Merge pull request #1 from kevoreilly/master

Syncing original to fork
kevoreilly · Jan 28, 2020 · 4ee97f1 · 4ee97f1
2 parents 7e62f7b + 8652015
commit 4ee97f1
Show file tree

Hide file tree

Showing 107 changed files with 2,491 additions and 544 deletions.
diff --git a/acknowledgment.md b/acknowledgment.md
@@ -25,5 +25,6 @@
 *  kalos
 *  Spiralem
 *  John Peng
+*  mabj
 * And many others <3
 
diff --git a/agent/agent.py b/agent/agent.py
@@ -22,7 +22,7 @@
 import http.server
 import socketserver
 
-AGENT_VERSION = "0.10"
+AGENT_VERSION = "0.11"
 AGENT_FEATURES = [
     "execpy", "pinning", "logs", "largefile", "unicodepath",
 ]
@@ -36,6 +36,10 @@
 state = dict()
 state["status"] = STATUS_INIT
 
+#To send output to stdin comment out this 2 lines
+sys.stdout = StringIO()
+sys.stderr = StringIO()
+
 class MiniHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
     server_version = "Cuckoo Agent"
 
@@ -196,7 +200,7 @@ def json_success(message, **kwargs):
 @app.route("/")
 def get_index():
     return json_success(
-        "Cuckoo Agent!", version=AGENT_VERSION, features=AGENT_FEATURES
+        "CAPE Agent!", version=AGENT_VERSION, features=AGENT_FEATURES
     )
 
 @app.route("/status")
@@ -428,10 +432,5 @@ def do_kill():
     parser = argparse.ArgumentParser()
     parser.add_argument("host", nargs="?", default="0.0.0.0")
     parser.add_argument("port", nargs="?", default="8000")
-    parser.add_argument("--redirout", action="store_true", default=False)
     args = parser.parse_args()
-    if args.redirout:
-        sys.stdout = StringIO()
-        sys.stderr = StringIO()
-
     app.run(host=args.host, port=int(args.port))
diff --git a/analyzer/windows/analyzer.py b/analyzer/windows/analyzer.py
@@ -808,9 +808,7 @@ def dump_file(self, filepath, metadata="", pids=False, category="files"):
             log.info("Error dumping file from path \"%s\": %s", filepath, e)
             return
 
-        #filename = "%s_%s" % (sha256[:16], os.path.basename(filepath))
-        filename = os.path.basename(filepath)
-        upload_path = os.path.join(category, filename)
+        upload_path = os.path.join(category, sha256)
 
         try:
             upload_to_host(

diff --git a/analyzer/windows/dll/capemon.dll b/analyzer/windows/dll/capemon.dll
diff --git a/analyzer/windows/dll/capemon_x64.dll b/analyzer/windows/dll/capemon_x64.dll
diff --git a/analyzer/windows/dll/logs_dispatcher.exe b/analyzer/windows/dll/logs_dispatcher.exe
diff --git a/analyzer/windows/dll/zer0m0n.sys b/analyzer/windows/dll/zer0m0n.sys
diff --git a/analyzer/windows/dll/zer0m0n_x64.sys b/analyzer/windows/dll/zer0m0n_x64.sys
diff --git a/analyzer/windows/lib/core/packages.py b/analyzer/windows/lib/core/packages.py
@@ -58,7 +58,7 @@ def choose_package(file_type, file_name, exports, target):
         return "rar"
     elif "Macromedia Flash" in file_type or file_name.endswith(".swf"):
         return "swf"
-    elif file_name.endswith((b".py", ".pyc")) or "Python script" in file_type:
+    elif file_name.endswith((".py", ".pyc")) or "Python script" in file_type:
         return "python"
     elif file_name.endswith(".msi"):
         return "msi"

diff --git a/analyzer/windows/modules/packages/Compression.py b/analyzer/windows/modules/packages/Compression.py
@@ -16,8 +16,8 @@ def __init__(self, options={}, config=None):
         self.config = config
         self.options = options
         self.pids = []
-        self.options["dll"] = "Compression.dll"
-        self.options["dll_64"] = "Compression_x64.dll"
+        self.options["compression"] = "1"
+        self.options["procdump"] = "0"
 
     def start(self, path):
         args = self.options.get("arguments")

diff --git a/analyzer/windows/modules/packages/Compression_dll.py b/analyzer/windows/modules/packages/Compression_dll.py
@@ -18,8 +18,8 @@ def __init__(self, options={}, config=None):
         """@param options: options dict."""
         self.config = config
         self.options = options
-        self.options["dll"] = "Compression.dll"
-        self.options["dll_64"] = "Compression_x64.dll"
+        self.options["compression"] = "1"
+        self.options["procdump"] = "0"
 
         #if self.config.timeout > 10:
         #    self.config.timeout = 5

diff --git a/analyzer/windows/modules/packages/Compression_doc.py b/analyzer/windows/modules/packages/Compression_doc.py
@@ -22,8 +22,8 @@ def __init__(self, options={}, config=None):
         """@param options: options dict."""
         self.config = config
         self.options = options
-        self.options["dll"] = "Compression.dll"
-        self.options["dll_64"] = "Compression_x64.dll"
+        self.options["compression"] = "1"
+        self.options["procdump"] = "0"
 
     def start(self, path):
         self.options["dll"] = "Compression.dll"

diff --git a/analyzer/windows/modules/packages/Compression_js.py b/analyzer/windows/modules/packages/Compression_js.py
@@ -17,8 +17,8 @@ def __init__(self, options={}, config=None):
         """@param options: options dict."""
         self.config = config
         self.options = options
-        self.options["dll"] = "Compression.dll"
-        self.options["dll_64"] = "Compression_x64.dll"
+        self.options["compression"] = "1"
+        self.options["procdump"] = "0"
 
     def start(self, path):
         wscript = self.get_path("wscript.exe")

diff --git a/analyzer/windows/modules/packages/Compression_pdf.py b/analyzer/windows/modules/packages/Compression_pdf.py
@@ -15,8 +15,8 @@ def __init__(self, options={}, config=None):
         """@param options: options dict."""
         self.config = config
         self.options = options
-        self.options["dll"] = "Compression.dll"
-        self.options["dll_64"] = "Compression_x64.dll"
+        self.options["compression"] = "1"
+        self.options["procdump"] = "0"
 
     def start(self, path):
         reader = self.get_path_glob("Adobe Reader")

diff --git a/analyzer/windows/modules/packages/Compression_zip.py b/analyzer/windows/modules/packages/Compression_zip.py
@@ -35,8 +35,8 @@ def __init__(self, options={}, config=None):
         self.config = config
         self.options = options
         self.pids = []
-        self.options["dll"] = "Compression.dll"
-        self.options["dll_64"] = "Compression_x64.dll"
+        self.options["compression"] = "1"
+        self.options["procdump"] = "0"
 
     def extract_zip(self, zip_path, extract_path, password, recursion_depth):
         """Extracts a nested ZIP file.

diff --git a/analyzer/windows/modules/packages/Emotet.py b/analyzer/windows/modules/packages/Emotet.py
@@ -16,8 +16,10 @@ def __init__(self, options={}, config=None):
         self.config = config
         self.options = options
         self.pids = []
-        self.options["dll"] = "Extraction.dll"
-        self.options["exclude-apis"] = "RegOpenKeyExA"
+        self.options["extraction"] = "1"
+        self.options["procdump"] = "0"
+        self.options["single-process"] = "1"
+        self.options["exclude-apis"] = "RegOpenKeyExA:SendMessageA"
 
     def start(self, path):
         args = self.options.get("arguments")

diff --git a/analyzer/windows/modules/packages/Emotet_batch.py b/analyzer/windows/modules/packages/Emotet_batch.py
@@ -32,8 +32,8 @@ def __init__(self, options={}, config=None):
         self.config = config
         self.options = options
         self.pids = []
-        self.options["dll"] = "Extraction.dll"
-        self.options["dll_64"] = "Extraction_x64.dll"
+        self.options["extraction"] = "1"
+        self.options["procdump"] = "0"
         self.options["exclude-apis"] = "RegOpenKeyExA"
         self.options["single-process"] = "1"
 

diff --git a/analyzer/windows/modules/packages/Emotet_doc.py b/analyzer/windows/modules/packages/Emotet_doc.py
@@ -2,7 +2,6 @@
 # Copyright(C) 2019 Kevin O'Reilly (kevoreilly@gmail.com)
 # See the file 'docs/LICENSE' for copying permission.
 
-from __future__ import absolute_import
 import os
 from lib.common.abstracts import Package
 
@@ -19,7 +18,8 @@ def __init__(self, options={}, config=None):
         """@param options: options dict."""
         self.config = config
         self.options = options
-        self.options["dll"] = "Extraction.dll"
+        self.options["extraction"] = "1"
+        self.options["procdump"] = "0"
         self.options["exclude-apis"] = "RegOpenKeyExA"
 
     def start(self, path):

diff --git a/analyzer/windows/modules/packages/Extraction.py b/analyzer/windows/modules/packages/Extraction.py
@@ -4,23 +4,27 @@
 
 from __future__ import absolute_import
 import os
+import shutil
 
 from lib.common.abstracts import Package
 
 class Extraction(Package):
     """CAPE Extraction analysis package."""
+    #PATHS = [
+    #    ("SystemRoot", "system32"),
+    #]
 
     def __init__(self, options={}, config=None):
         """@param options: options dict."""
         self.config = config
         self.options = options
         self.pids = []
-        self.options["dll"] = "Extraction.dll"
-        self.options["dll_64"] = "Extraction_x64.dll"
+        self.options["extraction"] = "1"
+        self.options["procdump"] = "0"
 
     def start(self, path):
         arguments = self.options.get("arguments")
-
+        
         # If the file doesn't have an extension, add .exe
         # See CWinApp::SetCurrentHandles(), it will throw
         # an exception that will crash the app if it does
@@ -29,5 +33,5 @@ def start(self, path):
             new_path = path + ".exe"
             os.rename(path, new_path)
             path = new_path
-
+        
         return self.execute(path, arguments, path)
diff --git a/analyzer/windows/modules/packages/Extraction_dll.py b/analyzer/windows/modules/packages/Extraction_dll.py
@@ -18,8 +18,7 @@ def __init__(self, options={}, config=None):
         """@param options: options dict."""
         self.config = config
         self.options = options
-        self.options["dll"] = "Extraction.dll"
-        self.options["dll_64"] = "Extraction_x64.dll"
+        self.options["extraction"] = "1"
 
     def start(self, path):
         rundll32 = self.get_path("rundll32.exe")
@@ -47,4 +46,4 @@ def start(self, path):
             rundll32 = newname
 
         return self.execute(rundll32, args, path)
-
+        
diff --git a/analyzer/windows/modules/packages/Extraction_jar.py b/analyzer/windows/modules/packages/Extraction_jar.py
@@ -15,8 +15,8 @@ def __init__(self, options={}, config=None):
         """@param options: options dict."""
         self.config = config
         self.options = options
-        self.options["dll"] = "Extraction.dll"
-        self.options["dll_64"] = "Extraction_x64.dll"
+        self.options["extraction"] = "1"
+        self.options["procdump"] = "0"
 
     def start(self, path):
         java = self.get_path_glob("Java")

diff --git a/analyzer/windows/modules/packages/Extraction_js.py b/analyzer/windows/modules/packages/Extraction_js.py
@@ -17,8 +17,8 @@ def __init__(self, options={}, config=None):
         """@param options: options dict."""
         self.config = config
         self.options = options
-        self.options["dll"] = "Extraction.dll"
-        self.options["dll_64"] = "Extraction_x64.dll"
+        self.options["extraction"] = "1"
+        self.options["procdump"] = "0"
 
     def start(self, path):
         wscript = self.get_path("wscript.exe")

diff --git a/analyzer/windows/modules/packages/Extraction_pdf.py b/analyzer/windows/modules/packages/Extraction_pdf.py
@@ -15,7 +15,8 @@ def __init__(self, options={}, config=None):
         """@param options: options dict."""
         self.config = config
         self.options = options
-        self.options["dll"] = "Extraction.dll"
+        self.options["extraction"] = "1"
+        self.options["procdump"] = "0"
 
     def start(self, path):
         reader = self.get_path_glob("Adobe Reader")

diff --git a/analyzer/windows/modules/packages/Extraction_ps1.py b/analyzer/windows/modules/packages/Extraction_ps1.py
@@ -17,8 +17,8 @@ def __init__(self, options={}, config=None):
         """@param options: options dict."""
         self.config = config
         self.options = options
-        self.options["dll"] = "Extraction.dll"
-        self.options["dll_64"] = "Extraction_x64.dll"
+        self.options["extraction"] = "1"
+        self.options["procdump"] = "0"
 
     def start(self, path):
         powershell = self.get_path_glob("PowerShell")

diff --git a/analyzer/windows/modules/packages/Extraction_regsvr.py b/analyzer/windows/modules/packages/Extraction_regsvr.py
@@ -4,6 +4,7 @@
 
 from __future__ import absolute_import
 import os
+import shutil
 
 from lib.common.abstracts import Package
 
@@ -17,8 +18,8 @@ def __init__(self, options={}, config=None):
         """@param options: options dict."""
         self.config = config
         self.options = options
-        self.options["dll"] = "Extraction.dll"
-        self.options["dll_64"] = "Extraction_x64.dll"
+        self.options["extraction"] = "1"
+        self.options["procdump"] = "0"
 
     def start(self, path):
         regsvr32 = self.get_path("regsvr32.exe")

diff --git a/analyzer/windows/modules/packages/Extraction_zip.py b/analyzer/windows/modules/packages/Extraction_zip.py
@@ -31,8 +31,8 @@ def __init__(self, options={}, config=None):
         self.config = config
         self.options = options
         self.pids = []
-        self.options["dll"] = "Extraction.dll"
-        self.options["dll_64"] = "Extraction_x64.dll"
+        self.options["extraction"] = "1"
+        self.options["procdump"] = "0"
 
     def extract_zip(self, zip_path, extract_path, password, recursion_depth):
         """Extracts a nested ZIP file.
@@ -103,8 +103,8 @@ def get_infos(self, zip_path):
     def start(self, path):
         root = os.environ["TEMP"]
         password = self.options.get("password")
-        exe_regex = re.compile(b'(\.exe|\.scr|\.msi|\.bat|\.lnk|\.js|\.jse|\.vbs|\.vbe|\.wsf)$',flags=re.IGNORECASE)
-        dll_regex = re.compile(b'(\.dll|\.ocx)$',flags=re.IGNORECASE)
+        exe_regex = re.compile('(\.exe|\.scr|\.msi|\.bat|\.lnk|\.js|\.jse|\.vbs|\.vbe|\.wsf)$',flags=re.IGNORECASE)
+        dll_regex = re.compile('(\.dll|\.ocx)$',flags=re.IGNORECASE)
         zipinfos = self.get_infos(path)
         self.extract_zip(path, root, password, 0)
 

diff --git a/analyzer/windows/modules/packages/Hancitor.py b/analyzer/windows/modules/packages/Hancitor.py
@@ -16,8 +16,7 @@ def __init__(self, options={}, config=None):
         self.config = config
         self.options = options
         self.pids = []
-        self.options["dll"] = "Hancitor.dll"
-        #self.options["dll_64"] = "Hancitor_x64.dll"
+        self.options["hancitor"] = "1"
 
     def start(self, path):
         args = self.options.get("arguments")

diff --git a/analyzer/windows/modules/packages/Hancitor_dll.py b/analyzer/windows/modules/packages/Hancitor_dll.py
@@ -0,0 +1,43 @@
+# Copyright (C) 2010-2015 Cuckoo Foundation.
+# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
+# See the file 'docs/LICENSE' for copying permission.
+
+from __future__ import absolute_import
+import os
+import shutil
+
+from lib.common.abstracts import Package
+
+class Hancitor_Dll(Package):
+    """DLL analysis package."""
+    PATHS = [
+        ("SystemRoot", "system32", "rundll32.exe"),
+    ]
+
+    def start(self, path):
+        rundll32 = self.get_path("rundll32.exe")
+        function = self.options.get("function", "#1")
+        arguments = self.options.get("arguments")
+        dllloader = self.options.get("dllloader")
+        self.options["hancitor"] = "1"
+
+        # Check file extension.
+        ext = os.path.splitext(path)[-1].lower()
+        # If the file doesn't have the proper .dll extension force it
+        # and rename it. This is needed for rundll32 to execute correctly.
+        # See ticket #354 for details.
+        if ext != ".dll":
+            new_path = path + ".dll"
+            os.rename(path, new_path)
+            path = new_path
+
+        args = "\"{0}\",{1}".format(path, function)
+        if arguments:
+            args += " {0}".format(arguments)
+
+        if dllloader:
+            newname = os.path.join(os.path.dirname(rundll32), dllloader)
+            shutil.copy(rundll32, newname)
+            rundll32 = newname
+
+        return self.execute(rundll32, args, path)
diff --git a/analyzer/windows/modules/packages/Hancitor_doc.py b/analyzer/windows/modules/packages/Hancitor_doc.py
@@ -20,8 +20,7 @@ def __init__(self, options={}, config=None):
         """@param options: options dict."""
         self.config = config
         self.options = options
-        self.options["dll"] = "Hancitor.dll"
-        #self.options["dll_64"] = "Hancitor_x64.dll"
+        self.options["hancitor"] = "1"
 
     def start(self, path):
         word = self.get_path_glob("Microsoft Office Word")

diff --git a/analyzer/windows/modules/packages/Injection.py b/analyzer/windows/modules/packages/Injection.py
@@ -16,8 +16,8 @@ def __init__(self, options={}, config=None):
         self.config = config
         self.options = options
         self.pids = []
-        self.options["dll"] = "Injection.dll"
-        self.options["dll_64"] = "Injection_x64.dll"
+        self.options["injection"] = "1"
+        self.options["procdump"] = "0"
 
     def start(self, path):
         args = self.options.get("arguments")