def analyze_sample(self, sample_path, workdir, outdir, start_command,
timeout):
analysis_info = dict()
dns_server = self.config.config['drakrun'].get('dns_server', '8.8.8.8')
drakmon_log_fp = os.path.join(outdir, "drakmon.log")
with self.run_vm() as vm, \
graceful_exit(start_dnsmasq(self.instance_id, dns_server)), \
graceful_exit(start_tcpdump_collector(self.instance_id, outdir)), \
open(drakmon_log_fp, "wb") as drakmon_log:
analysis_info[
'snapshot_version'] = vm.backend.get_vm0_snapshot_time()
kernel_profile = os.path.join(PROFILE_DIR, "kernel.json")
self.log.info("Copying sample to VM...")
injector = Injector(self.vm_name, self.runtime_info,
kernel_profile)
result = injector.write_file(
sample_path,
f"%USERPROFILE%\\Desktop\\{os.path.basename(sample_path)}")
injected_fn = json.loads(result.stdout)['ProcessName']
if "%f" not in start_command:
self.log.warning("No file name in start command")
cur_start_command = start_command.replace("%f", injected_fn)
# don't include our internal maintanance commands
analysis_info['start_command'] = cur_start_command
self.log.info("Using command: %s", cur_start_command)
if self.net_enable:
self.log.info("Setting up network...")
injector.create_process("cmd /C ipconfig /renew >nul",
wait=True,
timeout=120)
drakvuf_cmd = self.build_drakvuf_cmdline(
timeout=timeout,
cwd=subprocess.list2cmdline([ntpath.dirname(injected_fn)]),
full_cmd=cur_start_command,
dump_dir=os.path.join(outdir, "dumps"),
ipt_dir=os.path.join(outdir, "ipt"),
workdir=workdir,
)
try:
subprocess.run(drakvuf_cmd,
stdout=drakmon_log,
check=True,
timeout=timeout + 60)
except subprocess.TimeoutExpired:
self.log.exception("DRAKVUF timeout expired")
return analysis_info
def main():
parser = argparse.ArgumentParser(
description="DRAKVUF Sandbox interactive shell")
parser.add_argument("vm_id", type=int, help="VM id you want to control")
parser.add_argument("--dns", default="8.8.8.8")
args = parser.parse_args()
logging.basicConfig(
level=logging.DEBUG,
format="[%(asctime)s][%(levelname)s] %(message)s",
handlers=[logging.StreamHandler()],
)
with graceful_exit(start_dnsmasq(args.vm_id, args.dns)), DrakmonShell(
args.vm_id, args.dns) as shell:
helpers = {
"help": shell.help,
"copy": shell.copy,
"mount": shell.mount,
"drakvuf": shell.drakvuf,
"vm": shell.vm,
}
banner = dedent("""
*** Welcome to drakrun playground ***
Your VM is now ready and running with internet connection.
You can connect to it using VNC (password can be found in /etc/drakrun/scripts/cfg.template)
Run help() to list available commands.
""")
embed(banner1=banner, user_ns=helpers, colors="neutral")
def main():
parser = argparse.ArgumentParser(
description='DRAKVUF Sandbox interactive shell')
parser.add_argument('vm_id', type=int, help='VM id you want to control')
parser.add_argument('--dns', default='8.8.8.8')
args = parser.parse_args()
with graceful_exit(start_dnsmasq(args.vm_id, args.dns)), \
DrakmonShell(args.vm_id, args.dns) as shell:
helpers = {
'copy': shell.copy,
'drakvuf': shell.drakvuf,
'vm': shell.vm
}
embed(banner='', user_ns=helpers, colors='neutral')
def main():
parser = argparse.ArgumentParser(
description='DRAKVUF Sandbox interactive shell')
parser.add_argument('vm_id', type=int, help='VM id you want to control')
parser.add_argument('--dns', default='8.8.8.8')
args = parser.parse_args()
logging.basicConfig(level=logging.DEBUG,
format='[%(asctime)s][%(levelname)s] %(message)s',
handlers=[logging.StreamHandler()])
with graceful_exit(start_dnsmasq(args.vm_id, args.dns)), \
DrakmonShell(args.vm_id, args.dns) as shell:
helpers = {
'copy': shell.copy,
'drakvuf': shell.drakvuf,
'vm': shell.vm
}
embed(banner='', user_ns=helpers, colors='neutral')
def analyze_sample(self, sample_path, workdir, outdir, start_command,
timeout):
analysis_info = dict()
dns_server = self.config.config["drakrun"].get("dns_server", "8.8.8.8")
drakmon_log_fp = os.path.join(outdir, "drakmon.log")
with self.run_vm() as vm, graceful_exit(
start_dnsmasq(self.instance_id, dns_server)), graceful_exit(
start_tcpdump_collector(self.instance_id, outdir)), open(
drakmon_log_fp, "wb") as drakmon_log:
analysis_info[
"snapshot_version"] = vm.backend.get_vm0_snapshot_time()
kernel_profile = os.path.join(PROFILE_DIR, "kernel.json")
self.log.info("Copying sample to VM...")
injector = Injector(self.vm_name, self.runtime_info,
kernel_profile)
result = injector.write_file(
sample_path,
f"%USERPROFILE%\\Desktop\\{os.path.basename(sample_path)}")
try:
injected_fn = json.loads(result.stdout)["ProcessName"]
except ValueError as e:
self.log.error(
"JSON decode error occurred when tried to parse injector's logs."
)
self.log.error(f"Raw log line: {result.stdout}")
raise e
# don't include our internal maintanance commands
start_command = start_command.replace("%f", injected_fn)
analysis_info["start_command"] = start_command
self.log.info("Using command: %s", start_command)
if self.net_enable:
self.log.info("Setting up network...")
injector.create_process("cmd /C ipconfig /renew >nul",
wait=True,
timeout=120)
task_quality = self.current_task.headers.get("quality", "high")
requested_plugins = self.current_task.payload.get(
"plugins", self.active_plugins["_all_"])
analysis_info["plugins"] = self.get_plugin_list(
task_quality, requested_plugins)
drakvuf_cmd = self.build_drakvuf_cmdline(
timeout=timeout,
cwd=subprocess.list2cmdline([ntpath.dirname(injected_fn)]),
full_cmd=start_command,
dump_dir=os.path.join(outdir, "dumps"),
ipt_dir=os.path.join(outdir, "ipt"),
workdir=workdir,
enabled_plugins=analysis_info["plugins"],
)
try:
subprocess.run(drakvuf_cmd,
stdout=drakmon_log,
check=True,
timeout=timeout + 60)
except subprocess.CalledProcessError as e:
# see DRAKVUF src/exitcodes.h for more details
INJECTION_UNSUCCESSFUL = 4
if e.returncode == INJECTION_UNSUCCESSFUL:
self.log_startup_failure(drakmon_log_fp)
raise e
except subprocess.TimeoutExpired as e:
self.log.exception("DRAKVUF timeout expired")
raise e
return analysis_info
