def parse(self, path): # Invoke parsing of current log file. parser = BsonParser(open(path, "rb")) for event in parser: if event["type"] == "process": process = dict(event) process["calls"] = MonitorProcessLog(parser) self.processes.append(process) self.reconstructors[process["pid"]] = BehaviorReconstructor() # Create generic events out of the windows calls. elif event["type"] == "apicall": reconstructor = self.reconstructors[event["pid"]] res = reconstructor.process_apicall(event) if res and isinstance(res, tuple): res = [res] if res: for category, arg in res: yield { "type": "generic", "pid": event["pid"], "category": category, "value": arg, } # Indicate that the process has API calls. For more # information on this matter, see also the __nonzero__ above. process["calls"].has_apicalls = True yield event
def parse(self, path): # Invoke parsing of current log file. parser = BsonParser(open(path, "rb")) for event in parser: if event["type"] == "process": process = dict(event) process["calls"] = MonitorProcessLog(parser) self.processes.append(process) self.reconstructors[process["pid"]] = BehaviorReconstructor() # create generic events out of the windows calls elif event["type"] == "apicall": reconstructor = self.reconstructors[event["pid"]] res = reconstructor.process_apicall(event) if res and isinstance(res, tuple): res = [res] if res: for category, arg in res: yield { "type": "generic", "pid": event["pid"], "category": category, "value": arg, } yield event
def parse(self, path): # Invoke parsing of current log file. parser = BsonParser(open(path, "rb")) parser.init() for event in parser: if event["type"] == "process": process = dict(event) #@Kapil: Skipping ProcessInterceptor in cuckoo report #if "dvasion_exp" in process["process_name"]: # continue process["calls"] = MonitorProcessLog(parser, process["modules"]) self.processes.append(process) self.behavior[process["pid"]] = BehaviorReconstructor() self.reboot[process["pid"]] = RebootReconstructor() # Create generic events out of the windows calls. elif event["type"] == "apicall": #@Kapil: Skipping ProcessInterceptor in cuckoo report if not event["pid"] in self.behavior or event[ "pid"] not in self.reboot: continue behavior = self.behavior[event["pid"]] reboot = self.reboot[event["pid"]] for category, arg in behavior.process_apicall(event): yield { "type": "generic", "pid": event["pid"], "category": category, "value": arg, } # Process the reboot reconstructor. for category, args in reboot.process_apicall(event): # TODO Improve this where we have to calculate the "real" # time again even though we already do this in # MonitorProcessLog. ts = process["first_seen"] + \ datetime.timedelta(0, 0, event["time"] * 1000) yield { "type": "reboot", "category": category, "args": args, "time": int(ts.strftime("%d")), } # Indicate that the process has API calls. For more # information on this matter, see also the __nonzero__ above. process["calls"].has_apicalls = True yield event
def negotiate_protocol(self): # Read until newline. buf = self.read_newline() if "BSON" in buf: self.protocol = BsonParser(self) elif "FILE" in buf: self.protocol = FileUpload(self) elif "LOG" in buf: self.protocol = LogHandler(self) else: raise CuckooOperationalError("Netlog failure, unknown " "protocol requested.")
def test_read_next_message(self, bson_file): b = BsonParser(bson_file) b.read_next_message() assert len(bson_file.process_log) == 0 b.read_next_message() assert bson_file.process_log == ( [0, 0, 1, 0, 2360, 0, 0, 0], datetime.datetime(2020, 11, 6, 10, 34, 36, 359375), 1976, 476, b'C:\\Windows\\sysnative\\lsass.exe', b"lsass.exe", )
def negotiate_protocol(self): # Read until newline. buf = self.read_newline() if "BSON" in buf: self.protocol = BsonParser(self) elif "FILE" in buf: self.protocol = FileUpload(self, is_binary=False, duplicate=False) elif "DUPLICATEBINARY" in buf: self.protocol = FileUpload(self, is_binary=True, duplicate=True) elif "BINARY" in buf: self.protocol = FileUpload(self, is_binary=True, duplicate=False) elif "LOG" in buf: self.protocol = LogHandler(self) else: raise CuckooOperationalError("Netlog failure, unknown " "protocol requested.")
def parse_first_and_reset(self): self.fd = open(self._log_path, "rb") if self._log_path.endswith(".bson"): self.parser = BsonParser(self) elif self._log_path.endswith(".raw"): self.parser = NetlogParser(self) else: self.fd.close() self.fd = None return # Get the process information from file to determine # process id (file names.) while not self.process_id: self.parser.read_next_message() self.fd.seek(0)
def parse_first_and_reset(self): """Open file and init Bson Parser. Read till first process""" if not self._log_path.endswith(".bson"): return self.fd = open(self._log_path, "rb") self.parser = BsonParser(self) # Get the process information from file # Note that we have to read in all messages until we # get all the information we need, so the invariant below # should involve the last process-related bit of # information logged # Environment info will be filled in as the log is read # and will be stored by reference into the results dict while not self.process_id: self.parser.read_next_message() self.fd.seek(0)
def negotiate_protocol(self): protocol = self.read_newline(strip=True) # Command with version number. if " " in protocol: command, version = protocol.split() version = int(version) else: command, version = protocol, None if command == "BSON": self.protocol = BsonParser(self, version) elif command == "FILE": self.protocol = FileUpload(self, version) elif command == "LOG": self.protocol = LogHandler(self, version) else: raise CuckooOperationalError( "Netlog failure, unknown protocol requested.") self.protocol.init()
def test_init(self, bson_file): assert BsonParser(bson_file)