
MainScript

Elizabeth edited this page Jul 8, 2016 · 1 revision


The analyzer.py script in the root of the darwin folder is responsible for starting all the different analyzer components and returning the results when it is done. It also handles the interprocess communication from the hooked syscalls. I tried to follow the Cuckoo Windows analyzer structure as much as possible, so this may not be the most efficient way of doing things. This is an overview of the class structure and important functions.

PipeServer class

The syscall hooks communicate back to the Python analyzer via a named Unix pipe. The PipeServer class is responsible for creating the pipe and watching it for input (the watching is kept separate so that slow input handlers do not block it). When it sees input on the pipe, it starts a PipeHandler to deal with it (at most 20 handlers run at once).

PipeHandler class

The PipeHandler threads read input from the inter-process pipe and write it to the appropriate log file. These are mostly log files dealing with file activity. Each input starts with a specific string that determines how it is handled. One piece of input always ends in a newline.

This class is also responsible for tracing new processes as they are created. When the sample spawns a new process, the syscall suspends the process and sends the pid back to the analyzer. The PipeHandler class then passes the pid to the analyzer's process.py class, which sets up the syscall hooks and Dtrace scripts before resuming the process.
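The PipeServer/PipeHandler split described above, as an added illustration that is not the project's own code: a server thread owns the named pipe and hands each newline-terminated message to a pooled handler (cap of 20), which routes it by prefix to a log file or to a process-tracing callback. The message prefixes (`FILE_NEW:`, `FILE_DEL:`, `PROCESS:`) are assumptions, since the page says messages start with a selector string but does not list them.

```python
import os
import tempfile
import threading
from concurrent.futures import ThreadPoolExecutor

MAX_HANDLERS = 20  # the page's cap on PipeHandlers running at once

# Assumed prefixes: the page says each message starts with a string that
# selects its handler but does not list them, so these are placeholders.
LOG_FOR_PREFIX = {"FILE_NEW:": "files_new.log", "FILE_DEL:": "files_del.log"}
PROCESS_PREFIX = "PROCESS:"  # assumed: hook reports the pid of a suspended child


class PipeHandler:
    """Handles one newline-terminated message from the hooked syscalls."""
    def __init__(self, results_dir, on_new_pid):
        self.results_dir = results_dir
        self.on_new_pid = on_new_pid   # stands in for process.py hooking + resume
        self.lock = threading.Lock()   # several handlers may append to one log

    def handle(self, message):
        message = message.rstrip("\n")
        if message.startswith(PROCESS_PREFIX):
            self.on_new_pid(int(message[len(PROCESS_PREFIX):]))
            return "process"
        for prefix, log_name in LOG_FOR_PREFIX.items():
            if message.startswith(prefix):
                path = os.path.join(self.results_dir, log_name)
                with self.lock, open(path, "a") as log:
                    log.write(message[len(prefix):] + "\n")
                return log_name
        return None  # unknown prefix: dropped rather than crashing the server


class PipeServer(threading.Thread):
    """Creates the named pipe and hands each line to a pooled PipeHandler."""
    def __init__(self, pipe_path, handler):
        super().__init__(daemon=True)
        self.pipe_path, self.handler = pipe_path, handler
        self.pool = ThreadPoolExecutor(max_workers=MAX_HANDLERS)
        os.mkfifo(pipe_path)

    def run(self):
        with open(self.pipe_path) as fifo:  # blocks until the first writer connects
            for line in fifo:               # one message per newline-terminated line
                self.pool.submit(self.handler.handle, line)
        self.pool.shutdown(wait=True)       # EOF: last writer closed; drain handlers


def demo():
    """Constructed run: this process plays the hooked syscalls writing to the pipe."""
    results_dir = tempfile.mkdtemp()
    pids = []
    server = PipeServer(os.path.join(results_dir, "analyzer.pipe"),
                        PipeHandler(results_dir, pids.append))
    server.start()
    with open(server.pipe_path, "w") as hook_side:
        hook_side.write("FILE_NEW:/tmp/dropped.bin\nPROCESS:4242\nBOGUS:ignored\n")
    server.join()
    with open(os.path.join(results_dir, "files_new.log")) as log:
        return pids, log.read()
```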

Analyzer class

This class is what the agent runs when it receives the sample file. The execution outline of the important functions is:

  • prepare()
    • create the results folders
    • initialize the logging
    • start the PipeServer
    • start tracing all process creation
  • run()
    • choose the analysis package to use to run the file, if one is not specified (usually you don't need to specify one)
    • run the auxiliary modules, in this case the human-imitator module and the screenshot module. It will automatically pick up any new modules that are added to the folder.
    • run the analysis package on the file
    • every second, check the list of monitored pids to see if they are done running. If a pid is not running, remove it from the list.
    • When the pid list is empty or the timeout has been hit, call the complete() function and exit
  • complete()
    • stop the PipeServer
    • pick up all the files in the results folder and send them to the host
    • send all dropped files back to the host