT_DLL = self.config.get_options().get("dll")

    # services.exe PID, needed for service monitoring (only set when found).
    svcpid = self.pids_from_process_name_list(["services.exe"])
    if svcpid:
        SERVICES_PID = svcpid[0]

    # Hypervisor tools, sandbox helpers, monitors and our own interpreters:
    # their PIDs are hidden from the sample.
    protected_procname_list = [
        "vmwareuser.exe",
        "vmwareservice.exe",
        "vboxservice.exe",
        "vboxtray.exe",
        "sandboxiedcomlaunch.exe",
        "sandboxierpcss.exe",
        "procmon.exe",
        "regmon.exe",
        "filemon.exe",
        "wireshark.exe",
        "netmon.exe",
        "prl_tools_service.exe",
        "prl_tools.exe",
        "prl_cc.exe",
        "sharedintapp.exe",
        "vmtoolsd.exe",
        "vmsrvc.exe",
        "python.exe",
        "perl.exe",
    ]
    hidden = self.pids_from_process_name_list(protected_procname_list)
    HIDE_PIDS = set(hidden)

    # Pipe servers for the injected/monitored processes.
    for idx in xrange(self.PIPE_SERVER_COUNT):
        self.pipes[idx] = PipeServer(self.config)
        self.pipes[idx].daemon = True
        self.pipes[idx].start()

    # Target: the dropped sample in %TEMP% for "file" analyses, otherwise
    # the raw target (e.g. a URL).
    if self.config.category == "file":
        temp_dir = os.environ["TEMP"] + os.sep
        self.target = os.path.join(temp_dir, str(self.config.file_name))
    else:
        self.target = self.config.target
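def prepare(self):
    """Prepare env for analysis.

    Grants the privileges needed for injection and driver loading,
    initialises logging, loads ``analysis.conf``, hands the configuration to
    ``Process``, sets the guest clock, selects the monitor DLL, starts the
    command and log pipe servers (pipe names are random unless
    ``options["pipe"]`` is set), stores the pipe/driver settings the
    packages need in ``self.config.options`` and resolves ``self.target``
    (extracting the archive first for ``archive`` analyses).
    """
    # SeDebugPrivilege for the injections, SeLoadDriverPrivilege for the
    # kernel-mode monitor.
    grant_privilege("SeDebugPrivilege")
    grant_privilege("SeLoadDriverPrivilege")

    # Initialize logging.
    init_logging()

    # Parse the analysis configuration file generated by the agent.
    self.config = Config(cfg="analysis.conf")

    # Pass the configuration through to the Process class.
    Process.set_config(self.config)

    # Set virtual machine clock.
    set_clock(
        datetime.datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S"))

    # Set the default DLL to be used for this analysis.
    self.default_dll = self.config.options.get("dll")

    # If a pipe name has not been set, generate a random one. Only draw the
    # random name when it is actually needed (the original evaluated
    # random_string() as the .get() default on every run).
    pipe_name = self.config.options.get("pipe")
    if pipe_name is None:
        pipe_name = random_string(16, 32)
    self.config.pipe = self.get_pipe_path(pipe_name)

    # Generate a random name for the logging pipe server.
    self.config.logpipe = self.get_pipe_path(random_string(16, 32))

    # Command handler pipe server: monitored processes send requests here.
    self.command_pipe = PipeServer(PipeDispatcher, self.config.pipe,
                                   message=True,
                                   dispatcher=CommandPipeHandler(self))
    self.command_pipe.daemon = True
    self.command_pipe.start()

    # Log pipe server: monitored processes write log records here and the
    # forwarder relays them to the host at (ip, port).
    destination = self.config.ip, self.config.port
    self.log_pipe_server = PipeServer(PipeForwarder, self.config.logpipe,
                                      destination=destination)
    self.log_pipe_server.daemon = True
    self.log_pipe_server.start()

    # Settings forwarded to the analysis package / monitor later on.
    self.config.options["dispatcherpipe"] = self.config.pipe     # DISPATCHER
    self.config.options["forwarderpipe"] = self.config.logpipe   # FORWARDER
    self.config.options["kernel_logpipe"] = "\\\\.\\%s" % (random_string(
        16, 32))
    self.config.options["destination"] = destination
    self.config.options["driver_options"] = self.parse_driver_options()

    # We update the target according to its category. If it's a file, then
    # we store the target path.
    temp_dir = os.environ["TEMP"]
    if self.config.category == "file":
        self.target = os.path.join(temp_dir, self.config.file_name)
    elif self.config.category == "archive":
        zip_path = os.path.join(temp_dir, self.config.file_name)
        # Close the archive once extracted (the original never closed the
        # ZipFile). Assuming Python >= 2.7.4 / 3.3, extractall() strips
        # absolute paths and ".." components from member names, so the
        # extraction stays under %TEMP%.
        # NOTE(review): options["filename"] is required for archives and is
        # joined as-is; confirm the host only sends a bare basename.
        with zipfile.ZipFile(zip_path) as archive:
            archive.extractall(temp_dir)
        self.target = os.path.join(temp_dir, self.config.options["filename"])
    # If it's a URL, well.. we store the URL.
    else:
        self.target = self.config.target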
def prepare(self):
    """Prepare the guest for analysis.

    Grants SeDebugPrivilege, creates the result folders, initialises
    logging, loads ``analysis.conf``, hands the configuration to ``Process``,
    sets the guest clock through the DATE/TIME shell commands, selects the
    monitor DLL, starts the command and log pipe servers and resolves
    ``self.target``.
    """
    # Needed for the injections.
    grant_debug_privilege()

    create_folders()
    init_logging()

    # Configuration from the agent, shared with the Process class.
    self.config = Config(cfg="analysis.conf")
    Process.set_config(self.config)

    # Guest clock. strptime() pins the exact format, so only digits, '-'
    # and ':' reach the command lines. DATE/TIME are localized (English
    # format only) and block on a syntax error; piping "echo:" in avoids
    # the hang.
    clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
    os.system("echo:|date {0}".format(clock.strftime("%m-%d-%y")))
    os.system("echo:|time {0}".format(clock.strftime("%H:%M:%S")))

    options = self.config.options
    self.default_dll = options.get("dll")

    # Command pipe: caller-supplied name if given, else random.
    pipe_fmt = "\\\\.\\PIPE\\%s"
    if "pipe" in options:
        self.config.pipe = pipe_fmt % options["pipe"]
    else:
        self.config.pipe = pipe_fmt % random_string(16, 32)

    # Log pipe: always random.
    self.config.logpipe = pipe_fmt % random_string(16, 32)

    # Command handler: monitored processes send their requests here.
    command_pipe = PipeServer(PipeDispatcher, self.config.pipe,
                              message=True,
                              dispatcher=CommandPipeHandler(self))
    command_pipe.daemon = True
    self.command_pipe = command_pipe
    self.command_pipe.start()

    # Log forwarder: relays monitored processes' log records to the host.
    destination = self.config.ip, self.config.port
    log_server = PipeServer(PipeForwarder, self.config.logpipe,
                            destination=destination)
    log_server.daemon = True
    self.log_pipe_server = log_server
    self.log_pipe_server.start()

    # Target: dropped sample in %TEMP% for "file" analyses, else verbatim.
    if self.config.category == "file":
        temp_dir = os.environ["TEMP"] + os.sep
        self.target = os.path.join(temp_dir, self.config.file_name)
    else:
        self.target = self.config.target
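def prepare(self):
    """Prepare env for analysis.

    Grants SeDebugPrivilege, creates and protects the result folders,
    initialises logging, loads ``analysis.conf``, sets the guest clock via
    the DATE/TIME shell commands, records the default monitor DLL and the
    services.exe PID (looked up through ``tasklist`` with retries) in module
    globals, starts the pipe servers and resolves ``self.target``.
    """
    global DEFAULT_DLL
    global SERVICES_PID

    # Get SeDebugPrivilege for the Python process. It will be needed in
    # order to perform the injections.
    grant_debug_privilege()

    # Create the folders used for storing the results and keep the
    # analyzer's own directories out of the sample's view.
    create_folders()
    add_protected_path(os.getcwd())
    add_protected_path(PATHS["root"])

    # Initialize logging.
    init_logging()

    # Parse the analysis configuration file generated by the agent.
    self.config = Config(cfg="analysis.conf")

    # Set virtual machine clock. strptime() enforces the exact agent format,
    # so only strftime output (digits, '-' and ':') reaches the command
    # lines below.
    clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")

    # Setting date and time.
    # NOTE: Windows system has only localized commands with date format
    # following localization settings, so these commands for english date
    # format cannot work in other localizations.
    # In addition DATE and TIME commands are blocking if an incorrect
    # syntax is provided, so an echo trick is used to bypass the input
    # request and not block analysis.
    os.system("echo:|date {0}".format(clock.strftime("%m-%d-%y")))
    os.system("echo:|time {0}".format(clock.strftime("%H:%M:%S")))

    # Set the default DLL to be used by the PipeHandler.
    DEFAULT_DLL = self.config.get_options().get("dll")

    # Get the PID of services.exe for monitoring services.
    # tasklist sometimes fails under high load
    # (http://support.microsoft.com/kb/2732840); retry a few times.
    output = ""
    for attempt in xrange(4):
        stdin, stdout, stderr = os.popen3(
            "tasklist /V /FI \"IMAGENAME eq services.exe\"")
        output = stdout.read()
        err = stderr.read()
        # popen3 handles were never closed in the original.
        stdin.close()
        stdout.close()
        stderr.close()
        if 'services.exe' in output:
            break
        log.warning('tasklist failed with error "%s"' % (err))

    SERVICES_PID = None
    if 'services.exe' not in output:
        # All attempts failed.
        log.error('Unable to retreive services.exe PID')
    else:
        # The PID is the first whitespace-separated token after the image
        # name. Parse defensively: a truncated or unexpectedly formatted
        # tasklist line must degrade to "no services PID" (the original
        # raised ValueError from index()/int() and aborted the analysis).
        remainder = output[output.index("services.exe") + len("services.exe"):]
        try:
            SERVICES_PID = int(remainder.split(None, 1)[0], 10)
        except (IndexError, ValueError):
            log.error('Unable to parse services.exe PID from tasklist output')
        else:
            log.debug('services.exe PID is %s' % (SERVICES_PID))

    # Initialize and start the Pipe Servers. This is going to be used for
    # communicating with the injected and monitored processes.
    for x in xrange(self.PIPE_SERVER_COUNT):
        self.pipes[x] = PipeServer()
        self.pipes[x].daemon = True
        self.pipes[x].start()

    # We update the target according to its category. If it's a file, then
    # we store the path.
    if self.config.category == "file":
        self.target = os.path.join(os.environ["TEMP"] + os.sep,
                                   str(self.config.file_name))
    # If it's a URL, well.. we store the URL.
    else:
        self.target = self.config.target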
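def prepare(self):
    """Prepare env for analysis.

    Grants SeDebugPrivilege, creates and protects the result folders,
    initialises logging, loads ``analysis.conf``, sets the guest clock via
    the DATE/TIME shell commands, records the default monitor DLL and the
    services.exe PID (looked up through ``tasklist`` with retries) in module
    globals, starts the pipe servers and resolves ``self.target``.
    """
    global DEFAULT_DLL
    global SERVICES_PID

    # Get SeDebugPrivilege for the Python process. It will be needed in
    # order to perform the injections.
    grant_debug_privilege()

    # Create the folders used for storing the results and keep the
    # analyzer's own directories out of the sample's view.
    create_folders()
    add_protected_path(os.getcwd())
    add_protected_path(PATHS["root"])

    # Initialize logging.
    init_logging()

    # Parse the analysis configuration file generated by the agent.
    self.config = Config(cfg="analysis.conf")

    # Set virtual machine clock. strptime() enforces the exact agent format,
    # so only strftime output (digits, '-' and ':') reaches the command
    # lines below.
    clock = datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")

    # Setting date and time.
    # NOTE: Windows system has only localized commands with date format
    # following localization settings, so these commands for english date
    # format cannot work in other localizations.
    # In addition DATE and TIME commands are blocking if an incorrect
    # syntax is provided, so an echo trick is used to bypass the input
    # request and not block analysis.
    os.system("echo:|date {0}".format(clock.strftime("%m-%d-%y")))
    os.system("echo:|time {0}".format(clock.strftime("%H:%M:%S")))

    # Set the default DLL to be used by the PipeHandler.
    DEFAULT_DLL = self.config.get_options().get("dll")

    # Get the PID of services.exe for monitoring services.
    # tasklist sometimes fails under high load
    # (http://support.microsoft.com/kb/2732840); retry a few times.
    output = ""
    for attempt in xrange(4):
        stdin, stdout, stderr = os.popen3(
            "tasklist /V /FI \"IMAGENAME eq services.exe\"")
        output = stdout.read()
        err = stderr.read()
        # popen3 handles were never closed in the original.
        stdin.close()
        stdout.close()
        stderr.close()
        if 'services.exe' in output:
            break
        log.warning('tasklist failed with error "%s"' % (err))

    SERVICES_PID = None
    if 'services.exe' not in output:
        # All attempts failed.
        log.error('Unable to retreive services.exe PID')
    else:
        # The PID is the first whitespace-separated token after the image
        # name. Parse defensively: a truncated or unexpectedly formatted
        # tasklist line must degrade to "no services PID" (the original
        # raised ValueError from index()/int() and aborted the analysis).
        remainder = output[output.index("services.exe") + len("services.exe"):]
        try:
            SERVICES_PID = int(remainder.split(None, 1)[0], 10)
        except (IndexError, ValueError):
            log.error('Unable to parse services.exe PID from tasklist output')
        else:
            log.debug('services.exe PID is %s' % (SERVICES_PID))

    # Initialize and start the Pipe Servers. This is going to be used for
    # communicating with the injected and monitored processes.
    for x in xrange(self.PIPE_SERVER_COUNT):
        self.pipes[x] = PipeServer()
        self.pipes[x].daemon = True
        self.pipes[x].start()

    # We update the target according to its category. If it's a file, then
    # we store the path.
    if self.config.category == "file":
        self.target = os.path.join(os.environ["TEMP"] + os.sep,
                                   str(self.config.file_name))
    # If it's a URL, well.. we store the URL.
    else:
        self.target = self.config.target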