Changeset 1271

Timestamp:
02/27/08 14:40:47 (6 months ago)
Author:
kindlund
Message:

Updated VM destruction logic. Added new registry/filesystem excludes.

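--- a/honeyclient/trunk/lib/HoneyClient/Manager.pm
+++ b/honeyclient/trunk/lib/HoneyClient/Manager.pm
@@ -543,5 +543,7 @@
     # Make sure all processes in our process group our dead.
     # TODO: Need to eventually properly destroy sub-processes.
-    kill("KILL", -$$);
+    # We can't enable this, otherwise active VM objects won't be properly
+    # suspended.
+    #kill("KILL", -$$);
     exit;
 }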
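Review bot: With the process-group kill commented out, nothing in this hunk terminates the sub-processes that the TODO on the line above refers to, so children will outlive the manager once `exit` runs; the comment `# Make sure all processes in our process group our dead.` is now stale (it also misspells "are"). Suggest replacing the two comments with one that states the current contract, e.g. `# Process-group kill disabled (r1271): it prevents active VM objects from suspending cleanly. TODO: terminate known child PIDs individually after the VMs are suspended.` The enclosing sub starts before the hunk.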
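--- a/honeyclient/trunk/lib/HoneyClient/Manager/VM.pm
+++ b/honeyclient/trunk/lib/HoneyClient/Manager/VM.pm
@@ -834,4 +834,6 @@
         # try 'KILL'.
         if (kill("QUIT", $DAEMON_PID)) {
+            # XXX: Delete this, eventually.
+            $LOG->warn("Killing VM daemon at PID: " . $DAEMON_PID);
             kill("KILL", $DAEMON_PID);
         }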
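Review bot: The new warn at line 837 fires every time QUIT delivery succeeds, because Perl's `kill` returns the number of processes signalled rather than whether the daemon exited, so the KILL on the next line is sent immediately with no chance for the daemon to honour QUIT; if the intent (the comment above is cut at the hunk edge) is to escalate only when QUIT is not enough, a short grace period and a liveness check belong between them, e.g. `sleep(1);` followed by `kill("KILL", $DAEMON_PID) if kill(0, $DAEMON_PID);`. The message itself is useful beyond debugging, since a forced SIGKILL of the daemon is worth a log line; rather than `# XXX: Delete this, eventually.` consider keeping it at a lower log level with a comment such as `# Record forced termination so a daemon that ignored QUIT is visible in the log.` The enclosing block starts before the hunk.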
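--- a/honeyclient/trunk/thirdparty/capture-mod/FileMonitor.exl
+++ b/honeyclient/trunk/thirdparty/capture-mod/FileMonitor.exl
@@ -10,4 +10,5 @@
 #Prefetch
 +   Write   C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Prefetch\\.+
++   Delete  C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Prefetch\\.+
 +   Write   System  C:\\WINDOWS\\Prefetch\\.+
 #NTFS Metadata
@@ -94,8 +95,8 @@
 +   Write   C:\\Program Files\\Messenger\\msmsgs\.exe   C:\\Documents and Settings\\.+\\NTUSER.DAT.LOG
 +   Delete  C:\\Program Files\\Messenger\\msmsgs\.exe   C:\\Documents and Settings\\.+\\NTUSER.DAT.LOG
-+   Write   C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe  E:\$LogFile
-+   Write   C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe  E:\$Directory
-+   Write   C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe  E:\$Mft
-+   Write   C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe  F:\$LogFile
++   Write   C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe  E:\\$LogFile
++   Write   C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe  E:\\$Directory
++   Write   C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe  E:\\$Mft
++   Write   C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe  F:\\$LogFile
 
 ###################################################
@@ -168,2 +169,6 @@
 +   Delete  C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe   C:\\WINDOWS\\system32\\wbem\\Performance\\WmiApRpl\.h
 +   Delete  C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe   C:\\WINDOWS\\system32\\PerfStringBackup\.TMP
+
+#### Honeyclient manual add - helpsvc.exe
++   Write   C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpsvc.exe C:\\WINDOWS\\PCHEALTH\\HELPCTR\\DataColl\\.*
++   Delete  C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpsvc.exe C:\\WINDOWS\\PCHEALTH\\HELPCTR\\DataColl\\.*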
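Review bot: The two helpsvc.exe entries added at the end of the section (and the matching one in RegistryMonitor.exl) leave the dot in `helpsvc.exe` unescaped, whereas every other process path in this file escapes it as `\.exe`; if these fields are matched as regular expressions, as the `\.exe` and `.+` used throughout suggest, the unescaped dot matches any character and the exclude is wider than intended. Suggest `+   Write   C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpsvc\.exe C:\\WINDOWS\\PCHEALTH\\HELPCTR\\DataColl\\.+` and the same correction on the Delete line. The trailing `.*` also differs from the `.+` used in the rest of the file and additionally matches the DataColl directory itself, which may be intended but is worth stating in the `#### Honeyclient manual add` comment. Since each exclude is keyed only on the image path, any process running from that path is trusted for everything the pattern covers, so keeping the patterns as narrow as the observed noise requires limits the monitoring blind spot.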
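--- a/honeyclient/trunk/thirdparty/capture-mod/RegistryMonitor.exl
+++ b/honeyclient/trunk/thirdparty/capture-mod/RegistryMonitor.exl
@@ -312,2 +312,5 @@
 +   SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Printers
 +   SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Providers
+
+#### Honeyclient manual add - helpsvc.exe
++   SetValueKey C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpsvc.exe   HKLM\\SOFTWARE\\Microsoft\\PCHealth\\.+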