def start(self, path):
free = self.options.get("free", False)
dll = self.options.get("dll", None)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
cmd_path = os.path.join(os.getenv("SystemRoot"), "system32", "cmd.exe")
cmd_args = "/c start \"{0}\"".format(path)
p = Process()
if not p.execute(path=cmd_path, args=cmd_args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, "
"analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
p.close()
return p.pid
else:
return None
def start(self, path):
p = Process()
dll = self.options.get("dll")
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject(dll)
p.resume()
return p.pid
def start(self, path):
free = self.options.get("free", False)
function = self.options.get("function", "DllMain")
arguments = self.options.get("arguments", None)
dll = self.options.get("dll", None)
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
args = "{0},{1}".format(path, function)
if arguments:
args += " {0}".format(arguments)
p = Process()
if not p.execute(path="C:\\WINDOWS\\system32\\rundll32.exe", args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute rundll32, " "analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
wscript = self.get_path()
if not wscript:
raise CuckooPackageError("Unable to find any WScript "
"executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=wscript, args="\"{0}\"".format(path), suspended=suspended):
raise CuckooPackageError("Unable to execute initial WScript "
"process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, url):
free = self.options.get("free", False)
dll = self.options.get("dll", None)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
iexplore = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe")
p = Process()
if not p.execute(path=iexplore, args="\"%s\"" % url, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Internet "
"Explorer process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
powershell = self.get_path()
if not powershell:
raise CuckooPackageError("Unable to find any PowerShell executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
args = "-NoProfile -ExecutionPolicy unrestricted -File \"{0}\"".format(path)
p = Process()
if not p.execute(path=powershell, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial PowerShell process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
free = self.options.get("free", False)
function = self.options.get("function", "DllMain")
arguments = self.options.get("arguments", None)
suspended = True
if free:
suspended = False
if not path.endswith('.cpl'):
args = "{0},{1}".format(path, function)
if arguments:
args += " {0}".format(arguments)
exe_path = "C:\\WINDOWS\\system32\\rundll32.exe"
else:
args = "{0}".format(path)
if arguments:
args += " {0}".format(arguments)
exe_path = "C:\\WINDOWS\\system32\\control.exe"
log.info("starting DLL with: %s" % (args))
p = Process()
#if not p.execute(path="C:\\WINDOWS\\system32\\rundll32.exe", args=args, suspended=suspended):
if not p.execute(path=exe_path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute rundll32, analysis aborted")
if not free and suspended:
p.inject()
p.resume()
return p.pid
else:
return None
def start(self, path):
free = self.options.get("free", False)
dll = self.options.get("dll", None)
suspended = True
if free:
suspended = False
if os.getenv("ProgramFiles(x86)"):
iex86 = os.path.join(os.getenv("ProgramFiles(x86)"), "Internet Explorer", "iexplore.exe")
else:
iex86 = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe")
ie32 = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe")
if os.path.exists(iex86):
iexplore = iex86
else:
iexplore = ie32
p = Process()
if not p.execute(path=iexplore, args="\"%s\"" % path, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Internet "
"Explorer process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
p = Process()
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
control = self.get_path()
if not control:
raise CuckooPackageError("Unable to find any control.exe "
"executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=control, args="\"%s\"" % path,
suspended=suspended):
raise CuckooPackageError("Unable to execute initial Control "
"process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
java = self.get_path()
if not java:
raise CuckooPackageError("Unable to find any Java "
"executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
class_path = self.options.get("class", None)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
if class_path:
args = "-cp \"%s\" %s" % (path, class_path)
else:
args = "-jar \"%s\"" % path
p = Process()
if not p.execute(path=java, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Java "
"process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
excel = self.get_path()
if not excel:
raise CuckooPackageError("Unable to find any Microsoft " "Office Excel executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=excel, args='"%s"' % path, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Microsoft " "Office Excel process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
java = self.get_path()
if not java:
raise CuckooPackageError("Unable to find any Java executable available")
free = self.options.get("free", False)
class_path = self.options.get("class", None)
suspended = True
if free:
suspended = False
if class_path:
args = '-cp "%s" %s' % (path, class_path)
else:
args = '-jar "%s"' % path
p = Process()
if not p.execute(path=java, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Java process, analysis aborted")
if not free and suspended:
p.inject()
p.resume()
return p.pid
else:
return None
def start(self, path):
root = os.environ["TEMP"]
with ZipFile(path, "r") as archive:
try:
archive.extractall(root)
except BadZipfile as e:
raise CuckooPackageError("Invalid Zip file")
except RuntimeError:
try:
archive.extractall(path=root, pwd="infected")
except RuntimeError as e:
raise CuckooPackageError("Unable to extract Zip file, unknown password?")
file_path = os.path.join(root, self.options.get("file", "sample.exe"))
free = self.options.get("free", False)
args = self.options.get("arguments", None)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=file_path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, analysis aborted")
if not free and suspended:
p.inject()
p.resume()
return p.pid
else:
return None
def execute(self, path, args, interest):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param interest: file of interest, passed to the cuckoomon config
@return: process pid
"""
dll = self.options.get("dll")
free = self.options.get("free")
suspended = True
if free:
suspended = False
kernel_analysis = self.options.get("kernel_analysis", False)
if kernel_analysis != False:
kernel_analysis = True
p = Process()
if not p.execute(path=path, args=args, suspended=suspended, kernel_analysis=kernel_analysis):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
if free:
return None
if not kernel_analysis:
p.inject(dll, interest)
p.resume()
p.close()
return p.pid
def start(self, path):
free = self.options.get("free", False)
args = self.options.get("arguments", None)
dll = self.options.get("dll", None)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, "
"analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
p.close()
return p.pid
else:
return None
def start(self, path):
browser = self.get_path()
if not browser:
raise CuckooPackageError("Unable to find any browser "
"executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
class_name = self.options.get("class", None)
suspended = True
if free:
suspended = False
html_path = self.make_html(path, class_name)
p = Process()
if not p.execute(path=browser, args="\"%s\"" % html_path, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Internet "
"Explorer process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE", args=arg, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe", args=arg, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe", args=arg, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
p = Process()
dll = self.options.get("dll")
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject(dll)
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\WINDOWS\\system32\\cmd.exe", args=arg, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
p = Process()
free = self.options.get("free")
dll = self.options.get("dll")
p.execute(path="bin/flashplayer.exe", args=path, suspended=True)
p.inject(dll, path)
p.resume()
if free:
return None
return p.pid
def start(self, path):
p = Process()
execsc = "extra/execsc.exe"
p.execute(path=execsc, args=path, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe",
args=arg,
suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(
path="C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE",
args=arg,
suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
p.execute(
path="C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe",
args=arg,
suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
self.procmon = Process()
p = Process()
self.procmon.execute(path = "C:\\Procmon\Procmon.exe", args = "/Quiet /backingfile C:\\procmon", suspended = False)
self.procmon.execute(path = "C:\\Procmon\Procmon.exe", args = "/WaitForIdle", suspended = False)
if "arguments" in self.options:
p.execute(path = path, args = self.options["arguments"], suspended = True)
else:
p.execute(path = path, suspended = True)
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
self.procmon = Process()
p = Process()
self.procmon.execute(path="C:\\Procmon\Procmon.exe", args="/Quiet /backingfile C:\\procmon", suspended=False)
self.procmon.execute(path="C:\\Procmon\Procmon.exe", args="/WaitForIdle", suspended=False)
if "arguments" in self.options:
p.execute(path=path, args=self.options["arguments"], suspended=True)
else:
p.execute(path=path, suspended=True)
p.resume()
return p.pid
def start(self, path):
self.procmon = Process()
p = Process()
self.procmon.execute(path="C:\\Procmon\\Procmon.exe", args="/Quiet /backingfile C:\\procmon", suspended=False)
self.procmon.execute(path="C:\\Procmon\\Procmon.exe", args="/WaitForIdle", suspended=False)
url = self.options["url"]
url = url + "=" * (-len(url) % 4)
url = base64.b64decode(url)
p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe", args=url, suspended=True)
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
# p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe", args=arg, suspended=True)
url = self.options["url"]
url = url + "=" * (-len(url)%4)
url = base64.b64decode(url)
p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe", args=url, suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
self.procmon = Process()
p = Process()
self.procmon.execute(path = "C:\\Procmon\\Procmon.exe", args = "/Quiet /backingfile C:\\procmon", suspended = False)
self.procmon.execute(path = "C:\\Procmon\\Procmon.exe", args = "/WaitForIdle", suspended = False)
url = self.options["url"]
url = url + "=" * (-len(url)%4)
url = base64.b64decode(url)
p.execute(path = "C:\\Program Files\\Internet Explorer\\iexplore.exe", args=url, suspended = True)
p.resume()
return p.pid
def start(self, path):
root = os.environ["TEMP"]
password = self.options.get("password", None)
default_file_name = "sample.exe"
with ZipFile(path, "r") as archive:
zipinfos = archive.infolist()
try:
archive.extractall(path=root, pwd=password)
except BadZipfile as e:
raise CuckooPackageError("Invalid Zip file")
except RuntimeError:
try:
password = self.options.get("password", "infected")
archive.extractall(path=root, pwd=password)
except RuntimeError as e:
raise CuckooPackageError("Unable to extract Zip file: "
"{0}".format(e))
file_name = self.options.get("file", default_file_name)
if file_name == default_file_name:
#no name provided try to find a better name
if len(zipinfos) > 0:
#take the first one
file_name = zipinfos[0].filename
file_path = os.path.join(root, file_name)
dll = self.options.get("dll", None)
free = self.options.get("free", False)
args = self.options.get("arguments", None)
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=file_path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, "
"analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
root = os.environ["TEMP"]
password = self.options.get("password", None)
default_file_name = "sample.exe"
with ZipFile(path, "r") as archive:
zipinfos = archive.infolist()
try:
archive.extractall(path=root, pwd=password)
except BadZipfile as e:
raise CuckooPackageError("Invalid Zip file")
except RuntimeError:
try:
password = self.options.get("password", "infected")
archive.extractall(path=root, pwd=password)
except RuntimeError as e:
raise CuckooPackageError("Unable to extract Zip file: " "{0}".format(e))
file_name = self.options.get("file", default_file_name)
if file_name == default_file_name:
# no name provided try to find a better name
if len(zipinfos) > 0:
# take the first one
file_name = zipinfos[0].filename
file_path = os.path.join(root, file_name)
dll = self.options.get("dll", None)
free = self.options.get("free", False)
args = self.options.get("arguments", None)
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=file_path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, " "analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
p = Process()
dll = self.options.get("dll")
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject(dll)
p.resume()
return p.pid
def start(self, path):
gw = self.options.get("setgw",None)
u = Utils()
if gw:
u.set_default_gw(gw)
p = Process()
dll = self.options.get("dll")
p.execute(path="bin/execsc.exe", args=path, suspended=True)
p.inject(dll)
p.resume()
return p.pid
def start(self, path):
arg = "\"%s\"" % path
p = Process()
# p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe", args=arg, suspended=True)
url = self.options["url"]
url = url + "=" * (-len(url) % 4)
url = base64.b64decode(url)
p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe",
args=url,
suspended=True)
p.inject()
p.resume()
return p.pid
def start(self, path):
p = Process()
if "arguments" in self.options:
p.execute(path=path, args=self.options["arguments"], suspended=True)
else:
p.execute(path=path, suspended=True)
if self.options.get("free", "no") != "yes":
p.inject()
p.resume()
return p.pid
def start(self, url):
free = self.options.get("free", False)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=os.path.join(os.getenv("ProgramFiles"), "Internet Explorer", "iexplore.exe"), args="\"%s\"" % url, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Internet Explorer process, analysis aborted")
if not free and suspended:
p.inject()
p.resume()
return p.pid
else:
return None
def start(self, path):
p = Process()
rundll32 = "C:\\WINDOWS\\system32\\rundll32.exe"
if "function" in self.options:
p.execute(path=rundll32, args="%s,%s" % (path, self.options["function"]), suspended=True)
else:
p.execute(path=rundll32, args="%s,DllMain" % path, suspended=True)
if self.options.get("free", "no") != "yes":
p.inject()
p.resume()
return p.pid
def execute(self, path, args, interest):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param interest: file of interest, passed to the cuckoomon config
@return: process pid
"""
dll = self.options.get("dll")
dll_64 = self.options.get("dll_64")
free = self.options.get("free")
gw = self.options.get("setgw", None)
u = Utils()
if gw:
u.set_default_gw(gw)
suspended = True
if free:
suspended = False
kernel_analysis = self.options.get("kernel_analysis", False)
if kernel_analysis != False:
kernel_analysis = True
p = Process(options=self.options, config=self.config)
if not p.execute(path=path,
args=args,
suspended=suspended,
kernel_analysis=kernel_analysis):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
if free:
return None
is_64bit = p.is_64bit()
if not kernel_analysis:
if is_64bit:
p.inject(dll_64, INJECT_QUEUEUSERAPC, interest)
else:
p.inject(dll, INJECT_QUEUEUSERAPC, interest)
p.resume()
p.close()
return p.pid
def start(self, path):
free = self.options.get("free", False)
args = self.options.get("arguments", None)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, analysis aborted")
if not free and suspended:
p.inject()
p.resume()
return p.pid
else:
return None
def execute(self, path, args):
dll = self.options.get("dll")
free = self.options.get("free")
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
if not free and suspended:
p.inject(dll)
p.resume()
p.close()
return p.pid
def start(self, path):
free = self.options.get("free", False)
dll = self.options.get("dll", None)
suspended = True
if free:
suspended = False
if os.getenv("ProgramFiles(x86)"):
iex86 = os.path.join(os.getenv("ProgramFiles(x86)"),
"Internet Explorer", "iexplore.exe")
else:
iex86 = os.path.join(os.getenv("ProgramFiles"),
"Internet Explorer", "iexplore.exe")
ie32 = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer",
"iexplore.exe")
if os.path.exists(iex86):
iexplore = iex86
else:
iexplore = ie32
# Travelling inside malware universe you should bring a towel with you.
# If a file detected as HTML is submitted without a proper extension,
# or without an extension at all (are you used to name samples with hash?),
# IE is going to open it as a text file, so you precious sample will not
# be executed.
# We help you sample to execute renaming it with a proper extension.
if not path.endswith(".html") or not path.endswith(".htm"):
shutil.copy(path, path + ".html")
path = path + ".html"
log.info("Submitted file is missing extension, adding .html")
p = Process()
if not p.execute(
path=iexplore, args="\"%s\"" % path, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Internet "
"Explorer process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
p = Process()
pin = os.path.join("bin", "pin.exe")
dll = os.path.join("bin", "malwpin.dll")
if "share_letter" in self.options:
root = self.options['share_letter']
else:
root = "E:\\" #PATHS["root"]
out = os.path.join(root, "malwpin.xml")
pinlog = os.path.join(root, "pin.log")
stack_dir = os.path.join(root, "memory") + os.sep
pin_arg = ""
if "adr-start" in self.options:
pin_arg += " -adr-start %s " % self.options['adr-start']
if "adr-stop" in self.options:
pin_arg += " -adr-stop %s " % self.options['adr-stop']
if "n" in self.options:
pin_arg += " -n %s " % self.options['n']
argv = "-t %s -o %s -s %s -logfile %s %s -- %s" % (
dll, out, stack_dir, pinlog, pin_arg, path)
#argv = "-t %s -o %s -s %s -logfile %s -follow_execv -- %s" % (dll, out, stack_dir, pinlog, path)
if "arguments" in self.options:
argv += " " + self.options["arguments"]
p.execute(path=pin, args=argv, suspended=True)
#inject = True
#if "free" in self.options:
#if self.options["free"] == "yes":
#inject = False
#if inject:
#p.inject()
p.resume()
return p.pid
def start(self, path):
p = Process()
if "arguments" in self.options:
p.execute(path=path,
args=self.options["arguments"],
suspended=True)
else:
p.execute(path=path, suspended=True)
inject = True
if "free" in self.options:
if self.options["free"] == "yes":
inject = False
if inject:
p.inject()
p.resume()
return p.pid
def start(self, path):
free = self.options.get("free", False)
arguments = self.options.get("arguments", "")
dll = self.options.get("dll")
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path="C:\\Python27\\python.exe",
args="%s %s" % (path, arguments),
suspended=suspended):
raise CuckooPackageError("Unable to execute python, "
"analysis aborted.")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def execute(self, path, args):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@return: process pid
"""
dll = self.options.get("dll")
free = self.options.get("free")
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=path, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute the initial process, "
"analysis aborted.")
if not free and suspended:
p.inject(dll)
p.resume()
p.close()
return p.pid
def start(self, path):
free = self.options.get("free", False)
function = self.options.get("function", "DllMain")
arguments = self.options.get("arguments", None)
suspended = True
if free:
suspended = False
args = "{0},{1}".format(path, function)
if arguments:
args += " {0}".format(arguments)
p = Process()
if not p.execute(path="C:\\WINDOWS\\system32\\rundll32.exe", args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute rundll32, analysis aborted")
if not free and suspended:
p.inject()
p.resume()
return p.pid
else:
return None
def start(self, path):
free = self.options.get("free", False)
dll = self.options.get("dll", None)
suspended = True
if free:
suspended = False
cmd_path = os.path.join(os.getenv("SystemRoot"), "system32", "cmd.exe")
cmd_args = "/c start \"{0}\"".format(path)
p = Process()
if not p.execute(path=cmd_path, args=cmd_args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial process, "
"analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
p.close()
return p.pid
else:
return None
def start(self, url):
free = self.options.get("free", False)
dll = self.options.get("dll", None)
suspended = True
if free:
suspended = False
iexplore = os.path.join(os.getenv("ProgramFiles"), "Internet Explorer",
"iexplore.exe")
p = Process()
if not p.execute(
path=iexplore, args="\"%s\"" % url, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Internet "
"Explorer process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def debug(self, path, args, interest):
"""Starts an executable for analysis.
@param path: executable path
@param args: executable arguments
@param interest: file of interest, passed to the cuckoomon config
@return: process pid
"""
suspended = True
p = Process(options=self.options, config=self.config)
if not p.execute(
path=path, args=args, suspended=suspended,
kernel_analysis=False):
raise CuckooPackageError(
"Unable to execute the initial process, analysis aborted")
p.debug_inject(interest, childprocess=False)
p.resume()
p.close()
return p.pid
def start(self, path):
wscript = self.get_path()
if not wscript:
raise CuckooPackageError("Unable to find any WScript "
"executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=wscript, args="\"{0}\"".format(path), suspended=suspended):
raise CuckooPackageError("Unable to execute initial WScript "
"process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
powershell = self.get_path()
if not powershell:
raise CuckooPackageError("Unable to find any PowerShell executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
suspended = True
if free:
suspended = False
args = "-NoProfile -ExecutionPolicy unrestricted -File \"{0}\"".format(path)
p = Process()
if not p.execute(path=powershell, args=args, suspended=suspended):
raise CuckooPackageError("Unable to execute initial PowerShell process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
word = self.get_path()
if not word:
raise CuckooPackageError("Unable to find any Microsoft "
"Office Word executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=word, args="\"%s\"" % path, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Microsoft "
"Office Word process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
p = Process()
rundll32 = "C:\\WINDOWS\\system32\\rundll32.exe"
if "function" in self.options:
p.execute(path=rundll32,
args="%s,%s" % (path, self.options["function"]),
suspended=True)
else:
p.execute(path=rundll32, args="%s,DllMain" % path, suspended=True)
inject = True
if "free" in self.options:
if self.options["free"] == "yes":
inject = False
if inject:
p.inject()
p.resume()
return p.pid
def start(self, path):
reader = self.get_path()
if not reader:
raise CuckooPackageError("Unable to find any Adobe Reader "
"executable available")
dll = self.options.get("dll", None)
free = self.options.get("free", False)
suspended = True
if free:
suspended = False
p = Process()
if not p.execute(path=reader, args="\"%s\"" % path, suspended=suspended):
raise CuckooPackageError("Unable to execute initial Adobe Reader "
"process, analysis aborted")
if not free and suspended:
p.inject(dll)
p.resume()
return p.pid
else:
return None
def start(self, path):
pin = "C:\\pin\\pin.exe"
pindll = os.path.join(os.getcwd(), "dll", "PinVMShield.dll")
if not pindll:
raise CuckooPackageError("Unable to find any DBA available")
free = self.options.get("free", False)
args = self.options.get("arguments", None)
dbi = self.options.get("dbi", None)
if dbi == "true":
isdbi = True
else:
isdbi = False
suspended = True
if free:
suspended = False
p = Process()
if not isdbi:
if not p.execute(path=path, args=args, suspended=suspended):
raise CuckooPackageError(
"Unable to execute initial process, analysis aborted")
else:
if not p.execute(path=pin,
args="-t \"%s\" -- \"%s\" %s" %
(pindll, path, args),
suspended=suspended):
raise CuckooPackageError(
"Unable to execute initial process, analysis aborted")
if not free and suspended:
p.inject()
p.resume()
p.close()
return p.pid
else:
return None
