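    def patch_acpi(self):
        """Scrub VirtualBox vendor strings from the cached ACPI/SMBIOS blobs.

        Rewrites the ``AcpiData`` and ``SMBiosData`` binary values that the
        ``mssmbios`` service exposes under both ``CurrentControlSet`` and
        ``ControlSet001``, substituting Lenovo-looking strings for the
        VirtualBox/innotek ones, and renames the ``VBOX__`` ACPI table keys
        under ``HARDWARE\\ACPI`` to ``LENOVO``.  Values that contain none
        of the markers are left untouched (no redundant write).

        NOTE(review): two substitutions ("VirtualBox" -> "LENOVOTP",
        "innotek GmbH" -> "") change the blob length.  ACPI table headers
        carry Length and Checksum fields, so a byte-level replace that
        shifts data leaves those fields stale -- a check that validates the
        tables rather than grepping them for strings can still notice.
        Same-length substitutions are the safe ones; a structure-aware
        rewrite is the proper fix.
        """
        # Ordered pairs so the substitution sequence is deterministic
        # (dict iteration order is not guaranteed on this Python version).
        keywords = [
            ("VBOX", "LNVO"),
            ("vbox", "lnvo"),
            ("VirtualBox", "LENOVOTP"),
            ("innotek GmbH", ""),
        ]

        service_keys = (
            "SYSTEM\\CurrentControlSet\\Services\\mssmbios\\Data",
            "SYSTEM\\ControlSet001\\Services\\mssmbios\\Data",
        )
        value_names = ("AcpiData", "SMBiosData")

        for regkey in service_keys:
            for key in value_names:
                value = query_value(HKEY_LOCAL_MACHINE, regkey, key)
                if value is None:
                    continue

                patched = value
                for needle, replacement in keywords:
                    patched = patched.replace(needle, replacement)

                # Only write back when something actually matched.
                if patched != value:
                    set_regkey(HKEY_LOCAL_MACHINE, regkey, key, REG_BINARY, patched)

        # Check each table key on its own.  The original tested only the
        # DSDT key and then renamed FADT and RSDT without a check of their
        # own, so a VM lacking one of those keys could fail part-way.
        for table in ("DSDT", "FADT", "RSDT"):
            vbox_key = "HARDWARE\\ACPI\\%s\\VBOX__" % table
            if regkey_exists(HKEY_LOCAL_MACHINE, vbox_key):
                rename_regkey(HKEY_LOCAL_MACHINE, vbox_key, "LENOVO")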
    def patch_scsi_identifiers(self):
        """Replace hypervisor-revealing SCSI device identifiers.

        Walks every ``Scsi Port/Bus/Target Id/Logical Unit Id`` combination
        in 0..3 under ``HARDWARE\\DEVICEMAP\\Scsi``.  Where the
        ``Identifier`` value mentions vbox, vmware, qemu or virtual
        (compared lowercased), it is overwritten with a random entry from
        ``HDD_IDENTIFIERS`` or ``CDROM_IDENTIFIERS`` according to the
        device ``Type``; an unrecognised type is logged and disguised with
        a random string of the same length.
        """
        pools = {
            "DiskPeripheral": self.HDD_IDENTIFIERS,
            "CdRomPeripheral": self.CDROM_IDENTIFIERS,
        }
        markers = ("vbox", "vmware", "qemu", "virtual")
        path_fmt = (
            "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port %d\\Scsi Bus %d"
            "\\Target Id %d\\Logical Unit Id %d"
        )

        ids = range(4)
        for coords in itertools.product(ids, ids, ids, ids):
            path = path_fmt % coords
            dev_type = query_value(HKEY_LOCAL_MACHINE, path, "Type")
            ident = query_value(HKEY_LOCAL_MACHINE, path, "Identifier")
            if not dev_type or not ident:
                continue

            ident = ident.lower()
            if not any(marker in ident for marker in markers):
                continue

            if dev_type in pools:
                replacement = random.choice(pools[dev_type])
            else:
                log.warning(
                    "Unknown SCSI type (%s), disguising it with a random string",
                    dev_type)
                replacement = random_string(len(ident))

            set_regkey(HKEY_LOCAL_MACHINE, path, "Identifier", REG_SZ, replacement)
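    def start(self):
        """Launch Sysinternals DbgView so debug output is captured to a log.

        Does nothing unless the ``dbgview`` option is set.  Raises the
        machine-wide ``DebugPrintFilter`` mask to 0xffffffff so every
        DbgPrint component/level reaches the capture (this setting is not
        reverted), then starts ``bin/dbgview.exe`` with the EULA
        pre-accepted and kernel capture enabled, logging to
        ``self.filepath``.

        The Popen handle is kept on ``self.proc`` so a later stop() can
        terminate the capture; the original discarded it.  A launch failure
        is logged instead of propagating out of start().

        NOTE(review): the existence check and the launch use a path relative
        to the current working directory, while the log file is anchored at
        ``self.analyzer.path`` -- presumably the analyzer runs with its own
        directory as cwd; otherwise the check is against the wrong place.
        """
        if not self.options.get("dbgview"):
            return

        dbgview_path = os.path.join("bin", "dbgview.exe")
        if not os.path.exists(dbgview_path):
            log.error("DbgView.exe not found!")
            return

        # Make sure all logging makes it into DbgView.
        set_regkey(_winreg.HKEY_LOCAL_MACHINE, DebugPrintFilter, "",
                   _winreg.REG_DWORD, 0xffffffff)

        self.filepath = os.path.join(self.analyzer.path, "bin", "dbgview.log")

        # Accept the EULA and enable Kernel Capture.
        try:
            self.proc = subprocess.Popen([
                dbgview_path,
                "/accepteula",
                "/t",
                "/k",
                "/l",
                self.filepath,
            ])
        except OSError as e:
            # e.g. execution denied or the file vanished between the
            # existence check and the launch.
            log.error("Failed to start DbgView: %s", e)
            return

        log.info("Successfully started DbgView.")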
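def test_setreg():
    """set_regkey creates a missing key and stores a REG_SZ value readable back.

    The key lives under HKEY_CURRENT_USER at a random path so the test does
    not touch real configuration.  It is removed again in ``finally`` so a
    failing assertion does not leave residue in the test runner's hive (the
    original never cleaned up).
    """
    regkey = random_regkey()
    assert not regkey_exists(_winreg.HKEY_CURRENT_USER, regkey)
    assert query_value(_winreg.HKEY_CURRENT_USER, regkey, "foo") is None

    try:
        set_regkey(_winreg.HKEY_CURRENT_USER, regkey, "foo", _winreg.REG_SZ, "bar")

        assert regkey_exists(_winreg.HKEY_CURRENT_USER, regkey)
        assert query_value(_winreg.HKEY_CURRENT_USER, regkey, "foo") == "bar"
    finally:
        # Best-effort cleanup: only the leaf key is deleted, any intermediate
        # keys set_regkey may have created along a nested path remain.  A
        # failure here (key never created) must not mask the real assertion.
        try:
            _winreg.DeleteKey(_winreg.HKEY_CURRENT_USER, regkey)
        except OSError:
            pass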
    def change_productid(self):
        """Randomizes Windows ProductId.

        Writes a fresh ``NNNNN-NNN-NNNNNNN-NNNNN`` style value to
        ``HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductId``.
        The Windows ProductId is occasionally used by malware to detect
        public setups of Cuckoo, e.g., Malwr.com.

        The group widths (5-3-7-5) follow the layout of a genuine ProductId.
        ``random_integer(n)`` is assumed to yield an n-digit number; if it
        can return fewer digits the result would be visibly malformed.
        """
        widths = (5, 3, 7, 5)
        product_id = "-".join(str(random_integer(w)) for w in widths)

        set_regkey(HKEY_LOCAL_MACHINE,
                   "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
                   "ProductId", REG_SZ, product_id)
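def test_setreg():
    """set_regkey creates a missing key and the stored REG_SZ reads back.

    Uses a random path under HKEY_CURRENT_USER so no real setting is hit,
    and deletes the key afterwards so the test leaves nothing behind even
    when an assertion fails (the original never removed it).
    """
    regkey = random_regkey()
    assert not regkey_exists(_winreg.HKEY_CURRENT_USER, regkey)
    assert query_value(_winreg.HKEY_CURRENT_USER, regkey, "foo") is None

    try:
        set_regkey(
            _winreg.HKEY_CURRENT_USER, regkey,
            "foo", _winreg.REG_SZ, "bar"
        )

        assert regkey_exists(_winreg.HKEY_CURRENT_USER, regkey)
        assert query_value(_winreg.HKEY_CURRENT_USER, regkey, "foo") == "bar"
    finally:
        # Best-effort: deletes only the leaf key; a failure here (e.g. the
        # key was never created) must not hide the real assertion error.
        try:
            _winreg.DeleteKey(_winreg.HKEY_CURRENT_USER, regkey)
        except OSError:
            pass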
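    def patch_processor(self):
        """Hide the QEMU CPU model name stored in the registry.

        For each ``HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\<n>``
        key (n in 0..31) rewrites ``ProcessorNameString`` so it no longer
        names a QEMU virtual CPU.  The exact 2.0.0 string is substituted in
        place as before; any other ``QEMU Virtual CPU ...`` variant, which
        the original left untouched, is replaced wholesale with the same
        generic Intel name.  Values that need no change are not written back.

        NOTE(review): this only changes the registry copy.  Code that issues
        CPUID directly still sees the hypervisor's brand string.
        """
        generic_name = "Intel(R) Core(TM) i7 CPU @3GHz"
        keywords = {
            "QEMU Virtual CPU version 2.0.0": generic_name,
        }
        # Any QEMU version string still reveals the hypervisor.
        qemu_marker = "QEMU Virtual CPU"

        for idx in range(32):
            path = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\%d" % idx
            value = query_value(HKEY_LOCAL_MACHINE, path, "ProcessorNameString")
            if value is None:
                continue

            patched = value
            for needle, replacement in keywords.items():
                patched = patched.replace(needle, replacement)
            if qemu_marker in patched:
                patched = generic_name

            if patched != value:
                set_regkey(HKEY_LOCAL_MACHINE, path,
                           "ProcessorNameString", REG_SZ, patched)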
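 def patch_manufacturer(self):
     """Replace the VM system/BIOS identity in Control\\SystemInformation.

     Picks one random BIOS version, BIOS release date, manufacturer and
     product name from the class pools and writes them under both
     ``CurrentControlSet`` and ``ControlSet001``, as patch_acpi does.  The
     original wrote only ``ControlSet001``; ``CurrentControlSet`` is the
     alias of the active control set, so that alone can miss the live view.
     Each value is drawn once so the two control sets agree.

     NOTE(review): these BIOS fields are drawn independently of the ones
     patch_bios writes to HARDWARE\\DESCRIPTION\\System, so the two
     locations may disagree with each other.
     """
     chosen = (
         ("BIOSVersion", random.choice(self.BIOS_VERSIONS)),
         ("BIOSReleaseDate", random.choice(self.SYSTEM_BIOS_DATES)),
         ("SystemManufacturer", random.choice(self.SYSTEM_MANUFACTURERS)),
         ("SystemProductName", random.choice(self.SYSTEM_PRODUCTNAMES)),
     )
     control_sets = (
         "SYSTEM\\CurrentControlSet\\Control\\SystemInformation",
         "SYSTEM\\ControlSet001\\Control\\SystemInformation",
     )

     for regkey in control_sets:
         for name, value in chosen:
             set_regkey(HKEY_LOCAL_MACHINE, regkey, name, REG_SZ, value)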
 def patch_bios(self):
     """Randomize the BIOS identity under HARDWARE\\DESCRIPTION\\System.

     Writes one random pick from each class pool: system BIOS date and
     version, video BIOS date and version.  The date values are written as
     REG_SZ, the version values as REG_MULTI_SZ.
     """
     system_key = "HARDWARE\\DESCRIPTION\\System"
     fields = (
         ("SystemBiosDate", REG_SZ, self.SYSTEM_BIOS_DATES),
         ("SystemBiosVersion", REG_MULTI_SZ, self.SYSTEM_BIOS_VERSIONS),
         ("VideoBiosDate", REG_SZ, self.VIDEO_BIOS_DATES),
         ("VideoBiosVersion", REG_MULTI_SZ, self.VIDEO_BIOS_VERSIONS),
     )
     for name, reg_type, pool in fields:
         set_regkey(HKEY_LOCAL_MACHINE, system_key, name, reg_type,
                    random.choice(pool))
    def patch_scsi_identifiers(self):
        """Disguise SCSI ``Identifier`` strings that give the hypervisor away.

        Probes Scsi Port / Scsi Bus / Target Id / Logical Unit Id 0..3 (256
        slots) under ``HARDWARE\\DEVICEMAP\\Scsi``.  A slot whose lowercased
        identifier contains "vbox", "vmware", "qemu" or "virtual" is
        rewritten with a random entry from HDD_IDENTIFIERS (DiskPeripheral)
        or CDROM_IDENTIFIERS (CdRomPeripheral); for any other Type a warning
        is logged and a same-length random string is used instead.
        """
        pools = {
            "DiskPeripheral": self.HDD_IDENTIFIERS,
            "CdRomPeripheral": self.CDROM_IDENTIFIERS,
        }
        tells = ("vbox", "vmware", "qemu", "virtual")

        def slot_key(coords):
            return ("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port %d\\Scsi Bus %d"
                    "\\Target Id %d\\Logical Unit Id %d") % coords

        for coords in itertools.product(range(4), repeat=4):
            regkey = slot_key(coords)
            dev_type = query_value(HKEY_LOCAL_MACHINE, regkey, "Type")
            identifier = query_value(HKEY_LOCAL_MACHINE, regkey, "Identifier")
            if not dev_type or not identifier:
                continue

            identifier = identifier.lower()
            if not any(tell in identifier for tell in tells):
                continue

            if dev_type in pools:
                disguise = random.choice(pools[dev_type])
            else:
                log.warning("Unknown SCSI type (%s), disguising it with a random string", dev_type)
                disguise = random_string(len(identifier))

            set_regkey(HKEY_LOCAL_MACHINE, regkey, "Identifier", REG_SZ, disguise)
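    def start(self):
        """Start DbgView to capture kernel and user-mode debug output.

        No-op unless the ``dbgview`` option is enabled.  Sets the
        machine-wide ``DebugPrintFilter`` mask to 0xffffffff (not reverted
        afterwards) so all DbgPrint output reaches the capture, then runs
        ``bin/dbgview.exe`` with the EULA accepted and kernel capture on,
        logging to ``self.filepath``.

        Keeps the Popen handle on ``self.proc`` so the process can be
        stopped later (the original dropped it), and logs rather than
        propagates a launch failure.

        NOTE(review): ``dbgview_path`` is relative to the current working
        directory while the log path uses ``self.analyzer.path``; this is
        presumably fine because the analyzer runs from its own directory.
        """
        if not self.options.get("dbgview"):
            return

        dbgview_path = os.path.join("bin", "dbgview.exe")
        if not os.path.exists(dbgview_path):
            log.error("DbgView.exe not found!")
            return

        # Make sure all logging makes it into DbgView.
        set_regkey(
            _winreg.HKEY_LOCAL_MACHINE, DebugPrintFilter,
            "", _winreg.REG_DWORD, 0xffffffff
        )

        self.filepath = os.path.join(self.analyzer.path, "bin", "dbgview.log")

        # Accept the EULA and enable Kernel Capture.
        try:
            self.proc = subprocess.Popen([
                dbgview_path, "/accepteula", "/t", "/k", "/l", self.filepath,
            ])
        except OSError as e:
            log.error("Failed to start DbgView: %s", e)
            return

        log.info("Successfully started DbgView.")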
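 def patch_hdd_path(self):
     """Replace the first disk's enumeration string with a real-looking one.

     Writes one random entry from ``HDD_PATHS`` to value ``0`` of
     ``Services\\Disk\\Enum`` under both ``CurrentControlSet`` and
     ``ControlSet001``.  The original wrote only ``ControlSet001``, unlike
     patch_acpi which covers both; ``CurrentControlSet`` is the alias of
     the active control set.  The same value goes to both so they agree.
     Only the first enumerated disk (``0``) is touched.
     """
     hdd_path = random.choice(self.HDD_PATHS)
     for control_set in ("CurrentControlSet", "ControlSet001"):
         set_regkey(HKEY_LOCAL_MACHINE,
                    "SYSTEM\\%s\\Services\\Disk\\Enum" % control_set,
                    "0", REG_SZ, hdd_path)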
 def patch_bios(self):
     """Randomize system and video BIOS date/version strings.

     Each of the four values under ``HARDWARE\\DESCRIPTION\\System`` gets
     a random pick from the matching class pool; dates are REG_SZ, the
     version strings REG_MULTI_SZ.
     """
     base = "HARDWARE\\DESCRIPTION\\System"

     def write(name, reg_type, pool):
         set_regkey(HKEY_LOCAL_MACHINE, base, name, reg_type, random.choice(pool))

     write("SystemBiosDate", REG_SZ, self.SYSTEM_BIOS_DATES)
     write("SystemBiosVersion", REG_MULTI_SZ, self.SYSTEM_BIOS_VERSIONS)
     write("VideoBiosDate", REG_SZ, self.VIDEO_BIOS_DATES)
     write("VideoBiosVersion", REG_MULTI_SZ, self.VIDEO_BIOS_VERSIONS)
 def set_regkey(self, key, type_, value):
     """Write *value* under this service's own key in the Services tree.

     Thin wrapper over the module-level set_regkey: the target is always
     ``HKLM\\SYSTEM\\CurrentControlSet\\Services\\<install_name>``, so
     callers only name the value (*key*), its registry type and the data.

     NOTE(review): ``install_name`` is interpolated straight into the path;
     it is presumably an internal, fixed name -- a value containing
     backslashes would address a different key.
     """
     service_key = "SYSTEM\\CurrentControlSet\\Services\\%s" % self.install_name
     set_regkey(_winreg.HKEY_LOCAL_MACHINE, service_key, key, type_, value)
 def set_regkey(self, key, type_, value):
     """Set a registry value on this service's key under HKLM\\SYSTEM.

     Convenience wrapper that fixes the key path to
     ``SYSTEM\\CurrentControlSet\\Services\\<install_name>`` and forwards
     *key* (the value name), *type_* and *value* to the module-level
     set_regkey.

     NOTE(review): ``install_name`` goes into the path unescaped; it is
     presumably a fixed internal name rather than anything user-supplied.
     """
     services_root = "SYSTEM\\CurrentControlSet\\Services\\%s"
     set_regkey(
         _winreg.HKEY_LOCAL_MACHINE,
         services_root % self.install_name,
         key, type_, value
     )