def run(self): global PROCESS_LOCK PROCESS_LOCK.acquire() log = logging.getLogger("Core.PipeHandler") try: data = create_string_buffer(BUFSIZE) # Read data from pipe connection. while True: bytes_read = c_int(0) success = cuckoo.defines.KERNEL32.ReadFile(self.h_pipe, data, sizeof(data), byref(bytes_read), None) if not success or bytes_read.value == 0: if cuckoo.defines.KERNEL32.GetLastError() == cuckoo.defines.ERROR_BROKEN_PIPE: # Client disconnected. pass break if data: command = data.value.strip() # If the acquired data is a valid PID to monitor, inject it. if re.match("PID:", command): pid = int(command[4:]) log.debug("Received request to analyze process with PID %d." % pid) if pid > -1: # Check if the process has not been injected previously. if pid not in PROCESS_LIST: # If injection is successful, add the newly monitored # process to global list too. if cuckoo_inject(pid, CUCKOO_DLL_PATH): PROCESS_LIST.append(pid) else: log.error("Failed injecting process with " "PID \"%s\" (0x%08x)." % (pid, pid)) else: log.debug("Process with PID \"%d\" (0x%08x) " \ "already in monitored process list. Skip." % (pid, pid)) # If the acquired data is a path to a file to dump, add it to # the list. elif re.match("FILE:", command): file_path = command[5:] add_file_to_list(file_path) finally: PROCESS_LOCK.release() return True
def run(self): global PROCESS_LOCK PROCESS_LOCK.acquire() log = logging.getLogger("Core.PipeHandler") try: data = create_string_buffer(BUFSIZE) # Read data from pipe connection. while True: bytes_read = c_int(0) success = cuckoo.defines.KERNEL32.ReadFile( self.h_pipe, data, sizeof(data), byref(bytes_read), None) if not success or bytes_read.value == 0: if cuckoo.defines.KERNEL32.GetLastError( ) == cuckoo.defines.ERROR_BROKEN_PIPE: # Client disconnected. pass break if data: command = data.value.strip() # If the acquired data is a valid PID to monitor, inject it. if re.match("PID:", command): pid = int(command[4:]) log.debug( "Received request to analyze process with PID %d." % pid) if pid > -1: # Check if the process has not been injected previously. if pid not in PROCESS_LIST: # If injection is successful, add the newly monitored # process to global list too. if cuckoo_inject(pid, CUCKOO_DLL_PATH): PROCESS_LIST.append(pid) else: log.error("Failed injecting process with " "PID \"%s\" (0x%08x)." % (pid, pid)) else: log.debug("Process with PID \"%d\" (0x%08x) " \ "already in monitored process list. Skip." % (pid, pid)) # If the acquired data is a path to a file to dump, add it to # the list. elif re.match("FILE:", command): file_path = command[5:] add_file_to_list(file_path) finally: PROCESS_LOCK.release() return True
def cuckoo_monitor(pid=-1, h_thread=-1, suspended=False, dll_path=None): """ Invokes injection and resume of the specified process. @param pid: PID of the process to monitor @param h_thread: handle of the thread of the process to monitor @param suspended: boolean value enabling or disabling the resume of the specified process from suspended mode @param dll_path: path to the DLL to inject, if none is specified it will use the default DLL """ log = logging.getLogger("Monitor.Monitor") # The package run function should return the process id, if it's valid # I can inject it with Cuckoo's DLL or specified custom DLL. if pid > -1: if not dll_path or dll_path == CUCKOO_DLL_PATH: dll_path = CUCKOO_DLL_PATH log.info("Using default Cuckoo DLL \"%s\"." % dll_path) else: log.info("Using custom DLL \"%s\"." % dll_path) if not cuckoo_inject(pid, dll_path): log.error("Unable to inject process with ID \"%d\" with DLL " \ "\"%s\" (GLE=%s)." % (pid, dll_path, cuckoo.defines.KERNEL32.GetLastError())) return False else: log.info( "Original process with PID \"%d\" successfully injected." % pid) # Resume the process in case it was created in suspended mode. if suspended and h_thread > -1: if not cuckoo_resumethread(h_thread): return False return True
def cuckoo_monitor(pid = -1, h_thread = -1, suspended = False, dll_path = None): """ Invokes injection and resume of the specified process. @param pid: PID of the process to monitor @param h_thread: handle of the thread of the process to monitor @param suspended: boolean value enabling or disabling the resume of the specified process from suspended mode @param dll_path: path to the DLL to inject, if none is specified it will use the default DLL """ log = logging.getLogger("Monitor.Monitor") # The package run function should return the process id, if it's valid # I can inject it with Cuckoo's DLL or specified custom DLL. if pid > -1: if not dll_path or dll_path == CUCKOO_DLL_PATH: dll_path = CUCKOO_DLL_PATH log.info("Using default Cuckoo DLL \"%s\"." % dll_path) else: log.info("Using custom DLL \"%s\"." % dll_path) if not cuckoo_inject(pid, dll_path): log.error("Unable to inject process with ID \"%d\" with DLL " \ "\"%s\" (GLE=%s)." % (pid, dll_path, cuckoo.defines.KERNEL32.GetLastError())) return False else: log.info("Original process with PID \"%d\" successfully injected." % pid) # Resume the process in case it was created in suspended mode. if suspended and h_thread > -1: if not cuckoo_resumethread(h_thread): return False return True