Exemplo n.º 1
0
    def write_monitor_config(self, interest=None, nosleepskip=False):

        config_path = format(os.getcwd()) + "\\dll\\%s.ini" % self.pid
        log.info("Monitor config for process %s: %s", self.pid, config_path)

        with open(config_path, "w", encoding="utf-8") as config:
            # start the logserver for this monitored process
            logserver_path = LOGSERVER_PREFIX + str(self.pid)
            if logserver_path not in LOGSERVER_POOL:
                LOGSERVER_POOL[logserver_path] = LogServer(
                    self.config.ip, self.config.port, logserver_path)

            if "tlsdump" not in self.options:
                Process.process_num += 1
            firstproc = Process.process_num == 1

            config.write("host-ip={0}\n".format(self.config.ip))
            config.write("host-port={0}\n".format(self.config.port))
            config.write("pipe={0}\n".format(PIPE))
            config.write("logserver={0}\n".format(logserver_path))
            config.write("results={0}\n".format(PATHS["root"]))
            config.write("analyzer={0}\n".format(os.getcwd()))
            config.write("pythonpath={0}\n".format(
                os.path.dirname(sys.executable)))
            config.write(
                "first-process={0}\n".format("1" if firstproc else "0"))
            config.write("startup-time={0}\n".format(Process.startup_time))
            config.write("file-of-interest={0}\n".format(interest))
            config.write("shutdown-mutex={0}\n".format(SHUTDOWN_MUTEX))
            config.write("terminate-event={0}{1}\n".format(
                TERMINATE_EVENT, self.pid))

            if nosleepskip or ("force-sleepskip" not in self.options
                               and len(interest) > 2 and interest[1] != ":"
                               and interest[0] != "\\"
                               and Process.process_num <= 2):
                config.write("force-sleepskip=0\n")

            if "norefer" not in self.options and "referrer" not in self.options:
                config.write("referrer={0}\n".format(
                    get_referrer_url(interest)))

            server_options = [
                "disable_cape",
                "dll",
                "dll_64",
                "loader",
                "loader_64",
                "route",
                "nohuman",
                "unpack",
                "main_task_id",
                "auto",
            ]

            for optname, option in self.options.items():
                if optname not in server_options:
                    config.write("{0}={1}\n".format(optname, option))
                    log.info("Option '%s' with value '%s' sent to monitor",
                             optname, option)
Exemplo n.º 2
0
    def write_monitor_config(self, interest=None, nosleepskip=False):

        config_path = os.path.join(os.getcwd(), "dll", f"{self.pid}.ini")
        log.info("Monitor config for process %s: %s", self.pid, config_path)

        # start the logserver for this monitored process
        logserver_path = f"{LOGSERVER_PREFIX}{self.pid}"
        if logserver_path not in LOGSERVER_POOL:
            LOGSERVER_POOL[logserver_path] = LogServer(self.config.ip,
                                                       self.config.port,
                                                       logserver_path)

        if "tlsdump" not in self.options:
            Process.process_num += 1
        firstproc = Process.process_num == 1

        with open(config_path, "w", encoding="utf-8") as config:
            config.write(f"host-ip={self.config.ip}\n")
            config.write(f"host-port={self.config.port}\n")
            config.write(f"pipe={PIPE}\n")
            config.write(f"logserver={logserver_path}\n")
            config.write(f"results={PATHS['root']}\n")
            config.write(f"analyzer={os.getcwd()}\n")
            config.write(f"pythonpath={os.path.dirname(sys.executable)}\n")
            config.write(f"first-process={1 if firstproc else 0}\n")
            config.write(f"startup-time={Process.startup_time}\n")
            config.write(f"file-of-interest={interest}\n")
            config.write(f"shutdown-mutex={SHUTDOWN_MUTEX}\n")
            config.write(f"terminate-event={TERMINATE_EVENT}{self.pid}\n")

            if nosleepskip or ("force-sleepskip" not in self.options
                               and len(interest) > 2 and interest[:2] != "\\:"
                               and Process.process_num <= 2):
                config.write("force-sleepskip=0\n")

            if "norefer" not in self.options and "referrer" not in self.options:
                config.write(f"referrer={get_referrer_url(interest)}\n")

            server_options = [
                "disable_cape",
                "dll",
                "dll_64",
                "loader",
                "loader_64",
                "route",
                "nohuman",
                "main_task_id",
                "auto",
                "pre_script_args",
                "pre_script_timeout",
                "during_script_args",
            ]

            for optname, option in self.options.items():
                if optname not in server_options:
                    config.write(f"{optname}={option}\n")
                    log.info("Option '%s' with value '%s' sent to monitor",
                             optname, option)
Exemplo n.º 3
0
    def write_monitor_config(self, interest=None, nosleepskip=False):

        config_path = "C:\\%s.ini" % self.pid

        with open(config_path, "w") as config:
            # start the logserver for this monitored process
            logserver_path = LOGSERVER_PREFIX + str(self.pid)
            if logserver_path not in LOGSERVER_POOL:
                LOGSERVER_POOL[logserver_path] = LogServer(
                    self.config.ip, self.config.port, logserver_path)

            Process.process_num += 1
            firstproc = Process.process_num == 1

            config.write("host-ip={0}\n".format(self.config.ip))
            config.write("host-port={0}\n".format(self.config.port))
            config.write("pipe={0}\n".format(PIPE))
            config.write("logserver={0}\n".format(logserver_path))
            config.write("results={0}\n".format(PATHS["root"]))
            config.write("analyzer={0}\n".format(os.getcwd()))
            config.write(
                "first-process={0}\n".format("1" if firstproc else "0"))
            config.write("startup-time={0}\n".format(Process.startup_time))
            config.write("file-of-interest={0}\n".format(interest))
            config.write("shutdown-mutex={0}\n".format(SHUTDOWN_MUTEX))
            config.write("terminate-event={0}{1}\n".format(
                TERMINATE_EVENT, self.pid))
            config.write("terminate-processes={0}\n".format(
                "1" if self.config.terminate_processes else "0"))

            if nosleepskip or ("force-sleepskip" not in self.options
                               and len(interest) > 2 and interest[1] != ':'
                               and interest[0] != '\\'
                               and Process.process_num <= 2):
                config.write("force-sleepskip=0\n")

            if "norefer" not in self.options and "referrer" not in self.options:
                config.write("referrer={0}\n".format(
                    get_referrer_url(interest)))

            server_options = [
                "disable_cape", "dll", "dll_64", "loader", "loader_64", "route"
            ]

            for optname, option in self.options.items():
                if optname not in server_options:
                    config.write("{0}={1}\n".format(optname, option))
                    log.info("Option '%s' with value '%s' sent to monitor",
                             optname, option)
Exemplo n.º 4
0
    def write_monitor_config(self, interest=None, nosleepskip=False):

        config_path = "C:\\%s.ini" % self.pid

        with open(config_path, "w") as config:
            # start the logserver for this monitored process
            logserver_path = LOGSERVER_PREFIX + str(self.pid)
            if logserver_path not in LOGSERVER_POOL:
                LOGSERVER_POOL[logserver_path] = LogServer(
                    self.config.ip, self.config.port, logserver_path)

            Process.process_num += 1
            firstproc = Process.process_num == 1

            config.write("host-ip={0}\n".format(self.config.ip))
            config.write("host-port={0}\n".format(self.config.port))
            config.write("pipe={0}\n".format(PIPE))
            config.write("logserver={0}\n".format(logserver_path))
            config.write("results={0}\n".format(PATHS["root"]))
            config.write("analyzer={0}\n".format(os.getcwd()))
            config.write(
                "first-process={0}\n".format("1" if firstproc else "0"))
            config.write("startup-time={0}\n".format(Process.startup_time))
            config.write("file-of-interest={0}\n".format(interest))
            config.write("shutdown-mutex={0}\n".format(SHUTDOWN_MUTEX))
            config.write("terminate-event={0}{1}\n".format(
                TERMINATE_EVENT, self.pid))

            if nosleepskip or ("force-sleepskip" not in self.options
                               and len(interest) > 2 and interest[1] != ':'
                               and interest[0] != '\\'
                               and Process.process_num <= 2):
                config.write("force-sleepskip=0\n")

            if "norefer" not in self.options and "referrer" not in self.options:
                config.write("referrer={0}\n".format(
                    get_referrer_url(interest)))

            simple_optnames = [
                "force-sleepskip",
                "full-logs",
                "force-flush",
                "no-stealth",
                "buffer-max",
                "large-buffer-max",
                "referrer",
                "serial",
                "sysvol_ctimelow",
                "sysvol_ctimehigh",
                "sys32_ctimelow",
                "sys32_ctimehigh",
                "debug",
                "disable_hook_content",
                "hook-type",
                "base-on-api",
                "exclude-apis",
                "exclude-dlls",
                "dump-on-api",
                "bp0",
                "bp1",
                "bp2",
                "bp3",
            ]

            for optname in simple_optnames:
                if optname in self.options:
                    config.write("{0}={1}\n".format(optname,
                                                    self.options[optname]))
                    log.info("Option '%s' with value '%s' sent to monitor",
                             optname, self.options[optname])

            if "procdump" in self.options:
                config.write("procdump={0}\n".format(self.options["procdump"]))
            if "import_reconstruction" in self.options:
                config.write("import_reconstruction={0}\n".format(
                    self.options["import_reconstruction"]))
            if "CAPE_var1" in self.options:
                config.write("CAPE_var1={0}\n".format(
                    self.options["CAPE_var1"]))
            if "CAPE_var2" in self.options:
                config.write("CAPE_var2={0}\n".format(
                    self.options["CAPE_var2"]))
            if "CAPE_var3" in self.options:
                config.write("CAPE_var3={0}\n".format(
                    self.options["CAPE_var3"]))
            if "CAPE_var4" in self.options:
                config.write("CAPE_var4={0}\n".format(
                    self.options["CAPE_var4"]))
Exemplo n.º 5
0
    def inject(self, dll=None, interest=None, nosleepskip=False):
        """Cuckoo DLL injection.
        @param dll: Cuckoo DLL path.
        @param interest: path to file of interest, handed to cuckoomon config
        @param apc: APC use.
        """
        if not self.pid:
            log.warning("No valid pid specified, injection aborted")
            return False

        thread_id = 0
        if self.thread_id:
            thread_id = self.thread_id

        if not self.is_alive():
            log.warning(
                "The process with pid %s is not alive, "
                "injection aborted", self.pid)
            return False

        is_64bit = self.is_64bit()
        if not dll:
            if is_64bit:
                dll = "cuckoomon_x64.dll"
            else:
                dll = "cuckoomon.dll"

        dll = randomize_dll(os.path.join("dll", dll))

        if not dll or not os.path.exists(dll):
            log.warning(
                "No valid DLL specified to be injected in process "
                "with pid %d, injection aborted.", self.pid)
            return False

        config_path = "C:\\%s.ini" % self.pid
        with open(config_path, "w") as config:
            cfg = Config("analysis.conf")
            cfgoptions = cfg.get_options()

            # start the logserver for this monitored process
            self.logserver = LogServer(cfg.ip, cfg.port, self.logserver_path)

            firstproc = Process.first_process

            config.write("host-ip={0}\n".format(cfg.ip))
            config.write("host-port={0}\n".format(cfg.port))
            config.write("pipe={0}\n".format(PIPE))
            config.write("logserver={0}\n".format(self.logserver_path))
            config.write("results={0}\n".format(PATHS["root"]))
            config.write("analyzer={0}\n".format(os.getcwd()))
            config.write(
                "first-process={0}\n".format("1" if firstproc else "0"))
            config.write("startup-time={0}\n".format(Process.startup_time))
            config.write("file-of-interest={0}\n".format(interest))
            config.write("shutdown-mutex={0}\n".format(SHUTDOWN_MUTEX))
            config.write("terminate-event={0}{1}\n".format(
                TERMINATE_EVENT, self.pid))
            if nosleepskip:
                config.write("force-sleepskip=0\n")
            elif "force-sleepskip" in cfgoptions:
                config.write("force-sleepskip={0}\n".format(
                    cfgoptions["force-sleepskip"]))
            if "full-logs" in cfgoptions:
                config.write("full-logs={0}\n".format(cfgoptions["full-logs"]))
            if "no-stealth" in cfgoptions:
                config.write("no-stealth={0}\n".format(
                    cfgoptions["no-stealth"]))

            if firstproc:
                Process.first_process = False

        if thread_id or self.suspended:
            log.debug("Using QueueUserAPC injection.")
        else:
            log.debug("Using CreateRemoteThread injection.")

        bin_name = ""
        bit_str = ""
        if is_64bit:
            bin_name = "bin/loader_x64.exe"
            bit_str = "64-bit"
        else:
            bin_name = "bin/loader.exe"
            bit_str = "32-bit"

        if os.path.exists(bin_name):
            ret = subprocess.call(
                [bin_name, "inject",
                 str(self.pid),
                 str(thread_id), dll])
            if ret != 0:
                if ret == 1:
                    log.info("Injected into suspended %s process with pid %d",
                             bit_str, self.pid)
                else:
                    log.error(
                        "Unable to inject into %s process with pid %d, error: %d",
                        bit_str, self.pid, ret)
                return False
            else:
                return True
        else:
            log.error(
                "Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.",
                os.path.basename(bin_name), bit_str)
            return False
Exemplo n.º 6
0
    def debug_inject(self, dll=None, interest=None, childprocess=False, nosleepskip=False):
        """CAPE DLL debugger injection.
        @param dll: CAPE DLL debugger path.
        @param interest: path to file of interest, handed to cuckoomon config
        """
        global LOGSERVER_POOL

        if not self.pid:
            log.warning("No valid pid specified, injection aborted")
            return False

        thread_id = 0
        if self.thread_id:
            thread_id = self.thread_id

        if not self.is_alive():
            log.warning("The process with pid %s is not alive, "
                        "injection aborted", self.pid)
            return False

        is_64bit = self.is_64bit()
        if not dll:
            log.debug("No debugger DLL has been specified for injection")
            if is_64bit:
                dll = CUCKOOMON64_NAME
            else:
                dll = CUCKOOMON32_NAME
        else:
            dll = os.path.join("dll", dll)

        log.info("DLL to inject is %s", dll)
        
        dll = os.path.join(os.getcwd(), dll)

        if not dll or not os.path.exists(dll):
            log.warning("No valid DLL specified to be injected in process "
                        "with pid %d, injection aborted.", self.pid)
            return False

        config_path = "C:\\%s.ini" % self.pid
        with open(config_path, "w") as config:
            cfg = Config("analysis.conf")
            cfgoptions = cfg.get_options()

            # start the logserver for this monitored process
            logserver_path = LOGSERVER_PREFIX + str(self.pid)
            if logserver_path not in LOGSERVER_POOL:
                LOGSERVER_POOL[logserver_path] = LogServer(cfg.ip, cfg.port, logserver_path)

            Process.process_num += 1
            firstproc = Process.process_num == 1

            config.write("host-ip={0}\n".format(cfg.ip))
            config.write("host-port={0}\n".format(cfg.port))
            config.write("pipe={0}\n".format(PIPE))
            config.write("logserver={0}\n".format(logserver_path))
            config.write("results={0}\n".format(PATHS["root"]))
            config.write("analyzer={0}\n".format(os.getcwd()))
            config.write("first-process={0}\n".format("1" if firstproc else "0"))
            config.write("startup-time={0}\n".format(Process.startup_time))
            config.write("file-of-interest={0}\n".format(interest))
            config.write("shutdown-mutex={0}\n".format(SHUTDOWN_MUTEX))
            config.write("terminate-event={0}{1}\n".format(TERMINATE_EVENT, self.pid))
            if nosleepskip:
                config.write("force-sleepskip=0\n")
            elif "force-sleepskip" in cfgoptions:
                config.write("force-sleepskip={0}\n".format(cfgoptions["force-sleepskip"]))
            if "full-logs" in cfgoptions:
                config.write("full-logs={0}\n".format(cfgoptions["full-logs"]))
            if "no-stealth" in cfgoptions:
                config.write("no-stealth={0}\n".format(cfgoptions["no-stealth"]))
            if "buffer-max" in cfgoptions:
                config.write("buffer-max={0}\n".format(cfgoptions["buffer-max"]))
            if "large-buffer-max" in cfgoptions:
                config.write("large-buffer-max={0}\n".format(cfgoptions["large-buffer-max"]))
            if "serial" in cfgoptions:
                config.write("serial={0}\n".format(cfgoptions["serial"]))
            if "sysvol_ctimelow" in cfgoptions:
                config.write("sysvol_ctimelow={0}\n".format(cfgoptions["sysvol_ctimelow"]))
            if "sysvol_ctimehigh" in cfgoptions:
                config.write("sysvol_ctimehigh={0}\n".format(cfgoptions["sysvol_ctimehigh"]))
            if "sys32_ctimelow" in cfgoptions:
                config.write("sys32_ctimelow={0}\n".format(cfgoptions["sys32_ctimelow"]))
            if "sys32_ctimehigh" in cfgoptions:
                config.write("sys32_ctimehigh={0}\n".format(cfgoptions["sys32_ctimehigh"]))
            if "norefer" not in cfgoptions:
                config.write("referrer={0}\n".format(get_referrer_url(interest)))
            if firstproc:
                Process.first_process = False

            if "procmemdump" in cfgoptions:
                config.write("procmemdump={0}\n".format(cfgoptions["procmemdump"]))
            if "import_reconstruction" in cfgoptions:
                config.write("import_reconstruction={0}\n".format(cfgoptions["import_reconstruction"]))
            if "breakpoint" in cfgoptions:
                config.write("breakpoint={0}\n".format(cfgoptions["breakpoint"]))
                
        orig_bin_name = ""
        bit_str = ""
        if is_64bit:
            orig_bin_name = LOADER64_NAME
            bit_str = "64-bit"
        else:
            orig_bin_name = LOADER32_NAME
            bit_str = "32-bit"

        bin_name = os.path.join(os.getcwd(), orig_bin_name)

        if os.path.exists(bin_name) == False:
            log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to debug %s binaries.", os.path.basename(bin_name), bit_str)
            return False
        else:
            if childprocess == False:
                ret = subprocess.call([bin_name, "debug_load", str(self.pid), str(thread_id), str(self.h_process), str(self.h_thread), dll])
            else:
                ret = subprocess.call([bin_name, "debug", str(self.pid), str(thread_id), str(self.h_process), str(self.h_thread), dll])
            if ret != 0:
                if ret == 1:
                    log.info("Injected debugger DLL into suspended %s process with pid %d", bit_str, self.pid)
                else:
                    log.error("Unable to inject debugger DLL into %s process with pid %d, error: %d", bit_str, self.pid, ret)
                return False
            else:
                return True
Exemplo n.º 7
0
    def inject(self, dll=None, injectmode=INJECT_QUEUEUSERAPC, interest=None, nosleepskip=False):
        """Cuckoo DLL injection.
        @param dll: Cuckoo DLL path.
        @param interest: path to file of interest, handed to cuckoomon config
        @param apc: APC use.
        """
        global LOGSERVER_POOL

        if not self.pid:
            return False

        thread_id = 0
        if self.thread_id:
            thread_id = self.thread_id

        if not self.is_alive():
            log.warning("The process with pid %s is not alive, "
                        "injection aborted", self.pid)
            return False

        is_64bit = self.is_64bit()
        if not dll:
            log.debug("No DLL has been specified for injection")
            if is_64bit:
                dll = CUCKOOMON64_NAME
            else:
                dll = CUCKOOMON32_NAME
        else:
            dll = os.path.join("dll", dll)

        log.info("DLL to inject is %s", dll)
        
        dll = os.path.join(os.getcwd(), dll)

        if not dll or not os.path.exists(dll):
            log.warning("No valid DLL specified to be injected in process "
                        "with pid %d, injection aborted.", self.pid)
            return False

        if thread_id or self.suspended:
            log.debug("Using QueueUserAPC injection.")
        else:
            log.debug("Using CreateRemoteThread injection.")

        config_path = "C:\\%s.ini" % self.pid
        with open(config_path, "w") as config:
            cfg = Config("analysis.conf")
            cfgoptions = cfg.get_options()

            # start the logserver for this monitored process
            logserver_path = LOGSERVER_PREFIX + str(self.pid)
            if logserver_path not in LOGSERVER_POOL:
                LOGSERVER_POOL[logserver_path] = LogServer(cfg.ip, cfg.port, logserver_path)

            Process.process_num += 1
            firstproc = Process.process_num == 1

            config.write("host-ip={0}\n".format(cfg.ip))
            config.write("host-port={0}\n".format(cfg.port))
            config.write("pipe={0}\n".format(PIPE))
            config.write("logserver={0}\n".format(logserver_path))
            config.write("results={0}\n".format(PATHS["root"]))
            config.write("analyzer={0}\n".format(os.getcwd()))
            config.write("first-process={0}\n".format("1" if firstproc else "0"))
            config.write("startup-time={0}\n".format(Process.startup_time))
            config.write("file-of-interest={0}\n".format(interest))
            config.write("shutdown-mutex={0}\n".format(SHUTDOWN_MUTEX))
            config.write("terminate-event={0}{1}\n".format(TERMINATE_EVENT, self.pid))

            if nosleepskip or ("force-sleepskip" not in cfgoptions and len(interest) > 2 and interest[1] != ':' and interest[0] != '\\' and Process.process_num <= 2):
                config.write("force-sleepskip=0\n")

            if "norefer" not in cfgoptions and "referrer" not in cfgoptions:
                config.write("referrer={0}\n".format(get_referrer_url(interest)))

            simple_optnames = [
                "force-sleepskip",
                "full-logs",
                "force-flush",
                "no-stealth",
                "buffer-max",
                "large-buffer-max",
                "serial",
                "sysvol_ctimelow",
                "sysvol_ctimehigh",
                "sys32_ctimelow",
                "sys32_ctimehigh",
                "debug",
                "disable_hook_content",
                "hook-type",
                "exclude-apis",
                "exclude-dlls",
                "referrer",
                ]
            
            for optname in simple_optnames:
                if optname in cfgoptions:
                    config.write("{0}={1}\n".format(optname, cfgoptions[optname]))

            if "procmemdump" in cfgoptions:
                config.write("procmemdump={0}\n".format(cfgoptions["procmemdump"]))
            if "import_reconstruction" in cfgoptions:
                config.write("import_reconstruction={0}\n".format(cfgoptions["import_reconstruction"]))
            if "breakpoint" in cfgoptions:
                config.write("breakpoint={0}\n".format(cfgoptions["breakpoint"]))
                
        orig_bin_name = ""
        bit_str = ""
        if is_64bit:
            orig_bin_name = LOADER64_NAME
            bit_str = "64-bit"
        else:
            orig_bin_name = LOADER32_NAME
            bit_str = "32-bit"

        bin_name = os.path.join(os.getcwd(), orig_bin_name)

        if os.path.exists(bin_name):
            if thread_id or self.suspended:
                ret = subprocess.call([bin_name, "inject", str(self.pid), str(thread_id), dll, str(INJECT_QUEUEUSERAPC)])
            else:    
                ret = subprocess.call([bin_name, "inject", str(self.pid), str(thread_id), dll, str(INJECT_CREATEREMOTETHREAD)])
            if ret != 0:
                if ret == 1:
                    log.info("Injected into suspended %s process with pid %d", bit_str, self.pid)
                else:
                    log.error("Unable to inject into %s process with pid %d, error: %d", bit_str, self.pid, ret)
                return False
            else:
                return True
        else:
            log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.", os.path.basename(bin_name), bit_str)
            return False