def generateCodeIdentityEvent():
    """Yield an endless stream of synthetic CODE_IDENTITY notifications.

    Every event describes a random file under c:\\windows with a random
    process id, fresh parent/this atoms, a random hash, ERROR set to 0 and a
    SIGNATURE sub-sequence whose verification flags are fixed: not verified
    globally or locally, CERT_CHAIN_STATUS 124, FILE_IS_SIGNED 1.
    """
    issuerPca = ("C=US, S=Washington, L=Redmond, O=Microsoft Corporation, "
                 "CN=Microsoft Windows Production PCA 2011")
    issuerWindows = ("C=US, S=Washington, L=Redmond, O=Microsoft Corporation, "
                     "CN=Microsoft Windows")
    while True:
        # Random values are drawn in this fixed order so a seeded run is
        # reproducible.
        filePath = "c:\\windows\\%s" % randomStringOf(10)
        processId = random.randint(0, 0xFFFFFFFF)
        parentAtom = uuid.uuid4().bytes
        thisAtom = uuid.uuid4().bytes
        fileHash = randomHash()
        signature = (rSequence()
                     .addInt8(Symbols.base.FILE_CERT_IS_VERIFIED_GLOBAL, 0)
                     .addStringA(Symbols.base.FILE_PATH, filePath)
                     .addInt8(Symbols.base.FILE_CERT_IS_VERIFIED_LOCAL, 0)
                     .addInt32(Symbols.base.CERT_CHAIN_STATUS, 124)
                     .addStringA(Symbols.base.CERT_ISSUER, issuerPca)
                     # NOTE(review): CERT_ISSUER is set twice; the second value
                     # reads like a subject name. Confirm how rSequence treats a
                     # repeated tag before relying on either value downstream.
                     .addStringA(Symbols.base.CERT_ISSUER, issuerWindows)
                     .addInt8(Symbols.base.FILE_IS_SIGNED, 1))
        identity = (rSequence()
                    .addInt32(Symbols.base.PROCESS_ID, processId)
                    .addStringA(Symbols.base.FILE_PATH, filePath)
                    .addBuffer(Symbols.hbs.PARENT_ATOM, parentAtom)
                    .addBuffer(Symbols.hbs.THIS_ATOM, thisAtom)
                    .addBuffer(Symbols.base.HASH, fileHash)
                    .addInt8(Symbols.base.ERROR, 0)
                    .addSequence(Symbols.base.SIGNATURE, signature))
        yield rSequence().addSequence(Symbols.notification.CODE_IDENTITY, identity)
def generateNewProcessEvent():
    """Yield an endless stream of synthetic NEW_PROCESS notifications.

    The child record and its PARENT sub-record each get an independent random
    path under c:\\program files, command line, user name and user id (0..64).
    Both carry the same random parent process id; only the child carries
    fresh parent/this atoms.
    """
    def describeProcess(processId):
        # The five leading fields shared by the child and the PARENT record;
        # random values are drawn in the same order for both.
        return (rSequence()
                .addInt32(Symbols.base.PROCESS_ID, processId)
                .addStringA(Symbols.base.FILE_PATH,
                            "c:\\program files\\%s" % randomStringOf(8))
                .addStringA(Symbols.base.COMMAND_LINE, "%s" % randomStringOf(15))
                .addStringA(Symbols.base.USER_NAME, randomStringOf(8))
                .addInt32(Symbols.base.USER_ID, random.randint(0, 64)))

    while True:
        parentId = random.randint(0, 0xFFFFFFFF)
        child = describeProcess(random.randint(0, 0xFFFFFFFF))
        child.addBuffer(Symbols.hbs.PARENT_ATOM, uuid.uuid4().bytes)
        child.addBuffer(Symbols.hbs.THIS_ATOM, uuid.uuid4().bytes)
        child.addInt32(Symbols.base.PARENT_PROCESS_ID, parentId)
        parent = describeProcess(parentId)
        parent.addInt32(Symbols.base.PARENT_PROCESS_ID, parentId)
        child.addSequence(Symbols.base.PARENT, parent)
        yield rSequence().addSequence(Symbols.notification.NEW_PROCESS, child)
def _doHbsSync(self):
    """Send the HBS SYNC notification carrying self._hbsProfileHash.

    The frame goes out on the HBS channel with a 30 second timeout.
    """
    self._log("Sending HBS sync")
    profile = rSequence().addBuffer(Symbols.base.HASH, self._hbsProfileHash)
    frame = rSequence().addSequence(Symbols.notification.SYNC, profile)
    self._sendFrame(HcpModuleId.HBS, [frame], 30)
def generateUserObservedEvent():
    """Yield an endless stream of synthetic USER_OBSERVED notifications.

    Each event has a random 8-character user name and fresh parent/this atoms.
    """
    while True:
        observed = rSequence()
        observed.addStringA(Symbols.base.USER_NAME, randomStringOf(8))
        observed.addBuffer(Symbols.hbs.PARENT_ATOM, uuid.uuid4().bytes)
        observed.addBuffer(Symbols.hbs.THIS_ATOM, uuid.uuid4().bytes)
        yield rSequence().addSequence(Symbols.notification.USER_OBSERVED, observed)
def generateTerminateProcessEvent():
    """Yield an endless stream of synthetic TERMINATE_PROCESS notifications.

    Each event has a random process id, fresh parent/this atoms and an
    unrelated random parent process id.
    """
    while True:
        terminated = rSequence()
        terminated.addInt32(Symbols.base.PROCESS_ID, random.randint(0, 0xFFFFFFFF))
        terminated.addBuffer(Symbols.hbs.PARENT_ATOM, uuid.uuid4().bytes)
        terminated.addBuffer(Symbols.hbs.THIS_ATOM, uuid.uuid4().bytes)
        terminated.addInt32(Symbols.base.PARENT_PROCESS_ID,
                            random.randint(0, 0xFFFFFFFF))
        yield rSequence().addSequence(Symbols.notification.TERMINATE_PROCESS,
                                      terminated)
def _doHcpSync(self):
    """Send the HCP sync frame listing every loaded module and its hash.

    self._hcpModules is iterated as (moduleId, moduleHash) pairs; each pair
    becomes a MODULE sub-sequence inside the MODULES list. The frame is sent
    on the HCP channel (isNotHbs=True) with a 30 second timeout.
    """
    modules = rList()
    for moduleId, moduleHash in self._hcpModules:
        entry = (rSequence()
                 .addInt8(Symbols.hcp.MODULE_ID, moduleId)
                 .addBuffer(Symbols.base.HASH, moduleHash))
        modules.addSequence(Symbols.hcp.MODULE, entry)
    self._log("Sending HCP sync")
    frame = rSequence().addList(Symbols.hcp.MODULES, modules)
    self._sendFrame(HcpModuleId.HCP, [frame], timeout=30, isNotHbs=True)
def generateNetworkSummaryEvent():
    """Yield an endless stream of synthetic NETWORK_SUMMARY notifications.

    Each summary carries fresh parent/this atoms, a PROCESS sub-sequence
    taken from generateNewProcessEvent() and a NETWORK_ACTIVITY list of 0 to
    11 random NEW_TCP4_CONNECTION entries (random pid, direction, endpoints
    and a millisecond timestamp taken when the entry is built).
    """
    def randomIpv4():
        # Four random octets in 0..254, drawn left to right.
        octets = tuple(random.randint(0, 254) for _ in range(4))
        return "%d.%d.%d.%d" % octets

    def randomEndpoint():
        # Address first, then port, matching the order the fields are drawn.
        return (rSequence()
                .addIpv4(Symbols.base.IP_ADDRESS, randomIpv4())
                .addInt16(Symbols.base.PORT, random.randint(0, 0xFFFF)))

    while True:
        connections = rList()
        connectionCount = random.randint(0, 11)
        for _ in range(connectionCount):
            connection = (rSequence()
                          .addInt32(Symbols.base.PROCESS_ID,
                                    random.randint(0, 0xFFFFFFFF))
                          .addInt8(Symbols.base.IS_OUTGOING, random.randint(0, 1))
                          .addBuffer(Symbols.hbs.PARENT_ATOM, uuid.uuid4().bytes)
                          .addBuffer(Symbols.hbs.THIS_ATOM, uuid.uuid4().bytes)
                          .addTimestamp(Symbols.base.TIMESTAMP,
                                        int(time.time() * 1000))
                          .addSequence(Symbols.base.DESTINATION, randomEndpoint())
                          .addSequence(Symbols.base.SOURCE, randomEndpoint()))
            connections.addSequence(Symbols.notification.NEW_TCP4_CONNECTION,
                                    connection)
        # NOTE(review): the whole NEW_PROCESS notification (including its
        # notification tag) is nested under PROCESS; confirm that is the shape
        # consumers of this summary expect.
        summary = (rSequence()
                   .addBuffer(Symbols.hbs.PARENT_ATOM, uuid.uuid4().bytes)
                   .addBuffer(Symbols.hbs.THIS_ATOM, uuid.uuid4().bytes)
                   .addSequence(Symbols.base.PROCESS,
                                next(generateNewProcessEvent()))
                   .addList(Symbols.base.NETWORK_ACTIVITY, connections))
        yield rSequence().addSequence(Symbols.notification.NETWORK_SUMMARY, summary)
def generateDnsEvent():
    """Yield an endless stream of synthetic DNS_REQUEST notifications.

    Each request has a random pid, a random "<3 chars>.<8 chars>.com" domain,
    fresh parent/this atoms, a random resolved IPv4, a random 16-bit message
    id and DNS_TYPE fixed to 1.
    """
    while True:
        processId = random.randint(0, 0xFFFFFFFF)
        domain = "%s.%s.com" % (randomStringOf(3), randomStringOf(8))
        request = rSequence()
        request.addInt32(Symbols.base.PROCESS_ID, processId)
        request.addStringA(Symbols.base.DOMAIN_NAME, domain)
        request.addBuffer(Symbols.hbs.PARENT_ATOM, uuid.uuid4().bytes)
        request.addBuffer(Symbols.hbs.THIS_ATOM, uuid.uuid4().bytes)
        # Four octets in 0..254, drawn left to right.
        resolved = "%d.%d.%d.%d" % tuple(random.randint(0, 254) for _ in range(4))
        request.addIpv4(Symbols.base.IP_ADDRESS, resolved)
        request.addInt32(Symbols.base.MESSAGE_ID, random.randint(0, 0xFFFF))
        request.addInt8(Symbols.base.DNS_TYPE, 1)
        yield rSequence().addSequence(Symbols.notification.DNS_REQUEST, request)
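def _connect(self):
    """Open the TLS session to the sensor server and start the worker greenlets.

    Connects to (self._destServer, self._destPort), sends the HCP handshake
    headers (agent identity, a digest-derived host name, a random IPv4 and
    the enrollment token when one is set), then spawns the receive and sync
    greenlets and schedules self._connectedEvent to be set.

    Returns:
        True once the handshake frame has been sent and the greenlets are
        started; False on any ordinary error, with the traceback logged.
    """
    try:
        # NOTE(review): CERT_NONE disables server certificate validation, so
        # this client cannot detect an interposed server. That is tolerable
        # only for a simulator pointed at test infrastructure; verify or pin
        # the server certificate before using this path anywhere else.
        rawSocket = gevent.socket.socket(gevent.socket.AF_INET,
                                         gevent.socket.SOCK_STREAM)
        self._socket = gevent.ssl.wrap_socket(rawSocket,
                                              cert_reqs=gevent.ssl.CERT_NONE)
        self._socket.connect((self._destServer, self._destPort))
        self._log("Connected")

        headers = rSequence()
        headers.addSequence(
            Symbols.base.HCP_IDENT,
            AgentId((self._oid, self._iid, self._sid, self._plat,
                     self._arch)).toJson())
        # The host name is just a stable label derived from the sensor id;
        # md5 is used here as a name generator, not for any security property.
        headers.addStringA(Symbols.base.HOST_NAME,
                           hashlib.md5(str(self._sid)).hexdigest())
        headers.addIpv4(
            Symbols.base.IP_ADDRESS,
            "%d.%d.%d.%d" % (random.randint(0, 254), random.randint(0, 254),
                             random.randint(0, 254), random.randint(0, 254)))
        if self._enrollmentToken is not None:
            headers.addBuffer(Symbols.hcp.ENROLLMENT_TOKEN, self._enrollmentToken)
        self._sendFrame(HcpModuleId.HCP, [headers], timeout=30, isNotHbs=True)
        self._log("Handshake sent")

        self._threads.add(gevent.spawn(self._recvThread))
        self._threads.add(gevent.spawn_later(1, self._syncHcpThread))
        self._threads.add(gevent.spawn_later(10, self._syncHbsThread))
        self._threads.add(
            gevent.spawn_later(2, lambda: self._connectedEvent.set()))
        return True
    except Exception:
        # Narrowed from a bare except: a bare clause would also swallow
        # GreenletExit / KeyboardInterrupt and report them as a failed
        # connect, which makes the simulator impossible to stop cleanly.
        self._log("Failed to connect over TLS: %s" % traceback.format_exc())
        return False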
required=True, help='output file for store signature', dest='output_store_sig') arguments = parser.parse_args() conf = (rSequence().addStringA(_.hcp.PRIMARY_URL, arguments.primary[0]).addInt16( _.hcp.PRIMARY_PORT, arguments.primary[1]).addStringA( _.hcp.SECONDARY_URL, arguments.secondary[0]). addInt16(_.hcp.SECONDARY_PORT, arguments.secondary[1]).addSequence( _.base.HCP_IDENT, rSequence().addBuffer( _.base.HCP_ORG_ID, arguments.oid.bytes).addBuffer( _.base.HCP_INSTALLER_ID, arguments.iid.bytes).addBuffer( _.base.HCP_SENSOR_ID, uuid.UUID('00000000-0000-0000-0000-000000000000').bytes ).addInt32(_.base.HCP_PLATFORM, 0).addInt32( _.base.HCP_ARCHITECTURE, 0)).addBuffer(_.hcp.C2_PUBLIC_KEY, arguments.c2_pub_cert.read()).addBuffer( _.hcp.ROOT_PUBLIC_KEY, arguments.root_pub_key.read())) conf = rpcm.serialise(conf) conf = obfuscate(conf, OBFUSCATION_KEY) confSig = Signing(arguments.root_pri_key.read()).sign(conf) arguments.output_store.write(conf) arguments.output_store_sig.write(confSig)