def init_modules():
    """Run the one-time initialisation of every loaded plugin.

    Every plugin class in the five plugin categories has its ``init_once()``
    called, the imported classes are then logged as a small tree per
    category, and finally ``RunSignatures`` and ``ExtractManager`` are
    initialised with the full set of signatures and extractors now imported.
    """
    log.debug("Imported modules...")

    categories = (
        "auxiliary",
        "machinery",
        "processing",
        "signatures",
        "reporting",
    )

    # No exception handling here on purpose: a plugin whose init_once() fails
    # should abort start-up loudly instead of leaving a half-initialised
    # sandbox running.
    for name in categories:
        for plugin in cuckoo.plugins[name]:
            plugin.init_once()

    for name in categories:
        log.debug("Imported \"%s\" modules:", name)
        loaded = cuckoo.plugins[name]
        for plugin in loaded:
            # The closing branch is chosen by comparing with the tail entry,
            # not by position, so a class listed twice would be drawn as the
            # tail both times (kept as-is to preserve the original output).
            fmt = "\t `-- %s" if plugin == loaded[-1] else "\t |-- %s"
            log.debug(fmt, plugin.__name__)

    # Aggregators of all signatures / extractors, initialised last.
    RunSignatures.init_once()
    ExtractManager.init_once()
def init_modules():
    """Initialise all plugins and the signature/extractor aggregators.

    Calls ``init_once()`` on each plugin class of every category, logs the
    imported classes per category, then initialises ``RunSignatures`` and
    ``ExtractManager`` so they pick up every available signature and
    extractor.
    """
    log.debug("Imported modules...")

    categories = (
        "auxiliary", "machinery", "processing", "signatures", "reporting",
    )

    def log_category(category):
        # Draws the classes of one category as a tree. The tail marker goes
        # on whichever entry compares equal to the last element.
        log.debug("Imported \"%s\" modules:", category)
        entries = cuckoo.plugins[category]
        for entry in entries:
            if entry == entries[-1]:
                log.debug("\t `-- %s", entry.__name__)
            else:
                log.debug("\t |-- %s", entry.__name__)

    # Initialisation errors are deliberately not caught: failing hard at
    # start-up is preferable to running with a broken plugin.
    for category in categories:
        for plugin in cuckoo.plugins[category]:
            plugin.init_once()

    for category in categories:
        log_category(category)

    # Initialise the aggregators with all signatures and extractors imported.
    RunSignatures.init_once()
    ExtractManager.init_once()
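def test_ident_shellcode():
    """Extract a PowerShell-embedded byte array and check its disassembly.

    A yara rule in the ``scripts`` namespace matches the ``0x..,0x..``
    byte-array syntax, a test Extractor turns the match into shellcode, and
    ``ExtractManager`` is expected to write both the decoded script and a
    disassembly listing into the analysis' ``extracted`` directory.

    Fix over the original: every file handle is now closed via ``with``.
    The original relied on CPython's refcounting to close (and flush) the
    yara rule file before ``init_yara()`` read it, which is not guaranteed
    on other interpreters.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()

    mkdir(cwd("yara", "scripts"))
    # Raw string: the regex contains "\s", which a non-raw literal only
    # preserves by accident (it is an invalid escape on Python 3). The
    # written bytes are identical to the original.
    with open(cwd("yara", "scripts", "1.yar"), "wb") as f:
        f.write(r"""
rule Shellcode1 {
    strings:
        $Shellcode = /=\s*((0x)?[0-9A-F]{2}\s*[,;]\s*)+/ nocase
    condition:
        all of them
}
""")
    init_yara()

    # Defined before ExtractManager.init_once() below; the ordering is what
    # the original relies on for the class to be picked up (registration
    # itself happens outside this test).
    class Shellcode1(Extractor):
        yara_rules = "Shellcode1"

        def handle_yara(self, filepath, match):
            # Matched text is "= 0x..,0x..;": strip the "= " prefix and the
            # trailing ";" before decoding the hex bytes.
            sc = match.string("Shellcode", 0)
            self.push_shellcode(
                "".join(chr(int(x, 16)) for x in sc[2:-1].split(","))
            )

    ExtractManager.init_once()

    with open("tests/files/shellcode/shikata/1.bin", "rb") as f:
        sc = shikata(f.read())
    sc = ",".join("0x%02x" % ord(ch) for ch in sc)

    scr = Scripting()
    ps1 = ("[Byte[]]$s = %s;" % sc).encode("utf-16le")
    cmd = scr.parse_command(
        "powershell -e %s" % ps1.encode("base64").replace("\n", "")
    )

    mkdir(cwd(analysis=1))
    em = ExtractManager(1)
    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)
    # One item for the decoded script, one for the extracted shellcode.
    assert len(em.items) == 2

    filepath = cwd("extracted", "0.ps1", analysis=1)
    with open(filepath, "rb") as f:
        assert f.read().startswith("[Byte[]]$s = 0xfc")

    with open(cwd("extracted", "1.bin.txt", analysis=1), "rb") as f:
        buf = f.read()
    assert "call 0x88" in buf
    assert "0x00c1: push 0xc69f8957" in buf
    assert ".db 'www.service.chrome-up.date',0" in buf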
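def test_ident_shellcode():
    """Shellcode embedded as a PowerShell byte array is extracted and disassembled.

    Steps: install a yara rule for the ``0x..,0x..`` byte-array syntax,
    define an Extractor that decodes the matched hex bytes into shellcode,
    feed a ``powershell -e`` command line through ``ExtractManager`` and
    check the files it leaves in the analysis' ``extracted`` directory.

    Fix over the original: file handles are closed with ``with`` instead of
    being left to the garbage collector, so the rule file is guaranteed to be
    flushed before ``init_yara()`` reads it.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()

    mkdir(cwd("yara", "scripts"))
    # Raw literal so the regex's "\s" is not an invalid escape; the bytes
    # written are the same as with the original non-raw literal.
    rule = r"""
rule Shellcode1 {
    strings:
        $Shellcode = /=\s*((0x)?[0-9A-F]{2}\s*[,;]\s*)+/ nocase
    condition:
        all of them
}
"""
    with open(cwd("yara", "scripts", "1.yar"), "wb") as f:
        f.write(rule)
    init_yara()

    # Must be defined before ExtractManager.init_once() is called; how the
    # class is registered is outside this test.
    class Shellcode1(Extractor):
        yara_rules = "Shellcode1"

        def handle_yara(self, filepath, match):
            # The match reads "= 0x..,0x..;" - drop "= " and the ";" and
            # decode each hex token into one byte.
            sc = match.string("Shellcode", 0)
            self.push_shellcode("".join(
                chr(int(x, 16)) for x in sc[2:-1].split(",")))

    ExtractManager.init_once()

    with open("tests/files/shellcode/shikata/1.bin", "rb") as f:
        raw = f.read()
    sc = shikata(raw)
    sc = ",".join("0x%02x" % ord(ch) for ch in sc)

    scr = Scripting()
    ps1 = ("[Byte[]]$s = %s;" % sc).encode("utf-16le")
    cmd = scr.parse_command("powershell -e %s" % ps1.encode("base64").replace("\n", ""))

    mkdir(cwd(analysis=1))
    em = ExtractManager(1)
    em.push_script({
        "pid": 1,
        "first_seen": 2,
    }, cmd)
    # The decoded script plus the extracted shellcode.
    assert len(em.items) == 2

    filepath = cwd("extracted", "0.ps1", analysis=1)
    with open(filepath, "rb") as f:
        assert f.read().startswith("[Byte[]]$s = 0xfc")

    with open(cwd("extracted", "1.bin.txt", analysis=1), "rb") as f:
        buf = f.read()
    assert "call 0x88" in buf
    assert "0x00c1: push 0xc69f8957" in buf
    assert ".db 'www.service.chrome-up.date',0" in buf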
def test_cfgextr():
    """A config pushed by an Extractor ends up under ``metadata.cfgextr``.

    A test Extractor answers a fabricated yara match by pushing a family /
    version configuration; after ``RunSignatures`` runs over the extraction
    results, that configuration is expected in the results' metadata with a
    score of 10.0 and no signatures.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()

    class Trigger1(Extractor):
        yara_rules = "Trigger1"

        def handle_yara(self, filepath, match):
            self.push_config({
                "family": "barfoo",
                "version": "baz",
            })

    ExtractManager.init_once()
    mkdir(cwd(analysis=1))

    # A hand-built match with no offsets/strings is enough to trigger the
    # extractor by rule name.
    fake_match = YaraMatch({
        "name": "Trigger1",
        "meta": None,
        "offsets": None,
        "strings": [],
    })
    em = ExtractManager(1)
    em.handle_yara(None, fake_match)
    assert len(em.items) == 1

    results = {
        "extracted": em.results(),
        "metadata": {},
        "info": {},
    }
    RunSignatures(results).run()

    expected = {
        "info": {
            "score": 10.0,
        },
        "metadata": {
            "cfgextr": [{
                "family": "barfoo",
                "version": "baz",
            }],
        },
        "extracted": mock.ANY,
        "signatures": [],
    }
    assert results == expected
def test_cfgextr():
    """Extracted configuration is surfaced as ``metadata.cfgextr`` by RunSignatures.

    The Extractor defined here pushes a family/version pair when its rule
    matches; the test fabricates such a match, runs the signatures over the
    extraction results and compares the whole results dict.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()

    config = {"family": "barfoo", "version": "baz"}

    class Trigger1(Extractor):
        yara_rules = "Trigger1"

        def handle_yara(self, filepath, match):
            # Push a fresh dict so the expected value below is not shared
            # with what the extractor stores.
            self.push_config(dict(config))

    ExtractManager.init_once()
    mkdir(cwd(analysis=1))

    em = ExtractManager(1)
    em.handle_yara(None, YaraMatch({
        "name": "Trigger1",
        "meta": None,
        "offsets": None,
        "strings": [],
    }))
    assert len(em.items) == 1

    results = {"extracted": em.results(), "metadata": {}, "info": {}}
    RunSignatures(results).run()

    assert results == {
        "info": {"score": 10.0},
        "metadata": {"cfgextr": [dict(config)]},
        "extracted": mock.ANY,
        "signatures": [],
    }
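def setup_module():
    """Point the working directory at a private copy of ``~/.cuckoo``.

    The copy is made under a freshly created temporary directory, the
    signatures are reloaded from it and ``ExtractManager`` is reset and
    re-initialised so the tests in this module start from a clean state.

    Fix over the original: ``tempfile.mktemp()`` only returns a predictable
    name that does not exist yet, which another local process can claim
    between the name being chosen and ``copytree()`` creating it (classic
    TOCTOU, and the reason ``mktemp`` is deprecated). ``mkdtemp()`` creates
    the parent atomically with restrictive permissions; ``copytree()`` still
    needs a destination that does not exist, hence the subdirectory.
    """
    set_cwd(os.path.join(tempfile.mkdtemp(), "cuckoo"))
    shutil.copytree(os.path.expanduser("~/.cuckoo"), cwd())
    reload_signatures()

    # Drop ExtractManager instances left behind by other test modules before
    # re-initialising - presumably so stale per-analysis state does not leak
    # into this module's tests (verify against ExtractManager).
    ExtractManager._instances = {}
    ExtractManager.init_once()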