def log_call(self, context, apiname, modulename, arguments): if not self.rawlogfd: raise CuckooOperationalError( "Netlog failure, call before process.") apiindex, status, returnval, tid, timediff = context #log.debug("log_call> tid:{0} apiname:{1}".format(tid, apiname)) current_time = self.connect_time + datetime.timedelta( 0, 0, timediff * 1000) timestring = logtime(current_time) argumentstrings = [ "{0}->{1}".format(argname, r) for argname, r in arguments ] if self.logfd: print >> self.logfd, ",".join("\"{0}\"".format(i) for i in [ timestring, self.pid, self.procname, tid, self.ppid, modulename, apiname, status, returnval, ] + argumentstrings)
def run(self): """Run analysis. @return: processes infomartion list. """ results = [] if not os.path.exists(self._logs_path): log.warning('Analysis results folder does not exist at path "%s".', self._logs_path) return results # TODO: this should check the current analysis configuration and raise a warning # if injection is enabled and there is no logs folder. if len(os.listdir(self._logs_path)) == 0: log.info( "Analysis results folder does not contain any file or injection was disabled." ) return results for file_name in os.listdir(self._logs_path): file_path = os.path.join(self._logs_path, file_name) # Check if Loop Detection is enabled globally or locally (as an option) if cfg_process.loop_detection.enabled or self.options.get( "loop_detection"): self.compress_log_file(file_path) if os.path.isdir(file_path): continue # Skipping the current log file if it's too big. if os.stat(file_path).st_size > cfg.processing.analysis_size_limit: log.warning( "Behavioral log {0} too big to be processed, skipped.". format(file_name)) continue # Invoke parsing of current log file (if ram_boost is enabled, otherwise parsing is done on-demand) current_log = ParseProcessLog(file_path) if current_log.process_id is None: continue # If the current log actually contains any data, add its data to # the results list. results.append({ "process_id": current_log.process_id, "process_name": bytes2str(current_log.process_name), "parent_id": current_log.parent_id, "module_path": bytes2str(current_log.module_path), "first_seen": logtime(current_log.first_seen), "calls": current_log.calls, "threads": current_log.threads, "environ": current_log.environdict, }) # Sort the items in the results list chronologically. In this way we # can have a sequential order of spawned processes. results.sort(key=lambda process: process["first_seen"]) return results
def run(self): """Run analysis. @return: processes infomartion list. """ results = [] if not os.path.exists(self._logs_path): log.warning( "Analysis results folder does not exist at path \"%s\".", self._logs_path) return results # TODO: this should check the current analysis configuration and raise a warning # if injection is enabled and there is no logs folder. if len(os.listdir(self._logs_path)) == 0: log.info( "Analysis results folder does not contain any file or injection was disabled." ) return results for file_name in os.listdir(self._logs_path): file_path = os.path.join(self._logs_path, file_name) if os.path.isdir(file_path): continue # Skipping the current log file if it's too big. if os.stat(file_path ).st_size > self.cfg.processing.analysis_size_limit: log.warning( "Behavioral log {0} too big to be processed, skipped.". format(file_name)) continue # Invoke parsing of current log file. current_log = ParseProcessLog(file_path) if current_log.process_id is None: continue # If the current log actually contains any data, add its data to # the results list. results.append({ "process_id": current_log.process_id, "process_name": current_log.process_name, "parent_id": current_log.parent_id, "module_path": current_log.module_path, "first_seen": logtime(current_log.first_seen), "calls": current_log.calls, "threads": current_log.threads }) # Sort the items in the results list chronologically. In this way we # can have a sequential order of spawned processes. results.sort(key=lambda process: process["first_seen"]) return results
def log_call(self, context, apiname, category, arguments): apiindex, status, returnval, tid, timediff = context current_time = self.first_seen + datetime.timedelta( 0, 0, timediff * 1000) timestring = logtime(current_time) self.lastcall = self._parse( [timestring, tid, category, apiname, status, returnval] + arguments)
def log_call(self, context, apiname, category, arguments): apiindex, status, returnval, tid, timediff = context current_time = self.first_seen + datetime.timedelta(0, 0, timediff*1000) timestring = logtime(current_time) self.lastcall = self._parse([timestring, tid, category, apiname, status, returnval] + arguments)
def run(self): """Run analysis. @return: processes infomartion list. """ results = [] if not os.path.exists(self._logs_path): log.warning('Analysis results folder does not exist at path "%s".', self._logs_path) return results # TODO: this should check the current analysis configuration and raise a warning # if injection is enabled and there is no logs folder. if len(os.listdir(self._logs_path)) == 0: log.info("Analysis results folder does not contain any file or injection was disabled.") return results for file_name in os.listdir(self._logs_path): file_path = os.path.join(self._logs_path, file_name) if os.path.isdir(file_path): continue # Skipping the current log file if it's too big. if os.stat(file_path).st_size > self.cfg.processing.analysis_size_limit: log.warning("Behavioral log {0} too big to be processed, skipped.".format(file_name)) continue # Invoke parsing of current log file. current_log = ParseProcessLog(file_path) if current_log.process_id is None: continue # If the current log actually contains any data, add its data to # the results list. results.append( { "process_id": current_log.process_id, "process_name": current_log.process_name, "parent_id": current_log.parent_id, "module_path": current_log.module_path, "first_seen": logtime(current_log.first_seen), "calls": current_log.calls, "threads": current_log.threads, "environ": current_log.environdict, } ) # Sort the items in the results list chronologically. In this way we # can have a sequential order of spawned processes. results.sort(key=lambda process: process["first_seen"]) return results
def log_call(self, context, apiname, category, arguments): """log an api call from data file @param context: containing additional api info @param apiname: name of the api @param category: win32 function category @param arguments: arguments to the api call """ apiindex, repeated, status, returnval, tid, timediff, caller, parentcaller = context current_time = self.first_seen + datetime.timedelta(0, 0, timediff * 1000) timestring = logtime(current_time) self.lastcall = self._parse( [timestring, tid, caller, parentcaller, category, apiname, repeated, status, returnval] + arguments )
def log_call(self, context, apiname, category, arguments): """ log an api call from data file @param context: containing additional api info @param apiname: name of the api @param category: win32 function category @param arguments: arguments to the api call """ apiindex, repeated, status, returnval, tid, timediff, caller, parentcaller = context current_time = self.first_seen + datetime.timedelta(0, 0, timediff * 1000) timestring = logtime(current_time) self.lastcall = self._parse( [timestring, tid, caller, parentcaller, category, apiname, repeated, status, returnval] + arguments )
def log_call(self, context, apiname, modulename, arguments): if not self.rawlogfd: raise CuckooOperationalError("Netlog failure, call before process.") apiindex, status, returnval, tid, timediff = context #log.debug("log_call> tid:{0} apiname:{1}".format(tid, apiname)) current_time = self.connect_time + datetime.timedelta(0,0, timediff*1000) timestring = logtime(current_time) argumentstrings = ["{0}->{1}".format(argname, r) for argname, r in arguments] if self.logfd: print >>self.logfd, ",".join("\"{0}\"".format(i) for i in [timestring, self.pid, self.procname, tid, self.ppid, modulename, apiname, status, returnval, ] + argumentstrings)
def run(self): """Run analysis. @return: processes infomartion list. """ results = [] if not os.path.exists(self._logs_path): log.error("Analysis results folder does not exist at path \"%s\".", self._logs_path) return results if len(os.listdir(self._logs_path)) == 0: log.error("Analysis results folder does not contain any file.") return results for file_name in os.listdir(self._logs_path): file_path = os.path.join(self._logs_path, file_name) if os.path.isdir(file_path): continue # Skipping the current log file if it's too big. if os.stat(file_path).st_size > self.cfg.processing.analysis_size_limit: log.warning("Behavioral log {0} too big to be processed, skipped.".format(file_name)) continue # Invoke parsing of current log file. current_log = ParseProcessLog(file_path) if current_log.process_id is None: continue # If the current log actually contains any data, add its data to # the results list. results.append({ "process_id": current_log.process_id, "process_name": current_log.process_name, "parent_id": current_log.parent_id, "first_seen": logtime(current_log.first_seen), "calls": current_log.calls, }) # Sort the items in the results list chronologically. In this way we # can have a sequential order of spawned processes. results.sort(key=lambda process: process["first_seen"]) return results
def run(self): """Run analysis. @return: processes infomartion list. """ results = [] if not os.path.exists(self._logs_path): log.error("Analysis results folder does not exist at path \"%s\".", self._logs_path) return results if len(os.listdir(self._logs_path)) == 0: log.error("Analysis results folder does not contain any file.") return results for file_name in os.listdir(self._logs_path): file_path = os.path.join(self._logs_path, file_name) if os.path.isdir(file_path): continue if not file_path.endswith(".raw"): continue # Invoke parsing of current log file. current_log = ParseProcessLog(file_path) if current_log.process_id == None: continue # If the current log actually contains any data, add its data to # the global results list. results.append({ "process_id": current_log.process_id, "process_name": current_log.process_name, "parent_id": current_log.parent_id, "first_seen": logtime(current_log.first_seen), "calls": current_log }) # Sort the items in the results list chronologically. In this way we # can have a sequential order of spawned processes. results.sort(key=lambda process: process["first_seen"]) return results
def run(self): """Run analysis. @return: processes infomartion list. """ results = [] if not os.path.exists(self._logs_path): log.warning("Analysis results folder does not exist at path \"%s\".", self._logs_path) return results # TODO: this should check the current analysis configuration and raise a warning # if injection is enabled and there is no logs folder. if len(os.listdir(self._logs_path)) == 0: log.info("Analysis results folder does not contain any file or injection was disabled.") return results for file_name in os.listdir(self._logs_path): file_path = os.path.join(self._logs_path, file_name) if os.path.isdir(file_path): continue # Skipping the current log file if it's too big. if os.stat(file_path).st_size > self.cfg.processing.analysis_size_limit: log.warning("Behavioral log {0} too big to be processed, skipped.".format(file_name)) continue # Invoke parsing of current log file. current_log = ParseProcessLog(file_path) if current_log.process_id is None: continue # If we have a spammy API, theres a chance that process did it multiple times # so we'll sum the total counts here as we now have all of the logs parsed for # the specific process if current_log.spam_apis: api_counts = dict() for apiInfo in current_log.spam_apis: if apiInfo["api"] not in api_counts.keys(): api_counts[apiInfo["api"]] = dict() api_counts[apiInfo["api"]]["count"] = apiInfo["count"] api_counts[apiInfo["api"]]["name"] = apiInfo["name"] api_counts[apiInfo["api"]]["pid"] = apiInfo["pid"] else: api_counts[apiInfo["api"]]["count"] += apiInfo["count"] new_spam_apis = list() for current_api in api_counts.keys(): tmp = { "api": current_api, "name": api_counts[current_api]["name"], "pid": api_counts[current_api]["pid"], "count": api_counts[current_api]["count"] } new_spam_apis.append(tmp) current_log.spam_apis = new_spam_apis # If the current log actually contains any data, add its data to # the results list. results.append({ "process_id": current_log.process_id, "process_name": current_log.process_name, "parent_id": current_log.parent_id, "module_path": current_log.module_path, "first_seen": logtime(current_log.first_seen), "calls": current_log.calls, "threads" : current_log.threads, "environ" : current_log.environdict, "spam_apis": current_log.spam_apis, }) # Sort the items in the results list chronologically. In this way we # can have a sequential order of spawned processes. results.sort(key=lambda process: process["first_seen"]) return results