Repository: PowerLZY/Bold-Falcon
Branch: master
Commit: dfdd974c2950
Files: 525
Total size: 4.9 MB
Directory structure:
gitextract_a6c_s16r/
├── .codeclimate.yml
├── .gitignore
├── .travis.yml
├── LICENSE.txt
├── README.md
├── __init__.py
├── _config.yml
├── agent/
│ ├── agent.py
│ └── agent.sh
├── analyzer/
│ ├── android/
│ │ ├── __init__.py
│ │ ├── analyzer.py
│ │ ├── config/
│ │ │ └── hooks.json
│ │ ├── lib/
│ │ │ ├── __init__.py
│ │ │ ├── api/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── adb.py
│ │ │ │ └── screenshot.py
│ │ │ ├── common/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── abstracts.py
│ │ │ │ ├── constants.py
│ │ │ │ ├── exceptions.py
│ │ │ │ ├── results.py
│ │ │ │ └── utils.py
│ │ │ └── core/
│ │ │ ├── __init__.py
│ │ │ ├── config.py
│ │ │ ├── packages.py
│ │ │ └── startup.py
│ │ └── modules/
│ │ ├── __init__.py
│ │ ├── auxiliary/
│ │ │ ├── __init__.py
│ │ │ └── screenshots.py
│ │ └── packages/
│ │ ├── __init__.py
│ │ ├── apk.py
│ │ └── default_browser.py
│ ├── darwin/
│ │ ├── __init__.py
│ │ ├── analyzer.py
│ │ ├── lib/
│ │ │ ├── __init__.py
│ │ │ ├── common/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── config.py
│ │ │ │ ├── hashing.py
│ │ │ │ ├── rand.py
│ │ │ │ └── results.py
│ │ │ ├── core/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── constants.py
│ │ │ │ ├── data/
│ │ │ │ │ ├── signatures.yml
│ │ │ │ │ └── types.yml
│ │ │ │ ├── filetimes.py
│ │ │ │ ├── host.py
│ │ │ │ ├── osx.py
│ │ │ │ └── packages.py
│ │ │ └── dtrace/
│ │ │ ├── __init__.py
│ │ │ ├── apicalls.d
│ │ │ ├── apicalls.py
│ │ │ ├── autoprobes.py
│ │ │ ├── common.py
│ │ │ ├── dtruss.py
│ │ │ ├── dtruss.sh
│ │ │ ├── follow_children.d
│ │ │ ├── ipconnections.d
│ │ │ └── ipconnections.py
│ │ └── modules/
│ │ ├── __init__.py
│ │ └── packages/
│ │ ├── __init__.py
│ │ ├── app.py
│ │ ├── bash.py
│ │ ├── macho.py
│ │ └── zip.py
│ ├── linux/
│ │ ├── analyzer.py
│ │ ├── lib/
│ │ │ ├── __init__.py
│ │ │ ├── api/
│ │ │ │ ├── __init__.py
│ │ │ │ └── process.py
│ │ │ ├── common/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── abstracts.py
│ │ │ │ ├── constants.py
│ │ │ │ ├── exceptions.py
│ │ │ │ ├── hashing.py
│ │ │ │ ├── results.py
│ │ │ │ └── utils.py
│ │ │ └── core/
│ │ │ ├── __init__.py
│ │ │ ├── config.py
│ │ │ └── startup.py
│ │ └── modules/
│ │ ├── __init__.py
│ │ ├── auxiliary/
│ │ │ ├── __init__.py
│ │ │ ├── lkm.py
│ │ │ └── stap.py
│ │ └── packages/
│ │ ├── __init__.py
│ │ └── generic.py
│ └── windows/
│ ├── analyzer.py
│ ├── bin/
│ │ ├── procmon.pmc
│ │ ├── rules.yarac
│ │ └── zer0m0n-x64.sys
│ ├── lib/
│ │ ├── __init__.py
│ │ ├── api/
│ │ │ ├── __init__.py
│ │ │ ├── process.py
│ │ │ └── screenshot.py
│ │ ├── common/
│ │ │ ├── __init__.py
│ │ │ ├── abstracts.py
│ │ │ ├── constants.py
│ │ │ ├── decide.py
│ │ │ ├── defines.py
│ │ │ ├── exceptions.py
│ │ │ ├── hashing.py
│ │ │ ├── rand.py
│ │ │ ├── registry.py
│ │ │ └── results.py
│ │ └── core/
│ │ ├── __init__.py
│ │ ├── config.py
│ │ ├── driver.py
│ │ ├── ioctl.py
│ │ ├── packages.py
│ │ ├── pipe.py
│ │ ├── privileges.py
│ │ └── startup.py
│ └── modules/
│ ├── __init__.py
│ ├── auxiliary/
│ │ ├── __init__.py
│ │ ├── dbgview.py
│ │ ├── disguise.py
│ │ ├── dumptls.py
│ │ ├── human.py
│ │ ├── installcert.py
│ │ ├── procmon.py
│ │ ├── reboot.py
│ │ ├── recentfiles.py
│ │ ├── screenshots.py
│ │ └── zer0m0n.py
│ └── packages/
│ ├── __init__.py
│ ├── applet.py
│ ├── bin.py
│ ├── com.py
│ ├── cpl.py
│ ├── dll.py
│ ├── doc.py
│ ├── exe.py
│ ├── ff.py
│ ├── generic.py
│ ├── hta.py
│ ├── hwp.py
│ ├── ie.py
│ ├── jar.py
│ ├── js.py
│ ├── jse.py
│ ├── msi.py
│ ├── pdf.py
│ ├── ppt.py
│ ├── ps1.py
│ ├── pub.py
│ ├── python.py
│ ├── reboot.py
│ ├── vbs.py
│ ├── wsf.py
│ ├── xls.py
│ └── zip.py
├── conf/
│ ├── auxiliary.conf
│ ├── avd.conf
│ ├── cuckoo.conf
│ ├── cuckooml.conf
│ ├── detection.conf
│ ├── esx.conf
│ ├── kvm.conf
│ ├── memory.conf
│ ├── physical.conf
│ ├── processing.conf
│ ├── qemu.conf
│ ├── reporting.conf
│ ├── virtualbox.conf
│ ├── vmware.conf
│ ├── vpn.conf
│ ├── vsphere.conf
│ └── xenserver.conf
├── cuckoo.py
├── data/
│ ├── __init__.py
│ ├── android/
│ │ ├── anti-vm/
│ │ │ ├── fake-build.prop
│ │ │ ├── fake-cpuinfo
│ │ │ └── fake-drivers
│ │ ├── apps/
│ │ │ ├── ImportContacts.apk
│ │ │ ├── Superuser.apk
│ │ │ └── de.robv.android.xposed.installer_v33_36570c.apk
│ │ ├── binaries/
│ │ │ └── su
│ │ ├── create_guest_avd.sh
│ │ └── hooking/
│ │ ├── Droidmon.apk
│ │ └── EmulatorAntiDetect.apk
│ ├── guids.txt
│ ├── html/
│ │ ├── base-report.html
│ │ ├── base-web.html
│ │ ├── browse.html
│ │ ├── error.html
│ │ ├── graphic/
│ │ │ └── logo.html
│ │ ├── js/
│ │ │ └── functions.js
│ │ ├── pagination-menu.html
│ │ ├── pagination-rpp.html
│ │ ├── report.html
│ │ ├── sections/
│ │ │ ├── behavior.html
│ │ │ ├── dropped.html
│ │ │ ├── errors.html
│ │ │ ├── file.html
│ │ │ ├── info.html
│ │ │ ├── network.html
│ │ │ ├── screenshots.html
│ │ │ ├── signatures.html
│ │ │ ├── static.html
│ │ │ ├── url.html
│ │ │ └── volatility.html
│ │ ├── submit.html
│ │ └── success.html
│ ├── mitm.py
│ ├── models/
│ │ ├── MalConv/
│ │ │ ├── malconvtest.py
│ │ │ └── pretrained_malconv.pth
│ │ ├── apistats/
│ │ │ ├── extract_apifeatures.py
│ │ │ └── standard.txt
│ │ └── strings_ngram/
│ │ ├── XGB_model.pkl
│ │ └── raw_train_sample.csv
│ ├── peutils/
│ │ └── UserDB.TXT
│ ├── src/
│ │ └── binpackage/
│ │ ├── Makefile
│ │ └── execsc.c
│ ├── strace.stp
│ ├── test-internet.vbs
│ ├── whitelist/
│ │ └── domain.txt
│ └── yara/
│ ├── binaries/
│ │ ├── embedded.yar
│ │ ├── shellcodes.yar
│ │ └── vmdetect.yar
│ ├── memory/
│ │ ├── .gitignore
│ │ └── index_memory.yar
│ └── urls/
│ └── .gitignore
├── distributed/
│ ├── alembic.ini
│ ├── app.py
│ ├── distributed/
│ │ ├── __init__.py
│ │ ├── api.py
│ │ ├── app.py
│ │ ├── db.py
│ │ ├── exception.py
│ │ └── views/
│ │ ├── __init__.py
│ │ └── api.py
│ ├── instance.py
│ ├── migration/
│ │ ├── env.py
│ │ ├── script.py.mako
│ │ └── versions/
│ │ ├── 151400d38e03_node_status_timestamp_index.py
│ │ ├── 166078eb1311_change_node_id_to_name.py
│ │ ├── 2aa59981b59d_node_task_not_unique.py
│ │ ├── 37c08c9655bb_initial_database.py
│ │ ├── 3cc1509b7fdc_node_status.py
│ │ ├── 3d1d8fd2cdbb_timestamps.py
│ │ ├── 4b86bc0d40aa_node_mode.py
│ │ ├── 4d0a2590e997_node_task_index.py
│ │ └── 69ecf07a99b_finished_to_status.py
│ ├── requirements.txt
│ └── settings.py
├── docs/
│ ├── .debug.yml
│ ├── CNAME
│ ├── Gemfile
│ ├── Makefile
│ ├── README.md
│ ├── _config.yml
│ └── book/
│ ├── DevelopmentDocumentation.md
│ ├── Installation.md
│ ├── Introduction.md
│ ├── README.md
│ ├── Usage.md
│ └── 设计文档.md
├── docs-old/
│ ├── AUTHORS
│ ├── CHANGELOG
│ ├── LICENSE
│ ├── README
│ └── book/
│ └── src/
│ ├── Makefile
│ ├── conf.py
│ ├── customization/
│ │ ├── auxiliary.rst
│ │ ├── index.rst
│ │ ├── machinery.rst
│ │ ├── packages.rst
│ │ ├── processing.rst
│ │ ├── reporting.rst
│ │ └── signatures.rst
│ ├── development/
│ │ ├── code_style.rst
│ │ ├── development_notes.rst
│ │ └── index.rst
│ ├── faq/
│ │ └── index.rst
│ ├── finalremarks/
│ │ └── index.rst
│ ├── index.rst
│ ├── installation/
│ │ ├── guest/
│ │ │ ├── agent.rst
│ │ │ ├── cloning.rst
│ │ │ ├── creation.rst
│ │ │ ├── index.rst
│ │ │ ├── network.rst
│ │ │ ├── requirements.rst
│ │ │ └── saving.rst
│ │ ├── guest_physical/
│ │ │ ├── creation.rst
│ │ │ ├── index.rst
│ │ │ ├── network.rst
│ │ │ ├── requirements.rst
│ │ │ └── saving.rst
│ │ ├── host/
│ │ │ ├── configuration.rst
│ │ │ ├── configuration_android.rst
│ │ │ ├── index.rst
│ │ │ ├── installation.rst
│ │ │ └── requirements.rst
│ │ ├── index.rst
│ │ └── upgrade.rst
│ ├── introduction/
│ │ ├── index.rst
│ │ ├── license.rst
│ │ ├── sandboxing.rst
│ │ └── what.rst
│ └── usage/
│ ├── api.rst
│ ├── clean.rst
│ ├── dist.rst
│ ├── index.rst
│ ├── packages.rst
│ ├── results.rst
│ ├── start.rst
│ ├── submit.rst
│ ├── utilities.rst
│ └── web.rst
├── examples/
│ ├── cuckooml.ipynb
│ ├── cuckooml.py
│ ├── detectiontest.py
│ ├── getjsondata.py
│ ├── instance.py
│ ├── loader.py
│ ├── ml.py
│ └── rundetectiontest.py
├── lib/
│ ├── __init__.py
│ └── cuckoo/
│ ├── __init__.py
│ ├── common/
│ │ ├── __init__.py
│ │ ├── abstracts.py
│ │ ├── colors.py
│ │ ├── compare.py
│ │ ├── config.py
│ │ ├── constants.py
│ │ ├── defines.py
│ │ ├── dns.py
│ │ ├── exceptions.py
│ │ ├── irc.py
│ │ ├── logo.py
│ │ ├── netlog.py
│ │ ├── objects.py
│ │ ├── utils.py
│ │ ├── virustotal.py
│ │ └── whitelist.py
│ └── core/
│ ├── __init__.py
│ ├── database.py
│ ├── guest.py
│ ├── plugins.py
│ ├── resultserver.py
│ ├── rooter.py
│ ├── scheduler.py
│ └── startup.py
├── modules/
│ ├── __init__.py
│ ├── auxiliary/
│ │ ├── __init__.py
│ │ ├── mitm.py
│ │ ├── services.py
│ │ └── sniffer.py
│ ├── detection/
│ │ ├── __init__.py
│ │ ├── apistats.py
│ │ ├── malconv.py
│ │ ├── model.py
│ │ └── strings.py
│ ├── machinery/
│ │ ├── __init__.py
│ │ ├── avd.py
│ │ ├── esx.py
│ │ ├── kvm.py
│ │ ├── physical.py
│ │ ├── qemu.py
│ │ ├── virtualbox.py
│ │ ├── vmware.py
│ │ ├── vsphere.py
│ │ └── xenserver.py
│ ├── processing/
│ │ ├── __init__.py
│ │ ├── analysisinfo.py
│ │ ├── apkinfo.py
│ │ ├── baseline.py
│ │ ├── behavior.py
│ │ ├── buffer.py
│ │ ├── cuckooml.py
│ │ ├── debug.py
│ │ ├── droidmon.py
│ │ ├── dropped.py
│ │ ├── dumptls.py
│ │ ├── googleplay.py
│ │ ├── memory.py
│ │ ├── network.py
│ │ ├── platform/
│ │ │ ├── __init__.py
│ │ │ ├── linux.py
│ │ │ └── windows.py
│ │ ├── procmemory.py
│ │ ├── screenshots.py
│ │ ├── snort.py
│ │ ├── static.py
│ │ ├── strings.py
│ │ ├── suricata.py
│ │ ├── targetinfo.py
│ │ └── virustotal.py
│ └── reporting/
│ ├── __init__.py
│ ├── elasticsearch.py
│ ├── jsondump.py
│ ├── moloch.py
│ ├── mongodb.py
│ └── reporthtml.py
├── oldweb/
│ ├── .gitignore
│ ├── analysis/
│ │ ├── __init__.py
│ │ ├── forms.py
│ │ ├── templatetags/
│ │ │ ├── __init__.py
│ │ │ └── analysis_tags.py
│ │ ├── urls.py
│ │ └── views.py
│ ├── compare/
│ │ ├── __init__.py
│ │ ├── urls.py
│ │ └── views.py
│ ├── dashboard/
│ │ ├── __init__.py
│ │ ├── urls.py
│ │ └── views.py
│ ├── manage.py
│ ├── static/
│ │ ├── css/
│ │ │ ├── lightbox.css
│ │ │ └── style.css
│ │ └── js/
│ │ ├── app.js
│ │ ├── bootstrap-fileupload.js
│ │ ├── hexdump.js
│ │ ├── jquery.js
│ │ └── lightbox.js
│ ├── submission/
│ │ ├── __init__.py
│ │ ├── urls.py
│ │ └── views.py
│ ├── templates/
│ │ ├── analysis/
│ │ │ ├── admin/
│ │ │ │ └── index.html
│ │ │ ├── behavior/
│ │ │ │ ├── _api_call.html
│ │ │ │ ├── _chunk.html
│ │ │ │ ├── _processes.html
│ │ │ │ ├── _search.html
│ │ │ │ ├── _search_results.html
│ │ │ │ ├── _tree.html
│ │ │ │ ├── _tree_process.html
│ │ │ │ └── index.html
│ │ │ ├── buffers/
│ │ │ │ └── index.html
│ │ │ ├── dropped/
│ │ │ │ └── index.html
│ │ │ ├── export.html
│ │ │ ├── import.html
│ │ │ ├── index.html
│ │ │ ├── memory/
│ │ │ │ ├── _apihooks.html
│ │ │ │ ├── _callbacks.html
│ │ │ │ ├── _devicetree.html
│ │ │ │ ├── _gdt.html
│ │ │ │ ├── _idt.html
│ │ │ │ ├── _malfind.html
│ │ │ │ ├── _messagehooks.html
│ │ │ │ ├── _modscan.html
│ │ │ │ ├── _netscan.html
│ │ │ │ ├── _pslist.html
│ │ │ │ ├── _sockscan.html
│ │ │ │ ├── _ssdt.html
│ │ │ │ ├── _svcscan.html
│ │ │ │ ├── _timers.html
│ │ │ │ ├── _yarascan.html
│ │ │ │ └── index.html
│ │ │ ├── network/
│ │ │ │ ├── _dns.html
│ │ │ │ ├── _hosts.html
│ │ │ │ ├── _http.html
│ │ │ │ ├── _icmp.html
│ │ │ │ ├── _irc.html
│ │ │ │ ├── _snort.html
│ │ │ │ ├── _suricata.html
│ │ │ │ ├── _tcp.html
│ │ │ │ ├── _udp.html
│ │ │ │ └── index.html
│ │ │ ├── overview/
│ │ │ │ ├── _file.html
│ │ │ │ ├── _info.html
│ │ │ │ ├── _screenshots.html
│ │ │ │ ├── _signatures.html
│ │ │ │ ├── _summary.html
│ │ │ │ ├── _url.html
│ │ │ │ └── index.html
│ │ │ ├── pending.html
│ │ │ ├── procmemory/
│ │ │ │ └── index.html
│ │ │ ├── report.html
│ │ │ ├── search.html
│ │ │ ├── search_results.html
│ │ │ └── static/
│ │ │ ├── _antivirus.html
│ │ │ ├── _pe32.html
│ │ │ ├── _strings.html
│ │ │ └── index.html
│ │ ├── base.html
│ │ ├── compare/
│ │ │ ├── _info.html
│ │ │ ├── _summary_table.html
│ │ │ ├── both.html
│ │ │ ├── hash.html
│ │ │ └── left.html
│ │ ├── dashboard/
│ │ │ └── index.html
│ │ ├── error.html
│ │ ├── footer.html
│ │ ├── header.html
│ │ ├── standalone_error.html
│ │ ├── submission/
│ │ │ ├── complete.html
│ │ │ ├── index.html
│ │ │ └── status.html
│ │ └── success.html
│ └── web/
│ ├── __init__.py
│ ├── headers.py
│ ├── local_settings.py
│ ├── secret_key.py
│ ├── settings.py
│ ├── urls.py
│ └── wsgi.py
├── requirements.txt
└── utils/
├── api.py
├── community.py
├── darwin/
│ ├── bootstrap_guest.sh
│ └── bootstrap_host.sh
├── db_migration/
│ ├── alembic.ini
│ ├── env.py
│ ├── script.py.mako
│ └── versions/
│ ├── from_0_6_to_1_1.py
│ ├── from_1_1_to_1_2-added_states.py
│ ├── from_1_1_to_1_2-extend_file_type.py
│ ├── from_1_2_to_1_3-add_task_owner.py
│ ├── from_1_2_to_2_0-guest_status.py
│ ├── from_1_2_to_2_0-machine_options.py
│ ├── from_1_2_to_2_0-processing-column.py
│ └── from_1_2_to_2_0-taken-route.py
├── dnsserve.py
├── machine.py
├── process.py
├── process2.py
├── rawdb.py
├── rooter.py
├── service.sh
├── setup.sh
├── smtp_sinkhole.py
├── start-distributed.sh
├── stats.py
├── stop-distributed.sh
├── submit.py
├── suricata.sh
└── vpncheck.py
================================================
FILE CONTENTS
================================================
================================================
FILE: .codeclimate.yml
================================================
languages:
Python: true
exclude_paths:
- "tests/*"
================================================
FILE: .gitignore
================================================
# Ignore Database
db/cuckoo.db
# Ignore logs
log/*.log
# Ignore analyses
storage/*
# Ignore Python byte code
*.pyc
# Ignore certificates
*.pem
*.cert
# Ignore OS generated files
.DS_Store*
.AppleDouble
ehthumbs.db
Icon?
Thumbs.db
# Ignore development files
docs/book/src/_build/
.idea/
.project
.pydevproject
# Ignore Django secret_key
web/web/secret_key.py
# Ignore yara rules
data/yara/index_*.yar
# Ignore venv
venv
# Ignore sample data
sample_data/
# Ignore Jupyter Notebook examples' checkpoints
examples/.ipynb_checkpoints
/data/monitor/
/modules/signatures/
================================================
FILE: .travis.yml
================================================
branches:
only:
- master
language: python
python:
- 2.7
before_install:
- sudo apt-get update -qq
- sudo apt-get install python-dev python-libvirt libffi-dev libssl-dev
- wget http://downloads.sourceforge.net/project/ssdeep/ssdeep-2.12/ssdeep-2.12.tar.gz
- tar -zxvf ssdeep-2.12.tar.gz
- cd ssdeep-2.12
- ./configure && make
- sudo make install
- cd ..
install:
- pip install -r requirements.txt
script:
- python utils/community.py -wafb monitor
- python cuckoo.py --debug --test
#- nosetests
================================================
FILE: LICENSE.txt
================================================
BSD 3-Clause License
Copyright 2021-2024, Zhengyang Li. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
================================================
FILE: README.md
================================================
```shell
____ _ _ _____ _
| __ ) ___ | | __| | | ___|_ _| | ___ ___ _ __
| _ \ / _ \| |/ _` |_____| |_ / _` | |/ __/ _ \| '_ \
| |_) | (_) | | (_| |_____| _| (_| | | (_| (_) | | | |
|____/ \___/|_|\__,_| |_| \__,_|_|\___\___/|_| |_|
```
<img src="resources/test.png" align="right" width="256px" height="176px">
# 毕方智能云沙箱
毕方智能云沙箱(***Bold-Falcon***)是一个开源的自动化恶意软件分析系统。它用于自动运行和分析文件,并收集全面的分析结果,概述恶意软件在独立操作系统中运行时所做的工作。我们的工作是二次开发开源cuckoo沙箱,包括**更新项目结构**,**重写整个前端的用户交互**和**添加基于机器学习的检测模块**,
使恶意软件分析系统可以**思考**。

**`说明文档`** https://powerlzy.github.io/Bold-Falcon/
**`开发文档`** https://boldfalcon.readthedocs.io
#### 下载源码
```shell
$ git clone https://github.com/PowerLZY/Bold-Falcon
```
#### 开源资料
+ [cuckoo](https://github.com/cuckoosandbox/cuckoo) Cuckoo Sandbox is an automated dynamic malware analysis system
+ [cuckoo-modified](https://github.com/spender-sandbox/cuckoo-modified) Modified edition of cuckoo
+ [cuckooDroid](https://github.com/idanr1986/cuckoo-droid) CuckooDroid - Automated Android Malware Analysis with Cuckoo Sandbox.
+ [docker-cuckoo](https://github.com/blacktop/docker-cuckoo) Cuckoo Sandbox Dockerfile
+ [cuckooautoinstall](https://github.com/buguroo/cuckooautoinstall) Auto Installer Script for Cuckoo Sandbox
+ [cuckooML](https://github.com/honeynet/cuckooml) CuckooML: Machine Learning for Cuckoo Sandbox
+ [Panda-Sandbox](https://github.com/PowerLZY/Panda-Sandbox) Cuckoo python3 (Unfinished)
+ [HaboMalHunter](https://github.com/Tencent/HaboMalHunter#readme_cn) HaboMalHunter is a sub-project of Habo Malware Analysis System
+ [cuckoosegg](https://github.com/chrisante/cuckoosegg)
#### 源码分析
+ [cuckoo技术分析全景图](https://cloud.tencent.com/developer/article/1597020)
+ [cuckoo沙箱源码分析上](https://bbs.pediy.com/thread-260038.htm)
+ [cuckoo沙箱源码分析中](https://bbs.pediy.com/thread-260087.htm)
+ [cuckoo沙箱源码分析后](https://bbs.pediy.com/thread-260252.htm)
+ [腾讯哈勃Linux沙箱源码分析上](https://zhuanlan.zhihu.com/p/54756592)
+ [腾讯哈勃Linux沙箱源码分析下](https://zhuanlan.zhihu.com/p/54756845)
### 开源样本
如果你想要获取更多的`恶意样本`请访问查询:
**推荐:**
- [Blue Hexagon Open Dataset for Malware AnalysiS (BODMAS)](https://whyisyoung.github.io/BODMAS/)
- [EMBER](https://github.com/elastic/ember) - Endgame Malware BEnchmark for Research
- [Malware Training Sets: A machine learning dataset for everyone](http://marcoramilli.blogspot.cz/2016/12/malware-training-sets-machine-learning.html) ([data](https://github.com/marcoramilli/MalwareTrainingSets))
- [SoReL-20M](https://github.com/sophos-ai/SOREL-20M) - Sophos-ReversingLabs 20 Million dataset.
- [Virusshare](https://virusshare.com/)
**其他:**
+ [Samples of Security Related Data](http://www.secrepo.com/)
+ [DARPA Intrusion Detection Data Sets](https://www.ll.mit.edu/ideval/data/)
+ [Stratosphere IPS Data Sets](https://stratosphereips.org/category/dataset.html)
+ [Open Data Sets](http://csr.lanl.gov/data/)
+ [Data Capture from National Security Agency](http://www.westpoint.edu/crc/SitePages/DataSets.aspx)
+ [The ADFA Intrusion Detection Data Sets](https://www.unsw.adfa.edu.au/australian-centre-for-cyber-security/cybersecurity/ADFA-IDS-Datasets)
+ [NSL-KDD Data Sets](https://github.com/defcom17/NSL_KDD)
+ [Malicious URLs Data Sets](https://sysnet.ucsd.edu/projects/url)
+ [Multi-Source Cyber-Security Events](http://csr.lanl.gov/data/cyber1/)
+ [Malware Training Sets: A machine learning dataset for everyone](http://marcoramilli.blogspot.cz/2016/12/malware-training-sets-machine-learning.html)
如果你想要获取更多的`良性样本`请在如下等网络自行爬取:
- [portablefreeware](http://www.portablefreeware.com/)
- [onlyfreewares](http://www.onlyfreewares.com/)
- [snapfiles](https://www.snapfiles.com/new/list-whatsnew.html)
- [downloadcrew](https://downloadcrew.com/)
- [chocolatey](https://chocolatey.org/)
#### 项目结构更新
- [x] 整理工程目录打包lib:(common,core),Modules(辅助功能、虚拟机、处理、签名、机器学习模型检测)
- [x] 省略\CWD目录:添加 analyzer、db、examples、Mal_sample、sample_data、storage、log等目录
#### 最近更新
+ 学习内容
- [x] [预训练TF-IDF模型加载优化 100s -> 2s](https://thiagomarzagao.com/2015/12/08/saving-TfidfVectorizer-without-pickles/)
- [ ] Linux沙箱及检测方案
- [ ] ATT&CK Navigator layer for Cuckoo's TTPs.pyattack
- [ ] 添加 《Dynamic Malware Analysis with Feature Engineering and Feature Learning》 动态分析检测模型
- [ ] 添加 MaliciousMacroBot(mmbot)office宏病毒检测方案
+ 设计文档
+ [x] 参考文献记录(设计依据)
+ [x] 国内沙箱深度调研
+ [x] 图标+起名
+ 家族签名模块
- [x] [cuckoo 社区签名库](https://github.com/cuckoosandbox/community)
- [x] [cuckoo的行为签名](https://www.secpulse.com/archives/75180.html)
- [ ] 添加挖矿+使用自定义签名
+ 机器学习模块
- [x] 数据集:kaggle microsoft 10000个软件、挖矿软件 6000个;
- [x] 报告显示内容:模型检测图展示、使用特征展示、预测威胁得分;
- [x] 静态检测引擎:string、malconv;
- [x] 动态检测引擎:API调用序列;
- [x] 定义基类Detection、Instance等;
- [x] 添加Sample——malware,200个json report样本;
- [ ] 添加 《Dynamic Malware Analysis with Feature Engineering and Feature Learning》 动态分析检测模型
+ 后期需求
+ [ ] 环境打包,Docker\shells安装
+ [ ] blog解析文档编写
+ [ ] 虚拟机管理:libvirt+高并发虚拟机
+ [ ] 沙箱内存管理:MemScrimper: Time- and Space-Efficient Storage of *Malware* Sandbox Memory Dumps (2018 DIVMA)
+ [ ] 3.3.5 REST API(Cuckoo docs) wsgi应用程序
#### 常见问题
+ Machine * status gurumeditation
- 找到虚拟机安装目录下VBox.log日志文件
- 在日志文件中找到ProcessID, ```kill -9 ProcessID```
+ python 2/3 joblib.dump() 和 joblib.load()
- 不同python版本的pickle.dump()和pickle.load()是可以相互转换和支持的
- 在python3中,您应该使用较低的协议号来编写pickle数据 ```pickle.dump(your_object, your_file, protocol=2)```
+ Pytorch Cpu 导入 Gpu 训练的模型
- `model.load(model_path, map_location='cpu')`
+ Sphinx-readthedocs 开发文档自动生成
- `sphinx-quickstart`
- `sphinx-apidoc -o ./source ../Bold-Falcon`
- `python -m sphinx -T -E -b html -d _build/doctrees -D language=en . _build/html`
================================================
FILE: __init__.py
================================================
# Top-level package marker. The value does not match the project name
# (Bold-Falcon) — NOTE(review): looks like a leftover from another
# project; confirm whether anything reads it before changing it.
name = "1111ScorecardBundle"
================================================
FILE: _config.yml
================================================
theme: jekyll-theme-cayman
================================================
FILE: agent/agent.py
================================================
# Copyright (C) 2010-2013 Claudio Guarnieri.
# Copyright (C) 2014-2018 Cuckoo Foundation.
# Copyright (C) 2020-2021 PowerLZY.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import ConfigParser
import os
import platform
import random
import socket
import string
import subprocess
import sys
import time
from SimpleXMLRPCServer import SimpleXMLRPCServer
from StringIO import StringIO
from zipfile import BadZipfile, ZipFile
BIND_IP = "0.0.0.0"
BIND_PORT = 8000
STATUS_INIT = 0x0001
STATUS_RUNNING = 0x0002
STATUS_COMPLETED = 0x0003
STATUS_FAILED = 0x0004
class Agent(object):
"""
Bold-Falcon agent, it runs inside guest.
:param system: platform
:param analyzer_path: analyzer path
:param int analyzer_pid: analyzer pid
:param error_message: None
:param current_status: STATUS_INIT = 0x0001,STATUS_RUNNING = 0x0002,STATUS_COMPLETED = 0x0003,STATUS_FAILED = 0x0004
:param analyzer_folder: upload analyzer folder
:param results_folder: results folder
"""
def __init__(self):
self.system = platform.system().lower()
self.analyzer_path = ""
self.analyzer_pid = 0
self.error_message = None
self.current_status = STATUS_INIT
self.analyzer_folder = ""
self.results_folder = ""
def _initialize(self):
'''
initialize agent.py
'''
if not self.analyzer_folder:
random.seed(time.time())
container = "".join(random.choice(string.ascii_lowercase) for x in range(random.randint(5, 10)))
if self.system == "windows":
system_drive = os.environ["SYSTEMDRIVE"] + os.sep
self.analyzer_folder = os.path.join(system_drive, container)
elif self.system == "linux" or self.system == "darwin":
self.analyzer_folder = \
os.path.join(os.environ.get("HOME", os.environ.get("PWD", "/tmp")), container)
else:
self.error_message = "Unable to identify operating system"
return False
try:
os.makedirs(self.analyzer_folder)
except OSError as e:
self.error_message = e
return False
return True
def get_status(self):
"""
Get current status.
:return: status.
"""
return self.current_status
def get_error(self):
"""
Get error message
:return: error message.
"""
return str(self.error_message)
def add_malware(self, data, name):
"""
Get analysis data.
:param data: analysis data.
:param name: file name.
:return: operation status.
"""
data = data.data
if self.system == "windows":
root = os.environ["TEMP"]
elif self.system == "linux" or self.system == "darwin":
root = "/tmp"
else:
self.error_message = \
"Unable to write malware to disk because the operating " \
"system could not be identified."
return False
file_path = os.path.join(root, name)
try:
with open(file_path, "wb") as sample:
sample.write(data)
except IOError as e:
self.error_message = \
"Unable to write sample to disk: {0}".format(e)
return False
return True
def add_config(self, options):
"""
Creates analysis.conf file from current analysis options.
:param options: current configuration options, dict format.
:return: operation status.
"""
if not isinstance(options, dict):
return False
config = ConfigParser.RawConfigParser()
config.add_section("analysis")
try:
for key, value in options.items():
# Options can be UTF encoded.
if isinstance(value, basestring):
try:
value = value.encode("utf-8")
except UnicodeEncodeError:
pass
config.set("analysis", key, value)
config_path = os.path.join(self.analyzer_folder, "analysis.conf")
with open(config_path, "wb") as config_file:
config.write(config_file)
except Exception as e:
self.error_message = e
return False
return True
def add_analyzer(self, data):
"""Add analyzer.
:param data: analyzer data.
:return: operation status.
"""
data = data.data
if not self._initialize():
return False
try:
zip_data = StringIO()
zip_data.write(data)
with ZipFile(zip_data, "r") as archive:
archive.extractall(self.analyzer_folder)
finally:
zip_data.close()
self.analyzer_path = os.path.join(self.analyzer_folder, "analyzer.py")
return True
def execute(self):
"""
Execute analysis.
:return: analyzer PID.
"""
if not self.analyzer_path or not os.path.exists(self.analyzer_path):
return False
try:
proc = subprocess.Popen([sys.executable, self.analyzer_path],
cwd=os.path.dirname(self.analyzer_path))
self.analyzer_pid = proc.pid
except OSError as e:
self.error_message = e
return False
self.current_status = STATUS_RUNNING
return self.analyzer_pid
def complete(self, success=True, error="", results=""):
"""
Complete analysis.
:param success: success status.
:param error: error status.
"""
if success:
self.current_status = STATUS_COMPLETED
else:
self.current_status = STATUS_FAILED
if error:
self.error_message = error
self.results_folder = results
return True
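if __name__ == "__main__":
    # Bound before the try so the KeyboardInterrupt handler never hits a
    # NameError when the interrupt arrives before the server is created.
    server = None
    try:
        if not BIND_IP:
            BIND_IP = socket.gethostbyname(socket.gethostname())

        print("[+] Starting agent on %s:%s ..." % (BIND_IP, BIND_PORT))

        # Disable DNS lookup, by Scott D.
        def FakeGetFQDN(name=""):
            return name

        socket.getfqdn = FakeGetFQDN

        # No authentication is performed on this endpoint: anything that can
        # reach BIND_PORT can drive the Agent methods, so the guest network
        # is expected to be isolated by the host-side setup.
        server = SimpleXMLRPCServer((BIND_IP, BIND_PORT), allow_none=True)
        server.register_instance(Agent())
        server.serve_forever()
    except KeyboardInterrupt:
        if server is not None:
            server.shutdown()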
================================================
FILE: agent/agent.sh
================================================
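#!/bin/bash
# Copyright (C) 2010-2013 Claudio Guarnieri.
# Copyright (C) 2014-2016 Cuckoo Foundation.
# Copyright (C) 2020-2021 PowerLZY.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

# Resolve this script's own directory so agent.py and its log files are
# found next to it regardless of the caller's working directory.
# Variables are quoted so a path containing spaces does not get split.
FILEPATH=$(readlink -f "$0")
FILEPATHDIR=$(dirname "$FILEPATH")

cd /tmp/ || exit 1

# Run the agent in the background; its output is captured beside the script.
python "$FILEPATHDIR/agent.py" >"$FILEPATHDIR/agent.stdout" 2>"$FILEPATHDIR/agent.stderr" &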
================================================
FILE: analyzer/android/__init__.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
================================================
FILE: analyzer/android/analyzer.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
import os
import logging
import pkgutil
import shutil
import sys
import xmlrpclib
import time
from lib.core.packages import choose_package
from lib.common.exceptions import CuckooError, CuckooPackageError
from lib.common.abstracts import Package, Auxiliary
from lib.common.constants import PATHS
from lib.core.config import Config
from lib.core.startup import init_logging
from modules import auxiliary
logging.disable(level=logging.DEBUG)
log = logging.getLogger()
class Analyzer(object):
def __init__(self):
self.config = None
self.target = None
def complete(self):
    """End analysis.

    Only records completion in the log; nothing is written or cleaned up here.
    """
    log.info("Analysis completed")
def get_options(self):
"""Get analysis options.
@return: options dict.
"""
# The analysis package can be provided with some options in the
# following format:
# option1=value1,option2=value2,option3=value3
#
# Here we parse such options and provide a dictionary that will be made
# accessible to the analysis package.
options = {}
if self.config.options:
try:
# Split the options by comma.
fields = self.config.options.strip().split(",")
except ValueError as e:
log.warning("Failed parsing the options: %s", e)
else:
for field in fields:
# Split the name and the value of the option.
try:
key, value = field.strip().split("=")
except ValueError as e:
log.warning("Failed parsing option (%s): %s", field, e)
else:
# If the parsing went good, we add the option to the
# dictionary.
options[key.strip()] = value.strip()
return options
def prepare(self):
    """Set up logging, load analysis.conf and resolve the analysis target."""
    init_logging()

    # The agent generates analysis.conf in the working directory.
    self.config = Config(cfg="analysis.conf")

    # A "file" target is expected at /data/local/tmp/<file_name> and gets
    # the hook configuration copied next to it; any other category is
    # treated as a URL and used verbatim.
    is_file_target = self.config.category == "file"
    if not is_file_target:
        self.target = self.config.target
        return

    self.target = os.path.join("/data/local/tmp", str(self.config.file_name))
    shutil.copyfile("config/hooks.json", "/data/local/tmp/hooks.json")
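def run(self):
    """Run the whole analysis on the device.

    Selects and loads the analysis package, starts every auxiliary module,
    launches the target, waits until the package asks to stop or the
    configured timeout elapses, then tears everything down and reports
    through complete().

    @return: True once the analysis has completed.
    @raise CuckooError: if no package can be selected, imported,
        instantiated or started.
    """
    self.prepare()

    log.info("Starting analyzer from: {0}".format(os.getcwd()))
    log.info("Storing results at: {0}".format(PATHS["root"]))
    log.info("Target is: {0}".format(self.target))

    package_name = "modules.packages.%s" % self._select_package()
    pack = self._load_package(package_name)
    aux_enabled = self._start_auxiliary_modules()

    self._start_package(pack, package_name)
    self._wait_for_completion(pack, package_name)

    try:
        # The package gets a last chance to collect its results before the
        # auxiliary modules are torn down.
        pack.finish()
    except Exception as e:
        log.warning("The package \"%s\" finish function raised an "
                    "exception: %s", package_name, e)

    self._stop_auxiliary_modules(aux_enabled)

    # Let's invoke the completion procedure.
    self.complete()
    return True

def _select_package(self):
    """Return the package name to use, auto-detecting it when none was given.

    @return: package name (e.g. "apk", "default_browser").
    @raise CuckooError: if the file type cannot be mapped to any package.
    """
    if self.config.package:
        return self.config.package

    log.info("No analysis package specified, trying to detect it automagically")
    if self.config.category == "file":
        package = choose_package(self.config.file_type, self.config.file_name)
    else:
        # URL submissions are always handed to the default browser package.
        package = "default_browser"

    if not package:
        raise CuckooError("No valid package available for file type: {0}".format(self.config.file_type))

    log.info("Automatically selected analysis package \"%s\"", package)
    return package

def _load_package(self, package_name):
    """Import *package_name* and instantiate its Package subclass.

    @param package_name: dotted module path (modules.packages.<name>).
    @return: the instantiated analysis package, built with get_options().
    @raise CuckooError: if the module does not exist or no Package subclass
        is registered after importing it.
    """
    try:
        __import__(package_name, globals(), locals(), ["dummy"], -1)
    except ImportError:
        raise CuckooError("Unable to import package \"{0}\", does not exist.".format(package_name))

    Package()
    # NOTE(review): the first registered subclass is taken, which presumes
    # exactly one package module has been imported at this point.
    try:
        package_class = Package.__subclasses__()[0]
    except IndexError as e:
        raise CuckooError("Unable to select package class (package={0}): {1}".format(package_name, e))

    return package_class(self.get_options())

def _start_auxiliary_modules(self):
    """Import every module under modules.auxiliary and start each Auxiliary
    subclass.

    @return: list of the auxiliary instances that started successfully;
        modules that failed to instantiate or start are logged and skipped.
    """
    Auxiliary()
    prefix = auxiliary.__name__ + "."
    for _, name, ispkg in pkgutil.iter_modules(auxiliary.__path__, prefix):
        if ispkg:
            continue
        try:
            __import__(name, globals(), locals(), ["dummy"], -1)
        except ImportError as e:
            log.warning("Unable to import the auxiliary module "
                        "\"%s\": %s", name, e)

    aux_enabled = []
    for module in Auxiliary.__subclasses__():
        # Name the class, not the instance: instantiation itself may be what
        # failed, in which case there is no instance to report on.
        module_name = module.__name__
        try:
            aux = module()
            aux.start()
        except (NotImplementedError, AttributeError):
            log.warning("Auxiliary module %s was not implemented", module_name)
        except Exception as e:
            log.warning("Cannot execute auxiliary module %s: %s", module_name, e)
        else:
            # Only modules that really started are tracked for shutdown.
            log.info("Started auxiliary module %s", module_name)
            aux_enabled.append(aux)
    return aux_enabled

def _start_package(self, pack, package_name):
    """Launch the target through the package.

    @raise CuckooError: for every failure of start(), so the analysis aborts.
    """
    try:
        pack.start(self.target)
    except NotImplementedError:
        raise CuckooError("The package \"{0}\" doesn't contain a run "
                          "function.".format(package_name))
    except CuckooPackageError as e:
        raise CuckooError("The package \"{0}\" start function raised an "
                          "error: {1}".format(package_name, e))
    except Exception as e:
        raise CuckooError("The package \"{0}\" start function encountered "
                          "an unhandled exception: "
                          "{1}".format(package_name, e))

def _wait_for_completion(self, pack, package_name):
    """Poll the package once a second until it asks to stop or the timeout
    from analysis.conf elapses.
    """
    timeout = int(self.config.timeout)
    time_counter = 0
    while True:
        time_counter += 1
        # ">=" rather than "==": a timeout of 0 or less must not loop forever.
        if time_counter >= timeout:
            log.info("Analysis timeout hit, terminating analysis")
            break

        try:
            # check() returning False is the package's way of requesting
            # early termination.
            if not pack.check():
                log.info("The analysis package requested the "
                         "termination of the analysis...")
                break
        except Exception as e:
            # A failing check() is not fatal; the analysis keeps running.
            log.warning("The package \"%s\" check function raised "
                        "an exception: %s", package_name, e)
        finally:
            time.sleep(1)

def _stop_auxiliary_modules(self, aux_enabled):
    """Stop every auxiliary module that was started; failures are logged."""
    for aux in aux_enabled:
        try:
            aux.stop()
        except (NotImplementedError, AttributeError):
            continue
        except Exception as e:
            log.warning("Cannot terminate auxiliary module %s: %s",
                        aux.__class__.__name__, e)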
if __name__ == "__main__":
    success = False
    error = ""

    try:
        # Build the analyzer and let it drive the whole analysis.
        analyzer = Analyzer()
        success = analyzer.run()
    except KeyboardInterrupt:
        # Unlikely on a device, but keep the agent informed anyway.
        error = "Keyboard Interrupt"
    except Exception as e:
        # CuckooError (critical failures) and anything unexpected end up
        # here; the message is what gets reported back through the agent.
        error = str(e)
        if log.handlers:
            log.critical(error)
        else:
            # Logging was never set up, so fall back to stderr.
            sys.stderr.write("{0}\n".format(e))
    finally:
        # Whatever happened, tell the agent the analysis is over so it can
        # report back to the host.
        server = xmlrpclib.Server("http://127.0.0.1:8000")
        server.complete(success, error, PATHS["root"])
================================================
FILE: analyzer/android/config/hooks.json
================================================
{
"hookConfigs": [
{
"class_name": "android.telephony.TelephonyManager",
"method": "getDeviceId",
"thisObject": false,
"type": "fingerprint"
},
{
"class_name": "android.telephony.TelephonyManager",
"method": "getSubscriberId",
"thisObject": false,
"type": "fingerprint"
},
{
"class_name": "android.telephony.TelephonyManager",
"method": "getLine1Number",
"thisObject": false,
"type": "fingerprint"
},
{
"class_name": "android.telephony.TelephonyManager",
"method": "getNetworkOperator",
"thisObject": false,
"type": "fingerprint"
},
{
"class_name": "android.telephony.TelephonyManager",
"method": "getNetworkOperatorName",
"thisObject": false,
"type": "fingerprint"
},
{
"class_name": "android.telephony.TelephonyManager",
"method": "getSimOperatorName",
"thisObject": false,
"type": "fingerprint"
},
{
"class_name": "android.net.wifi.WifiInfo",
"method": "getMacAddress",
"thisObject": false,
"type": "fingerprint"
},
{
"class_name": "android.telephony.TelephonyManager",
"method": "getSimCountryIso",
"thisObject": false,
"type": "fingerprint"
},
{
"class_name": "android.telephony.TelephonyManager",
"method": "getSimSerialNumber",
"thisObject": false,
"type": "fingerprint"
},
{
"class_name": "android.telephony.TelephonyManager",
"method": "getNetworkCountryIso",
"thisObject": false,
"type": "fingerprint"
},
{
"class_name": "android.telephony.TelephonyManager",
"method": "getDeviceSoftwareVersion",
"thisObject": false,
"type": "fingerprint"
},
{
"class_name": "android.os.Debug",
"method": "isDebuggerConnected",
"thisObject": false,
"type": "fingerprint"
},
{
"class_name": "android.app.SharedPreferencesImpl$EditorImpl",
"method": "putString",
"thisObject": false,
"type": "globals"
},
{
"class_name": "android.app.SharedPreferencesImpl$EditorImpl",
"method": "putBoolean",
"thisObject": false,
"type": "globals"
},
{
"class_name": "android.app.SharedPreferencesImpl$EditorImpl",
"method": "putInt",
"thisObject": false,
"type": "globals"
},
{
"class_name": "android.app.SharedPreferencesImpl$EditorImpl",
"method": "putLong",
"thisObject": false,
"type": "globals"
},
{
"class_name": "android.app.SharedPreferencesImpl$EditorImpl",
"method": "putFloat",
"thisObject": false,
"type": "globals"
},
{
"class_name": "android.content.ContentValues",
"method": "put",
"thisObject": false,
"type": "globals"
},
{
"class_name": "java.net.URL",
"method": "openConnection",
"thisObject": true,
"type": "network"
},
{
"class_name": "org.apache.http.impl.client.AbstractHttpClient",
"method": "execute",
"thisObject": false,
"type": "network"
},
{
"class_name": "android.app.ContextImpl",
"method": "registerReceiver",
"thisObject": false,
"type": "binder"
},
{
"class_name": "android.app.ActivityThread",
"method": "handleReceiver",
"thisObject": false,
"type": "binder"
},
{
"class_name": "android.app.Activity",
"method": "startActivity",
"thisObject": false,
"type": "binder"
},
{
"class_name": "dalvik.system.BaseDexClassLoader",
"method": "findResource",
"thisObject": false,
"type": "dex"
},
{
"class_name": "dalvik.system.BaseDexClassLoader",
"method": "findLibrary",
"thisObject": false,
"type": "dex"
},
{
"class_name": "dalvik.system.DexFile",
"method": "loadDex",
"thisObject": false,
"type": "dex"
},
{
"class_name": "dalvik.system.DexClassLoader",
"method": null,
"thisObject": false,
"type": "dex"
},
{
"class_name": "dalvik.system.BaseDexClassLoader",
"method": "findResources",
"thisObject": false,
"type": "dex"
},
{
"class_name": "dalvik.system.DexFile",
"method": "loadClass",
"thisObject": false,
"type": "dex"
},
{
"class_name": "dalvik.system.DexFile",
"method": null,
"thisObject": false,
"type": "dex"
},
{
"class_name": "dalvik.system.PathClassLoader",
"method": null,
"thisObject": false,
"type": "dex"
},
{
"class_name": "java.lang.reflect.Method",
"method": "invoke",
"thisObject": false,
"type": "reflection"
},
{
"class_name": "javax.crypto.spec.SecretKeySpec",
"method": null,
"thisObject": false,
"type": "crypto"
},
{
"class_name": "javax.crypto.Cipher",
"method": "doFinal",
"thisObject": true,
"type": "crypto"
},
{
"class_name": "javax.crypto.Mac",
"method": "doFinal",
"thisObject": false,
"type": "crypto"
},
{
"class_name": "android.app.ApplicationPackageManager",
"method": "setComponentEnabledSetting",
"thisObject": false,
"type": "generic"
},
{
"class_name": "android.app.NotificationManager",
"method": "notify",
"thisObject": false,
"type": "generic"
},
{
"class_name": "android.util.Base64",
"method": "decode",
"thisObject": false,
"type": "generic"
},
{
"class_name": "android.telephony.TelephonyManager",
"method": "listen",
"thisObject": false,
"type": "generic"
},
{
"class_name": "android.util.Base64",
"method": "encode",
"thisObject": false,
"type": "generic"
},
{
"class_name": "android.util.Base64",
"method": "encodeToString",
"thisObject": false,
"type": "generic"
},
{
"class_name": "android.net.ConnectivityManager",
"method": "setMobileDataEnabled",
"thisObject": false,
"type": "generic"
},
{
"class_name": "android.content.BroadcastReceiver",
"method": "abortBroadcast",
"thisObject": false,
"type": "generic"
},
{
"class_name": "android.telephony.SmsManager",
"method": "sendTextMessage",
"thisObject": false,
"type": "sms"
},
{
"class_name": "android.telephony.SmsManager",
"method": "sendMultipartTextMessage",
"thisObject": false,
"type": "sms"
},
{
"class_name": "java.lang.Runtime",
"method": "exec",
"thisObject": false,
"type": "runtime"
},
{
"class_name": "java.lang.ProcessBuilder",
"method": "start",
"thisObject": true,
"type": "runtime"
},
{
"class_name": "java.io.FileOutputStream",
"method": "write",
"thisObject": false,
"type": "runtime"
},
{
"class_name": "java.io.FileInputStream",
"method": "read",
"thisObject": false,
"type": "runtime"
},
{
"class_name": "android.app.ActivityManager",
"method": "killBackgroundProcesses",
"thisObject": false,
"type": "runtime"
},
{
"class_name": "android.os.Process",
"method": "killProcess",
"thisObject": false,
"type": "runtime"
},
{
"class_name": "android.content.ContentResolver",
"method": "query",
"thisObject": false,
"type": "content"
},
{
"class_name": "android.content.ContentResolver",
"method": "registerContentObserver",
"thisObject": false,
"type": "content"
},
{
"class_name": "android.content.ContentResolver",
"method": "insert",
"thisObject": false,
"type": "content"
},
{
"class_name": "android.accounts.AccountManager",
"method": "getAccountsByType",
"thisObject": false,
"type": "content"
},
{
"class_name": "android.accounts.AccountManager",
"method": "getAccounts",
"thisObject": false,
"type": "content"
},
{
"class_name": "android.location.Location",
"method": "getLatitude",
"thisObject": false,
"type": "content"
},
{
"class_name": "android.location.Location",
"method": "getLongitude",
"thisObject": false,
"type": "content"
},
{
"class_name": "android.content.ContentResolver",
"method": "delete",
"thisObject": false,
"type": "content"
},
{
"class_name": "android.media.AudioRecord",
"method": "startRecording",
"thisObject": false,
"type": "content"
},
{
"class_name": "android.media.MediaRecorder",
"method": "start",
"thisObject": false,
"type": "content"
},
{
"class_name": "android.os.SystemProperties",
"method": "get",
"thisObject": false,
"type": "content"
},
{
"class_name": "android.app.ApplicationPackageManager",
"method": "getInstalledPackages",
"thisObject": false,
"type": "content"
},
{
"class_name": "libcore.io.IoBridge",
"method": "open",
"thisObject": false,
"type": "file"
}
],
"trace": false
}
================================================
FILE: analyzer/android/lib/__init__.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
================================================
FILE: analyzer/android/lib/api/__init__.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
================================================
FILE: analyzer/android/lib/api/adb.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
import logging
import os
import subprocess
from lib.common.utils import send_file
# Module-level logger for the adb helpers.
log = logging.getLogger(name=__name__)
def install_sample(path):
    """Install the sample on the emulator via adb"""
    log.info("Installing sample in the device: %s", path)
    # Argument list, not a shell string: the sample path is a discrete argv
    # entry to "pm" and is never parsed by a shell.
    command = ["/system/bin/sh", "/system/bin/pm", "install", path]
    try:
        result = subprocess.check_output(command)
    except subprocess.CalledProcessError as e:
        log.error("Error installing sample: %r", e)
    else:
        log.info("Installed sample: %r", result)
def execute_sample(package, activity):
    """Execute the sample on the emulator via adb"""
    component = "%s/%s" % (package, activity)
    command = [
        "/system/bin/sh", "/system/bin/am", "start",
        "-n", component,
    ]
    try:
        result = subprocess.check_output(command)
    except subprocess.CalledProcessError as e:
        log.error("Error executing package activity: %r", e)
        return
    log.info("Executed package activity: %r", result)
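def dump_droidmon_logs(package):
    """Collect the Xposed/Droidmon log lines for *package* and ship them to
    the host.

    Three files are uploaded: the whole Xposed error log, the lines tagged
    as API-monitor output for the package, and the lines tagged as shell
    errors for it. Nothing is sent when the Xposed log is absent.

    @param package: Android package name of the analysed sample.
    """
    xposed_logs = "/data/data/de.robv.android.xposed.installer/log/error.log"
    if not os.path.exists(xposed_logs):
        log.info("Could not find any Xposed logs, skipping droidmon logs.")
        return

    tag = "Droidmon-apimonitor-%s" % package
    tag_error = "Droidmon-shell-%s" % package

    log_xposed, log_success, log_error = [], [], []
    # Close the log file deterministically instead of relying on the
    # iterator being garbage-collected.
    with open(xposed_logs, "rb") as fd:
        for line in fd:
            # [-1] keeps a tagged line without ":" whole instead of raising.
            if tag in line:
                log_success.append(line.split(":", 1)[-1])
            if tag_error in line:
                log_error.append(line.split(":", 1)[-1])
            log_xposed.append(line)

    # NOTE(review): lines keep their trailing newline, so the join adds a
    # second one; kept as-is to leave the host-side format unchanged.
    send_file("logs/xposed.log", "\n".join(log_xposed))
    send_file("logs/droidmon.log", "\n".join(log_success))
    send_file("logs/droidmon_error.log", "\n".join(log_error))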
def execute_browser(url):
    """Start URL intent on the emulator."""
    # The URL is a discrete argv entry to "am"; no shell parses it.
    command = [
        "/system/bin/sh", "/system/bin/am", "start",
        "-a", "android.intent.action.VIEW",
        "-d", url,
    ]
    try:
        result = subprocess.check_output(command)
    except subprocess.CalledProcessError as e:
        log.error("Error starting browser intent: %r", e)
    else:
        log.info("Intent returned: %r", result)
def take_screenshot(filename):
    """Capture the screen with "screencap -p" into /sdcard/<filename>.

    @param filename: bare file name for the capture written on the device.
    @return: the on-device path of the screenshot, or None if screencap
        failed.
    """
    target = "/sdcard/%s" % filename
    command = ["/system/bin/screencap", "-p", target]
    try:
        subprocess.check_output(command)
    except subprocess.CalledProcessError as e:
        log.error("Error creating screenshot: %r", e)
        return None
    return target
================================================
FILE: analyzer/android/lib/api/screenshot.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
import math
import filecmp
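# Optional dependency: PIL is only needed by Screenshot.equal_old(). The
# first attempt covers the legacy flat PIL layout, the second the packaged
# one. Only ImportError is swallowed, so an interrupt or a genuinely broken
# installation is not silently turned into "no PIL".
try:
    import ImageChops
    from PIL import Image
    HAVE_PIL = True
except ImportError:
    try:
        from PIL import ImageChops
        from PIL import Image
        HAVE_PIL = True
    except ImportError:
        HAVE_PIL = False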
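class Screenshot:
    """Get screenshots."""

    def have_pil(self):
        """Is Python Image Library installed?
        @return: installed status.
        """
        return HAVE_PIL

    def equal_old(self, img1, img2):
        """Compares two screenshots using Root-Mean-Square Difference (RMS).
        @param img1: screenshot to compare.
        @param img2: screenshot to compare.
        @return: equal status, or None when PIL is unavailable.
        """
        if not HAVE_PIL:
            return None

        image1 = Image.open(img1)
        image2 = Image.open(img2)

        # To get a measure of how similar two images are, we use
        # root-mean-square (RMS). If the images are exactly identical,
        # this value is zero.
        diff = ImageChops.difference(image1, image2)
        h = diff.histogram()
        sq = (value * ((idx % 256) ** 2) for idx, value in enumerate(h))
        sum_of_squares = sum(sq)
        # Normalise by the pixel count of the difference image itself rather
        # than mixing the width of one input with the height of the other.
        width, height = diff.size
        rms = math.sqrt(sum_of_squares / float(width * height))

        # Might need to tweak the threshold.
        return rms < 8

    def equal(self, img1, img2):
        """Byte-for-byte comparison of two screenshot files.

        shallow=False forces a content comparison; the default would call
        two files equal on matching size/mtime alone, which can make a
        genuinely new screenshot look like a duplicate.

        @param img1: path of the first screenshot.
        @param img2: path of the second screenshot.
        @return: True if both files have identical content.
        """
        return filecmp.cmp(img1, img2, shallow=False)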
================================================
FILE: analyzer/android/lib/common/__init__.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
================================================
FILE: analyzer/android/lib/common/abstracts.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
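class Package(object):
    """Base abstract analysis package."""

    def __init__(self, options=None):
        """@param options: options dict; a fresh empty dict when omitted."""
        # Per-instance dict: a mutable default would be shared by every
        # package ever created and any write would leak between them.
        self.options = {} if options is None else options
        self.pids = []

    def set_pids(self, pids):
        """Update list of monitored PIDs in the package context.
        @param pids: list of pids.
        """
        self.pids = pids

    def start(self, path=None):
        """Run analysis package.
        @param path: sample path (or URL) to launch.
        @raise NotImplementedError: this method is abstract.
        """
        raise NotImplementedError

    def check(self):
        """Check whether the analysis should keep running.
        @raise NotImplementedError: this method is abstract.
        """
        raise NotImplementedError

    def finish(self):
        """Finish run.
        @raise NotImplementedError: this method is abstract.
        """
        raise NotImplementedError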
class Auxiliary(object):
    """Marker base class for auxiliary modules.

    Subclasses are discovered through Auxiliary.__subclasses__() and are
    expected to provide start() and stop().
    """
================================================
FILE: analyzer/android/lib/common/constants.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
import os
import string
import random
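def _rand_string(a, b):
    """Return a random lowercase ASCII string of length between *a* and *b*
    inclusive.

    Used to randomise the name of the result directory (ROOT). SystemRandom
    draws from the OS entropy source, so the name cannot be reproduced from
    the state of the seedable default PRNG.

    @param a: minimum length.
    @param b: maximum length (must be >= a).
    @return: random string.
    """
    rng = random.SystemRandom()
    length = rng.randint(a, b)
    # range() rather than xrange() so this also runs on Python 3.
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))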
# Per-run result root on the device; the random suffix comes from
# _rand_string().
ROOT = os.path.join("/data/local/tmp", _rand_string(6, 10))

# Output sub-directories keyed by purpose, plus the root itself.
PATHS = dict(
    (key, os.path.join(ROOT, key))
    for key in ("logs", "files", "shots", "memory", "drop")
)
PATHS["root"] = ROOT
================================================
FILE: analyzer/android/lib/common/exceptions.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
class CuckooError(Exception):
    """Fatal analysis error: raised by the analyzer to abort the run, with
    its message reported back through the agent."""
class CuckooPackageError(Exception):
    """Package-level failure raised from a package's start(); the analyzer
    converts it into a CuckooError."""
================================================
FILE: analyzer/android/lib/common/results.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
import logging
import socket
import time
from lib.core.config import Config
log = logging.getLogger(name=__name__)

# Chunk size (1 MiB) used when streaming a file to the host.
BUFSIZE = 1 << 20
def upload_to_host(file_path, dump_path):
    """Stream the local file *file_path* to the host, announced there as
    *dump_path*, in BUFSIZE chunks.

    Any failure is logged and swallowed; the file and the netlog connection
    are always closed.
    """
    connection = None
    source = None
    try:
        connection = NetlogFile(dump_path)
        source = open(file_path, "rb")
        while True:
            chunk = source.read(BUFSIZE)
            if not chunk:
                break
            connection.send(chunk, retry=False)
    except Exception as e:
        log.error("Exception uploading file %s to host: %s", file_path, e)
    finally:
        if source:
            source.close()
        if connection:
            connection.close()
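class NetlogConnection(object):
    """Raw TCP connection to the host's result server.

    The connection is opened lazily and announces itself with *proto* (the
    first bytes sent), which tells the result server what kind of stream
    follows.
    """

    def __init__(self, proto=""):
        """@param proto: protocol header sent right after connecting."""
        config = Config(cfg="analysis.conf")
        self.hostip, self.hostport = config.ip, config.port
        self.sock = None
        self.proto = proto

    def connect(self):
        """Connect to the result server, retrying until it succeeds.

        No-op while a socket is already held. Blocks indefinitely if the
        host never becomes reachable.
        """
        # Try to connect as quickly as possible. Just sort of force it to
        # connect with a short timeout.
        while not self.sock:
            s = None
            try:
                s = socket.create_connection((self.hostip, self.hostport), 0.1)
                s.sendall(self.proto)
            except socket.error:
                # Don't leak a half-opened socket between attempts.
                if s is not None:
                    try:
                        s.close()
                    except socket.error:
                        pass
                time.sleep(0.1)
                continue
            self.sock = s

    def send(self, data, retry=True):
        """Send *data* on the connection.

        @param data: bytes to send.
        @param retry: on a socket error, drop the current socket, reconnect
            and resend once; when False the socket error propagates.
        """
        if not self.sock:
            self.connect()

        try:
            self.sock.sendall(data)
        except socket.error:
            if not retry:
                raise
            # connect() does nothing while self.sock is set, so the stale
            # socket has to be released first for the retry to reconnect.
            self.close()
            self.connect()
            self.send(data, retry=False)
        except Exception as e:
            log.error("Unhandled exception in NetlogConnection: %s", str(e))
            # We really have nowhere to log this, if the netlog connection
            # does not work, we can assume that any logging won't work either.
            # So we just fail silently.
            self.close()

    def close(self):
        """Close the socket (if any) and forget it, so that the next send()
        opens a fresh connection."""
        sock, self.sock = self.sock, None
        if sock is None:
            return
        try:
            sock.close()
        except Exception:
            pass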
class NetlogFile(NetlogConnection):
    """Connection that streams one file to the host; the "FILE" header
    carries the destination path announced to the result server."""

    def __init__(self, filepath):
        """@param filepath: destination path announced to the result server."""
        self.filepath = filepath
        header = "FILE\n{0}\n".format(filepath)
        super(NetlogFile, self).__init__(proto=header)
        self.connect()
class NetlogHandler(logging.Handler, NetlogConnection):
    """logging handler that forwards every record to the host over a "LOG"
    stream."""

    def __init__(self):
        # Both bases are initialised explicitly because of the double
        # inheritance; the connection is opened right away.
        logging.Handler.__init__(self)
        NetlogConnection.__init__(self, proto="LOG\n")
        self.connect()

    def emit(self, record):
        """Format *record* and push it as one newline-terminated line."""
        line = "{0}\n".format(self.format(record))
        self.send(line)
================================================
FILE: analyzer/android/lib/common/utils.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
from lib.common.results import NetlogFile
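def send_file(name, data):
    """Send file to result server

    Opens a FILE stream named *name* on the host, writes *data* in one go
    and closes the connection even when the write fails.

    @param name: destination path announced to the result server.
    @param data: full file content to send.
    """
    nf = NetlogFile(name)
    try:
        nf.sock.sendall(data)
    finally:
        # Always release the connection, even when sendall() raises.
        nf.close()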
================================================
FILE: analyzer/android/lib/core/__init__.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
================================================
FILE: analyzer/android/lib/core/config.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
import ConfigParser
class Config:
def __init__(self, cfg):
"""@param cfg: configuration file."""
config = ConfigParser.ConfigParser(allow_no_value=True)
config.read(cfg)
for section in config.sections():
for name, raw_value in config.items(section):
try:
value = config.getboolean(section, name)
except ValueError:
try:
value = config.getint(section, name)
except ValueError:
value = config.get(section, name)
setattr(self, name, value)
================================================
FILE: analyzer/android/lib/core/packages.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
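def choose_package(file_type, file_name):
    """Choose analysis package due to file type and file extension.

    Every recognised input currently maps to the "apk" package; the only
    case that yields no package is an empty/unknown file type.

    @param file_type: file type string reported for the sample.
    @param file_name: original sample file name; may be None or empty.
    @return: package or None.
    """
    if not file_type:
        return None

    file_type = file_type.lower()
    # file_name may be missing; don't crash on .lower() of None.
    file_name = (file_name or "").lower()

    if "apk" in file_name:
        return "apk"
    elif "zip" in file_type:
        return "apk"
    # NOTE: a "dex" package ("DEX" in file_type) was sketched here but is
    # not implemented; everything else falls through to apk.
    else:
        return "apk"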
================================================
FILE: analyzer/android/lib/core/startup.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
import os
import logging
from lib.common.constants import PATHS
from lib.common.results import NetlogHandler
# Root logger: init_logging() attaches the console and netlog handlers to it.
log = logging.getLogger(name=None)
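def create_folders():
    """Create every result folder listed in PATHS.

    Folders that already exist are skipped; a folder that cannot be created
    is logged at debug level and otherwise ignored, so a partially writable
    result tree does not abort start-up.
    """
    # Only the paths are needed; the dict keys are just labels.
    for folder in PATHS.values():
        if os.path.exists(folder):
            continue
        try:
            os.makedirs(folder)
        except OSError as e:
            # Best effort: leave a trace of what failed rather than aborting.
            log.debug("Could not create folder %s: %s", folder, e)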
def init_logging():
    """Initialize logger."""
    fmt = logging.Formatter("%(asctime)s [%(name)s] %(levelname)s: %(message)s")

    # Local console output first, then the netlog stream to the host; both
    # use the same record layout.
    for make_handler in (logging.StreamHandler, NetlogHandler):
        handler = make_handler()
        handler.setFormatter(fmt)
        log.addHandler(handler)

    log.setLevel(logging.DEBUG)
================================================
FILE: analyzer/android/modules/__init__.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
================================================
FILE: analyzer/android/modules/auxiliary/__init__.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
================================================
FILE: analyzer/android/modules/auxiliary/screenshots.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
import time
import logging
import StringIO
from threading import Thread
from lib.common.abstracts import Auxiliary
from lib.common.results import NetlogFile
from lib.api.adb import take_screenshot
from lib.api.screenshot import Screenshot
log = logging.getLogger(name=__name__)

# Seconds to wait between two consecutive screenshots.
SHOT_DELAY = 2
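class Screenshots(Auxiliary, Thread):
    """Take screenshots."""

    def __init__(self):
        Thread.__init__(self)
        self.do_run = True

    def stop(self):
        """Stop screenshotting."""
        self.do_run = False

    def run(self):
        """Run screenshotting.

        Every SHOT_DELAY seconds a screenshot is captured on the device and
        uploaded to the host as shots/NNNN.jpg, unless it is identical to
        the previous one. A failed capture or upload is logged and the loop
        keeps going.

        @return: operation status.
        """
        img_counter = 0
        img_last = None
        comparator = Screenshot()

        while self.do_run:
            time.sleep(SHOT_DELAY)

            try:
                filename = "screenshot%s.jpg" % str(img_counter)
                img_current = take_screenshot(filename)
                # take_screenshot() returns None when screencap failed; there
                # is nothing to compare or upload in that case.
                if not img_current:
                    continue

                if img_last and comparator.equal(img_last, img_current):
                    continue

                self._upload(img_current, img_counter)

                img_counter += 1
                img_last = img_current
            except (IOError, OSError) as e:
                log.error("Cannot take screenshot: %s", e)
                continue

        return True

    def _upload(self, local_path, counter):
        """Stream the screenshot at *local_path* to the host as
        shots/<counter zero-padded to 4 digits>.jpg.
        """
        remote_name = "shots/%s.jpg" % str(counter).rjust(4, "0")
        # Binary mode: this is image data, not text.
        with open(local_path, "rb") as fd:
            nf = NetlogFile(remote_name)
            try:
                while True:
                    chunk = fd.read(65536)
                    if not chunk:
                        break
                    nf.sock.sendall(chunk)
            finally:
                nf.close()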
================================================
FILE: analyzer/android/modules/packages/__init__.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
================================================
FILE: analyzer/android/modules/packages/apk.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
import logging
from lib.api.adb import dump_droidmon_logs, execute_sample, install_sample
from lib.common.abstracts import Package
# Module-level logger for the apk package.
log = logging.getLogger(name=__name__)
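class Apk(Package):
    """Apk analysis package."""

    def __init__(self, options=None):
        """@param options: submission options; "apk_entry" holds
        "<package>:<activity>" and selects what to launch."""
        # Normalise here so the base class never sees None and no mutable
        # default is shared between instances.
        options = {} if options is None else options
        super(Apk, self).__init__(options)
        # partition() tolerates a missing or extra ":" where split() would
        # raise on unpacking.
        entry = options.get("apk_entry", ":")
        self.package, _, self.activity = entry.partition(":")

    def start(self, path):
        """Install the sample at *path* and launch its entry activity."""
        install_sample(path)
        execute_sample(self.package, self.activity)

    def check(self):
        """Nothing to poll for: keep the analysis running until timeout."""
        return True

    def finish(self):
        """Collect the Droidmon logs for the launched package."""
        dump_droidmon_logs(self.package)
        return True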
================================================
FILE: analyzer/android/modules/packages/default_browser.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Originally contributed by Check Point Software Technologies, Ltd.
from lib.common.abstracts import Package
from lib.api.adb import execute_browser
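class default_browser(Package):
    """Default Browser analysis package."""

    def __init__(self, options=None):
        """@param options: submission options (only stored by the base)."""
        # Pass a fresh dict rather than sharing a mutable default.
        super(default_browser, self).__init__({} if options is None else options)

    def start(self, target):
        """Open *target* (a URL) through the device's VIEW intent."""
        execute_browser(target)

    def check(self):
        """Nothing to poll for: keep the analysis running until timeout."""
        return True

    def finish(self):
        """No results to collect."""
        return True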
================================================
FILE: analyzer/darwin/__init__.py
================================================
================================================
FILE: analyzer/darwin/analyzer.py
================================================
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
import logging
from sys import stderr
from hashlib import sha256
from xmlrpclib import Server
from traceback import format_exc
from os import path, getcwd, makedirs
from lib.common.config import Config
from lib.common.hashing import hash_file
from lib.common.results import NetlogHandler, upload_to_host
from lib.core.constants import PATHS
from lib.core.packages import choose_package_class
from lib.core.osx import set_wallclock
from lib.core.host import CuckooHost
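class Macalyzer(object):
    """Cuckoo OS X analyser.
    """
    log = logging.getLogger()
    target = None
    # Class-level defaults kept for compatibility; __init__ gives every
    # instance its own lists so state never leaks between analyzers.
    files_to_upload = []
    uploaded_hashes = []

    def __init__(self, host, configuration=None):
        """@param host: CuckooHost used to reach the result server.
        @param configuration: parsed analysis.conf (Config)."""
        self.config = configuration
        self.host = host
        self.files_to_upload = []
        self.uploaded_hashes = []

    def bootstrap(self):
        """Prepare result folders and logging, then resolve the target."""
        _create_result_folders()
        _setup_logging()
        self._detect_target()

    def run(self):
        """Run analysis.
        @return: True once every touched file has been handed to upload.
        """
        self.bootstrap()
        self.log.debug("Starting analyzer from %s", getcwd())
        self.log.debug("Storing results at: %s", PATHS["root"])

        package = self._setup_analysis_package()
        if self.config.clock:
            set_wallclock(self.config.clock)
        self._analysis(package)
        return self._complete()

    def _complete(self):
        for f in self.files_to_upload:
            self._upload_file(f)
        return True

    #
    # Implementation details
    #

    def _detect_target(self):
        """Resolve self.target: a path under /tmp for file submissions,
        otherwise the configured URL."""
        if self.config.category == "file":
            self.target = path.join("/tmp/", str(self.config.file_name))
        else: # It's not a file, but a URL
            self.target = self.config.target

    def _setup_analysis_package(self):
        """Pick and instantiate the analysis package for the target.
        @raise Exception: if no package class matches."""
        # Do we have a suggestion about an analysis package?
        if self.config.package:
            suggestion = self.config.package
        elif self.config.category != "file":
            suggestion = "url"
        else:
            suggestion = None
        # Try to figure out what analysis package to use with this target
        kwargs = {"suggestion" : suggestion}
        package_class = choose_package_class(self.config.file_type,
                                             self.config.file_name, **kwargs)
        if not package_class:
            raise Exception("Could not find an appropriate analysis package")
        # Package initialization
        kwargs = {
            "options" : self.config.get_options(),
            "timeout" : self.config.timeout
        }
        return package_class(self.target, self.host, **kwargs)

    def _analysis(self, package):
        package.start()
        self.files_to_upload = package.touched_files

    def _upload_file(self, filepath):
        """Upload one dropped file, deduplicated by its SHA-256 digest."""
        if not path.isfile(filepath):
            return
        # Check whether we've already dumped this file - in that case skip it
        try:
            hashsum = hash_file(sha256, filepath)
        except IOError as e:
            self.log.info("Error dumping file from path \"%s\": %s", filepath, e)
            return
        # Compare the digest, not the hash constructor, against what was
        # already sent.
        if hashsum in self.uploaded_hashes:
            return
        filename = "%s_%s" % (hashsum[:16], path.basename(filepath))
        upload_path = path.join("files", filename)
        try:
            upload_to_host(filepath, upload_path)
            self.uploaded_hashes.append(hashsum)
        except IOError as e:
            self.log.error("Unable to upload dropped file at path \"%s\": %s", filepath, e)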
def _create_result_folders():
    """Create every directory listed in PATHS that does not exist yet.

    Failures of makedirs (OSError) are deliberately ignored.
    """
    for folder in PATHS.values():
        if path.exists(folder):
            continue
        try:
            makedirs(folder)
        except OSError:
            pass
def _setup_logging():
    """ Initialize logger: a stderr stream handler plus a NetlogHandler
    (which connects to the host), both on the root logger at DEBUG level. """
    root = logging.getLogger()
    fmt = logging.Formatter("%(asctime)s [%(name)s] %(levelname)s: %(message)s")

    def attach(handler):
        handler.setFormatter(fmt)
        root.addHandler(handler)

    attach(logging.StreamHandler())
    attach(NetlogHandler())
    root.setLevel(logging.DEBUG)
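if __name__ == "__main__":
    success = False
    error = ""
    # Bound up front: the except branch below dereferences it, and it would
    # still be unassigned if Config() or CuckooHost() raised.
    analyzer = None
    try:
        config = Config(cfg="analysis.conf")
        cuckoo = CuckooHost(config.ip, config.port)
        analyzer = Macalyzer(cuckoo, config)
        success = analyzer.run()
    except KeyboardInterrupt:
        error = "Keyboard Interrupt"
    except Exception as err:
        error_exc = format_exc()
        error = str(err)
        # Log handlers only exist after bootstrap(); otherwise fall back to stderr.
        if analyzer is not None and analyzer.log.handlers:
            analyzer.log.exception(error_exc)
        else:
            stderr.write("{0}\n".format(error_exc))
    # Once the analysis is completed or terminated for any reason, we report
    # back to the agent, notifying that it can report back to the host.
    finally:
        # Establish connection with the agent XMLRPC server.
        server = Server("http://127.0.0.1:8000")
        server.complete(success, error, PATHS["root"])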
================================================
FILE: analyzer/darwin/lib/__init__.py
================================================
================================================
FILE: analyzer/darwin/lib/common/__init__.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
================================================
FILE: analyzer/darwin/lib/common/config.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import ConfigParser
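class Config:
    """Analysis configuration read from an INI file.

    Every option of every section becomes an attribute of the instance, coerced
    to bool or int where the text allows it; `file_name` is always kept as a
    string and a key without a value becomes None.
    """

    def __init__(self, cfg):
        """@param cfg: configuration file."""
        config = ConfigParser.ConfigParser(allow_no_value=True)
        config.read(cfg)
        for section in config.sections():
            for name, raw_value in config.items(section):
                if raw_value is None:
                    # allow_no_value=True: a bare key has nothing to coerce, and
                    # getboolean()/getint() fail on None.
                    value = None
                elif name == "file_name":
                    value = config.get(section, name)
                else:
                    value = self._coerce(config, section, name)
                setattr(self, name, value)

    @staticmethod
    def _coerce(config, section, name):
        """Return the option as bool, else int, else the raw string."""
        try:
            return config.getboolean(section, name)
        except ValueError:
            pass
        try:
            return config.getint(section, name)
        except ValueError:
            return config.get(section, name)

    def get_options(self):
        """Get analysis options.
        @return: options dict.
        """
        # The analysis package can be provided with some options in the
        # following format:
        #   option1=value1,option2=value2,option3=value3
        #
        # Keys prefixed with "arg-" are command line arguments for the target
        # and are collected (with their values, if any) under options["args"].
        options = {}
        raw = getattr(self, "options", None)
        # __init__ may have coerced the value to bool/int; only a non-empty
        # string can be parsed.
        if not isinstance(raw, str) or not raw:
            return options
        arg_prefix = "arg-"
        for field in raw.split(","):
            # Sometimes, we have a key without a value (i.e. it's a
            # command line argument), so we can't use the
            # `key, value = field.split("=", 1)` style here
            parts = field.split("=", 1)
            key = parts[0].strip()
            if not key.startswith(arg_prefix):
                if len(parts) < 2:
                    # A plain option without "=value" is malformed: skip it
                    # rather than failing on parts[1].
                    continue
                options[key] = parts[1].strip()
            elif len(key) > len(arg_prefix):
                # Remove "arg-" prefix from the key
                parts[0] = key[len(arg_prefix):]
                # Add this key (with a value maybe) to the args
                options.setdefault("args", []).extend(parts)
        return options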
================================================
FILE: analyzer/darwin/lib/common/hashing.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# Read chunk size for hash_file(): 1 MiB.
BUFSIZE = 1 << 20
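def hash_file(method, path, bufsize=None):
    """Calculates an hash on a file by path.
    @param method: callable hashing method (e.g. hashlib.sha256)
    @param path: file path
    @param bufsize: read chunk size in bytes; defaults to BUFSIZE
    @return: computed hash string (hex digest)
    @raise IOError: when the file cannot be opened or read
    """
    if bufsize is None:
        bufsize = BUFSIZE
    h = method()
    # `with` releases the descriptor on every path, including a failing read().
    with open(path, "rb") as f:
        while True:
            buf = f.read(bufsize)
            if not buf:
                break
            h.update(buf)
    return h.hexdigest()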
================================================
FILE: analyzer/darwin/lib/common/rand.py
================================================
import random
import string
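def random_string(minimum, maximum=None):
    """Return a string of random ASCII letters.

    @param minimum: shortest allowed length
    @param maximum: longest allowed length; defaults to `minimum`, i.e. a
        fixed-length string
    @return: str of between minimum and maximum letters (inclusive)

    NOTE: drawn from the default `random` generator, so the value is
    predictable and not an unguessable token; constants.py uses it only to
    name the results directory under the temp dir.
    """
    if maximum is None:
        maximum = minimum
    count = random.randint(minimum, maximum)
    # range() instead of xrange() so the helper runs on Python 2 and 3 alike.
    return "".join(random.choice(string.ascii_letters) for _ in range(count))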
def random_integer(digits):
    """Return a random positive integer with exactly `digits` decimal digits."""
    lower = 10 ** (digits - 1)
    upper = 10 ** digits - 1
    return random.randint(lower, upper)
================================================
FILE: analyzer/darwin/lib/common/results.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import time
import socket
import logging
from config import Config
log = logging.getLogger(__name__)
# Upload chunk size: 1 MiB.
BUFSIZE = 1 << 20
def upload_to_host(file_path, dump_path):
    """Stream the local file `file_path` to the host as `dump_path`.

    Every exception is logged and swallowed; the local file and the netlog
    channel are always closed.
    """
    channel = None
    source = None
    try:
        channel = NetlogFile(dump_path)
        source = open(file_path, "rb")
        for chunk in iter(lambda: source.read(BUFSIZE), b""):
            channel.send(chunk, retry=False)
    except Exception as exc:
        log.error("Exception uploading file %s to host: %s", file_path, exc)
    finally:
        if source:
            source.close()
        if channel:
            channel.close()
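class NetlogConnection(object):
    """TCP channel to the result server on the Cuckoo host.

    `proto` is the header sent right after connecting; subclasses use it to
    announce a file upload ("FILE\\n<path>\\n") or a log stream ("LOG\\n").
    """

    def __init__(self, proto=""):
        """@param proto: protocol header sent right after connecting."""
        config = Config(cfg="analysis.conf")
        self.hostip, self.hostport = config.ip, config.port
        self.sock, self.file = None, None
        self.proto = proto

    def connect(self):
        """Connect to the host, retrying with a growing delay (1s up to 60s).

        This can loop forever: if we can't connect, the whole analysis is
        useless anyway.
        """
        delay = 1
        while True:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                s.connect((self.hostip, self.hostport))
                s.sendall(self.proto)
            except Exception:
                # Release the failed socket instead of leaking one per attempt;
                # catching Exception (not everything) keeps Ctrl-C working.
                s.close()
                time.sleep(delay)
                delay = min(delay + 1, 60)
            else:
                self.sock = s
                self.file = s.makefile()
                break

    def send(self, data, retry=True):
        """Send `data`, connecting first if there is no socket yet.
        @param retry: on socket.error reconnect once and resend; when False
            the socket.error propagates to the caller.
        Any other exception is logged and closes the channel.
        """
        if not self.sock:
            self.connect()
        try:
            self.sock.sendall(data)
        except socket.error:
            if retry:
                # Drop the broken socket before opening a new one.
                self.close()
                self.connect()
                self.send(data, retry=False)
            else:
                raise
        except Exception as e:
            log.error("Unhandled exception in NetlogConnection: %s", str(e))
            # We really have nowhere to log this, if the netlog connection
            # does not work, we can assume that any logging won't work either.
            # So we just fail silently.
            self.close()

    def close(self):
        """Close the file object and the socket; errors are ignored, and a
        failure on one does not prevent closing the other."""
        for resource in (self.file, self.sock):
            try:
                resource.close()
            except Exception:
                pass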
class NetlogFile(NetlogConnection):
    """Netlog channel that uploads one file: it announces "FILE\\n<path>\\n"
    and connects as soon as it is created."""

    def __init__(self, filepath):
        """@param filepath: destination path reported to the host in the header."""
        self.filepath = filepath
        header = "FILE\n{0}\n".format(filepath)
        NetlogConnection.__init__(self, proto=header)
        self.connect()
class NetlogHandler(logging.Handler, NetlogConnection):
    """logging.Handler that ships every formatted record over a "LOG\\n"
    netlog channel, connecting when constructed."""

    def __init__(self):
        logging.Handler.__init__(self)
        NetlogConnection.__init__(self, proto="LOG\n")
        self.connect()

    def emit(self, record):
        """Format `record` and send it newline-terminated to the host."""
        line = self.format(record)
        self.send("{0}\n".format(line))
================================================
FILE: analyzer/darwin/lib/core/__init__.py
================================================
================================================
FILE: analyzer/darwin/lib/core/constants.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import os
from tempfile import gettempdir
from ..common.rand import random_string
# Every analysis run gets a fresh, randomly named folder under the temp dir.
ROOT = os.path.join(gettempdir() + os.sep, random_string(6, 10))
PATHS = {"root": ROOT}
PATHS.update(
    (name, os.path.join(ROOT, name))
    for name in ("logs", "files", "shots", "memory", "drop")
)
================================================
FILE: analyzer/darwin/lib/core/data/signatures.yml
================================================
system:
is_success_condition: "retval == 0"
args:
- {name: "command", type: "char *"}
retval_type: "int"
category: "foobar"
printf:
is_success_condition: "retval > 0"
args:
- {name: "format", type: "char *"}
retval_type: "int"
category: "foobar"
dlopen:
is_success_condition: "retval > 0"
args:
- {name: "path", type: "char *"}
- {name: "mode", type: "int"}
retval_type: "void *"
category: "foobar"
library: "libdyld"
dlsym:
is_success_condition: "retval > 0"
args:
- {name: "handle", type: "void *"}
- {name: "symbol", type: "char *"}
retval_type: "void *"
category: "foobar"
library: "libdyld"
fprintf:
is_success_condition: "retval > 0"
args:
- {name: "stream", type: "void *"}
- {name: "format", type: "char *"}
retval_type: "int"
category: "foobar"
open:
is_success_condition: "retval > 0"
args:
- {name: "path", type: "char *"}
- {name: "oflag", type: "int"}
retval_type: "int"
category: "file"
fopen:
is_success_condition: "retval > 0"
args:
- {name: "filename", type: "char *"}
- {name: "mode", type: "char *"}
retval_type: "void *"
category: "file"
freopen:
is_success_condition: "retval > 0"
args:
- {name: "filename", type: "char *"}
- {name: "mode", type: "char *"}
- {name: "stream", type: "void *"}
retval_type: "void *"
category: "file"
rename:
is_success_condition: "retval == 0"
args:
- {name: "old", type: "char *"}
- {name: "new", type: "char *"}
- {name: "state", type: "void *"}
- {name: "flags", type: "uint64_t"}
retval_type: "int"
category: "file"
copyfile:
is_success_condition: "retval == 0"
args:
- {name: "from", type: "char *"}
- {name: "to", type: "char *"}
- {name: "state", type: "void *"}
- {name: "flags", type: "uint32_t"}
retval_type: "int"
category: "file"
remove:
is_success_condition: "retval == 0"
args:
- {name: "path", type: "char *"}
retval_type: "int"
category: "file"
unlink:
is_success_condition: "retval == 0"
args:
- {name: "path", type: "char *"}
retval_type: "int"
category: "file"
execve:
is_success_condition: "retval != -1"
args:
- {name: "path", type: "char *"}
- {name: "argv", type: "void *"}
- {name: "envp", type: "void *"}
retval_type: "int"
category: "process"
__ignore__: true
fork:
is_success_condition: "retval >= 0"
args: []
retval_type: "int"
category: "process"
socket:
is_success_condition: "retval > 0"
args:
- {name: "domain", type: "int"}
- {name: "type", type: "int"}
- {name: "protocol", type: "int"}
retval_type: "int"
category: "network"
# Signatures for tests.
# Please don't remove them. Thanks!
rb_isalpha:
is_success_condition: "retval != 0"
args:
- {name: "character", type: "char"}
retval_type: "int"
category: "foobar"
atoi:
is_success_condition: "1==1"
args:
- {name: "str", type: "char *"}
retval_type: "int"
category: "foobar"
library: "libsystem_c"
================================================
FILE: analyzer/darwin/lib/core/data/types.yml
================================================
# ===============================================
# Basic types
#
int: &int
# We will print it with something like printf("%d", value)
printf_specifier: "%d"
# Is it a native C type (on OS X)?
native: Yes
# Alternative name for backward compatibility
integer: *int
unsigned int: &unsigned-int
printf_specifier: "%ld"
native: Yes
long: &long
printf_specifier: "%l"
native: Yes
unsigned long: &unsigned-long
printf_specifier: "%lu"
native: Yes
unsigned long long: &unsigned-long-long
printf_specifier: "%llu"
native: Yes
size_t: *unsigned-long
char: &char
printf_specifier: '"%c"'
native: Yes
float: &float
printf_specifier: "%f"
native: Yes
double: &double
printf_specifier: "%f"
native: Yes
#
# Raw pointers: just dump their values (in *decimal* since dtrace will output
# JSON that doesn't accept hex values)
#
"void *":
<<: *unsigned-long-long
cast: "unsigned long long"
#
# Strings
#
"char *": &char-pointer
printf_specifier: '"%S"'
native: No
template: |-
!!(${ARG}) ? copyinstr((uint64_t)${ARG}) : "<NULL>"
#
# Arbitrary buffers
#
#buffer: &buffer
# printf_specifier: '"%S"'
# native: No
# template: |-
# ${ARG} != (int64_t)NULL ? stringof(copyin(${ARG}, ${SIZE_ARG})) : "<NULL>"
#
# Fixed length C types
#
int8_t: &int8_t
printf_specifier: "%d"
native: Yes
uint8_t: &uint8_t
printf_specifier: "%u"
native: Yes
int16_t: &int16_t
printf_specifier: "%d"
native: Yes
uint16_t: &uint16_t
printf_specifier: "%u"
native: Yes
int32_t: &int32_t
printf_specifier: "%d"
native: Yes
uint32_t: &uint32_t
printf_specifier: "%u"
native: Yes
int64_t: &int64_t
printf_specifier: "%lld"
native: Yes
uint64_t: &uint64_t
printf_specifier: "%llu"
native: Yes
#
# Structures for tests.
# Please don't remove them. Thanks!
#
test_t:
native: No
struct:
hash: "int"
base: "test_internal_t *"
description: "char *"
test_internal_t:
native: No
struct:
abc: "double *"
hfa: "size_t"
sss: "char *"
test_extra_t:
native: No
struct:
foo: int
bar: uint64_t
#
# Your custom data types
#
================================================
FILE: analyzer/darwin/lib/core/filetimes.py
================================================
# Copyright (c) 2009, David Buxton <david@gasmark6.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
# IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
"""Tools to convert between Python datetime instances and Microsoft times.
"""
from calendar import timegm
# http://support.microsoft.com/kb/167296
# How To Convert a UNIX time_t to a Win32 FILETIME or SYSTEMTIME
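EPOCH_AS_FILETIME = 116444736000000000  # January 1, 1970 as MS file time
HUNDREDS_OF_NANOSECONDS = 10000000


def dt_to_filetime(dt, delta_from_utc=None):
    """Converts a datetime to Microsoft filetime format.

    @param dt: datetime; its timetuple() is interpreted as UTC by timegm()
    @param delta_from_utc: timedelta added to `dt` before conversion; None
        (the default) applies no adjustment
    @return: int, 100-nanosecond intervals since 1601-01-01

    >>> from datetime import datetime
    >>> dt_to_filetime(datetime(2009, 7, 25, 23, 0))
    128930364000000000
    >>> dt_to_filetime(datetime(1970, 1, 1, 0, 0))
    116444736000000000
    >>> dt_to_filetime(datetime(2009, 7, 25, 23, 0, 0, 100))
    128930364000001000
    """
    if delta_from_utc is not None:
        dt += delta_from_utc
    ft = EPOCH_AS_FILETIME + timegm(dt.timetuple()) * HUNDREDS_OF_NANOSECONDS
    # timetuple() has whole seconds only, so microseconds are added separately
    # (1 microsecond == 10 hundred-nanosecond ticks).
    return ft + dt.microsecond * 10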
================================================
FILE: analyzer/darwin/lib/core/host.py
================================================
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
import yaml
import socket
import logging
import bson
from os import path
from datetime import datetime
from subprocess import check_output, CalledProcessError
from filetimes import dt_to_filetime
log = logging.getLogger(name=__name__)
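class CuckooHost(object):
    """ Sending analysis results back to the Cuckoo Host.
    Currently it only supports sending results about API calls via send_api(),
    see `apicalls` module.
    """
    sockets = {
        # Each target process has its own results server on the host, so
        # we setup as many sockets as we have targets to analyse.
    }
    descriptions = {
        # We don't want to explain APIs every single time they're about to be
        # send to the host, so we explain them once and then just refer to them
        # via an unique ID.
    }
    launch_times = {
        # Since Cuckoo host expects us to send relative times, we remember when
        # every target was launched.
    }
    human_readable_info = {
        # Here goes all the additional information about APIs like category,
        # arguments names and so on. See data/signatures.yml for more details.
    }

    def __init__(self, host_ip, host_port):
        """@param host_ip: result server address
        @param host_port: result server port
        """
        self.ip = host_ip
        self.port = host_port
        # The class-level dicts above stay as empty defaults for compatibility;
        # each instance gets its own so two hosts never share sockets or clocks.
        self.sockets = {}
        self.descriptions = {}
        self.launch_times = {}
        self._load_human_readable_info()

    def send_api(self, thing):
        """ Sends a new API notification to the Cuckoo host.
        @param thing: an `apicall` record (api, args, retval, timestamp, pid,
            ppid, tid, errno) as produced by lib/dtrace/apicalls.py
        @raise Exception: when no socket could be created for the process
        """
        pid = thing.pid
        api = thing.api
        # We're required to report results of tracing a target process to
        # *its own* result server. So create a communication socket...
        if pid not in self.sockets:
            self.sockets[pid] = self._create_socket()
            if not self.sockets[pid]:
                raise Exception("CuckooHost error: could not create socket.")
            # ... and don't forget to explain every single API call again
            self.descriptions.setdefault(pid, ["__process__", "__thread__"])
            self._send_new_process(thing)
        try:
            lookup_idx = self.descriptions[pid].index(api)
        except ValueError:
            # First time we see this API for this process: describe it once.
            self.descriptions[pid].append(api)
            lookup_idx = len(self.descriptions[pid]) - 1
            self._send_api_description(lookup_idx, thing)
        # Here's an api object:
        # {
        #   "I"    : (int)<index in the API lookup table>,
        #   "T"    : (int)<caller thread id>,
        #   "t"    : (int)<time (in milliseconds) since a process launch>,
        #   "args" : [
        #     (int)<1 if this API call was successfull, 0 otherwise>,
        #     (int)<return value>,
        #     (any)<value the first argument>,
        #     (any)<value the second argument>,
        #     ...
        #     (any)<value the n-th argument>,
        #   ]
        # }
        time_offset_ms = int(1000*thing.timestamp - 1000*self.launch_times[pid])
        self.sockets[pid].sendall(bson.BSON.encode({
            "I": lookup_idx,
            "T": thing.tid,
            "t": time_offset_ms,
            "args": self._prepare_args(thing)
        }))

    def _create_socket(self):
        """ Allocates a new socket and prepares it for communicating with the host.
        @return: a connected TCP socket that has already sent the "BSON" banner
        """
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((self.ip, self.port))
        # Prepare the result server to accept data in BSON format
        sock.sendall("BSON\n")
        return sock

    def _send_api_description(self, lookup_idx, thing):
        """ Describes the given API call to the host """
        # Here's an api description object:
        # {
        #   "I"        : (string)<index in the API lookup table>,
        #   "name"     : (string)<API name>,
        #   "type"     : "info",
        #   "category" : (string)<an API category (e.g. "memory" or "network")>
        #   "args"     : [
        #     "is_success",
        #     "retval",
        #     (string)<description of the first argument>,
        #     (string)<description of the second argument>,
        #     ...
        #     (string)<description of the n-th argument>,
        #   ]
        # }
        self.sockets[thing.pid].sendall(bson.BSON.encode({
            "I": lookup_idx,
            "name": thing.api,
            "type": "info",
            "category": self._api_category(thing),
            "args": self._api_args_description(thing)
        }))

    def _send_new_process(self, thing):
        """ Sends a notification about a new target process out there """
        pid = thing.pid
        lookup_idx = self.descriptions[pid].index("__process__")
        # Remember when this process was born
        self.launch_times[pid] = thing.timestamp
        # Describe the __process__ notification
        self.sockets[pid].sendall(bson.BSON.encode({
            "I": lookup_idx,
            "name": "__process__",
            "type": "info",
            "category": "unknown",
            "args": [
                "is_success",
                "retval",
                "TimeLow", "TimeHigh",
                "ProcessIdentifier", "ParentProcessIdentifier",
                "ModulePath"
            ]
        }))
        # Convert our unix timestamp into Windows's FILETIME because Cuckoo
        # result server expect timestamps to be in this format
        filetime = _filetime_from_timestamp(thing.timestamp)
        # Get process name (aka module path)
        module = _proc_name_from_pid(pid)
        self.sockets[pid].sendall(bson.BSON.encode({
            "I": lookup_idx,
            "T": thing.tid,
            "t": 0,
            "args": [
                1,
                0,
                # TimeLow (first 32bits) and TimeHigh (last 32bits)
                filetime & 0xffffffff, filetime >> 32,
                thing.pid, thing.ppid,
                # ModulePath
                module
            ]
        }))

    def _prepare_args(self, thing):
        """@return: [is_success, retval, arg0, arg1, ...] for the API object."""
        # First two "arguments" are always is_success and retval
        result = [
            self._verify_is_success(thing),
            thing.retval
        ]
        return result + list(thing.args)

    def _verify_is_success(self, thing):
        """Evaluate the API's `is_success_condition` against retval/errno.
        @return: 1 on success (and for APIs without a description), else 0
        """
        if thing.api not in self.human_readable_info:  # fallback to success
            return 1
        condition = self.human_readable_info[thing.api]["is_success_condition"]
        # NOTE(security): `condition` is a Python expression coming from the
        # analyzer's own data/signatures.yml; only that bundled file may ever
        # feed this eval(), and an empty __builtins__ is not a sandbox.
        result = eval(condition, {"__builtins__": None}, {
            "retval": thing.retval,
            "errno": thing.errno
        })
        return 1 if result else 0

    def _api_category(self, thing):
        """@return: the API's category from signatures.yml, or "unknown"."""
        api = thing.api
        if api not in self.human_readable_info:  # fallback
            return "unknown"
        return self.human_readable_info[api]["category"]

    def _api_args_description(self, thing):
        """@return: ["is_success", "retval", <argument names...>]; unknown
        APIs get positional names arg0, arg1, ..."""
        api = thing.api
        # First two "arguments" are always these
        description = ["is_success", "retval"]
        # Try to parse argument names for known APIs
        if api in self.human_readable_info:
            args = self.human_readable_info[api]["args"]
            description += [x["name"] for x in args]
        else:  # fallback to arg0, arg1, ..., argN
            description += ["arg%d" % arg_idx for arg_idx in range(len(thing.args))]
        return description

    def _load_human_readable_info(self):
        """Load API descriptions from data/signatures.yml into
        self.human_readable_info; on failure the current value is kept."""
        signatures = _description_file_path()
        try:
            with open(signatures, "r") as infile:
                loaded = yaml.safe_load(infile)
        except IOError:
            log.exception("Could not open %s", path.basename(signatures))
            return
        except (ValueError, yaml.YAMLError):
            # safe_load reports malformed input as YAMLError, not ValueError
            log.exception("Invalid YAML file %s", path.basename(signatures))
            return
        # An empty document loads as None; keep the `in` lookups working.
        self.human_readable_info = loaded or {}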
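def _proc_name_from_pid(pid):
    """ Parses `ps -o comm` output for the given PID.
    @return: the process path, or "unknown" when ps fails, cannot be run, or
        prints nothing beyond its header line
    """
    try:
        ps_output = check_output(["/bin/ps", "-p", str(pid), "-o", "comm"])
    except (CalledProcessError, OSError):
        # non-zero exit (e.g. no such process) or /bin/ps not runnable
        return "unknown"
    if not isinstance(ps_output, str):
        # Python 3 check_output returns bytes
        ps_output = ps_output.decode("utf-8", "replace")
    # The first line of an output is reserved for `ps` headers and the
    # second one contains a process path
    lines = ps_output.splitlines()
    return lines[1] if len(lines) > 1 else "unknown"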
def _filetime_from_timestamp(timestamp):
    """ See filetimes.py for details """
    # Timezones are hard, sorry: local and UTC views of the same instant
    local_moment = datetime.fromtimestamp(timestamp)
    utc_moment = datetime.utcfromtimestamp(timestamp)
    return dt_to_filetime(local_moment, local_moment - utc_moment)
def _description_file_path():
    """Absolute path of data/signatures.yml, located next to this module."""
    here = path.dirname(path.abspath(__file__))
    return path.join(here, "data", "signatures.yml")
================================================
FILE: analyzer/darwin/lib/core/osx.py
================================================
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
import subprocess
from datetime import datetime
from os import system
def set_wallclock(clock_str, **kwargs):
clock = datetime.strptime(clock_str, "%Y%m%dT%H:%M:%S")
# NOTE: On OS X there's `date` utility that accepts
# new date/time as a string of the folowing format:
# {month}{day}{hour}{minutes}{year}.{seconds}
# where every {x} is a 2 digit number.
cmd = "sudo date {0}".format(clock.strftime("%m%d%H%M%y.%S"))
if "just_testing" in kwargs:
return cmd
else:
system(cmd)
================================================
FILE: analyzer/darwin/lib/core/packages.py
================================================
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
from ..dtrace.apicalls import apicalls
import inspect
from sets import Set
from os import sys, path
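def choose_package_class(file_type, file_name, suggestion=None):
    """Pick the analysis package class for a target.

    @param file_type: `file(1)`-style description of the target
    @param file_name: the target's file name
    @param suggestion: package name requested by the host; when given it
        replaces the guess made from file_type/file_name
    @return: the package class, or None when no package applies
    @raise Exception: when the name is not a plain module name, the package
        module does not exist, or it does not define the expected class
    """
    if suggestion is not None:
        name = suggestion
    else:
        name = _guess_package_name(file_type, file_name)
    if not name:
        return None
    # The name comes from analysis.conf and ends up in an import statement:
    # only accept plain module names (letters, digits, underscore).
    if not all(c.isalnum() or c == "_" for c in name):
        raise Exception("Unable to import package \"{0}\": invalid package "
                        "name.".format(name))
    full_name = "modules.packages.%s" % name
    # FIXME(rodionovd):
    # I couldn't figure out how to make __import__ import anything from
    # the (grand)parent package, so here I just patch the PATH
    analyzer_root = path.abspath(path.join(path.dirname(__file__), '..', '..'))
    if analyzer_root not in sys.path:
        # append once, not on every call
        sys.path.append(analyzer_root)
    try:
        # Since we don't know the package class yet, we'll just import everything
        # from this module and then try to figure out the required member class
        module = __import__(full_name, globals(), locals(), ['*'])
    except ImportError:
        raise Exception("Unable to import package \"{0}\": it does not "
                        "exist.".format(name))
    try:
        pkg_class = _found_target_class(module, name)
    except IndexError as err:
        raise Exception("Unable to select package class (package={0}): "
                        "{1}".format(full_name, err))
    return pkg_class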
def _found_target_class(module, name):
    """ Searches for a class with the specific name: it should be
    equal to capitalized $name.
    @raise IndexError: when `module` defines no such class
    """
    wanted = name.capitalize()
    matches = [cls for cls_name, cls in inspect.getmembers(module, inspect.isclass)
               if cls_name == wanted]
    return matches[0]
def _guess_package_name(file_type, file_name):
    """Map a `file(1)` type string (plus the file name) to a package name.
    @return: "bash", "macho", "app", "zip" or None when nothing matches
    """
    is_bash = "Bourne-Again" in file_type or "bash" in file_type
    is_macho = "Mach-O" in file_type and "executable" in file_type
    is_app = "directory" in file_type and file_name.endswith((".app", ".app/"))
    is_zip = "Zip archive" in file_type and file_name.endswith(".zip")
    candidates = ((is_bash, "bash"), (is_macho, "macho"), (is_app, "app"), (is_zip, "zip"))
    for matched, package in candidates:
        if matched:
            return package
    return None
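class Package(object):
    """ Base analysis package """
    # Our target may touch some files; keep an eye on them.
    # The class-level set stays as a default for compatibility; __init__ gives
    # every instance its own so packages never share a watch list.
    touched_files = set()

    def __init__(self, target, host, **kwargs):
        """@param target: path of the thing to analyse
        @param host: object used to report API calls (see CuckooHost.send_api)
        @param kwargs: `options` (dict, see Config.get_options()) and `timeout`
        @raise Exception: when target or host is missing
        """
        if not target or not host:
            raise Exception("Package(): `target` and `host` arguments are required")
        self.host = host
        self.target = target
        self.touched_files = set()
        # Any analysis options?
        self.options = kwargs.get("options", {})
        # A timeout for analysis
        self.timeout = kwargs.get("timeout", None)
        # Command-line arguments for the target.
        self.args = self.options.get("args", [])
        # Choose an analysis method (or fallback to apicalls)
        self.method = self.options.get("method", "apicalls")
        # Should our target be launched as root or not
        self.run_as_root = _string_to_bool(self.options.get("run_as_root", "False"))

    def prepare(self):
        """ Preparation routine. Do anything you want here. """
        pass

    def start(self):
        """ Runs an analysis process.
        @raise Exception: when self.method is not "apicalls"
        """
        self.prepare()
        if self.method == "apicalls":
            self.apicalls_analysis()
        else:
            raise Exception("Unsupported analysis method. Try `apicalls`.")

    def apicalls_analysis(self):
        """Trace the target with apicalls(); report every call to the host and
        track the files it works with."""
        kwargs = {
            'args': self.args,
            'timeout': self.timeout,
            'run_as_root': self.run_as_root
        }
        for call in apicalls(self.target, **kwargs):
            # Send this API to Cuckoo host
            self.host.send_api(call)
            # Handle file IO APIs
            self.handle_files(call)

    def handle_files(self, call):
        """ Remember what files our target has been working with during the analysis"""
        def makeabs(filepath):
            # Is it a relative path? Suppose it's relative to our dtrace working directory
            if not path.isfile(filepath):
                filepath = path.join(path.dirname(__file__), "..", "dtrace", filepath)
            return filepath

        api = call.api
        if api in ("fopen", "freopen", "open"):
            self.open_file(makeabs(call.args[0]))
        elif api == "rename":
            self.move_file(makeabs(call.args[0]), makeabs(call.args[1]))
        elif api == "copyfile":
            self.copy_file(makeabs(call.args[0]), makeabs(call.args[1]))
        elif api in ("remove", "unlink"):
            self.remove_file(makeabs(call.args[0]))

    def open_file(self, filepath):
        """Start watching `filepath`."""
        self.touched_files.add(filepath)

    def move_file(self, frompath, topath):
        """Replace `frompath` (if watched) by `topath` in the watch list."""
        # Remove old reference if needed
        if frompath in self.touched_files:
            self.touched_files.remove(frompath)
        self.touched_files.add(topath)

    def copy_file(self, frompath, topath):
        """Watch both the source and the destination of a copy."""
        # Add both files to the watch list
        self.touched_files.update([frompath, topath])

    def remove_file(self, filepath):
        """Record a removed file (it is still added to the watch list)."""
        # TODO(rodionovd): we're actually unable to dump this file
        # because well, it was removed
        self.touched_files.add(filepath)


def _string_to_bool(raw):
    """Parse "yes"/"true"/"t"/"1" (any case) as True; anything else is False.
    @raise Exception: when `raw` is not a string
    """
    try:
        string_types = basestring
    except NameError:  # Python 3 has no basestring
        string_types = str
    if not isinstance(raw, string_types):
        raise Exception("Unexpected input: not a string :/")
    return raw.lower() in ("yes", "true", "t", "1")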
================================================
FILE: analyzer/darwin/lib/dtrace/__init__.py
================================================
================================================
FILE: analyzer/darwin/lib/dtrace/apicalls.d
================================================
#pragma D option destructive
#pragma D option quiet
/* apicalls.d
*
* Copyright (C) 2015 Dmitry Rodionov
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*
* This script prints results in JSON format, each log entry is a dictionary:
* {
* api : string, // e.g. "fprintf"
* args : array, // e.g. [1489124712123, "Hello\n!"]
* retval : string OR integer, // e.g. "kkk"
* timestamp : integer, // e.g. 1433765405
* pid : integer, // e.g. 9213
* ppid : integer, // e.g. 9210
* tid : integer, // e.g. 269040
* errno : integer // e.g. 22
* }
*
*/
#define SCRIPT_NAME "apicalls.d"
#ifndef ANALYSIS_TIMEOUT
#define ANALYSIS_TIMEOUT (-1)
#endif
/* Runs once when the script starts: arms the timeout countdown (seconds,
 * from ANALYSIS_TIMEOUT; -1 by default, see the tick-1sec probes) and zeroes
 * the thread-local slots. arg0..arg11 are presumably filled by the probes
 * in probes.d -- confirm there. */
dtrace:::BEGIN
{
    countdown = ANALYSIS_TIMEOUT;
    self->deeplevel = 0;
    self->arg0 = (int64_t)0;
    self->arg1 = (int64_t)0;
    self->arg2 = (int64_t)0;
    self->arg3 = (int64_t)0;
    self->arg4 = (int64_t)0;
    self->arg5 = (int64_t)0;
    self->arg6 = (int64_t)0;
    self->arg7 = (int64_t)0;
    self->arg8 = (int64_t)0;
    self->arg9 = (int64_t)0;
    self->arg10 = (int64_t)0;
    self->arg11 = (int64_t)0;
}
/* Once a second, count the remaining analysis time down. With the default
 * ANALYSIS_TIMEOUT of -1 the predicate is never true, i.e. no time limit. */
profile:::tick-1sec
/ countdown > 0 /
{
    --countdown;
}
/* The countdown reached zero: stop the script with status 0. */
profile:::tick-1sec
/ countdown == 0 /
{
    exit(0);
}
#pragma mark - Following children
#include "follow_children.d"
/* We may use `sudo -u` to drop (root) privileges before running a target.
* If this were the case, we wouldn't care about API calls of sudo itself, thus
* no probes.
*/
#ifndef SUDO
/* ******* **************************** ******* */
/* Thread-local scratch shared with the generated probes.d: an int64_t map
 * keyed by (unsigned long, string) -- presumably nesting depth and probe
 * name, confirm against probes.d -- plus the current depth. */
self int64_t arguments_stack[unsigned long, string];
self deeplevel;
/* ******* **************************** ******* */
#pragma mark - Probes
#include "probes.d"
/* exec* probes are special: they don't return on success; so catch them early */
pid$target::execve:entry
{
    /* No return probe fires for a successful execve, so the entry probe
     * reports it with a fixed retval of 0. */
    this->retval = 0;
    /* walltimestamp is in nanoseconds; the JSON carries milliseconds */
    this->timestamp_ms = walltimestamp/1000000;
    /* args: the path (copied in only when arg0 is non-NULL), then the argv
     * and envp pointers as plain integers */
    printf("{\"api\":\"%s\", \"args\":[\"%S\", %llu, %llu], \"retval\":%d, \"timestamp\":%lld, \"pid\":%d, \"ppid\":%d, \"tid\":%d, \"errno\":%d}\n",
        probefunc,
        arg0 != (int64_t)NULL ? copyinstr(arg0) : "<NULL>", (unsigned long long)arg1, (unsigned long long)arg2,
        (int)this->retval,
        (int64_t)this->timestamp_ms, pid, ppid, tid, errno);
}
#endif /* not SUDO */
================================================
FILE: analyzer/darwin/lib/dtrace/apicalls.py
================================================
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
import json
import numbers
import os
from collections import namedtuple
from getpass import getuser
from subprocess import Popen
from tempfile import NamedTemporaryFile

from autoprobes import generate_probes
from common import sanitize_path, path_for_script, filelines, current_directory
# One traced API call as written by apicalls.d (see the JSON layout there).
apicall = namedtuple(
    "apicall",
    ["api", "args", "retval", "timestamp", "pid", "ppid", "tid", "errno"],
)
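def apicalls(target, **kwargs):
    """Trace `target` with dtrace and yield one `apicall` per traced call.

    @param target: path of the executable to trace (required)
    @param kwargs: forwarded to _dtrace_command_line(): `args`, `timeout`,
        `run_as_root`
    @return: generator of `apicall` records; it finishes when apicalls.d
        prints its "## apicalls.d done ##" marker
    @raise Exception: when target is empty

    Side effects: writes probes.d next to this module (removed again in the
    generator's cleanup) and launches dtrace via sudo.
    """
    if not target:
        raise Exception("Invalid target for apicalls()")
    output_file = NamedTemporaryFile()
    kwargs.update({"output_file": output_file})
    cmd = _dtrace_command_line(target, **kwargs)
    # Generate dtrace probes for analysis
    definitions = os.path.abspath(os.path.join(__file__, "../../core/data/signatures.yml"))
    probes_file = os.path.join(os.path.dirname(os.path.abspath(__file__)), "probes.d")
    generate_probes(definitions, probes_file, overwrite=True)
    proc = None
    try:
        # The dtrace script will take care of timeout itself, so we just launch
        # it asynchronously
        with open(os.devnull, "w") as null:
            proc = Popen(cmd, stdout=null, stderr=null, cwd=current_directory())
        for entry in filelines(output_file):
            value = entry.strip()
            if "## apicalls.d done ##" in value:
                break
            if not value:
                continue
            yield _parse_entry(value)
    finally:
        # Runs on normal completion, on an exception and when the consumer stops
        # iterating early, so the temp files never linger.
        if proc is not None:
            # Reap dtrace if it has already exited; never block on it here.
            proc.poll()
        output_file.close()
        try:
            os.remove(probes_file)
        except OSError:
            pass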
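def _dtrace_command_line(target, **kwargs):
    """Build the argv list that runs ``apicalls.d`` under dtrace for *target*.

    Keyword arguments:
        output_file: required; an open file object whose ``name`` dtrace
            writes to (``-o``) and which the script also receives as
            ``OUTPUT_FILE``.
        timeout: analysis timeout passed as ``ANALYSIS_TIMEOUT``; absent or
            None becomes -1 (the script's "no timeout" value) instead of
            crashing the ``%d`` formatting.
        args: list of extra arguments appended to the target command.
        run_as_root: when false (the default) the target is started through
            ``sudo -u <current user>`` so only dtrace itself runs as root,
            and ``SUDO=1`` is defined for the script.

    Returns:
        list of strings suitable for ``subprocess.Popen``.

    Raises:
        KeyError: if ``output_file`` is missing.
    """
    # dtrace must be run as root on OS X
    cmd = ["sudo", "/usr/sbin/dtrace"]
    # Use -C for running clang's C preprocessor over the script
    cmd += ["-C"]
    # Use -I for adding a current directory to the search path for #includes
    cmd += ["-I./"]
    # Use -Z to allow probe descriptions that match zero probes in a target
    cmd += ["-Z"]
    # dtruss() treats a None timeout as "not set"; do the same here rather
    # than letting "%d" % None raise.
    timeout = kwargs.get("timeout")
    if timeout is None:
        timeout = -1
    cmd += ["-DANALYSIS_TIMEOUT=%d" % timeout]
    cmd += ["-s", path_for_script("apicalls.d")]
    cmd += ["-DTOPLEVELSCRIPT=1"]
    output_file = kwargs["output_file"]
    cmd += ["-o", output_file.name]
    cmd += ["-DOUTPUT_FILE=\"%s\"" % output_file.name]
    run_as_root = kwargs.get("run_as_root", False)
    # The whole target command is handed to dtrace's -c as ONE string.
    # sanitize_path() only escapes spaces in the target path; the extra
    # `args` are joined verbatim, so arguments containing spaces are not
    # preserved as single arguments.
    if "args" in kwargs:
        target_cmd = "%s %s" % (sanitize_path(target), " ".join(kwargs["args"]))
    else:
        target_cmd = sanitize_path(target)
    # When we don't want to run the target as root, we have to drop privileges
    # with `sudo -u current_user` right before calling the target.
    if not run_as_root:
        target_cmd = "sudo -u %s %s" % (getuser(), target_cmd)
        cmd += ["-DSUDO=1"]
    cmd += ["-c", target_cmd]
    return cmd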
def _parse_entry(entry):
    """Turn one JSON line printed by the dtrace probes into an ``apicall``.

    Literal ``\\0`` sequences are removed before decoding (they are not a
    valid JSON escape). ``args`` are rendered with ``_stringify_args`` and
    the millisecond ``timestamp`` is converted to floating point seconds.
    """
    record = json.loads(entry.replace("\\0", ""))
    # Convert milliseconds to floating point seconds
    seconds = float(record['timestamp']) / 1000
    return apicall(
        api=record['api'],
        args=_stringify_args(record['args']),
        retval=record['retval'],
        timestamp=seconds,
        pid=record['pid'],
        ppid=record['ppid'],
        tid=record['tid'],
        errno=record['errno'],
    )
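def _stringify_args(args):
    """Convert each argument into a string.

    Integers (``int``, Python 2 ``long`` and therefore ``bool`` too) become
    ``%#lx`` hex strings, e.g. ``255`` -> ``"0xff"``; every other value is
    converted with ``str()``.

    Args:
        args: iterable of JSON-decoded argument values.

    Returns:
        list of strings in the same order as ``args`` (empty for no args).
    """
    # numbers.Integral matches exactly what (int, long) matched, without
    # naming `long`, which does not exist on Python 3.
    return [
        "%#lx" % item if isinstance(item, numbers.Integral) else str(item)
        for item in args
    ]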
================================================
FILE: analyzer/darwin/lib/dtrace/autoprobes.py
================================================
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
import yaml
from os import path
from string import Template
from sets import Set
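def generate_probes(definitions, output_path, overwrite=True):
    """Write a dtrace probes file for the given API definitions.

    Args:
        definitions: either an already-loaded list of definition dicts or
            the path of a signatures YAML file to read via
            ``read_definitions``.
        output_path: where the generated D source is written.
        overwrite: when False and ``output_path`` already exists, the
            existing file is left untouched and nothing is generated.

    Returns:
        None; the output goes to ``output_path`` via ``dump_probes``.
    """
    if not overwrite and path.isfile(output_path):
        # Honour overwrite=False: keep the existing file as it is.
        return
    if isinstance(definitions, list):
        defs = definitions
    else:
        defs = read_definitions(definitions)
    types = read_types(path.abspath(path.join(__file__, "../../core/data/types.yml")))
    # Header first, then typedefs for any custom structs the probes use,
    # then one probe chunk per definition.
    contents = [HEADER] + typedefs_for_custom_structs(defs, types)
    contents += [probe_from_definition(x, types) for x in defs]
    dump_probes(contents, output_path)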
# FILE IO
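def read_definitions(fromfile):
    """Read API signatures from a YAML file.

    The document root is a mapping from API name to its definition; the
    result is a list of those definitions with the name folded in under
    the ``"api"`` key. An empty document yields an empty list instead of
    failing on a ``None`` root.

    Args:
        fromfile: path of the signatures YAML file.

    Returns:
        list of definition dicts.
    """
    with open(fromfile, "r") as stream:
        # safe_load() returns None for an empty document
        contents = yaml.safe_load(stream) or {}
    # Now convert the root dictionary to an array of dictionaries where
    # original keys become values for the "api" key.
    # FIXME(rodionovd): yes, I know, it should be an array..
    return [dict({'api': name}, **body) for name, body in contents.items()]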
def read_types(infile):
    """Load the type descriptions YAML file and return its root mapping."""
    stream = open(infile, "r")
    try:
        return yaml.safe_load(stream)
    finally:
        stream.close()
def dump_probes(probes, tofile):
    """Write the given dtrace probe strings to `tofile`.

    The file is opened for writing, so an existing file is truncated first;
    the strings are written back to back without separators.
    """
    with open(tofile, "w") as out:
        for chunk in probes:
            out.write(chunk)
# GENERATION
def probe_from_definition(definition, types):
    """Map the given API definition to the D source of its probe(s).

    Ignored definitions produce an empty string. An entry probe only exists
    to stash the call's arguments, so APIs without arguments get the
    return probe alone; otherwise the entry probe precedes the return one.
    """
    if definition.get('__ignore__', False):
        return ""
    if len(definition['args']) == 0:
        return return_probe_from_definition(definition, types)
    entry = entry_probe_from_definition(definition)
    return entry + return_probe_from_definition(definition, types)
def entry_probe_from_definition(df):
    """Render ENTRY_PROBE_TEMPLATE for the given API definition.

    Fills in the library (optional, default empty), the API name and the
    "push arguments on stack" section.
    """
    return Template(ENTRY_PROBE_TEMPLATE).substitute(
        __LIBRARY__=df.get("library", ""),
        __NAME__=df["api"],
        __ARGUMENTS_PUSH_ON_STACK__=push_on_stack_section(df["args"]),
    )
def return_probe_from_definition(df, types):
    """Render RETURN_PROBE_TEMPLATE for the given API definition.

    The return value's printf specifier comes from the type description of
    ``retval_type``; the argument format string, argument and return value
    serialization statements and the "pop from stack" section are built by
    the respective helpers.
    """
    args = df["args"]
    retval_type = df["retval_type"]
    retval_specifier = type_description(retval_type, types)["printf_specifier"]
    library = df.get("library", "")
    api_name = df["api"]
    args_format = arguments_format_string(args, types)
    args_statements = arguments_section(args, types)
    retval_statement = retval_section(retval_type, types)
    pop_section = pop_from_stack_section(args)
    return Template(RETURN_PROBE_TEMPLATE).substitute(
        __LIBRARY__=library,
        __NAME__=api_name,
        __ARGS_FORMAT_STRING__=args_format,
        __RETVAL_FORMAT_SPECIFIER__=retval_specifier,
        __ARGUMENTS__=args_statements,
        __RETVAL__=retval_statement,
        __ARGUMENTS_POP_FROM_STACK__=pop_section,
    )
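def typedefs_for_custom_structs(defs, types):
    """Return typedef statements for the struct types that `defs` use.

    Only structs reachable from the argument types of the given definitions
    (directly or through nested struct fields) get a typedef. They are
    emitted in a deterministic order with every struct placed after the
    structs its fields refer to, so the D compiler never meets a type
    before its typedef.

    Args:
        defs: list of API definition dicts; each ``args`` entry is a dict
            with a ``"type"`` key. Definitions without ``args`` (e.g. ignored
            ones) contribute nothing.
        types: the mapping loaded from ``types.yml``.

    Returns:
        list of ``typedef struct {...} name;`` strings, each ending in a
        blank line.
    """
    def deep_search_types(parent):
        """Collect the dereferenced names of `parent` types and, for
        structs, of all their field types, recursively."""
        found = set()
        for t in parent:
            description = type_description(t, types)
            if "struct" in description:
                found |= deep_search_types(description["struct"].values())
            found.add(dereference_type(t))
        return found

    # We will only generate typedefs for structs that are actually in use
    obviously_used_types = [
        arg["type"] for df in defs for arg in df.get("args", [])
    ]
    all_used_types = deep_search_types(obviously_used_types)
    struct_types = dict(
        (name, desc) for name, desc in types.items()
        if "struct" in desc and name in all_used_types
    )

    ordered = []
    visiting = set()

    def visit(name):
        """Append `name` after every struct type its fields depend on."""
        if name in ordered or name in visiting:
            return
        visiting.add(name)
        for field_type in sorted(struct_types[name]["struct"].values()):
            dependency = dereference_type(field_type)
            if dependency in struct_types and dependency != name:
                visit(dependency)
        ordered.append(name)

    for name in sorted(struct_types):
        visit(name)

    # NOTE(review): field order is whatever the loaded mapping yields; the
    # typedef layout has to match the real C struct for copyin() reads to
    # make sense, so types.yml must not rely on YAML key order -- confirm.
    template = "typedef struct {\n\t%s\n} %s;\n\n"
    typedefs = []
    for name in ordered:
        fields = [
            "%s %s;" % (field_type, field_name)
            for field_name, field_type in struct_types[name]["struct"].items()
        ]
        typedefs.append(template % ("\n\t".join(fields), name))
    return typedefs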
# -----------------------------------------------------------------------
def arguments_section(args, types):
    """Return the printf() argument list that serializes the given
    arguments, reading them from ``self->arg<i>``.

    The result starts with a newline and two tabs and ends with a trailing
    comma so it can be dropped straight into RETURN_PROBE_TEMPLATE; it is
    empty when there are no arguments.
    """
    if not args:
        return ""
    serialized = [
        serialize_argument_at_idx(idx, args, "self->arg%d" % idx, types)
        for idx, _ in enumerate(args)
    ]
    return "\n\t\t" + ", ".join(serialized) + ","
def arguments_format_string(args, types):
    """Return the comma separated printf() specifiers for the given
    arguments, or an empty string when there are none."""
    if not args:
        return ""
    specifiers = []
    for arg in args:
        specifiers.append(printf_format_for_type(arg["type"], types))
    return ", ".join(specifiers)
def retval_section(retval_type, types):
    """Return the serialization statement for a return value of the given
    type, read from ``this->retval``."""
    accessor = "this->retval"
    return serialize_type(retval_type, accessor, types)
# -------------------------------
def printf_format_for_type(t, types):
    """Return the printf() format for the given type (atomic or struct).

    Double quotes are backslash-escaped because the result ends up inside
    the D string literal of the generated printf() call.
    """
    description = type_description(t, types)
    if "struct" in description:
        raw_format = printf_format_for_struct(t, types)
    else:
        raw_format = description["printf_specifier"]
    return raw_format.replace('"', '\\"')
def printf_format_for_struct(t, types):
    """Return a JSON-object style printf() format for the given struct type.

    Each field becomes ``"name" : <specifier>``; fields that are themselves
    structs (no ``printf_specifier`` in their description) are expanded
    recursively.
    """
    parts = []
    for field_name, field_type in type_description(t, types)["struct"].items():
        specifier = type_description(field_type, types).get("printf_specifier", None)
        if specifier is None:
            # Nested struct: build its own {...} block
            specifier = printf_format_for_struct(field_type, types)
        parts.append('"%s" : %s' % (field_name, specifier))
    return "{%s}" % ", ".join(parts)
def serialize_argument_at_idx(idx, all_args, accessor, types):
    """Return the serialization statement for the argument at `idx`,
    whose value is read through `accessor`."""
    argument = all_args[idx]
    return serialize_type(argument["type"], accessor, types)
def serialize_type(name, accessor, types):
    """Return the serialization statement for a value of type `name`
    accessible through `accessor`.

    Structs and template-based types are delegated to their own helpers;
    everything else is treated as an atomic type whose cast defaults to
    the dereferenced type name.
    """
    name = name.strip()
    description = type_description(name, types)
    if "struct" in description:
        return serialize_struct_type(name, accessor, types)
    if "template" in description:
        return serialize_type_with_template(name, accessor, types)
    cast = description.get("cast", dereference_type(name))
    return serialize_atomic_type(name, cast, accessor)
def serialize_atomic_type(argtype, cast, accessor):
    """Return the serialization statement for the given atomic type.

    Value types are just cast; pointer types (anything dereference_type()
    changes) are read from user space with copyin().
    """
    real_type = dereference_type(argtype)
    if real_type == argtype:
        # Value type: a plain cast is enough
        return "(%s)(%s)" % (cast, accessor)
    # Reference type: copy the pointee in from the traced process.
    # NOTE(review): `!!(p) ? 0 : copyin(p)` reads as inverted -- non-NULL
    # pointers serialize to 0 while NULL goes into copyin(); confirm against
    # a generated probes.d before touching it.
    return "!!(%s) ? (%s)0 : *(%s *)copyin((uint64_t)%s, sizeof(%s))" % (
        accessor, cast, real_type, accessor, real_type
    )
def serialize_struct_type(struct_type, accessor, types):
    """Return the serialization statements for every field of the given
    struct type, comma separated.

    The accessor is cast to the struct type; fields are reached with ``.``
    for a by-value struct and ``->`` when the type is a pointer to one.
    """
    by_value = struct_type == dereference_type(struct_type)
    member_operator = "." if by_value else "->"
    structure = type_description(struct_type, types)["struct"]
    base = "((%s)(%s))" % (struct_type, accessor)
    fields = [
        serialize_type(field_type, base + member_operator + field_name, types)
        for field_name, field_type in structure.items()
    ]
    return ", ".join(fields)
def serialize_type_with_template(oftype, accessor, types):
    """Return the type's serialization template with ``$ARG`` replaced by
    the given accessor."""
    description = type_description(oftype, types)
    # TODO(rodionovd): add support for buffers (ARG_SIZE)
    return Template(description["template"]).substitute(ARG=accessor)
# -------------------------------
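def dereference_type(t):
    """Strip the last pointer level from a type string.

    Everything from the last ``*`` onwards is dropped and the remainder is
    whitespace-stripped, e.g. ``"int **"`` -> ``"int *"`` and
    ``" int * "`` -> ``"int"``. ``"void *"`` and ``"char *"`` are returned
    unchanged (apart from stripping), as is any type without a ``*``.

    Args:
        t: a C/D type spelling.

    Returns:
        the dereferenced type name.
    """
    stripped = t.strip()
    if stripped in ("void *", "char *"):
        return stripped
    head, star, _ = t.rpartition("*")
    # No "*" means a value type; rpartition then reports an empty separator.
    return head.strip() if star else stripped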
def type_description(name, types):
    """Return the ``types.yml`` entry describing the given type.

    Pointer levels are stripped first, so ``"foo *"`` and ``"foo"`` share
    one description. Raises KeyError for unknown types.
    """
    key = dereference_type(name)
    return types[key]
# -----------------------------------------------------------------------
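def push_on_stack_section(args):
    """Compose the "push arguments on stack" section of an entry probe.

    The probe first increments ``self->deeplevel``; then, for every
    argument index ``i``, it saves the current ``self->arg<i>`` into
    ``self->arguments_stack`` at that level and overwrites ``self->arg<i>``
    with the probe's ``arg<i>``. This is what keeps nested calls of the
    same API from clobbering each other's saved arguments.

    Args:
        args: list of argument descriptions; only its length matters.

    Returns:
        the D statements joined with ``"\\n\\t"``, or ``""`` for no args.
    """
    if not args:
        return ""
    push = (
        'self->arguments_stack[self->deeplevel, "arg%d"] = self->arg%d;'
        '\n\tself->arg%d = arg%d;'
    )
    statements = ["self->deeplevel++;"]
    # range() instead of xrange() so the generator works on Python 3 as well
    statements.extend(push % (idx, idx, idx, idx) for idx in range(len(args)))
    return "\n\t".join(statements)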
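def pop_from_stack_section(args):
    """Compose the "pop arguments from stack" section of a return probe.

    For every argument index ``i`` the saved ``self->arg<i>`` is restored
    from ``self->arguments_stack`` at the current ``self->deeplevel`` and
    the slot is zeroed; finally ``self->deeplevel`` is decremented. The
    result begins with ``"\\n\\t"`` so it can follow the printf() call in
    RETURN_PROBE_TEMPLATE directly.

    Args:
        args: list of argument descriptions; only its length matters.

    Returns:
        the D statements, or ``""`` for no args.
    """
    if not args:
        return ""
    pop = (
        'self->arg%d = self->arguments_stack[self->deeplevel, "arg%d"];'
        '\n\tself->arguments_stack[self->deeplevel, "arg%d"] = 0;'
    )
    # range() instead of xrange() so the generator works on Python 3 as well
    statements = [pop % (idx, idx, idx) for idx in range(len(args))]
    statements.append("--self->deeplevel;")
    return "\n\t" + "\n\t".join(statements)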
ENTRY_PROBE_TEMPLATE = """pid$$target:${__LIBRARY__}:${__NAME__}:entry
{
\t${__ARGUMENTS_PUSH_ON_STACK__}
}\n"""
RETURN_PROBE_TEMPLATE = """pid$$target:${__LIBRARY__}:${__NAME__}:return
{
\tthis->retval = arg1;
\tthis->timestamp_ms = walltimestamp/1000000;
\tprintf("{\\\"api\\\":\\\"%s\\\", \\\"args\\\":[${__ARGS_FORMAT_STRING__}], \\\"retval\\\":${__RETVAL_FORMAT_SPECIFIER__}, \\\"timestamp\\\":%lld, \\\"pid\\\":%d, \\\"ppid\\\":%d, \\\"tid\\":%d, \\\"errno\\\":%d}\\n",
\t\tprobefunc,${__ARGUMENTS__}
\t\t${__RETVAL__},
\t\t(int64_t)this->timestamp_ms, pid, ppid, tid, errno);${__ARGUMENTS_POP_FROM_STACK__}
}\n"""
HEADER = """/* For some reason either dtrace or clang preprocessor refuses to identify standard
* C integer types like int64_t or uint8_t. Thus we must include stdint.h with the
* following patches.
*/
/* (1) fix sys/_types/_int8_t.h */
#define __signed signed
/* (2) cdefs.h throws "Unsupported compiler detected" warning, ignore it */
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-W#warnings"
#include <stdint.h>
#include <stddef.h>
#pragma clang diagnostic pop
\n
"""
================================================
FILE: analyzer/darwin/lib/dtrace/common.py
================================================
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
from os import path
from time import sleep
def sanitize_path(raw_path):
    """Escape every space in `raw_path` as backslash-space."""
    return "\\ ".join(raw_path.split(" "))
def path_for_script(script):
    """Return the absolute path of `script` located next to this module."""
    directory = current_directory()
    return path.join(directory, script)
def current_directory():
    """Return the absolute directory that contains this module."""
    this_file = path.abspath(__file__)
    return path.dirname(this_file)
def filelines(source_file):
    """Yield lines from `source_file` as they are appended; never returns.

    The file is first positioned at its end, so anything already written
    when iteration starts is skipped. Each non-empty readline() result is
    yielded as-is; an empty read (no new data yet) sleeps 0.1s and retries.
    readline() returns whatever is available, so a line that is still
    being written may arrive without its trailing newline.
    """
    source_file.seek(0, 2)
    while True:
        chunk = source_file.readline()
        if chunk:
            yield chunk
        else:
            # Sleep briefly
            sleep(0.1)
================================================
FILE: analyzer/darwin/lib/dtrace/dtruss.py
================================================
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
import os
import json
from getpass import getuser
from collections import namedtuple
from subprocess import Popen
from tempfile import NamedTemporaryFile
from common import *
# One traced system call as produced by _parse_syscall(); every field is
# taken verbatim from the JSON record printed by dtruss.sh.
syscall = namedtuple(
    "syscall",
    ["name", "args", "result", "errno", "timestamp", "pid"],
)
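def dtruss(target, **kwargs):
    """Returns a list of syscalls made by a target.
    Every syscall is a named tuple with the following properties:
    name (string), args (list), result (int), errno (int),
    timestamp(int) and pid(int).

    This is a generator: ``dtruss.sh`` is launched asynchronously with its
    output redirected to a temporary file, which is followed until the
    script prints its ``## dtruss.sh done ##`` marker.

    Keyword arguments:
        timeout: analysis timeout forwarded as ``-K``; absent or None means
            the script's own default.
        syscall: watch only this syscall (``-t``). In that mode sudo's own
            calls are not filtered out.
        run_as_root: run the target as root. By default it is started via
            ``sudo -u <current user>`` so that only dtrace is root, and the
            first reported pid (sudo's) is excluded from the results.
        args: extra command line arguments for the target, appended verbatim.

    Raises:
        Exception: if ``target`` is empty.
    """
    if not target:
        raise Exception("Invalid target for dtruss()")
    output_file = NamedTemporaryFile()
    cmd = ["/bin/bash", path_for_script("dtruss.sh"), "-W", output_file.name, "-f"]
    # Add timeout
    timeout = kwargs.get("timeout")
    if timeout is not None:
        cmd += ["-K", str(timeout)]
    # Watch for a specific syscall only
    watch_specific_syscall = "syscall" in kwargs
    if watch_specific_syscall:
        cmd += ["-t", kwargs["syscall"]]
    run_as_root = kwargs.get("run_as_root", False)
    # When we don't want to run the target as root, we have to drop privileges
    # with `sudo -u current_user` right before calling the target.
    if not run_as_root:
        cmd += ["sudo", "-u", getuser()]
    # Add target path (only spaces in the path itself are escaped)
    cmd += [sanitize_path(target)]
    # Arguments for the target
    if "args" in kwargs:
        cmd += kwargs["args"]
    try:
        # The dtrace script will take care of timeout itself, so we just launch
        # it asynchronously
        with open(os.devnull, "w") as devnull:
            Popen(cmd, stdout=devnull, stderr=devnull)
        # If we use `sudo -u` for dropping root privileges, we also have to
        # exclude its output from the results
        sudo_pid = None
        for entry in filelines(output_file):
            line = entry.strip()
            if "## dtruss.sh done ##" in line:
                break
            call = _parse_syscall(line)
            if call is None:
                continue
            # sudo's syscalls will be the first ones, so remember its pid
            if not run_as_root and sudo_pid is None and not watch_specific_syscall:
                sudo_pid = call.pid
            elif call.pid != sudo_pid:
                yield call
    finally:
        # Runs on normal completion, on an exception and when the consumer
        # abandons the generator early, so the temp file is always released.
        output_file.close()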
#
# Parsing implementation details
#
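def _parse_syscall(string):
    """Parse one JSON line printed by dtruss.sh into a ``syscall`` tuple.

    Literal ``\\0`` sequences are removed first (they are not a valid JSON
    escape). Returns None when the line is not valid JSON or is not an
    object carrying the expected keys, so callers can simply skip it.

    Args:
        string: one stripped output line.

    Returns:
        a ``syscall`` named tuple, or None.
    """
    string = string.replace("\\0", "")
    try:
        parsed = json.loads(string)
        return syscall(
            name=parsed["syscall"],
            args=parsed["args"],
            result=parsed["retval"],
            errno=parsed["errno"],
            pid=parsed["pid"],
            timestamp=parsed["timestamp"],
        )
    except (ValueError, KeyError, TypeError):
        # ValueError: not JSON at all; KeyError/TypeError: JSON, but not a
        # syscall record (missing key or a non-object value).
        return None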
================================================
FILE: analyzer/darwin/lib/dtrace/dtruss.sh
================================================
#!/bin/sh
# #!/usr/bin/sh
#
# dtruss - print process system call time details.
# Written using DTrace (Solaris 10 3/05).
#
# 17-Jun-2005, ver 0.80 (check for newer versions)
#
# USAGE: dtruss [-acdeflhoLs] [-t syscall] { -p PID | -n name | command }
#
# -p PID # examine this PID
# -n name # examine this process name
# -t syscall # examine this syscall only
# -a # print all details
# -c # print system call counts
# -d # print relative timestamps (us)
# -e # print elapsed times (us)
# -f # follow children as they are forked
# -l # force printing of pid/lwpid per line
# -o # print on cpu times (us)
# -s # print stack backtraces
# -L # don't print pid/lwpid per line
# -b bufsize # dynamic variable buf size (default is "4m")
# -K timeout # timeout of analysis
# -W file # redirect all output to a specified file
# eg,
# dtruss df -h # run and examine the "df -h" command
# dtruss -p 1871 # examine PID 1871
# dtruss -n tar # examine all processes called "tar"
# dtruss -f test.sh # run test.sh and follow children
#
# The elapsed times are interesting, to help identify syscalls that take
# some time to complete (during which the process may have context
# switched off the CPU).
#
# SEE ALSO: procsystime # DTraceToolkit
# dapptrace # DTraceToolkit
# truss
#
# COPYRIGHT: Copyright (c) 2005 Brendan Gregg.
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License"). You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at Docs/cddl1.txt
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# CDDL HEADER END
#
# Author: Brendan Gregg [Sydney, Australia]
#
# TODO: Track signals, more output formatting.
#
# 29-Apr-2005 Brendan Gregg Created this.
# 09-May-2005 " " Fixed evaltime (thanks Adam L.)
# 16-May-2005 " " Added -t syscall tracing.
# 17-Jun-2005 " " Added -s stack backtraces.
#
##############################
# --- Process Arguments ---
#
### Default variables
opt_pid=0; opt_name=0; pid=0; pname="."
opt_elapsed=0; opt_cpu=0; opt_counts=0;
opt_relative=0; opt_printid=0; opt_follow=0
opt_command=0; command=""; opt_buf=0; buf="4m"
opt_trace=0; trace="."; opt_stack=0;
# -K/-W defaults: no analysis timeout, output to stderr unless -W is given.
# Neither option appears in the usage text printed by -h below.
opt_timeout=0; timeout=-1; output_file="/dev/stderr"
### Process options
# NOTE: the values of -n, -t and -K are spliced verbatim into the D program
# text further down (the inline int/string declarations), without quoting
# or validation here; callers are expected to pass well-formed values.
while getopts ab:cdefhln:op:st:K:W:L name
do
case $name in
b) opt_buf=1; buf=$OPTARG ;;
p) opt_pid=1; pid=$OPTARG ;;
n) opt_name=1; pname=$OPTARG ;;
t) opt_trace=1; trace=$OPTARG ;;
a) opt_counts=1; opt_relative=1; opt_elapsed=1; opt_follow=1
opt_printid=1; opt_cpu=1 ;;
c) opt_counts=1 ;;
d) opt_relative=1 ;;
e) opt_elapsed=1 ;;
f) opt_follow=1 ;;
l) opt_printid=1 ;;
o) opt_cpu=1 ;;
L) opt_printid=-1 ;;
s) opt_stack=-1 ;;
K) opt_timeout=1; timeout=$OPTARG ;;
W) output_file=$OPTARG ;;
h|?) cat <<-END >&2
USAGE: dtruss [-acdefholLs] [-t syscall] { -p PID | -n name | command }
-p PID # examine this PID
-n name # examine this process name
-t syscall # examine this syscall only
-a # print all details
-c # print syscall counts
-d # print relative times (us)
-e # print elapsed times (us)
-f # follow children
-l # force printing pid/lwpid
-o # print on cpu times
-s # print stack backtraces
-L # don't print pid/lwpid
-b bufsize # dynamic variable buf size
eg,
dtruss df -h # run and examine "df -h"
dtruss -p 1871 # examine PID 1871
dtruss -n tar # examine all processes called "tar"
dtruss -f test.sh # run test.sh and follow children
END
exit 1
esac
done
shift `expr $OPTIND - 1`
### Option logic
# Without -p/-n the remaining arguments are the command to run; "$*" joins
# them with single spaces into one string, so argument boundaries are not
# preserved past this point.
if [ $opt_pid -eq 0 -a $opt_name -eq 0 ]; then
opt_command=1
if [ "$*" = "" ]; then
$0 -h
exit
fi
command="$*" # yes, I meant $*!
fi
# Following children or matching by name prints pid/lwpid per line unless
# -L explicitly disabled it.
if [ $opt_follow -eq 1 -o $opt_name -eq 1 ]; then
if [ $opt_printid -ne -1 ]; then
opt_printid=1
else
opt_printid=0
fi
fi
### Option translation
## if [ "$trace" = "exec" ]; then trace="exece"; fi
if [ "$trace" = "exec" ]; then trace="execve"; fi
#################################
# --- Main Program, DTrace ---
#
### Define D Script
dtrace='
#pragma D option quiet
/*
* Command line arguments
*/
inline int OPT_command = '$opt_command';
inline int OPT_follow = '$opt_follow';
inline int OPT_printid = '$opt_printid';
inline int OPT_relative = '$opt_relative';
inline int OPT_elapsed = '$opt_elapsed';
inline int OPT_cpu = '$opt_cpu';
inline int OPT_counts = '$opt_counts';
inline int OPT_pid = '$opt_pid';
inline int OPT_name = '$opt_name';
inline int OPT_trace = '$opt_trace';
inline int OPT_stack = '$opt_stack';
inline int OPT_timeout = '$opt_timeout';
inline int PID = '$pid';
inline string NAME = "'$pname'";
inline string TRACE = "'$trace'";
dtrace:::BEGIN
{
/* print header */
/* OPT_printid ? printf("%-8s ","PID/LWP") : 1; */
/*OPT_printid ? printf("\t%-8s ","PID/THRD") : 1;
OPT_relative ? printf("%8s ","RELATIVE") : 1;
OPT_elapsed ? printf("%7s ","ELAPSD") : 1;
OPT_cpu ? printf("%6s ","CPU") : 1;*/
/*printf("SYSCALL(args) \t\t = return\n");*/
/* globals */
trackedpid[pid] = 0;
self->child = 0;
this->type = 0;
TIMEOUT = '$timeout';
}
/*
* Save syscall entry info
*/
/* MacOS X: notice first appearance of child from fork. Its parent
fires syscall::*fork:return in the ususal way (see below) */
syscall:::entry
/OPT_follow && trackedpid[ppid] == -1 && 0 == self->child/
{
/* set as child */
self->child = 1;
/* print output */
self->code = errno == 0 ? "" : "Err#";
/* OPT_printid ? printf("%5d/%d: ",pid,tid) : 1; */
OPT_printid ? printf("%5d/0x%x: ",pid,tid) : 1;
OPT_relative ? printf("%8d: ",vtimestamp/1000) : 1;
OPT_elapsed ? printf("%7d: ",0) : 1;
OPT_cpu ? printf("%6d ",0) : 1;
/*
printf("%s()\t\t = %d %s%d\n","fork",
0,self->code,(int)errno);
*/
this->timestamp = walltimestamp / 1000000000;
printf("{\"syscall\":\"%s\", \"args\":[], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
"fork", 0, (int)errno, this->timestamp, pid);
}
/* MacOS X: notice first appearance of child and parent from vfork */
syscall:::entry
/OPT_follow && trackedpid[ppid] > 0 && 0 == self->child/
{
/* set as child */
this->vforking_tid = trackedpid[ppid];
self->child = (this->vforking_tid == tid) ? 0 : 1;
/* print output */
self->code = errno == 0 ? "" : "Err#";
/* OPT_printid ? printf("%5d/%d: ",pid,tid) : 1; */
/*OPT_printid ? printf("%5d/0x%x: ",(this->vforking_tid == tid) ? ppid : pid,tid) : 1;
OPT_relative ? printf("%8d: ",vtimestamp/1000) : 1;
OPT_elapsed ? printf("%7d: ",0) : 1;
OPT_cpu ? printf("%6d ",0) : 1;*/
/*
printf("%s()\t\t = %d %s%d\n","vfork",
(this->vforking_tid == tid) ? pid : 0,self->code,(int)errno);
*/
this->timestamp = walltimestamp / 1000000000;
printf("{\"syscall\":\"%s\", \"args\":[], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
"vfork",
(this->vforking_tid == tid) ? pid : 0,
(int)errno,
this->timestamp, pid);
}
syscall:::entry
/(OPT_command && pid == $target) ||
(OPT_pid && pid == PID) ||
(OPT_name && NAME == strstr(NAME, execname)) ||
(OPT_name && execname == strstr(execname, NAME)) ||
(self->child)/
{
/* set start details */
self->start = timestamp;
self->vstart = vtimestamp;
self->arg0 = arg0;
self->arg1 = arg1;
self->arg2 = arg2;
/* count occurances */
OPT_counts == 1 ? @Counts[probefunc] = count() : 1;
}
/* 5 and 6 arguments */
syscall::select:entry,
syscall::mmap:entry,
syscall::pwrite:entry,
syscall::pread:entry
/(OPT_command && pid == $target) ||
(OPT_pid && pid == PID) ||
(OPT_name && NAME == strstr(NAME, execname)) ||
(OPT_name && execname == strstr(execname, NAME)) ||
(self->child)/
{
self->arg3 = arg3;
self->arg4 = arg4;
self->arg5 = arg5;
}
/*
* Follow children
*/
syscall::fork:entry
/OPT_follow && self->start/
{
/* track this parent process */
trackedpid[pid] = -1;
}
syscall::vfork:entry
/OPT_follow && self->start/
{
/* track this parent process */
trackedpid[pid] = tid;
}
/* syscall::rexit:entry */
syscall::exit:entry
{
/* forget child */
self->child = 0;
trackedpid[pid] = 0;
}
/*
* Check for syscall tracing
*/
syscall:::entry
/OPT_trace && probefunc != TRACE/
{
/* drop info */
self->start = 0;
self->vstart = 0;
self->arg0 = 0;
self->arg1 = 0;
self->arg2 = 0;
self->arg3 = 0;
self->arg4 = 0;
self->arg5 = 0;
}
/*
* Print return data
*/
/*
* NOTE:
* The following code is written in an intentionally repetetive way.
* The first versions had no code redundancies, but performed badly during
* benchmarking. The priority here is speed, not cleverness. I know there
* are many obvious shortcuts to this code, Ive tried them. This style has
* shown in benchmarks to be the fastest (fewest probes, fewest actions).
*/
/* print 3 args, return as hex */
syscall::sigprocmask:return
/self->start/
{
/* calculate elapsed time */
this->elapsed = timestamp - self->start;
self->start = 0;
this->cpu = vtimestamp - self->vstart;
self->vstart = 0;
self->code = errno == 0 ? "" : "Err#";
/* print optional fields */
/* OPT_printid ? printf("%5d/%d: ",pid,tid) : 1; */
/*OPT_printid ? printf("%5d/0x%x: ",pid,tid) : 1;
OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
OPT_elapsed ? printf("%7d ",this->elapsed/1000) : 1;
OPT_cpu ? printf("%6d ",this->cpu/1000) : 1;*/
/* print main data */
/*
printf("%s(0x%X, 0x%X, 0x%X)\t\t = 0x%X %s%d\n",probefunc,
(int)self->arg0,self->arg1,self->arg2,(int)arg0,
self->code,(int)errno);
*/
this->timestamp = walltimestamp / 1000000000;
printf("{\"syscall\":\"%s\", \"args\":[%u, %u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
probefunc,
(int)self->arg0, self->arg1, self->arg2,
(int)arg0,
(int)errno,
this->timestamp, pid);
OPT_stack ? ustack() : 1;
OPT_stack ? trace("\n") : 1;
self->arg0 = 0;
self->arg1 = 0;
self->arg2 = 0;
}
/* print 3 args, arg0 as a string */
syscall::execve:return,
syscall::stat:return,
syscall::stat64:return,
syscall::lstat:return,
syscall::lstat64:return,
syscall::access:return,
syscall::mkdir:return,
syscall::chdir:return,
syscall::chroot:return,
syscall::getattrlist:return, /* XXX 5 arguments */
syscall::chown:return,
syscall::lchown:return,
syscall::chflags:return,
syscall::readlink:return,
syscall::utimes:return,
syscall::pathconf:return,
syscall::truncate:return,
syscall::getxattr:return,
syscall::setxattr:return,
syscall::removexattr:return,
syscall::unlink:return,
syscall::open:return,
syscall::open_nocancel:return
/self->start/
{
/* calculate elapsed time */
this->elapsed = timestamp - self->start;
self->start = 0;
this->cpu = vtimestamp - self->vstart;
self->vstart = 0;
self->code = errno == 0 ? "" : "Err#";
/* print optional fields */
/* OPT_printid ? printf("%5d/%d: ",pid,tid) : 1; */
/*OPT_printid ? printf("%5d/0x%x: ",pid,tid) : 1;
OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
OPT_elapsed ? printf("%7d ",this->elapsed/1000) : 1;
OPT_cpu ? printf("%6d ",this->cpu/1000) : 1;*/
/* print main data */
/*
printf("%s(\"%S\", 0x%X, 0x%X)\t\t = %d %s%d\n",probefunc,
copyinstr(self->arg0),self->arg1,self->arg2,(int)arg0,
self->code,(int)errno);
*/
this->timestamp = walltimestamp / 1000000000;
printf("{\"syscall\":\"%s\", \"args\":[\"%S\", %u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
probefunc,
copyinstr(self->arg0), self->arg1, self->arg2,
(int)arg0,
(int)errno,
this->timestamp, pid);
OPT_stack ? ustack() : 1;
OPT_stack ? trace("\n") : 1;
self->arg0 = 0;
self->arg1 = 0;
self->arg2 = 0;
}
/* print 3 args, arg1 as a string */
syscall::write:return,
syscall::write_nocancel:return,
syscall::read:return,
syscall::read_nocancel:return
/self->start/
{
/* calculate elapsed time */
this->elapsed = timestamp - self->start;
self->start = 0;
this->cpu = vtimestamp - self->vstart;
self->vstart = 0;
self->code = errno == 0 ? "" : "Err#";
/* print optional fields */
/* OPT_printid ? printf("%5d/%d: ",pid,tid) : 1; */
/*OPT_printid ? printf("%5d/0x%x: ",pid,tid) : 1;
OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
OPT_elapsed ? printf("%7d ",this->elapsed/1000) : 1;
OPT_cpu ? printf("%6d ",this->cpu/1000) : 1;*/
/* print main data */
/*
printf("%s(0x%X, \"%S\", 0x%X)\t\t = %d %s%d\n",probefunc,self->arg0,
arg0 == -1 ? "" : stringof(copyin(self->arg1,arg0)),self->arg2,(int)arg0,
self->code,(int)errno);
*/
this->timestamp = walltimestamp / 1000000000;
printf("{\"syscall\":\"%s\", \"args\":[%u, \"%S\", %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
probefunc,
self->arg0, arg0 == -1 ? "" : stringof(copyin(self->arg1,arg0)), self->arg2,
(int)arg0,
(int)errno,
this->timestamp, pid);
OPT_stack ? ustack() : 1;
OPT_stack ? trace("\n") : 1;
self->arg0 = 0;
self->arg1 = 0;
self->arg2 = 0;
}
/* print 2 args, arg0 and arg1 as strings */
syscall::rename:return,
syscall::symlink:return,
syscall::link:return
/self->start/
{
/* calculate elapsed time */
this->elapsed = timestamp - self->start;
self->start = 0;
this->cpu = vtimestamp - self->vstart;
self->vstart = 0;
self->code = errno == 0 ? "" : "Err#";
/* print optional fields */
/* OPT_printid ? printf("%5d/%d: ",pid,tid) : 1; */
/*OPT_printid ? printf("%5d/0x%x: ",pid,tid) : 1;
OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
OPT_elapsed ? printf("%7d ",this->elapsed/1000) : 1;
OPT_cpu ? printf("%6d ",this->cpu/1000) : 1;*/
/* print main data */
/*
printf("%s(\"%S\", \"%S\")\t\t = %d %s%d\n",probefunc,
copyinstr(self->arg0), copyinstr(self->arg1),
(int)arg0,self->code,(int)errno);
*/
this->timestamp = walltimestamp / 1000000000;
printf("{\"syscall\":\"%s\", \"args\":[\"%S\", \"%S\"], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
probefunc,
copyinstr(self->arg0), copyinstr(self->arg1),
(int)arg0,
(int)errno,
this->timestamp, pid);
OPT_stack ? ustack() : 1;
OPT_stack ? trace("\n") : 1;
self->arg0 = 0;
self->arg1 = 0;
self->arg2 = 0;
}
/* print 0 arg output */
syscall::*fork:return
/self->start/
{
/* calculate elapsed time */
this->elapsed = timestamp - self->start;
self->start = 0;
this->cpu = vtimestamp - self->vstart;
self->vstart = 0;
self->code = errno == 0 ? "" : "Err#";
/* print optional fields */
/* OPT_printid ? printf("%5d/%d: ",pid,tid) : 1; */
/*OPT_printid ? printf("%5d/0x%x: ",pid,tid) : 1;
OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
OPT_elapsed ? printf("%7d ",this->elapsed/1000) : 1;
OPT_cpu ? printf("%6d ",this->cpu/1000) : 1;*/
/* print main data */
/*
printf("%s()\t\t = %d %s%d\n",probefunc,
(int)arg0,self->code,(int)errno);
*/
this->timestamp = walltimestamp / 1000000000;
printf("{\"syscall\":\"%s\", \"args\":[], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
probefunc,
(int)arg0,
(int)errno,
this->timestamp, pid);
OPT_stack ? ustack() : 1;
OPT_stack ? trace("\n") : 1;
self->arg0 = 0;
self->arg1 = 0;
self->arg2 = 0;
}
/* print 1 arg output */
syscall::close:return,
syscall::close_nocancel:return
/self->start/
{
/* calculate elapsed time */
this->elapsed = timestamp - self->start;
self->start = 0;
this->cpu = vtimestamp - self->vstart;
self->vstart = 0;
self->code = errno == 0 ? "" : "Err#";
/* print optional fields */
/* OPT_printid ? printf("%5d/%d: ",pid,tid) : 1; */
/*OPT_printid ? printf("%5d/0x%x: ",pid,tid) : 1;
OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
OPT_elapsed ? printf("%7d ",this->elapsed/1000) : 1;
OPT_cpu ? printf("%6d ",this->cpu/1000) : 1;*/
/* print main data */
/*
printf("%s(0x%X)\t\t = %d %s%d\n",probefunc,self->arg0,
(int)arg0,self->code,(int)errno);
*/
this->timestamp = walltimestamp / 1000000000;
printf("{\"syscall\":\"%s\", \"args\":[%u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
probefunc,
self->arg0,
(int)arg0,
(int)errno,
this->timestamp, pid);
OPT_stack ? ustack() : 1;
OPT_stack ? trace("\n") : 1;
self->arg0 = 0;
self->arg1 = 0;
self->arg2 = 0;
}
/* print 2 arg output */
syscall::utimes:return,
syscall::munmap:return
/self->start/
{
/* calculate elapsed time */
this->elapsed = timestamp - self->start;
self->start = 0;
this->cpu = vtimestamp - self->vstart;
self->vstart = 0;
self->code = errno == 0 ? "" : "Err#";
/* print optional fields */
/* OPT_printid ? printf("%5d/%d: ",pid,tid) : 1; */
/*OPT_printid ? printf("%5d/0x%x: ",pid,tid) : 1;
OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
OPT_elapsed ? printf("%7d ",this->elapsed/1000) : 1;
OPT_cpu ? printf("%6d ",this->cpu/1000) : 1;*/
/* print main data */
/*
printf("%s(0x%X, 0x%X)\t\t = %d %s%d\n",probefunc,self->arg0,
self->arg1,(int)arg0,self->code,(int)errno);
*/
this->timestamp = walltimestamp / 1000000000;
printf("{\"syscall\":\"%s\", \"args\":[%u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
probefunc,
self->arg0, self->arg1,
(int)arg0,
(int)errno,
this->timestamp, pid);
OPT_stack ? ustack() : 1;
OPT_stack ? trace("\n") : 1;
self->arg0 = 0;
self->arg1 = 0;
self->arg2 = 0;
}
/* print pread/pwrite with 4 arguments */
syscall::pread*:return,
syscall::pwrite*:return
/self->start/
{
/* calculate elapsed time */
this->elapsed = timestamp - self->start;
self->start = 0;
this->cpu = vtimestamp - self->vstart;
self->vstart = 0;
self->code = errno == 0 ? "" : "Err#";
/* print optional fields */
/* OPT_printid ? printf("%5d/%d: ",pid,tid) : 1; */
/*OPT_printid ? printf("%5d/0x%x: ",pid,tid) : 1;
OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
OPT_elapsed ? printf("%7d ",this->elapsed/1000) : 1;
OPT_cpu ? printf("%6d ",this->cpu/1000) : 1;*/
/* print main data */
/*
printf("%s(0x%X, \"%S\", 0x%X, 0x%X)\t\t = %d %s%d\n",probefunc,self->arg0,
stringof(copyin(self->arg1,self->arg2)),self->arg2,self->arg3,(int)arg0,self->code,(int)errno);
*/
this->timestamp = walltimestamp / 1000000000;
printf("{\"syscall\":\"%s\", \"args\":[%u, %u, %u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
probefunc,
self->arg0, self->arg1, self->arg2, self->arg3,
(int)arg0,
(int)errno,
this->timestamp, pid);
OPT_stack ? ustack() : 1;
OPT_stack ? trace("\n") : 1;
self->arg0 = 0;
self->arg1 = 0;
self->arg2 = 0;
self->arg3 = 0;
}
/* print select with 5 arguments */
syscall::select:return
/self->start/
{
/* calculate elapsed time */
this->elapsed = timestamp - self->start;
self->start = 0;
this->cpu = vtimestamp - self->vstart;
self->vstart = 0;
self->code = errno == 0 ? "" : "Err#";
/* print optional fields */
/* OPT_printid ? printf("%5d/%d: ",pid,tid) : 1; */
/*OPT_printid ? printf("%5d/0x%x: ",pid,tid) : 1;
OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
OPT_elapsed ? printf("%7d ",this->elapsed/1000) : 1;
OPT_cpu ? printf("%6d ",this->cpu/1000) : 1;*/
/* print main data */
/*
printf("%s(0x%X, 0x%X, 0x%X, 0x%X, 0x%X)\t\t = %d %s%d\n",probefunc,self->arg0,
self->arg1,self->arg2,self->arg3,self->arg4,(int)arg0,self->code,(int)errno);
*/
this->timestamp = walltimestamp / 1000000000;
printf("{\"syscall\":\"%s\", \"args\":[%u, %u, %u, %u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
probefunc,
self->arg0, self->arg1,self->arg2,self->arg3,self->arg4,
(int)arg0,
(int)errno,
this->timestamp, pid);
OPT_stack ? ustack() : 1;
OPT_stack ? trace("\n") : 1;
self->arg0 = 0;
self->arg1 = 0;
self->arg2 = 0;
self->arg3 = 0;
self->arg4 = 0;
}
/* mmap has 6 arguments */
syscall::mmap:return
/self->start/
{
/* calculate elapsed time */
this->elapsed = timestamp - self->start;
self->start = 0;
this->cpu = vtimestamp - self->vstart;
self->vstart = 0;
self->code = errno == 0 ? "" : "Err#";
/* print optional fields */
/* OPT_printid ? printf("%5d/%d: ",pid,tid) : 1; */
/*OPT_printid ? printf("%5d/0x%x: ",pid,tid) : 1;
OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
OPT_elapsed ? printf("%7d ",this->elapsed/1000) : 1;
OPT_cpu ? printf("%6d ",this->cpu/1000) : 1;*/
/* print main data */
/*
printf("%s(0x%X, 0x%X, 0x%X, 0x%X, 0x%X, 0x%X)\t\t = 0x%X %s%d\n",probefunc,self->arg0,
self->arg1,self->arg2,self->arg3,self->arg4,self->arg5, arg0,self->code,(int)errno);
*/
this->timestamp = walltimestamp / 1000000000;
printf("{\"syscall\":\"%s\", \"args\":[%u, %u, %u, %u, %u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
probefunc,
self->arg0, self->arg1, self->arg2, self->arg3, self->arg4, self->arg5,
(int)arg0,
(int)errno,
this->timestamp, pid);
OPT_stack ? ustack() : 1;
OPT_stack ? trace("\n") : 1;
self->arg0 = 0;
self->arg1 = 0;
self->arg2 = 0;
self->arg3 = 0;
self->arg4 = 0;
self->arg5 = 0;
}
/* print 3 arg output - default */
syscall:::return
/self->start/
{
/* calculate elapsed time */
this->elapsed = timestamp - self->start;
self->start = 0;
this->cpu = vtimestamp - self->vstart;
self->vstart = 0;
self->code = errno == 0 ? "" : "Err#";
/* print optional fields */
/* OPT_printid ? printf("%5d/%d: ",pid,tid) : 1; */
/*OPT_printid ? printf("%5d/0x%x: ",pid,tid) : 1;
OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
OPT_elapsed ? printf("%7d ",this->elapsed/1000) : 1;
OPT_cpu ? printf("%6d ",this->cpu/1000) : 1;*/
/* print main data */
/*
printf("%s(0x%X, 0x%X, 0x%X)\t\t = %d %s%d\n",probefunc,self->arg0,
self->arg1,self->arg2,(int)arg0,self->code,(int)errno);
*/
this->timestamp = walltimestamp / 1000000000;
printf("{\"syscall\":\"%s\", \"args\":[%u, %u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
probefunc,
self->arg0, self->arg1, self->arg2,
(int)arg0,
(int)errno,
this->timestamp, pid);
OPT_stack ? ustack() : 1;
OPT_stack ? trace("\n") : 1;
self->arg0 = 0;
self->arg1 = 0;
self->arg2 = 0;
}
profile:::tick-1sec
/OPT_timeout && TIMEOUT > 0/
{
--TIMEOUT;
}
profile:::tick-1sec
/OPT_timeout && TIMEOUT == 0/
{
exit(0);
}
/* print counts */
dtrace:::END
{
OPT_counts == 1 ? printf("\n%-32s %16s\n","CALL","COUNT") : 1;
OPT_counts == 1 ? printa("%-32s %@16d\n",@Counts) : 1;
printf("## dtruss.sh done ##");
}
'
### Run DTrace
#if [ $opt_command -eq 1 ]; then
# /usr/sbin/dtrace -x dynvarsize=$buf -x evaltime=exec -n "$dtrace" \
# -c "$command" >&2
#else
# /usr/sbin/dtrace -x dynvarsize=$buf -n "$dtrace" >&2
#fi
### Run DTrace (Mac OS X)
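# Run DTrace (Mac OS X).  All variables are quoted so an empty or
# space-containing value cannot break the test or be word-split into
# extra dtrace arguments.  -o sends the JSON lines to the file the Python
# side reads; with -c the command is traced from exec (evaltime=exec).
if [ "$opt_command" -eq 1 ]; then
    sudo /usr/sbin/dtrace -x dynvarsize="$buf" -x evaltime=exec -n "$dtrace" \
        -o "$output_file" -c "$command"
else
    sudo /usr/sbin/dtrace -x dynvarsize="$buf" -n "$dtrace" >&2 -o "$output_file"
fi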
================================================
FILE: analyzer/darwin/lib/dtrace/follow_children.d
================================================
/* apicalls.d
*
* Copyright (C) 2015 Dmitry Rodionov
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*
*
* Usage:
* 1) `SCRIPT_NAME` and `OUTPUT_FILE` macros must be set in a master script;
* 2) Global integer variable `countdown` must exist;
*/
/* Preprocessor magic: stringification */
#define str(s) str0(s)
#define str0(s) #s
/* Since there's no built-in way to get an output file of the current script,
* we have to inject it into the source code with preprocessor. */
#if !defined(OUTPUT_FILE)
#error Please, specify the output file (e.g. "-DOUTPUT_FILE=./foo.log")
#endif
#ifdef CHILD
dtrace:::BEGIN
{
    /* The parent script stop()ped this child before attaching us with -p;
     * resume it now that our probes are in place. */
    pidresume($target);
#ifdef WAS_EXECED
    /* Since (1) we have now dtrace scripts attached to both
     * parent and child processes and (2) they both have *the same* PID,
     * we'll get the same results from both these scripts.
     * To fix this, I just stop tracing the child here. */
    exit(0);
#endif /* WAS_EXECED */
}
/* TODO(rodionovd): it looks like there's a bug in Apple dtrace that keeps
* dtrace running even when its target (specified via -p) was already terminated.
* Maybe I'm doing something wrong, but here's a temporary workaround.
*/
/* Stop this dtrace instance as soon as its target calls exit(); see the
 * TODO above about dtrace outliving its -p target. */
syscall::exit:entry
/ pid == $target/
{
    exit(0);
}
#endif /* CHILD */
/* FORK */
/* Remember the PID of every process the target forks so the proc:::start
 * clause below recognises it (value 1 = "new child, not yet attached"). */
proc:::create
/ pid == $target /
{
    tracked[args[0]->pr_pid] = 1;
}
/* Attach a new instance of dtrace to the new child process.
* Note that we pause the process before attaching dtrace to it, so we'll even
* catch short-lived ones.
*/
proc:::start
/ tracked[pid] == 1 /
{
    tracked[pid] = 0;
    /* Pause the child; the spawned instance resumes it from its BEGIN clause. */
    stop();
    /* NOTE(review): SCRIPT_NAME and OUTPUT_FILE are expanded unquoted into a
     * shell command line here, so they must only ever come from the trusted
     * master script that defines these macros (see the usage note at the top). */
    system("sudo dtrace -Z -I./ -C -DCHILD=1 -DANALYSIS_TIMEOUT=%d -DSCRIPT_PATH=./%s -DOUTPUT_FILE=%s -s ./%s -o %s -p %d &",
        countdown, SCRIPT_NAME, str(OUTPUT_FILE), SCRIPT_NAME, str(OUTPUT_FILE), pid);
}
/* EXEC */
/* Flag the target (value 2 = "exec'd, re-attach pending") so the stat64
 * clause below re-attaches dtrace to the new image. */
proc:::exec
/ pid == $target /
{
    tracked[pid] = 2;
}
/* Well, we were exec*()'d, now what?
 * Since a new image contains different symbols and may also require different
 * shared libraries -- and we really want to be able to install probes on them -- we
 * must re-attach dtrace to this process so it can see this new stuff.
 *
 * We wait some time to make sure that all shared libraries are loaded, stop()
 * (actually, pause) the process and then spawn a new instance of dtrace attached
 * to this process.
 * Why stat64("/AppleInternal")? This syscall happens at the end of a program's
 * initialization process, so it's a great place to do our thing.
 */
syscall::stat64:entry
/ tracked[pid] == 2 && copyinstr(arg0) == "/AppleInternal\0" /
{
    /* Re-attach once the exec'd image has finished initialising (see the
     * comment above on why this stat64 call serves as the marker). */
    tracked[pid] = 0;
    stop();
    /* NOTE(review): SCRIPT_NAME and OUTPUT_FILE are expanded unquoted into a
     * shell command line; they must only come from the trusted master script
     * that defines the macros.  -DWAS_EXECED=1 makes the child-side BEGIN
     * clause exit immediately so the same PID is not traced twice. */
    system("sudo dtrace -Z -I./ -C -DCHILD=1 -DWAS_EXECED=1 -DANALYSIS_TIMEOUT=%d -DSCRIPT_PATH=./%s -DOUTPUT_FILE=%s -s ./%s -o %s -p %d &",
        countdown, SCRIPT_NAME, str(OUTPUT_FILE), SCRIPT_NAME, str(OUTPUT_FILE), pid);
}
dtrace:::END
{
#ifdef TOPLEVELSCRIPT
    /* Only the top-level instance appends the end marker (presumably what
     * the Python reader waits for -- confirm); the short sleep gives child
     * instances a moment to finish writing first. */
    system("sleep 1.5 && echo \"## %s done ##\" >> \"%s\"", SCRIPT_NAME, str(OUTPUT_FILE));
#endif
}
================================================
FILE: analyzer/darwin/lib/dtrace/ipconnections.d
================================================
#!/usr/sbin/dtrace -C -s
#pragma D option quiet
/* ipconnections.d
*
* Copyright (C) 2015 Dmitry Rodionov
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*
*
* This script prints results in JSON format, where each entry is a dictionary:
* {
* host : string, // e.g. "192.168.0.1"
* host_port : int, // e.g. 49812
* remote : string, // e.g. "8.8.8.8"
* remote_port : int, // e.g. 80
* protocol : string, // e.g. "TCP"
* timestamp : int, // e.g. 1433765405
* pid : int // e.g. 9213
* }
*
*/
#ifndef ANALYSIS_TIMEOUT
#define ANALYSIS_TIMEOUT -1
#endif
dtrace:::BEGIN
{
    /* Seconds left before exit(0).  The default of -1 is never decremented
     * (see the tick clauses below), so without -DANALYSIS_TIMEOUT the script
     * runs until dtrace itself is stopped. */
    countdown = ANALYSIS_TIMEOUT;
}
ip:::receive
/pid == $target/
{
    /* Protocol name from the v4 or the v6 header, depending on the IP version. */
    this->protocol = args[2]->ip_ver == 4 ? args[4]->ipv4_protostr : args[5]->ipv6_nextstr;
    /* Inbound packet: the local side is the destination, the peer the source. */
    this->host = args[2]->ip_daddr;
    this->remote = args[2]->ip_saddr;
    /* Since the second argument (csinfo_t) is always filled with zeros [0],
     * the only way to get host and remote ports is to treat the third argument
     * as a raw pointer to struct ip and access stuff from there.
     *
     * Thanks to Quinn "The Eskimo!" from Apple DTS team for this trick!
     *
     * [0]:
     * From http://www.opensource.apple.com/source/xnu/xnu-2782.1.97/bsd/netinet/ip_output.c:
     * ------------------------------------------
     * DTRACE_IP6(send, struct mbuf *, m, struct inpcb *, NULL,
     *     struct ip *, ip, struct ifnet *, ifp,
     *     struct ip *, ip, struct ip6_hdr *, NULL);
     * ------------------------------------------
     * Note the NULL passed as a value for struct inpcb* (it will become
     * csinfo_t in dtrace).
     */
    /* NOTE(review): offsets 20 and 22 presumably address the source and
     * destination port of a TCP/UDP header that follows a 20-byte, option-less
     * IPv4 header.  The ipv6 branch above shows v6 packets reach this clause
     * too, and for them (or for v4 packets carrying options) these offsets
     * would not point at the ports -- confirm before trusting the port fields. */
    this->host_port = ntohs(*(uint16_t *)(arg2 + 22));
    this->remote_port = ntohs(*(uint16_t *)(arg2 + 20));
    /* Convert walltimestamp (nanoseconds) to a unix timestamp in seconds */
    this->timestamp = walltimestamp / 1000000000;
    printf("{\"host\":\"%s\", \"host_port\":%d, \"remote\":\"%s\", \"remote_port\":%d, \"protocol\":\"%s\", \"timestamp\": %d, \"pid\":%d}\n",
        this->host, this->host_port, this->remote, this->remote_port, this->protocol, this->timestamp, pid);
}
ip:::send
/pid == $target/
{
    /* Protocol name from the v4 or the v6 header, depending on the IP version. */
    this->protocol = args[2]->ip_ver == 4 ? args[4]->ipv4_protostr : args[5]->ipv6_nextstr;
    /* Outbound packet: the local side is the source, the peer the destination. */
    this->host = args[2]->ip_saddr;
    this->remote = args[2]->ip_daddr;
    /* Raw-pointer port extraction; see the explanation in ip:::receive.
     * NOTE(review): the fixed offsets presume an option-less IPv4 header --
     * v6 packets also reach this clause, for which they would be wrong. */
    this->host_port = ntohs(*(uint16_t *)(arg2 + 20));
    this->remote_port = ntohs(*(uint16_t *)(arg2 + 22));
    /* Convert walltimestamp (nanoseconds) to a unix timestamp in seconds */
    this->timestamp = walltimestamp / 1000000000;
    printf("{\"host\":\"%s\", \"host_port\":%d, \"remote\":\"%s\", \"remote_port\":%d, \"protocol\":\"%s\", \"timestamp\": %d, \"pid\":%d}\n",
        this->host, this->host_port, this->remote, this->remote_port, this->protocol, this->timestamp, pid);
}
profile:::tick-1sec
/countdown > 0/
{
    /* One more second of the analysis timeout elapsed (never fires for the
     * default countdown of -1). */
    --countdown;
}
profile:::tick-1sec
/ countdown == 0 /
{
    /* Timeout reached: stop tracing, which also runs the END clause. */
    exit(0);
}
dtrace:::END
{
    /* End marker; the Python wrapper stops reading the output file when it
     * sees this line. */
    printf("## ipconnections.d done ##");
}
================================================
FILE: analyzer/darwin/lib/dtrace/ipconnections.py
================================================
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
import os
import json
from common import *
from subprocess import Popen
from collections import namedtuple
from tempfile import NamedTemporaryFile
# One record per observed connection; the field order matches the keys of the
# JSON lines emitted by ipconnections.d.
connection = namedtuple(
    "connection",
    ["host", "host_port", "remote", "remote_port", "protocol", "timestamp", "pid"],
)
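def ipconnections(target, **kwargs):
    """Yield the IP connections made by *target*, one ``connection`` at a time.

    The target is launched under ``ipconnections.d`` via ``dtrace -c``.  This
    is a generator: the process starts on the first iteration and entries are
    yielded as they appear in the script's output file, until the script's
    end marker is seen.  Each entry is a ``connection`` named tuple with
    host (str), host_port (int), remote (str), remote_port (int),
    protocol (str), timestamp (int) and pid (int).

    Keyword arguments:
        timeout: analysis timeout in seconds, passed to the script as
            ANALYSIS_TIMEOUT.
        args: extra command-line arguments for the target.

    Raises:
        Exception: if *target* is empty.
    """
    if not target:
        raise Exception("Invalid target for ipconnections()")

    output_file = NamedTemporaryFile()
    try:
        cmd = ["sudo", "/usr/sbin/dtrace", "-C"]
        if "timeout" in kwargs:
            cmd += ["-DANALYSIS_TIMEOUT=%d" % kwargs["timeout"]]
        cmd += ["-s", path_for_script("ipconnections.d")]
        cmd += ["-o", output_file.name]
        if "args" in kwargs:
            # NOTE(review): the arguments are space-joined into one string for
            # dtrace -c, so an argument containing whitespace or shell
            # metacharacters is only safe if sanitize_path()/the caller quotes
            # it -- confirm.
            line = "%s %s" % (sanitize_path(target), " ".join(kwargs["args"]))
            cmd += ["-c", line]
        else:
            cmd += ["-c", sanitize_path(target)]
        # The dtrace script will take care of timeout itself, so we just launch
        # it asynchronously and never wait() for it.
        with open(os.devnull, "w") as f:
            Popen(cmd, stdout=f, stderr=f)

        for entry in filelines(output_file):
            if "## ipconnections.d done ##" in entry.strip():
                break
            yield _parse_single_entry(entry.strip())
    finally:
        # NamedTemporaryFile removes the file on close; do it even when the
        # consumer stops iterating early or a parse error propagates.
        output_file.close()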
#
# Parsing implementation details
#
def _parse_single_entry(entry):
    """Turn one JSON line written by ipconnections.d into a ``connection``.

    Literal ``\\0`` sequences (presumably NUL terminators leaking from D
    strings) are stripped before decoding; missing keys raise KeyError.
    """
    decoded = json.loads(entry.replace("\\0", ""))
    return connection(*(decoded[field] for field in connection._fields))
================================================
FILE: analyzer/darwin/modules/__init__.py
================================================
================================================
FILE: analyzer/darwin/modules/packages/__init__.py
================================================
================================================
FILE: analyzer/darwin/modules/packages/app.py
================================================
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
import subprocess
from os import system, path
from plistlib import readPlist

from lib.core.packages import Package
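class App(Package):
    """ OS X application (.app bundle) analysis package. """

    def prepare(self):
        """Resolve the bundle's main executable and make sure it is executable.

        Reads CFBundleExecutable from Contents/Info.plist and points
        self.target at Contents/MacOS/<that name>.

        Raises:
            Exception: if Info.plist names no executable.
        """
        # We'll launch an executable file of this .app directly,
        # but we need to know what it is, don't we?
        info = readPlist(path.join(self.target, "Contents", "Info.plist"))
        exe_name = info.get("CFBundleExecutable")
        if not exe_name:
            raise Exception("Could not locate an executable of the app bundle")
        self.target = path.join(self.target, "Contents", "MacOS", exe_name)
        # Make sure that our target is executable.  Argument-list form: the
        # path (and CFBundleExecutable, which comes from the sample itself) is
        # never interpolated into a shell command line.  Best-effort, as the
        # previous os.system() call was: the exit status is not checked.
        subprocess.call(["/bin/chmod", "+x", self.target])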
================================================
FILE: analyzer/darwin/modules/packages/bash.py
================================================
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
from lib.core.packages import Package
class Bash(Package):
    """ Bash shell script analysis package. """

    def prepare(self):
        """Run the script through /bin/bash: the script path becomes the first
        argument and the interpreter becomes the target."""
        self.target, self.args = "/bin/bash", [self.target] + self.args
================================================
FILE: analyzer/darwin/modules/packages/macho.py
================================================
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
import subprocess
from os import system

from lib.core.packages import Package
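class Macho(Package):
    """ Mach-O executable analysis package. """

    def prepare(self):
        """Make sure that our target is executable.

        Uses the argument-list form so the sample path is never interpolated
        into a shell command line.  Best-effort, as the previous os.system()
        call was: the exit status is not checked.
        """
        subprocess.call(["/bin/chmod", "+x", self.target])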
================================================
FILE: analyzer/darwin/modules/packages/zip.py
================================================
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
import logging
from shutil import move
from os import path, environ
from random import SystemRandom
from string import ascii_letters
from subprocess import check_output
from zipfile import ZipFile, BadZipfile
from lib.core.packages import Package, choose_package_class
# Module-level logger named after this module, so its records can be
# filtered per package.
log = logging.getLogger(name=__name__)
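class Zip(Package):
    """Analysis package for ZIP archives.

    The archive is extracted into ``$TEMP`` (``/tmp`` by default), one member
    is picked (the ``file`` option, else the first entry) and a package for
    that member's type is chosen via ``choose_package_class``; ``start()`` is
    then forwarded to that package.
    """
    real_package = None

    def prepare(self):
        """Extract the archive and instantiate the package for the chosen file.

        Raises:
            Exception: if the archive is invalid or empty, or no package
                matches the chosen file.
        """
        password = self.options.get("password")
        files = self._extract(self.target, password)
        if not files:
            raise Exception("Invalid (or empty) zip archive: %s" % self.target)
        # Look for a file to analyse
        target_name = self.options.get("file")
        if not target_name:
            # If no file name is provided via option, take the first file
            target_name = files[0]
            log.debug("Missing file option, auto executing: %s", target_name)
        filepath = path.join(environ.get("TEMP", "/tmp"), target_name)
        # Remove the trailing slash (if any)
        if filepath.endswith("/"):
            self.target = filepath[:-1]
        else:
            self.target = filepath
        # Since we don't know what kind of file we're going to analyse, let's
        # detect it automatically and create an appropriate analysis package
        # for this file
        file_info = _fileinfo(self.target)
        pkg_class = choose_package_class(file_info, target_name)
        if not pkg_class:
            raise Exception("Unable to detect analysis package for the file %s" % target_name)
        log.debug("Analysing file \"%s\" using package \"%s\"", target_name, pkg_class.__name__)
        kwargs = {
            "options": self.options,
            "timeout": self.timeout,
        }
        # We'll forward start() method invocation to the proper package later
        self.real_package = pkg_class(self.target, self.host, **kwargs)

    def start(self):
        """Prepare, then delegate the actual analysis to the detected package."""
        self.prepare()
        if not self.real_package:
            raise Exception("Invalid analysis package, aborting")
        self.real_package.start()

    def _extract(self, filename, password):
        """Extract *filename* (and any nested ``.zip`` members) into ``$TEMP``.

        Returns the archive's member list, or None when *filename* is not a
        readable ZIP archive.  If *password* is rejected, "infected" is tried
        as a fallback.
        """
        archive_path = _prepare_archive_at_path(filename)
        if not archive_path:
            return None
        # Extraction.
        extract_path = environ.get("TEMP", "/tmp")
        # NOTE(review): member names come from an untrusted archive; keeping
        # writes inside extract_path relies on ZipFile.extractall() discarding
        # absolute paths and ".." components, which modern CPython does --
        # confirm for the guest's Python version.
        with ZipFile(archive_path, "r") as archive:
            try:
                archive.extractall(path=extract_path, pwd=password)
            except BadZipfile:
                raise Exception("Invalid Zip file")
            # Try to extract it again, but with a default password
            except RuntimeError:
                try:
                    archive.extractall(path=extract_path, pwd="infected")
                except RuntimeError as err:
                    raise Exception("Unable to extract Zip file: %s" % err)
            # Recurse into nested archives only once extraction succeeded (with
            # either password).  This used to run in a `finally`, i.e. also on
            # the failure paths above, where a second exception could mask the
            # first.
            self._extract_nested_archives(archive, extract_path, password)
            return archive.namelist()

    def _extract_nested_archives(self, archive, where, password):
        """Recursively extract every ``*.zip`` member already written to *where*."""
        for name in archive.namelist():
            if name.endswith(".zip"):
                self._extract(path.join(where, name), password)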
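def _prepare_archive_at_path(filename):
    """Verify that a readable ZIP archive exists at *filename*.

    Returns the path to use for the archive: normally *filename* itself, but
    if the archive contains a member with the archive's own base name (e.g.
    "foo.zip" containing "foo.zip") the archive is first renamed with a random
    extension so that extracting it does not overwrite it.  Returns None when
    *filename* is not a valid ZIP file.
    """
    # Verify that the archive is actually readable
    try:
        with ZipFile(filename, "r"):
            pass
    except BadZipfile:
        return None
    # Test if zip file contains a file named as itself
    if _is_overwritten(filename):
        # Implicit concatenation: the previous backslash continuation inside the
        # literal put a run of indentation spaces into the message.
        log.debug("ZIP file contains a file with the same name, original is "
                  "going to be overwritten")
        # In this case we just change the file name
        new_zip_path = filename + _random_extension()
        move(filename, new_zip_path)
        filename = new_zip_path
    return filename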
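def _is_overwritten(zip_path):
    """Return True if the archive at *zip_path* has a member named like the
    archive's own base name (so extracting next to it would overwrite it).

    Raises:
        Exception: if *zip_path* is not a valid ZIP file.
    """
    own_name = path.basename(zip_path)
    try:
        # `with` closes the handle, which the previous version never did.
        with ZipFile(zip_path, "r") as archive:
            return any(n == own_name for n in archive.namelist())
    except BadZipfile:
        raise Exception("Invalid Zip file")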
def _random_extension(length=5):
    """Return "." followed by *length* random ASCII letters, drawn from the
    OS CSPRNG via SystemRandom."""
    rng = SystemRandom()
    letters = [rng.choice(ascii_letters) for _ in range(length)]
    return "." + "".join(letters)
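def _fileinfo(target):
    """Return the file(1) type description of *target* (trailing newline kept).

    ``-b`` (brief) makes file(1) omit the "<name>: " prefix, so the result is
    correct even when the path itself contains a colon, which the previous
    ``raw.index(":")`` slicing could not handle.
    """
    return check_output(["file", "-b", target])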
================================================
FILE: analyzer/linux/analyzer.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import datetime
import logging
import os
import pkgutil
import subprocess
import sys
import tempfile
import time
import traceback
import xmlrpclib

from lib.api.process import Process
from lib.common.abstracts import Package, Auxiliary
from lib.common.constants import PATHS
from lib.common.exceptions import CuckooError, CuckooPackageError
from lib.common.results import upload_to_host
from lib.core.config import Config
from lib.core.startup import create_folders, init_logging
from modules import auxiliary
# Root logger; handlers are presumably attached by init_logging() in
# Analyzer.prepare() -- the __main__ block checks log.handlers for that.
log = logging.getLogger()

# PID of this analyzer process.
PID = os.getpid()

# Module-wide bookkeeping shared by add_pids()/dump_files() and Analyzer.run():
# dropped files, already-dumped files, live monitored PIDs, every PID ever seen.
FILES_LIST, DUMPED_LIST, PROCESS_LIST, SEEN_LIST = set(), set(), set(), set()

# PID of the process that spawned the analyzer.
PPID = Process(pid=PID).get_parent_pid()
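def add_pids(pids):
    """Register one or more PIDs for monitoring.

    Accepts a single PID, a tuple/list/set of PIDs, or None (treated as
    "nothing new", since callers pass through get_pids() results).  A PID is
    added to PROCESS_LIST only the first time it is seen (tracked in
    SEEN_LIST), so a PID that already terminated and was dropped from
    PROCESS_LIST is not re-added.
    """
    if pids is None:
        return
    if not isinstance(pids, (tuple, list, set)):
        pids = [pids]
    for pid in pids:
        pid = int(pid)
        log.info("Added new process to list with pid: %s", pid)
        if pid not in SEEN_LIST:
            PROCESS_LIST.add(pid)
        SEEN_LIST.add(pid)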
def dump_files():
    """Dump all the dropped files.

    Not implemented yet: each path in FILES_LIST is only logged.
    """
    for dropped in FILES_LIST:
        log.info("PLS IMPLEMENT DUMP, want to dump %s", dropped)
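class Analyzer:
    """Cuckoo Linux Analyzer.

    This class handles the initialization and execution of the analysis
    procedure, including the auxiliary modules and the analysis packages.
    """

    def __init__(self):
        # Both are filled in by prepare().
        self.config = None
        self.target = None

    def prepare(self):
        """Prepare env for analysis."""
        # Create the folders used for storing the results.
        create_folders()

        # Initialize logging.
        init_logging()

        # Parse the analysis configuration file generated by the agent.
        self.config = Config(cfg="analysis.conf")

        if self.config.get("clock", None):
            # Set virtual machine clock.
            clock = datetime.datetime.strptime(self.config.clock, "%Y%m%dT%H:%M:%S")
            # Setting date and time.  Argument-list form, no shell: the value
            # is re-formatted by strftime, so only a well-formed timestamp
            # ever reaches date(1).
            subprocess.call(["date", "-s", clock.strftime("%y-%m-%d %H:%M:%S")])

        # We update the target according to its category. If it's a file, then
        # we store the path.
        if self.config.category == "file":
            self.target = os.path.join(tempfile.gettempdir(), self.config.file_name)
        # If it's a URL, well.. we store the URL.
        else:
            self.target = self.config.target

    def complete(self):
        """End analysis."""
        # Dump all the notified files.
        dump_files()

        # Hell yeah.
        log.info("Analysis completed.")

    def run(self):
        """Run analysis.
        @return: operation status.
        """
        self.prepare()

        log.debug("Starting analyzer from: %s", os.getcwd())
        log.debug("Storing results at: %s", PATHS["root"])

        # If no analysis package was specified at submission, we try to select
        # one automatically.
        if not self.config.package:
            log.debug("No analysis package specified, trying to detect "
                      "it automagically.")

            if self.config.category == "file":
                package = "generic"
            else:
                package = "wget"

            # If we weren't able to automatically determine the proper package,
            # we need to abort the analysis.
            if not package:
                raise CuckooError("No valid package available for file "
                                  "type: {0}".format(self.config.file_type))

            log.info("Automatically selected analysis package \"%s\"", package)
        # Otherwise just select the specified package.
        else:
            package = self.config.package

        # Generate the package path.
        package_name = "modules.packages.%s" % package

        # Try to import the analysis package.
        try:
            __import__(package_name, globals(), locals(), ["dummy"], -1)
        # If it fails, we need to abort the analysis.
        except ImportError:
            raise CuckooError("Unable to import package \"{0}\", does "
                              "not exist.".format(package_name))

        # Initialize the package parent abstract.
        Package()

        # Enumerate the abstract subclasses.  NOTE(review): this takes the first
        # Package subclass the interpreter knows about, which is the requested
        # package only as long as no other packages module was imported.
        try:
            package_class = Package.__subclasses__()[0]
        except IndexError as e:
            raise CuckooError("Unable to select package class "
                              "(package={0}): {1}".format(package_name, e))

        # Initialize the analysis package.
        pack = package_class(self.config.get_options())

        # Initialize Auxiliary modules
        Auxiliary()
        prefix = auxiliary.__name__ + "."
        for loader, name, ispkg in pkgutil.iter_modules(auxiliary.__path__, prefix):
            if ispkg:
                continue

            # Import the auxiliary module.
            try:
                __import__(name, globals(), locals(), ["dummy"], -1)
            except ImportError as e:
                log.warning("Unable to import the auxiliary module "
                            "\"%s\": %s", name, e)

        # Walk through the available auxiliary modules.
        aux_enabled, aux_avail = [], []
        for module in sorted(Auxiliary.__subclasses__(), key=lambda x: x.priority, reverse=True):
            # Try to start the auxiliary module.  The except clauses log the
            # module class rather than `aux`, which is unbound when module()
            # itself raises.
            try:
                aux = module()
                aux_avail.append(aux)
                aux.start()
            except (NotImplementedError, AttributeError):
                log.warning("Auxiliary module %s was not implemented",
                            module.__name__)
            except Exception as e:
                log.warning("Cannot execute auxiliary module %s: %s",
                            module.__name__, e)
            else:
                # Only a module whose start() succeeded is enabled (and later
                # stop()ped); the previous `finally` registered failed ones too.
                log.debug("Started auxiliary module %s",
                          aux.__class__.__name__)
                aux_enabled.append(aux)

        # Start analysis package. If for any reason, the execution of the
        # analysis package fails, we have to abort the analysis.
        try:
            pids = pack.start(self.target)
        except NotImplementedError:
            raise CuckooError("The package \"{0}\" doesn't contain a run "
                              "function.".format(package_name))
        except CuckooPackageError as e:
            raise CuckooError("The package \"{0}\" start function raised an "
                              "error: {1}".format(package_name, e))
        except Exception as e:
            raise CuckooError("The package \"{0}\" start function encountered "
                              "an unhandled exception: "
                              "{1}".format(package_name, e))

        # If the analysis package returned a list of process IDs, we add them
        # to the list of monitored processes and enable the process monitor.
        if pids:
            add_pids(pids)
            pid_check = True
        # If the package didn't return any process ID (for example in the case
        # where the package isn't enabling any behavioral analysis), we don't
        # enable the process monitor.
        else:
            log.info("No process IDs returned by the package, running "
                     "for the full timeout.")
            pid_check = False

        # Check in the options if the user toggled the timeout enforce. If so,
        # we need to override pid_check and disable process monitor.
        if self.config.enforce_timeout:
            log.info("Enabled timeout enforce, running for the full timeout.")
            pid_check = False

        time_counter = 0

        while True:
            time_counter += 1
            # `>=` rather than `==` so a timeout below 1 cannot be skipped over
            # and loop forever.
            if time_counter >= int(self.config.timeout):
                log.info("Analysis timeout hit, terminating analysis.")
                break

            try:
                # If the process monitor is enabled we start checking whether
                # the monitored processes are still alive.
                if pid_check:
                    for pid in list(PROCESS_LIST):
                        if not Process(pid=pid).is_alive():
                            log.info("Process with pid %s has terminated", pid)
                            PROCESS_LIST.remove(pid)

                    # ask the package if it knows any new pids
                    add_pids(pack.get_pids())

                    # also ask the auxiliaries
                    for aux in aux_avail:
                        add_pids(aux.get_pids())

                    # If none of the monitored processes are still alive, we
                    # can terminate the analysis.
                    if not PROCESS_LIST:
                        log.info("Process list is empty, "
                                 "terminating analysis.")
                        break

                    # Update the list of monitored processes available to the
                    # analysis package. It could be used for internal
                    # operations within the module.
                    pack.set_pids(PROCESS_LIST)

                try:
                    # The analysis packages are provided with a function that
                    # is executed at every loop's iteration. If such function
                    # returns False, it means that it requested the analysis
                    # to be terminate.
                    if not pack.check():
                        log.info("The analysis package requested the "
                                 "termination of the analysis.")
                        break
                # If the check() function of the package raised some exception
                # we don't care, we can still proceed with the analysis but we
                # throw a warning.
                except Exception as e:
                    log.warning("The package \"%s\" check function raised "
                                "an exception: %s", package_name, e)
            except Exception as e:
                log.exception("The PID watching loop raised an exception: %s", e)
            finally:
                # Zzz.
                time.sleep(1)

        try:
            # Before shutting down the analysis, the package can perform some
            # final operations through the finish() function.
            pack.finish()
        except Exception as e:
            log.warning("The package \"%s\" finish function raised an "
                        "exception: %s", package_name, e)

        try:
            # Upload files the package created to package_files in the results folder
            package_files = pack.package_files()
            if package_files is not None:
                for guest_path, upload_name in package_files:
                    upload_to_host(guest_path, os.path.join("package_files", upload_name))
        except Exception as e:
            log.warning("The package \"%s\" package_files function raised an "
                        "exception: %s", package_name, e)

        # Terminate the Auxiliary modules.
        for aux in sorted(aux_enabled, key=lambda x: x.priority):
            try:
                aux.stop()
            except (NotImplementedError, AttributeError):
                continue
            except Exception as e:
                log.warning("Cannot terminate auxiliary module %s: %s",
                            aux.__class__.__name__, e)

        if self.config.terminate_processes:
            # Try to terminate remaining active processes. We do this to make sure
            # that we clean up remaining open handles (sockets, files, etc.).
            log.info("Terminating remaining processes before shutdown.")

            for pid in PROCESS_LIST:
                proc = Process(pid=pid)
                if proc.is_alive():
                    try:
                        proc.terminate()
                    except Exception:
                        # Best-effort cleanup; a process that cannot be killed
                        # must not abort the shutdown sequence.
                        continue

        # Run the finish callback of every available Auxiliary module.
        for aux in aux_avail:
            try:
                aux.finish()
            except (NotImplementedError, AttributeError):
                continue
            except Exception as e:
                log.warning("Exception running finish callback of auxiliary "
                            "module %s: %s", aux.__class__.__name__, e)

        # Let's invoke the completion procedure.
        self.complete()

        return True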
if __name__ == "__main__":
    success, error = False, ""

    try:
        # Initialize the main analyzer class, run it and keep its status.
        analyzer = Analyzer()
        success = analyzer.run()

    except KeyboardInterrupt:
        # This is not likely to happen.
        error = "Keyboard Interrupt"

    except Exception as e:
        # A CuckooError (critical failure) or anything unexpected: remember the
        # message for the agent and log the traceback locally.
        error_exc = traceback.format_exc()
        error = str(e)

        # Just to be paranoid: fall back to stderr if logging was never set up.
        if log.handlers:
            log.exception(error_exc)
        else:
            sys.stderr.write("%s\n" % error_exc)

    finally:
        # Whatever happened, report back to the agent's XMLRPC server so it can
        # in turn report back to the host.
        server = xmlrpclib.Server("http://127.0.0.1:8000")
        server.complete(success, error, PATHS["root"])
================================================
FILE: analyzer/linux/lib/__init__.py
================================================
================================================
FILE: analyzer/linux/lib/api/__init__.py
================================================
================================================
FILE: analyzer/linux/lib/api/process.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import os
import subprocess
import logging
# Module-level logger named after this module.
log = logging.getLogger(name=__name__)
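class Process:
    """Linux process, identified by PID and inspected through /proc."""

    first_process = True
    first_process_pid = None

    def __init__(self, pid=0):
        """@param pid: PID of the process to wrap (0 until execute() is used).
        """
        self.pid = pid

    def is_alive(self):
        """Return True if /proc has a readable, non-zombie entry for this PID."""
        if not os.path.exists("/proc/%u" % self.pid):
            return False
        status = self.get_proc_status()
        if not status:
            return False
        if "zombie" in status.get("State:", ""):
            return False
        return True

    def get_parent_pid(self):
        """Return the parent PID as the string found in /proc/<pid>/status,
        or None if it cannot be read.

        The status keys keep their trailing colon ("PPid:"); the previous
        lookup used "PPid" and therefore always returned None.
        """
        return self.get_proc_status().get("PPid:", None)

    def get_proc_status(self):
        """Parse /proc/<pid>/status into a {"Key:": "value"} dict.

        Returns an empty dict (after logging) if the file cannot be read,
        e.g. because the process is gone.  Lines without a value (such as an
        empty "Groups:") map to "" instead of breaking the whole parse, which
        the previous tuple unpacking did.
        """
        try:
            with open("/proc/%u/status" % self.pid) as status_file:
                lines = status_file.readlines()
        except (IOError, OSError):
            log.critical("could not get process status for pid %u", self.pid)
            return {}
        status_values = {}
        for line in lines:
            parts = line.strip().split(None, 1)
            if parts:
                status_values[parts[0]] = parts[1] if len(parts) > 1 else ""
        return status_values

    def execute(self, cmd):
        """Start *cmd* (an argument list for subprocess.Popen, no shell) and
        adopt its PID.  Always returns True; a spawn failure raises OSError
        from Popen.
        """
        self.proc = proc = subprocess.Popen(cmd)
        self.pid = proc.pid
        return True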
================================================
FILE: analyzer/linux/lib/common/__init__.py
================================================
================================================
FILE: analyzer/linux/lib/common/abstracts.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
from lib.api.process import Process
from lib.common.exceptions import CuckooPackageError
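class Package(object):
    """Base abstract analysis package."""
    PATHS = []

    def __init__(self, options=None):
        """@param options: options dict; a fresh empty dict when omitted."""
        # A fresh dict per instance: a shared mutable default would leak
        # options between package instances.
        self.options = {} if options is None else options
        self.pids = []

    def set_pids(self, pids):
        """Update list of monitored PIDs in the package context.
        @param pids: list of pids.
        """
        self.pids = pids

    def start(self):
        """Run analysis package.
        @raise NotImplementedError: this method is abstract.
        """
        raise NotImplementedError

    def check(self):
        """Check hook; the base implementation always returns True."""
        return True

    def execute(self, cmd):
        """Starts an executable for analysis.
        @param cmd: argv list handed to Process.execute()
        @return: process pid
        @raise CuckooPackageError: when the process could not be started.
        """
        p = Process()
        if not p.execute(cmd):
            raise CuckooPackageError("Unable to execute the initial process, "
                                     "analysis aborted.")
        return p.pid

    def package_files(self):
        """A list of files to upload to host.
        The list should be a list of tuples (<path on guest>, <name of file in package_files folder>).
        (package_files is a folder that will be created in analysis folder).
        """
        return None

    def finish(self):
        """Finish run.
        If specified to do so, this method dumps the memory of
        all running processes.
        """
        if self.options.get("procmemdump"):
            for pid in self.pids:
                p = Process(pid=pid)
                # NOTE(review): the Linux Process in lib/api/process.py
                # defines no dump_memory(), so this raises AttributeError
                # when procmemdump is set — confirm before relying on it.
                p.dump_memory()
        return True

    def get_pids(self):
        """PIDs discovered by the package itself; none by default."""
        return []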
class Auxiliary(object):
    """Base class for auxiliary modules; priority orders them, get_pids reports nothing."""
    priority = 0

    def get_pids(self):
        """PIDs discovered by the module; the base implementation has none."""
        return list()
================================================
FILE: analyzer/linux/lib/common/constants.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import os
import tempfile
from lib.common.utils import random_string
# Per-analysis working directory: a randomly named folder under the system
# temp dir.
ROOT = os.path.join(tempfile.gettempdir(), random_string(6, 10))

# Sub-folders the analyzer writes into, keyed by their short name.
PATHS = {name: os.path.join(ROOT, name)
         for name in ("logs", "files", "shots", "memory", "drop")}
PATHS["root"] = ROOT
================================================
FILE: analyzer/linux/lib/common/exceptions.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
class CuckooError(Exception):
    """Critical analysis failure; raised to terminate the analysis."""
class CuckooPackageError(Exception):
    """Failure inside an analysis package (e.g. the sample could not be started)."""
================================================
FILE: analyzer/linux/lib/common/hashing.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import hashlib
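# Read size for hashing, in bytes.
BUFSIZE = 1024 * 1024


def sha256_file(path):
    """Return the hex SHA-256 digest of the file at *path*."""
    return hash_file(hashlib.sha256, path)


def hash_file(method, path):
    """Calculates an hash on a file by path.
    @param method: callable hashing method
    @param path: file path
    @return: computed hash string
    @raise IOError: when the file cannot be opened.
    """
    h = method()
    # The context manager releases the descriptor even when reading fails;
    # the original left the file open.
    with open(path, "rb") as f:
        while True:
            buf = f.read(BUFSIZE)
            if not buf:
                break
            h.update(buf)
    return h.hexdigest()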
================================================
FILE: analyzer/linux/lib/common/results.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import logging
import socket
import time
from lib.core.config import Config
# Module logger and the chunk size used when streaming files to the host.
log = logging.getLogger(name=__name__)
BUFSIZE = 1 << 20
def upload_to_host(file_path, dump_path):
    """Stream the guest file *file_path* to the host, stored as *dump_path*.

    Failures are logged, never raised; both the netlog connection and the
    local file are closed on every path.
    """
    nc = None
    infd = None
    try:
        nc = NetlogFile(dump_path)
        infd = open(file_path, "rb")
        while True:
            chunk = infd.read(BUFSIZE)
            if not chunk:
                break
            # No reconnect on a broken stream: a partial retry would corrupt
            # the file on the host side.
            nc.send(chunk, retry=False)
    except Exception as e:
        log.error("Exception uploading file %s to host: %s", file_path, e)
    finally:
        if infd:
            infd.close()
        if nc:
            nc.close()
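class NetlogConnection(object):
    """TCP stream to the host (ip/port from analysis.conf), opened with a
    *proto* header that tells the host what the stream carries."""

    def __init__(self, proto=""):
        config = Config(cfg="analysis.conf")
        self.hostip, self.hostport = config.ip, config.port
        self.sock, self.file = None, None
        self.proto = proto

    def connect(self):
        """Connect to the host and send the protocol header.

        Retries with a growing delay (capped at 60s) until it succeeds:
        without this connection the whole analysis is useless anyway.
        """
        delay = 1
        while True:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                s.connect((self.hostip, self.hostport))
                s.sendall(self.proto)
            except Exception:
                # Release the failed socket before retrying; otherwise every
                # attempt leaks a descriptor while the host is unreachable.
                # Not a bare except, so Ctrl-C still ends the loop.
                s.close()
                time.sleep(delay)
                delay = min(delay + 1, 60)
            else:
                self.sock = s
                self.file = s.makefile()
                return

    def send(self, data, retry=True):
        """Send *data*; on a socket error reconnect once when *retry* is set."""
        if not self.sock:
            self.connect()
        try:
            self.sock.sendall(data)
        except socket.error:
            if not retry:
                raise
            self.connect()
            self.send(data, retry=False)
        except Exception as e:
            log.error("Unhandled exception in NetlogConnection: %s", str(e))
            # We really have nowhere to log this, if the netlog connection
            # does not work, we can assume that any logging won't work either.
            # So we just fail silently.
            self.close()

    def close(self):
        """Close the file object and the socket; each independently, errors ignored."""
        for closable in (self.file, self.sock):
            try:
                closable.close()
            except Exception:
                # None or an already-closed object; the socket must still be
                # closed even when closing the file object failed.
                pass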
class NetlogFile(NetlogConnection):
    """Netlog stream announcing a file upload; the FILE header carries *filepath*."""

    def __init__(self, filepath):
        self.filepath = filepath
        header = "FILE\n{0}\n".format(self.filepath)
        NetlogConnection.__init__(self, proto=header)
        # Connect eagerly so callers can write to .sock right away.
        self.connect()
class NetlogHandler(logging.Handler, NetlogConnection):
    """logging.Handler that ships formatted records over a LOG netlog stream."""

    def __init__(self):
        logging.Handler.__init__(self)
        NetlogConnection.__init__(self, proto="LOG\n")
        self.connect()

    def emit(self, record):
        """Format *record* and send it as one line."""
        line = "{0}\n".format(self.format(record))
        self.send(line)
================================================
FILE: analyzer/linux/lib/common/utils.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import random
import string
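def random_string(minimum, maximum=None):
    """Return a random string of ASCII letters.

    @param minimum: shortest length (and the exact length when maximum is None)
    @param maximum: longest length, inclusive
    @return: string of random ascii letters
    """
    if maximum is None:
        maximum = minimum
    # SystemRandom draws from the OS entropy source. The result names the
    # analysis directory under the shared temp dir (lib/common/constants.py),
    # so it should not be predictable from the default generator's state.
    rng = random.SystemRandom()
    count = rng.randint(minimum, maximum)
    return "".join(rng.choice(string.ascii_letters) for _ in range(count))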
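def random_integer(digits):
    """Return a random integer with exactly *digits* decimal digits.

    @param digits: number of digits (>= 1)
    @return: int in [10**(digits-1), 10**digits - 1]
    """
    start = 10 ** (digits - 1)
    end = (10 ** digits) - 1
    # Same entropy source as random_string(), see there.
    return random.SystemRandom().randint(start, end)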
================================================
FILE: analyzer/linux/lib/core/__init__.py
================================================
================================================
FILE: analyzer/linux/lib/core/config.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import ConfigParser
class Config:
    """Flat view of an INI file: every option of every section becomes an
    attribute, coerced to bool, then int, else left as a string."""

    def __init__(self, cfg):
        """@param cfg: configuration file."""
        parser = ConfigParser.ConfigParser(allow_no_value=True)
        parser.read(cfg)
        for section in parser.sections():
            for name, _raw_value in parser.items(section):
                setattr(self, name, self._coerce(parser, section, name))

    @staticmethod
    def _coerce(parser, section, name):
        """Return the typed value of one option (file_name is never coerced)."""
        if name == "file_name":
            return parser.get(section, name)
        try:
            return parser.getboolean(section, name)
        except ValueError:
            pass
        try:
            return parser.getint(section, name)
        except ValueError:
            return parser.get(section, name)

    def get(self, name, default=None):
        """Attribute lookup with a fallback for options that were not set."""
        return getattr(self, name, default)

    def get_options(self):
        """Get analysis options.
        @return: options dict.
        """
        # The analysis package can be provided with some options in the
        # following format:
        # option1=value1,option2=value2,option3=value3
        #
        # Here we parse such options and provide a dictionary that will be made
        # accessible to the analysis package.
        if not hasattr(self, "options"):
            return {}
        options = {}
        for field in self.options.split(","):
            # A field without "=" is not a key/value pair and is ignored.
            if "=" not in field:
                continue
            key, value = field.split("=", 1)
            options[key.strip()] = value.strip()
        return options
================================================
FILE: analyzer/linux/lib/core/startup.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import os
import logging
from lib.common.constants import PATHS
from lib.common.results import NetlogHandler
log = logging.getLogger()
def create_folders():
    """Create every folder in PATHS; existing folders and creation failures are skipped."""
    for folder in PATHS.values():
        if os.path.exists(folder):
            continue
        try:
            os.makedirs(folder)
        except OSError:
            # Best effort only; nothing to report here.
            pass
def init_logging():
    """Attach a stderr handler and the netlog handler to the root logger, at DEBUG."""
    formatter = logging.Formatter("%(asctime)s [%(name)s] %(levelname)s: %(message)s")

    def attach(handler):
        handler.setFormatter(formatter)
        log.addHandler(handler)

    attach(logging.StreamHandler())
    # NetlogHandler connects to the host in its constructor.
    attach(NetlogHandler())
    log.setLevel(logging.DEBUG)
================================================
FILE: analyzer/linux/modules/__init__.py
================================================
================================================
FILE: analyzer/linux/modules/auxiliary/__init__.py
================================================
================================================
FILE: analyzer/linux/modules/auxiliary/lkm.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import logging
import os
import platform
import subprocess

from lib.common.abstracts import Auxiliary
from lib.common.results import NetlogFile
from lib.core.config import Config
log = logging.getLogger(__name__)
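class LKM(Auxiliary):
    """helper LKM for sleep skipping etc"""

    def __init__(self):
        self.config = Config(cfg="analysis.conf")
        # PIDs already handed out by get_pids().
        self.pids_reported = set()

    def _locate_module(self):
        """Return the probelkm.ko to load, or None when no candidate exists."""
        candidates = [
            # highest priority: if the vm config specifies the path
            self.config.get("analyzer_lkm_path", None),
            # next: if the analyzer was uploaded with a module for our platform
            os.path.join(platform.machine(), "probelkm.ko"),
            # next: default path inside the machine
            "/root/.cuckoo/probelkm.ko",
            # next: generic module uploaded with the analyzer (single arch setup maybe?)
            "probelkm.ko",
        ]
        for path in candidates:
            if path and os.path.exists(path):
                return path
        return None

    def start(self):
        """Load the probe module, tracing this process and its descendants.
        @return: True when insmod was invoked, False when no module was found.
        """
        path = self._locate_module()
        if path is None:
            log.warning("Could not find probelkm :(")
            return False
        # argv list instead of a shell string: the path from analysis.conf
        # reaches insmod verbatim (spaces or shell metacharacters in it are
        # neither split nor interpreted).
        subprocess.call([
            "insmod", path, "trace_descendants=1", "target_pid=%u" % os.getpid(),
        ])
        return True

    def get_pids(self):
        """Return PIDs probelkm reported as forked that were not returned before."""
        new = []
        with open("/var/log/kern.log") as fd:
            for line in fd:
                if "[probelkm]" not in line:
                    continue
                pos1 = line.find("forked to ")
                pos2 = line.find("@", pos1 + 10)
                if pos1 == -1 or pos2 == -1:
                    continue
                try:
                    forked_pid = int(line[pos1 + 10:pos2])
                except ValueError:
                    # Truncated or garbled kernel log line; skip it rather
                    # than abort PID collection.
                    continue
                if forked_pid in self.pids_reported:
                    continue
                self.pids_reported.add(forked_pid)
                new.append(forked_pid)
        return new

    def stop(self):
        """Upload the probelkm lines of the kernel log; the module stays loaded."""
        # i guess we don't need to unload at all
        # now upload the logfile
        nf = NetlogFile("logs/all.lkm")
        try:
            with open("/var/log/kern.log") as fd:
                for line in fd:
                    if "[probelkm]" not in line:
                        continue
                    nf.sock.sendall(line)  # dirty direct send, no reconnecting
        finally:
            nf.close()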
================================================
FILE: analyzer/linux/modules/auxiliary/stap.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import os
import subprocess
import time
import logging
import platform
from lib.common.abstracts import Auxiliary
from lib.common.results import NetlogFile
from lib.core.config import Config
log = logging.getLogger(__name__)
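class STAP(Auxiliary):
    """system-wide syscall trace with stap."""
    priority = -10  # low prio to wrap tightly around the analysis

    def __init__(self):
        self.config = Config(cfg="analysis.conf")
        # Set by start_strace() when no stap module is available.
        self.fallback_strace = False

    @staticmethod
    def _has_stap(p):
        """Return the first stap_*.ko found in directory *p*, else False."""
        only_stap = [fn for fn in os.listdir(p)
                     if fn.startswith("stap_") and fn.endswith(".ko")]
        if only_stap:
            return os.path.join(p, only_stap[0])
        return False

    def _locate_module(self):
        """Return the stap module path to run, or False when none is found."""
        # highest priority: if the vm config specifies the path
        configured = self.config.get("analyzer_stap_path", None)
        if configured and os.path.exists(configured):
            # Must be the STAP key: reading analyzer_lkm_path here (the LKM
            # module's setting) meant a configured STAP path was never used.
            return configured
        # next: a module uploaded with the analyzer for our platform, then
        # the default path inside the machine
        for directory in (platform.machine(), "/root/.cuckoo"):
            if os.path.exists(directory):
                found = self._has_stap(directory)
                if found:
                    return found
        # last: generic module uploaded with the analyzer (single arch setup maybe?)
        return self._has_stap(".")

    def start(self):
        """Start staprun on the located module, or fall back to strace.
        @return: True
        """
        path = self._locate_module()
        if not path:
            # we can't find the stap module, fallback to strace
            log.warning("Could not find STAP LKM, falling back to strace.")
            return self.start_strace()
        stap_start = time.time()
        with open("stap.stderr", "wb") as stderrfd:
            # The child inherits its own copy of the descriptor, so the
            # parent's handle is released right after spawning.
            self.proc = subprocess.Popen(
                ["staprun", "-v", "-x", str(os.getpid()), "-o", "stap.log", path],
                stderr=stderrfd,
            )
        # staprun's stderr is not parsed for a "ready" marker; a fixed delay
        # gives the module time to load before the analysis starts.
        time.sleep(10)
        log.info("STAP aux module startup took %.2f seconds", time.time() - stap_start)
        return True

    def start_strace(self):
        """Trace this process tree with strace instead of stap.
        @return: True
        """
        try:
            os.mkdir("strace")
        except OSError:
            pass  # don't worry, it exists
        with open("strace/strace.stderr", "wb") as stderrfd:
            self.proc = subprocess.Popen(
                ["strace", "-ff", "-o", "strace/straced", "-p", str(os.getpid())],
                stderr=stderrfd,
            )
        self.fallback_strace = True
        return True

    def get_pids(self):
        """Return the strace process PID when strace is in use, else nothing."""
        if self.fallback_strace:
            return [self.proc.pid]
        return []

    @staticmethod
    def _upload(local_path, remote_name):
        """Send *local_path* to the host as logs/<remote_name>."""
        nf = NetlogFile("logs/%s" % remote_name)
        try:
            with open(local_path, "rb") as fd:
                for chunk in fd:
                    nf.sock.sendall(chunk)  # dirty direct send, no reconnecting
        finally:
            nf.close()

    def stop(self):
        """Kill the tracer and upload its log file(s)."""
        try:
            r = self.proc.poll()
            log.debug("stap subprocess retval %r", r)
            self.proc.kill()
        except Exception as e:
            log.warning("Exception killing stap: %s", e)
        if os.path.exists("stap.log"):
            # now upload the logfile
            self._upload("stap.log", "all.stap")
        # in case we fell back to strace
        if os.path.exists("strace"):
            for fn in os.listdir("strace"):
                # we don't need the logs from the analyzer python process itself
                if fn == "straced.%u" % os.getpid():
                    continue
                self._upload(os.path.join("strace", fn), fn)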
================================================
FILE: analyzer/linux/modules/packages/__init__.py
================================================
================================================
FILE: analyzer/linux/modules/packages/generic.py
================================================
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import os
from lib.common.abstracts import Package
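class Generic(Package):
    """Generic analysis package. Uses shell based execution.
    """

    def __init__(self, *args, **kwargs):
        Package.__init__(self, *args, **kwargs)
        # PIDs already returned by get_pids().
        self.seen_pids = set()

    def start(self, path):
        """Make the sample executable and launch it through sh.
        @param path: sample path on the guest
        @return: pid of the started process
        """
        os.chmod(path, 0o755)
        # NOTE(review): sh -c treats *path* as a command line, so a path with
        # spaces or shell metacharacters is not executed as-is — confirm the
        # host never supplies one.
        return self.execute(["sh", "-c", path])

    def get_pids(self):
        """Return PIDs probelkm reported as forked that were not returned before."""
        probelkm_pids = set()
        with open("/var/log/kern.log") as fd:
            for line in fd:
                if "[probelkm]" not in line or "forked to" not in line:
                    continue
                # [probelkm] task 2102@0x00007fa5d0b8b576 forked to 2107@0xffffffff81352f6d
                parts = line[line.find("[probelkm]"):].split()
                pid, _rip = parts[-1].split("@")
                probelkm_pids.add(int(pid))
        new_pids = probelkm_pids - self.seen_pids
        self.seen_pids |= new_pids
        return list(new_pids)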
================================================
FILE: analyzer/windows/analyzer.py
================================================
# Copyright (C) 2011-2013 Claudio Guarnieri.
# Copyright (C) 2014-2018 Cuckoo Foundation.
# Copyright (C) 2020-2021 PowerLZY.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import datetime
import hashlib
import logging
import os
import pkgutil
import socket
import struct
import sys
import threading
import traceback
import urllib
import urllib2
import xmlrpclib
import zipfile
from lib.api.process import Process
from lib.common.abstracts import Package, Auxiliary
from lib.common.constants import SHUTDOWN_MUTEX
from lib.common.decide import dump_memory
from lib.common.defines import KERNEL32
from lib.common.exceptions import CuckooError, CuckooDisableModule
from lib.common.hashing import hash_file
from lib.common.rand import random_string
from lib.common.results import upload_to_host
from lib.core.config import Config
from lib.core.ioctl import zer0m0n
from lib.core.packages import choose_package
from lib.core.pipe import PipeServer, PipeForwarder, PipeDispatcher
from lib.core.pipe import disconnect_pipes
from lib.core.privileges import grant_privilege
from lib.core.startup import init_logging, disconnect_logger, set_clock
from modules import auxiliary
log = logging.getLogger("analyzer")
class Files(object):
PROTECTED_NAMES = ()
def __init__(self):
self.files = {}
self.files_orig = {}
self.dumped = []
def is_protected_filename(self, file_name):
"""
Return whether or not to inject into a process with this name.
"""
return file_name.lower() in self.PROTECTED_NAMES
def add_pid(self, filepath, pid, verbose=True):
"""Track a process identifier for this file."""
if not pid or filepath.lower() not in self.files:
return
if pid not in self.files[filepath.lower()]:
self.files[filepath.lower()].append(pid)
verbose and log.info("Added pid %s for %r", pid, filepath)
def add_file(self, filepath, pid=None):
"""Add filepath to the list of files and track the pid."""
if filepath.lower() not in self.files:
log.info(
"Added new file to list with pid %s and path %s",
pid, filepath.encode("utf8")
)
self.files[filepath.lower()] = []
self.files_orig[filepath.lower()] = filepath
self.add_pid(filepath, pid, verbose=False)
def dump_file(self, filepath):
"""Dump a file to the host."""
if not os.path.isfile(filepath):
log.warning("File at path %r does not exist, skip.", filepath)
return False
# Check whether we've already dumped this file -
gitextract_a6c_s16r/
├── .codeclimate.yml
├── .gitignore
├── .travis.yml
├── LICENSE.txt
├── README.md
├── __init__.py
├── _config.yml
├── agent/
│ ├── agent.py
│ └── agent.sh
├── analyzer/
│ ├── android/
│ │ ├── __init__.py
│ │ ├── analyzer.py
│ │ ├── config/
│ │ │ └── hooks.json
│ │ ├── lib/
│ │ │ ├── __init__.py
│ │ │ ├── api/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── adb.py
│ │ │ │ └── screenshot.py
│ │ │ ├── common/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── abstracts.py
│ │ │ │ ├── constants.py
│ │ │ │ ├── exceptions.py
│ │ │ │ ├── results.py
│ │ │ │ └── utils.py
│ │ │ └── core/
│ │ │ ├── __init__.py
│ │ │ ├── config.py
│ │ │ ├── packages.py
│ │ │ └── startup.py
│ │ └── modules/
│ │ ├── __init__.py
│ │ ├── auxiliary/
│ │ │ ├── __init__.py
│ │ │ └── screenshots.py
│ │ └── packages/
│ │ ├── __init__.py
│ │ ├── apk.py
│ │ └── default_browser.py
│ ├── darwin/
│ │ ├── __init__.py
│ │ ├── analyzer.py
│ │ ├── lib/
│ │ │ ├── __init__.py
│ │ │ ├── common/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── config.py
│ │ │ │ ├── hashing.py
│ │ │ │ ├── rand.py
│ │ │ │ └── results.py
│ │ │ ├── core/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── constants.py
│ │ │ │ ├── data/
│ │ │ │ │ ├── signatures.yml
│ │ │ │ │ └── types.yml
│ │ │ │ ├── filetimes.py
│ │ │ │ ├── host.py
│ │ │ │ ├── osx.py
│ │ │ │ └── packages.py
│ │ │ └── dtrace/
│ │ │ ├── __init__.py
│ │ │ ├── apicalls.d
│ │ │ ├── apicalls.py
│ │ │ ├── autoprobes.py
│ │ │ ├── common.py
│ │ │ ├── dtruss.py
│ │ │ ├── dtruss.sh
│ │ │ ├── follow_children.d
│ │ │ ├── ipconnections.d
│ │ │ └── ipconnections.py
│ │ └── modules/
│ │ ├── __init__.py
│ │ └── packages/
│ │ ├── __init__.py
│ │ ├── app.py
│ │ ├── bash.py
│ │ ├── macho.py
│ │ └── zip.py
│ ├── linux/
│ │ ├── analyzer.py
│ │ ├── lib/
│ │ │ ├── __init__.py
│ │ │ ├── api/
│ │ │ │ ├── __init__.py
│ │ │ │ └── process.py
│ │ │ ├── common/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── abstracts.py
│ │ │ │ ├── constants.py
│ │ │ │ ├── exceptions.py
│ │ │ │ ├── hashing.py
│ │ │ │ ├── results.py
│ │ │ │ └── utils.py
│ │ │ └── core/
│ │ │ ├── __init__.py
│ │ │ ├── config.py
│ │ │ └── startup.py
│ │ └── modules/
│ │ ├── __init__.py
│ │ ├── auxiliary/
│ │ │ ├── __init__.py
│ │ │ ├── lkm.py
│ │ │ └── stap.py
│ │ └── packages/
│ │ ├── __init__.py
│ │ └── generic.py
│ └── windows/
│ ├── analyzer.py
│ ├── bin/
│ │ ├── procmon.pmc
│ │ ├── rules.yarac
│ │ └── zer0m0n-x64.sys
│ ├── lib/
│ │ ├── __init__.py
│ │ ├── api/
│ │ │ ├── __init__.py
│ │ │ ├── process.py
│ │ │ └── screenshot.py
│ │ ├── common/
│ │ │ ├── __init__.py
│ │ │ ├── abstracts.py
│ │ │ ├── constants.py
│ │ │ ├── decide.py
│ │ │ ├── defines.py
│ │ │ ├── exceptions.py
│ │ │ ├── hashing.py
│ │ │ ├── rand.py
│ │ │ ├── registry.py
│ │ │ └── results.py
│ │ └── core/
│ │ ├── __init__.py
│ │ ├── config.py
│ │ ├── driver.py
│ │ ├── ioctl.py
│ │ ├── packages.py
│ │ ├── pipe.py
│ │ ├── privileges.py
│ │ └── startup.py
│ └── modules/
│ ├── __init__.py
│ ├── auxiliary/
│ │ ├── __init__.py
│ │ ├── dbgview.py
│ │ ├── disguise.py
│ │ ├── dumptls.py
│ │ ├── human.py
│ │ ├── installcert.py
│ │ ├── procmon.py
│ │ ├── reboot.py
│ │ ├── recentfiles.py
│ │ ├── screenshots.py
│ │ └── zer0m0n.py
│ └── packages/
│ ├── __init__.py
│ ├── applet.py
│ ├── bin.py
│ ├── com.py
│ ├── cpl.py
│ ├── dll.py
│ ├── doc.py
│ ├── exe.py
│ ├── ff.py
│ ├── generic.py
│ ├── hta.py
│ ├── hwp.py
│ ├── ie.py
│ ├── jar.py
│ ├── js.py
│ ├── jse.py
│ ├── msi.py
│ ├── pdf.py
│ ├── ppt.py
│ ├── ps1.py
│ ├── pub.py
│ ├── python.py
│ ├── reboot.py
│ ├── vbs.py
│ ├── wsf.py
│ ├── xls.py
│ └── zip.py
├── conf/
│ ├── auxiliary.conf
│ ├── avd.conf
│ ├── cuckoo.conf
│ ├── cuckooml.conf
│ ├── detection.conf
│ ├── esx.conf
│ ├── kvm.conf
│ ├── memory.conf
│ ├── physical.conf
│ ├── processing.conf
│ ├── qemu.conf
│ ├── reporting.conf
│ ├── virtualbox.conf
│ ├── vmware.conf
│ ├── vpn.conf
│ ├── vsphere.conf
│ └── xenserver.conf
├── cuckoo.py
├── data/
│ ├── __init__.py
│ ├── android/
│ │ ├── anti-vm/
│ │ │ ├── fake-build.prop
│ │ │ ├── fake-cpuinfo
│ │ │ └── fake-drivers
│ │ ├── apps/
│ │ │ ├── ImportContacts.apk
│ │ │ ├── Superuser.apk
│ │ │ └── de.robv.android.xposed.installer_v33_36570c.apk
│ │ ├── binaries/
│ │ │ └── su
│ │ ├── create_guest_avd.sh
│ │ └── hooking/
│ │ ├── Droidmon.apk
│ │ └── EmulatorAntiDetect.apk
│ ├── guids.txt
│ ├── html/
│ │ ├── base-report.html
│ │ ├── base-web.html
│ │ ├── browse.html
│ │ ├── error.html
│ │ ├── graphic/
│ │ │ └── logo.html
│ │ ├── js/
│ │ │ └── functions.js
│ │ ├── pagination-menu.html
│ │ ├── pagination-rpp.html
│ │ ├── report.html
│ │ ├── sections/
│ │ │ ├── behavior.html
│ │ │ ├── dropped.html
│ │ │ ├── errors.html
│ │ │ ├── file.html
│ │ │ ├── info.html
│ │ │ ├── network.html
│ │ │ ├── screenshots.html
│ │ │ ├── signatures.html
│ │ │ ├── static.html
│ │ │ ├── url.html
│ │ │ └── volatility.html
│ │ ├── submit.html
│ │ └── success.html
│ ├── mitm.py
│ ├── models/
│ │ ├── MalConv/
│ │ │ ├── malconvtest.py
│ │ │ └── pretrained_malconv.pth
│ │ ├── apistats/
│ │ │ ├── extract_apifeatures.py
│ │ │ └── standard.txt
│ │ └── strings_ngram/
│ │ ├── XGB_model.pkl
│ │ └── raw_train_sample.csv
│ ├── peutils/
│ │ └── UserDB.TXT
│ ├── src/
│ │ └── binpackage/
│ │ ├── Makefile
│ │ └── execsc.c
│ ├── strace.stp
│ ├── test-internet.vbs
│ ├── whitelist/
│ │ └── domain.txt
│ └── yara/
│ ├── binaries/
│ │ ├── embedded.yar
│ │ ├── shellcodes.yar
│ │ └── vmdetect.yar
│ ├── memory/
│ │ ├── .gitignore
│ │ └── index_memory.yar
│ └── urls/
│ └── .gitignore
├── distributed/
│ ├── alembic.ini
│ ├── app.py
│ ├── distributed/
│ │ ├── __init__.py
│ │ ├── api.py
│ │ ├── app.py
│ │ ├── db.py
│ │ ├── exception.py
│ │ └── views/
│ │ ├── __init__.py
│ │ └── api.py
│ ├── instance.py
│ ├── migration/
│ │ ├── env.py
│ │ ├── script.py.mako
│ │ └── versions/
│ │ ├── 151400d38e03_node_status_timestamp_index.py
│ │ ├── 166078eb1311_change_node_id_to_name.py
│ │ ├── 2aa59981b59d_node_task_not_unique.py
│ │ ├── 37c08c9655bb_initial_database.py
│ │ ├── 3cc1509b7fdc_node_status.py
│ │ ├── 3d1d8fd2cdbb_timestamps.py
│ │ ├── 4b86bc0d40aa_node_mode.py
│ │ ├── 4d0a2590e997_node_task_index.py
│ │ └── 69ecf07a99b_finished_to_status.py
│ ├── requirements.txt
│ └── settings.py
├── docs/
│ ├── .debug.yml
│ ├── CNAME
│ ├── Gemfile
│ ├── Makefile
│ ├── README.md
│ ├── _config.yml
│ └── book/
│ ├── DevelopmentDocumentation.md
│ ├── Installation.md
│ ├── Introduction.md
│ ├── README.md
│ ├── Usage.md
│ └── 设计文档.md
├── docs-old/
│ ├── AUTHORS
│ ├── CHANGELOG
│ ├── LICENSE
│ ├── README
│ └── book/
│ └── src/
│ ├── Makefile
│ ├── conf.py
│ ├── customization/
│ │ ├── auxiliary.rst
│ │ ├── index.rst
│ │ ├── machinery.rst
│ │ ├── packages.rst
│ │ ├── processing.rst
│ │ ├── reporting.rst
│ │ └── signatures.rst
│ ├── development/
│ │ ├── code_style.rst
│ │ ├── development_notes.rst
│ │ └── index.rst
│ ├── faq/
│ │ └── index.rst
│ ├── finalremarks/
│ │ └── index.rst
│ ├── index.rst
│ ├── installation/
│ │ ├── guest/
│ │ │ ├── agent.rst
│ │ │ ├── cloning.rst
│ │ │ ├── creation.rst
│ │ │ ├── index.rst
│ │ │ ├── network.rst
│ │ │ ├── requirements.rst
│ │ │ └── saving.rst
│ │ ├── guest_physical/
│ │ │ ├── creation.rst
│ │ │ ├── index.rst
│ │ │ ├── network.rst
│ │ │ ├── requirements.rst
│ │ │ └── saving.rst
│ │ ├── host/
│ │ │ ├── configuration.rst
│ │ │ ├── configuration_android.rst
│ │ │ ├── index.rst
│ │ │ ├── installation.rst
│ │ │ └── requirements.rst
│ │ ├── index.rst
│ │ └── upgrade.rst
│ ├── introduction/
│ │ ├── index.rst
│ │ ├── license.rst
│ │ ├── sandboxing.rst
│ │ └── what.rst
│ └── usage/
│ ├── api.rst
│ ├── clean.rst
│ ├── dist.rst
│ ├── index.rst
│ ├── packages.rst
│ ├── results.rst
│ ├── start.rst
│ ├── submit.rst
│ ├── utilities.rst
│ └── web.rst
├── examples/
│ ├── cuckooml.ipynb
│ ├── cuckooml.py
│ ├── detectiontest.py
│ ├── getjsondata.py
│ ├── instance.py
│ ├── loader.py
│ ├── ml.py
│ └── rundetectiontest.py
├── lib/
│ ├── __init__.py
│ └── cuckoo/
│ ├── __init__.py
│ ├── common/
│ │ ├── __init__.py
│ │ ├── abstracts.py
│ │ ├── colors.py
│ │ ├── compare.py
│ │ ├── config.py
│ │ ├── constants.py
│ │ ├── defines.py
│ │ ├── dns.py
│ │ ├── exceptions.py
│ │ ├── irc.py
│ │ ├── logo.py
│ │ ├── netlog.py
│ │ ├── objects.py
│ │ ├── utils.py
│ │ ├── virustotal.py
│ │ └── whitelist.py
│ └── core/
│ ├── __init__.py
│ ├── database.py
│ ├── guest.py
│ ├── plugins.py
│ ├── resultserver.py
│ ├── rooter.py
│ ├── scheduler.py
│ └── startup.py
├── modules/
│ ├── __init__.py
│ ├── auxiliary/
│ │ ├── __init__.py
│ │ ├── mitm.py
│ │ ├── services.py
│ │ └── sniffer.py
│ ├── detection/
│ │ ├── __init__.py
│ │ ├── apistats.py
│ │ ├── malconv.py
│ │ ├── model.py
│ │ └── strings.py
│ ├── machinery/
│ │ ├── __init__.py
│ │ ├── avd.py
│ │ ├── esx.py
│ │ ├── kvm.py
│ │ ├── physical.py
│ │ ├── qemu.py
│ │ ├── virtualbox.py
│ │ ├── vmware.py
│ │ ├── vsphere.py
│ │ └── xenserver.py
│ ├── processing/
│ │ ├── __init__.py
│ │ ├── analysisinfo.py
│ │ ├── apkinfo.py
│ │ ├── baseline.py
│ │ ├── behavior.py
│ │ ├── buffer.py
│ │ ├── cuckooml.py
│ │ ├── debug.py
│ │ ├── droidmon.py
│ │ ├── dropped.py
│ │ ├── dumptls.py
│ │ ├── googleplay.py
│ │ ├── memory.py
│ │ ├── network.py
│ │ ├── platform/
│ │ │ ├── __init__.py
│ │ │ ├── linux.py
│ │ │ └── windows.py
│ │ ├── procmemory.py
│ │ ├── screenshots.py
│ │ ├── snort.py
│ │ ├── static.py
│ │ ├── strings.py
│ │ ├── suricata.py
│ │ ├── targetinfo.py
│ │ └── virustotal.py
│ └── reporting/
│ ├── __init__.py
│ ├── elasticsearch.py
│ ├── jsondump.py
│ ├── moloch.py
│ ├── mongodb.py
│ └── reporthtml.py
├── oldweb/
│ ├── .gitignore
│ ├── analysis/
│ │ ├── __init__.py
│ │ ├── forms.py
│ │ ├── templatetags/
│ │ │ ├── __init__.py
│ │ │ └── analysis_tags.py
│ │ ├── urls.py
│ │ └── views.py
│ ├── compare/
│ │ ├── __init__.py
│ │ ├── urls.py
│ │ └── views.py
│ ├── dashboard/
│ │ ├── __init__.py
│ │ ├── urls.py
│ │ └── views.py
│ ├── manage.py
│ ├── static/
│ │ ├── css/
│ │ │ ├── lightbox.css
│ │ │ └── style.css
│ │ └── js/
│ │ ├── app.js
│ │ ├── bootstrap-fileupload.js
│ │ ├── hexdump.js
│ │ ├── jquery.js
│ │ └── lightbox.js
│ ├── submission/
│ │ ├── __init__.py
│ │ ├── urls.py
│ │ └── views.py
│ ├── templates/
│ │ ├── analysis/
│ │ │ ├── admin/
│ │ │ │ └── index.html
│ │ │ ├── behavior/
│ │ │ │ ├── _api_call.html
│ │ │ │ ├── _chunk.html
│ │ │ │ ├── _processes.html
│ │ │ │ ├── _search.html
│ │ │ │ ├── _search_results.html
│ │ │ │ ├── _tree.html
│ │ │ │ ├── _tree_process.html
│ │ │ │ └── index.html
│ │ │ ├── buffers/
│ │ │ │ └── index.html
│ │ │ ├── dropped/
│ │ │ │ └── index.html
│ │ │ ├── export.html
│ │ │ ├── import.html
│ │ │ ├── index.html
│ │ │ ├── memory/
│ │ │ │ ├── _apihooks.html
│ │ │ │ ├── _callbacks.html
│ │ │ │ ├── _devicetree.html
│ │ │ │ ├── _gdt.html
│ │ │ │ ├── _idt.html
│ │ │ │ ├── _malfind.html
│ │ │ │ ├── _messagehooks.html
│ │ │ │ ├── _modscan.html
│ │ │ │ ├── _netscan.html
│ │ │ │ ├── _pslist.html
│ │ │ │ ├── _sockscan.html
│ │ │ │ ├── _ssdt.html
│ │ │ │ ├── _svcscan.html
│ │ │ │ ├── _timers.html
│ │ │ │ ├── _yarascan.html
│ │ │ │ └── index.html
│ │ │ ├── network/
│ │ │ │ ├── _dns.html
│ │ │ │ ├── _hosts.html
│ │ │ │ ├── _http.html
│ │ │ │ ├── _icmp.html
│ │ │ │ ├── _irc.html
│ │ │ │ ├── _snort.html
│ │ │ │ ├── _suricata.html
│ │ │ │ ├── _tcp.html
│ │ │ │ ├── _udp.html
│ │ │ │ └── index.html
│ │ │ ├── overview/
│ │ │ │ ├── _file.html
│ │ │ │ ├── _info.html
│ │ │ │ ├── _screenshots.html
│ │ │ │ ├── _signatures.html
│ │ │ │ ├── _summary.html
│ │ │ │ ├── _url.html
│ │ │ │ └── index.html
│ │ │ ├── pending.html
│ │ │ ├── procmemory/
│ │ │ │ └── index.html
│ │ │ ├── report.html
│ │ │ ├── search.html
│ │ │ ├── search_results.html
│ │ │ └── static/
│ │ │ ├── _antivirus.html
│ │ │ ├── _pe32.html
│ │ │ ├── _strings.html
│ │ │ └── index.html
│ │ ├── base.html
│ │ ├── compare/
│ │ │ ├── _info.html
│ │ │ ├── _summary_table.html
│ │ │ ├── both.html
│ │ │ ├── hash.html
│ │ │ └── left.html
│ │ ├── dashboard/
│ │ │ └── index.html
│ │ ├── error.html
│ │ ├── footer.html
│ │ ├── header.html
│ │ ├── standalone_error.html
│ │ ├── submission/
│ │ │ ├── complete.html
│ │ │ ├── index.html
│ │ │ └── status.html
│ │ └── success.html
│ └── web/
│ ├── __init__.py
│ ├── headers.py
│ ├── local_settings.py
│ ├── secret_key.py
│ ├── settings.py
│ ├── urls.py
│ └── wsgi.py
├── requirements.txt
└── utils/
├── api.py
├── community.py
├── darwin/
│ ├── bootstrap_guest.sh
│ └── bootstrap_host.sh
├── db_migration/
│ ├── alembic.ini
│ ├── env.py
│ ├── script.py.mako
│ └── versions/
│ ├── from_0_6_to_1_1.py
│ ├── from_1_1_to_1_2-added_states.py
│ ├── from_1_1_to_1_2-extend_file_type.py
│ ├── from_1_2_to_1_3-add_task_owner.py
│ ├── from_1_2_to_2_0-guest_status.py
│ ├── from_1_2_to_2_0-machine_options.py
│ ├── from_1_2_to_2_0-processing-column.py
│ └── from_1_2_to_2_0-taken-route.py
├── dnsserve.py
├── machine.py
├── process.py
├── process2.py
├── rawdb.py
├── rooter.py
├── service.sh
├── setup.sh
├── smtp_sinkhole.py
├── start-distributed.sh
├── stats.py
├── stop-distributed.sh
├── submit.py
├── suricata.sh
└── vpncheck.py
SYMBOL INDEX (1903 symbols across 216 files)
FILE: agent/agent.py
class Agent (line 28) | class Agent(object):
method __init__ (line 41) | def __init__(self):
method _initialize (line 52) | def _initialize(self):
method get_status (line 78) | def get_status(self):
method get_error (line 86) | def get_error(self):
method add_malware (line 94) | def add_malware(self, data, name):
method add_config (line 126) | def add_config(self, options):
method add_analyzer (line 160) | def add_analyzer(self, data):
method execute (line 183) | def execute(self):
method complete (line 203) | def complete(self, success=True, error="", results=""):
function FakeGetFQDN (line 229) | def FakeGetFQDN(name=""):
FILE: analyzer/android/analyzer.py
class Analyzer (line 25) | class Analyzer(object):
method __init__ (line 26) | def __init__(self):
method complete (line 30) | def complete(self):
method get_options (line 34) | def get_options(self):
method prepare (line 65) | def prepare(self):
method run (line 81) | def run(self):
FILE: analyzer/android/lib/api/adb.py
function install_sample (line 14) | def install_sample(path):
function execute_sample (line 26) | def execute_sample(package, activity):
function dump_droidmon_logs (line 41) | def dump_droidmon_logs(package):
function execute_browser (line 65) | def execute_browser(url):
function take_screenshot (line 80) | def take_screenshot(filename):
FILE: analyzer/android/lib/api/screenshot.py
class Screenshot (line 21) | class Screenshot:
method have_pil (line 24) | def have_pil(self):
method equal_old (line 30) | def equal_old(self, img1, img2):
method equal (line 52) | def equal(self, img1, img2):
FILE: analyzer/android/lib/common/abstracts.py
class Package (line 6) | class Package(object):
method __init__ (line 9) | def __init__(self, options={}):
method set_pids (line 14) | def set_pids(self, pids):
method start (line 20) | def start(self):
method check (line 27) | def check(self):
method finish (line 33) | def finish(self):
class Auxiliary (line 39) | class Auxiliary(object):
FILE: analyzer/android/lib/common/constants.py
function _rand_string (line 10) | def _rand_string(a, b):
FILE: analyzer/android/lib/common/exceptions.py
class CuckooError (line 6) | class CuckooError(Exception):
class CuckooPackageError (line 9) | class CuckooPackageError(Exception):
FILE: analyzer/android/lib/common/results.py
function upload_to_host (line 16) | def upload_to_host(file_path, dump_path):
class NetlogConnection (line 34) | class NetlogConnection(object):
method __init__ (line 35) | def __init__(self, proto=""):
method connect (line 41) | def connect(self):
method send (line 54) | def send(self, data, retry=True):
method close (line 73) | def close(self):
class NetlogFile (line 79) | class NetlogFile(NetlogConnection):
method __init__ (line 80) | def __init__(self, filepath):
class NetlogHandler (line 85) | class NetlogHandler(logging.Handler, NetlogConnection):
method __init__ (line 86) | def __init__(self):
method emit (line 91) | def emit(self, record):
FILE: analyzer/android/lib/common/utils.py
function send_file (line 8) | def send_file(name, data):
FILE: analyzer/android/lib/core/config.py
class Config (line 8) | class Config:
method __init__ (line 9) | def __init__(self, cfg):
FILE: analyzer/android/lib/core/packages.py
function choose_package (line 6) | def choose_package(file_type, file_name):
FILE: analyzer/android/lib/core/startup.py
function create_folders (line 14) | def create_folders():
function init_logging (line 25) | def init_logging():
FILE: analyzer/android/modules/auxiliary/screenshots.py
class Screenshots (line 18) | class Screenshots(Auxiliary, Thread):
method __init__ (line 21) | def __init__(self):
method stop (line 25) | def stop(self):
method run (line 29) | def run(self):
FILE: analyzer/android/modules/packages/apk.py
class Apk (line 13) | class Apk(Package):
method __init__ (line 15) | def __init__(self, options={}):
method start (line 20) | def start(self, path):
method check (line 24) | def check(self):
method finish (line 27) | def finish(self):
FILE: analyzer/android/modules/packages/default_browser.py
class default_browser (line 9) | class default_browser(Package):
method __init__ (line 11) | def __init__(self, options={}):
method start (line 14) | def start(self, target):
method check (line 17) | def check(self):
method finish (line 20) | def finish(self):
FILE: analyzer/darwin/analyzer.py
class Macalyzer (line 21) | class Macalyzer(object):
method __init__ (line 31) | def __init__(self, host, configuration=None):
method bootstrap (line 35) | def bootstrap(self):
method run (line 40) | def run(self):
method _complete (line 56) | def _complete(self):
method _detect_target (line 65) | def _detect_target(self):
method _setup_analysis_package (line 71) | def _setup_analysis_package(self):
method _analysis (line 92) | def _analysis(self, package):
method _upload_file (line 96) | def _upload_file(self, filepath):
function _create_result_folders (line 116) | def _create_result_folders():
function _setup_logging (line 126) | def _setup_logging():
FILE: analyzer/darwin/lib/common/config.py
class Config (line 7) | class Config:
method __init__ (line 8) | def __init__(self, cfg):
method get_options (line 27) | def get_options(self):
FILE: analyzer/darwin/lib/common/hashing.py
function hash_file (line 8) | def hash_file(method, path):
FILE: analyzer/darwin/lib/common/rand.py
function random_string (line 4) | def random_string(minimum, maximum=None):
function random_integer (line 11) | def random_integer(digits):
FILE: analyzer/darwin/lib/common/results.py
function upload_to_host (line 14) | def upload_to_host(file_path, dump_path):
class NetlogConnection (line 32) | class NetlogConnection(object):
method __init__ (line 33) | def __init__(self, proto=""):
method connect (line 39) | def connect(self):
method send (line 55) | def send(self, data, retry=True):
method close (line 73) | def close(self):
class NetlogFile (line 80) | class NetlogFile(NetlogConnection):
method __init__ (line 81) | def __init__(self, filepath):
class NetlogHandler (line 86) | class NetlogHandler(logging.Handler, NetlogConnection):
method __init__ (line 87) | def __init__(self):
method emit (line 92) | def emit(self, record):
FILE: analyzer/darwin/lib/core/filetimes.py
function dt_to_filetime (line 36) | def dt_to_filetime(dt, delta_from_utc):
FILE: analyzer/darwin/lib/core/host.py
class CuckooHost (line 17) | class CuckooHost(object):
method __init__ (line 41) | def __init__(self, host_ip, host_port):
method send_api (line 46) | def send_api(self, thing):
method _create_socket (line 89) | def _create_socket(self):
method _send_api_description (line 97) | def _send_api_description(self, lookup_idx, thing):
method _send_new_process (line 122) | def _send_new_process(self, thing):
method _prepare_args (line 163) | def _prepare_args(self, thing):
method _verify_is_success (line 171) | def _verify_is_success(self, thing):
method _api_category (line 184) | def _api_category(self, thing):
method _api_args_description (line 190) | def _api_args_description(self, thing):
method _load_human_readable_info (line 203) | def _load_human_readable_info(self):
function _proc_name_from_pid (line 214) | def _proc_name_from_pid(pid):
function _filetime_from_timestamp (line 225) | def _filetime_from_timestamp(timestamp):
function _description_file_path (line 233) | def _description_file_path():
FILE: analyzer/darwin/lib/core/osx.py
function set_wallclock (line 9) | def set_wallclock(clock_str, **kwargs):
FILE: analyzer/darwin/lib/core/packages.py
function choose_package_class (line 12) | def choose_package_class(file_type, file_name, suggestion=None):
function _found_target_class (line 40) | def _found_target_class(module, name):
function _guess_package_name (line 48) | def _guess_package_name(file_type, file_name):
class Package (line 61) | class Package(object):
method __init__ (line 67) | def __init__(self, target, host, **kwargs):
method prepare (line 84) | def prepare(self):
method start (line 88) | def start(self):
method apicalls_analysis (line 99) | def apicalls_analysis(self):
method handle_files (line 111) | def handle_files(self, call):
method open_file (line 127) | def open_file(self, filepath):
method move_file (line 130) | def move_file(self, frompath, topath):
method copy_file (line 136) | def copy_file(self, frompath, topath):
method remove_file (line 140) | def remove_file(self, filepath):
function _string_to_bool (line 145) | def _string_to_bool(raw):
FILE: analyzer/darwin/lib/dtrace/apicalls.py
function apicalls (line 19) | def apicalls(target, **kwargs):
function _dtrace_command_line (line 50) | def _dtrace_command_line(target, **kwargs):
function _parse_entry (line 81) | def _parse_entry(entry):
function _stringify_args (line 95) | def _stringify_args(args):
FILE: analyzer/darwin/lib/dtrace/autoprobes.py
function generate_probes (line 11) | def generate_probes(definitions, output_path, overwrite=True):
function read_definitions (line 26) | def read_definitions(fromfile):
function read_types (line 35) | def read_types(infile):
function dump_probes (line 40) | def dump_probes(probes, tofile):
function probe_from_definition (line 48) | def probe_from_definition(definition, types):
function entry_probe_from_definition (line 60) | def entry_probe_from_definition(df):
function return_probe_from_definition (line 70) | def return_probe_from_definition(df, types):
function typedefs_for_custom_structs (line 88) | def typedefs_for_custom_structs(defs, types):
function arguments_section (line 119) | def arguments_section(args, types):
function arguments_format_string (line 129) | def arguments_format_string(args, types):
function retval_section (line 137) | def retval_section(retval_type, types):
function printf_format_for_type (line 144) | def printf_format_for_type(t, types):
function printf_format_for_struct (line 154) | def printf_format_for_struct(t, types):
function serialize_argument_at_idx (line 167) | def serialize_argument_at_idx(idx, all_args, accessor, types):
function serialize_type (line 173) | def serialize_type(name, accessor, types):
function serialize_atomic_type (line 185) | def serialize_atomic_type(argtype, cast, accessor):
function serialize_struct_type (line 199) | def serialize_struct_type(struct_type, accessor, types):
function serialize_type_with_template (line 215) | def serialize_type_with_template(oftype, accessor, types):
function dereference_type (line 225) | def dereference_type(t):
function type_description (line 235) | def type_description(name, types):
function push_on_stack_section (line 242) | def push_on_stack_section(args):
function pop_from_stack_section (line 255) | def pop_from_stack_section(args):
FILE: analyzer/darwin/lib/dtrace/common.py
function sanitize_path (line 9) | def sanitize_path(raw_path):
function path_for_script (line 13) | def path_for_script(script):
function current_directory (line 17) | def current_directory():
function filelines (line 20) | def filelines(source_file):
FILE: analyzer/darwin/lib/dtrace/dtruss.py
function dtruss (line 18) | def dtruss(target, **kwargs):
function _parse_syscall (line 86) | def _parse_syscall(string):
FILE: analyzer/darwin/lib/dtrace/ipconnections.py
function ipconnections (line 17) | def ipconnections(target, **kwargs):
function _parse_single_entry (line 55) | def _parse_single_entry(entry):
FILE: analyzer/darwin/modules/packages/app.py
class App (line 10) | class App(Package):
method prepare (line 13) | def prepare(self):
FILE: analyzer/darwin/modules/packages/bash.py
class Bash (line 8) | class Bash(Package):
method prepare (line 11) | def prepare(self):
FILE: analyzer/darwin/modules/packages/macho.py
class Macho (line 9) | class Macho(Package):
method prepare (line 12) | def prepare(self):
FILE: analyzer/darwin/modules/packages/zip.py
class Zip (line 17) | class Zip(Package):
method prepare (line 21) | def prepare(self):
method start (line 58) | def start(self):
method _extract (line 65) | def _extract(self, filename, password):
method _extract_nested_archives (line 86) | def _extract_nested_archives(self, archive, where, password):
function _prepare_archive_at_path (line 92) | def _prepare_archive_at_path(filename):
function _is_overwritten (line 116) | def _is_overwritten(zip_path):
function _random_extension (line 125) | def _random_extension(length=5):
function _fileinfo (line 129) | def _fileinfo(target):
FILE: analyzer/linux/analyzer.py
function add_pids (line 33) | def add_pids(pids):
function dump_files (line 44) | def dump_files():
class Analyzer (line 49) | class Analyzer:
method __init__ (line 56) | def __init__(self):
method prepare (line 60) | def prepare(self):
method complete (line 86) | def complete(self):
method run (line 94) | def run(self):
FILE: analyzer/linux/lib/api/process.py
class Process (line 11) | class Process:
method __init__ (line 16) | def __init__(self, pid=0):
method is_alive (line 21) | def is_alive(self):
method get_parent_pid (line 28) | def get_parent_pid(self):
method get_proc_status (line 31) | def get_proc_status(self):
method execute (line 40) | def execute(self, cmd):
FILE: analyzer/linux/lib/common/abstracts.py
class Package (line 8) | class Package(object):
method __init__ (line 12) | def __init__(self, options={}):
method set_pids (line 17) | def set_pids(self, pids):
method start (line 23) | def start(self):
method check (line 29) | def check(self):
method execute (line 33) | def execute(self, cmd):
method package_files (line 46) | def package_files(self):
method finish (line 53) | def finish(self):
method get_pids (line 65) | def get_pids(self):
class Auxiliary (line 68) | class Auxiliary(object):
method get_pids (line 71) | def get_pids(self):
FILE: analyzer/linux/lib/common/exceptions.py
class CuckooError (line 5) | class CuckooError(Exception):
class CuckooPackageError (line 8) | class CuckooPackageError(Exception):
FILE: analyzer/linux/lib/common/hashing.py
function sha256_file (line 9) | def sha256_file(path):
function hash_file (line 12) | def hash_file(method, path):
FILE: analyzer/linux/lib/common/results.py
function upload_to_host (line 15) | def upload_to_host(file_path, dump_path):
class NetlogConnection (line 33) | class NetlogConnection(object):
method __init__ (line 34) | def __init__(self, proto=""):
method connect (line 40) | def connect(self):
method send (line 56) | def send(self, data, retry=True):
method close (line 74) | def close(self):
class NetlogFile (line 81) | class NetlogFile(NetlogConnection):
method __init__ (line 82) | def __init__(self, filepath):
class NetlogHandler (line 87) | class NetlogHandler(logging.Handler, NetlogConnection):
method __init__ (line 88) | def __init__(self):
method emit (line 93) | def emit(self, record):
FILE: analyzer/linux/lib/common/utils.py
function random_string (line 8) | def random_string(minimum, maximum=None):
function random_integer (line 15) | def random_integer(digits):
FILE: analyzer/linux/lib/core/config.py
class Config (line 7) | class Config:
method __init__ (line 8) | def __init__(self, cfg):
method get (line 27) | def get(self, name, default=None):
method get_options (line 32) | def get_options(self):
FILE: analyzer/linux/lib/core/startup.py
function create_folders (line 13) | def create_folders():
function init_logging (line 24) | def init_logging():
FILE: analyzer/linux/modules/auxiliary/lkm.py
class LKM (line 15) | class LKM(Auxiliary):
method __init__ (line 18) | def __init__(self):
method start (line 22) | def start(self):
method get_pids (line 42) | def get_pids(self):
method stop (line 62) | def stop(self):
FILE: analyzer/linux/modules/auxiliary/stap.py
class STAP (line 17) | class STAP(Auxiliary):
method __init__ (line 21) | def __init__(self):
method start (line 25) | def start(self):
method start_strace (line 67) | def start_strace(self):
method get_pids (line 76) | def get_pids(self):
method stop (line 81) | def stop(self):
FILE: analyzer/linux/modules/packages/generic.py
class Generic (line 9) | class Generic(Package):
method __init__ (line 13) | def __init__(self, *args, **kwargs):
method start (line 17) | def start(self, path):
method get_pids (line 21) | def get_pids(self):
FILE: analyzer/windows/analyzer.py
class Files (line 42) | class Files(object):
method __init__ (line 45) | def __init__(self):
method is_protected_filename (line 50) | def is_protected_filename(self, file_name):
method add_pid (line 56) | def add_pid(self, filepath, pid, verbose=True):
method add_file (line 65) | def add_file(self, filepath, pid=None):
method dump_file (line 77) | def dump_file(self, filepath):
method delete_file (line 109) | def delete_file(self, filepath, pid=None):
method move_file (line 118) | def move_file(self, oldfilepath, newfilepath, pid=None):
method dump_files (line 126) | def dump_files(self):
class ProcessList (line 131) | class ProcessList(object):
method __init__ (line 132) | def __init__(self):
method add_pid (line 136) | def add_pid(self, pid, track=True):
method add_pids (line 148) | def add_pids(self, pids):
method has_pid (line 156) | def has_pid(self, pid, notrack=True):
method remove_pid (line 166) | def remove_pid(self, pid):
class CommandPipeHandler (line 174) | class CommandPipeHandler(object):
method __init__ (line 182) | def __init__(self, analyzer):
method _handle_debug (line 186) | def _handle_debug(self, data):
method _handle_info (line 190) | def _handle_info(self, data):
method _handle_warning (line 194) | def _handle_warning(self, data):
method _handle_critical (line 198) | def _handle_critical(self, data):
method _handle_loaded (line 202) | def _handle_loaded(self, data):
method _handle_getpids (line 221) | def _handle_getpids(self, data):
method _inject_process (line 225) | def _inject_process(self, process_id, thread_id, mode):
method _handle_process (line 286) | def _handle_process(self, data):
method _handle_process2 (line 296) | def _handle_process2(self, data):
method _handle_file_new (line 312) | def _handle_file_new(self, data):
method _handle_file_del (line 316) | def _handle_file_del(self, data):
method _handle_file_move (line 323) | def _handle_file_move(self, data):
method _handle_kill (line 335) | def _handle_kill(self, data):
method _handle_dumpmem (line 344) | def _handle_dumpmem(self, data):
method _handle_dumpreqs (line 352) | def _handle_dumpreqs(self, data):
method _handle_track (line 372) | def _handle_track(self, data):
method dispatch (line 387) | def dispatch(self, data):
class Analyzer (line 417) | class Analyzer(object):
method __init__ (line 426) | def __init__(self):
method get_pipe_path (line 442) | def get_pipe_path(self, name):
method prepare (line 453) | def prepare(self):
method stop (line 523) | def stop(self):
method complete (line 529) | def complete(self):
method run (line 541) | def run(self):
FILE: analyzer/windows/lib/api/process.py
function spCreateProcessW (line 27) | def spCreateProcessW(application_name, command_line, process_attributes,
function subprocess_checkcall (line 97) | def subprocess_checkcall(args, env=None):
function subprocess_checkoutput (line 103) | def subprocess_checkoutput(args, env=None):
class Process (line 108) | class Process(object):
method __init__ (line 118) | def __init__(self, pid=None, tid=None, process_name=None):
method set_config (line 129) | def set_config(config):
method get_system_info (line 133) | def get_system_info(self):
method open_process (line 138) | def open_process(self):
method open_thread (line 142) | def open_thread(self):
method exit_code (line 146) | def exit_code(self):
method get_filepath (line 158) | def get_filepath(self):
method is_alive (line 190) | def is_alive(self):
method get_parent_pid (line 196) | def get_parent_pid(self):
method _encode_args (line 225) | def _encode_args(self, args):
method is32bit (line 239) | def is32bit(self, pid=None, process_name=None, path=None):
method execute (line 278) | def execute(self, path, args=None, dll=None, free=False, curdir=None,
method terminate (line 402) | def terminate(self):
method inject (line 418) | def inject(self, dll=None, apc=False, track=True, mode=None):
method drop_config (line 486) | def drop_config(self, track=True, mode=None, trigger=None):
method dump_memory (line 524) | def dump_memory(self, addr=None, length=None):
FILE: analyzer/windows/lib/api/screenshot.py
class Screenshot (line 22) | class Screenshot:
method _draw_rectangle (line 25) | def _draw_rectangle(self, img, xy):
method have_pil (line 35) | def have_pil(self):
method equal (line 41) | def equal(self, img1, img2, skip_area=None):
method take (line 75) | def take(self):
FILE: analyzer/windows/lib/common/abstracts.py
class Package (line 15) | class Package(object):
method __init__ (line 20) | def __init__(self, options={}, analyzer=None):
method set_pids (line 32) | def set_pids(self, pids):
method start (line 38) | def start(self, target):
method check (line 44) | def check(self):
method enum_paths (line 48) | def enum_paths(self):
method get_path (line 74) | def get_path(self, application):
method get_path_glob (line 86) | def get_path_glob(self, application):
method move_curdir (line 99) | def move_curdir(self, filepath):
method init_regkeys (line 109) | def init_regkeys(self, regkeys):
method execute (line 131) | def execute(self, path, args, mode=None, maximize=False, env=None,
method package_files (line 171) | def package_files(self):
method finish (line 178) | def finish(self):
class Auxiliary (line 189) | class Auxiliary(object):
method __init__ (line 190) | def __init__(self, options={}, analyzer=None):
method init (line 194) | def init(self):
method start (line 197) | def start(self):
method stop (line 200) | def stop(self):
FILE: analyzer/windows/lib/common/decide.py
function dump_memory (line 8) | def dump_memory(pid):
FILE: analyzer/windows/lib/common/defines.py
class STARTUPINFO (line 109) | class STARTUPINFO(Structure):
class PROCESS_INFORMATION (line 131) | class PROCESS_INFORMATION(Structure):
class LUID (line 139) | class LUID(Structure):
class LUID_AND_ATTRIBUTES (line 145) | class LUID_AND_ATTRIBUTES(Structure):
class TOKEN_PRIVILEGES (line 151) | class TOKEN_PRIVILEGES(Structure):
class MEMORY_BASIC_INFORMATION (line 157) | class MEMORY_BASIC_INFORMATION(Structure):
class PROC_STRUCT (line 168) | class PROC_STRUCT(Structure):
class SYSTEM_INFO_UNION (line 174) | class SYSTEM_INFO_UNION(Union):
class SYSTEM_INFO (line 180) | class SYSTEM_INFO(Structure):
class SYSTEMTIME (line 194) | class SYSTEMTIME(Structure):
class UNICODE_STRING (line 207) | class UNICODE_STRING(Structure):
FILE: analyzer/windows/lib/common/exceptions.py
class CuckooError (line 6) | class CuckooError(Exception):
class CuckooPackageError (line 9) | class CuckooPackageError(Exception):
class CuckooDisableModule (line 12) | class CuckooDisableModule(CuckooError):
FILE: analyzer/windows/lib/common/hashing.py
function hash_file (line 9) | def hash_file(method, path):
FILE: analyzer/windows/lib/common/rand.py
function random_string (line 4) | def random_string(minimum, maximum=None):
function random_integer (line 11) | def random_integer(digits):
FILE: analyzer/windows/lib/common/registry.py
function rename_regkey (line 59) | def rename_regkey(skey, ssubkey, dsubkey):
function regkey_exists (line 82) | def regkey_exists(rootkey, subkey):
function set_regkey (line 90) | def set_regkey(rootkey, subkey, name, type_, value):
function set_regkey_full (line 112) | def set_regkey_full(regkey, type_, value):
function del_regkey (line 124) | def del_regkey(rootkey, regkey):
function query_value (line 127) | def query_value(rootkey, subkey, name):
FILE: analyzer/windows/lib/common/results.py
function upload_to_host (line 17) | def upload_to_host(file_path, dump_path, pids=[]):
class NetlogConnection (line 36) | class NetlogConnection(object):
method __init__ (line 37) | def __init__(self, proto=""):
method connect (line 43) | def connect(self):
method send (line 58) | def send(self, data, retry=True):
method close (line 77) | def close(self):
class NetlogFile (line 85) | class NetlogFile(NetlogConnection):
method init (line 86) | def init(self, dump_path, filepath=None, pids=[]):
class NetlogHandler (line 97) | class NetlogHandler(logging.Handler, NetlogConnection):
method __init__ (line 98) | def __init__(self):
method emit (line 103) | def emit(self, record):
FILE: analyzer/windows/lib/core/config.py
class Config (line 8) | class Config:
method __init__ (line 9) | def __init__(self, cfg):
method parse_options (line 34) | def parse_options(self, options):
FILE: analyzer/windows/lib/core/driver.py
class Driver (line 15) | class Driver(object):
method __init__ (line 16) | def __init__(self, driver_name, install_name):
method install (line 21) | def install(self):
method copy_driver (line 33) | def copy_driver(self):
method set_regkey (line 58) | def set_regkey(self, key, type_, value):
method del_regkeys (line 65) | def del_regkeys(self):
method load_driver (line 75) | def load_driver(self):
FILE: analyzer/windows/lib/core/ioctl.py
class Ioctl (line 23) | class Ioctl(object):
method __init__ (line 24) | def __init__(self, pipepath):
method invoke (line 27) | def invoke(self, ctlcode, value, outlength=0x1000):
class Zer0m0nIoctl (line 61) | class Zer0m0nIoctl(Ioctl):
method invoke (line 74) | def invoke(self, action, buf):
method addpid (line 82) | def addpid(self, pid):
method cmdpipe (line 85) | def cmdpipe(self, pipe):
method channel (line 88) | def channel(self, pipe):
method dumpmem (line 91) | def dumpmem(self, pid):
method yarald (line 94) | def yarald(self, rulepath):
method getpids (line 97) | def getpids(self):
method hidepid (line 101) | def hidepid(self, pid):
method dumpint (line 104) | def dumpint(self, ms):
method resultserver (line 107) | def resultserver(self, ip, port):
FILE: analyzer/windows/lib/core/packages.py
function has_com_exports (line 6) | def has_com_exports(exports):
function choose_package (line 20) | def choose_package(file_type, file_name, exports):
FILE: analyzer/windows/lib/core/pipe.py
class PipeForwarder (line 25) | class PipeForwarder(threading.Thread):
method __init__ (line 31) | def __init__(self, pipe_handle, destination):
method run (line 37) | def run(self):
method stop (line 111) | def stop(self):
class PipeDispatcher (line 114) | class PipeDispatcher(threading.Thread):
method __init__ (line 118) | def __init__(self, pipe_handle, dispatcher):
method _read_message (line 124) | def _read_message(self, buf):
method run (line 142) | def run(self):
method stop (line 161) | def stop(self):
class PipeServer (line 164) | class PipeServer(threading.Thread):
method __init__ (line 168) | def __init__(self, pipe_handler, pipe_name, message=False, **kwargs):
method run (line 177) | def run(self):
method stop (line 206) | def stop(self):
function disconnect_pipes (line 215) | def disconnect_pipes():
FILE: analyzer/windows/lib/core/privileges.py
function grant_privilege (line 12) | def grant_privilege(privilege):
FILE: analyzer/windows/lib/core/startup.py
function init_logging (line 15) | def init_logging():
function disconnect_logger (line 32) | def disconnect_logger():
function set_clock (line 36) | def set_clock(clock):
FILE: analyzer/windows/modules/auxiliary/dbgview.py
class DbgView (line 20) | class DbgView(Auxiliary):
method start (line 22) | def start(self):
method stop (line 45) | def stop(self):
FILE: analyzer/windows/modules/auxiliary/disguise.py
class Disguise (line 19) | class Disguise(Auxiliary):
method change_productid (line 68) | def change_productid(self):
method patch_scsi_identifiers (line 80) | def patch_scsi_identifiers(self):
method patch_bios (line 103) | def patch_bios(self):
method patch_acpi (line 109) | def patch_acpi(self):
method patch_processor (line 141) | def patch_processor(self):
method patch_manufacturer (line 157) | def patch_manufacturer(self):
method patch_hdd_path (line 167) | def patch_hdd_path(self):
method start (line 171) | def start(self):
FILE: analyzer/windows/modules/auxiliary/dumptls.py
class DumpTLSMasterSecrets (line 13) | class DumpTLSMasterSecrets(Auxiliary):
method start (line 15) | def start(self):
FILE: analyzer/windows/modules/auxiliary/human.py
function click (line 24) | def click(hwnd):
function foreach_child (line 29) | def foreach_child(hwnd, lparam):
function get_office_window (line 106) | def get_office_window(hwnd, lparam):
function foreach_window (line 117) | def foreach_window(hwnd, lparam):
function move_mouse (line 124) | def move_mouse():
function click_mouse (line 136) | def click_mouse():
class Human (line 145) | class Human(threading.Thread, Auxiliary):
method __init__ (line 148) | def __init__(self, options={}, analyzer=None):
method stop (line 153) | def stop(self):
method run (line 156) | def run(self):
FILE: analyzer/windows/modules/auxiliary/installcert.py
class InstallCertificate (line 14) | class InstallCertificate(Auxiliary):
method start (line 18) | def start(self):
FILE: analyzer/windows/modules/auxiliary/procmon.py
class Procmon (line 13) | class Procmon(Auxiliary):
method start (line 15) | def start(self):
method stop (line 50) | def stop(self):
FILE: analyzer/windows/modules/auxiliary/reboot.py
class Reboot (line 14) | class Reboot(Auxiliary):
method start (line 17) | def start(self):
method _handle_regkey_written (line 34) | def _handle_regkey_written(self, event):
method _handle_create_process (line 38) | def _handle_create_process(self, event):
FILE: analyzer/windows/modules/auxiliary/recentfiles.py
class RecentFiles (line 19) | class RecentFiles(Auxiliary):
method get_path (line 33) | def get_path(self):
method start (line 54) | def start(self):
FILE: analyzer/windows/modules/auxiliary/screenshots.py
class Screenshots (line 24) | class Screenshots(threading.Thread, Auxiliary):
method __init__ (line 27) | def __init__(self, options={}, analyzer=None):
method stop (line 32) | def stop(self):
method run (line 36) | def run(self):
FILE: analyzer/windows/modules/auxiliary/zer0m0n.py
class LoadZer0m0n (line 15) | class LoadZer0m0n(Auxiliary):
method start (line 18) | def start(self):
FILE: analyzer/windows/modules/packages/applet.py
class Applet (line 10) | class Applet(Package):
method make_html (line 17) | def make_html(self, path, class_name):
method start (line 33) | def start(self, path):
FILE: analyzer/windows/modules/packages/bin.py
class Shellcode (line 8) | class Shellcode(Package):
method start (line 11) | def start(self, path):
FILE: analyzer/windows/modules/packages/com.py
class ComDll (line 10) | class ComDll(Package):
method start (line 16) | def start(self, path):
FILE: analyzer/windows/modules/packages/cpl.py
class CPL (line 8) | class CPL(Package):
method start (line 14) | def start(self, path):
FILE: analyzer/windows/modules/packages/dll.py
class Dll (line 12) | class Dll(Package):
method start (line 18) | def start(self, path):
FILE: analyzer/windows/modules/packages/doc.py
class DOC (line 10) | class DOC(Package):
method start (line 69) | def start(self, path):
FILE: analyzer/windows/modules/packages/exe.py
class Exe (line 11) | class Exe(Package):
method start (line 14) | def start(self, path):
FILE: analyzer/windows/modules/packages/ff.py
class Firefox (line 8) | class Firefox(Package):
method start (line 14) | def start(self, url):
FILE: analyzer/windows/modules/packages/generic.py
class Generic (line 9) | class Generic(Package):
method start (line 17) | def start(self, path):
FILE: analyzer/windows/modules/packages/hta.py
class HTA (line 9) | class HTA(Package):
method start (line 15) | def start(self, path):
FILE: analyzer/windows/modules/packages/hwp.py
class HWP (line 7) | class HWP(Package):
method start (line 13) | def start(self, path):
FILE: analyzer/windows/modules/packages/ie.py
class IE (line 15) | class IE(Package):
method setup_proxy (line 115) | def setup_proxy(self, proxy_host):
method start (line 130) | def start(self, target):
FILE: analyzer/windows/modules/packages/jar.py
class Jar (line 8) | class Jar(Package):
method start (line 14) | def start(self, path):
FILE: analyzer/windows/modules/packages/js.py
class Javascript (line 13) | class Javascript(Package):
method start (line 19) | def start(self, path):
FILE: analyzer/windows/modules/packages/jse.py
class JScript (line 12) | class JScript(Package):
method start (line 18) | def start(self, path):
FILE: analyzer/windows/modules/packages/msi.py
class Msi (line 8) | class Msi(Package):
method start (line 15) | def start(self, path):
FILE: analyzer/windows/modules/packages/pdf.py
class PDF (line 15) | class PDF(Package):
method start (line 58) | def start(self, path):
FILE: analyzer/windows/modules/packages/ppt.py
class PPT (line 9) | class PPT(Package):
method start (line 58) | def start(self, path):
FILE: analyzer/windows/modules/packages/ps1.py
class PS1 (line 12) | class PS1(Package):
method start (line 20) | def start(self, path):
FILE: analyzer/windows/modules/packages/pub.py
class PUB (line 11) | class PUB(Package):
method start (line 67) | def start(self, path):
FILE: analyzer/windows/modules/packages/python.py
class Python (line 10) | class Python(Package):
method start (line 23) | def start(self, path):
FILE: analyzer/windows/modules/packages/reboot.py
class Reboot (line 11) | class Reboot(Package):
method _handle_create_process (line 14) | def _handle_create_process(self, filepath, command_line, source):
method start (line 17) | def start(self, path):
FILE: analyzer/windows/modules/packages/vbs.py
class VBS (line 13) | class VBS(Package):
method start (line 19) | def start(self, path):
FILE: analyzer/windows/modules/packages/wsf.py
class WSF (line 12) | class WSF(Package):
method start (line 18) | def start(self, path):
FILE: analyzer/windows/modules/packages/xls.py
class XLS (line 10) | class XLS(Package):
method start (line 59) | def start(self, path):
FILE: analyzer/windows/modules/packages/zip.py
class Zip (line 17) | class Zip(Package):
method extract_zip (line 20) | def extract_zip(self, zip_path, extract_path, password):
method is_overwritten (line 53) | def is_overwritten(self, zip_path):
method get_infos (line 68) | def get_infos(self, zip_path):
method start (line 79) | def start(self, path):
FILE: cuckoo.py
function cuckoo_init (line 38) | def cuckoo_init(quiet=False, debug=False, artwork=False, test=False, ml=...
function cuckoo_main (line 92) | def cuckoo_main(max_analysis_count=0):
FILE: data/html/js/functions.js
function showHide (line 1) | function showHide(id, lbl) {
FILE: data/src/binpackage/execsc.c
function main (line 5) | int main (int argc, char ** argv) {
FILE: distributed/distributed/api.py
function list_machines (line 11) | def list_machines(url):
function node_status (line 15) | def node_status(url):
function submit_task (line 22) | def submit_task(url, task):
function fetch_tasks (line 48) | def fetch_tasks(url, status):
function store_report (line 53) | def store_report(url, task_id, report_format, dirpath):
function delete_task (line 69) | def delete_task(url, task_id):
function fetch_pcap (line 73) | def fetch_pcap(url, task_id, filepath):
FILE: distributed/distributed/app.py
function create_app (line 18) | def create_app():
FILE: distributed/distributed/db.py
class Serializer (line 14) | class Serializer(object):
method to_dict (line 16) | def to_dict(self):
class StringList (line 22) | class StringList(db.TypeDecorator):
method process_bind_param (line 26) | def process_bind_param(self, value, dialect):
method process_result_value (line 29) | def process_result_value(self, value, dialect):
class JsonType (line 32) | class JsonType(db.TypeDecorator):
method process_bind_param (line 36) | def process_bind_param(self, value, dialect):
method process_result_value (line 39) | def process_result_value(self, value, dialect):
class Node (line 42) | class Node(db.Model):
method __init__ (line 51) | def __init__(self, name, url, mode, enabled=True):
class Machine (line 57) | class Machine(db.Model):
method __init__ (line 65) | def __init__(self, name, platform, tags):
class Task (line 70) | class Task(db.Model, Serializer):
method __init__ (line 112) | def __init__(self, path=None, filename=None, package=None, timeout=None,
class NodeStatus (line 135) | class NodeStatus(db.Model, Serializer):
method __init__ (line 143) | def __init__(self, name, timestamp, status):
class AlembicVersion (line 148) | class AlembicVersion(db.Model):
method __init__ (line 153) | def __init__(self, version_num):
FILE: distributed/distributed/exception.py
class InvalidReport (line 5) | class InvalidReport(Exception):
FILE: distributed/distributed/views/api.py
function json_error (line 19) | def json_error(status_code, message, *args):
function node_url (line 24) | def node_url(ip=None, url=None):
function node_get (line 31) | def node_get(name=None):
function node_post (line 67) | def node_post():
function node_put (line 97) | def node_put(name):
function node_delete (line 116) | def node_delete(name):
function task_list (line 126) | def task_list():
function task_post (line 186) | def task_post():
function task_get (line 217) | def task_get(task_id):
function task_delete (line 244) | def task_delete(task_id):
function report_get (line 273) | def report_get(task_id, report_format="json"):
function pcap_get (line 292) | def pcap_get(task_id):
function status_get (line 311) | def status_get():
FILE: distributed/instance.py
function scheduler (line 20) | def scheduler():
function status_caching (line 48) | def status_caching():
function handle_node (line 76) | def handle_node(instance):
FILE: distributed/migration/env.py
function run_migrations (line 17) | def run_migrations():
FILE: distributed/migration/versions/151400d38e03_node_status_timestamp_index.py
function upgrade (line 16) | def upgrade():
function downgrade (line 19) | def downgrade():
FILE: distributed/migration/versions/166078eb1311_change_node_id_to_name.py
function upgrade (line 17) | def upgrade():
function downgrade (line 31) | def downgrade():
FILE: distributed/migration/versions/2aa59981b59d_node_task_not_unique.py
function upgrade (line 16) | def upgrade():
function downgrade (line 20) | def downgrade():
FILE: distributed/migration/versions/37c08c9655bb_initial_database.py
function upgrade (line 17) | def upgrade():
function downgrade (line 61) | def downgrade():
FILE: distributed/migration/versions/3cc1509b7fdc_node_status.py
function upgrade (line 17) | def upgrade():
function downgrade (line 28) | def downgrade():
FILE: distributed/migration/versions/3d1d8fd2cdbb_timestamps.py
function upgrade (line 17) | def upgrade():
function downgrade (line 23) | def downgrade():
FILE: distributed/migration/versions/4b86bc0d40aa_node_mode.py
function upgrade (line 17) | def upgrade():
function downgrade (line 22) | def downgrade():
FILE: distributed/migration/versions/4d0a2590e997_node_task_index.py
function upgrade (line 16) | def upgrade():
function downgrade (line 19) | def downgrade():
FILE: distributed/migration/versions/69ecf07a99b_finished_to_status.py
function upgrade (line 17) | def upgrade():
function downgrade (line 26) | def downgrade():
FILE: examples/cuckooml.py
function init_cuckooml (line 35) | def init_cuckooml():
class ML (line 174) | class ML(object):
method __init__ (line 392) | def __init__(self, context="standalone"):
method __log_bin (line 403) | def __log_bin(self, value, base=3):
method __normalise_string (line 411) | def __normalise_string(self, string):
method __simplify_string (line 418) | def __simplify_string(self, string, distinguish_voyels=False):
method __n_grams (line 445) | def __n_grams(self, string, n=3, reorder=False):
method __handle_string (line 465) | def __handle_string(self, string):
method extract_labels (line 478) | def extract_labels(self, labels):
method load_labels (line 482) | def load_labels(self, labels):
method extract_simple_features (line 487) | def extract_simple_features(self, simple_features):
method load_simple_features (line 507) | def load_simple_features(self, simple_features):
method export_simple_dataset (line 513) | def export_simple_dataset(self, filename="simple_dataset.csv"):
method simple_feature_category (line 527) | def simple_feature_category(self, category="properties"):
method extract_features (line 537) | def extract_features(self, features, include_API_calls=False, include_...
method load_features (line 691) | def load_features(self, features, include_API_calls=False, include_API...
method export_dataset (line 696) | def export_dataset(self, filename="dataset.csv"):
method feature_category (line 710) | def feature_category(self, category="static", complement=False):
method filter_dataset (line 759) | def filter_dataset(self, dataset=None, feature_coverage=0.1,
method detect_abnormal_behaviour (line 780) | def detect_abnormal_behaviour(self, count_dataset=None, figures=True):
method visualise_data (line 829) | def visualise_data(self, data=None, labels=None, learning_rate=200,
method save_dataset (line 853) | def save_dataset(self, filename="custom_dataset.csv", features=None, \
method cluster_dbscan (line 873) | def cluster_dbscan(self, features=None, eps=20.0, min_samples=5, dry=F...
method cluster_hdbscan (line 906) | def cluster_hdbscan(self, features=None, min_samples=1, \
method save_clustering_results (line 948) | def save_clustering_results(self, loader, save_location=""):
method anomaly_detection (line 976) | def anomaly_detection(self, samples=None, labels=None,
method compare_sample (line 1025) | def compare_sample(self, sample, amend=False):
method assess_clustering (line 1060) | def assess_clustering(self, clustering, labels, data=None,
method clustering_label_distribution (line 1107) | def clustering_label_distribution(self, clustering, labels, plot=False):
class Loader (line 1147) | class Loader(object):
method __init__ (line 1150) | def __init__(self):
method load_binaries (line 1155) | def load_binaries(self, directory):
method update_binaries (line 1165) | def update_binaries(self, elements, root, locations):
method save_binaries (line 1177) | def save_binaries(self, alternative_location=""):
method get_labels (line 1196) | def get_labels(self):
method get_features (line 1203) | def get_features(self):
method get_simple_features (line 1210) | def get_simple_features(self):
class Instance (line 1218) | class Instance(object):
method __init__ (line 1223) | def __init__(self):
method load_json (line 1234) | def load_json(self, json_file, name="unknown"):
method label_sample (line 1262) | def label_sample(self, external_labels=None, label_type="family"):
method update (line 1285) | def update(self, element, location):
method save_json (line 1297) | def save_json(self, root_dir):
method extract_features (line 1302) | def extract_features(self):
method extract_features_static (line 1307) | def extract_features_static(self):
method extract_features_dynamic (line 1316) | def extract_features_dynamic(self):
method feature_static_metadata (line 1324) | def feature_static_metadata(self):
method feature_static_signature (line 1351) | def feature_static_signature(self):
method feature_static_heuristic (line 1367) | def feature_static_heuristic(self):
method feature_static_packer (line 1372) | def feature_static_packer(self):
method feature_static_pef (line 1378) | def feature_static_pef(self):
method feature_static_imports (line 1415) | def feature_static_imports(self):
method feature_dynamic_imports (line 1435) | def feature_dynamic_imports(self):
method feature_dynamic_filesystem (line 1453) | def feature_dynamic_filesystem(self):
method feature_dynamic_network (line 1527) | def feature_dynamic_network(self):
method feature_dynamic_registry (line 1578) | def feature_dynamic_registry(self):
method feature_dynamic_windowsapi (line 1589) | def feature_dynamic_windowsapi(self):
method extract_basic_features (line 1600) | def extract_basic_features(self):
FILE: examples/instance.py
class Instance (line 13) | class Instance(object):
method __init__ (line 18) | def __init__(self):
method load_json (line 31) | def load_json(self, json_file, name="unknown"):
method label_sample (line 60) | def label_sample(self, external_labels=None, label_type="family"):
method update (line 87) | def update(self, element, location):
method save_json (line 100) | def save_json(self, root_dir):
method extract_features (line 106) | def extract_features(self):
method extract_features_static (line 112) | def extract_features_static(self):
method extract_features_dynamic (line 123) | def extract_features_dynamic(self):
method feature_static_metadata (line 132) | def feature_static_metadata(self):
method feature_static_signature (line 159) | def feature_static_signature(self):
method feature_static_heuristic (line 175) | def feature_static_heuristic(self):
method feature_static_packer (line 181) | def feature_static_packer(self):
method feature_static_pef (line 188) | def feature_static_pef(self):
method feature_static_imports (line 226) | def feature_static_imports(self):
method feature_static_string (line 246) | def feature_static_string(self):
method feature_dynamic_imports (line 251) | def feature_dynamic_imports(self):
method feature_dynamic_filesystem (line 272) | def feature_dynamic_filesystem(self):
method feature_dynamic_network (line 346) | def feature_dynamic_network(self):
method feature_dynamic_registry (line 398) | def feature_dynamic_registry(self):
method feature_dynamic_windowsapi (line 410) | def feature_dynamic_windowsapi(self):
method extract_basic_features (line 422) | def extract_basic_features(self):
FILE: examples/loader.py
class Loader (line 12) | class Loader(object):
method __init__ (line 14) | def __init__(self):
method load_binaries_dir (line 20) | def load_binaries_dir(self, directory):
method update_binaries (line 31) | def update_binaries(self, elements, root, locations):
method save_binaries (line 44) | def save_binaries(self, alternative_location=""):
method get_labels (line 64) | def get_labels(self):
method get_features (line 72) | def get_features(self):
method get_simple_features (line 80) | def get_simple_features(self):
FILE: examples/ml.py
class ML (line 23) | class ML(object):
method __init__ (line 241) | def __init__(self, context="standalone"):
method __log_bin (line 252) | def __log_bin(self, value, base=3):
method __normalise_string (line 260) | def __normalise_string(self, string):
method __simplify_string (line 267) | def __simplify_string(self, string, distinguish_voyels=False):
method __n_grams (line 294) | def __n_grams(self, string, n=3, reorder=False):
method __handle_string (line 314) | def __handle_string(self, string):
method extract_labels (line 327) | def extract_labels(self, labels):
method load_labels (line 331) | def load_labels(self, labels):
method extract_simple_features (line 336) | def extract_simple_features(self, simple_features):
method load_simple_features (line 356) | def load_simple_features(self, simple_features):
method export_simple_dataset (line 362) | def export_simple_dataset(self, filename="simple_dataset.csv"):
method simple_feature_category (line 376) | def simple_feature_category(self, category="properties"):
method extract_features (line 386) | def extract_features(self, features, include_API_calls=False, include_...
method load_features (line 540) | def load_features(self, features, include_API_calls=False, include_API...
method export_dataset (line 545) | def export_dataset(self, filename="dataset.csv"):
method feature_category (line 559) | def feature_category(self, category="static", complement=False):
method filter_dataset (line 608) | def filter_dataset(self, dataset=None, feature_coverage=0.1,
method detect_abnormal_behaviour (line 629) | def detect_abnormal_behaviour(self, count_dataset=None, figures=True):
method visualise_data (line 678) | def visualise_data(self, data=None, labels=None, learning_rate=200,
method save_dataset (line 702) | def save_dataset(self, filename="custom_dataset.csv", features=None, \
method cluster_dbscan (line 726) | def cluster_dbscan(self, features=None, eps=20.0, min_samples=5, dry=F...
method cluster_hdbscan (line 759) | def cluster_hdbscan(self, features=None, min_samples=1, \
method save_clustering_results (line 801) | def save_clustering_results(self, loader, save_location=""):
method anomaly_detection (line 829) | def anomaly_detection(self, samples=None, labels=None,
method compare_sample (line 878) | def compare_sample(self, sample, amend=False):
method assess_clustering (line 913) | def assess_clustering(self, clustering, labels, data=None,
method clustering_label_distribution (line 960) | def clustering_label_distribution(self, clustering, labels, plot=False):
FILE: examples/rundetectiontest.py
class RunProcessing (line 30) | class RunProcessing(object):
method __init__ (line 38) | def __init__(self, task):
method process (line 45) | def process(self, module, results):
method run (line 107) | def run(self):
class RunDetection (line 145) | class RunDetection(object):
method __init__ (line 153) | def __init__(self, results):
method process (line 163) | def process(self, module):
method run (line 228) | def run(self):
function import_package (line 261) | def import_package(package):
function import_plugin (line 266) | def import_plugin(name):
function load_plugins (line 275) | def load_plugins(module): # 导入插件
function register_plugin (line 293) | def register_plugin(group, name):
function list_plugins (line 298) | def list_plugins(group=None):
function init_modules (line 304) | def init_modules(machinery=True):
FILE: lib/cuckoo/common/abstracts.py
class Auxiliary (line 42) | class Auxiliary(object):
method __init__ (line 51) | def __init__(self):
method set_task (line 56) | def set_task(self, task):
method set_machine (line 62) | def set_machine(self, machine):
method set_options (line 68) | def set_options(self, options):
method start (line 74) | def start(self):
method stop (line 80) | def stop(self):
class Machinery (line 86) | class Machinery(object):
method __init__ (line 93) | def __init__(self):
method pcap_path (line 104) | def pcap_path(self, task_id):
method set_options (line 109) | def set_options(self, options):
method initialize (line 117) | def initialize(self, module_name):
method _get_resultserver_port (line 129) | def _get_resultserver_port(self):
method _initialize (line 138) | def _initialize(self, module_name):
method _initialize_check (line 203) | def _initialize_check(self):
method machines (line 237) | def machines(self):
method availables (line 245) | def availables(self):
method acquire (line 253) | def acquire(self, machine_id=None, platform=None, tags=None):
method release (line 269) | def release(self, label=None):
method running (line 277) | def running(self):
method shutdown (line 285) | def shutdown(self):
method set_status (line 301) | def set_status(self, label, status):
method start (line 310) | def start(self, label, task):
method stop (line 320) | def stop(self, label=None):
method _list (line 329) | def _list(self):
method dump_memory (line 337) | def dump_memory(self, label, path):
method _wait_status (line 345) | def _wait_status(self, label, state):
class LibVirtMachinery (line 373) | class LibVirtMachinery(Machinery):
method __init__ (line 389) | def __init__(self):
method initialize (line 395) | def initialize(self, module):
method _initialize_check (line 404) | def _initialize_check(self):
method start (line 422) | def start(self, label, task):
method stop (line 477) | def stop(self, label):
method shutdown (line 506) | def shutdown(self):
method dump_memory (line 513) | def dump_memory(self, label, path):
method _status (line 534) | def _status(self, label):
method _connect (line 581) | def _connect(self):
method _disconnect (line 597) | def _disconnect(self, conn):
method _fetch_machines (line 608) | def _fetch_machines(self):
method _lookup (line 619) | def _lookup(self, label):
method _list (line 637) | def _list(self):
method _version_check (line 652) | def _version_check(self):
method _get_snapshot (line 663) | def _get_snapshot(self, label):
class Processing (line 704) | class Processing(object):
method __init__ (line 709) | def __init__(self):
method set_options (line 717) | def set_options(self, options):
method set_task (line 725) | def set_task(self, task):
method set_baseline (line 733) | def set_baseline(self, baseline_path):
method set_path (line 739) | def set_path(self, analysis_path):
method set_results (line 765) | def set_results(self, results):
method run (line 771) | def run(self):
class Instance (line 779) | class Instance(object):
method __init__ (line 786) | def __init__(self):
method load_json (line 798) | def load_json(self, json_file, name="unknown"):
method load_binaries (line 828) | def load_binaries(self, data_path, first_n_byte = 2 ** 20):
method label_sample (line 844) | def label_sample(self, external_labels=None, label_type="family"):
method update (line 869) | def update(self, element, location):
method save_json (line 883) | def save_json(self, root_dir):
method extract_features (line 890) | def extract_features(self):
method extract_features_static (line 895) | def extract_features_static(self):
method extract_features_dynamic (line 905) | def extract_features_dynamic(self):
method feature_static_metadata (line 913) | def feature_static_metadata(self):
method feature_static_signature (line 940) | def feature_static_signature(self):
method feature_static_heuristic (line 956) | def feature_static_heuristic(self):
method feature_static_packer (line 961) | def feature_static_packer(self):
method feature_static_pef (line 968) | def feature_static_pef(self):
method feature_static_imports (line 1006) | def feature_static_imports(self):
method feature_static_string (line 1026) | def feature_static_string(self):
method feature_dynamic_imports (line 1030) | def feature_dynamic_imports(self):
method feature_dynamic_filesystem (line 1048) | def feature_dynamic_filesystem(self):
method feature_dynamic_network (line 1121) | def feature_dynamic_network(self):
method feature_dynamic_registry (line 1172) | def feature_dynamic_registry(self):
method feature_dynamic_windowsapi (line 1183) | def feature_dynamic_windowsapi(self):
method extract_basic_features (line 1194) | def extract_basic_features(self):
class Detection (line 1208) | class Detection(object):
method __init__ (line 1215) | def __init__(self):
method set_options (line 1228) | def set_options(self, options):
method set_path (line 1236) | def set_path(self, analysis_path):
method set_task (line 1246) | def set_task(self, task):
method load_instance (line 1253) | def load_instance(self, results):
method get_features (line 1264) | def get_features(self):
method load_binaries_dir (line 1278) | def load_binaries_dir(self, directory):
method update_binaries (line 1291) | def update_binaries(self, elements, root, locations):
method save_binaries (line 1303) | def save_binaries(self, alternative_location=""):
method get_labels (line 1322) | def get_labels(self):
method get_simple_features (line 1329) | def get_simple_features(self):
method run (line 1336) | def run(self):
class Signature (line 1344) | class Signature(object):
method __init__ (line 1372) | def __init__(self, caller):
method _check_value (line 1386) | def _check_value(self, pattern, subject, regex=False, all=False):
method get_results (line 1422) | def get_results(self, key=None, default=None):
method get_processes (line 1431) | def get_processes(self, name=None):
method get_process_by_pid (line 1441) | def get_process_by_pid(self, pid=None):
method get_summary (line 1451) | def get_summary(self, key=None, default=[]):
method get_summary_generic (line 1456) | def get_summary_generic(self, pid, actions):
method get_files (line 1472) | def get_files(self, pid=None, actions=None):
method get_dll_loaded (line 1490) | def get_dll_loaded(self, pid=None):
method get_keys (line 1499) | def get_keys(self, pid=None, actions=None):
method check_file (line 1515) | def check_file(self, pattern, regex=False, actions=None, pid=None,
method check_dll_loaded (line 1539) | def check_dll_loaded(self, pattern, regex=False, actions=None, pid=None,
method check_key (line 1555) | def check_key(self, pattern, regex=False, actions=None, pid=None,
method get_mutexes (line 1578) | def get_mutexes(self, pid=None):
method check_mutex (line 1587) | def check_mutex(self, pattern, regex=False, all=False):
method get_command_lines (line 1600) | def get_command_lines(self):
method get_wmi_queries (line 1604) | def get_wmi_queries(self):
method get_net_generic (line 1608) | def get_net_generic(self, subtype):
method get_net_hosts (line 1615) | def get_net_hosts(self):
method get_net_domains (line 1619) | def get_net_domains(self):
method get_net_http (line 1623) | def get_net_http(self):
method get_net_http_ex (line 1627) | def get_net_http_ex(self):
method get_net_udp (line 1632) | def get_net_udp(self):
method get_net_icmp (line 1636) | def get_net_icmp(self):
method get_net_irc (line 1640) | def get_net_irc(self):
method get_net_smtp (line 1644) | def get_net_smtp(self):
method get_virustotal (line 1648) | def get_virustotal(self):
method get_volatility (line 1652) | def get_volatility(self, module=None):
method get_apkinfo (line 1657) | def get_apkinfo(self, section=None, default={}):
method get_droidmon (line 1662) | def get_droidmon(self, section=None, default={}):
method get_googleplay (line 1667) | def get_googleplay(self, section=None, default={}):
method check_ip (line 1672) | def check_ip(self, pattern, regex=False, all=False):
method check_domain (line 1685) | def check_domain(self, pattern, regex=False, all=False):
method check_url (line 1702) | def check_url(self, pattern, regex=False, all=False):
method init (line 1719) | def init(self):
method mark_call (line 1722) | def mark_call(self, *args, **kwargs):
method mark_ioc (line 1741) | def mark_ioc(self, category, ioc, description=None):
method mark_vol (line 1755) | def mark_vol(self, plugin, **kwargs):
method mark (line 1765) | def mark(self, **kwargs):
method has_marks (line 1773) | def has_marks(self, count=None):
method on_call (line 1779) | def on_call(self, call, process):
method on_signature (line 1794) | def on_signature(self, signature):
method on_process (line 1802) | def on_process(self, process):
method on_complete (line 1809) | def on_complete(self):
method results (line 1813) | def results(self):
class Report (line 1823) | class Report(object):
method __init__ (line 1827) | def __init__(self):
method _get_analysis_path (line 1833) | def _get_analysis_path(self, subpath):
method set_path (line 1836) | def set_path(self, analysis_path):
method set_options (line 1853) | def set_options(self, options):
method set_task (line 1860) | def set_task(self, task):
method run (line 1867) | def run(self):
class BehaviorHandler (line 1874) | class BehaviorHandler(object):
method __init__ (line 1881) | def __init__(self, behavior_analysis):
method handles_path (line 1884) | def handles_path(self, logpath):
method parse (line 1889) | def parse(self, logpath):
method handle_event (line 1894) | def handle_event(self, event):
method run (line 1898) | def run(self):
class ProtocolHandler (line 1903) | class ProtocolHandler(object):
method __init__ (line 1905) | def __init__(self, handler, version=None):
method init (line 1909) | def init(self):
method close (line 1912) | def close(self):
FILE: lib/cuckoo/common/colors.py
function color (line 10) | def color(text, color_code):
function black (line 25) | def black(text):
function red (line 28) | def red(text):
function green (line 31) | def green(text):
function yellow (line 34) | def yellow(text):
function blue (line 37) | def blue(text):
function magenta (line 40) | def magenta(text):
function cyan (line 43) | def cyan(text):
function white (line 46) | def white(text):
function bold (line 49) | def bold(text):
FILE: lib/cuckoo/common/compare.py
function behavior_categories_percent (line 14) | def behavior_categories_percent(calls):
function combine_behavior_percentages (line 22) | def combine_behavior_percentages(stats):
function iter_task_process_logfiles (line 45) | def iter_task_process_logfiles(tid):
function helper_percentages_storage (line 53) | def helper_percentages_storage(tid1, tid2):
function helper_percentages_mongo (line 68) | def helper_percentages_mongo(results_db, tid1, tid2, ignore_categories=[...
FILE: lib/cuckoo/common/config.py
class Config (line 14) | class Config():
method __init__ (line 21) | def __init__(self, file_name="cuckoo", cfg=None):
method get (line 53) | def get(self, section):
function parse_options (line 67) | def parse_options(options):
function emit_options (line 78) | def emit_options(options):
FILE: lib/cuckoo/common/dns.py
function set_timeout (line 28) | def set_timeout(value):
function set_timeout_value (line 32) | def set_timeout_value(value):
function with_timeout (line 39) | def with_timeout(func, args=(), kwargs={}):
function resolve_thread (line 65) | def resolve_thread(name):
function gethostbyname (line 68) | def gethostbyname(name):
function resolve_cares (line 77) | def resolve_cares(name):
class Resultholder (line 106) | class Resultholder:
function resolve (line 132) | def resolve(name):
FILE: lib/cuckoo/common/exceptions.py
class CuckooCriticalError (line 7) | class CuckooCriticalError(Exception):
class CuckooStartupError (line 10) | class CuckooStartupError(CuckooCriticalError):
class CuckooDatabaseError (line 13) | class CuckooDatabaseError(CuckooCriticalError):
class CuckooDependencyError (line 16) | class CuckooDependencyError(CuckooCriticalError):
class CuckooOperationalError (line 19) | class CuckooOperationalError(Exception):
class CuckooMachineError (line 22) | class CuckooMachineError(CuckooOperationalError):
class CuckooAnalysisError (line 25) | class CuckooAnalysisError(CuckooOperationalError):
class CuckooProcessingError (line 28) | class CuckooProcessingError(CuckooOperationalError):
class CuckooDetectionError (line 31) | class CuckooDetectionError(CuckooOperationalError):
class CuckooReportError (line 34) | class CuckooReportError(CuckooOperationalError):
class CuckooGuestError (line 37) | class CuckooGuestError(CuckooOperationalError):
class CuckooResultError (line 40) | class CuckooResultError(CuckooOperationalError):
FILE: lib/cuckoo/common/irc.py
class ircMessage (line 19) | class ircMessage(object):
method __init__ (line 32) | def __init__(self):
method _unpack (line 39) | def _unpack(self, buf):
method getClientMessages (line 69) | def getClientMessages(self, buf):
method getClientMessagesFilter (line 87) | def getClientMessagesFilter(self, buf, filters):
method getServerMessages (line 105) | def getServerMessages(self, buf):
method getServerMessagesFilter (line 124) | def getServerMessagesFilter(self, buf, filters):
method isthereIRC (line 141) | def isthereIRC(self, buf):
FILE: lib/cuckoo/common/logo.py
function logo (line 13) | def logo():
FILE: lib/cuckoo/common/netlog.py
function pointer_converter_32bit (line 36) | def pointer_converter_32bit(v):
function pointer_converter_64bit (line 39) | def pointer_converter_64bit(v):
function default_converter_32bit (line 42) | def default_converter_32bit(v):
function default_converter_64bit (line 51) | def default_converter_64bit(v):
class BsonParser (line 63) | class BsonParser(ProtocolHandler):
method init (line 85) | def init(self):
method resolve_flags (line 101) | def resolve_flags(self, apiname, argdict, flags):
method determine_unserializers (line 131) | def determine_unserializers(self, arginfo):
method __iter__ (line 153) | def __iter__(self):
FILE: lib/cuckoo/common/objects.py
class Dictionary (line 69) | class Dictionary(dict):
method __getattr__ (line 72) | def __getattr__(self, key):
class URL (line 78) | class URL:
method __init__ (line 81) | def __init__(self, url):
class File (line 85) | class File(object):
method __init__ (line 106) | def __init__(self, file_path):
method get_name (line 118) | def get_name(self):
method valid (line 126) | def valid(self):
method get_data (line 131) | def get_data(self):
method get_chunks (line 138) | def get_chunks(self):
method calc_hashes (line 148) | def calc_hashes(self):
method file_data (line 171) | def file_data(self):
method get_size (line 176) | def get_size(self):
method get_crc32 (line 183) | def get_crc32(self):
method get_md5 (line 192) | def get_md5(self):
method get_sha1 (line 201) | def get_sha1(self):
method get_sha256 (line 210) | def get_sha256(self):
method get_sha512 (line 219) | def get_sha512(self):
method get_ssdeep (line 229) | def get_ssdeep(self):
method get_type (line 246) | def get_type(self):
method get_content_type (line 280) | def get_content_type(self):
method get_exported_functions (line 311) | def get_exported_functions(self):
method get_imported_functions (line 334) | def get_imported_functions(self):
method get_apk_entry (line 361) | def get_apk_entry(self):
method _yara_encode_string (line 407) | def _yara_encode_string(self, s):
method _yara_matches_177 (line 418) | def _yara_matches_177(self, matches):
method get_yara (line 436) | def get_yara(self, category="binaries"):
method get_urls (line 490) | def get_urls(self):
method get_all (line 506) | def get_all(self):
FILE: lib/cuckoo/common/utils.py
function create_folders (line 52) | def create_folders(root=".", folders=[]):
function create_folder (line 62) | def create_folder(root=".", folder=None):
function delete_folder (line 77) | def delete_folder(folder):
function convert_char (line 95) | def convert_char(c):
function is_printable (line 106) | def is_printable(s):
function convert_to_printable (line 113) | def convert_to_printable(s):
function datetime_to_iso (line 123) | def datetime_to_iso(timestamp):
function get_filename_from_path (line 131) | def get_filename_from_path(path):
function store_temp_file (line 140) | def store_temp_file(filedata, filename, path=None):
class TimeoutServer (line 177) | class TimeoutServer(xmlrpclib.ServerProxy):
method __init__ (line 185) | def __init__(self, *args, **kwargs):
method _set_timeout (line 190) | def _set_timeout(self, timeout):
class TimeoutTransport (line 197) | class TimeoutTransport(xmlrpclib.Transport):
method __init__ (line 198) | def __init__(self, *args, **kwargs):
method make_connection (line 202) | def make_connection(self, *args, **kwargs):
class Singleton (line 208) | class Singleton(type):
method __call__ (line 215) | def __call__(cls, *args, **kwargs):
class ThreadSingleton (line 220) | class ThreadSingleton(type):
method __call__ (line 224) | def __call__(cls, *args, **kwargs):
function to_unicode (line 229) | def to_unicode(s):
function cleanup_value (line 274) | def cleanup_value(v):
function classlock (line 281) | def classlock(f):
class SuperLock (line 297) | class SuperLock(object):
method __init__ (line 298) | def __init__(self):
method __enter__ (line 302) | def __enter__(self):
method __exit__ (line 306) | def __exit__(self, type, value, traceback):
function hash_file (line 310) | def hash_file(method, filepath):
function md5_file (line 326) | def md5_file(filepath):
function sha1_file (line 329) | def sha1_file(filepath):
function guid_name (line 334) | def guid_name(guid):
function exception_message (line 347) | def exception_message():
function jsbeautify (line 401) | def jsbeautify(javascript):
function htmlprettify (line 416) | def htmlprettify(html):
function json_default (line 427) | def json_default(obj):
function json_hook (line 435) | def json_hook(obj):
function json_encode (line 442) | def json_encode(obj, **kwargs):
function json_decode (line 446) | def json_decode(x):
function versiontuple (line 450) | def versiontuple(v):
FILE: lib/cuckoo/common/virustotal.py
class VirusTotalResourceNotScanned (line 24) | class VirusTotalResourceNotScanned(CuckooOperationalError):
class VirusTotalAPI (line 27) | class VirusTotalAPI(object):
method __init__ (line 284) | def __init__(self, apikey, timeout, scan=0):
method _request_json (line 295) | def _request_json(self, url, **kwargs):
method _get_report (line 309) | def _get_report(self, url, resource, summary=False):
method url_report (line 373) | def url_report(self, url, summary=False):
method file_report (line 380) | def file_report(self, filepath, summary=False):
method url_scan (line 388) | def url_scan(self, url):
method file_scan (line 397) | def file_scan(self, filepath):
method detect_platform (line 407) | def detect_platform(self, tokens):
method clean_tokens (line 482) | def clean_tokens(self, tokens):
method normalize (line 576) | def normalize(self, variant):
FILE: lib/cuckoo/common/whitelist.py
function is_whitelisted_domain (line 13) | def is_whitelisted_domain(domain):
FILE: lib/cuckoo/core/database.py
class Machine (line 60) | class Machine(Base):
method __repr__ (line 81) | def __repr__(self):
method to_dict (line 84) | def to_dict(self):
method to_json (line 101) | def to_json(self):
method is_analysis (line 108) | def is_analysis(self):
method __init__ (line 117) | def __init__(self, name, label, ip, platform, options, interface,
class Tag (line 129) | class Tag(Base):
method __repr__ (line 136) | def __repr__(self):
method __init__ (line 139) | def __init__(self, name):
class Guest (line 142) | class Guest(Base):
method __repr__ (line 161) | def __repr__(self):
method to_dict (line 164) | def to_dict(self):
method to_json (line 178) | def to_json(self):
method __init__ (line 185) | def __init__(self, name, label, manager):
class Sample (line 190) | class Sample(Base):
method __repr__ (line 206) | def __repr__(self):
method to_dict (line 209) | def to_dict(self):
method to_json (line 219) | def to_json(self):
method __init__ (line 226) | def __init__(self, md5, crc32, sha1, sha256, sha512,
class Error (line 239) | class Error(Base):
method to_dict (line 247) | def to_dict(self):
method to_json (line 257) | def to_json(self):
method __init__ (line 264) | def __init__(self, message, task_id):
method __repr__ (line 268) | def __repr__(self):
class Task (line 271) | class Task(Base):
method duration (line 310) | def duration(self):
method options (line 316) | def options(self):
method options (line 322) | def options(self, value):
method to_dict (line 325) | def to_dict(self):
method to_json (line 349) | def to_json(self):
method __init__ (line 356) | def __init__(self, target=None):
method __repr__ (line 359) | def __repr__(self):
class AlembicVersion (line 362) | class AlembicVersion(Base):
class Database (line 368) | class Database(object):
method __init__ (line 376) | def __init__(self, dsn=None, schema_check=True, echo=False):
method __del__ (line 449) | def __del__(self):
method _connect_database (line 453) | def _connect_database(self, connection_string):
method _get_or_create (line 476) | def _get_or_create(self, session, model, **kwargs):
method drop (line 487) | def drop(self):
method clean_machines (line 495) | def clean_machines(self):
method add_machine (line 512) | def add_machine(self, name, label, ip, platform, options, tags, interf...
method set_status (line 554) | def set_status(self, task_id, status):
method set_route (line 582) | def set_route(self, task_id, route):
method fetch (line 604) | def fetch(self, machine=None, service=True):
method guest_start (line 632) | def guest_start(self, task_id, name, label, manager):
method guest_get_status (line 657) | def guest_get_status(self, task_id):
method guest_set_status (line 675) | def guest_set_status(self, task_id, status):
method guest_remove (line 695) | def guest_remove(self, guest_id):
method guest_stop (line 710) | def guest_stop(self, guest_id):
method list_machines (line 731) | def list_machines(self, locked=False):
method lock_machine (line 750) | def lock_machine(self, label=None, platform=None, tags=None):
method unlock_machine (line 808) | def unlock_machine(self, label):
method count_machines_available (line 838) | def count_machines_available(self):
method get_available_machines (line 854) | def get_available_machines(self):
method set_machine_status (line 870) | def set_machine_status(self, label, status):
method add_error (line 899) | def add_error(self, message, task_id):
method add (line 919) | def add(self, obj, timeout=0, package="", options="", priority=1,
method add_path (line 1021) | def add_path(self, file_path, timeout=0, package="", options="",
method add_url (line 1054) | def add_url(self, url, timeout=0, package="", options="", priority=1,
method add_baseline (line 1084) | def add_baseline(self, timeout=0, owner="", machine="", memory=False):
method add_service (line 1096) | def add_service(self, timeout, owner, tags):
method reschedule (line 1108) | def reschedule(self, task_id, priority=None):
method list_tasks (line 1153) | def list_tasks(self, limit=None, details=True, category=None, owner=None,
method count_tasks (line 1203) | def count_tasks(self, status=None):
method view_task (line 1223) | def view_task(self, task_id, details=True):
method delete_task (line 1246) | def delete_task(self, task_id):
method view_sample (line 1266) | def view_sample(self, sample_id):
method find_sample (line 1289) | def find_sample(self, md5=None, sha256=None):
method count_samples (line 1312) | def count_samples(self):
method view_machine (line 1325) | def view_machine(self, name):
method view_machine_by_label (line 1345) | def view_machine_by_label(self, label):
method view_errors (line 1365) | def view_errors(self, task_id):
method processing_get_task (line 1381) | def processing_get_task(self, instance):
FILE: lib/cuckoo/core/guest.py
function analyzer_zipfile (line 33) | def analyzer_zipfile(platform, monitor):
class OldGuestManager (line 78) | class OldGuestManager(object):
method __init__ (line 87) | def __init__(self, vm_id, ip, platform, task_id):
method wait (line 104) | def wait(self, status):
method upload_analyzer (line 137) | def upload_analyzer(self, monitor):
method start_analysis (line 158) | def start_analysis(self, options, monitor):
method wait_for_completion (line 216) | def wait_for_completion(self):
class GuestManager (line 256) | class GuestManager(object):
method __init__ (line 260) | def __init__(self, vmid, ipaddr, platform, task_id):
method get (line 282) | def get(self, method, *args, **kwargs):
method post (line 302) | def post(self, method, *args, **kwargs):
method wait_available (line 321) | def wait_available(self):
method query_environ (line 341) | def query_environ(self):
method determine_analyzer_path (line 345) | def determine_analyzer_path(self):
method determine_system_drive (line 363) | def determine_system_drive(self):
method determine_temp_path (line 367) | def determine_temp_path(self):
method upload_analyzer (line 372) | def upload_analyzer(self, monitor):
method add_config (line 385) | def add_config(self, options):
method start_analysis (line 402) | def start_analysis(self, options, monitor):
method wait_for_completion (line 516) | def wait_for_completion(self):
method server (line 557) | def server(self):
FILE: lib/cuckoo/core/plugins.py
function enumerate_plugins (line 30) | def enumerate_plugins(dirpath, module_prefix, namespace, class_, attribu...
function import_package (line 60) | def import_package(package):
function import_plugin (line 65) | def import_plugin(name):
function load_plugins (line 74) | def load_plugins(module): # 导入插件
function register_plugin (line 92) | def register_plugin(group, name):
function list_plugins (line 102) | def list_plugins(group=None):
class RunAuxiliary (line 108) | class RunAuxiliary(object):
method __init__ (line 111) | def __init__(self, task, machine):
method start (line 117) | def start(self):
method stop (line 156) | def stop(self):
class RunProcessing (line 168) | class RunProcessing(object):
method __init__ (line 176) | def __init__(self, task):
method process (line 184) | def process(self, module, results):
method run (line 247) | def run(self):
class RunDetection (line 286) | class RunDetection(object):
method __init__ (line 294) | def __init__(self, task, results):
method process (line 303) | def process(self, module):
method run (line 368) | def run(self):
class RunSignatures (line 406) | class RunSignatures(object):
method __init__ (line 409) | def __init__(self, results):
method _should_enable_signature (line 427) | def _should_enable_signature(self, signature):
method check_signature_version (line 449) | def check_signature_version(self, signature):
method call_signature (line 510) | def call_signature(self, signature, handler, *args, **kwargs):
method init_api_sigs (line 525) | def init_api_sigs(self, apiname, category):
method yield_calls (line 539) | def yield_calls(self, proc):
method run (line 554) | def run(self):
class RunReporting (line 590) | class RunReporting(object):
method __init__ (line 598) | def __init__(self, task, results):
method process (line 606) | def process(self, module):
method run (line 653) | def run(self):
FILE: lib/cuckoo/core/resultserver.py
class Disconnect (line 33) | class Disconnect(Exception):
class ResultServer (line 36) | class ResultServer(SocketServer.ThreadingTCPServer, object):
method __init__ (line 47) | def __init__(self, *args, **kwargs):
method add_task (line 92) | def add_task(self, task, machine):
method del_task (line 97) | def del_task(self, task, machine):
method register_handler (line 108) | def register_handler(self, handler):
method get_ctx_for_ip (line 116) | def get_ctx_for_ip(self, ip):
method build_storage_path (line 125) | def build_storage_path(self, ip):
class ResultHandler (line 133) | class ResultHandler(SocketServer.BaseRequestHandler):
method setup (line 139) | def setup(self):
method finish (line 154) | def finish(self):
method wait_sock_or_end (line 162) | def wait_sock_or_end(self):
method seek (line 175) | def seek(self, pos):
method read (line 178) | def read(self, length):
method read_any (line 195) | def read_any(self):
method read_newline (line 203) | def read_newline(self, strip=False):
method negotiate_protocol (line 213) | def negotiate_protocol(self):
method handle (line 236) | def handle(self):
method open_process_log (line 266) | def open_process_log(self, event):
method create_folders (line 293) | def create_folders(self):
class FileUpload (line 303) | class FileUpload(ProtocolHandler):
method init (line 307) | def init(self):
method __iter__ (line 315) | def __iter__(self):
method close (line 395) | def close(self):
class LogHandler (line 399) | class LogHandler(ProtocolHandler):
method init (line 404) | def init(self):
method __iter__ (line 409) | def __iter__(self):
method close (line 428) | def close(self):
method _open (line 432) | def _open(self):
FILE: lib/cuckoo/core/rooter.py
function rooter (line 23) | def rooter(command, *args, **kwargs):
FILE: lib/cuckoo/core/scheduler.py
class AnalysisManager (line 36) | class AnalysisManager(threading.Thread):
method __init__ (line 45) | def __init__(self, task_id, error_queue):
method init_storage (line 62) | def init_storage(self):
method check_file (line 86) | def check_file(self):
method store_file (line 97) | def store_file(self):
method store_task_info (line 132) | def store_task_info(self):
method acquire_machine (line 140) | def acquire_machine(self):
method build_options (line 175) | def build_options(self):
method route_network (line 215) | def route_network(self):
method unroute_network (line 258) | def unroute_network(self):
method wait_finish (line 266) | def wait_finish(self):
method guest_manage (line 275) | def guest_manage(self, options):
method launch_analysis (line 304) | def launch_analysis(self):
method process_results (line 445) | def process_results(self):
method run (line 487) | def run(self):
class Scheduler (line 536) | class Scheduler(object):
method __init__ (line 545) | def __init__(self, maxcount=None):
method initialize (line 552) | def initialize(self):
method stop (line 633) | def stop(self):
method start (line 639) | def start(self):
FILE: lib/cuckoo/core/startup.py
function check_python_version (line 39) | def check_python_version():
function check_working_directory (line 49) | def check_working_directory():
function check_configs (line 64) | def check_configs():
function create_structure (line 85) | def create_structure():
function check_version (line 100) | def check_version():
class DatabaseHandler (line 140) | class DatabaseHandler(logging.Handler):
method emit (line 145) | def emit(self, record):
class ConsoleHandler (line 150) | class ConsoleHandler(logging.StreamHandler):
method emit (line 153) | def emit(self, record):
function init_logging (line 168) | def init_logging():
function init_console_logging (line 186) | def init_console_logging():
function init_tasks (line 196) | def init_tasks():
function delete_file (line 217) | def delete_file(*rel_path):
function init_modules (line 232) | def init_modules(machinery=True):
function init_yara (line 274) | def init_yara():
function init_binaries (line 317) | def init_binaries():
function init_rooter (line 337) | def init_rooter():
function init_routing (line 384) | def init_routing():
function cuckoo_clean (line 467) | def cuckoo_clean():
function drop_privileges (line 538) | def drop_privileges(username):
FILE: modules/auxiliary/mitm.py
class MITM (line 19) | class MITM(Auxiliary):
method __init__ (line 22) | def __init__(self):
method start (line 26) | def start(self):
method stop (line 103) | def stop(self):
FILE: modules/auxiliary/services.py
class Services (line 18) | class Services(Auxiliary):
method start_service (line 23) | def start_service(self, service):
method stop_service (line 33) | def stop_service(self, task_id):
method start (line 37) | def start(self):
method stop (line 70) | def stop(self):
FILE: modules/auxiliary/sniffer.py
class Sniffer (line 17) | class Sniffer(Auxiliary):
method __init__ (line 21) | def __init__(self):
method start (line 25) | def start(self):
method stop (line 109) | def stop(self):
FILE: modules/detection/apistats.py
class Apistats (line 14) | class Apistats(Detection):
method load_features (line 17) | def load_features(self, key):
method load_model (line 32) | def load_model(self):
method predict (line 45) | def predict(self):
method run (line 53) | def run(self):
FILE: modules/detection/malconv.py
class MalConv (line 21) | class MalConv(Detection):
method load_model (line 27) | def load_model(self):
method run (line 42) | def run(self):
class PreMalConv (line 77) | class PreMalConv(nn.Module):
method __init__ (line 82) | def __init__(self, input_length=2 ** 20, window_size=500):
method forward (line 97) | def forward(self, x):
class ExeDataset (line 120) | class ExeDataset(Dataset):
method __init__ (line 124) | def __init__(self, fp_list, data_path, label_list = None, first_n_byte...
method __len__ (line 145) | def __len__(self):
method __getitem__ (line 151) | def __getitem__(self, idx):
FILE: modules/detection/model.py
class MalConv (line 12) | class MalConv(nn.Module):
method __init__ (line 14) | def __init__(self,input_length=2000000,window_size=500):
method forward (line 36) | def forward(self,x):
class PreMalConv (line 56) | class PreMalConv(nn.Module):
method __init__ (line 72) | def __init__(self, input_length=2 ** 20, window_size=500):
method forward (line 89) | def forward(self, x):
class ExeDataset (line 111) | class ExeDataset(Dataset):
method __init__ (line 115) | def __init__(self, fp_list, data_path, label_list = None, first_n_byte...
method __len__ (line 122) | def __len__(self):
method __getitem__ (line 128) | def __getitem__(self, idx):
FILE: modules/detection/strings.py
class Strings_ngram (line 19) | class Strings_ngram(Detection):
method load_features (line 22) | def load_features(self, key):
method load_model (line 38) | def load_model(self):
method predict (line 51) | def predict(self):
method run (line 62) | def run(self):
FILE: modules/machinery/avd.py
class Avd (line 20) | class Avd(Machinery):
method _initialize_check (line 23) | def _initialize_check(self):
method start (line 67) | def start(self, label, task):
method stop (line 80) | def stop(self, label):
method _list (line 88) | def _list(self):
method _status (line 94) | def _status(self, label):
method duplicate_reference_machine (line 101) | def duplicate_reference_machine(self, label):
method delete_old_emulator (line 131) | def delete_old_emulator(self, label):
method replace_content_in_file (line 146) | def replace_content_in_file(self, fileName, contentToReplace, replacem...
method start_emulator (line 161) | def start_emulator(self, label, task):
method stop_emulator (line 198) | def stop_emulator(self, label):
method wait_for_device_ready (line 220) | def wait_for_device_ready(self, label):
method port_forward (line 280) | def port_forward(self, label):
method start_agent (line 288) | def start_agent(self, label):
method check_adb_recognize_emulator (line 296) | def check_adb_recognize_emulator(self, label):
method restart_adb_server (line 313) | def restart_adb_server(self):
method get_task_id (line 327) | def get_task_id(self, label):
class OSCommand (line 335) | class OSCommand(object):
method executeAsyncCommand (line 339) | def executeAsyncCommand(commandAndArgs):
method executeCommand (line 343) | def executeCommand(commandAndArgs):
FILE: modules/machinery/esx.py
class ESX (line 13) | class ESX(LibVirtMachinery):
method _initialize_check (line 16) | def _initialize_check(self):
method _auth_callback (line 31) | def _auth_callback(self, credentials, user_data):
method _connect (line 42) | def _connect(self):
method _global_connect (line 48) | def _global_connect(self):
method _disconnect (line 56) | def _disconnect(self, conn):
method __del__ (line 60) | def __del__(self):
FILE: modules/machinery/kvm.py
class KVM (line 8) | class KVM(LibVirtMachinery):
FILE: modules/machinery/physical.py
class Physical (line 31) | class Physical(Machinery):
method _initialize_check (line 39) | def _initialize_check(self):
method _get_machine (line 65) | def _get_machine(self, label):
method start (line 77) | def start(self, label, task):
method stop (line 94) | def stop(self, label):
method _list (line 123) | def _list(self):
method _status (line 134) | def _status(self, label):
method fog_query (line 176) | def fog_query(self, uri, data={}):
method fog_init (line 190) | def fog_init(self):
method fog_queue_task (line 225) | def fog_queue_task(self, hostname):
method wake_on_lan (line 231) | def wake_on_lan(self, hostname):
FILE: modules/machinery/qemu.py
class QEMU (line 96) | class QEMU(Machinery):
method __init__ (line 104) | def __init__(self):
method _initialize_check (line 108) | def _initialize_check(self):
method start (line 124) | def start(self, label, task):
method stop (line 180) | def stop(self, label):
method _status (line 210) | def _status(self, name):
FILE: modules/machinery/virtualbox.py
class VirtualBox (line 20) | class VirtualBox(Machinery):
method _initialize_check (line 30) | def _initialize_check(self):
method start (line 48) | def start(self, label, task):
method dump_pcap (line 109) | def dump_pcap(self, label, task):
method stop (line 136) | def stop(self, label):
method _list (line 174) | def _list(self):
method _status (line 204) | def _status(self, label):
method dump_memory (line 247) | def dump_memory(self, label, path):
FILE: modules/machinery/vmware.py
class VMware (line 20) | class VMware(Machinery):
method _initialize_check (line 26) | def _initialize_check(self):
method _check_vmx (line 51) | def _check_vmx(self, vmx_path):
method _check_snapshot (line 64) | def _check_snapshot(self, vmx_path, snapshot):
method start (line 89) | def start(self, vmx_path, task):
method stop (line 124) | def stop(self, vmx_path):
method _revert (line 146) | def _revert(self, vmx_path, snapshot):
method _is_running (line 166) | def _is_running(self, vmx_path):
method _snapshot_from_vmx (line 188) | def _snapshot_from_vmx(self, vmx_path):
method dump_memory (line 196) | def dump_memory(self, vmx_path, path):
FILE: modules/machinery/vsphere.py
class vSphere (line 28) | class vSphere(Machinery):
method __init__ (line 37) | def __init__(self):
method _initialize (line 44) | def _initialize(self, module_name):
method _initialize_check (line 53) | def _initialize_check(self):
method start (line 117) | def start(self, label, task):
method stop (line 132) | def stop(self, label):
method dump_memory (line 145) | def dump_memory(self, label, path):
method _list (line 161) | def _list(self):
method _status (line 169) | def _status(self, label):
method _get_virtual_machines (line 184) | def _get_virtual_machines(self, conn):
method _get_virtual_machine_by_label (line 200) | def _get_virtual_machine_by_label(self, conn, label):
method _get_snapshot_by_name (line 206) | def _get_snapshot_by_name(self, vm, name):
method _get_snapshot_power_state (line 214) | def _get_snapshot_power_state(self, vm, name):
method _create_snapshot (line 221) | def _create_snapshot(self, vm, name):
method _delete_snapshot (line 234) | def _delete_snapshot(self, vm, name):
method _revert_snapshot (line 249) | def _revert_snapshot(self, vm, name):
method _download_snapshot (line 264) | def _download_snapshot(self, conn, vm, name, path):
method _stop_virtual_machine (line 302) | def _stop_virtual_machine(self, vm):
method _wait_task (line 311) | def _wait_task(self, task):
method _traverseSnapshots (line 328) | def _traverseSnapshots(self, root):
FILE: modules/machinery/xenserver.py
class XenServerMachinery (line 25) | class XenServerMachinery(Machinery):
method _initialize_check (line 36) | def _initialize_check(self):
method session (line 71) | def session(self):
method _make_xenapi_session (line 78) | def _make_xenapi_session(self, tid=None):
method _get_vm_ref (line 99) | def _get_vm_ref(self, uuid):
method _get_vm_record (line 105) | def _get_vm_record(self, ref):
method _get_vm_power_state (line 111) | def _get_vm_power_state(self, ref):
method _check_vm (line 117) | def _check_vm(self, uuid):
method _check_snapshot (line 139) | def _check_snapshot(self, vm_uuid, snapshot_uuid):
method _check_disks_reset (line 164) | def _check_disks_reset(self, vm):
method _snapshot_from_vm_uuid (line 190) | def _snapshot_from_vm_uuid(self, uuid):
method _is_halted (line 197) | def _is_halted(self, vm):
method start (line 203) | def start(self, label, task):
method stop (line 241) | def stop(self, label=None):
method _list (line 256) | def _list(self):
method _status (line 270) | def _status(self, label):
FILE: modules/processing/analysisinfo.py
class AnalysisInfo (line 19) | class AnalysisInfo(Processing):
method run (line 22) | def run(self):
class MetaInfo (line 62) | class MetaInfo(Processing):
method run (line 65) | def run(self):
FILE: modules/processing/apkinfo.py
class ApkInfo (line 29) | class ApkInfo(Processing):
method check_size (line 32) | def check_size(self, file_list):
method _apk_files (line 44) | def _apk_files(self, apk):
method run (line 57) | def run(self):
method get_methods (line 112) | def get_methods(self, vmx):
FILE: modules/processing/baseline.py
class Baseline (line 15) | class Baseline(Processing):
method deep_tuple (line 19) | def deep_tuple(self, o, bl=None):
method normalize (line 36) | def normalize(self, plugin, o):
method memory (line 42) | def memory(self, baseline, report):
method store_baseline (line 77) | def store_baseline(self, machine, baseline):
method run (line 86) | def run(self):
FILE: modules/processing/behavior.py
class Summary (line 19) | class Summary(BehaviorHandler):
method __init__ (line 25) | def __init__(self, *args, **kwargs):
method handle_event (line 29) | def handle_event(self, event):
method run (line 32) | def run(self):
class Anomaly (line 37) | class Anomaly(BehaviorHandler):
method __init__ (line 46) | def __init__(self, *args, **kwargs):
method handle_event (line 50) | def handle_event(self, call):
method run (line 73) | def run(self):
class ProcessTree (line 77) | class ProcessTree(BehaviorHandler):
method __init__ (line 83) | def __init__(self, *args, **kwargs):
method handle_event (line 87) | def handle_event(self, process):
method run (line 105) | def run(self):
class GenericBehavior (line 113) | class GenericBehavior(BehaviorHandler):
method __init__ (line 119) | def __init__(self, *args, **kwargs):
method handle_process_event (line 123) | def handle_process_event(self, process):
method handle_generic_event (line 136) | def handle_generic_event(self, event):
method run (line 144) | def run(self):
class ApiStats (line 151) | class ApiStats(BehaviorHandler):
method __init__ (line 156) | def __init__(self, *args, **kwargs):
method handle_event (line 160) | def handle_event(self, event):
method run (line 163) | def run(self):
class PlatformInfo (line 166) | class PlatformInfo(BehaviorHandler):
class BehaviorAnalysis (line 179) | class BehaviorAnalysis(Processing):
method _enum_logs (line 226) | def _enum_logs(self):
method run (line 252) | def run(self):
FILE: modules/processing/buffer.py
class DroppedBuffer (line 12) | class DroppedBuffer(Processing):
method run (line 15) | def run(self):
FILE: modules/processing/cuckooml.py
function init_cuckooml (line 33) | def init_cuckooml():
class ML (line 173) | class ML(object):
method __init__ (line 391) | def __init__(self, context="standalone"):
method __log_bin (line 403) | def __log_bin(self, value, base=3):
method __normalise_string (line 414) | def __normalise_string(self, string):
method __simplify_string (line 422) | def __simplify_string(self, string, distinguish_voyels=False):
method __n_grams (line 450) | def __n_grams(self, string, n=3, reorder=False):
method __handle_string (line 471) | def __handle_string(self, string):
method extract_labels (line 485) | def extract_labels(self, labels):
method load_labels (line 490) | def load_labels(self, labels):
method extract_simple_features (line 495) | def extract_simple_features(self, simple_features):
method load_simple_features (line 516) | def load_simple_features(self, simple_features):
method export_simple_dataset (line 523) | def export_simple_dataset(self, filename="simple_dataset.csv"):
method simple_feature_category (line 539) | def simple_feature_category(self, category="properties"):
method extract_features (line 550) | def extract_features(self, features, include_API_calls=False, \
method load_features (line 706) | def load_features(self, features, include_API_calls=False, \
method export_dataset (line 713) | def export_dataset(self, filename="dataset.csv"):
method feature_category (line 729) | def feature_category(self, category="static", complement=False):
method filter_dataset (line 779) | def filter_dataset(self, dataset=None, feature_coverage=0.1,
method detect_abnormal_behaviour (line 801) | def detect_abnormal_behaviour(self, count_dataset=None, figures=True):
method visualise_data (line 852) | def visualise_data(self, data=None, labels=None, learning_rate=200,
method save_dataset (line 877) | def save_dataset(self, filename="custom_dataset.csv", features=None, \
method cluster_dbscan (line 898) | def cluster_dbscan(self, features=None, eps=20.0, min_samples=5, dry=F...
method cluster_hdbscan (line 932) | def cluster_hdbscan(self, features=None, min_samples=1, \
method save_clustering_results (line 975) | def save_clustering_results(self, loader, save_location=""):
method anomaly_detection (line 1004) | def anomaly_detection(self, samples=None, labels=None,
method compare_sample (line 1054) | def compare_sample(self, sample, amend=False):
method assess_clustering (line 1090) | def assess_clustering(self, clustering, labels, data=None,
method clustering_label_distribution (line 1137) | def clustering_label_distribution(self, clustering, labels, plot=False):
class Loader (line 1177) | class Loader(object):
method __init__ (line 1180) | def __init__(self):
method load_binaries (line 1186) | def load_binaries(self, directory):
method update_binaries (line 1197) | def update_binaries(self, elements, root, locations):
method save_binaries (line 1210) | def save_binaries(self, alternative_location=""):
method get_labels (line 1230) | def get_labels(self):
method get_features (line 1238) | def get_features(self):
method get_simple_features (line 1246) | def get_simple_features(self):
class Instance (line 1254) | class Instance(object):
method __init__ (line 1259) | def __init__(self):
method load_json (line 1271) | def load_json(self, json_file, name="unknown"):
method label_sample (line 1300) | def label_sample(self, external_labels=None, label_type="family"):
method update (line 1325) | def update(self, element, location):
method save_json (line 1338) | def save_json(self, root_dir):
method extract_features (line 1344) | def extract_features(self):
method extract_features_static (line 1350) | def extract_features_static(self):
method extract_features_dynamic (line 1360) | def extract_features_dynamic(self):
method feature_static_metadata (line 1369) | def feature_static_metadata(self):
method feature_static_signature (line 1397) | def feature_static_signature(self):
method feature_static_heuristic (line 1414) | def feature_static_heuristic(self):
method feature_static_packer (line 1420) | def feature_static_packer(self):
method feature_static_pef (line 1427) | def feature_static_pef(self):
method feature_static_imports (line 1465) | def feature_static_imports(self):
method feature_dynamic_imports (line 1486) | def feature_dynamic_imports(self):
method feature_dynamic_filesystem (line 1505) | def feature_dynamic_filesystem(self):
method feature_dynamic_network (line 1579) | def feature_dynamic_network(self):
method feature_dynamic_registry (line 1631) | def feature_dynamic_registry(self):
method feature_dynamic_windowsapi (line 1643) | def feature_dynamic_windowsapi(self):
method extract_basic_features (line 1655) | def extract_basic_features(self):
FILE: modules/processing/debug.py
class Debug (line 14) | class Debug(Processing):
method run (line 17) | def run(self):
FILE: modules/processing/droidmon.py
class Droidmon (line 15) | class Droidmon(Processing):
method __init__ (line 18) | def __init__(self):
method _handle_android_os_SystemProperties_get (line 60) | def _handle_android_os_SystemProperties_get(self, api_call):
method _handle_javax_crypto_spec_SecretKeySpec_javax_crypto_spec_SecretKeySpec (line 63) | def _handle_javax_crypto_spec_SecretKeySpec_javax_crypto_spec_SecretKe...
method _handle_javax_crypto_Cipher_doFinal (line 74) | def _handle_javax_crypto_Cipher_doFinal(self, api_call):
method _handle_java_lang_reflect_Method_invoke (line 81) | def _handle_java_lang_reflect_Method_invoke(self, api_call):
method _handle_dalvik_system_BaseDexClassLoader_findResource (line 89) | def _handle_dalvik_system_BaseDexClassLoader_findResource(self, api_ca...
method _handle_android_app_Activity_startActivity (line 92) | def _handle_android_app_Activity_startActivity(self, api_call):
method _handle_java_lang_Runtime_exec (line 95) | def _handle_java_lang_Runtime_exec(self, api_call):
method _handle_java_lang_ProcessBuilder_start (line 102) | def _handle_java_lang_ProcessBuilder_start(self, api_call):
method _handle_libcore_io_IoBridge_open (line 106) | def _handle_libcore_io_IoBridge_open(self, api_call):
method _handle_android_app_ActivityThread_handleReceiver (line 109) | def _handle_android_app_ActivityThread_handleReceiver(self, api_call):
method _handle_android_app_ContextImpl_registerReceiver (line 112) | def _handle_android_app_ContextImpl_registerReceiver(self, api_call):
method _handle_android_telephony_TelephonyManager_getDeviceId (line 118) | def _handle_android_telephony_TelephonyManager_getDeviceId(self, api_c...
method _handle_android_telephony_TelephonyManager_getNetworkOperatorName (line 121) | def _handle_android_telephony_TelephonyManager_getNetworkOperatorName(...
method _handle_android_telephony_TelephonyManager_getSubscriberId (line 124) | def _handle_android_telephony_TelephonyManager_getSubscriberId(self, a...
method _handle_android_telephony_TelephonyManager_getLine1Number (line 127) | def _handle_android_telephony_TelephonyManager_getLine1Number(self, ap...
method _handle_android_telephony_TelephonyManager_getNetworkOperator (line 130) | def _handle_android_telephony_TelephonyManager_getNetworkOperator(self...
method _handle_android_telephony_TelephonyManager_getSimOperatorName (line 133) | def _handle_android_telephony_TelephonyManager_getSimOperatorName(self...
method _handle_android_telephony_TelephonyManager_getSimCountryIso (line 136) | def _handle_android_telephony_TelephonyManager_getSimCountryIso(self, ...
method _handle_android_telephony_TelephonyManager_getSimSerialNumber (line 139) | def _handle_android_telephony_TelephonyManager_getSimSerialNumber(self...
method _handle_android_telephony_TelephonyManager_getNetworkCountryIso (line 142) | def _handle_android_telephony_TelephonyManager_getNetworkCountryIso(se...
method _handle_android_telephony_TelephonyManager_getDeviceSoftwareVersion (line 145) | def _handle_android_telephony_TelephonyManager_getDeviceSoftwareVersio...
method _handle_android_net_wifi_WifiInfo_getMacAddress (line 148) | def _handle_android_net_wifi_WifiInfo_getMacAddress(self, api_call):
method _handle_android_app_SharedPreferencesImpl_EditorImpl_putInt (line 151) | def _handle_android_app_SharedPreferencesImpl_EditorImpl_putInt(self, ...
method _handle_android_app_SharedPreferencesImpl_EditorImpl_putString (line 154) | def _handle_android_app_SharedPreferencesImpl_EditorImpl_putString(sel...
method _handle_android_app_SharedPreferencesImpl_EditorImpl_putFloat (line 157) | def _handle_android_app_SharedPreferencesImpl_EditorImpl_putFloat(self...
method _handle_android_app_SharedPreferencesImpl_EditorImpl_putBoolean (line 160) | def _handle_android_app_SharedPreferencesImpl_EditorImpl_putBoolean(se...
method _handle_android_app_SharedPreferencesImpl_EditorImpl_putLong (line 163) | def _handle_android_app_SharedPreferencesImpl_EditorImpl_putLong(self,...
method _handle_android_content_ContentResolver_query (line 166) | def _handle_android_content_ContentResolver_query(self, api_call):
method _handle_android_content_ContentValues_put (line 169) | def _handle_android_content_ContentValues_put(self, api_call):
method _handle_javax_crypto_Mac_doFinal (line 172) | def _handle_javax_crypto_Mac_doFinal(self, api_call):
method _handle_android_util_Base64_encodeToString (line 175) | def _handle_android_util_Base64_encodeToString(self, api_call):
method _handle_android_util_Base64_encode (line 178) | def _handle_android_util_Base64_encode(self, api_call):
method _handle_android_app_ApplicationPackageManager_setComponentEnabledSetting (line 181) | def _handle_android_app_ApplicationPackageManager_setComponentEnabledS...
method _handle_android_location_Location_getLatitude (line 196) | def _handle_android_location_Location_getLatitude(self, api_call):
method _handle_android_location_Location_getLongitude (line 199) | def _handle_android_location_Location_getLongitude(self, api_call):
method _handle_android_app_ApplicationPackageManager_getInstalledPackages (line 202) | def _handle_android_app_ApplicationPackageManager_getInstalledPackages...
method _handle_dalvik_system_BaseDexClassLoader_findLibrary (line 205) | def _handle_dalvik_system_BaseDexClassLoader_findLibrary(self, api_call):
method _handle_android_telephony_SmsManager_sendTextMessage (line 208) | def _handle_android_telephony_SmsManager_sendTextMessage(self, api_call):
method _handle_android_util_Base64_decode (line 214) | def _handle_android_util_Base64_decode(self, api_call):
method _handle_android_telephony_TelephonyManager_listen (line 217) | def _handle_android_telephony_TelephonyManager_listen(self, api_call):
method _handle_android_content_ContentResolver_registerContentObserver (line 230) | def _handle_android_content_ContentResolver_registerContentObserver(se...
method _handle_android_content_ContentResolver_insert (line 233) | def _handle_android_content_ContentResolver_insert(self, api_call):
method _handle_android_accounts_AccountManager_getAccountsByType (line 236) | def _handle_android_accounts_AccountManager_getAccountsByType(self, ap...
method _handle_dalvik_system_BaseDexClassLoader_findResources (line 240) | def _handle_dalvik_system_BaseDexClassLoader_findResources(self, api_c...
method _handle_android_accounts_AccountManager_getAccounts (line 243) | def _handle_android_accounts_AccountManager_getAccounts(self, api_call):
method _handle_android_telephony_SmsManager_sendMultipartTextMessage (line 246) | def _handle_android_telephony_SmsManager_sendMultipartTextMessage(self...
method _handle_android_content_ContentResolver_delete (line 252) | def _handle_android_content_ContentResolver_delete(self, api_call):
method _handle_android_media_AudioRecord_startRecording (line 255) | def _handle_android_media_AudioRecord_startRecording(self, api_call):
method _handle_android_media_MediaRecorder_start (line 258) | def _handle_android_media_MediaRecorder_start(self, api_call):
method _handle_android_content_BroadcastReceiver_abortBroadcast (line 261) | def _handle_android_content_BroadcastReceiver_abortBroadcast(self, api...
method _handle_dalvik_system_DexFile_loadDex (line 264) | def _handle_dalvik_system_DexFile_loadDex(self, api_call):
method _handle_dalvik_system_DexClass_dalvik_system_DexClassLoader (line 267) | def _handle_dalvik_system_DexClass_dalvik_system_DexClassLoader(self, ...
method _handle_dalvik_system_DexFile_dalvik_system_DexFile (line 270) | def _handle_dalvik_system_DexFile_dalvik_system_DexFile(self, api_call):
method _handle_dalvik_system_PathClassLoader_dalvik_system_PathClassLoader (line 273) | def _handle_dalvik_system_PathClassLoader_dalvik_system_PathClassLoade...
method _handle_android_app_ActivityManager_killBackgroundProcesses (line 276) | def _handle_android_app_ActivityManager_killBackgroundProcesses(self, ...
method _handle_android_os_Process_killProcess (line 279) | def _handle_android_os_Process_killProcess(self, api_call):
method _handle_android_net_ConnectivityManager_setMobileDataEnabled (line 282) | def _handle_android_net_ConnectivityManager_setMobileDataEnabled(self,...
method _handle_org_apache_http_impl_client_AbstractHttpClient_execute (line 285) | def _handle_org_apache_http_impl_client_AbstractHttpClient_execute(sel...
method _handle_java_net_URL_openConnection (line 294) | def _handle_java_net_URL_openConnection(self, api_call):
method _handle_dalvik_system_DexFile_loadClass (line 307) | def _handle_dalvik_system_DexFile_loadClass(self, api_call):
method _handle_java_io_FileOutputStream_write (line 310) | def _handle_java_io_FileOutputStream_write(self, api_call):
method _handle_java_io_FileInputStream_read (line 316) | def _handle_java_io_FileInputStream_read(self, api_call):
method get_pair (line 321) | def get_pair(self, api_call):
method lib_pairs (line 331) | def lib_pairs(self, api_call, key):
method keyCleaner (line 342) | def keyCleaner(self, d):
method run (line 356) | def run(self):
FILE: modules/processing/dropped.py
class Dropped (line 13) | class Dropped(Processing):
method run (line 16) | def run(self):
FILE: modules/processing/dumptls.py
class TLSMasterSecrets (line 12) | class TLSMasterSecrets(Processing):
method run (line 20) | def run(self):
FILE: modules/processing/googleplay.py
class GooglePlay (line 30) | class GooglePlay(Processing):
method run (line 33) | def run(self):
FILE: modules/processing/memory.py
class VolatilityAPI (line 42) | class VolatilityAPI(object):
method __init__ (line 49) | def __init__(self, memdump, osprofile=None):
method get_dtb (line 61) | def get_dtb(self):
method init_config (line 72) | def init_config(self):
method pslist (line 124) | def pslist(self):
method psxview (line 148) | def psxview(self):
method callbacks (line 173) | def callbacks(self):
method idt (line 200) | def idt(self):
method gdt (line 230) | def gdt(self):
method ssdt (line 279) | def ssdt(self):
method timers (line 355) | def timers(self):
method messagehooks (line 388) | def messagehooks(self):
method getsids (line 435) | def getsids(self):
method privs (line 469) | def privs(self):
method malfind (line 505) | def malfind(self, dump_dir=None):
method yarascan (line 533) | def yarascan(self):
method apihooks (line 570) | def apihooks(self):
method dlllist (line 602) | def dlllist(self):
method handles (line 630) | def handles(self):
method ldrmodules (line 651) | def ldrmodules(self):
method mutantscan (line 710) | def mutantscan(self):
method devicetree (line 741) | def devicetree(self):
method svcscan (line 801) | def svcscan(self):
method modscan (line 825) | def modscan(self):
method imageinfo (line 846) | def imageinfo(self):
method sockscan (line 865) | def sockscan(self):
method netscan (line 886) | def netscan(self):
class VolatilityManager (line 909) | class VolatilityManager(object):
method __init__ (line 936) | def __init__(self, memfile, osprofile=None):
method get_osprofile (line 960) | def get_osprofile(self):
method run (line 964) | def run(self):
method mask_filter (line 1003) | def mask_filter(self, old):
method find_taint (line 1023) | def find_taint(self, res):
method cleanup (line 1029) | def cleanup(self):
class Memory (line 1038) | class Memory(Processing):
method run (line 1041) | def run(self):
FILE: modules/processing/network.py
class Pcap (line 69) | class Pcap(object):
method __init__ (line 75) | def __init__(self, filepath):
method _dns_gethostbyname (line 117) | def _dns_gethostbyname(self, name):
method _is_private_ip (line 129) | def _is_private_ip(self, ip):
method _add_hosts (line 171) | def _add_hosts(self, connection):
method _tcp_dissect (line 205) | def _tcp_dissect(self, conn, data):
method _udp_dissect (line 226) | def _udp_dissect(self, conn, data):
method _check_icmp (line 237) | def _check_icmp(self, icmp_data):
method _icmp_dissect (line 248) | def _icmp_dissect(self, conn, data):
method _check_dns (line 274) | def _check_dns(self, udpdata):
method _add_dns (line 286) | def _add_dns(self, udpdata):
method _add_domain (line 396) | def _add_domain(self, domain):
method _check_http (line 418) | def _check_http(self, tcpdata):
method _add_http (line 435) | def _add_http(self, tcpdata, dport):
method _https_identify (line 487) | def _https_identify(self, conn, data):
method _reassemble_smtp (line 532) | def _reassemble_smtp(self, conn, data):
method _process_smtp (line 543) | def _process_smtp(self):
method _check_irc (line 550) | def _check_irc(self, tcpdata):
method _add_irc (line 563) | def _add_irc(self, tcpdata):
method run (line 583) | def run(self):
class Pcap2 (line 715) | class Pcap2(object):
method __init__ (line 720) | def __init__(self, pcap_path, tlsmaster, network_path):
method run (line 733) | def run(self):
class NetworkAnalysis (line 775) | class NetworkAnalysis(Processing):
method run (line 781) | def run(self):
method get_tlsmaster (line 834) | def get_tlsmaster(self):
function iplayer_from_raw (line 847) | def iplayer_from_raw(raw, linktype=1):
function conn_from_flowtuple (line 863) | def conn_from_flowtuple(ft):
function batch_sort (line 873) | def batch_sort(input_iterator, output_path, buffer_size=32000, output_cl...
class SortCap (line 907) | class SortCap(object):
method __init__ (line 911) | def __init__(self, path, linktype=1):
method write (line 918) | def write(self, p):
method __iter__ (line 923) | def __iter__(self):
method close (line 930) | def close(self):
method next (line 935) | def next(self):
function sort_pcap (line 956) | def sort_pcap(inpath, outpath):
function flowtuple_from_raw (line 962) | def flowtuple_from_raw(raw, linktype=1):
function payload_from_raw (line 983) | def payload_from_raw(raw, linktype=1):
function next_connection_packets (line 991) | def next_connection_packets(piter, linktype=1):
function packets_for_stream (line 1011) | def packets_for_stream(fobj, offset):
FILE: modules/processing/platform/linux.py
class FilteredProcessLog (line 17) | class FilteredProcessLog(list):
method __init__ (line 18) | def __init__(self, eventstream, **kwfilters):
method __iter__ (line 22) | def __iter__(self):
method __nonzero__ (line 31) | def __nonzero__(self):
class LinuxSystemTap (line 34) | class LinuxSystemTap(BehaviorHandler):
method __init__ (line 39) | def __init__(self, *args, **kwargs):
method _check_for_probelkm (line 49) | def _check_for_probelkm(self):
method handles_path (line 59) | def handles_path(self, path):
method parse (line 64) | def parse(self, path):
method run (line 90) | def run(self):
class StapParser (line 97) | class StapParser(object):
method __init__ (line 100) | def __init__(self, fd):
method __iter__ (line 103) | def __iter__(self):
FILE: modules/processing/platform/windows.py
class MonitorProcessLog (line 16) | class MonitorProcessLog(list):
method __init__ (line 20) | def __init__(self, eventstream):
method init (line 25) | def init(self):
method _api_COleScript_Compile (line 30) | def _api_COleScript_Compile(self, event):
method _api_CWindow_AddTimeoutCode (line 35) | def _api_CWindow_AddTimeoutCode(self, event):
method _api_CElement_put_innerHTML (line 39) | def _api_CElement_put_innerHTML(self, event):
method _api_CDocument_write (line 43) | def _api_CDocument_write(self, event):
method _api_CIFrameElement_CreateElement (line 48) | def _api_CIFrameElement_CreateElement(self, event):
method _remember_service_name (line 56) | def _remember_service_name(self, event):
method _add_service_name (line 70) | def _add_service_name(self, event):
method _vbe6_newobject (line 81) | def _vbe6_newobject(self, event):
method _api_vbe6_StringConcat (line 91) | def _api_vbe6_StringConcat(self, event):
method _api_vbe6_Import (line 94) | def _api_vbe6_Import(self, event):
method _api_vbe6_GetIDFromName (line 100) | def _api_vbe6_GetIDFromName(self, event):
method _api_vbe6_Invoke (line 111) | def _api_vbe6_Invoke(self, event):
method _api_pdf_eval (line 126) | def _api_pdf_eval(self, event):
method _api_pdf_unescape (line 131) | def _api_pdf_unescape(self, event):
method _api_modifier (line 150) | def _api_modifier(self, event):
method __iter__ (line 162) | def __iter__(self):
method __nonzero__ (line 192) | def __nonzero__(self):
class WindowsMonitor (line 208) | class WindowsMonitor(BehaviorHandler):
method __init__ (line 212) | def __init__(self, *args, **kwargs):
method handles_path (line 218) | def handles_path(self, path):
method parse (line 223) | def parse(self, path):
method run (line 259) | def run(self):
function NT_SUCCESS (line 266) | def NT_SUCCESS(value):
class BehaviorReconstructor (line 269) | class BehaviorReconstructor(object):
method __init__ (line 271) | def __init__(self):
method process_apicall (line 274) | def process_apicall(self, event):
method _api_CreateDirectoryW (line 282) | def _api_CreateDirectoryW(self, return_value, arguments, flags):
method _api_RemoveDirectoryA (line 287) | def _api_RemoveDirectoryA(self, return_value, arguments, flags):
method _api_MoveFileWithProgressW (line 292) | def _api_MoveFileWithProgressW(self, return_value, arguments, flags):
method _api_CopyFileA (line 296) | def _api_CopyFileA(self, return_value, arguments, flags):
method _api_DeleteFileA (line 303) | def _api_DeleteFileA(self, return_value, arguments, flags):
method _api_FindFirstFileExA (line 309) | def _api_FindFirstFileExA(self, return_value, arguments, flags):
method _api_LdrLoadDll (line 314) | def _api_LdrLoadDll(self, return_value, arguments, flags):
method _api_NtCreateFile (line 317) | def _api_NtCreateFile(self, return_value, arguments, flags):
method _api_NtReadFile (line 336) | def _api_NtReadFile(self, return_value, arguments, flags):
method _api_NtWriteFile (line 341) | def _api_NtWriteFile(self, return_value, arguments, flags):
method _api_GetFileAttributesW (line 346) | def _api_GetFileAttributesW(self, return_value, arguments, flags):
method _api_RegOpenKeyExA (line 353) | def _api_RegOpenKeyExA(self, return_value, arguments, flags):
method _api_RegDeleteKeyA (line 360) | def _api_RegDeleteKeyA(self, return_value, arguments, flags):
method _api_RegQueryValueExA (line 368) | def _api_RegQueryValueExA(self, return_value, arguments, flags):
method _api_RegSetValueExA (line 374) | def _api_RegSetValueExA(self, return_value, arguments, flags):
method _api_NtClose (line 380) | def _api_NtClose(self, return_value, arguments, flags):
method _api_URLDownloadToFileW (line 385) | def _api_URLDownloadToFileW(self, return_value, arguments, flags):
method _api_InternetConnectA (line 392) | def _api_InternetConnectA(self, return_value, arguments, flags):
method _api_InternetOpenUrlA (line 397) | def _api_InternetOpenUrlA(self, return_value, arguments, flags):
method _api_DnsQuery_A (line 402) | def _api_DnsQuery_A(self, return_value, arguments, flags):
method _api_connect (line 412) | def _api_connect(self, return_value, arguments, flags):
method _api_NtCreateMutant (line 417) | def _api_NtCreateMutant(self, return_value, arguments, flags):
method _api_CreateProcessInternalW (line 425) | def _api_CreateProcessInternalW(self, return_value, arguments, flags):
method _api_ShellExecuteExW (line 430) | def _api_ShellExecuteExW(self, return_value, arguments, flags):
method _api_system (line 437) | def _api_system(self, return_value, arguments, flags):
method _api_IWbemServices_ExecQuery (line 442) | def _api_IWbemServices_ExecQuery(self, return_value, arguments, flags):
method _api_IWbemServices_ExecQueryAsync (line 445) | def _api_IWbemServices_ExecQueryAsync(self, return_value, arguments, f...
method _api_CoCreateInstance (line 450) | def _api_CoCreateInstance(self, return_value, arguments, flags):
method _api_CoCreateInstanceEx (line 456) | def _api_CoCreateInstanceEx(self, return_value, arguments, flags):
method _api_CoGetClassObject (line 464) | def _api_CoGetClassObject(self, return_value, arguments, flags):
method _api_Ssl3GenerateKeyMaterial (line 472) | def _api_Ssl3GenerateKeyMaterial(self, return_value, arguments, flags):
method _api_PRF (line 482) | def _api_PRF(self, return_value, arguments, flags):
FILE: modules/processing/procmemory.py
class ProcessMemory (line 42) | class ProcessMemory(Processing):
method read_dump (line 44) | def read_dump(self, filepath):
method create_idapy (line 66) | def create_idapy(self, process):
method _fixup_pe_header (line 100) | def _fixup_pe_header(self, pe):
method dump_images (line 122) | def dump_images(self, process, drop_dlls=False):
method run (line 185) | def run(self):
FILE: modules/processing/screenshots.py
class Screenshots (line 15) | class Screenshots(Processing):
method run (line 18) | def run(self):
FILE: modules/processing/snort.py
class Snort (line 18) | class Snort(Processing):
method run (line 30) | def run(self):
FILE: modules/processing/static.py
class PortableExecutable (line 55) | class PortableExecutable(object):
method __init__ (line 58) | def __init__(self, file_path):
method _get_filetype (line 63) | def _get_filetype(self, data):
method _get_peid_signatures (line 89) | def _get_peid_signatures(self):
method _get_imported_symbols (line 102) | def _get_imported_symbols(self):
method _get_exported_symbols (line 127) | def _get_exported_symbols(self):
method _get_sections (line 145) | def _get_sections(self):
method _get_resources (line 166) | def _get_resources(self):
method _get_versioninfo (line 204) | def _get_versioninfo(self):
method _get_imphash (line 233) | def _get_imphash(self):
method _get_timestamp (line 243) | def _get_timestamp(self):
method _get_pdb_path (line 256) | def _get_pdb_path(self):
method _get_signature (line 269) | def _get_signature(self):
method run (line 318) | def run(self):
class WindowsScriptFile (line 345) | class WindowsScriptFile(object):
method __init__ (line 411) | def __init__(self, filepath):
method decode (line 414) | def decode(self, source, start="#:~^", end="^#~:"):
method run (line 443) | def run(self):
class OfficeDocument (line 470) | class OfficeDocument(object):
method __init__ (line 487) | def __init__(self, filepath):
method get_macros (line 490) | def get_macros(self):
method deobfuscate (line 514) | def deobfuscate(self, code):
method run (line 528) | def run(self):
class Static (line 542) | class Static(Processing):
method run (line 552) | def run(self):
method _get_keys (line 585) | def _get_keys(self):
FILE: modules/processing/strings.py
class Strings (line 13) | class Strings(Processing):
method run (line 16) | def run(self):
FILE: modules/processing/suricata.py
class Suricata (line 26) | class Suricata(Processing):
method process_pcap_socket (line 41) | def process_pcap_socket(self):
method process_pcap_binary (line 89) | def process_pcap_binary(self):
method parse_eve_json (line 119) | def parse_eve_json(self):
method parse_files (line 199) | def parse_files(self):
method run (line 254) | def run(self):
FILE: modules/processing/targetinfo.py
class TargetInfo (line 12) | class TargetInfo(Processing):
method run (line 15) | def run(self):
FILE: modules/processing/virustotal.py
class VirusTotal (line 18) | class VirusTotal(Processing):
method run (line 26) | def run(self):
method scan_file (line 66) | def scan_file(self, filepath, summary=False):
method scan_url (line 85) | def scan_url(self, url, summary=False):
method should_scan_file (line 99) | def should_scan_file(self, filetype):
FILE: modules/reporting/elasticsearch.py
class ElasticSearch (line 27) | class ElasticSearch(Report):
method connect (line 30) | def connect(self):
method do_index (line 52) | def do_index(self, obj):
method process_behavior (line 68) | def process_behavior(self, results, paginate=100):
method run (line 96) | def run(self, results):
FILE: modules/reporting/jsondump.py
function default (line 16) | def default(obj):
class JsonDump (line 23) | class JsonDump(Report):
method erase_calls (line 26) | def erase_calls(self, results):
method restore_calls (line 38) | def restore_calls(self, results):
method run (line 47) | def run(self, results):
FILE: modules/reporting/moloch.py
class Moloch (line 16) | class Moloch(Report):
method run (line 19) | def run(self, results):
FILE: modules/reporting/mongodb.py
class MongoDB (line 23) | class MongoDB(Report):
method connect (line 29) | def connect(self):
method store_file (line 47) | def store_file(self, file_obj, filename=""):
method run (line 76) | def run(self, results):
FILE: modules/reporting/reporthtml.py
class ReportHTML (line 23) | class ReportHTML(Report):
method run (line 26) | def run(self, results):
FILE: oldweb/analysis/forms.py
class CommentForm (line 10) | class CommentForm(forms.ModelForm):
class Meta (line 11) | class Meta:
class TagForm (line 15) | class TagForm(forms.ModelForm):
class Meta (line 16) | class Meta:
FILE: oldweb/analysis/templatetags/analysis_tags.py
function mongo_id (line 4) | def mongo_id(value):
function is_dict (line 15) | def is_dict(value):
function get_item (line 20) | def get_item(dictionary, key):
function filter_key_if_has (line 24) | def filter_key_if_has(l, key):
function custom_length (line 32) | def custom_length(dictionary, keys):
function volsort (line 42) | def volsort(l):
function isdeadip (line 57) | def isdeadip(ipaddr, analysis):
function sigsort (line 68) | def sigsort(l):
function ensurelist (line 91) | def ensurelist(o):
function sizeof_fmt (line 97) | def sizeof_fmt(num):
function process_name (line 106) | def process_name(pid, analysis):
FILE: oldweb/analysis/views.py
function index (line 38) | def index(request):
function pending (line 74) | def pending(request):
function chunk (line 87) | def chunk(request, task_id, pid, pagenum):
function filtered_chunk (line 131) | def filtered_chunk(request, task_id, pid, category):
function search_behavior (line 182) | def search_behavior(request, task_id):
function report (line 250) | def report(request, task_id):
function latest_report (line 297) | def latest_report(request):
function file (line 302) | def file(request, category, object_id):
function moloch (line 335) | def moloch(request, **kwargs):
function full_memory_dump_file (line 361) | def full_memory_dump_file(request, analysis_number):
function _search_helper (line 373) | def _search_helper(obj, k, value):
function search (line 391) | def search(request):
function remove (line 440) | def remove(request, task_id):
function pcapstream (line 506) | def pcapstream(request, task_id, conntuple):
function export_analysis (line 555) | def export_analysis(request, task_id):
function export (line 592) | def export(request, task_id):
function import_analysis (line 638) | def import_analysis(request):
FILE: oldweb/compare/views.py
function left (line 19) | def left(request, left_id):
function hash (line 55) | def hash(request, left_id, right_hash):
function both (line 93) | def both(request, left_id, right_id):
FILE: oldweb/dashboard/views.py
function timestamp (line 19) | def timestamp(dt):
function index (line 26) | def index(request):
FILE: oldweb/static/js/jquery.js
function s (line 2) | function s(a){var b=a.length,c=n.type(a);return"function"===c||n.isWindo...
function gb (line 2) | function gb(a,b,d,e){var f,h,j,k,l,o,r,s,w,x;if((b?b.ownerDocument||b:v)...
function hb (line 2) | function hb(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLengt...
function ib (line 2) | function ib(a){return a[u]=!0,a}
function jb (line 2) | function jb(a){var b=n.createElement("div");try{return!!a(b)}catch(c){re...
function kb (line 2) | function kb(a,b){var c=a.split("|"),e=a.length;while(e--)d.attrHandle[c[...
function lb (line 2) | function lb(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sou...
function mb (line 2) | function mb(a){return function(b){var c=b.nodeName.toLowerCase();return"...
function nb (line 2) | function nb(a){return function(b){var c=b.nodeName.toLowerCase();return(...
function ob (line 2) | function ob(a){return ib(function(b){return b=+b,ib(function(c,d){var e,...
function pb (line 2) | function pb(a){return a&&"undefined"!=typeof a.getElementsByTagName&&a}
function qb (line 2) | function qb(){}
function rb (line 2) | function rb(a){for(var b=0,c=a.length,d="";c>b;b++)d+=a[b].value;return d}
function sb (line 2) | function sb(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.firs...
function tb (line 2) | function tb(a){return a.length>1?function(b,c,d){var e=a.length;while(e-...
function ub (line 2) | function ub(a,b,c){for(var d=0,e=b.length;e>d;d++)gb(a,b[d],c);return c}
function vb (line 2) | function vb(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(...
function wb (line 2) | function wb(a,b,c,d,e,f){return d&&!d[u]&&(d=wb(d)),e&&!e[u]&&(e=wb(e,f)...
function xb (line 2) | function xb(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.r...
function yb (line 2) | function yb(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var...
function x (line 2) | function x(a,b,c){if(n.isFunction(b))return n.grep(a,function(a,d){retur...
function D (line 2) | function D(a,b){while((a=a[b])&&1!==a.nodeType);return a}
function G (line 2) | function G(a){var b=F[a]={};return n.each(a.match(E)||[],function(a,c){b...
function I (line 2) | function I(){l.removeEventListener("DOMContentLoaded",I,!1),a.removeEven...
function K (line 2) | function K(){Object.defineProperty(this.cache={},0,{get:function(){retur...
function P (line 2) | function P(a,b,c){var d;if(void 0===c&&1===a.nodeType)if(d="data-"+b.rep...
function Z (line 3) | function Z(){return!0}
function $ (line 3) | function $(){return!1}
function _ (line 3) | function _(){try{return l.activeElement}catch(a){}}
function jb (line 3) | function jb(a,b){return n.nodeName(a,"table")&&n.nodeName(11!==b.nodeTyp...
function kb (line 3) | function kb(a){return a.type=(null!==a.getAttribute("type"))+"/"+a.type,a}
function lb (line 3) | function lb(a){var b=gb.exec(a.type);return b?a.type=b[1]:a.removeAttrib...
function mb (line 3) | function mb(a,b){for(var c=0,d=a.length;d>c;c++)L.set(a[c],"globalEval",...
function nb (line 3) | function nb(a,b){var c,d,e,f,g,h,i,j;if(1===b.nodeType){if(L.hasData(a)&...
function ob (line 3) | function ob(a,b){var c=a.getElementsByTagName?a.getElementsByTagName(b||...
function pb (line 3) | function pb(a,b){var c=b.nodeName.toLowerCase();"input"===c&&T.test(a.ty...
function sb (line 3) | function sb(b,c){var d,e=n(c.createElement(b)).appendTo(c.body),f=a.getD...
function tb (line 3) | function tb(a){var b=l,c=rb[a];return c||(c=sb(a,b),"none"!==c&&c||(qb=(...
function xb (line 3) | function xb(a,b,c){var d,e,f,g,h=a.style;return c=c||wb(a),c&&(g=c.getPr...
function yb (line 3) | function yb(a,b){return{get:function(){return a()?void delete this.get:(...
function g (line 3) | function g(){f.style.cssText="-webkit-box-sizing:border-box;-moz-box-siz...
function Fb (line 3) | function Fb(a,b){if(b in a)return b;var c=b[0].toUpperCase()+b.slice(1),...
function Gb (line 3) | function Gb(a,b,c){var d=Ab.exec(b);return d?Math.max(0,d[1]-(c||0))+(d[...
function Hb (line 3) | function Hb(a,b,c,d,e){for(var f=c===(d?"border":"content")?4:"width"===...
function Ib (line 3) | function Ib(a,b,c){var d=!0,e="width"===b?a.offsetWidth:a.offsetHeight,f...
function Jb (line 3) | function Jb(a,b){for(var c,d,e,f=[],g=0,h=a.length;h>g;g++)d=a[g],d.styl...
function Kb (line 3) | function Kb(a,b,c,d,e){return new Kb.prototype.init(a,b,c,d,e)}
function Sb (line 3) | function Sb(){return setTimeout(function(){Lb=void 0}),Lb=n.now()}
function Tb (line 3) | function Tb(a,b){var c,d=0,e={height:a};for(b=b?1:0;4>d;d+=2-b)c=R[d],e[...
function Ub (line 3) | function Ub(a,b,c){for(var d,e=(Rb[b]||[]).concat(Rb["*"]),f=0,g=e.lengt...
function Vb (line 3) | function Vb(a,b,c){var d,e,f,g,h,i,j,k,l=this,m={},o=a.style,p=a.nodeTyp...
function Wb (line 3) | function Wb(a,b){var c,d,e,f,g;for(c in a)if(d=n.camelCase(c),e=b[d],f=a...
function Xb (line 3) | function Xb(a,b,c){var d,e,f=0,g=Qb.length,h=n.Deferred().always(functio...
function qc (line 4) | function qc(a){return function(b,c){"string"!=typeof b&&(c=b,b="*");var ...
function rc (line 4) | function rc(a,b,c,d){var e={},f=a===mc;function g(h){var i;return e[h]=!...
function sc (line 4) | function sc(a,b){var c,d,e=n.ajaxSettings.flatOptions||{};for(c in b)voi...
function tc (line 4) | function tc(a,b,c){var d,e,f,g,h=a.contents,i=a.dataTypes;while("*"===i[...
function uc (line 4) | function uc(a,b,c,d){var e,f,g,h,i,j={},k=a.dataTypes.slice();if(k[1])fo...
function x (line 4) | function x(a,b,f,h){var j,r,s,u,w,x=b;2!==t&&(t=2,g&&clearTimeout(g),c=v...
function Ac (line 4) | function Ac(a,b,c,d){var e;if(n.isArray(b))n.each(b,function(b,e){c||wc....
function Jc (line 4) | function Jc(a){return n.isWindow(a)?a:9===a.nodeType&&a.defaultView}
FILE: oldweb/static/js/lightbox.js
function LightboxOptions (line 15) | function LightboxOptions() {
function Lightbox (line 35) | function Lightbox(options) {
function addToAlbum (line 135) | function addToAlbum($link) {
function postResize (line 253) | function postResize() {
FILE: oldweb/submission/views.py
function force_int (line 23) | def force_int(value):
function dropped_filepath (line 31) | def dropped_filepath(task_id, sha1):
function render_index (line 48) | def render_index(request, kwargs={}):
function index (line 88) | def index(request, task_id=None, sha1=None):
function status (line 235) | def status(request, task_id):
function resubmit (line 250) | def resubmit(request, task_id):
function submit_dropped (line 275) | def submit_dropped(request, task_id, sha1):
FILE: oldweb/web/headers.py
class CuckooHeaders (line 14) | class CuckooHeaders(object):
method process_response (line 17) | def process_response(self, request, response):
FILE: utils/api.py
function json_error (line 37) | def json_error(status_code, message):
function custom_headers (line 44) | def custom_headers(response):
function tasks_create_file (line 57) | def tasks_create_file():
function tasks_create_url (line 100) | def tasks_create_url():
function tasks_list (line 146) | def tasks_list(limit=None, offset=None):
function tasks_view (line 186) | def tasks_view(task_id):
function tasks_reschedule (line 217) | def tasks_reschedule(task_id, priority=None):
function tasks_delete (line 235) | def tasks_delete(task_id):
function tasks_report (line 260) | def tasks_report(task_id, report_format="json"):
function task_screenshots (line 323) | def task_screenshots(task_id=0, screenshot=None):
function rereport (line 350) | def rereport(task_id):
function files_view (line 367) | def files_view(md5=None, sha256=None, sample_id=None):
function files_get (line 388) | def files_get(sha256):
function pcap_get (line 400) | def pcap_get(task_id):
function machines_list (line 418) | def machines_list():
function machines_view (line 431) | def machines_view(name=None):
function cuckoo_status (line 444) | def cuckoo_status():
function memorydumps_list (line 510) | def memorydumps_list(task_id):
function memorydumps_get (line 528) | def memorydumps_get(task_id, pid=None):
function vpn_status (line 548) | def vpn_status():
FILE: utils/community.py
function download_archive (line 23) | def download_archive():
function extract_archive (line 34) | def extract_archive(data):
function installdir (line 48) | def installdir(src, dst, force, rewrite, origin=[]):
function install (line 102) | def install(enabled, force, rewrite, archive):
function main (line 138) | def main():
FILE: utils/db_migration/env.py
function run_migrations_offline (line 33) | def run_migrations_offline():
function run_migrations_online (line 47) | def run_migrations_online():
FILE: utils/db_migration/versions/from_0_6_to_1_1.py
function upgrade (line 43) | def upgrade():
function mongo_upgrade (line 258) | def mongo_upgrade():
function downgrade (line 311) | def downgrade():
FILE: utils/db_migration/versions/from_1_1_to_1_2-added_states.py
function _perform (line 43) | def _perform(upgrade):
function upgrade (line 225) | def upgrade():
function downgrade (line 228) | def downgrade():
FILE: utils/db_migration/versions/from_1_1_to_1_2-extend_file_type.py
function _perform (line 29) | def _perform(upgrade):
function upgrade (line 108) | def upgrade():
function downgrade (line 111) | def downgrade():
FILE: utils/db_migration/versions/from_1_2_to_1_3-add_task_owner.py
function upgrade (line 21) | def upgrade():
function downgrade (line 25) | def downgrade():
FILE: utils/db_migration/versions/from_1_2_to_2_0-guest_status.py
function upgrade (line 21) | def upgrade():
function downgrade (line 24) | def downgrade():
FILE: utils/db_migration/versions/from_1_2_to_2_0-machine_options.py
function upgrade (line 21) | def upgrade():
function downgrade (line 24) | def downgrade():
FILE: utils/db_migration/versions/from_1_2_to_2_0-processing-column.py
function upgrade (line 21) | def upgrade():
function downgrade (line 24) | def downgrade():
FILE: utils/db_migration/versions/from_1_2_to_2_0-taken-route.py
function upgrade (line 21) | def upgrade():
function downgrade (line 24) | def downgrade():
FILE: utils/dnsserve.py
function dns_serve (line 16) | def dns_serve(args):
FILE: utils/machine.py
function update_conf (line 17) | def update_conf(machinery, args, action=None):
function main (line 68) | def main():
FILE: utils/process.py
function process (line 30) | def process(target=None, copy_path=None, task=None, report=False, auto=F...
function process_wrapper (line 45) | def process_wrapper(*args, **kwargs):
function init_worker (line 52) | def init_worker():
function autoprocess (line 55) | def autoprocess(parallel=1):
function main (line 156) | def main():
FILE: utils/process2.py
function process (line 24) | def process(target=None, copy_path=None, task=None):
function instance (line 35) | def instance(instance):
function main (line 76) | def main():
FILE: utils/rooter.py
function run (line 17) | def run(*args):
function nic_available (line 23) | def nic_available(interface):
function rt_available (line 33) | def rt_available(rt_table):
function vpn_status (line 43) | def vpn_status():
function vpn_enable (line 53) | def vpn_enable(name):
function vpn_disable (line 57) | def vpn_disable(name):
function forward_drop (line 61) | def forward_drop():
function enable_nat (line 65) | def enable_nat(interface):
function disable_nat (line 70) | def disable_nat(interface):
function init_rttable (line 75) | def init_rttable(rt_table, interface):
function flush_rttable (line 87) | def flush_rttable(rt_table):
function forward_enable (line 94) | def forward_enable(src, dst, ipaddr):
function forward_disable (line 103) | def forward_disable(src, dst, ipaddr):
function srcroute_enable (line 112) | def srcroute_enable(rt_table, ipaddr):
function srcroute_disable (line 117) | def srcroute_disable(rt_table, ipaddr):
FILE: utils/smtp_sinkhole.py
class SmtpSink (line 13) | class SmtpSink(SMTPServer):
method process_message (line 19) | def process_message(self, peer, mailfrom, rcpttos, data):
FILE: utils/stats.py
function timestamp (line 16) | def timestamp(dt):
function main (line 20) | def main():
FILE: utils/submit.py
function main (line 27) | def main():
FILE: utils/vpncheck.py
function get_ip_address (line 20) | def get_ip_address(interface):
[
{
"path": ".codeclimate.yml",
"chars": 53,
"preview": "languages:\n Python: true\nexclude_paths:\n- \"tests/*\"\n"
},
{
"path": ".gitignore",
"chars": 576,
"preview": "# Ignore Database\ndb/cuckoo.db\n\n# Ignore logs\nlog/*.log\n\n# Ignore analyses\nstorage/*\n\n# Ignore Python byte code\n*.pyc\n\n#"
},
{
"path": ".travis.yml",
"chars": 551,
"preview": "branches:\n only:\n - master\nlanguage: python\npython:\n - 2.7\nbefore_install:\n - sudo apt-get update -qq\n - su"
},
{
"path": "LICENSE.txt",
"chars": 1507,
"preview": "BSD 3-Clause License\n\nCopyright 2021-2024, Zhengyang Li. All Rights Reserved.\n\nRedistribution and use in source and bina"
},
{
"path": "README.md",
"chars": 5859,
"preview": "```shell\n ____ _ _ _____ _ \n | __ ) ___ | | __| |"
},
{
"path": "__init__.py",
"chars": 29,
"preview": "name = \"1111ScorecardBundle\"\n"
},
{
"path": "_config.yml",
"chars": 27,
"preview": "theme: jekyll-theme-cayman\n"
},
{
"path": "agent/agent.py",
"chars": 6678,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2018 Cuckoo Foundation.\n# Copyright (C) 2020-2021 Powe"
},
{
"path": "agent/agent.sh",
"chars": 422,
"preview": "#!/bin/bash\n# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# Copyright (C) 20"
},
{
"path": "analyzer/android/__init__.py",
"chars": 236,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/analyzer.py",
"chars": 10117,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/config/hooks.json",
"chars": 11831,
"preview": "{\n \"hookConfigs\": [\n {\n \"class_name\": \"android.telephony.TelephonyManager\", \n \"method\": "
},
{
"path": "analyzer/android/lib/__init__.py",
"chars": 236,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/lib/api/__init__.py",
"chars": 236,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/lib/api/adb.py",
"chars": 2848,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/lib/api/screenshot.py",
"chars": 1603,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/lib/common/__init__.py",
"chars": 236,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/lib/common/abstracts.py",
"chars": 1135,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/lib/common/constants.py",
"chars": 709,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/lib/common/exceptions.py",
"chars": 323,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/lib/common/results.py",
"chars": 2740,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/lib/common/utils.py",
"chars": 411,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/lib/core/__init__.py",
"chars": 236,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/lib/core/config.py",
"chars": 881,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/lib/core/packages.py",
"chars": 712,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/lib/core/startup.py",
"chars": 951,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/modules/__init__.py",
"chars": 236,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/modules/auxiliary/__init__.py",
"chars": 236,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/modules/auxiliary/screenshots.py",
"chars": 1821,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/modules/packages/__init__.py",
"chars": 236,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/modules/packages/apk.py",
"chars": 851,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/android/modules/packages/default_browser.py",
"chars": 633,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/darwin/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "analyzer/darwin/analyzer.py",
"chars": 5122,
"preview": "#!/usr/bin/env python\n# Copyright (C) 2015 Dmitry Rodionov\n# This software may be modified and distributed under the ter"
},
{
"path": "analyzer/darwin/lib/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "analyzer/darwin/lib/common/__init__.py",
"chars": 168,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/darwin/lib/common/config.py",
"chars": 2896,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/darwin/lib/common/hashing.py",
"chars": 550,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/darwin/lib/common/rand.py",
"chars": 373,
"preview": "import random\nimport string\n\ndef random_string(minimum, maximum=None):\n if maximum is None:\n maximum = minimum"
},
{
"path": "analyzer/darwin/lib/common/results.py",
"chars": 2800,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/darwin/lib/core/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "analyzer/darwin/lib/core/constants.py",
"chars": 569,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/darwin/lib/core/data/signatures.yml",
"chars": 3262,
"preview": "system:\n is_success_condition: \"retval == 0\"\n args:\n - {name: \"command\", type: \"char *\"}\n retval_type: \"in"
},
{
"path": "analyzer/darwin/lib/core/data/types.yml",
"chars": 2251,
"preview": "# ===============================================\n# Basic types\n#\nint: &int\n # We will print it with something like p"
},
{
"path": "analyzer/darwin/lib/core/filetimes.py",
"chars": 2293,
"preview": "# Copyright (c) 2009, David Buxton <david@gasmark6.com>\n# All rights reserved.\n#\n# Redistribution and use in source and "
},
{
"path": "analyzer/darwin/lib/core/host.py",
"chars": 8826,
"preview": "#!/usr/bin/env python\n# Copyright (C) 2015 Dmitry Rodionov\n# This software may be modified and distributed under the ter"
},
{
"path": "analyzer/darwin/lib/core/osx.py",
"chars": 687,
"preview": "#!/usr/bin/env python\n# Copyright (C) 2015 Dmitry Rodionov\n# This software may be modified and distributed under the ter"
},
{
"path": "analyzer/darwin/lib/core/packages.py",
"chars": 5458,
"preview": "#!/usr/bin/env python\n# Copyright (C) 2015 Dmitry Rodionov\n# This software may be modified and distributed under the ter"
},
{
"path": "analyzer/darwin/lib/dtrace/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "analyzer/darwin/lib/dtrace/apicalls.d",
"chars": 2484,
"preview": "#pragma D option destructive\n#pragma D option quiet\n/* apicalls.d\n *\n * Copyright (C) 2015 Dmitry Rodionov\n * This softw"
},
{
"path": "analyzer/darwin/lib/dtrace/apicalls.py",
"chars": 3607,
"preview": "#!/usr/bin/env python\n# Copyright (C) 2015 Dmitry Rodionov\n# This software may be modified and distributed under the ter"
},
{
"path": "analyzer/darwin/lib/dtrace/autoprobes.py",
"chars": 11512,
"preview": "#!/usr/bin/env python\n# Copyright (C) 2015 Dmitry Rodionov\n# This software may be modified and distributed under the ter"
},
{
"path": "analyzer/darwin/lib/dtrace/common.py",
"chars": 931,
"preview": "#!/usr/bin/env python\n# Copyright (C) 2015 Dmitry Rodionov\n# This software may be modified and distributed under the ter"
},
{
"path": "analyzer/darwin/lib/dtrace/dtruss.py",
"chars": 2959,
"preview": "#!/usr/bin/env python\n# Copyright (C) 2015 Dmitry Rodionov\n# This software may be modified and distributed under the ter"
},
{
"path": "analyzer/darwin/lib/dtrace/dtruss.sh",
"chars": 25575,
"preview": "#!/bin/sh\n# #!/usr/bin/sh\n#\n# dtruss - print process system call time details.\n# Written using DTrace (Solaris "
},
{
"path": "analyzer/darwin/lib/dtrace/follow_children.d",
"chars": 3030,
"preview": "/* apicalls.d\n*\n* Copyright (C) 2015 Dmitry Rodionov\n* This software may be modified and distributed under the terms\n* o"
},
{
"path": "analyzer/darwin/lib/dtrace/ipconnections.d",
"chars": 3095,
"preview": "#!/usr/sbin/dtrace -C -s\n#pragma D option quiet\n/* ipconnections.d\n *\n * Copyright (C) 2015 Dmitry Rodionov\n * This soft"
},
{
"path": "analyzer/darwin/lib/dtrace/ipconnections.py",
"chars": 2080,
"preview": "#!/usr/bin/env python\n# Copyright (C) 2015 Dmitry Rodionov\n# This software may be modified and distributed under the ter"
},
{
"path": "analyzer/darwin/modules/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "analyzer/darwin/modules/packages/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "analyzer/darwin/modules/packages/app.py",
"chars": 896,
"preview": "#!/usr/bin/env python\n# Copyright (C) 2015 Dmitry Rodionov\n# This software may be modified and distributed under the ter"
},
{
"path": "analyzer/darwin/modules/packages/bash.py",
"chars": 392,
"preview": "#!/usr/bin/env python\n# Copyright (C) 2015 Dmitry Rodionov\n# This software may be modified and distributed under the ter"
},
{
"path": "analyzer/darwin/modules/packages/macho.py",
"chars": 438,
"preview": "#!/usr/bin/env python\n# Copyright (C) 2015 Dmitry Rodionov\n# This software may be modified and distributed under the ter"
},
{
"path": "analyzer/darwin/modules/packages/zip.py",
"chars": 5026,
"preview": "#!/usr/bin/env python\n# Copyright (C) 2015 Dmitry Rodionov\n# This software may be modified and distributed under the ter"
},
{
"path": "analyzer/linux/analyzer.py",
"chars": 13859,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/linux/lib/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "analyzer/linux/lib/api/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "analyzer/linux/lib/api/process.py",
"chars": 1257,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/linux/lib/common/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "analyzer/linux/lib/common/abstracts.py",
"chars": 2016,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/linux/lib/common/constants.py",
"chars": 575,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/linux/lib/common/exceptions.py",
"chars": 254,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/linux/lib/common/hashing.py",
"chars": 632,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/linux/lib/common/results.py",
"chars": 2810,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/linux/lib/common/utils.py",
"chars": 542,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/linux/lib/core/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "analyzer/linux/lib/core/config.py",
"chars": 2211,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/linux/lib/core/startup.py",
"chars": 883,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/linux/modules/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "analyzer/linux/modules/auxiliary/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "analyzer/linux/modules/auxiliary/lkm.py",
"chars": 2459,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/linux/modules/auxiliary/stap.py",
"chars": 4176,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/linux/modules/packages/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "analyzer/linux/modules/packages/generic.py",
"chars": 1144,
"preview": "# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/windows/analyzer.py",
"chars": 32392,
"preview": "# Copyright (C) 2011-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2018 Cuckoo Foundation.\n# Copyright (C) 2020-2021 Powe"
},
{
"path": "analyzer/windows/lib/__init__.py",
"chars": 213,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/api/__init__.py",
"chars": 213,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/api/process.py",
"chars": 19894,
"preview": "# Copyright (C) 2012-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2018 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/api/screenshot.py",
"chars": 2610,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/common/__init__.py",
"chars": 213,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/common/abstracts.py",
"chars": 6798,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2017 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/common/constants.py",
"chars": 308,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/common/decide.py",
"chars": 413,
"preview": "# Copyright (C) 2017 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See the f"
},
{
"path": "analyzer/windows/lib/common/defines.py",
"chars": 6028,
"preview": "# Copyright (C) 2011-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2017 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/common/exceptions.py",
"chars": 397,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/common/hashing.py",
"chars": 593,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/common/rand.py",
"chars": 373,
"preview": "import random\nimport string\n\ndef random_string(minimum, maximum=None):\n if maximum is None:\n maximum = minimum"
},
{
"path": "analyzer/windows/lib/common/registry.py",
"chars": 4723,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/common/results.py",
"chars": 3114,
"preview": "# Copyright (C) 2013 Claudio Guarnieri.\n# Copyright (C) 2014-2017 Cuckoo Foundation.\n# This file is part of Cuckoo Sandb"
},
{
"path": "analyzer/windows/lib/core/__init__.py",
"chars": 213,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/core/config.py",
"chars": 1757,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/core/driver.py",
"chars": 3109,
"preview": "# Copyright (C) 2017-2018 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/windows/lib/core/ioctl.py",
"chars": 3605,
"preview": "# Copyright (C) 2016-2018 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/windows/lib/core/packages.py",
"chars": 2802,
"preview": "# Copyright (C) 2012-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2018 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/core/pipe.py",
"chars": 7501,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/core/privileges.py",
"chars": 2267,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/lib/core/startup.py",
"chars": 1215,
"preview": "# Copyright (C) 2011-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2017 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/__init__.py",
"chars": 213,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/auxiliary/__init__.py",
"chars": 213,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/auxiliary/dbgview.py",
"chars": 1384,
"preview": "# Copyright (C) 2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See the f"
},
{
"path": "analyzer/windows/modules/auxiliary/disguise.py",
"chars": 6956,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/auxiliary/dumptls.py",
"chars": 1088,
"preview": "# Copyright (C) 2015-2017 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/windows/modules/auxiliary/human.py",
"chars": 6119,
"preview": "# Copyright (C) 2012-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2018 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/auxiliary/installcert.py",
"chars": 1620,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/auxiliary/procmon.py",
"chars": 2402,
"preview": "# Copyright (C) 2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See the f"
},
{
"path": "analyzer/windows/modules/auxiliary/reboot.py",
"chars": 1289,
"preview": "# Copyright (C) 2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See the f"
},
{
"path": "analyzer/windows/modules/auxiliary/recentfiles.py",
"chars": 2353,
"preview": "# Copyright (C) 2016-2017 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/windows/modules/auxiliary/screenshots.py",
"chars": 2485,
"preview": "# Copyright (C) 2012-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2019 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/auxiliary/zer0m0n.py",
"chars": 1189,
"preview": "# Copyright (C) 2016-2017 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/windows/modules/packages/__init__.py",
"chars": 213,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/applet.py",
"chars": 1188,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/bin.py",
"chars": 433,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/com.py",
"chars": 1033,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/cpl.py",
"chars": 507,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/dll.py",
"chars": 1370,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/doc.py",
"chars": 2714,
"preview": "# Copyright (C) 2012-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2017 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/exe.py",
"chars": 635,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/ff.py",
"chars": 515,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/generic.py",
"chars": 1129,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/hta.py",
"chars": 583,
"preview": "# Copyright (C) 2017 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See the f"
},
{
"path": "analyzer/windows/modules/packages/hwp.py",
"chars": 577,
"preview": "# Copyright (C) 2017 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See the f"
},
{
"path": "analyzer/windows/modules/packages/ie.py",
"chars": 4925,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/jar.py",
"chars": 696,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/js.py",
"chars": 833,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/jse.py",
"chars": 787,
"preview": "# Copyright (C) 2017-2018 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/windows/modules/packages/msi.py",
"chars": 499,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/pdf.py",
"chars": 2426,
"preview": "# Copyright (C) 2012-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2017 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/ppt.py",
"chars": 2399,
"preview": "# Copyright (C) 2014-2017 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/windows/modules/packages/ps1.py",
"chars": 1070,
"preview": "# Copyright (C) 2014-2017 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/windows/modules/packages/pub.py",
"chars": 2816,
"preview": "# Copyright (C) 2016-2018 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See "
},
{
"path": "analyzer/windows/modules/packages/python.py",
"chars": 936,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/reboot.py",
"chars": 742,
"preview": "# Copyright (C) 2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See the f"
},
{
"path": "analyzer/windows/modules/packages/vbs.py",
"chars": 749,
"preview": "# Copyright (C) 2013 Claudio Guarnieri.\n# Copyright (C) 2014-2018 Cuckoo Foundation.\n# This file is part of Cuckoo Sandb"
},
{
"path": "analyzer/windows/modules/packages/wsf.py",
"chars": 793,
"preview": "# Copyright (C) 2016 Cuckoo Foundation.\n# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org\n# See the f"
},
{
"path": "analyzer/windows/modules/packages/xls.py",
"chars": 2374,
"preview": "# Copyright (C) 2012-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2017 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "analyzer/windows/modules/packages/zip.py",
"chars": 3700,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "conf/auxiliary.conf",
"chars": 2182,
"preview": "[sniffer]\n# Enable or disable the use of an external sniffer (tcpdump) [yes/no].\nenabled = yes\n\n# Specify the path to yo"
},
{
"path": "conf/avd.conf",
"chars": 2260,
"preview": "[avd]\n# Specify whether we're running the Android emulator in headless mode (no GUI)\n# or with GUI - for an interactive "
},
{
"path": "conf/cuckoo.conf",
"chars": 7157,
"preview": "[cuckoo]\n# Enable or disable startup version check. When enabled, Cuckoo will connect\n# to a remote location to verify w"
},
{
"path": "conf/cuckooml.conf",
"chars": 1176,
"preview": "[cuckooml]\n# Set folder for reports to be used for clustering\ndata_directory = sample_data/dict\n\n# Do clustering?\ncluste"
},
{
"path": "conf/detection.conf",
"chars": 72,
"preview": "[strings]\nenabled = no\n\n[malconv]\nenabled = yes\n\n[apistats]\nenabled = no"
},
{
"path": "conf/esx.conf",
"chars": 2661,
"preview": "[esx]\n# ?no_verify disables the SSL signature check. By default it is self signed\ndsn = esx://127.0.0.1/?no_verify=1\nuse"
},
{
"path": "conf/kvm.conf",
"chars": 2551,
"preview": "[kvm]\n# Specify a comma-separated list of available machines to be used. For each\n# specified ID you have to define a de"
},
{
"path": "conf/memory.conf",
"chars": 3425,
"preview": "# Volatility configuration\n\n# Basic settings\n[basic]\n# Profile to avoid wasting time identifying it\nguest_profile = WinX"
},
{
"path": "conf/physical.conf",
"chars": 1525,
"preview": "[physical]\n# Specify a comma-separated list of available machines to be used. For each\n# specified ID you have to define"
},
{
"path": "conf/processing.conf",
"chars": 3666,
"preview": "# Enable or disable the available processing modules [yes/no].\n# If you add a custom processing module to your Cuckoo se"
},
{
"path": "conf/qemu.conf",
"chars": 2553,
"preview": "[qemu]\n# Path to one qemu binary (assumes the other ones are there as well)\npath = /usr/bin/qemu-system-x86_64\n\n# Specif"
},
{
"path": "conf/reporting.conf",
"chars": 1708,
"preview": "# Enable or disable the available reporting modules [on/off].\n# If you add a custom reporting module to your Cuckoo setu"
},
{
"path": "conf/virtualbox.conf",
"chars": 4537,
"preview": "[virtualbox]\n# Specify which VirtualBox mode you want to run your machines on.\n# Can be \"gui\" or \"headless\". Please refe"
},
{
"path": "conf/vmware.conf",
"chars": 2560,
"preview": "[vmware]\n# Specify which Vmware Workstation mode you want to run your machines on.\n# Can be \"gui\" or \"nogui\". Refer to V"
},
{
"path": "conf/vpn.conf",
"chars": 1271,
"preview": "[vpn]\n# By default we disable VPN support as it requires running utils/rooter.py as\n# root next to cuckoo.py (which shou"
},
{
"path": "conf/vsphere.conf",
"chars": 2533,
"preview": "[vsphere]\n\n# ESXi host connection parameters\nhost = 10.0.0.1\nport = 443\nuser = username_goes_here\npwd = password_goes_he"
},
{
"path": "conf/xenserver.conf",
"chars": 2999,
"preview": "[xenserver]\n# Specify the XenServer username for authentication.\nuser = root\n\n# Specify the XenServer password for authe"
},
{
"path": "cuckoo.py",
"chars": 5041,
"preview": "#!/usr/bin/env python\n# coding=utf-8\n# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Found"
},
{
"path": "data/__init__.py",
"chars": 213,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "data/android/anti-vm/fake-build.prop",
"chars": 3706,
"preview": "# begin build properties\n# autogenerated by buildinfo.sh\nro.build.id=KTU84P\nro.build.display.id=KTU84P\nro.build.version."
},
{
"path": "data/android/anti-vm/fake-cpuinfo",
"chars": 316,
"preview": "Processor\t: ARMv7 Processor rev 0 (v7l)\nBogoMIPS\t: 366.18\nFeatures\t: swp half thumb fastmult vfp edsp neon vfpv3 \nCPU im"
},
{
"path": "data/android/anti-vm/fake-drivers",
"chars": 670,
"preview": "/dev/tty /dev/tty 5 0 system:/dev/tty\n/dev/console /dev/console 5 1 system:con"
},
{
"path": "data/android/create_guest_avd.sh",
"chars": 1549,
"preview": "#/usr/bin/env bash\n\n#this script is meant for easy creation on an analysis machine for android emulator avd\n\n#Path to th"
},
{
"path": "data/guids.txt",
"chars": 34130,
"preview": "00000000-0000-0000-0000-000000000000 EmptyField https://msdn.microsoft.com/en-us/library/system.guid.empty.aspx\n00000000"
},
{
"path": "data/html/base-report.html",
"chars": 4122,
"preview": "<!--\n Cuckoo Sandbox - Automated Malware Analysis\n Copyright (C) 2010-2015 Cuckoo Foundation.\n http://www.cuckoosandb"
},
{
"path": "data/html/base-web.html",
"chars": 3170,
"preview": "<!--\n Cuckoo Sandbox - Automated Malware Analysis\n Copyright (C) 2010-2015 Cuckoo Foundation.\n http://www.cuckoosandb"
},
{
"path": "data/html/browse.html",
"chars": 2431,
"preview": "{% extends \"base-web.html\" %}\n{% block content %}\n <div class=\"tasks\">\n <div class=\"page-header\">\n "
},
{
"path": "data/html/error.html",
"chars": 321,
"preview": "{% extends \"base-web.html\" %}\n{% block content %}\n <div class=\"page-header\">\n <h3>Ouch! KaBoom!</h3>\n </div"
},
{
"path": "data/html/graphic/logo.html",
"chars": 16217,
"preview": "<img src=\"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAARcAAABaCAYAAACSYhLSAAAACXBIWXMAAAsTAAALEwEAmpwYAAAK\nT2lDQ1BQaG9"
},
{
"path": "data/html/js/functions.js",
"chars": 393,
"preview": "function showHide(id, lbl) {\n var e = document.getElementById(id);\n\n if (lbl !== \"undefined\")\n var l = docu"
},
{
"path": "data/html/pagination-menu.html",
"chars": 3700,
"preview": " <div class=\"row-fluid\">\n <div class=\"span4\" style=\"text-align: left;\">\n <div class=\"pa"
},
{
"path": "data/html/pagination-rpp.html",
"chars": 1024,
"preview": " <script language=\"text/javascript\">\n \n </script>\n <div class=\"span4\" style=\"text-align:"
},
{
"path": "data/html/report.html",
"chars": 709,
"preview": "{% extends \"base-report.html\" %}\n{% block content %}\n {% include \"sections/info.html\" %}\n {% include \"sections/err"
},
{
"path": "data/html/sections/behavior.html",
"chars": 6548,
"preview": "<section id=\"behavior\">\n {% if results.behavior and results.behavior.anomaly %}\n <div class=\"section-title\">\n "
},
{
"path": "data/html/sections/dropped.html",
"chars": 3351,
"preview": "<section id=\"dropped\">\n <div class=\"section-title\">\n <h4>Dropped Files</h4>\n </div>\n {% if results.dropp"
},
{
"path": "data/html/sections/errors.html",
"chars": 262,
"preview": "{% if results.debug.errors %}\n<div class=\"section-title\">\n <h4>Errors</h4>\n</div>\n<section id=\"errors\">\n <ul>\n "
},
{
"path": "data/html/sections/file.html",
"chars": 5020,
"preview": "<section id=\"file\">\n <div class=\"section-title\">\n <h4>File Details</h4>\n </div>\n <table class=\"table tab"
},
{
"path": "data/html/sections/info.html",
"chars": 1541,
"preview": "<section id=\"info\">\n <table class=\"table table-striped table-bordered\">\n <thead>\n <tr>\n "
},
{
"path": "data/html/sections/network.html",
"chars": 4476,
"preview": "<section id=\"network\">\n <div class=\"section-title\">\n <h4>Network Analysis</h4>\n </div>\n {% if results.ne"
},
{
"path": "data/html/sections/screenshots.html",
"chars": 429,
"preview": "<section id=\"screenshots\">\n <div class=\"section-title\">\n <h4>Screenshots</h4>\n </div>\n {% if results.scr"
},
{
"path": "data/html/sections/signatures.html",
"chars": 1141,
"preview": "<section id=\"signatures\">\n <div class=\"section-title\">\n <h4>Signatures</h4>\n </div>\n {% if results.signa"
},
{
"path": "data/html/sections/static.html",
"chars": 5557,
"preview": "<section id=\"static\">\n <div class=\"section-title\">\n <h4>Static Analysis</h4>\n </div>\n {% if results.stat"
},
{
"path": "data/html/sections/url.html",
"chars": 2311,
"preview": "<section id=\"url\">\n <div class=\"section-title\">\n <h4>URL Details</h4>\n </div>\n <table class=\"table table"
},
{
"path": "data/html/sections/volatility.html",
"chars": 32815,
"preview": "<section id=\"volatility\">\n <div class=\"section-title\">\n <h4>Volatility</h4>\n </div>\n\n {% if results.memo"
},
{
"path": "data/html/submit.html",
"chars": 5401,
"preview": "{% extends \"base-web.html\" %}\n{% block content %}\n <div class=\"fileupload\">\n <div class=\"page-header\">\n "
},
{
"path": "data/html/success.html",
"chars": 414,
"preview": "{% extends \"base-web.html\" %}\n{% block content %}\n <div class=\"page-header\">\n <h3>New Analysis</h3>\n </div>"
},
{
"path": "data/mitm.py",
"chars": 335,
"preview": "# Copyright (C) 2010-2013 Claudio Guarnieri.\n# Copyright (C) 2014-2016 Cuckoo Foundation.\n# This file is part of Cuckoo "
},
{
"path": "data/models/MalConv/malconvtest.py",
"chars": 969,
"preview": "# coding=utf-8\nimport os\nimport sys\nimport torch\nfrom modules.detection.model import *\nfrom torch.utils.data import Data"
},
{
"path": "data/models/apistats/extract_apifeatures.py",
"chars": 1717,
"preview": "# coding=utf-8\nimport json, glob, os\nimport numpy as np\nfrom sklearn.ensemble import RandomForestClassifier\n\napistats_di"
},
{
"path": "data/models/apistats/standard.txt",
"chars": 2006,
"preview": "NtTerminateProcess\nRtlAddVectoredExceptionHandler\nGetFileType\nRegOpenKeyExA\nNtCreateThreadEx\nRegQueryValueExA\nNtProtectV"
},
{
"path": "data/models/strings_ngram/raw_train_sample.csv",
"chars": 1297976,
"preview": "words,labels\nprogram cannot RichH rdata reloc ffffff fffff EEEEEE MQURj XnYpJ rxUUt TvzHw FoyYr wMduDeE QBVYu SllgL xjyv"
},
{
"path": "data/peutils/UserDB.TXT",
"chars": 492361,
"preview": "; By BoB / Team PEiD ..\n; 1832 Signatures in list ..\n\n[!EP (ExE Pack) V1.0 -> Elite Coding Group]\nsignature = 60 68 ??"
},
{
"path": "data/src/binpackage/Makefile",
"chars": 58,
"preview": "execsc.exe: execsc.c\n\ti586-mingw32msvc-cc -Wall -o $@ $<\n\n"
},
{
"path": "data/src/binpackage/execsc.c",
"chars": 360,
"preview": "#include <unistd.h>\n#include <stdio.h>\n#include <windows.h>\n\nint main (int argc, char ** argv) {\n\tint fd;\n\tchar buf[2048"
}
]