Changeset 1599

Timestamp:
06/02/08 17:04:47 (3 months ago)
Author:
kindlund
Message:

Very experimental support for STRACE and HTTPREPLAY support. It currently doesn't work well in production, because Capture will either BSOD or yield unpredictable false positives. Also, currently when we issue a manual Win32::Job→timeout() sometimes the STRACE process won't properly get killed in time before the next drive call is made; as such, we probably need to measure the /tmp/strace.log file BEFORE we spawn the job (to see what size the old strace.log file was). That way, we "kinda/sorta" know if a STRACE job is acting up on us (because the strace.log file size wouldn't change); from this, we could allocate more time to make sure the previous STRACE job has finished dying and also allocate enough time for the new STRACE job to finish. Ideally, it would be really nice if all this functionality were implemented in Capture in the first place, because Win32::Job hates multi-nested process trees, for some reason.

Files:

  • honeyclient/branches/exp/kindlund-strace/lib/HoneyClient/Agent.pm

    r1499 r1599  
    14011401    my $processName = getVar(name => "process_name", 
    14021402                             namespace => $args{'driver_name'}); 
    1403     my $status = $job->spawn($processExec, $processName . " " . $args{'parameters'}); 
     1403    # TODO: Updated for initial STRACE support - Clean this up further. 
     1404    #my $status = $job->spawn($processExec, $processName . " " . $args{'parameters'}); 
     1405    my $status = $job->spawn('C:\WINDOWS\system32\cmd.exe', 'cmd.exe /C C:\cygwin\home\Administrator\src\honeyclient-trunk\bin\strace_wrapper.cmd "' . $processExec . "\" \"" . $args{'parameters'} . "\" && sleep " . ($args{'timeout'} + 10)); 
    14041406 
    14051407    # Sanity check. 
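Review bot: The new spawn line (1405) builds a single cmd.exe /C string by concatenating $processExec and $args{'parameters'} inside double quotes, so a parameter value (the resource being driven to) that itself contains a double quote, `&`, `|` or `%` is interpreted by cmd.exe rather than passed through to strace_wrapper.cmd; since the driven URL is exactly the untrusted input here, either escape those characters before interpolation or pass the arguments to the wrapper without going through cmd.exe /C. Separately, the path C:\cygwin\home\Administrator\src\honeyclient-trunk\bin\strace_wrapper.cmd is hard-coded while the process name two lines above comes from getVar(); move the wrapper path into the same config namespace, and drop the commented-out original spawn call rather than leaving it in place.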
     
    14121414    $LOG->info($args{'driver_name'} . " - Driving To Resource: " . $args{'parameters'}); 
    14131415 
     1416    # TODO: Updated for initial STRACE support - Clean this up further. 
    14141417    # Run the job. 
    1415     $job->run($args{'timeout'}); 
     1418    #$job->run($args{'timeout'}); 
     1419    # TODO: Clean this up, eventually. 
     1420    use File::stat; 
     1421    my $watch_counter = 0; 
     1422    my $size_counter = 0; 
     1423    my $current_strace_size = 0; 
     1424    my $previous_strace_size = 0; 
     1425    $job->watch(sub { 
     1426        my $job = shift; 
     1427        if ($watch_counter >= $args{'timeout'}) { 
     1428            # TODO: Delete this, eventually. 
     1429            $LOG->warn("Driver Status: Timeout!"); 
     1430            return 1; 
     1431        } 
     1432        $watch_counter++; 
     1433        # TODO: Delete this, eventually. 
     1434        $LOG->info("Watch Counter: " . $watch_counter); 
     1435 
     1436        # TODO: Clean this up, eventually. 
     1437        my $stat_obj = stat("/tmp/strace.log"); 
     1438        if (defined($stat_obj)) { 
     1439            $current_strace_size = $stat_obj->size; 
     1440        } 
     1441        # TODO: Delete this, eventually. 
     1442        $LOG->info("STrace Log Size: " . $current_strace_size . " (bytes)"); 
     1443        # If the size has not changed, then increment 
     1444        # the size_counter; otherwise, reset the size_counter 
     1445        # to 0. 
     1446        if ($previous_strace_size == $current_strace_size) { 
     1447            $size_counter++; 
     1448        } else { 
     1449            $size_counter = 0; 
     1450        } 
     1451 
     1452        # TODO: Clean this up, eventually. 
     1453        if ($size_counter >= 4) { 
     1454            # TODO: Delete this, eventually. 
     1455            $LOG->info("Driver Status: Done?"); 
     1456            return 1; 
     1457        } 
     1458 
     1459        $previous_strace_size = $current_strace_size; 
     1460        return 0; 
     1461    }, 1); 
    14161462 
    14171463    # Check to see if run fails. 
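Review bot: The watch callback (1425-1461) reports "Done?" as soon as the log size is unchanged for 4 consecutive one-second ticks, but $previous_strace_size and $current_strace_size both start at 0 and stay there when stat("/tmp/strace.log") returns undef, so a missing log (strace not yet started, or writing somewhere else) is declared done after about 4 seconds; the same happens when a stale strace.log from the previous run sits at a stable size before the new tracer begins appending, which is the very case the commit message describes. Record the size (or truncate/rotate the file) before $job->spawn and only begin counting stable ticks once the size has first changed from that baseline, and treat a never-created log as a failure rather than completion. Minor points: `my $job = shift;` inside the callback shadows the outer $job and is unused, and `use File::stat;` is a compile-time pragma that belongs with the other use statements at the top of the module rather than mid-function.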
  • honeyclient/branches/exp/kindlund-strace/thirdparty/capture-mod/FileMonitor.exl

    r1578 r1599  
    334334+   Write   C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\LocalService 
    335335+   Write   C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\config\\SysEvent\.Evt 
     336 
     337#### Honeyclient - STRACE Functionality 
     338+   Write   C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\cygwin\\tmp\\strace\.log 
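Review bot: The new exclusion (338) only covers writes to strace.log by C:\Program Files\Internet Explorer\iexplore.exe, while the Agent.pm change in this same changeset takes the traced executable from the configurable process_name, so any other driver (or the wrapper's own cmd.exe/withdll.exe/runelevate.exe processes, if they touch the log) will still raise a Capture file-write event and produce the false positives the commit message mentions. Either generate this entry from the same process_name value or add entries for each process the wrapper is known to run. Note also that Agent.pm stats /tmp/strace.log while this rule names C:\\cygwin\\tmp\\strace\.log; these are the same file only under Cygwin's path mapping, so the Perl side should use the Windows path if it is not running under Cygwin's perl.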
  • honeyclient/branches/exp/kindlund-strace/thirdparty/capture-mod/ProcessMonitor.exl

    r1522 r1599  
    4848#### HONEYCLIENT AUTO EXCLUDE SCRIPT - IE7 accessing live.com 
    4949+   infocard.exe    .*  C:\\WINDOWS\\Microsoft.NET\\Framework\\v3.0\\Windows Communication Foundation\\infocard.exe 
     50 
     51#### HONEYCLIENT - Incorporating STRACE 
     52+   cmd.exe .*  C:\\WINDOWS\\system32\\cmd.exe 
     53+   runelevate.exe  .*  C:\\Program Files\\STRACE\\runelevate.exe 
     54+   withdll.exe .*  C:\\Program Files\\STRACE\\withdll.exe 
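Review bot: The cmd.exe entry (52) excludes every cmd.exe process event with a wildcard `.*` in the middle column, which creates a detection blind spot well beyond the STRACE wrapper: a drive-by payload that launches cmd.exe would now be ignored by the process monitor. Scope the exclusion to the wrapper's own invocation (for example by matching on the parent or the wrapper script rather than a bare cmd.exe), as the runelevate.exe and withdll.exe entries (53-54) already do by their dedicated C:\\Program Files\\STRACE\\ path. Also, `C:\\WINDOWS\\system32\\cmd.exe` leaves the `.` before `exe` unescaped, unlike the `\.exe` form used in the other exclusion files in this changeset; use `cmd\.exe` for consistency.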
  • honeyclient/branches/exp/kindlund-strace/thirdparty/capture-mod/RegistryMonitor.exl

    r1540 r1599  
    401401# IE7 - accessing multimedia pages 
    402402+   SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\MPEG2Demultiplexer 
     403 
     404#### Honeyclient - STRACE Support 
     405+   SetValueKey C:\\Program Files\\STRACE\\runelevate\.exe  HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap 
     406+   SetValueKey C:\\Program Files\\STRACE\\runelevate\.exe  HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders 
     407+   SetValueKey C:\\Program Files\\STRACE\\runelevate\.exe  HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2.*
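Review bot: The first two runelevate.exe entries (405-406) lack the trailing `.*` that the MountPoints2 entry (407) carries; if the key pattern is matched in full, SetValueKey writes to subkeys beneath Internet Settings\ZoneMap (for example the per-domain zone assignments) will not be excluded and will still be reported, so either append `.*` or confirm that prefix matching is intended. Also, the ProcessMonitor change in this changeset whitelists cmd.exe and withdll.exe alongside runelevate.exe, but only runelevate.exe is excluded here; note in the header comment whether those processes were observed to make no registry writes or whether their entries are still to come.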