def parse(self, path):
    """Parse one monitor log file and yield its events in order.

    Every ``process`` event is copied into ``self.processes`` with a lazily
    evaluated ``calls`` log and gets its own ``BehaviorReconstructor`` in
    ``self.reconstructors``. Every ``apicall`` event is first turned into
    zero or more ``generic`` events by that reconstructor, which are yielded
    ahead of the raw event. Each raw event is then re-yielded unchanged.

    The log is presumably produced inside the analysis guest, so its fields
    should be treated as untrusted input: an ``apicall`` whose pid was never
    announced by a ``process`` event raises ``KeyError`` here, and an
    ``apicall`` arriving before any ``process`` event fails on the unbound
    ``current`` name.
    """
    # The handle is handed to the parser (and kept by MonitorProcessLog in
    # the recorded process), so it is deliberately not closed here.
    log = BsonParser(open(path, "rb"))
    log.init()

    for event in log:
        kind = event["type"]

        if kind == "process":
            current = dict(event)
            current["calls"] = MonitorProcessLog(log)
            self.processes.append(current)
            self.reconstructors[current["pid"]] = BehaviorReconstructor()

        elif kind == "apicall":
            # Turn the Windows API call into generic events. The
            # reconstructor hands back None, a single (category, value)
            # tuple or a list of such tuples.
            pid = event["pid"]
            generics = self.reconstructors[pid].process_apicall(event)
            if generics and isinstance(generics, tuple):
                generics = [generics]

            for category, value in generics or ():
                yield {
                    "type": "generic",
                    "pid": pid,
                    "category": category,
                    "value": value,
                }

            # Mark the most recently announced process as having API calls
            # (presumably the __nonzero__ referenced above relies on this).
            current["calls"].has_apicalls = True

        yield event
def parse(self, path):
    """Parse one monitor log file and yield its events in order.

    ``process`` events are copied into ``self.processes`` (with a lazily
    evaluated ``calls`` log) and get a ``BehaviorReconstructor`` and a
    ``RebootReconstructor`` keyed by pid. An ``apicall`` whose pid is absent
    from either table is dropped entirely, raw event included (added to keep
    ProcessInterceptor out of the report). Known ``apicall`` events are
    expanded into ``generic`` and ``reboot`` events that are yielded ahead
    of the raw event; each raw event is then re-yielded unchanged.

    The log is presumably produced inside the analysis guest, so its fields
    should be treated as untrusted input. An ``apicall`` arriving before any
    ``process`` event fails on the unbound ``current`` name.
    """
    # The handle is handed to the parser (and kept by MonitorProcessLog in
    # the recorded process), so it is deliberately not closed here.
    log = BsonParser(open(path, "rb"))
    log.init()

    for event in log:
        kind = event["type"]

        if kind == "process":
            # A filter on the process name was tried here earlier and left
            # disabled; unknown pids are filtered on the apicall side below.
            current = dict(event)
            current["calls"] = MonitorProcessLog(log, current["modules"])
            self.processes.append(current)
            self.behavior[current["pid"]] = BehaviorReconstructor()
            self.reboot[current["pid"]] = RebootReconstructor()

        elif kind == "apicall":
            pid = event["pid"]
            # Calls from a pid never announced by a process event (e.g.
            # ProcessInterceptor) are skipped, raw event included.
            if pid not in self.behavior or pid not in self.reboot:
                continue

            behavior_recon = self.behavior[pid]
            reboot_recon = self.reboot[pid]

            # Generic events out of the Windows calls.
            for category, value in behavior_recon.process_apicall(event):
                yield {
                    "type": "generic",
                    "pid": pid,
                    "category": category,
                    "value": value,
                }

            # Reboot events; the wall-clock time is recomputed from the
            # process' first_seen plus the call's relative time (apparently
            # in milliseconds).
            # TODO Avoid recalculating the "real" time here, MonitorProcessLog
            # already does this.
            # NOTE(review): strftime("%d") yields the day of the month;
            # confirm that is the intended value for "time".
            for category, args in reboot_recon.process_apicall(event):
                stamp = current["first_seen"] + datetime.timedelta(
                    microseconds=event["time"] * 1000
                )
                yield {
                    "type": "reboot",
                    "category": category,
                    "args": args,
                    "time": int(stamp.strftime("%d")),
                }

            # Mark the most recently announced process as having API calls
            # (presumably the __nonzero__ referenced above relies on this).
            current["calls"].has_apicalls = True

        yield event
def parse(self, path):
    """Parse one monitor log file and yield its events in order.

    ``process`` events are copied into ``self.processes`` (with a lazily
    evaluated ``calls`` log) and get a ``BehaviorReconstructor`` and a
    ``RebootReconstructor`` keyed by pid. ``apicall`` events are expanded
    into ``generic`` and ``reboot`` events that are yielded ahead of the raw
    event; each raw event is then re-yielded unchanged.

    The log is presumably produced inside the analysis guest, so its fields
    should be treated as untrusted input: an ``apicall`` whose pid was never
    announced by a ``process`` event raises ``KeyError`` here, and an
    ``apicall`` arriving before any ``process`` event fails on the unbound
    ``current`` name.
    """
    # The handle is handed to the parser (and kept by MonitorProcessLog in
    # the recorded process), so it is deliberately not closed here.
    log = BsonParser(open(path, "rb"))
    log.init()

    for event in log:
        kind = event["type"]

        if kind == "process":
            current = dict(event)
            current["calls"] = MonitorProcessLog(log, current["modules"])
            self.processes.append(current)
            self.behavior[current["pid"]] = BehaviorReconstructor()
            self.reboot[current["pid"]] = RebootReconstructor()

        elif kind == "apicall":
            pid = event["pid"]
            behavior_recon = self.behavior[pid]
            reboot_recon = self.reboot[pid]

            # Generic events out of the Windows calls.
            for category, value in behavior_recon.process_apicall(event):
                yield {
                    "type": "generic",
                    "pid": pid,
                    "category": category,
                    "value": value,
                }

            # Reboot events; the wall-clock time is recomputed from the
            # process' first_seen plus the call's relative time (apparently
            # in milliseconds).
            # TODO Avoid recalculating the "real" time here, MonitorProcessLog
            # already does this.
            # NOTE(review): strftime("%d") yields the day of the month;
            # confirm that is the intended value for "time".
            for category, args in reboot_recon.process_apicall(event):
                stamp = current["first_seen"] + datetime.timedelta(
                    microseconds=event["time"] * 1000
                )
                yield {
                    "type": "reboot",
                    "category": category,
                    "args": args,
                    "time": int(stamp.strftime("%d")),
                }

            # Mark the most recently announced process as having API calls
            # (presumably the __nonzero__ referenced above relies on this).
            current["calls"].has_apicalls = True

        yield event