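def start(self, path):
    """Launch the sample through ``cmd.exe /c start`` so the shell picks the handler by extension.

    Options read: ``free`` (run unmonitored, return None), ``dll`` (monitor DLL
    handed to ``Process.inject``), ``setgw`` (default gateway applied through
    ``Utils.set_default_gw`` before launch).

    @param path: path of the sample inside the guest
    @return: pid of the cmd.exe process, or None in free mode
    @raise CuckooPackageError: if cmd.exe could not be started
    """
    free = self.options.get("free", False)
    dll = self.options.get("dll", None)
    gw = self.options.get("setgw", None)
    u = Utils()
    if gw:
        u.set_default_gw(gw)

    # In free mode the process starts unsuspended and is never injected.
    suspended = not free

    cmd_path = os.path.join(os.getenv("SystemRoot"), "system32", "cmd.exe")
    # ``start`` treats its first quoted argument as the console window title,
    # so a lone quoted path only opens an empty console and the sample never
    # runs; an explicit empty title is passed before the path. The path is
    # interpolated into a cmd.exe command line, so cmd metacharacters in the
    # file name ('"', '&', '|') are not escaped here.
    cmd_args = "/c start \"\" \"{0}\"".format(path)

    p = Process()
    if not p.execute(path=cmd_path, args=cmd_args, suspended=suspended):
        raise CuckooPackageError("Unable to execute initial process, "
                                 "analysis aborted")
    if free:
        return None

    p.inject(dll)
    p.resume()
    p.close()
    return p.pid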
def start(self, path):
    """Run shellcode by handing ``path`` to the bundled ``bin/execsc.exe`` loader.

    The loader is started suspended, the monitor DLL named by the ``dll``
    option is injected, and the process is resumed. The result of ``execute``
    is not checked, so a failed launch only surfaces at inject/resume time.

    @param path: path of the shellcode file inside the guest
    @return: pid of the loader process
    """
    monitor_dll = self.options.get("dll")
    loader = Process()
    # execsc.exe is resolved relative to the analyzer's working directory.
    loader.execute(path="bin/execsc.exe", args=path, suspended=True)
    loader.inject(monitor_dll)
    loader.resume()
    return loader.pid
def start(self, path):
    """Load the sample DLL through rundll32 and call one of its exports.

    Options: ``function`` (export to call, default ``DllMain``), ``arguments``
    (appended to the rundll32 command line), ``free`` (run unmonitored, return
    None), ``dll`` (monitor DLL) and ``setgw`` (default gateway set first).

    @param path: path of the DLL inside the guest
    @return: pid of the rundll32 process, or None in free mode
    @raise CuckooPackageError: if rundll32 could not be started
    """
    run_free = self.options.get("free", False)
    export = self.options.get("function", "DllMain")
    extra_args = self.options.get("arguments", None)
    monitor_dll = self.options.get("dll", None)
    gateway = self.options.get("setgw", None)
    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    # rundll32 syntax is "<dll>,<export> [args]". The path is not quoted, so a
    # DLL path containing spaces would be split by rundll32.
    cmdline = "{0},{1}".format(path, export)
    if extra_args:
        cmdline += " {0}".format(extra_args)

    proc = Process()
    # rundll32 is taken from a fixed path rather than resolved via %SystemRoot%.
    if not proc.execute(path="C:\\WINDOWS\\system32\\rundll32.exe",
                        args=cmdline, suspended=not run_free):
        raise CuckooPackageError("Unable to execute rundll32, "
                                 "analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Run the submitted script with the WScript host located by ``get_path``.

    Options: ``dll`` (monitor DLL), ``free`` (run unmonitored, return None),
    ``setgw`` (default gateway set through ``Utils`` before launch).

    @param path: path of the script inside the guest
    @return: pid of the WScript process, or None in free mode
    @raise CuckooPackageError: if no WScript binary is found or it fails to start
    """
    host = self.get_path()
    if not host:
        raise CuckooPackageError("Unable to find any WScript "
                                 "executable available")

    monitor_dll = self.options.get("dll", None)
    run_free = self.options.get("free", False)
    gateway = self.options.get("setgw", None)
    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    proc = Process()
    # Free mode: start unsuspended, never inject.
    if not proc.execute(path=host, args='"{0}"'.format(path),
                        suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial WScript "
                                 "process, analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, url):
    """Open ``url`` in Internet Explorer under the monitor.

    Options: ``free`` (run unmonitored, return None), ``dll`` (monitor DLL),
    ``setgw`` (default gateway set through ``Utils`` before launch).

    @param url: URL handed to iexplore.exe as its only argument
    @return: pid of iexplore.exe, or None in free mode
    @raise CuckooPackageError: if iexplore.exe fails to start
    """
    run_free = self.options.get("free", False)
    monitor_dll = self.options.get("dll", None)
    gateway = self.options.get("setgw", None)
    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    # Resolved from %ProgramFiles%; no existence check, execute() reports failure.
    browser = os.path.join(os.getenv("ProgramFiles"),
                           "Internet Explorer", "iexplore.exe")
    proc = Process()
    if not proc.execute(path=browser, args='"%s"' % url,
                        suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Internet "
                                 "Explorer process, analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Run the submitted script with the PowerShell binary located by ``get_path``.

    The script is started with ``-ExecutionPolicy unrestricted`` on purpose:
    the guest is a sandbox and the sample must run regardless of signing.
    Options: ``dll`` (monitor DLL), ``free`` (run unmonitored, return None),
    ``setgw`` (default gateway set through ``Utils`` before launch).

    @param path: path of the .ps1 script inside the guest
    @return: pid of the PowerShell process, or None in free mode
    @raise CuckooPackageError: if no PowerShell binary is found or it fails to start
    """
    host = self.get_path()
    if not host:
        raise CuckooPackageError("Unable to find any PowerShell executable available")

    monitor_dll = self.options.get("dll", None)
    run_free = self.options.get("free", False)
    gateway = self.options.get("setgw", None)
    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    cmdline = '-NoProfile -ExecutionPolicy unrestricted -File "{0}"'.format(path)
    proc = Process()
    if not proc.execute(path=host, args=cmdline, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial PowerShell process, analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
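def start(self, path):
    """Load a DLL through rundll32, or a Control Panel applet (.cpl) through control.exe.

    Options: ``function`` (rundll32 export, default ``DllMain``; ignored for
    .cpl files), ``arguments`` (appended to the command line), ``free`` (run
    unmonitored, return None).

    @param path: path of the DLL/CPL inside the guest
    @return: pid of the host process, or None in free mode
    @raise CuckooPackageError: if the host process could not be started
    """
    free = self.options.get("free", False)
    function = self.options.get("function", "DllMain")
    arguments = self.options.get("arguments", None)
    suspended = not free

    # Both hosts are taken from fixed paths rather than resolved via
    # %SystemRoot%. Neither command line quotes ``path``, so a path with
    # spaces would be split by the host.
    if path.endswith('.cpl'):
        args = "{0}".format(path)
        exe_path = "C:\\WINDOWS\\system32\\control.exe"
    else:
        args = "{0},{1}".format(path, function)
        exe_path = "C:\\WINDOWS\\system32\\rundll32.exe"
    if arguments:
        args += " {0}".format(arguments)

    # Lazy %-formatting: the message is only built if INFO is enabled.
    log.info("starting DLL with: %s", args)

    p = Process()
    if not p.execute(path=exe_path, args=args, suspended=suspended):
        raise CuckooPackageError("Unable to execute rundll32, analysis aborted")
    if free:
        return None

    p.inject()
    p.resume()
    return p.pid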
def start(self, path):
    """Open ``path`` in Internet Explorer, preferring the 32-bit build.

    Options: ``free`` (run unmonitored, return None), ``dll`` (monitor DLL).

    @param path: path of the file inside the guest
    @return: pid of iexplore.exe, or None in free mode
    @raise CuckooPackageError: if iexplore.exe fails to start
    """
    run_free = self.options.get("free", False)
    monitor_dll = self.options.get("dll", None)

    # First candidate: the x86 Program Files tree (plain Program Files on
    # 32-bit hosts). Second candidate: plain Program Files, used without an
    # existence check when the first is missing.
    pf_x86 = os.getenv("ProgramFiles(x86)") or os.getenv("ProgramFiles")
    preferred = os.path.join(pf_x86, "Internet Explorer", "iexplore.exe")
    fallback = os.path.join(os.getenv("ProgramFiles"),
                            "Internet Explorer", "iexplore.exe")
    browser = preferred if os.path.exists(preferred) else fallback

    proc = Process()
    if not proc.execute(path=browser, args='"%s"' % path,
                        suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Internet "
                                 "Explorer process, analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Run shellcode through the bundled ``bin/execsc.exe`` loader.

    The loader starts suspended, the default monitor is injected and the
    process is resumed. ``execute``'s result is not checked.

    @param path: path of the shellcode file inside the guest
    @return: pid of the loader process
    """
    loader = Process()
    # Relative path: resolved against the analyzer's working directory.
    loader.execute(path="bin/execsc.exe", args=path, suspended=True)
    loader.inject()
    loader.resume()
    return loader.pid
def start(self, path):
    """Open a Control Panel item with the control.exe located by ``get_path``.

    Options: ``dll`` (monitor DLL), ``free`` (run unmonitored, return None),
    ``setgw`` (default gateway set through ``Utils`` before launch).

    @param path: path of the .cpl file inside the guest
    @return: pid of the control.exe process, or None in free mode
    @raise CuckooPackageError: if control.exe is not found or fails to start
    """
    host = self.get_path()
    if not host:
        raise CuckooPackageError("Unable to find any control.exe "
                                 "executable available")

    monitor_dll = self.options.get("dll", None)
    run_free = self.options.get("free", False)
    gateway = self.options.get("setgw", None)
    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    proc = Process()
    if not proc.execute(path=host, args='"%s"' % path,
                        suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Control "
                                 "process, analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Run a Java sample with the JVM located by ``get_path``.

    With the ``class`` option the sample is put on the class path and that
    class is run; otherwise the file is executed as a jar. Other options:
    ``dll`` (monitor DLL), ``free`` (run unmonitored, return None), ``setgw``.

    @param path: path of the jar (or class-path root) inside the guest
    @return: pid of the java process, or None in free mode
    @raise CuckooPackageError: if no JVM is found or it fails to start
    """
    jvm = self.get_path()
    if not jvm:
        raise CuckooPackageError("Unable to find any Java "
                                 "executable available")

    monitor_dll = self.options.get("dll", None)
    run_free = self.options.get("free", False)
    # Despite the option name this is the main class to run, not a class path.
    main_class = self.options.get("class", None)
    gateway = self.options.get("setgw", None)
    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    if main_class:
        cmdline = '-cp "%s" %s' % (path, main_class)
    else:
        cmdline = '-jar "%s"' % path

    proc = Process()
    if not proc.execute(path=jvm, args=cmdline, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Java "
                                 "process, analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Open the sample with the Excel binary located by ``get_path``.

    Options: ``dll`` (monitor DLL), ``free`` (run unmonitored, return None),
    ``setgw`` (default gateway set through ``Utils`` before launch).

    @param path: path of the workbook inside the guest
    @return: pid of EXCEL.EXE, or None in free mode
    @raise CuckooPackageError: if Excel is not found or fails to start
    """
    office = self.get_path()
    if not office:
        raise CuckooPackageError("Unable to find any Microsoft "
                                 "Office Excel executable available")

    monitor_dll = self.options.get("dll", None)
    run_free = self.options.get("free", False)
    gateway = self.options.get("setgw", None)
    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    proc = Process()
    if not proc.execute(path=office, args='"%s"' % path,
                        suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Microsoft "
                                 "Office Excel process, analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Run a Java sample with the JVM located by ``get_path``.

    With the ``class`` option the sample is placed on the class path and that
    class is run; otherwise the file is executed as a jar. ``free`` runs it
    unmonitored and returns None.

    @param path: path of the jar (or class-path root) inside the guest
    @return: pid of the java process, or None in free mode
    @raise CuckooPackageError: if no JVM is found or it fails to start
    """
    jvm = self.get_path()
    if not jvm:
        raise CuckooPackageError("Unable to find any Java executable available")

    run_free = self.options.get("free", False)
    # Despite the option name this is the main class to run, not a class path.
    main_class = self.options.get("class", None)

    if main_class:
        cmdline = '-cp "%s" %s' % (path, main_class)
    else:
        cmdline = '-jar "%s"' % path

    proc = Process()
    if not proc.execute(path=jvm, args=cmdline, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Java process, analysis aborted")
    if run_free:
        return None

    proc.inject()
    proc.resume()
    return proc.pid
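def start(self, path):
    """Extract the submitted Zip archive into %TEMP% and run one member of it.

    Options: ``file`` (member to run, default ``sample.exe``), ``free`` (run
    unmonitored, return None), ``arguments`` (command line for the member).

    @param path: path of the Zip archive inside the guest
    @return: pid of the extracted sample, or None in free mode
    @raise CuckooPackageError: if the archive is invalid, cannot be extracted
        even with the default "infected" password, or the member fails to start
    """
    root = os.environ["TEMP"]

    # ZipFile() is where a corrupt archive raises BadZipfile; it has to be
    # inside the try or the "Invalid Zip file" error is never produced.
    try:
        with ZipFile(path, "r") as archive:
            try:
                archive.extractall(root)
            except RuntimeError:
                # Usually an encrypted member: retry with the customary
                # sandbox password before giving up.
                try:
                    archive.extractall(path=root, pwd="infected")
                except RuntimeError:
                    raise CuckooPackageError("Unable to extract Zip file, unknown password?")
    except BadZipfile:
        raise CuckooPackageError("Invalid Zip file")
    # NOTE: extractall() strips absolute paths and ".." components only on
    # Python >= 2.7.4 / 3.3; older interpreters are exposed to path traversal
    # from a crafted archive.

    file_path = os.path.join(root, self.options.get("file", "sample.exe"))
    free = self.options.get("free", False)
    args = self.options.get("arguments", None)

    p = Process()
    if not p.execute(path=file_path, args=args, suspended=not free):
        raise CuckooPackageError("Unable to execute initial process, analysis aborted")
    if free:
        return None

    p.inject()
    p.resume()
    return p.pid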
def execute(self, path, args, interest):
    """Starts an executable for analysis.

    Options: ``dll`` (monitor DLL), ``free`` (run unmonitored, return None),
    ``kernel_analysis`` (any value other than False enables it; with it on,
    no user-mode DLL is injected).

    @param path: executable path
    @param args: executable arguments
    @param interest: file of interest, passed to the cuckoomon config
    @return: process pid, or None in free mode
    @raise CuckooPackageError: if the process could not be started
    """
    monitor_dll = self.options.get("dll")
    run_free = self.options.get("free")
    # Anything but the literal False (e.g. the string "false") counts as on.
    kernel_mode = self.options.get("kernel_analysis", False) != False

    proc = Process()
    if not proc.execute(path=path, args=args, suspended=not run_free,
                        kernel_analysis=kernel_mode):
        raise CuckooPackageError("Unable to execute the initial process, "
                                 "analysis aborted.")
    if run_free:
        return None

    if not kernel_mode:
        proc.inject(monitor_dll, interest)
    proc.resume()
    proc.close()
    return proc.pid
def start(self, path):
    """Run the sample directly under the monitor.

    Options: ``free`` (run unmonitored, return None), ``arguments`` (command
    line), ``dll`` (monitor DLL), ``setgw`` (default gateway set first).

    @param path: path of the executable inside the guest
    @return: pid of the sample, or None in free mode
    @raise CuckooPackageError: if the sample could not be started
    """
    run_free = self.options.get("free", False)
    cmdline = self.options.get("arguments", None)
    monitor_dll = self.options.get("dll", None)
    gateway = self.options.get("setgw", None)
    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    proc = Process()
    if not proc.execute(path=path, args=cmdline, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial process, "
                                 "analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    proc.close()
    return proc.pid
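def start(self, path):
    """Wrap the sample in an HTML page (via ``make_html``) and open it in the browser found by ``get_path``.

    Options: ``dll`` (monitor DLL), ``free`` (run unmonitored, return None),
    ``class`` (forwarded to ``make_html``, presumably the applet/class name).

    @param path: path of the sample inside the guest
    @return: pid of the browser, or None in free mode
    @raise CuckooPackageError: if no browser is found or it fails to start
    """
    browser = self.get_path()
    if not browser:
        raise CuckooPackageError("Unable to find any browser "
                                 "executable available")

    dll = self.options.get("dll", None)
    free = self.options.get("free", False)
    class_name = self.options.get("class", None)
    suspended = not free

    html_path = self.make_html(path, class_name)

    p = Process()
    # The browser is whatever get_path() returned, so the error no longer
    # claims it was Internet Explorer.
    if not p.execute(path=browser, args="\"%s\"" % html_path,
                     suspended=suspended):
        raise CuckooPackageError("Unable to execute initial browser "
                                 "process, analysis aborted")
    if free:
        return None

    p.inject(dll)
    p.resume()
    return p.pid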
def start(self, path):
    """Open the document in Office 2007 Word at its fixed install path.

    The process is created suspended, the default monitor injected, then
    resumed. The result of ``execute`` is not checked and the Word path is
    hard-coded, so a different Office version or install directory fails
    only at inject/resume time.

    @param path: path of the document inside the guest
    @return: pid of WINWORD.EXE
    """
    word = "C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"
    proc = Process()
    proc.execute(path=word, args='"%s"' % path, suspended=True)
    proc.inject()
    proc.resume()
    return proc.pid
def start(self, path):
    """Open ``path`` in Internet Explorer at its fixed install path.

    The browser is created suspended, the default monitor injected, then
    resumed. ``execute``'s result is not checked.

    @param path: path of the file inside the guest
    @return: pid of iexplore.exe
    """
    browser = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
    proc = Process()
    proc.execute(path=browser, args='"%s"' % path, suspended=True)
    proc.inject()
    proc.resume()
    return proc.pid
def start(self, path):
    """Open the PDF in Adobe Reader 9 at its fixed install path.

    The reader is created suspended, the default monitor injected, then
    resumed. ``execute``'s result is not checked.

    @param path: path of the PDF inside the guest
    @return: pid of AcroRd32.exe
    """
    reader = "C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe"
    proc = Process()
    proc.execute(path=reader, args='"%s"' % path, suspended=True)
    proc.inject()
    proc.resume()
    return proc.pid
def start(self, path):
    """Hand ``path`` to cmd.exe as its only argument, monitored.

    NOTE(review): the path is passed without ``/c`` or ``/k``; confirm that
    cmd.exe actually runs the file in this form rather than ignoring the
    argument. ``execute``'s result is not checked.

    @param path: path of the batch/command file inside the guest
    @return: pid of cmd.exe
    """
    shell = "C:\\WINDOWS\\system32\\cmd.exe"
    proc = Process()
    proc.execute(path=shell, args='"%s"' % path, suspended=True)
    proc.inject()
    proc.resume()
    return proc.pid
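def start(self, path):
    """Play the submitted SWF with the bundled standalone Flash player.

    Options: ``free`` (run unmonitored, return None), ``dll`` (monitor DLL).
    ``path`` is also passed to the monitor as the file of interest.

    @param path: path of the SWF inside the guest
    @return: pid of the player, or None in free mode
    """
    free = self.options.get("free")
    dll = self.options.get("dll")

    p = Process()
    # The launch result is not checked; a failed start surfaces in inject/resume.
    # In free mode the player starts unsuspended and is left alone.
    p.execute(path="bin/flashplayer.exe", args=path, suspended=not free)
    if free:
        # Previously the monitor was injected even in free mode, which is the
        # opposite of what "free" means in the other packages.
        return None

    p.inject(dll, path)
    p.resume()
    return p.pid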
def start(self, path):
    """Run shellcode through the ``extra/execsc.exe`` loader.

    The loader starts suspended, the default monitor is injected and the
    process resumed. ``execute``'s result is not checked.

    @param path: path of the shellcode file inside the guest
    @return: pid of the loader process
    """
    proc = Process()
    # Relative path: resolved against the analyzer's working directory.
    proc.execute(path="extra/execsc.exe", args=path, suspended=True)
    proc.inject()
    proc.resume()
    return proc.pid
def start(self, path):
    """Open the workbook in Office 2007 Excel at its fixed install path.

    The process is created suspended, the default monitor injected, then
    resumed. ``execute``'s result is not checked.

    @param path: path of the workbook inside the guest
    @return: pid of EXCEL.EXE
    """
    excel = "C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE"
    proc = Process()
    proc.execute(path=excel, args='"%s"' % path, suspended=True)
    proc.inject()
    proc.resume()
    return proc.pid
def start(self, path):
    """Open the PDF in Adobe Reader 9 at its fixed install path.

    The reader is created suspended, the default monitor injected, then
    resumed. ``execute``'s result is not checked.

    @param path: path of the PDF inside the guest
    @return: pid of AcroRd32.exe
    """
    reader = "C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe"
    proc = Process()
    proc.execute(path=reader, args='"%s"' % path, suspended=True)
    proc.inject()
    proc.resume()
    return proc.pid
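def start(self, path):
    """Start a Process Monitor capture, then run the sample without DLL injection.

    Procmon is launched with ``/Quiet /backingfile C:\\procmon``; a second
    invocation with ``/WaitForIdle`` is intended to block until the capture
    is ready. The sample is created suspended and resumed; no monitor is
    injected, Procmon does the tracing. Options: ``arguments``.

    @param path: path of the sample inside the guest
    @return: pid of the sample process
    """
    procmon_exe = "C:\\Procmon\\Procmon.exe"

    # Kept on self, presumably so a sibling method (not shown) can stop the
    # capture later. The /WaitForIdle helper gets its own Process object so
    # self.procmon keeps referring to the capture process instead of being
    # overwritten by a second execute() on the same instance.
    self.procmon = Process()
    self.procmon.execute(path=procmon_exe,
                         args="/Quiet /backingfile C:\\procmon",
                         suspended=False)
    Process().execute(path=procmon_exe, args="/WaitForIdle", suspended=False)

    p = Process()
    if "arguments" in self.options:
        p.execute(path=path, args=self.options["arguments"], suspended=True)
    else:
        p.execute(path=path, suspended=True)
    p.resume()
    return p.pid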
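def start(self, path):
    """Start a Process Monitor capture, then run the sample without DLL injection.

    Procmon is launched with ``/Quiet /backingfile C:\\procmon``; a second
    invocation with ``/WaitForIdle`` is intended to block until the capture
    is ready. The sample is created suspended and resumed; no monitor is
    injected, Procmon does the tracing. Options: ``arguments``.

    @param path: path of the sample inside the guest
    @return: pid of the sample process
    """
    procmon_exe = "C:\\Procmon\\Procmon.exe"

    # Kept on self, presumably so a sibling method (not shown) can stop the
    # capture later. The /WaitForIdle helper gets its own Process object so
    # self.procmon keeps referring to the capture process instead of being
    # overwritten by a second execute() on the same instance.
    self.procmon = Process()
    self.procmon.execute(path=procmon_exe,
                         args="/Quiet /backingfile C:\\procmon",
                         suspended=False)
    Process().execute(path=procmon_exe, args="/WaitForIdle", suspended=False)

    p = Process()
    if "arguments" in self.options:
        p.execute(path=path, args=self.options["arguments"], suspended=True)
    else:
        p.execute(path=path, suspended=True)
    p.resume()
    return p.pid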
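def start(self, path):
    """Start a Process Monitor capture, then open the ``url`` option in Internet Explorer.

    ``path`` is ignored; the target comes from the base64-encoded ``url``
    option (padding is restored before decoding). A malformed value raises
    the decoder's own error. No monitor DLL is injected; Procmon traces.

    @param path: unused
    @return: pid of iexplore.exe
    """
    procmon_exe = "C:\\Procmon\\Procmon.exe"

    # Kept on self, presumably so a sibling method (not shown) can stop the
    # capture later. The /WaitForIdle helper gets its own Process object so
    # self.procmon keeps referring to the capture process instead of being
    # overwritten by a second execute() on the same instance.
    self.procmon = Process()
    self.procmon.execute(path=procmon_exe,
                         args="/Quiet /backingfile C:\\procmon",
                         suspended=False)
    Process().execute(path=procmon_exe, args="/WaitForIdle", suspended=False)

    url = self.options["url"]
    # Restore stripped "=" padding to a multiple of four before decoding.
    url = url + "=" * (-len(url) % 4)
    url = base64.b64decode(url)

    p = Process()
    # The decoded URL is passed unquoted as the whole command line.
    p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe",
              args=url, suspended=True)
    p.resume()
    return p.pid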
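def start(self, path):
    """Open the base64-encoded ``url`` option in Internet Explorer under the monitor.

    ``path`` is ignored; the target comes from the ``url`` option, whose "="
    padding is restored before decoding. A malformed value raises the
    decoder's own error. ``execute``'s result is not checked.

    @param path: unused
    @return: pid of iexplore.exe
    """
    url = self.options["url"]
    # Restore stripped "=" padding to a multiple of four before decoding.
    url = url + "=" * (-len(url) % 4)
    url = base64.b64decode(url)

    p = Process()
    # The decoded URL is passed unquoted as the whole command line.
    p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe",
              args=url, suspended=True)
    p.inject()
    p.resume()
    return p.pid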
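def start(self, path):
    """Start a Process Monitor capture, then open the ``url`` option in Internet Explorer.

    ``path`` is ignored; the target comes from the base64-encoded ``url``
    option (padding is restored before decoding). A malformed value raises
    the decoder's own error. No monitor DLL is injected; Procmon traces.

    @param path: unused
    @return: pid of iexplore.exe
    """
    procmon_exe = "C:\\Procmon\\Procmon.exe"

    # Kept on self, presumably so a sibling method (not shown) can stop the
    # capture later. The /WaitForIdle helper gets its own Process object so
    # self.procmon keeps referring to the capture process instead of being
    # overwritten by a second execute() on the same instance.
    self.procmon = Process()
    self.procmon.execute(path=procmon_exe,
                         args="/Quiet /backingfile C:\\procmon",
                         suspended=False)
    Process().execute(path=procmon_exe, args="/WaitForIdle", suspended=False)

    url = self.options["url"]
    # Restore stripped "=" padding to a multiple of four before decoding.
    url = url + "=" * (-len(url) % 4)
    url = base64.b64decode(url)

    p = Process()
    # The decoded URL is passed unquoted as the whole command line.
    p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe",
              args=url, suspended=True)
    p.resume()
    return p.pid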
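def start(self, path):
    """Extract the submitted Zip archive into %TEMP% and run a file from it.

    Options: ``password`` (archive password; ``infected`` is tried when none
    is given), ``file`` (member to run; at its default ``sample.exe`` the
    first file entry of the archive is used instead), ``arguments``, ``dll``,
    ``free`` (run unmonitored, return None), ``setgw``.

    @param path: path of the Zip archive inside the guest
    @return: pid of the extracted sample, or None in free mode
    @raise CuckooPackageError: if the archive is invalid, cannot be extracted,
        or the extracted file fails to start
    """
    root = os.environ["TEMP"]
    password = self.options.get("password", None)
    default_file_name = "sample.exe"

    # ZipFile() is where a corrupt archive raises BadZipfile; it has to be
    # inside the try or the "Invalid Zip file" error is never produced.
    try:
        with ZipFile(path, "r") as archive:
            zipinfos = archive.infolist()
            try:
                # pwd is passed as str (Python 2); Python 3's zipfile wants bytes.
                archive.extractall(path=root, pwd=password)
            except RuntimeError as e:
                # Wrong or missing password. The customary sandbox password is
                # only worth trying when the submitter gave none; retrying the
                # supplied password a second time (as before) cannot succeed.
                if password is not None:
                    raise CuckooPackageError("Unable to extract Zip file: "
                                             "{0}".format(e))
                try:
                    archive.extractall(path=root, pwd="infected")
                except RuntimeError as err:
                    raise CuckooPackageError("Unable to extract Zip file: "
                                             "{0}".format(err))
    except BadZipfile:
        raise CuckooPackageError("Invalid Zip file")
    # NOTE: extractall() strips absolute paths and ".." components only on
    # Python >= 2.7.4 / 3.3; older interpreters are exposed to path traversal
    # from a crafted archive.

    file_name = self.options.get("file", default_file_name)
    if file_name == default_file_name:
        # No explicit member name: use the first entry that is a file
        # (directory members end with "/"), so we never try to run a folder.
        for info in zipinfos:
            if not info.filename.endswith("/"):
                file_name = info.filename
                break
    file_path = os.path.join(root, file_name)

    dll = self.options.get("dll", None)
    free = self.options.get("free", False)
    args = self.options.get("arguments", None)
    gw = self.options.get("setgw", None)
    u = Utils()
    if gw:
        u.set_default_gw(gw)

    p = Process()
    if not p.execute(path=file_path, args=args, suspended=not free):
        raise CuckooPackageError("Unable to execute initial process, "
                                 "analysis aborted")
    if free:
        return None

    p.inject(dll)
    p.resume()
    return p.pid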
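def start(self, path):
    """Extract the submitted Zip archive into %TEMP% and run a file from it.

    Options: ``password`` (archive password; ``infected`` is tried when none
    is given), ``file`` (member to run; at its default ``sample.exe`` the
    first file entry of the archive is used instead), ``arguments``, ``dll``,
    ``free`` (run unmonitored, return None), ``setgw``.

    @param path: path of the Zip archive inside the guest
    @return: pid of the extracted sample, or None in free mode
    @raise CuckooPackageError: if the archive is invalid, cannot be extracted,
        or the extracted file fails to start
    """
    root = os.environ["TEMP"]
    password = self.options.get("password", None)
    default_file_name = "sample.exe"

    # ZipFile() is where a corrupt archive raises BadZipfile; it has to be
    # inside the try or the "Invalid Zip file" error is never produced.
    try:
        with ZipFile(path, "r") as archive:
            zipinfos = archive.infolist()
            try:
                # pwd is passed as str (Python 2); Python 3's zipfile wants bytes.
                archive.extractall(path=root, pwd=password)
            except RuntimeError as e:
                # Wrong or missing password. The customary sandbox password is
                # only worth trying when the submitter gave none; retrying the
                # supplied password a second time (as before) cannot succeed.
                if password is not None:
                    raise CuckooPackageError("Unable to extract Zip file: "
                                             "{0}".format(e))
                try:
                    archive.extractall(path=root, pwd="infected")
                except RuntimeError as err:
                    raise CuckooPackageError("Unable to extract Zip file: "
                                             "{0}".format(err))
    except BadZipfile:
        raise CuckooPackageError("Invalid Zip file")
    # NOTE: extractall() strips absolute paths and ".." components only on
    # Python >= 2.7.4 / 3.3; older interpreters are exposed to path traversal
    # from a crafted archive.

    file_name = self.options.get("file", default_file_name)
    if file_name == default_file_name:
        # No explicit member name: use the first entry that is a file
        # (directory members end with "/"), so we never try to run a folder.
        for info in zipinfos:
            if not info.filename.endswith("/"):
                file_name = info.filename
                break
    file_path = os.path.join(root, file_name)

    dll = self.options.get("dll", None)
    free = self.options.get("free", False)
    args = self.options.get("arguments", None)
    gw = self.options.get("setgw", None)
    u = Utils()
    if gw:
        u.set_default_gw(gw)

    p = Process()
    if not p.execute(path=file_path, args=args, suspended=not free):
        raise CuckooPackageError("Unable to execute initial process, "
                                 "analysis aborted")
    if free:
        return None

    p.inject(dll)
    p.resume()
    return p.pid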
def start(self, path):
    """Run shellcode through ``bin/execsc.exe`` after optionally setting the gateway.

    Options: ``setgw`` (default gateway applied through ``Utils``), ``dll``
    (monitor DLL). ``execute``'s result is not checked.

    @param path: path of the shellcode file inside the guest
    @return: pid of the loader process
    """
    gateway = self.options.get("setgw", None)
    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    monitor_dll = self.options.get("dll")
    loader = Process()
    # Relative path: resolved against the analyzer's working directory.
    loader.execute(path="bin/execsc.exe", args=path, suspended=True)
    loader.inject(monitor_dll)
    loader.resume()
    return loader.pid
def start(self, path):
    """Run shellcode through ``bin/execsc.exe`` after optionally setting the gateway.

    Options: ``setgw`` (default gateway applied through ``Utils``), ``dll``
    (monitor DLL). ``execute``'s result is not checked.

    @param path: path of the shellcode file inside the guest
    @return: pid of the loader process
    """
    gateway = self.options.get("setgw", None)
    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    monitor_dll = self.options.get("dll")
    loader = Process()
    # Relative path: resolved against the analyzer's working directory.
    loader.execute(path="bin/execsc.exe", args=path, suspended=True)
    loader.inject(monitor_dll)
    loader.resume()
    return loader.pid
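def start(self, path):
    """Open the base64-encoded ``url`` option in Internet Explorer under the monitor.

    ``path`` is ignored; the target comes from the ``url`` option, whose "="
    padding is restored before decoding. A malformed value raises the
    decoder's own error. ``execute``'s result is not checked.

    @param path: unused
    @return: pid of iexplore.exe
    """
    url = self.options["url"]
    # Restore stripped "=" padding to a multiple of four before decoding.
    url = url + "=" * (-len(url) % 4)
    url = base64.b64decode(url)

    p = Process()
    # The decoded URL is passed unquoted as the whole command line.
    p.execute(path="C:\\Program Files\\Internet Explorer\\iexplore.exe",
              args=url, suspended=True)
    p.inject()
    p.resume()
    return p.pid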
def start(self, path):
    """Run the sample directly, injecting the default monitor unless ``free`` is "yes".

    Options: ``arguments`` (command line), ``free`` (string; only the exact
    value "yes" disables injection). ``execute``'s result is not checked, and
    the process is always created suspended and resumed afterwards.

    @param path: path of the executable inside the guest
    @return: pid of the sample
    """
    proc = Process()
    cmdline = self.options.get("arguments")
    if cmdline is None and "arguments" not in self.options:
        proc.execute(path=path, suspended=True)
    else:
        proc.execute(path=path, args=self.options["arguments"], suspended=True)

    monitored = self.options.get("free", "no") != "yes"
    if monitored:
        proc.inject()
    proc.resume()
    return proc.pid
def start(self, url):
    """Open ``url`` in Internet Explorer (resolved from %ProgramFiles%) under the monitor.

    Options: ``free`` (run unmonitored, return None).

    @param url: URL handed to iexplore.exe as its only argument
    @return: pid of iexplore.exe, or None in free mode
    @raise CuckooPackageError: if iexplore.exe fails to start
    """
    run_free = self.options.get("free", False)
    browser = os.path.join(os.getenv("ProgramFiles"),
                           "Internet Explorer", "iexplore.exe")

    proc = Process()
    if not proc.execute(path=browser, args='"%s"' % url,
                        suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Internet Explorer process, analysis aborted")
    if run_free:
        return None

    proc.inject()
    proc.resume()
    return proc.pid
def start(self, path):
    """Load the DLL through rundll32 and call ``function`` (default ``DllMain``).

    The default monitor is injected unless the ``free`` option is exactly
    "yes". rundll32 is taken from a fixed path, the DLL path is not quoted,
    and ``execute``'s result is not checked.

    @param path: path of the DLL inside the guest
    @return: pid of the rundll32 process
    """
    host = "C:\\WINDOWS\\system32\\rundll32.exe"
    export = self.options["function"] if "function" in self.options else "DllMain"

    proc = Process()
    proc.execute(path=host, args="%s,%s" % (path, export), suspended=True)
    if self.options.get("free", "no") != "yes":
        proc.inject()
    proc.resume()
    return proc.pid
def execute(self, path, args, interest):
    """Starts an executable for analysis.

    Options: ``dll`` / ``dll_64`` (monitor DLL for 32- and 64-bit targets),
    ``free`` (run unmonitored, return None), ``setgw`` (default gateway set
    through ``Utils`` first), ``kernel_analysis`` (any value other than False
    enables it; then no user-mode DLL is injected).

    @param path: executable path
    @param args: executable arguments
    @param interest: file of interest, passed to the cuckoomon config
    @return: process pid, or None in free mode
    @raise CuckooPackageError: if the process could not be started
    """
    dll32 = self.options.get("dll")
    dll64 = self.options.get("dll_64")
    run_free = self.options.get("free")
    gateway = self.options.get("setgw", None)
    net = Utils()
    if gateway:
        net.set_default_gw(gateway)

    # Anything but the literal False (e.g. the string "false") counts as on.
    kernel_mode = self.options.get("kernel_analysis", False) != False

    proc = Process(options=self.options, config=self.config)
    if not proc.execute(path=path, args=args, suspended=not run_free,
                        kernel_analysis=kernel_mode):
        raise CuckooPackageError("Unable to execute the initial process, "
                                 "analysis aborted.")
    if run_free:
        return None

    # Bitness is queried after creation so the matching monitor DLL is used.
    if not kernel_mode:
        monitor_dll = dll64 if proc.is_64bit() else dll32
        proc.inject(monitor_dll, INJECT_QUEUEUSERAPC, interest)
    proc.resume()
    proc.close()
    return proc.pid
def start(self, path):
    """Run the sample directly under the default monitor.

    Options: ``free`` (run unmonitored, return None), ``arguments``.

    @param path: path of the executable inside the guest
    @return: pid of the sample, or None in free mode
    @raise CuckooPackageError: if the sample could not be started
    """
    run_free = self.options.get("free", False)
    cmdline = self.options.get("arguments", None)

    proc = Process()
    if not proc.execute(path=path, args=cmdline, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial process, analysis aborted")
    if run_free:
        return None

    proc.inject()
    proc.resume()
    return proc.pid
def execute(self, path, args):
    """Start ``path`` for analysis, inject the monitor and resume it.

    Options: ``dll`` (monitor DLL), ``free`` (run unmonitored, return None).

    @param path: executable path
    @param args: executable arguments
    @return: process pid, or None in free mode
    @raise CuckooPackageError: if the process could not be started
    """
    monitor_dll = self.options.get("dll")
    run_free = self.options.get("free")

    proc = Process()
    if not proc.execute(path=path, args=args, suspended=not run_free):
        raise CuckooPackageError("Unable to execute the initial process, "
                                 "analysis aborted.")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    proc.close()
    return proc.pid
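def start(self, path):
    """Open an HTML sample in Internet Explorer, preferring the 32-bit build.

    Files submitted without an .htm/.html extension (hash-named samples, for
    instance) would be opened by IE as plain text and never execute, so such
    a file is first copied next to itself with an ``.html`` suffix.
    Options: ``free`` (run unmonitored, return None), ``dll`` (monitor DLL).

    @param path: path of the sample inside the guest
    @return: pid of iexplore.exe, or None in free mode
    @raise CuckooPackageError: if iexplore.exe fails to start
    """
    free = self.options.get("free", False)
    dll = self.options.get("dll", None)
    suspended = not free

    # Prefer the x86 Program Files tree (plain Program Files on 32-bit hosts);
    # fall back to plain Program Files without an existence check.
    if os.getenv("ProgramFiles(x86)"):
        iex86 = os.path.join(os.getenv("ProgramFiles(x86)"),
                             "Internet Explorer", "iexplore.exe")
    else:
        iex86 = os.path.join(os.getenv("ProgramFiles"),
                             "Internet Explorer", "iexplore.exe")
    ie32 = os.path.join(os.getenv("ProgramFiles"),
                        "Internet Explorer", "iexplore.exe")
    iexplore = iex86 if os.path.exists(iex86) else ie32

    # The previous test joined the two endswith() checks with "or", which is
    # true for every path (nothing ends with both), so even proper .html
    # files were copied and renamed. Only rename when neither suffix matches.
    if not path.endswith((".html", ".htm")):
        shutil.copy(path, path + ".html")
        path = path + ".html"
        log.info("Submitted file is missing extension, adding .html")

    p = Process()
    if not p.execute(path=iexplore, args="\"%s\"" % path,
                     suspended=suspended):
        raise CuckooPackageError("Unable to execute initial Internet "
                                 "Explorer process, analysis aborted")
    if free:
        return None

    p.inject(dll)
    p.resume()
    return p.pid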
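def start(self, path):
    """Run the sample under Intel Pin with the bundled ``malwpin.dll`` tool.

    Pin writes its XML trace, log and memory dumps to ``share_letter`` (default
    ``E:\\``). No monitor DLL is injected: Pin instruments the process itself.
    Options: ``share_letter``, ``adr-start``, ``adr-stop``, ``n`` (forwarded
    to the Pin tool), ``arguments`` (appended after the sample path).

    @param path: path of the sample inside the guest
    @return: pid of the pin.exe process
    """
    pin = os.path.join("bin", "pin.exe")
    tool = os.path.join("bin", "malwpin.dll")

    root = self.options["share_letter"] if "share_letter" in self.options else "E:\\"
    out = os.path.join(root, "malwpin.xml")
    pinlog = os.path.join(root, "pin.log")
    stack_dir = os.path.join(root, "memory") + os.sep

    # Optional tool switches, each padded with spaces as the tool expects
    # them space-separated.
    pin_arg = ""
    if "adr-start" in self.options:
        pin_arg += " -adr-start %s " % self.options['adr-start']
    if "adr-stop" in self.options:
        pin_arg += " -adr-stop %s " % self.options['adr-stop']
    if "n" in self.options:
        pin_arg += " -n %s " % self.options['n']

    # Neither the tool path nor the sample path is quoted; paths with spaces
    # would be split by pin.exe.
    argv = "-t %s -o %s -s %s -logfile %s %s -- %s" % (
        tool, out, stack_dir, pinlog, pin_arg, path)
    if "arguments" in self.options:
        argv += " " + self.options["arguments"]

    p = Process()
    # execute()'s result is not checked; a failed launch surfaces at resume().
    p.execute(path=pin, args=argv, suspended=True)
    p.resume()
    return p.pid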
def start(self, path):
    """Run the sample directly, injecting the default monitor unless ``free`` is "yes".

    Options: ``arguments`` (command line), ``free`` (string; only the exact
    value "yes" disables injection). ``execute``'s result is not checked and
    the process is always created suspended and resumed afterwards.

    @param path: path of the executable inside the guest
    @return: pid of the sample
    """
    proc = Process()
    if "arguments" not in self.options:
        proc.execute(path=path, suspended=True)
    else:
        proc.execute(path=path, args=self.options["arguments"], suspended=True)

    monitored = self.options.get("free") != "yes"
    if monitored:
        proc.inject()
    proc.resume()
    return proc.pid
def start(self, path):
    """Run the submitted script with a fixed Python 2.7 interpreter.

    Options: ``free`` (run unmonitored, return None), ``arguments`` (appended
    after the script path), ``dll`` (monitor DLL). The script path is not
    quoted, so a path containing spaces would be split by the interpreter.

    @param path: path of the .py script inside the guest
    @return: pid of python.exe, or None in free mode
    @raise CuckooPackageError: if the interpreter fails to start
    """
    run_free = self.options.get("free", False)
    extra_args = self.options.get("arguments", "")
    monitor_dll = self.options.get("dll")

    proc = Process()
    if not proc.execute(path="C:\\Python27\\python.exe",
                        args="%s %s" % (path, extra_args),
                        suspended=not run_free):
        raise CuckooPackageError("Unable to execute python, "
                                 "analysis aborted.")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def execute(self, path, args):
    """Starts an executable for analysis.

    Options: ``dll`` (monitor DLL), ``free`` (run unmonitored, return None).

    @param path: executable path
    @param args: executable arguments
    @return: process pid, or None in free mode
    @raise CuckooPackageError: if the process could not be started
    """
    monitor_dll = self.options.get("dll")
    run_free = self.options.get("free")

    proc = Process()
    if not proc.execute(path=path, args=args, suspended=not run_free):
        raise CuckooPackageError("Unable to execute the initial process, "
                                 "analysis aborted.")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    proc.close()
    return proc.pid
def start(self, path):
    """Load the sample DLL through rundll32 and call one of its exports.

    Options: ``function`` (export, default ``DllMain``), ``arguments``
    (appended to the command line), ``free`` (run unmonitored, return None).
    rundll32 is taken from a fixed path and the DLL path is not quoted.

    @param path: path of the DLL inside the guest
    @return: pid of the rundll32 process, or None in free mode
    @raise CuckooPackageError: if rundll32 could not be started
    """
    run_free = self.options.get("free", False)
    export = self.options.get("function", "DllMain")
    extra_args = self.options.get("arguments", None)

    cmdline = "{0},{1}".format(path, export)
    if extra_args:
        cmdline += " {0}".format(extra_args)

    proc = Process()
    if not proc.execute(path="C:\\WINDOWS\\system32\\rundll32.exe",
                        args=cmdline, suspended=not run_free):
        raise CuckooPackageError("Unable to execute rundll32, analysis aborted")
    if run_free:
        return None

    proc.inject()
    proc.resume()
    return proc.pid
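def start(self, path):
    """Launch the sample through ``cmd.exe /c start`` so the shell picks the handler by extension.

    Options: ``free`` (run unmonitored, return None), ``dll`` (monitor DLL
    handed to ``Process.inject``).

    @param path: path of the sample inside the guest
    @return: pid of the cmd.exe process, or None in free mode
    @raise CuckooPackageError: if cmd.exe could not be started
    """
    free = self.options.get("free", False)
    dll = self.options.get("dll", None)
    # In free mode the process starts unsuspended and is never injected.
    suspended = not free

    cmd_path = os.path.join(os.getenv("SystemRoot"), "system32", "cmd.exe")
    # ``start`` treats its first quoted argument as the console window title,
    # so a lone quoted path only opens an empty console and the sample never
    # runs; an explicit empty title is passed before the path. The path is
    # interpolated into a cmd.exe command line, so cmd metacharacters in the
    # file name ('"', '&', '|') are not escaped here.
    cmd_args = "/c start \"\" \"{0}\"".format(path)

    p = Process()
    if not p.execute(path=cmd_path, args=cmd_args, suspended=suspended):
        raise CuckooPackageError("Unable to execute initial process, "
                                 "analysis aborted")
    if free:
        return None

    p.inject(dll)
    p.resume()
    p.close()
    return p.pid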
def start(self, url):
    """Open ``url`` in Internet Explorer (resolved from %ProgramFiles%) under the monitor.

    Options: ``free`` (run unmonitored, return None), ``dll`` (monitor DLL).

    @param url: URL handed to iexplore.exe as its only argument
    @return: pid of iexplore.exe, or None in free mode
    @raise CuckooPackageError: if iexplore.exe fails to start
    """
    run_free = self.options.get("free", False)
    monitor_dll = self.options.get("dll", None)
    browser = os.path.join(os.getenv("ProgramFiles"),
                           "Internet Explorer", "iexplore.exe")

    proc = Process()
    if not proc.execute(path=browser, args='"%s"' % url,
                        suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Internet "
                                 "Explorer process, analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def debug(self, path, args, interest):
    """Starts an executable for analysis under the debugger-based monitor.

    The process is always created suspended (there is no free mode here) and
    without kernel analysis; ``debug_inject`` attaches the monitor for this
    process only (``childprocess=False``) before it is resumed.

    @param path: executable path
    @param args: executable arguments
    @param interest: file of interest, passed to the cuckoomon config
    @return: process pid
    @raise CuckooPackageError: if the process could not be started
    """
    proc = Process(options=self.options, config=self.config)
    started = proc.execute(path=path, args=args, suspended=True,
                           kernel_analysis=False)
    if not started:
        raise CuckooPackageError(
            "Unable to execute the initial process, analysis aborted")

    proc.debug_inject(interest, childprocess=False)
    proc.resume()
    proc.close()
    return proc.pid
def start(self, path):
    """Run the submitted script with the WScript host located by ``get_path``.

    Options: ``dll`` (monitor DLL), ``free`` (run unmonitored, return None).

    @param path: path of the script inside the guest
    @return: pid of the WScript process, or None in free mode
    @raise CuckooPackageError: if no WScript binary is found or it fails to start
    """
    host = self.get_path()
    if not host:
        raise CuckooPackageError("Unable to find any WScript "
                                 "executable available")

    monitor_dll = self.options.get("dll", None)
    run_free = self.options.get("free", False)

    proc = Process()
    if not proc.execute(path=host, args='"{0}"'.format(path),
                        suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial WScript "
                                 "process, analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Run the submitted script with the PowerShell binary located by ``get_path``.

    ``-ExecutionPolicy unrestricted`` is deliberate: the guest is a sandbox
    and the sample must run regardless of signing. Options: ``dll`` (monitor
    DLL), ``free`` (run unmonitored, return None).

    @param path: path of the .ps1 script inside the guest
    @return: pid of the PowerShell process, or None in free mode
    @raise CuckooPackageError: if no PowerShell binary is found or it fails to start
    """
    host = self.get_path()
    if not host:
        raise CuckooPackageError("Unable to find any PowerShell executable available")

    monitor_dll = self.options.get("dll", None)
    run_free = self.options.get("free", False)
    cmdline = '-NoProfile -ExecutionPolicy unrestricted -File "{0}"'.format(path)

    proc = Process()
    if not proc.execute(path=host, args=cmdline, suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial PowerShell process, analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Open the document with the Word binary located by ``get_path``.

    Options: ``dll`` (monitor DLL), ``free`` (run unmonitored, return None).

    @param path: path of the document inside the guest
    @return: pid of WINWORD.EXE, or None in free mode
    @raise CuckooPackageError: if Word is not found or fails to start
    """
    office = self.get_path()
    if not office:
        raise CuckooPackageError("Unable to find any Microsoft "
                                 "Office Word executable available")

    monitor_dll = self.options.get("dll", None)
    run_free = self.options.get("free", False)

    proc = Process()
    if not proc.execute(path=office, args='"%s"' % path,
                        suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Microsoft "
                                 "Office Word process, analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
def start(self, path):
    """Load the DLL through rundll32 and call ``function`` (default ``DllMain``).

    The default monitor is injected unless the ``free`` option is exactly
    "yes". rundll32 is taken from a fixed path, the DLL path is not quoted,
    and ``execute``'s result is not checked.

    @param path: path of the DLL inside the guest
    @return: pid of the rundll32 process
    """
    host = "C:\\WINDOWS\\system32\\rundll32.exe"
    export = self.options["function"] if "function" in self.options else "DllMain"

    proc = Process()
    proc.execute(path=host, args="%s,%s" % (path, export), suspended=True)

    monitored = self.options.get("free") != "yes"
    if monitored:
        proc.inject()
    proc.resume()
    return proc.pid
def start(self, path):
    """Open the PDF with the Adobe Reader binary located by ``get_path``.

    Options: ``dll`` (monitor DLL), ``free`` (run unmonitored, return None).

    @param path: path of the PDF inside the guest
    @return: pid of the reader, or None in free mode
    @raise CuckooPackageError: if Adobe Reader is not found or fails to start
    """
    viewer = self.get_path()
    if not viewer:
        raise CuckooPackageError("Unable to find any Adobe Reader "
                                 "executable available")

    monitor_dll = self.options.get("dll", None)
    run_free = self.options.get("free", False)

    proc = Process()
    if not proc.execute(path=viewer, args='"%s"' % path,
                        suspended=not run_free):
        raise CuckooPackageError("Unable to execute initial Adobe Reader "
                                 "process, analysis aborted")
    if run_free:
        return None

    proc.inject(monitor_dll)
    proc.resume()
    return proc.pid
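def start(self, path):
    """Run the sample directly, or under Intel Pin with PinVMShield when ``dbi`` is "true".

    Options: ``dbi`` (the string "true" selects the Pin run), ``free`` (run
    unmonitored, return None), ``arguments`` (command line for the sample).
    Pin is taken from a fixed path; its tool DLL is ``dll/PinVMShield.dll``
    under the current working directory.

    @param path: path of the sample inside the guest
    @return: pid of the sample (or of pin.exe), or None in free mode
    @raise CuckooPackageError: if the Pin tool DLL is missing for a DBI run,
        or the initial process could not be started
    """
    pin = "C:\\pin\\pin.exe"
    pindll = os.path.join(os.getcwd(), "dll", "PinVMShield.dll")

    free = self.options.get("free", False)
    args = self.options.get("arguments", None)
    isdbi = self.options.get("dbi", None) == "true"
    suspended = not free

    # The old test was "if not pindll", which can never be true for a joined
    # path; check that the tool actually exists, and only when it is needed.
    if isdbi and not os.path.exists(pindll):
        raise CuckooPackageError("Unable to find any DBA available")

    p = Process()
    if not isdbi:
        if not p.execute(path=path, args=args, suspended=suspended):
            raise CuckooPackageError(
                "Unable to execute initial process, analysis aborted")
    else:
        # "arguments" defaults to None; interpolating it directly used to put
        # a literal "None" on the sample's command line.
        cmdline = "-t \"%s\" -- \"%s\" %s" % (pindll, path, args or "")
        if not p.execute(path=pin, args=cmdline, suspended=suspended):
            raise CuckooPackageError(
                "Unable to execute initial process, analysis aborted")
    if free:
        return None

    p.inject()
    p.resume()
    p.close()
    return p.pid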