def parse(self, path):
# Invoke parsing of current log file.
parser = BsonParser(open(path, "rb"))
for event in parser:
if event["type"] == "process":
process = dict(event)
process["calls"] = MonitorProcessLog(parser)
self.processes.append(process)
self.reconstructors[process["pid"]] = BehaviorReconstructor()
# Create generic events out of the windows calls.
elif event["type"] == "apicall":
reconstructor = self.reconstructors[event["pid"]]
res = reconstructor.process_apicall(event)
if res and isinstance(res, tuple):
res = [res]
if res:
for category, arg in res:
yield {
"type": "generic",
"pid": event["pid"],
"category": category,
"value": arg,
}
# Indicate that the process has API calls. For more
# information on this matter, see also the __nonzero__ above.
process["calls"].has_apicalls = True
yield event
def parse(self, path):
# Invoke parsing of current log file.
parser = BsonParser(open(path, "rb"))
for event in parser:
if event["type"] == "process":
process = dict(event)
process["calls"] = MonitorProcessLog(parser)
self.processes.append(process)
self.reconstructors[process["pid"]] = BehaviorReconstructor()
# create generic events out of the windows calls
elif event["type"] == "apicall":
reconstructor = self.reconstructors[event["pid"]]
res = reconstructor.process_apicall(event)
if res and isinstance(res, tuple):
res = [res]
if res:
for category, arg in res:
yield {
"type": "generic",
"pid": event["pid"],
"category": category,
"value": arg,
}
yield event
def parse(self, path):
# Invoke parsing of current log file.
parser = BsonParser(open(path, "rb"))
parser.init()
for event in parser:
if event["type"] == "process":
process = dict(event)
#@Kapil: Skipping ProcessInterceptor in cuckoo report
#if "dvasion_exp" in process["process_name"]:
# continue
process["calls"] = MonitorProcessLog(parser,
process["modules"])
self.processes.append(process)
self.behavior[process["pid"]] = BehaviorReconstructor()
self.reboot[process["pid"]] = RebootReconstructor()
# Create generic events out of the windows calls.
elif event["type"] == "apicall":
#@Kapil: Skipping ProcessInterceptor in cuckoo report
if not event["pid"] in self.behavior or event[
"pid"] not in self.reboot:
continue
behavior = self.behavior[event["pid"]]
reboot = self.reboot[event["pid"]]
for category, arg in behavior.process_apicall(event):
yield {
"type": "generic",
"pid": event["pid"],
"category": category,
"value": arg,
}
# Process the reboot reconstructor.
for category, args in reboot.process_apicall(event):
# TODO Improve this where we have to calculate the "real"
# time again even though we already do this in
# MonitorProcessLog.
ts = process["first_seen"] + \
datetime.timedelta(0, 0, event["time"] * 1000)
yield {
"type": "reboot",
"category": category,
"args": args,
"time": int(ts.strftime("%d")),
}
# Indicate that the process has API calls. For more
# information on this matter, see also the __nonzero__ above.
process["calls"].has_apicalls = True
yield event
def negotiate_protocol(self):
# Read until newline.
buf = self.read_newline()
if "BSON" in buf:
self.protocol = BsonParser(self)
elif "FILE" in buf:
self.protocol = FileUpload(self)
elif "LOG" in buf:
self.protocol = LogHandler(self)
else:
raise CuckooOperationalError("Netlog failure, unknown "
"protocol requested.")
def test_read_next_message(self, bson_file):
b = BsonParser(bson_file)
b.read_next_message()
assert len(bson_file.process_log) == 0
b.read_next_message()
assert bson_file.process_log == (
[0, 0, 1, 0, 2360, 0, 0, 0],
datetime.datetime(2020, 11, 6, 10, 34, 36, 359375),
1976,
476,
b'C:\\Windows\\sysnative\\lsass.exe',
b"lsass.exe",
)
def negotiate_protocol(self):
# Read until newline.
buf = self.read_newline()
if "BSON" in buf:
self.protocol = BsonParser(self)
elif "FILE" in buf:
self.protocol = FileUpload(self, is_binary=False, duplicate=False)
elif "DUPLICATEBINARY" in buf:
self.protocol = FileUpload(self, is_binary=True, duplicate=True)
elif "BINARY" in buf:
self.protocol = FileUpload(self, is_binary=True, duplicate=False)
elif "LOG" in buf:
self.protocol = LogHandler(self)
else:
raise CuckooOperationalError("Netlog failure, unknown "
"protocol requested.")
def parse_first_and_reset(self):
self.fd = open(self._log_path, "rb")
if self._log_path.endswith(".bson"):
self.parser = BsonParser(self)
elif self._log_path.endswith(".raw"):
self.parser = NetlogParser(self)
else:
self.fd.close()
self.fd = None
return
# Get the process information from file to determine
# process id (file names.)
while not self.process_id:
self.parser.read_next_message()
self.fd.seek(0)
def parse_first_and_reset(self):
"""Open file and init Bson Parser. Read till first process"""
if not self._log_path.endswith(".bson"):
return
self.fd = open(self._log_path, "rb")
self.parser = BsonParser(self)
# Get the process information from file
# Note that we have to read in all messages until we
# get all the information we need, so the invariant below
# should involve the last process-related bit of
# information logged
# Environment info will be filled in as the log is read
# and will be stored by reference into the results dict
while not self.process_id:
self.parser.read_next_message()
self.fd.seek(0)
def negotiate_protocol(self):
protocol = self.read_newline(strip=True)
# Command with version number.
if " " in protocol:
command, version = protocol.split()
version = int(version)
else:
command, version = protocol, None
if command == "BSON":
self.protocol = BsonParser(self, version)
elif command == "FILE":
self.protocol = FileUpload(self, version)
elif command == "LOG":
self.protocol = LogHandler(self, version)
else:
raise CuckooOperationalError(
"Netlog failure, unknown protocol requested.")
self.protocol.init()
def test_init(self, bson_file):
assert BsonParser(bson_file)
