#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Name : dynamic.py
# Version : 0.1
# Author : Abdesslem Amri
# Date : 15-01-2014
# Owner : Abdesslem Amri
# License : GPLv2
# Description : This script is used to dynamically analyse the file
#--------------------------------------------------------------------
from utils import VBoxAuto
import os, sys, time, shutil
import subprocess
from analysis import TShark
from analysis import Volatility
from analysis import INetSim
import analysis
# Host-side shared folder where samples are dropped for the guest to pick
# up.  Share it read-only so the guest has no write access to this host
# folder.
# Linux example: vbox_hostpath = '/home/ask3m/winVm'
# TODO: read this path from the config file.
vbox_hostpath = "/home/ask3m/winVm"

# Guest-side view of the same share; VirtualBox always exposes it as
# \\vboxsvr\YOURSHARENAME.
vbox_guestpath = r"\\vboxsvr\malware"
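def _remove_if_exists(path):
    """Delete *path* if it is present; a missing file is not an error.

    Replaces the former ``os.system("rm -f ...")`` calls without spawning
    a shell.
    """
    try:
        os.remove(path)
    except OSError:
        pass


def _write_report(path, text):
    """Write *text* to *path* and close the handle deterministically.

    The previous ``open(path, "w").write(...)`` form relied on reference
    counting to flush and close the file.
    """
    with open(path, "w") as report:
        report.write(text)


def dynamic(file):
    """Run *file* inside the ``winxp`` VM and write the analysis reports.

    The sample is copied into the host share (``vbox_hostpath``), started
    from the guest share (``vbox_guestpath``) while INetSim simulates
    Internet protocols, then a guest memory dump and a packet capture are
    analysed.  Reports are written to the current directory
    (``processlist.txt``, ``connection.txt``, ``sockets.txt``,
    ``psxview.txt``, ``file.pcap``, ``dump.elf``).

    Args:
        file: host path of the sample to analyse.

    Exits the interpreter when the VM cannot be initialised; any other
    failure is printed and the function returns.  The VM is reverted and
    powered off, and INetSim stopped, even when the analysis fails part
    way, so the sample is not left running after an error.
    """
    vm_name = 'winxp'
    # Instantiate the virtual machine
    vm = VBoxAuto(vm_name)
    if not vm.check():
        print('Error initializing')
        sys.exit()
    # Copy the sample to the shared folder the guest sees as vbox_guestpath
    try:
        shutil.copy(file, vbox_hostpath)
    except Exception as e:
        print('Cannot copy: %s' % e)
        return
    simnet = None
    vm_started = False
    try:
        # Start the VM
        vm.start()
        vm_started = True
        # Execute INetSim to simulate Internet protocols
        simnet = INetSim("NetsimDir")
        simnet.start()
        # Execute the suspicious file in the VM.
        # NOTE(review): guest credentials are hard-coded here; they belong
        # in the config file together with vbox_hostpath.
        vm.winexec(
            'test',
            'test',
            ["%s\\%s" % (vbox_guestpath, os.path.basename(file))]
        )
        # The VM has to be running for the RAM dump; start from a fresh file
        # so a stale dump from an earlier run is never analysed.
        _remove_if_exists("dump.elf")
        print("Dumping the memory ....")
        subprocess.call(["vboxmanage", "debugvm", vm_name, "dumpguestcore",
                         "--filename", "dump.elf"])
        # NOTE(review): the original removed test.pcap while the capture
        # below writes file.pcap -- confirm which name is intended.
        _remove_if_exists("test.pcap")
        # Make sure the capture file exists; the handle is closed at once
        # (the old code kept it open for the rest of the run).
        with open("file.pcap", "a+"):
            pass
        # NOTE(review): the capture interface is hard-coded.
        cap = TShark("file.pcap")
        cap.start("wlan0")
        time.sleep(10)
        cap.stop()
        analysis.snortscan("file.pcap", "/etc/snort/snort.conf")
        simnet.read()
        simnet.stop()
        simnet = None  # already stopped; skip it in the cleanup below
        # Analyse the memory dump
        print("Analyse the memory dump")
        if not os.path.isfile("dump.elf"):
            raise IOError("dump.elf was not produced")
        vol = Volatility("dump.elf")
        _write_report("processlist.txt", vol.pslist())
        _write_report("connection.txt", vol.conns())
        _write_report("sockets.txt", vol.sockets())
        _write_report("psxview.txt", vol.psxview())
        # TODO: the hooks/malfind Volatility plugins and registry watching
        # (regwatch) are not wired in yet.
    except Exception as e:
        print(e)
        return
    finally:
        # Tear down even when the analysis failed part-way: the sample must
        # not keep running in the VM, nor INetSim keep serving, after an
        # error.  Order kept from the original: revert, then power off.
        if simnet is not None:
            try:
                simnet.stop()
            except Exception as e:
                print('Cannot stop INetSim: %s' % e)
        if vm_started:
            try:
                # Revert the VM to a clean state
                vm.revert('cleanimg')
            except Exception as e:
                print('Cannot revert VM: %s' % e)
            subprocess.call(["vboxmanage", "controlvm", vm_name, "poweroff"])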