def launch_analysis(self):
"""Start analysis.
@raise CuckooAnalysisError: if unable to start analysis.
"""
log.info("Starting analysis of file \"%s\"" % self.task.file_path)
if not os.path.exists(self.task.file_path):
raise CuckooAnalysisError("The file to analyze does not exist at path \"%s\", analysis aborted" % self.task.file_path)
self.init_storage()
self.store_file()
options = self.build_options()
while True:
machine_lock.acquire()
vm = mmanager.acquire(machine_id=self.task.machine, platform=self.task.platform)
machine_lock.release()
if not vm:
log.debug("No machine available")
time.sleep(1)
else:
log.info("Acquired machine %s (Label: %s)" % (vm.id, vm.label))
break
# Initialize sniffer
if self.cfg.cuckoo.use_sniffer:
sniffer = Sniffer(self.cfg.cuckoo.tcpdump)
sniffer.start(interface=self.cfg.cuckoo.interface, host=vm.ip, file_path=os.path.join(self.analysis.results_folder, "dump.pcap"))
else:
sniffer = False
try:
# Start machine
mmanager.start(vm.label)
# Initialize guest manager
guest = GuestManager(vm.ip, vm.platform)
# Launch analysis
guest.start_analysis(options)
# Wait for analysis to complete
success = guest.wait_for_completion()
# Stop sniffer
if sniffer:
sniffer.stop()
if not success:
raise CuckooAnalysisError("Analysis failed, review previous errors")
# Save results
guest.save_results(self.analysis.results_folder)
except (CuckooMachineError, CuckooGuestError) as e:
raise CuckooAnalysisError(e.message)
finally:
# Stop machine
mmanager.stop(vm.label)
# Release the machine from lock
mmanager.release(vm.label)
# Launch reports generation
Reporter(self.analysis.results_folder).run(Processor(self.analysis.results_folder).run())
log.info("Reports generation completed (path=%s)" % self.analysis.results_folder)
def launch_analysis(self):
"""Start analysis."""
sniffer = None
succeeded = False
stored = False
log.info("Starting analysis of %s \"%s\" (task=%d)"
% (self.task.category.upper(),
self.task.target, self.task.id))
# Initialize the the analysis folders.
if not self.init_storage():
return False
if self.task.category == "file":
# Store a copy of the original file.
if not self.store_file():
return False
# Generate the analysis configuration file.
options = self.build_options()
# Acquire analysis machine.
machine = self.acquire_machine()
# If enabled in the configuration, start the tcpdump instance.
if self.cfg.sniffer.enabled:
sniffer = Sniffer(self.cfg.sniffer.tcpdump)
sniffer.start(interface=self.cfg.sniffer.interface,
host=machine.ip,
file_path=os.path.join(self.storage, "dump.pcap"))
try:
# Mark the selected analysis machine in the database as started.
guest_log = Database().guest_start(self.task.id,
machine.name,
machine.label,
mmanager.__class__.__name__)
# Start the machine.
mmanager.start(machine.label)
except CuckooMachineError as e:
log.error(str(e), extra={"task_id" : self.task.id})
# Stop the sniffer.
if sniffer:
sniffer.stop()
return False
else:
try:
# Initialize the guest manager.
guest = GuestManager(machine.name, machine.ip, machine.platform)
# Start the analysis.
guest.start_analysis(options)
except CuckooGuestError as e:
log.error(str(e), extra={"task_id" : self.task.id})
# Stop the sniffer.
if sniffer:
sniffer.stop()
return False
else:
# Wait for analysis completion.
try:
guest.wait_for_completion()
succeeded = True
except CuckooGuestError as e:
log.error(str(e), extra={"task_id" : self.task.id})
succeeded = False
# Retrieve the analysis results and store them.
try:
guest.save_results(self.storage)
stored = True
except CuckooGuestError as e:
log.error(str(e), extra={"task_id" : self.task.id})
stored = False
finally:
# Stop the sniffer.
if sniffer:
sniffer.stop()
# If the target is a file and the user enabled the option,
# delete the original copy.
if self.task.category == "file" and self.cfg.cuckoo.delete_original:
try:
os.remove(self.task.target)
except OSError as e:
log.error("Unable to delete original file at path \"%s\": "
"%s" % (self.task.target, e))
# Take a memory dump of the machine before shutting it off.
do_memory_dump = False
if self.cfg.cuckoo.memory_dump:
do_memory_dump = True
else:
if self.task.memory:
do_memory_dump = True
if do_memory_dump:
try:
mmanager.dump_memory(machine.label,
os.path.join(self.storage, "memory.dmp"))
except NotImplementedError:
log.error("The memory dump functionality is not available "
"for current machine manager")
except CuckooMachineError as e:
log.error(e)
try:
# Stop the analysis machine.
mmanager.stop(machine.label)
# Market the machine in the database as stopped.
Database().guest_stop(guest_log)
# Release the analysis machine.
mmanager.release(machine.label)
except CuckooMachineError as e:
log.error("Unable to release machine %s, reason %s. "
"You might need to restore it manually"
% (machine.label, e))
# If the results were correctly stored, we process the results and
# generate the reports.
if stored:
self.process_results()
return succeeded
def test_tcpdump_path_(self):
assert_equals(Sniffer("foo").tcpdump, "foo")
def test_interface_not_found(self):
assert_equals(False, Sniffer("foo").start("ethfoo"))
def test_tcpdump_not_found(self):
assert_equals(False, Sniffer("foo").start())
def launch_analysis(self):
"""Start analysis.
@raise CuckooAnalysisError: if unable to start analysis.
"""
log.info("Starting analysis of file \"%s\" (task=%s)" %
(self.task.file_path, self.task.id))
if not os.path.exists(self.task.file_path):
raise CuckooAnalysisError(
"The file to analyze does not exist at path \"%s\", analysis aborted"
% self.task.file_path)
self.init_storage()
self.store_file()
options = self.build_options()
while True:
machine_lock.acquire()
vm = mmanager.acquire(machine_id=self.task.machine,
platform=self.task.platform)
machine_lock.release()
if not vm:
log.debug("Task #%s: no machine available" % self.task.id)
time.sleep(1)
else:
log.info("Task #%s: acquired machine %s (label=%s)" %
(self.task.id, vm.id, vm.label))
break
# Initialize sniffer
if self.cfg.cuckoo.use_sniffer:
sniffer = Sniffer(self.cfg.cuckoo.tcpdump)
sniffer.start(interface=self.cfg.cuckoo.interface,
host=vm.ip,
file_path=os.path.join(self.analysis.results_folder,
"dump.pcap"))
else:
sniffer = False
try:
# Start machine
mmanager.start(vm.label)
# Initialize guest manager
guest = GuestManager(vm.id, vm.ip, vm.platform)
# Launch analysis
guest.start_analysis(options)
# Wait for analysis to complete
success = guest.wait_for_completion()
# Stop sniffer
if sniffer:
sniffer.stop()
if not success:
raise CuckooAnalysisError(
"Task #%s: analysis failed, review previous errors" %
self.task.id)
# Save results
guest.save_results(self.analysis.results_folder)
except (CuckooMachineError, CuckooGuestError) as e:
raise CuckooAnalysisError(e)
finally:
# Stop machine
mmanager.stop(vm.label)
# Release the machine from lock
mmanager.release(vm.label)
# Launch reports generation
Reporter(self.analysis.results_folder).run(
Processor(self.analysis.results_folder).run())
log.info("Task #%s: reports generation completed (path=%s)" %
(self.task.id, self.analysis.results_folder))
def launch_analysis(self):
"""Start analysis."""
sniffer = None
succeeded = False
log.info("Starting analysis of %s \"%s\" (task=%d)", self.task.category.upper(), self.task.target, self.task.id)
# Initialize the the analysis folders.
if not self.init_storage():
return False
if self.task.category == "file":
# Store a copy of the original file.
if not self.store_file():
return False
# Generate the analysis configuration file.
options = self.build_options()
# Acquire analysis machine.
machine = self.acquire_machine()
# At this point we can tell the Resultserver about it
try:
Resultserver().add_task(self.task, machine)
except Exception as e:
mmanager.release(machine.label)
self.errors.put(e)
# If enabled in the configuration, start the tcpdump instance.
if self.cfg.sniffer.enabled:
sniffer = Sniffer(self.cfg.sniffer.tcpdump)
sniffer.start(interface=self.cfg.sniffer.interface,
host=machine.ip,
file_path=os.path.join(self.storage, "dump.pcap"))
try:
# Mark the selected analysis machine in the database as started.
guest_log = Database().guest_start(self.task.id,
machine.name,
machine.label,
mmanager.__class__.__name__)
# Start the machine.
mmanager.start(machine.label)
except CuckooMachineError as e:
log.error(str(e), extra={"task_id" : self.task.id})
# Stop the sniffer.
if sniffer:
sniffer.stop()
return False
else:
try:
# Initialize the guest manager.
guest = GuestManager(machine.name, machine.ip, machine.platform)
# Start the analysis.
guest.start_analysis(options)
except CuckooGuestError as e:
log.error(str(e), extra={"task_id" : self.task.id})
# Stop the sniffer.
if sniffer:
sniffer.stop()
return False
else:
# Wait for analysis completion.
try:
guest.wait_for_completion()
succeeded = True
except CuckooGuestError as e:
log.error(str(e), extra={"task_id" : self.task.id})
succeeded = False
finally:
# Stop the sniffer.
if sniffer:
sniffer.stop()
# Take a memory dump of the machine before shutting it off.
if self.cfg.cuckoo.memory_dump or self.task.memory:
try:
mmanager.dump_memory(machine.label,
os.path.join(self.storage, "memory.dmp"))
except NotImplementedError:
log.error("The memory dump functionality is not available "
"for current machine manager")
except CuckooMachineError as e:
log.error(e)
try:
# Stop the analysis machine.
mmanager.stop(machine.label)
except CuckooMachineError as e:
log.warning("Unable to stop machine %s: %s", machine.label, e)
# Market the machine in the database as stopped.
Database().guest_stop(guest_log)
try:
# Release the analysis machine.
mmanager.release(machine.label)
except CuckooMachineError as e:
log.error("Unable to release machine %s, reason %s. "
"You might need to restore it manually", machine.label, e)
# after all this, we can make the Resultserver forget about it
Resultserver().del_task(self.task, machine)
return succeeded
def launch_analysis(self):
"""Start analysis."""
sniffer = None
succeeded = False
log.info("Starting analysis of %s \"%s\" (task=%d)", self.task.category.upper(), self.task.target, self.task.id)
# Initialize the the analysis folders.
if not self.init_storage():
return False
### JG: added interaction
if self.task.category == "file" and self.task.interaction < 2:
# Store a copy of the original file.
if not self.store_file():
return False
# Generate the analysis configuration file.
options = self.build_options()
### JG: added log output
if options['interaction'] > 0:
log.info("Starting analysis by interactive command shell or browser")
# Acquire analysis machine.
machine = self.acquire_machine()
# At this point we can tell the Resultserver about it
try:
Resultserver().add_task(self.task, machine)
except Exception as e:
mmanager.release(machine.label)
self.errors.put(e)
# If enabled in the configuration, start the tcpdump instance.
if self.cfg.sniffer.enabled:
sniffer = Sniffer(self.cfg.sniffer.tcpdump)
sniffer.start(interface=self.cfg.sniffer.interface,
host=machine.ip,
file_path=os.path.join(self.storage, "dump.pcap"))
### JG: If enabled in the configuration, start the netflow probe instance.
if self.cfg.netflow.enabled:
fprobe = Netflow(self.cfg.netflow.generator, self.cfg.netflow.collector)
nflowPort = int(machine.ip.split('.')[-1])
fprobe.start(interface=self.cfg.sniffer.interface, dst=self.cfg.netflow.destination, dport=nflowPort, file_path=os.path.join(self.storage))
else:
fprobe = False
### JG: If enabled in the configuration, start the fake DNS server.
if self.cfg.fakedns.enabled:
fdns = fakeDNS(self.cfg.fakedns.fakedns)
fdns.start(ip=self.cfg.fakedns.dnsip, withInternet=options["internet"])
else:
fdns = False
### JG: check if NAT should be enabled
if options["internet"]:
try:
pargs = ['/usr/bin/sudo', self.cfg.nat.enable]
enableNAT = subprocess.Popen(pargs, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
except (OSError, ValueError) as e:
log.error("Failed to enable NAT" % (e))
else:
try:
pargs = ['/usr/bin/sudo', self.cfg.nat.disable]
disableNAT = subprocess.Popen(pargs, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
except (OSError, ValueError) as e:
log.error("Failed to disable NAT" % (e))
try:
# Mark the selected analysis machine in the database as started.
guest_log = Database().guest_start(self.task.id,
machine.name,
machine.label,
mmanager.__class__.__name__)
# Start the machine.
mmanager.start(machine.label)
except CuckooMachineError as e:
log.error(str(e), extra={"task_id" : self.task.id})
# Stop the sniffer.
if sniffer:
sniffer.stop()
### JG: Stop netflow
if fprobe:
fprobe.stop()
### JG: Stop fakeDNS
if fdns:
fdns.stop()
### JG: Disable NAT
if options["internet"]:
try:
pargs = ['/usr/bin/sudo', self.cfg.nat.disable]
disableNAT = subprocess.Popen(pargs, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
except (OSError, ValueError) as e:
log.error("Failed to enable NAT: %s" % (e))
return False
else:
try:
# Initialize the guest manager.
guest = GuestManager(machine.name, machine.ip, machine.platform)
# Start the analysis.
guest.start_analysis(options)
log.info("guest initialization successfull.")
except CuckooGuestError as e:
log.error(str(e), extra={"task_id" : self.task.id})
# Stop the sniffer.
if sniffer:
sniffer.stop()
### JG: Stop netflow
if fprobe:
fprobe.stop()
### JG: Stop fakeDNS
if fdns:
fdns.stop()
### JG: Disable NAT
if options["internet"]:
try:
pargs = ['/usr/bin/sudo', self.cfg.nat.disable]
disableNAT = subprocess.Popen(pargs, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
except (OSError, ValueError) as e:
log.error("Failed to enable NAT: %s" % (e))
return False
else:
# Wait for analysis completion.
try:
guest.wait_for_completion()
succeeded = True
except CuckooGuestError as e:
log.error(str(e), extra={"task_id" : self.task.id})
succeeded = False
finally:
# Stop the sniffer.
if sniffer:
sniffer.stop()
### JG: Stop netflow
if fprobe:
fprobe.stop()
### JG: Stop fakeDNS
if fdns:
fdns.stop()
### JG: Disable NAT
if options["internet"]:
try:
pargs = ['/usr/bin/sudo', self.cfg.nat.disable]
disableNAT = subprocess.Popen(pargs, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
except (OSError, ValueError) as e:
log.error("Failed to enable NAT: %s" % (e))
# Take a memory dump of the machine before shutting it off.
if self.cfg.cuckoo.memory_dump or self.task.memory:
try:
mmanager.dump_memory(machine.label,
os.path.join(self.storage, "memory.dmp"))
except NotImplementedError:
log.error("The memory dump functionality is not available "
"for current machine manager")
except CuckooMachineError as e:
log.error(e)
try:
# Stop the analysis machine.
mmanager.stop(machine.label)
except CuckooMachineError as e:
log.warning("Unable to stop machine %s: %s", machine.label, e)
# Market the machine in the database as stopped.
Database().guest_stop(guest_log)
try:
# Release the analysis machine.
mmanager.release(machine.label)
except CuckooMachineError as e:
log.error("Unable to release machine %s, reason %s. "
"You might need to restore it manually", machine.label, e)
# after all this, we can make the Resultserver forget about it
Resultserver().del_task(self.task, machine)
return succeeded
def launch_analysis(self):
"""Start analysis."""
sniffer = None
succeeded = False
log.info("Starting analysis of %s \"%s\" (task=%d)",
self.task.category.upper(), self.task.target, self.task.id)
# Initialize the the analysis folders.
if not self.init_storage():
return False
if self.task.category == "file":
# Store a copy of the original file.
if not self.store_file():
return False
# Generate the analysis configuration file.
options = self.build_options()
# Acquire analysis machine.
machine = self.acquire_machine()
# At this point we can tell the Resultserver about it
try:
Resultserver().add_task(self.task, machine)
except Exception as e:
mmanager.release(machine.label)
self.errors.put(e)
# If enabled in the configuration, start the tcpdump instance.
if self.cfg.sniffer.enabled:
sniffer = Sniffer(self.cfg.sniffer.tcpdump)
sniffer.start(interface=self.cfg.sniffer.interface,
host=machine.ip,
file_path=os.path.join(self.storage, "dump.pcap"))
try:
# Mark the selected analysis machine in the database as started.
guest_log = Database().guest_start(self.task.id, machine.name,
machine.label,
mmanager.__class__.__name__)
# Start the machine.
mmanager.start(machine.label)
except CuckooMachineError as e:
log.error(str(e), extra={"task_id": self.task.id})
# Stop the sniffer.
if sniffer:
sniffer.stop()
return False
else:
try:
# Initialize the guest manager.
guest = GuestManager(machine.name, machine.ip,
machine.platform)
# Start the analysis.
guest.start_analysis(options)
except CuckooGuestError as e:
log.error(str(e), extra={"task_id": self.task.id})
# Stop the sniffer.
if sniffer:
sniffer.stop()
return False
else:
# Wait for analysis completion.
try:
guest.wait_for_completion()
succeeded = True
except CuckooGuestError as e:
log.error(str(e), extra={"task_id": self.task.id})
succeeded = False
finally:
# Stop the sniffer.
if sniffer:
sniffer.stop()
# Take a memory dump of the machine before shutting it off.
if self.cfg.cuckoo.memory_dump or self.task.memory:
try:
mmanager.dump_memory(
machine.label, os.path.join(self.storage,
"memory.dmp"))
except NotImplementedError:
log.error("The memory dump functionality is not available "
"for current machine manager")
except CuckooMachineError as e:
log.error(e)
try:
# Stop the analysis machine.
mmanager.stop(machine.label)
except CuckooMachineError as e:
log.warning("Unable to stop machine %s: %s", machine.label, e)
# Market the machine in the database as stopped.
Database().guest_stop(guest_log)
try:
# Release the analysis machine.
mmanager.release(machine.label)
except CuckooMachineError as e:
log.error(
"Unable to release machine %s, reason %s. "
"You might need to restore it manually", machine.label, e)
# after all this, we can make the Resultserver forget about it
Resultserver().del_task(self.task, machine)
return succeeded
def launch_analysis(self):
"""Start analysis.
@raise CuckooAnalysisError: if unable to start analysis.
"""
log.info('Starting analysis of file "%s" (task=%s)' % (self.task.file_path, self.task.id))
if not os.path.exists(self.task.file_path):
raise CuckooAnalysisError(
'The file to analyze does not exist at path "%s", analysis aborted' % self.task.file_path
)
self.init_storage()
self.store_file()
options = self.build_options()
while True:
machine_lock.acquire()
vm = mmanager.acquire(machine_id=self.task.machine, platform=self.task.platform)
machine_lock.release()
if not vm:
log.debug("Task #%s: no machine available" % self.task.id)
time.sleep(1)
else:
log.info("Task #%s: acquired machine %s (label=%s)" % (self.task.id, vm.id, vm.label))
break
# Initialize sniffer
if self.cfg.cuckoo.use_sniffer:
sniffer = Sniffer(self.cfg.cuckoo.tcpdump)
sniffer.start(
interface=self.cfg.cuckoo.interface,
host=vm.ip,
file_path=os.path.join(self.analysis.results_folder, "dump.pcap"),
)
else:
sniffer = False
try:
# Start machine
mmanager.start(vm.label)
# Initialize guest manager
guest = GuestManager(vm.id, vm.ip, vm.platform)
# Launch analysis
guest.start_analysis(options)
# Wait for analysis to complete
success = guest.wait_for_completion()
# Stop sniffer
if sniffer:
sniffer.stop()
# Save results
guest.save_results(self.analysis.results_folder)
if not success:
raise CuckooAnalysisError("Task #%s: analysis failed, review previous errors" % self.task.id)
except (CuckooMachineError, CuckooGuestError) as e:
raise CuckooAnalysisError(e)
finally:
# Delete original file
if self.cfg.cuckoo.delete_original:
try:
os.remove(self.task.file_path)
except OSError as e:
log.error('Unable to delete original file at path "%s": %s' % (self.task.file_path, e))
try:
# Stop machine
mmanager.stop(vm.label)
# Release the machine from lock
log.debug("Task #%s: releasing machine %s (label=%s)" % (self.task.id, vm.id, vm.label))
mmanager.release(vm.label)
except CuckooMachineError as e:
log.error("Unable to release vm %s, reason %s. You have to fix it manually" % (vm.label, e))
# Check analysis file size to avoid memory leaks.
try:
for csv in os.listdir(os.path.join(self.analysis.results_folder, "logs")):
csv = os.path.join(self.analysis.results_folder, "logs", csv)
if os.stat(csv).st_size > self.cfg.cuckoo.analysis_size_limit:
raise CuckooAnalysisError(
"Analysis file %s is too big to be processed. Analysis aborted. You can process it manually"
% csv
)
except OSError as e:
log.warning("Log access error for analysis #%s: %s" % (self.task.id, e))
# Launch reports generation
Reporter(self.analysis.results_folder).run(Processor(self.analysis.results_folder).run())
log.info("Task #%s: reports generation completed (path=%s)" % (self.task.id, self.analysis.results_folder))
def launch_analysis(self):
"""Start analysis.
@raise CuckooAnalysisError: if unable to start analysis.
"""
log.info("Starting analysis of file \"%s\" (task=%s)" % (self.task.file_path, self.task.id))
if not os.path.exists(self.task.file_path):
raise CuckooAnalysisError("The file to analyze does not exist at path \"%s\", analysis aborted" % self.task.file_path)
self.init_storage()
self.store_file()
options = self.build_options()
while True:
machine_lock.acquire()
vm = mmanager.acquire(machine_id=self.task.machine, platform=self.task.platform)
machine_lock.release()
if not vm:
log.debug("Task #%s: no machine available" % self.task.id)
time.sleep(1)
else:
log.info("Task #%s: acquired machine %s (label=%s)" % (self.task.id, vm.id, vm.label))
break
# Initialize sniffer
if self.cfg.cuckoo.use_sniffer:
sniffer = Sniffer(self.cfg.cuckoo.tcpdump)
sniffer.start(interface=self.cfg.cuckoo.interface, host=vm.ip, file_path=os.path.join(self.analysis.results_folder, "dump.pcap"))
else:
sniffer = False
# Initialize VMWare ScreenShot
MachineManager()
module = MachineManager.__subclasses__()[0]
mman = module()
mman_conf = os.path.join(CUCKOO_ROOT, "conf", "%s.conf" % self.cfg.cuckoo.machine_manager)
if not os.path.exists(mman_conf):
raise CuckooMachineError("The configuration file for machine manager \"%s\" does not exist at path: %s"
% (self.cfg.cuckoo.machine_manager, mman_conf))
mman.set_options(Config(mman_conf))
mman.initialize(self.cfg.cuckoo.machine_manager)
screener = Screener(mman.options.vmware.path, vm.label, "avtest", "avtest", self.analysis.results_folder)
try:
# Start machine
mmanager.start(vm.label)
# Initialize guest manager
guest = GuestManager(vm.id, vm.ip, vm.platform)
# Launch analysis
guest.start_analysis(options)
# Start Screenshots
screener.start()
# Wait for analysis to complete
success = guest.wait_for_completion()
# Stop sniffer
if sniffer:
sniffer.stop()
# Stop Screenshots
if screener:
screener.stop()
if not success:
raise CuckooAnalysisError("Task #%s: analysis failed, review previous errors" % self.task.id)
# Save results
guest.save_results(self.analysis.results_folder)
except (CuckooMachineError, CuckooGuestError) as e:
raise CuckooAnalysisError(e)
#"""
finally:
# Stop machine
mmanager.stop(vm.label)
# Release the machine from lock
mmanager.release(vm.label)
#"""
# Launch reports generation
Reporter(self.analysis.results_folder).run(Processor(self.analysis.results_folder).run())
log.info("Task #%s: reports generation completed (path=%s)" % (self.task.id, self.analysis.results_folder))
