Changeset 1623
- Timestamp:
- 06/12/08 18:36:35 (3 months ago)
- Files:
-
- honeyclient/branches/exp/kindlund-strace/auto_drive.pl (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-strace/bin/bootstrap_agent.sh (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-strace/etc/honeyclient.xml (modified) (3 diffs)
- honeyclient/branches/exp/kindlund-strace/lib/HoneyClient/Agent.pm (modified) (10 diffs)
- honeyclient/branches/exp/kindlund-strace/thirdparty/capture-mod/FileMonitor.exl (modified) (1 diff)
- honeyclient/branches/exp/kindlund-strace/thirdparty/capture-mod/ProcessMonitor.exl (modified) (2 diffs)
honeyclient/branches/exp/kindlund-strace/auto_drive.pl
r1599 r1623 8 8 use MIME::Base64 qw(encode_base64 decode_base64); 9 9 use Storable qw(thaw); 10 $Storable::Deparse = 1; 11 $Storable::Eval = 1; 10 #$Storable::Deparse = 1; 11 #$Storable::Eval = 1; 12 $Data::Dumper::Indent = 2; 13 $Data::Dumper::Terse = 0; 12 14 13 15 # Create a new SOAP client, to talk to the HoneyClient::Agent … … 23 25 # Drive HoneyClient::Agent::Driver::Browser::IE to a website. 24 26 $som = $stub->drive(driver_name => "HoneyClient::Agent::Driver::Browser::IE", 25 parameters => encode_base64("http://www. cnn.com"));27 parameters => encode_base64("http://www.microsoft.com")); 26 28 27 29 # Check the result to see if any compromise was found. honeyclient/branches/exp/kindlund-strace/bin/bootstrap_agent.sh
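Review bot: With `$Storable::Eval` now left at its default, `thaw()` will croak if a SOAP response carries a serialized CODE ref instead of silently compiling and running it, so the thaw call (presumably below this hunk, since `thaw` is imported on line 9) should sit inside an `eval {}` with a check of `$@` so the script reports the rejected payload rather than aborting mid-run. Commenting the two settings out reads as an invitation to switch them back on; either delete the lines or replace them with a one-line comment stating that deserialising code from the Agent is deliberately disabled.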
r1499 r1623 25 25 26 26 # Ping a remote site, to test for connectivity (optional). 27 /cygdrive/c/windows/system32/ping.exe pingu.honeyclient.org27 #/cygdrive/c/windows/system32/ping.exe pingu.honeyclient.org 28 28 29 29 # Change to the honeyclient directory. … … 31 31 32 32 # Perform an SVN update (optional). 33 svn update33 #svn update 34 34 35 35 # Start up the realtime integrity checker. honeyclient/branches/exp/kindlund-strace/etc/honeyclient.xml
r1582 r1623 81 81 <!-- TODO: Update this. XXX: Command-line option, eventually? --> 82 82 <timeout description="How long the Driver waits during a drive operation, before timing out (in seconds)." default="60"> 83 2083 60 84 84 </timeout> 85 <bin_injdll description="The absolute path to the INJDLL.EXE process, that is apart of the STRACE application." default="C:\Program Files\STRACE\INJDLL.EXE"> 86 C:\Program Files\STRACE\INJDLL.EXE 87 </bin_injdll> 88 <dll_strace description="The absolute path to the STRACE.DLL file to use, when STRACE support is enabled." default="C:\Program Files\STRACE\STRACE.DLL_IE6"> 89 C:\Program Files\STRACE\STRACE.DLL_IE6 90 </dll_strace> 91 <work_complete_timeout description="When STRACE support is enabled, this option indicates how many seconds the Driver waits for the STRACE.LOG file to grow in size, before the Driver assumes that all network activity has successfully completed." default="4"> 92 4 93 </work_complete_timeout> 85 94 <Browser> 86 95 <IE> … … 92 101 iexplore.exe 93 102 </process_name> 103 <dll_strace description="The absolute path to the STRACE.DLL file to use, when STRACE support is enabled." default="C:\Program Files\STRACE\STRACE.DLL_IE7"> 104 C:\Program Files\STRACE\STRACE.DLL_IE7 105 </dll_strace> 94 106 </IE> 95 107 <FF> … … 101 113 firefox.exe 102 114 </process_name> 115 <dll_strace description="The absolute path to the STRACE.DLL file to use, when STRACE support is enabled." default="C:\Program Files\STRACE\STRACE.DLL_IE6"> 116 C:\Program Files\STRACE\STRACE.DLL_IE6 117 </dll_strace> 103 118 </FF> 104 119 </Browser> honeyclient/branches/exp/kindlund-strace/lib/HoneyClient/Agent.pm
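Review bot: The `work_complete_timeout` description says the Driver waits for "the STRACE.LOG file" to grow, but the Agent.pm change in this same changeset watches `%USERPROFILE%/Desktop/STRACE__PID_<pid>.LOG`; suggest rewording it to `how many seconds the Driver waits for the per-process STRACE__PID_<pid>.LOG file to stop growing before it assumes all network activity has completed`. The driver-level `dll_strace` default and the `<FF>` override both point at `STRACE.DLL_IE6` while `<IE>` uses `STRACE.DLL_IE7`; if those suffixes denote browser-specific builds, the Firefox entry looks like a placeholder and deserves a comment saying whether it has been verified with firefox.exe.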
r1600 r1623 273 273 use DateTime::HiRes; 274 274 275 # Make sure Filesys::CygwinPaths loads. 276 BEGIN { use_ok('Filesys::CygwinPaths') or diag("Can't load Filesys::CygwinPaths package. Check to make sure the package library is correctly listed within the path."); } 277 require_ok('Filesys::CygwinPaths'); 278 use Filesys::CygwinPaths qw(:all); 279 280 # Make sure File::Basename loads. 281 BEGIN { use_ok('File::Basename', qw(basename dirname)) or diag("Can't load File::Basename package. Check to make sure the package library is correctly listed within the path."); } 282 require_ok('File::Basename'); 283 can_ok('File::Basename', 'basename'); 284 can_ok('File::Basename', 'dirname'); 285 use File::Basename qw(basename dirname); 286 275 287 # Make sure Data::Dumper loads. 276 288 BEGIN { use_ok('Data::Dumper') or diag("Can't load Data::Dumper package. Check to make sure the package library is correctly listed within the path."); } … … 337 349 # Use ISO 8601 DateTime Libraries 338 350 use DateTime::HiRes; 351 352 # Use Cygwin Path Resolution Libraries 353 use Filesys::CygwinPaths qw(:all); 354 355 # Use Basename Libraries 356 use File::Basename qw(basename dirname); 339 357 340 358 # Include Logging Library … … 625 643 }, 626 644 # Time inside VM when job was executed. 627 'time_at' => '2008-04-02 22:17:00.889667987' 645 'time_at' => '2008-04-02 22:17:00.889667987', 646 647 # Status of the work performed by the driver. 
648 'work_status' => 'completed', 628 649 }; 629 650 … … 668 689 ok($changes, "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed."); 669 690 ok(exists($changes->{'status'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed."); 691 ok(exists($changes->{'work_status'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed."); 670 692 ok(exists($changes->{'time_at'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed."); 671 693 ok(exists($changes->{'fingerprint'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed."); … … 1286 1308 } 1287 1309 ], 1288 'time_at' => '2008-04-02 21:44:40.376' 1310 'time_at' => '2008-04-02 21:44:40.376', 1311 'work_status' => 'completed', 1289 1312 }; 1290 1313 … … 1300 1323 ok(exists($changes->{'time_at'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed."); 1301 1324 ok(exists($changes->{'fingerprint'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed."); 1325 ok(exists($changes->{'work_status'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed."); 1302 1326 1303 1327 # Check that os_processes is not empty. … … 1377 1401 my $ret = { 1378 1402 # Time when application was driven. 1379 'time_at' => _getTimestamp(),1403 'time_at' => _getTimestamp(), 1380 1404 1381 1405 # Fingerprint information found (if any). 1382 'fingerprint' => undef,1406 'fingerprint' => undef, 1383 1407 1384 1408 # Status information about the Win32::Job call. 1385 'status' => undef, 1409 'status' => undef, 1410 1411 # Status information about the work performed by the driver. 
1412 'work_status' => 'ignored', 1386 1413 }; 1387 1414 … … 1401 1428 my $processName = getVar(name => "process_name", 1402 1429 namespace => $args{'driver_name'}); 1403 # TODO: Updated for initial STRACE support - Clean this up further.1404 1430 my $status = $job->spawn($processExec, $processName . " " . $args{'parameters'}); 1405 #my $status = $job->spawn('C:\WINDOWS\system32\cmd.exe', 'cmd.exe /C C:\cygwin\home\Administrator\src\honeyclient-trunk\bin\strace_wrapper.cmd "' . $processExec . "\" \"" . $args{'parameters'} . "\" && sleep " . ($args{'timeout'} + 10));1406 1431 1407 1432 # Sanity check. … … 1412 1437 } 1413 1438 1414 # TODO: Clean this up, eventually. 1415 $LOG->info($args{'driver_name'} . " - Injecting STRACE.DLL_IE7 into PID (" . $status . ")"); 1416 if (system(q{"/cygdrive/c/Program Files/STRACE/INJDLL.EXE" /p:} . $status . q{ /d:"C:\Program Files\STRACE\STRACE.DLL_IE7" > /dev/null 2>&1}) != 0) { 1417 $LOG->error($args{'driver_name'} . " - Injection FAILED!"); 1418 } 1419 1420 $LOG->info($args{'driver_name'} . " - Driving To Resource: " . $args{'parameters'}); 1421 1422 # TODO: Updated for initial STRACE support - Clean this up further. 1423 # Run the job. 1424 $job->run($args{'timeout'}); 1425 # TODO: Clean this up, eventually. 1426 #use File::stat; 1427 #my $watch_counter = 0; 1428 #my $size_counter = 0; 1429 #my $current_strace_size = 0; 1430 #my $previous_strace_size = 0; 1431 #$job->watch(sub { 1432 # my $job = shift; 1433 # if ($watch_counter >= $args{'timeout'}) { 1434 # # TODO: Delete this, eventually. 1435 # $LOG->warn("Driver Status: Timeout!"); 1436 # return 1; 1437 # } 1438 # $watch_counter++; 1439 # # TODO: Delete this, eventually. 1440 # $LOG->info("Watch Counter: " . $watch_counter); 1441 # 1442 # # TODO: Clean this up, eventually. 1443 # my $stat_obj = stat("/tmp/strace.log"); 1444 # if (defined($stat_obj)) { 1445 # $current_strace_size = $stat_obj->size; 1446 # } 1447 # # TODO: Delete this, eventually. 
1448 # $LOG->info("STrace Log Size: " . $current_strace_size . " (bytes)"); 1449 # # If the size has not changed, then increment 1450 # # the size_counter; otherwise, reset the size_counter 1451 # # to 0. 1452 # if ($previous_strace_size == $current_strace_size) { 1453 # $size_counter++; 1454 # } else { 1455 # $size_counter = 0; 1456 # } 1457 # 1458 # # TODO: Clean this up, eventually. 1459 # if ($size_counter >= 4) { 1460 # # TODO: Delete this, eventually. 1461 # $LOG->info("Driver Status: Done?"); 1462 # return 1; 1463 # } 1464 # 1465 # $previous_strace_size = $current_strace_size; 1466 # return 0; 1467 # }, 1); 1439 # See if STRACE is available. 1440 my $bin_injdll = getVar(name => "bin_injdll", 1441 namespace => $args{'driver_name'}); 1442 my $dll_strace = getVar(name => "dll_strace", 1443 namespace => $args{'driver_name'}); 1444 my $straceFile = undef; 1445 if ((-f fullposixpath($bin_injdll)) && (-f fullposixpath($dll_strace))) { 1446 $LOG->info($args{'driver_name'} . " - Injecting " . basename(fullposixpath($dll_strace)) . " into PID (" . $status . ")"); 1447 if (system(q{"} . fullposixpath($bin_injdll) . q{" /p:} . $status . q{ /d:"} . $dll_strace . q{" > /dev/null 2>&1}) != 0) { 1448 $LOG->error($args{'driver_name'} . " - Injection FAILED!"); 1449 } 1450 1451 # Figure out where the STRACE__PID_X.LOG is located. 1452 $straceFile = fullposixpath($ENV{USERPROFILE}) . "/Desktop/STRACE__PID_" . $status . ".LOG"; 1453 1454 $LOG->info($args{'driver_name'} . " - Driving To Resource: " . $args{'parameters'}); 1455 1456 # Run the job. 1457 my $watch_counter = 0; 1458 my $size_counter = 0; 1459 my $current_strace_size = 0; 1460 my $previous_strace_size = 0; 1461 $job->watch(sub { 1462 my $job = shift; 1463 # If we've waited as long as our timeout allows and the 1464 # strace log file size is still changing, then we stop the 1465 # job and move on. 1466 if ($watch_counter >= $args{'timeout'}) { 1467 # TODO: Delete this, eventually. 
1468 $LOG->warn("Driver Status: Timeout!"); 1469 $ret->{'work_status'} = 'timed_out'; 1470 return 1; 1471 } 1472 $watch_counter++; 1473 # TODO: Delete this, eventually. 1474 #$LOG->info("Watch Counter: " . $watch_counter); 1475 1476 # Get the current size of the strace log. 1477 my $size = (-s $straceFile); 1478 if (defined($size)) { 1479 $current_strace_size = $size; 1480 } 1481 # TODO: Delete this, eventually. 1482 #$LOG->info("STrace Log Size: " . $current_strace_size . " (bytes)"); 1483 # If the size has not changed, then increment 1484 # the size_counter; otherwise, reset the size_counter 1485 # to 0. 1486 if ($previous_strace_size == $current_strace_size) { 1487 $size_counter++; 1488 } else { 1489 $size_counter = 0; 1490 } 1491 1492 # If this strace log size is greater than 0 and our size hasn't 1493 # changed within 'work_complete_timeout' seconds, then we assume the page has fully rendered. 1494 if (($current_strace_size > 0) && ($size_counter >= getVar(name => "work_complete_timeout", 1495 namespace => $args{'driver_name'}))) { 1496 # TODO: Delete this, eventually. 1497 $LOG->info("Driver Status: Done?"); 1498 $ret->{'work_status'} = 'completed'; 1499 return 1; 1500 } 1501 1502 $previous_strace_size = $current_strace_size; 1503 return 0; 1504 }, 1); 1505 1506 } else { 1507 # STRACE is not available, so run the job normally. 1508 $LOG->info($args{'driver_name'} . " - Driving To Resource: " . $args{'parameters'}); 1509 # Run the job. 1510 $job->run($args{'timeout'}); 1511 $ret->{'work_status'} = 'completed'; 1512 } 1468 1513 1469 1514 # Check to see if run fails. … … 1506 1551 } else { 1507 1552 $LOG->info($args{'driver_name'} . " - Integrity Check: PASSED"); 1553 # If the integrity check passes, then delete the strace log if enabled. 1554 unlink($straceFile); 1508 1555 } 1509 1556 } honeyclient/branches/exp/kindlund-strace/thirdparty/capture-mod/FileMonitor.exl
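Review bot: When INJDLL fails (the `Injection FAILED!` branch), the code still enters the `$job->watch` loop waiting for a STRACE log that will never be written, so the drive runs for the full `timeout` and is reported as `timed_out` although the browser may have finished normally. Track the injection result and only use the log-size watcher when it succeeded, falling back to the existing `$job->run` branch otherwise, as sketched below. `-s $straceFile` returns an empty string (defined but non-numeric) for a zero-byte file, so `$current_strace_size` becomes `''` and the `==` comparison warns under `use warnings`; `$current_strace_size = $size || 0;` covers both the missing and the empty case. In the last hunk `unlink($straceFile)` runs even when STRACE was unavailable and `$straceFile` is undef, which warns and does nothing — guard it with `unlink($straceFile) if defined($straceFile);` and state in the comment that the log is intentionally kept when the integrity check fails. The enclosing drive routine starts and ends outside these hunks.
```perl
my $straceFile = undef;
my $strace_injected = 0;
if ((-f fullposixpath($bin_injdll)) && (-f fullposixpath($dll_strace))) {
    $LOG->info($args{'driver_name'} . " - Injecting " . basename(fullposixpath($dll_strace)) . " into PID (" . $status . ")");
    if (system(q{"} . fullposixpath($bin_injdll) . q{" /p:} . $status . q{ /d:"} . $dll_strace . q{" > /dev/null 2>&1}) != 0) {
        # Fall through to the plain run below; do not wait on a log that will never appear.
        $LOG->error($args{'driver_name'} . " - Injection FAILED!");
    } else {
        $strace_injected = 1;
        # Figure out where the STRACE__PID_X.LOG is located.
        $straceFile = fullposixpath($ENV{USERPROFILE}) . "/Desktop/STRACE__PID_" . $status . ".LOG";
    }
}

if ($strace_injected) {
    # … unchanged: STRACE log-size watch loop …
} else {
    # … unchanged: plain $job->run($args{'timeout'}) path, work_status 'completed' …
}
```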
r1599 r1623 336 336 337 337 #### Honeyclient - STRACE Functionality 338 + Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\cygwin\\tmp\\strace\.log 338 + Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\Administrator\\Desktop\\STRACE.*\.LOG 339 + Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files.* honeyclient/branches/exp/kindlund-strace/thirdparty/capture-mod/ProcessMonitor.exl
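Review bot: The second added exclusion suppresses every iexplore.exe write under `Temporary Internet Files.*`, so a payload a page drops into the browser cache would no longer surface in the integrity check; if the intent is only to quiet cache churn during STRACE runs, narrow the pattern to the cache bookkeeping files or record the accepted blind spot in the `#### Honeyclient - STRACE Functionality` comment above it. The Desktop pattern hard-codes `Documents and Settings\\Administrator`, whereas Agent.pm in this changeset derives the log location from `$ENV{USERPROFILE}`; run under any other account the STRACE log would fall outside the exclusion and be reported as a change.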
r1599 r1623 15 15 ### Microsoft Internet Explorer 6.0 ### 16 16 ################################################### 17 + iexplore.exe .* C:\\Program Files\\Internet Explorer\\iexplore .exe17 + iexplore.exe .* C:\\Program Files\\Internet Explorer\\iexplore\.exe 18 18 #agent server is an activeX control that starts upon displaying multimedia content 19 + agentsvr.exe .* C:\\WINDOWS\\msagent\\agentsvr .exe19 + agentsvr.exe .* C:\\WINDOWS\\msagent\\agentsvr\.exe 20 20 #messenger activeX 21 + msmsgs.exe .* C:\\Program Files\\Messenger\\msmsgs .exe21 + msmsgs.exe .* C:\\Program Files\\Messenger\\msmsgs\.exe 22 22 ################################################### 23 23 ### Honeyclient added/specific? ### … … 36 36 37 37 #### HONEYCLIENT AUTO EXCLUDE SCRIPT 38 + setup_wm.exe .* C:\\Program Files\\Windows Media Player\\setup_wm .exe39 + wmplayer.exe .* C:\\Program Files\\Windows Media Player\\wmplayer .exe38 + setup_wm.exe .* C:\\Program Files\\Windows Media Player\\setup_wm\.exe 39 + wmplayer.exe .* C:\\Program Files\\Windows Media Player\\wmplayer\.exe 40 40 41 41 #### HONEYCLIENT AUTO EXCLUDE SCRIPT - Internet Explorer 7 Updates 42 + verclsid.exe .* C:\\WINDOWS\\system32\\verclsid .exe42 + verclsid.exe .* C:\\WINDOWS\\system32\\verclsid\.exe 43 43 #### HONEYCLIENT AUTO EXCLUDE SCRIPT 44 44 #This is related to the language bar...I just installed updates, and it was newly activated 45 45 #thus I consider it something valid to add 46 + ctfmon.exe .* C:\\WINDOWS\\system32\\ctfmon .exe46 + ctfmon.exe .* C:\\WINDOWS\\system32\\ctfmon\.exe 47 47 48 48 #### HONEYCLIENT AUTO EXCLUDE SCRIPT - IE7 accessing live.com 49 + infocard.exe .* C:\\WINDOWS\\Microsoft.NET\\Framework\\v3.0\\Windows Communication Foundation\\infocard .exe49 + infocard.exe .* C:\\WINDOWS\\Microsoft.NET\\Framework\\v3.0\\Windows Communication Foundation\\infocard\.exe 50 50 51 51 #### HONEYCLIENT - Incorporating STRACE 52 + cmd.exe .* C:\\WINDOWS\\system32\\cmd.exe53 + runelevate.exe .* C:\\Program 
Files\\STRACE\\runelevate.exe54 + withdll.exe .* C:\\Program Files\\STRACE\\withdll.exe52 #+ perl.exe .* C:\\cygwin\\bin\\perl\.exe 53 + sh.exe .* C:\\cygwin\\bin\\sh\.exe 54 + injdll.exe .* C:\\Program Files\\STRACE\\INJDLL\.exe
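Review bot: The new `injdll.exe` entry spells the binary `INJDLL\.exe`, while honeyclient.xml in this changeset configures it as `INJDLL.EXE`; if Capture's regex matching is case-sensitive the injector launch will still be reported, so match the on-disk name or confirm the comparison is case-insensitive. The commented-out `perl.exe` line should either be removed or carry a comment saying when it is expected to be re-enabled. The `\.exe` escaping fixes on the other lines bring them in line with the rest of the file and remove the accidental `iexplore .exe` style matches.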
