-
Notifications
You must be signed in to change notification settings - Fork 6
AuxillaryModules
<--- Back to Analyzer
The auxillary modules are located in darwin/modules/auxillary. They are automatically run by the analyzer.
Using the PyObjC QuartzEvents framework, this moves the mouse around random and clicks the mouse every second. Since this moves at super-human speed, any malware checking for that will be alerted.
The screenshot functions are actually in two scripts:
-
darwin/modules/auxillary/screenshots.py- This module calls the functions from the second one and sends the screenshot to the host if it has changed significantly from the last one. It takes a screenshot with a delay of one second. It also simulates the enter key being pressed when the screen changes to run through rudimentary installers. -
darwin/lib/api/screenshot.py- This module does the actual screenshot-taking and comparing. It takes a screenshot using PyObjC, writes that shot to a temporary file in memory, reads that file into the Python Imaging Library (PIL), and sends it toscreenshots.py. PIL does the actual screenshot comparisons using the Root Mean Square method.