Changeset 153 for honeyclient/branches/exp/stephenson-link_scoring/lib
- Timestamp:
- 01/10/07 14:06:43 (2 years ago)
- Files:
-
- honeyclient/branches/exp/stephenson-link_scoring (modified) (1 prop)
- honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Agent.pm (modified) (10 diffs, 2 props)
- honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Agent/Driver.pm (modified) (5 diffs, 2 props)
- honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Agent/Driver/Browser.pm (modified) (27 diffs, 1 prop)
- honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Agent/Driver/Browser/FF.pm (modified) (1 prop)
- honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Agent/Driver/Browser/IE.pm (modified) (3 diffs, 2 props)
- honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Agent/Integrity (copied) (copied from honeyclient/trunk/lib/HoneyClient/Agent/Integrity)
- honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Agent/Integrity.pm (modified) (26 diffs, 1 prop)
- honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Manager.pm (modified) (4 diffs, 2 props)
- honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Manager/FW.pm (modified) (8 diffs, 1 prop)
- honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Manager/VM.pm (modified) (6 diffs, 1 prop)
- honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Util/Config.pm (modified) (7 diffs, 1 prop)
- honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Util/SOAP.pm (modified) (5 diffs, 1 prop)
honeyclient/branches/exp/stephenson-link_scoring
- Property sc:bug-fix-release-branch set to 0.9
honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Agent.pm
- Property svn:executable deleted
- Property svn:keywords set to Id "$file"
r13 r153 5 5 # Description: Central library used for agent-based operations. 6 6 # 7 # CVS: $Id : Agent.pm 1049 2006-06-28 16:37:41Z flindiakos$7 # CVS: $Id$ 8 8 # 9 9 # @author knwang, ttruong, kindlund … … 38 38 =head1 VERSION 39 39 40 $Rev: 1626 $ 40 0.92 41 41 42 42 =head1 SYNOPSIS … … 79 79 80 80 # Set our package version. 81 $VERSION = 0.9 ;81 $VERSION = 0.92; 82 82 83 83 @ISA = qw(Exporter); … … 210 210 # TODO: Update unit tests to include 'dclone' 211 211 use Storable qw(nfreeze thaw dclone); 212 $Storable::Deparse = 1; 213 $Storable::Eval = 1; 212 214 213 215 # Include Base64 Libraries … … 236 238 our $PERFORM_INTEGRITY_CHECKS : shared = 237 239 getVar(name => "perform_integrity_checks"); 240 241 # A globally shared, serialized hashtable, containing the 242 # initialized integrity state of the VM -- ready to be checked 243 # against, at any time. 244 our $integrityState : shared = undef; 238 245 239 246 # A globally shared, serialized hashtable, containing data per … … 359 366 $driverUpdateQueues{$driverName} = new Thread::Queue; 360 367 } 368 369 # Perform initial integrity baseline check. 370 #my $integrity = undef; 371 #if ($PERFORM_INTEGRITY_CHECKS) { 372 # print "Initializing Integrity Check...\n"; 373 # # TODO: Initialize Integrity Checks 374 # $integrity = HoneyClient::Agent::Integrity->new(); 375 # $integrity->initAll(); 376 #} 377 #$integrityState = $integrity->serialize(); 361 378 362 379 # Release data lock. … … 688 705 eval { 689 706 690 my $integrity = undef;691 if ($PERFORM_INTEGRITY_CHECKS) {692 print "Initializing Filesystem Integrity Check...\n";693 # TODO: Initialize Integrity Checks694 $integrity = HoneyClient::Agent::Integrity->new();695 $integrity->initAll();696 }697 698 707 ################################### 699 708 ### Driver Initialization Phase ### 700 709 ################################### 710 711 # Initially set local integrity object to undef. 
712 my $integrity = undef; 701 713 702 714 # Initially set all driver objects to undef. … … 705 717 # Acquire lock on stored driver state. 706 718 $data = _lock(); 719 720 if ($PERFORM_INTEGRITY_CHECKS) { 721 # XXX: WARNING - The $integrityState object data is NOT thread-safe 722 # (since it relies on external data stored on the file system). 723 # As such, do NOT try to call integrity checks on multiple, simultaneous 724 # asynchronous threaded drivers. 725 #$integrity = thaw($integrityState); 726 # Perform initial integrity baseline check. 727 print "Initializing Integrity Check...\n"; 728 # TODO: Initialize Integrity Checks 729 $integrity = HoneyClient::Agent::Integrity->new(); 730 $integrity->initAll(); 731 732 # TODO: Delete this. 733 #$Data::Dumper::Indent = 1; 734 #$Data::Dumper::Terse = 1; 735 #print "Integrity: " . Dumper($integrity) . "\n"; 736 } 707 737 708 738 # Now, initialize each driver object. … … 805 835 # For now, we update a scalar called 'is_compromised' within 806 836 # the $data->{$driverName}->{'status'} sub-hashtable. 807 print "Performing Filesystem Integrity Check...\n";837 print "Performing Integrity Checks...\n"; 808 838 if ($integrity->checkAll()) { 809 839 print "Integrity Check: FAILED\n"; … … 1099 1129 =head1 SEE ALSO 1100 1130 1101 XXX: Fill this in. 1102 1103 XXX: If you have a mailing list, mention it here. 1104 1105 XXX: If you have a web site set up for your module, mention it here. 1131 L<http://www.honeyclient.org/trac> 1106 1132 1107 1133 =head1 REPORTING BUGS 1108 1134 1109 XXX: Mention website/mailing list to use, when reporting bugs. 1135 L<http://www.honeyclient.org/trac/newticket> 1110 1136 1111 1137 =head1 ACKNOWLEDGEMENTS honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Agent/Driver.pm
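Review bot: `$Storable::Deparse = 1;` and `$Storable::Eval = 1;` (new lines 212-213) are process-wide globals set at module load, so every `thaw()` in the agent process — not only the one intended for `$integrityState` — will compile and execute code references embedded in whatever bytes it is handed; that is acceptable only if no `thaw()` call in this process ever receives data that originated outside it, which nothing in this hunk establishes. Their only consumer, `$integrity = thaw($integrityState);` at line 725, is commented out, and `$integrityState` is never assigned (its only write at line 377 is also commented out), so both globals and the shared variable are dead code as committed. Either drop the two assignments until the thaw is revived, or scope them to that single call when it is: `my $integrity = do { local $Storable::Deparse = 1; local $Storable::Eval = 1; thaw($integrityState) };`. The same two module-level assignments appear in the Integrity.pm section of this changeset. The `eval` block that begins at line 705 continues outside the hunk.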
- Property svn:executable deleted
- Property svn:keywords set to Id "$file"
r13 r153 6 6 # HoneyClient VM. 7 7 # 8 # CVS: $Id : Driver.pm 1412 2006-10-18 20:33:18Z kindlund$8 # CVS: $Id$ 9 9 # 10 10 # @author knwang, ttruong, kindlund … … 38 38 =head1 VERSION 39 39 40 This documentation refers to HoneyClient::Agent::Driver version 1.0.40 This documentation refers to HoneyClient::Agent::Driver version 0.92. 41 41 42 42 =head1 SYNOPSIS … … 120 120 121 121 # Set our package version. 122 $VERSION = 0.9 ;122 $VERSION = 0.92; 123 123 124 124 @ISA = qw(Exporter); … … 160 160 # Make sure Log::Log4perl loads 161 161 BEGIN { use_ok('Log::Log4perl', qw(:nowarn)) 162 or diag("Can't load Log::Log4perl package. Check to make sure the package library is correctly li nsted within the path.");162 or diag("Can't load Log::Log4perl package. Check to make sure the package library is correctly listed within the path."); 163 163 164 164 # Suppress all logging messages, since we need clean output for unit testing. … … 697 697 L<perltoot/"Autoloaded Data Methods"> 698 698 699 XXX: If you have a mailing list, mention it here. 700 701 XXX: If you have a web site set up for your module, mention it here. 699 L<http://www.honeyclient.org/trac> 702 700 703 701 =head1 REPORTING BUGS 704 702 705 XXX: Mention website/mailing list to use, when reporting bugs. 703 L<http://www.honeyclient.org/trac/newticket> 706 704 707 705 =head1 AUTHORS honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Agent/Driver/Browser.pm
- Property svn:keywords set to Id "$file"
r147 r153 7 7 # HoneyClient VM. 8 8 # 9 # CVS: $Id : Browser.pm 1423 2006-11-6 14:21:47Z stephenson$9 # CVS: $Id$ 10 10 # 11 11 # @author knwang, kindlund, stephenson … … 40 40 =head1 VERSION 41 41 42 This documentation refers to HoneyClient::Agent::Driver::Browser version 1.0.42 This documentation refers to HoneyClient::Agent::Driver::Browser version 0.92. 43 43 44 44 =head1 SYNOPSIS … … 84 84 $browser->{links_to_visit}->{'http://www.mitre.org'} = 1; 85 85 86 # Now, drive IEfor one iteration.86 # Now, drive the browser for one iteration. 87 87 $browser->drive(); 88 88 … … 90 90 91 91 This library allows the Agent module to drive an instance of any broswer, 92 running inside the HoneyClient VM. The purpose 93 of this module is to programmatically navigate the browser to different 94 websites, in order to become purposefully infected with new malware. 95 The module implements the logic necessary to decide the order in which 96 the 92 running inside the HoneyClient VM. The purpose of this module is to 93 programmatically navigate the browser to different websites, in order to 94 become purposefully infected with new malware. 97 95 98 96 This module is object-oriented in design, retaining all state information … … 157 155 158 156 # Set our package version. 159 $VERSION = 0.9 ;157 $VERSION = 0.92; 160 158 161 159 # Define inherited modules. … … 175 173 # Do not simply export all your public functions/methods/constants. 176 174 177 # This allows declaration use HoneyClient::Agent::Driver:: IE':all';175 # This allows declaration use HoneyClient::Agent::Driver::Browser ':all'; 178 176 # If you do not need this, moving things directly into @EXPORT or @EXPORT_OK 179 177 # will save memory. … … 213 211 214 212 # Use Storable Library 213 # TODO: Need unit testing. 
215 214 use Storable qw(dclone); 216 215 … … 240 239 =head1 DEFAULT PARAMETER LIST 241 240 242 When a n IEB<$object> is instantiated using the B<new()> function,241 When a Browser B<$object> is instantiated using the B<new()> function, 243 242 the following parameters are supplied default values. Each value 244 243 can be overridden by specifying the new (key => value) pair into the … … 302 301 This parameter is a hashtable of fully qualified URLs, such that each 303 302 URL shares a common B<hostname>. This is an internal hashtable used 304 by the IE driver that should be initially empty. As the IE driver305 extracts and removes new URLs off the B<links_to_visit> hashtable,303 by the Browser driver that should be initially empty. As the Browser 304 driver extracts and removes new URLs off the B<links_to_visit> hashtable, 306 305 driving the browser to each URL, any B<relative> links found are 307 306 added into this hashtable; any B<external> links found are added … … 364 363 =over 4 365 364 366 A string containing the process name of the Internet Explorer 367 browser application, as it appears in the Task Manager. This is 368 usually called "iexplore.exe". 365 A string containing the process name of the browser application, 366 as it appears in the Task Manager. 369 367 370 368 =back … … 458 456 ignore_links_timed_out => getVar(name => "ignore_links_timed_out"), 459 457 460 # A string containing the process name of the Internet Explorer 461 # browser application, as it appears in the Task Manager. This is 462 # usually called "iexplore.exe". 458 # A string containing the process name of the browser application, 459 # as it appears in the Task Manager. 463 460 process_name => getVar(name => "process_name"), 464 461 … … 499 496 # 'links_to_visit' hashtable is checked. 
500 497 # 501 # Inputs: HoneyClient::Agent::Driver:: IEobject498 # Inputs: HoneyClient::Agent::Driver::Browser object 502 499 # Outputs: link, or undef if all applicable scalars/hashtables are empty 503 500 sub _getNextLink { … … 718 715 # already in the hashtable. 719 716 # 720 # Inputs: HoneyClient::Agent::Driver:: IEobject, url to validate717 # Inputs: HoneyClient::Agent::Driver::Browser object, url to validate 721 718 # Outputs: url if valid, empty string if invalid 722 719 sub _validateLink { … … 805 802 =head1 METHODS IMPLEMENTED 806 803 807 The following functions have been implemented by the IEdriver. Many804 The following functions have been implemented by the Browser driver. Many 808 805 of these methods were implementations of the parent Driver interface. 809 806 … … 812 809 Driver interface, see the L<HoneyClient::Agent::Driver> documentation. 813 810 814 =head2 HoneyClient::Agent::Driver:: IE->new($param => $value, ...)811 =head2 HoneyClient::Agent::Driver::Browser->new($param => $value, ...) 815 812 816 813 =over 4 817 814 818 Creates a new IEdriver object, which contains a hashtable815 Creates a new Browser driver object, which contains a hashtable 819 816 containing any of the supplied "param => value" arguments. 820 817 … … 826 823 corresponding $value(s) B<must> also be specified. 827 824 828 I<Output>: The instantiated IEdriver B<$object>, fully initialized.825 I<Output>: The instantiated Browser driver B<$object>, fully initialized. 829 826 830 827 =back … … 888 885 =pod 889 886 890 =head2 $object->drive( )887 =head2 $object->drive(url => $url) 891 888 892 889 =over 4 893 890 894 Drives an instance of Microsoft Internet Explorer for one iteration,891 Drives an instance of the browser for one iteration, 895 892 navigating to the next URL and updating the driver's corresponding 896 893 internal hashtables accordingly. … … 900 897 the "DEFAULT PARAMETER LIST" section. 
901 898 902 Once a drive() iteration has completed, the corresponding Microsoft 903 Internet Explorer browser process is terminated. Thus, each call to 904 drive() invokes a new instance of the browser. 905 906 I<Output>: The updated IE driver B<$object>, containing state information 907 from driving Microsoft Internet Explorer for one iteration. 908 909 B<Warning>: This method will B<croak> if the IE driver object is B<unable> 899 Once a drive() iteration has completed, the corresponding browser process 900 is terminated. Thus, each call to drive() invokes a new instance of the 901 browser. 902 903 I<Inputs>: 904 B<$url> is an optional argument, specifying the next immediate URL the browser must drive to. 905 906 I<Output>: The updated Browser driver B<$object>, containing state information 907 from driving the browser for one iteration. 908 909 B<Warning>: This method will B<croak> if the Browser driver object is B<unable> 910 910 to navigate to a new link, because its list of links to visit is empty. 911 911 … … 1046 1046 =over 4 1047 1047 1048 Returns the next URL that the Microsoft Internet Explorer browser will 1049 navigate to, upon the next subsequent call to the B<$object>'s drive() 1050 method. 1048 Returns the next URL that the browser will navigate to, upon the next 1049 subsequent call to the B<$object>'s drive() method. 1051 1050 1052 1051 I<Output>: The next URL that the browser will be driven to. The returned 1053 data may be undef, if the IEdriver is finished and there are no links1052 data may be undef, if the Browser driver is finished and there are no links 1054 1053 left to navigate to. 1055 1054 … … 1101 1100 1102 1101 Returns the next set of server hostnames and/or IP addresses that the 1103 Microsoft Internet Explorer browser will contact, upon the next subsequent 1104 call to the B<$object>'sdrive() method.1102 browser will contact, upon the next subsequent call to the B<$object>'s 1103 drive() method. 
1105 1104 1106 1105 Specifically, the returned data is a reference to a hashtable, containing … … 1382 1381 =over 4 1383 1382 1384 Indicates if the IE driver B<$object> has driven the Microsoft Internet1385 Explorer browserto all possible links it has found within its hashtables1383 Indicates if the Browser driver B<$object> has driven the browser 1384 process to all possible links it has found within its hashtables 1386 1385 and is unable to navigate the browser further without additional, external 1387 1386 input. 1388 1387 1389 I<Output>: True if the IEdriver B<$object> is finished, false otherwise.1390 1391 B<Note>: Additional links can be fed to this IEdriver at any time, by1388 I<Output>: True if the Browser driver B<$object> is finished, false otherwise. 1389 1390 B<Note>: Additional links can be fed to this Browser driver at any time, by 1392 1391 simply adding new hashtable entries to the B<links_to_visit> hashtable 1393 1392 within the B<$object>. 1394 1393 1395 1394 For example, if you wanted to add the URL "http://www.mitre.org" 1396 to the IEdriver B<$object>, simply use the following code:1395 to the Browser driver B<$object>, simply use the following code: 1397 1396 1398 1397 $object->{links_to_visit}->{'http://www.mitre.org'} = 1; … … 1434 1433 =over 4 1435 1434 1436 Returns the current status of the IEdriver B<$object>, as it's state1435 Returns the current status of the Browser driver B<$object>, as it's state 1437 1436 exists, between subsequent calls to $object->driver(). 1438 1437 1439 1438 Specifically, the data returned is a reference to a hashtable, 1440 1439 containing specific statistical information about the status 1441 of the IEdriver's progress, between iterations of driving the1442 Microsoft Internet Explorer browser.1440 of the Browser driver's progress, between iterations of driving the 1441 browser process. 
1443 1442 1444 1443 The following is an example hashtable, containing all the … … 1457 1456 1458 1457 I<Output>: A corresponding B<$hashref>, containing statistical information 1459 about the IEdriver's progress, as previously mentioned.1458 about the Browser driver's progress, as previously mentioned. 1460 1459 1461 1460 # XXX: Resolve this, per parent Driver description. … … 1525 1524 1526 1525 =head1 BUGS & ASSUMPTIONS 1527 1528 This module makes extensive use of the Win32::IE::Mechanize module.1529 Any bugs found within that library will most likely be present here.1530 1526 1531 1527 In a nutshell, this object is nothing more than a blessed anonymous … … 1536 1532 or overriding (key => value) pairs. 1537 1533 1538 However, additional links can be fed to any IEdriver at any time, by1534 However, additional links can be fed to any Browser driver at any time, by 1539 1535 simply adding new hashtable entries to the B<links_to_visit> hashtable 1540 1536 within the B<$object>. 1541 1537 1542 1538 For example, if you wanted to add the URL "http://www.mitre.org" 1543 to the IEdriver B<$object>, simply use the following code:1539 to the Browser driver B<$object>, simply use the following code: 1544 1540 1545 1541 $object->{links_to_visit}->{'http://www.mitre.org'} = 1; 1546 1542 1547 XXX: At some point, we may want to replace all the instances of '1' 1548 with more useful data, like a sub-hashtable that contains a set of 1549 L<Win32::OLE> options that would be fed directly into each 1550 instance of Win32::IE::Mechanize->new(%options). 1551 1552 In general, the IE driver does B<not> know how many links it will 1543 In general, the Browser driver does B<not> know how many links it will 1553 1544 ultimately end up browsing to, until it conducts an exhaustive 1554 1545 spider of all initial URLs supplied. 
As such, expect the output … … 1569 1560 =head1 SEE ALSO 1570 1561 1571 Win32::IE::Mechanize 1572 1573 Win32::OLE 1574 1575 XXX: If you have a mailing list, mention it here. 1576 1577 XXX: If you have a web site set up for your module, mention it here. 1562 L<http://www.honeyclient.org/trac> 1578 1563 1579 1564 =head1 REPORTING BUGS 1580 1565 1581 XXX: Mention website/mailing list to use, when reporting bugs. 1566 L<http://www.honeyclient.org/trac/newticket> 1582 1567 1583 1568 =head1 AUTHORS … … 1588 1573 1589 1574 Darien Kindlund, E<lt>kindlund@mitre.orgE<gt> 1575 1576 Brad Stephenson, E<lt>stephenson@mitre.orgE<gt> 1590 1577 1591 1578 =head1 COPYRIGHT & LICENSE honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Agent/Driver/Browser/FF.pm
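Review bot: The `drive()` POD now advertises an optional `url => $url` argument (lines 887-904) but does not say how a caller-supplied URL is treated relative to the driver's own queue — whether it passes through `_validateLink()` like entries taken from `links_to_visit`, and whether it is visited ahead of them; the `drive()` body lies outside the hunks in this section, so neither can be confirmed from here. Please state both in the POD, for example by extending the B<$url> sentence with `It is subject to the same _validateLink() checks as queued links and, when supplied, is visited before any entry in links_to_visit.`, adjusted to whatever the implementation actually does. While touching the status POD at line 1436, `as it's state exists, between subsequent calls to $object->driver()` should read `as its state exists, between subsequent calls to $object->drive()`, since the method documented in this file is `drive()`.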
- Property svn:keywords set to Id "$file"
honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Agent/Driver/Browser/IE.pm
- Property svn:executable deleted
- Property svn:keywords set to Id "$file"
r13 r153 7 7 # HoneyClient VM. 8 8 # 9 # CVS: $Id : IE.pm 1599 2006-11-08 20:04:30Z kindlund$9 # CVS: $Id$ 10 10 # 11 11 # @author knwang, ttruong, kindlund, stephenson … … 43 43 =head1 VERSION 44 44 45 This documentation refers to HoneyClient::Agent::Driver::Browser::IE version 1.0.45 This documentation refers to HoneyClient::Agent::Driver::Browser::IE version 0.92. 46 46 47 47 =head1 SYNOPSIS … … 74 74 75 75 # Set our package version. 76 $VERSION = 0.9 ;76 $VERSION = 0.92; 77 77 78 78 # Define inherited modules. honeyclient/branches/exp/stephenson-link_scoring/lib/HoneyClient/Agent/Integrity.pm
- Property svn:keywords set to Id "$file"
r13 r153 1 1 ################################################################################ 2 # Created on: June 1, 20062 # Created on: June 01, 2006 3 3 # Package: HoneyClient::Agent 4 4 # File: Integrity.pm 5 # Description: Module for checking the system integrity for possible modification 5 # Description: Module for checking the system integrity for possible 6 # modifications. 6 7 # 7 8 # @author knwang, xkovah, ttruong … … 26 27 ################################################################################ 27 28 28 29 30 29 =pod 31 30 … … 39 38 =head1 VERSION 40 39 41 0. 0840 0.92 42 41 43 42 =head1 SYNOPSIS … … 105 104 can_ok('HoneyClient::Agent::Integrity', 'initFileSystem'); 106 105 can_ok('HoneyClient::Agent::Integrity', 'checkFileSystem'); 107 can_ok('HoneyClient::Agent::Integrity', 'initRegistry'); 108 can_ok('HoneyClient::Agent::Integrity', 'checkRegistry'); 109 use HoneyClient::Agent::Integrity qw(initAll checkAll initRegistry checkRegistry initFileSystem checkFileSystem); 106 use HoneyClient::Agent::Integrity qw(initAll checkAll initFileSystem checkFileSystem); 110 107 111 108 # Make sure HoneyClient::Util::Config loads. … … 134 131 135 132 # Make sure Storable loads. 136 BEGIN { use_ok('Storable', qw(dclone )) or diag("Can't load Storable package. Check to make sure the package library is correctly listed within the path."); }133 BEGIN { use_ok('Storable', qw(dclone nfreeze thaw)) or diag("Can't load Storable package. 
Check to make sure the package library is correctly listed within the path."); } 137 134 require_ok('Storable'); 138 135 can_ok('Storable', 'dclone'); 139 use Storable qw(dclone); 136 can_ok('Storable', 'nfreeze'); 137 can_ok('Storable', 'thaw'); 138 use Storable qw(dclone nfreeze thaw); 140 139 141 140 ###Testing Globals### … … 159 158 # Include Global Configuration Processing Library 160 159 use HoneyClient::Util::Config qw(getVar); 160 use HoneyClient::Agent::Integrity::Registry; 161 161 use File::Find qw(find); 162 162 #use Win32::TieRegistry; 163 163 use Digest::MD5; 164 164 use MIME::Base64; 165 use Switch; 166 use Storable qw(dclone); 165 use Storable qw(nfreeze thaw dclone); 166 $Storable::Deparse = 1; 167 $Storable::Eval = 1; 167 168 use Data::Dumper; 169 use File::Basename qw(dirname); 168 170 169 171 BEGIN { … … 173 175 174 176 # Set our package version. 175 $VERSION = 0.9 ;177 $VERSION = 0.92; 176 178 177 179 @ISA = qw(Exporter); 178 180 179 181 # Symbols to export on request 180 @EXPORT = qw(new initAll checkAll initRegistry checkRegistry initFileSystem checkFileSystem);182 @EXPORT = qw(new initAll checkAll); 181 183 182 184 # Items to export into callers namespace by default. Note: do not export … … 208 210 #Used *for now* to signal whether any changes occured (if they == 1) 209 211 my $g_fs_changes = 0; 210 my $g_reg_changes = 0; 211 212 #Used to initialize a default registry space to check if they don't specify anything when creating the object 213 my @default_reg_check_array = ("HKEY_LOCAL_MACHINE", "HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_USERS", "HKEY_CURRENT_CONFIG"); 214 215 #I have no idea why slashes need to be triple-slashes since it's single quoted, but that's what works... 
216 #also, of course [ and ] and any other special characters you find need to be escaped 217 my @default_reg_exclude_array = ( '\[HKEY_LOCAL_MACHINE\\\SOFTWARE\\\Microsoft\\\Cryptography\\\RNG\]', 218 '\[HKEY_CURRENT_USER\\\SessionInformation\]', 219 '\[HKEY_USERS\\\.+\\\SessionInformation\]', 220 '\[HKEY_LOCAL_MACHINE\\\SOFTWARE\\\Microsoft\\\Windows\\\CurrentVersion\\\WindowsUpdate\\\Auto Update\]', 221 '\[HKEY_USERS\\\.+\\\Software\\\Microsoft\\\Windows\\\CurrentVersion\\\Explorer\\\UserAssist\\\.*\\\Count\]', 222 '\[HKEY_LOCAL_MACHINE\\\SYSTEM\\\CurrentControlSet\\\Services\\\.+\\\Parameters\\\Tcpip\]', 223 '\[HKEY_LOCAL_MACHINE\\\SYSTEM\\\CurrentControlSet\\\Services\\\Tcpip\\\Parameters\\\Interfaces\\\.+\]', 224 '\[HKEY_LOCAL_MACHINE\\\SYSTEM\\\CurrentControlSet\\\Services\\\Dhcp\\\Parameters\]', 225 '\[HKEY_LOCAL_MACHINE\\\SYSTEM\\\ControlSet.+\\\Services\\\.+\\\Parameters\\\Tcpip\]', 226 '\[HKEY_LOCAL_MACHINE\\\SYSTEM\\\ControlSet.+\\\Services\\\Tcpip\\\Parameters\\\Interfaces\\\.+\]', 227 '\[HKEY_LOCAL_MACHINE\\\SYSTEM\\\ControlSet.+\\\Services\\\Dhcp\\\Parameters\]', 228 '\[HKEY_LOCAL_MACHINE\\\SOFTWARE\\\Microsoft\\\Windows\\\CurrentVersion\\\BITS]', 229 '\[HKEY_USERS\\\.+\\\Software\\\Microsoft\\\Windows\\\CurrentVersion\\\Explorer\\\UserAssist\\\.+\\\Count\]', 230 '\[HKEY_CURRENT_USER\\\Software\\\Microsoft\\\Windows\\\CurrentVersion\\\Explorer\\\UserAssist\\\.+\\\Count\]', 231 '\[HKEY_LOCAL_MACHINE\\\SOFTWARE\\\Microsoft\\\Windows\\\CurrentVersion\\\Group Policy\\\State\\\Machine\\\Extension-List\\\.+\]', 232 '\[HKEY_LOCAL_MACHINE\\\SOFTWARE\\\Microsoft\\\Windows\\\CurrentVersion\\\Group Policy\\\State\\\.+\\\Extension-List\\\.+\]', 233 '\[HKEY_USERS\\\.+\\\Software\\\Microsoft\\\Windows\\\ShellNoRoam\\\BagMRU\]', 234 '\[HKEY_CURRENT_USER\\\Software\\\Microsoft\\\Windows\\\ShellNoRoam\\\BagMRU\]', 235 '\[HKEY_CURRENT_USER\\\Volatile Environment\]', 236 '\[HKEY_USERS\\\.+\\\UNICODE Program Groups\]', 237 
'\[HKEY_LOCAL_MACHINE\\\SYSTEM\\\ControlSet.+\\\Services\\\SharedAccess\\\Epoch\]', 238 '\[HKEY_LOCAL_MACHINE\\\SYSTEM\\\CurrentControlSet\\\Services\\\SharedAccess\\\Epoch\]', 239 ); 240 241 my @default_file_exclude_array = ( '/cygdrive/c/cygwin/tmp/changes.txt', 242 '/cygdrive/c/cygwin/tmp/cleanfile.txt', 243 '/cygdrive/c/Documents and Settings/Administrator/Desktop/honeyclient', 244 '/cygdrive/c/WINDOWS/Prefetch/', 245 '/cygdrive/c/WINDOWS/WindowsUpdate.log', 246 '/cygdrive/c/WINDOWS/Debug/UserMode/userenv.log', 247 '/cygdrive/c/WINDOWS/SoftwareDistribution/DataStore/', 248 '/cygdrive/c/WINDOWS/SchedLgU.Txt', 249 '/cygdrive/c/WINDOWS/SoftwareDistribution/ReportingEvents.log', 250 '/cygdrive/c/WINDOWS/system32/config/SysEvent.Evt', 251 '/cygdrive/c/WINDOWS/PCHEALTH/HELPCTR/DataColl/', 252 #Can't be included cause it's user specific 253 #'/cygdrive/c/WINDOWS/SoftwareDistribution/WuRedir/9482F4B4-E343-43B6-B170-9A65BC822C77/wuredir.cab.bak', 254 '/cygdrive/c/Documents and Settings/All Users/Application Data/Microsoft/Network/Downloader/', 255 '/cygdrive/c/Documents and Settings/Administrator/Application Data/Mozilla/Firefox/Profiles/', 256 '/cygdrive/c/Documents and Settings/Administrator/Local Settings/Application Data/Mozilla/Firefox/Profiles/', 257 '/cygdrive/c/Documents and Settings/Administrator/Application Data/Talkback/MozillaOrg/Firefox15/Win32/2006050817/permdata.box', 258 '/cygdrive/c/Documents and Settings/Administrator/Cookies/index.dat', 259 '/cygdrive/c/Documents and Settings/Administrator/Local Settings/History/History.IE5/', 260 '/cygdrive/c/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5', 261 '/cygdrive/c/Documents and Settings/Administrator/Recent/', 262 '/cygdrive/c/Program Files/Mozilla Firefox/updates/', 263 '/cygdrive/c/Program Files/Mozilla Firefox/active-update.xml', 264 '/cygdrive/c/Program Files/Mozilla Firefox/updates.xml', 265 ); 212 213 # XXX: All dirs must NEVER end in a trailing slash. 
214 my @default_file_exclude_array = ( 215 '/cygdrive/c/cygwin/tmp/changes.txt', 216 '/cygdrive/c/cygwin/tmp/cleanfile.txt', 217 '/cygdrive/c/cygwin/home/Administrator', 218 '/cygdrive/c/Documents and Settings/Administrator/Desktop/honeyclient', 219 '/cygdrive/c/WINDOWS/Prefetch', 220 '/cygdrive/c/WINDOWS/WindowsUpdate.log', 221 '/cygdrive/c/WINDOWS/Debug/UserMode/userenv.log', 222 '/cygdrive/c/WINDOWS/SoftwareDistribution/DataStore', 223 '/cygdrive/c/WINDOWS/SchedLgU.Txt', 224 '/cygdrive/c/WINDOWS/SoftwareDistribution/ReportingEvents.log', 225 '/cygdrive/c/WINDOWS/system32/config/SysEvent.Evt', 226 '/cygdrive/c/WINDOWS/system32/wbem', 227 '/cygdrive/c/WINDOWS/PCHEALTH/HELPCTR/DataColl', 228 '/cygdrive/c/Documents and Settings/All Users/Application Data/Microsoft/Network/Downloader', 229 '/cygdrive/c/Documents and Settings/Administrator/Application Data/Mozilla/Firefox/Profiles', 230 '/cygdrive/c/Documents and Settings/Administrator/Local Settings/Application Data/Mozilla/Firefox/Profiles', 231 '/cygdrive/c/Documents and Settings/Administrator/Application Data/Talkback/MozillaOrg/Firefox15/Win32/2006050817/permdata.box', 232 '/cygdrive/c/Documents and Settings/Administrator/Cookies/index.dat', 233 '/cygdrive/c/Documents and Settings/Administrator/Local Settings/History/History.IE5', 234 '/cygdrive/c/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5', 235 '/cygdrive/c/Documents and Settings/Administrator/Recent', 236 '/cygdrive/c/Program Files/Mozilla Firefox/updates', 237 '/cygdrive/c/Program Files/Mozilla Firefox/active-update.xml', 238 '/cygdrive/c/Program Files/Mozilla Firefox/updates.xml', 239 '/cygdrive/c/WINDOWS/SoftwareDistribution/WuRedir', 240 '/cygdrive/c/WINDOWS/SYSTEM32/config/SecEvent.Evt', 241 '/cygdrive/c/WINDOWS/SYSTEM32/config/SysEvent.Evt', 242 '/cygdrive/c/WINDOWS/SYSTEM32/wbem/Repository/FS/INDEX.BTR', 243 '/cygdrive/c/WINDOWS/SYSTEM32/wbem/Repository/FS/INDEX.MAP', 244 
'/cygdrive/c/WINDOWS/SYSTEM32/wbem/Repository/FS/MAPPING.VER', 245 '/cygdrive/c/WINDOWS/SYSTEM32/wbem/Repository/FS/MAPPING1.MAP', 246 '/cygdrive/c/WINDOWS/SYSTEM32/wbem/Repository/FS/MAPPING2.MAP', 247 '/cygdrive/c/WINDOWS/SYSTEM32/wbem/Repository/FS/OBJECTS.DATA', 248 '/cygdrive/c/WINDOWS/SYSTEM32/wbem/Repository/FS/OBJECTS.MAP', 249 ); 266 250 267 251 268 252 my %PARAMS = ( 269 253 270 ### Files which are read in only ### 271 # List of files and directories to check during filesystem checking 272 file_checklist => getVar(name => "file_checklist", namespace => "HoneyClient::Agent::Integrity"), 254 # Contains the Registry object, once initialized. 255 _registry => undef, 256 257 # XXX: Clean the rest of these variables up. 258 ### Files which are read in only ### 259 # List of files and directories to check during filesystem checking 260 file_checklist => getVar(name => "file_checklist", namespace => "HoneyClient::Agent::Integrity"), 273 261 274 262 # List of files or directories to exclude if found in subdirs during 275 263 # filesystem check. 
276 file_exclude => getVar(name => "file_exclude", namespace => "HoneyClient::Agent::Integrity"), 277 278 # List of registry keys to check 279 reg_list_to_check => getVar(name => "reg_list_to_check", namespace => "HoneyClient::Agent::Integrity"), 264 file_exclude => getVar(name => "file_exclude", namespace => "HoneyClient::Agent::Integrity"), 280 265 281 266 ### Files to write and read ### 282 267 # File to store hashes for files selected during the baseline 283 clean_file => getVar(name => "clean_file", namespace => "HoneyClient::Agent::Integrity"),268 clean_file => getVar(name => "clean_file", namespace => "HoneyClient::Agent::Integrity"), 284 269 285 270 # File to write any found changes to 286 change_file => getVar(name => "change_file", namespace => "HoneyClient::Agent::Integrity"),271 change_file => getVar(name => "change_file", namespace => "HoneyClient::Agent::Integrity"), 287 272 288 # Stores baseline for the registry. Always appended with a number 289 clean_reg => getVar(name => "clean_reg", namespace => "HoneyClient::Agent::Integrity"), 273 #vars 274 file_exclude_hash => undef, #hash, holds files to exclude 275 file_list => undef, #list, files to check when checking filesystem 290 276 291 # Stores the current state of the registry to check against the292 # clean state293 current_reg => getVar(name => "current_reg", namespace => "HoneyClient::Agent::Integrity"),294 295 # The file for the diff command to redirect it's output to.296 # Always appended with a number.297 diffs => getVar(name => "diffs", namespace => "HoneyClient::Agent::Integrity"),298 299 #vars300 file_exclude_hash => undef, #hash, holds files to exclude301 file_list => undef, #list, files to check when checking filesystem302 reg1 => undef, #list, holds entire contents of first file to diff303 reg2 => undef, #list, holds entire contents of second file to diff304 305 #array that holds the locations in the registry to check306 reg_check_array => undef,307 #array that holds the registry 
locations that should be excluded from the detected changes308 reg_exclude_array => undef,309 310 277 #works exactly like the reg_exclude_array, and is initialized in a similar way 311 file_exclude_array => undef, 312 313 changes => undef, #multi-dimensional array used for holding individual instances of a diff output 314 g_count => -1, #highest level index for, each $g_count will be a different instance of a diff grouping 278 file_exclude_array => undef, 279 280 changes => undef, #multi-dimensional array used for holding individual instances of a diff output 315 281 ); 316 282 … … 379 345 380 346 sub initAll { 381 my $self = shift; 382 $self->initRegistry(); 347 my $self = shift; 348 # XXX: initRegistry() MUST be called before initFileSystem, since initRegistry 349 # creates new files that must exist to be added to the exclusion list for 350 # initFileSystem. 351 $self->{'_registry'} = HoneyClient::Agent::Integrity::Registry->new(); 383 352 $self->initFileSystem(); 384 353 } … … 395 364 396 365 sub checkAll { 397 my $self = shift; 398 my $retval; 399 400 #Add any new created checks here 401 402 $self->startCheckProcesses(); #currently a dummy method that just returns 366 my $self = shift; 367 my $retval; 368 403 369 # If at all possible we want the (faster) registry checks to short circut 404 370 # the overall checks so we don't have to do the very slow filesystem checks. 405 $retval = $self->checkRegistry(); 406 if($retval){ 407 return $retval; 408 } 409 $retval = $self->checkFileSystem(); 371 my $changes = $self->{'_registry'}->check(); 372 if (scalar(@{$changes})) { 373 print "Registry has changed:\n"; 374 foreach my $change (@{$changes}) { 375 print $change->{'key'} . " (" . $change->{'status'} . 
")\n"; 376 } 377 open CHANGES, ">>$self->{change_file}" or die "Cannot open $self->{change_file}: $!\n"; 378 $Data::Dumper::Terse = 1; 379 $Data::Dumper::Indent = 1; 380 print CHANGES Dumper($changes); 381 close CHANGES; 382 return $changes; 383 } 384 print "No registry changes have occurred.\n"; 385 $retval = $self->checkFileSystem(); 410 386 411 387 return $retval; 412 413 414 } 388 } 389 390 # TODO: Comment this. 391 sub serialize { 392 my $self = shift; 393 394 if (defined($self->{'_registry'})) { 395 $self->{'_registry'}->closeFiles(); 396 } 397 398 return nfreeze($self); 399 } 400 415 401 ################################################################################ 416 402 … … 479 465 $g_hack = $self->{file_list}; 480 466 $g_ex_hash = (); 467 my $file; 481 468 482 469 my @checkdirs = $self->_get_directories_to_check(); … … 494 481 } 495 482 496 foreach my $file (@{$self->{file_exclude_array}}){ 483 $/ = "\n"; 484 foreach $file (@{$self->{file_exclude_array}}){ 497 485 chomp $file; 498 486 if(-f $file){ … … 501 489 # because you can't get to that in _found() 502 490 } 503 else { if(-d $file){ 504 find (\&_recursive_exclude, $file); 505 } 506 else{ 507 #XXX: Does this case matter(exist?) for pipes for instance? 508 print "A file that isn't a file or directory (or just general problem, or the file just isn't there) was found with file: $file\n"; 509 } 491 elsif(-d $file){ 492 print "excluding $file\n"; 493 $g_ex_hash->{$file} = 1; #used in lieu of the $self->file_exclude_hash 494 #find (\&_recursive_exclude, $file); 495 } 496 else{ 497 #XXX: Does this case matter(exist?) for pipes for instance? 
498 print "A file that isn't a file or directory (or just general problem, or the file just isn't there) was found with file: $file\n"; 510 499 } 511 500 } 512 501 513 502 print "Finding Files in initFileSystem...Be Patient.\n"; 514 foreach my $checkdir (@checkdirs) {503 foreach my $checkdir (@checkdirs) { 515 504 find (\&_found, "$checkdir"); #this will populate @{$self->{file_list}} 516 505 } … … 518 507 $self->{file_list} = $g_hack; 519 508 $self->{file_exclude_hash} = $g_ex_hash; 520 ## #print "file_exclude_hash in init\n" . Dumper($self->{file_exclude_hash}) . "\n";509 ## print "file_exclude_hash in init\n" . Dumper($self->{file_exclude_hash}) . "\n"; 521 510 522 511 print "Hashing Files in initFileSystem...Be Patient\n"; 523 512 open CLEANFILE, ">$self->{clean_file}" or die "Cannot open $self->{clean_file}: $!\n"; 524 foreach my$file (@{$self->{file_list}}) {513 foreach $file (@{$self->{file_list}}) { 525 514 # print "hashing $file\n"; 526 515 if(open HASHFILE, "$file") { … … 603 592 sub checkFileSystem { 604 593 605 my $self = shift; #Object 606 %{$self->{clean_file_hash}} = (); 607 %{$self->{changed_file_hash}} = (); 608 my %current_file_hash = (); 609 my %new_file_hash = (); 610 my %del_file_hash = (); 611 my @checkdirs; 612 my $standalone_test = 0; 594 my $self = shift; #Object 595 %{$self->{clean_file_hash}} = (); 596 %{$self->{changed_file_hash}} = (); 597 my %current_file_hash = (); 598 my %new_file_hash = (); 599 my %del_file_hash = (); 600 my @checkdirs; 601 my $standalone_test = 0; 602 my $file; 603 my $key; 613 604 614 605 ### print "file_exclude_hash in check\n" . Dumper($self->{file_exclude_hash}) . 
"\n"; … … 620 611 #open file to create hash of values for clean files 621 612 open CLEANFILE, "$self->{clean_file}" or die "Cannot open $self->{clean_file}: $!\n"; 613 $/ = "\n"; 622 614 while(<CLEANFILE>) { 623 615 my $line = $_; … … 656 648 } 657 649 658 foreach my $file (@{$self->{file_exclude_array}}){ 650 $/ = "\n"; 651 foreach $file (@{$self->{file_exclude_array}}){ 659 652 chomp $file; 660 653 if(-f $file){ … … 686 679 #also detects new files 687 680 print "Hashing Files in checkFileSystem...Be Patient\n"; 688 foreach my$file (@{$self->{file_list}}) {689 if(open HASHFILE, "$file") {681 foreach $file (@{$self->{file_list}}) { 682 if(open HASHFILE, "$file") { 690 683 my $md5ctx = Digest::MD5->new(); 691 684 # If this call fails, an exception will be generated. … … 704 697 705 698 #check for deleted files 706 foreach my$key (keys %{$self->{clean_file_hash}}) {699 foreach $key (keys %{$self->{clean_file_hash}}) { 707 700 if(!($current_file_hash{$key})) { 708 701 $del_file_hash{$key} = $self->{clean_file_hash}->{$key}; … … 716 709 717 710 print CHANGES "Files deleted:\n"; 718 foreach my$key (sort keys %del_file_hash) {711 foreach $key (sort keys %del_file_hash) { 719 712 print CHANGES "$key\n"; 720 713 } 721 714 print CHANGES "\n\n"; 722 715 print CHANGES "Files added:\n";
