Changeset 998
- Timestamp:
- 11/08/07 16:52:58 (1 year ago)
- Files:
-
- honeyclient/branches/exp/kindlund-dynamic_updates/Capture2 (copied) (copied from honeyclient/trunk/Capture2)
- honeyclient/branches/exp/kindlund-dynamic_updates/bin/capture_out2exclude.pl (copied) (copied from honeyclient/trunk/bin/capture_out2exclude.pl)
- honeyclient/branches/exp/kindlund-dynamic_updates/bin/run.sh (modified) (1 diff)
- honeyclient/branches/exp/kindlund-dynamic_updates/etc/honeyclient.xml (modified) (3 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/etc/honeyclient_log.conf (modified) (1 diff)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent.pm (modified) (3 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Driver.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Driver/Browser.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Driver/Browser/FF.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Driver/Browser/IE.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Integrity.pm (modified) (16 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Integrity/Filesystem.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Integrity/Registry.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Integrity/Registry/Parser.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Integrity/Registry/Parser.yp (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB.pm (modified) (44 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/Analyst (copied) (copied from honeyclient/trunk/lib/HoneyClient/DB/Analyst)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/Analyst.pm (copied) (copied from honeyclient/trunk/lib/HoneyClient/DB/Analyst.pm)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/Client.pm (copied) (copied from honeyclient/trunk/lib/HoneyClient/DB/Client.pm)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/File (copied) (copied from honeyclient/trunk/lib/HoneyClient/DB/File)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/File.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/Fingerprint.pm (modified) (6 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/Note.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/Process.pm (copied) (copied from honeyclient/trunk/lib/HoneyClient/DB/Process.pm)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/Regkey.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/Server.pm (copied) (copied from honeyclient/trunk/lib/HoneyClient/DB/Server.pm)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/SystemConfig (copied) (copied from honeyclient/trunk/lib/HoneyClient/DB/SystemConfig)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/SystemConfig.pm (copied) (copied from honeyclient/trunk/lib/HoneyClient/DB/SystemConfig.pm)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/Time.pm (copied) (copied from honeyclient/trunk/lib/HoneyClient/DB/Time.pm)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/Url (copied) (copied from honeyclient/trunk/lib/HoneyClient/DB/Url)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/DB/Url.pm (copied) (copied from honeyclient/trunk/lib/HoneyClient/DB/Url.pm)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Manager.pm (modified) (8 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Manager/FW.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Manager/VM.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Manager/VM/Clone.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Util/Config.pm (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Util/SOAP.pm (modified) (2 diffs)
Legend:
- Unmodified
- Added
- Removed
- Modified
- Copied
- Moved
honeyclient/branches/exp/kindlund-dynamic_updates/bin/run.sh
r933 r998 22 22 cd ~/honeyclient && svn update 23 23 24 ~/honeyclient/Capture2/capture-client-xeno-mod/install/CaptureBAT.exe -c -l "C:\cygwin\tmp\realtime-changes.txt"& 25 24 26 while [ true ] ; do 25 27 perl -Ilib bin/StartAgent.pl && sleep 1 honeyclient/branches/exp/kindlund-dynamic_updates/etc/honeyclient.xml
r991 r998 157 157 /tmp/changes.txt 158 158 </changes_found_file> 159 <realtime_changes_file description="When an integrity check fails, all changes will be written to this file within the compromized honeyclient VM's filesystem." default="/tmp/realtime-changes.txt"> 160 /tmp/realtime-changes.txt 161 </realtime_changes_file> 159 162 <!-- HoneyClient::Agent::Integrity::Filesystem Options --> 160 163 <Filesystem> … … 335 338 </host> 336 339 <dbname description="The name of the HoneyClient database." default="HoneyClient"> 337 H oneyClient340 HcNewSchema 338 341 </dbname> 339 342 <user description="The username to use, when connecting to the HoneyClient database."> 340 h oneyclient_user343 hc_user 341 344 </user> 342 345 <pass description="The password to use, when connecting to the HoneyClient database."> 343 h oneyclient_password346 hc_pass 344 347 </pass> 345 348 <port description="The default TCP port number used to communicate with the database." default="3306"> … … 462 465 <VM> 463 466 <master_vm_config description="The full absolute path to the VM configuration file on the host system that will be used by all subsequent cloned VMs."> 464 /vm/master-vms/Agent.Master-2 4/winXPPro.cfg467 /vm/master-vms/Agent.Master-27/winXPPro.cfg 465 468 </master_vm_config> 466 469 <port description="The TCP port number that the SOAP server of the VM daemon will listen on for requests. Note: This port should be unique and not already be used by other modules, services, or daemons running on the host system." default="8089"> honeyclient/branches/exp/kindlund-dynamic_updates/etc/honeyclient_log.conf
r810 r998 63 63 # Screen Logging Settings 64 64 #log4perl.logger.HoneyClient.Agent.Integrity.Registry=DEBUG, Screen 65 #log4perl.logger.HoneyClient.DB=DEBUG, Screen 65 #log4perl.logger.HoneyClient.Manager=INFO, Screen, Syslog 66 #log4perl.logger.HoneyClient.DB=DEBUG, Screen, Syslog 66 67 #log4perl.logger.HoneyClient.Manager.VM.Clone=DEBUG, Screen 67 68 # Suppress Parser Debugging Messages honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent.pm
r808 r998 38 38 =head1 VERSION 39 39 40 0.99 40 1.00 41 41 42 42 =head1 SYNOPSIS … … 79 79 80 80 # Set our package version. 81 $VERSION = 0.99;81 $VERSION = 1.00; 82 82 83 83 @ISA = qw(Exporter); … … 951 951 $LOG->info($driverName . " - Performing Integrity Checks."); 952 952 $changes = $integrity->check(); 953 if (scalar(@{$changes->{registry}}) || 954 scalar(@{$changes->{filesystem}})) { 953 if (scalar(@{$changes->{processes}})) { 955 954 $LOG->warn($driverName . " - Integrity Check: FAILED"); 956 955 $isCompromised = 1; honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Driver.pm
r808 r998 38 38 =head1 VERSION 39 39 40 This documentation refers to HoneyClient::Agent::Driver version 0.99.40 This documentation refers to HoneyClient::Agent::Driver version 1.00. 41 41 42 42 =head1 SYNOPSIS … … 120 120 121 121 # Set our package version. 122 $VERSION = 0.99;122 $VERSION = 1.00; 123 123 124 124 @ISA = qw(Exporter); honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Driver/Browser.pm
r808 r998 40 40 =head1 VERSION 41 41 42 This documentation refers to HoneyClient::Agent::Driver::Browser version 0.99.42 This documentation refers to HoneyClient::Agent::Driver::Browser version 1.00. 43 43 44 44 =head1 SYNOPSIS … … 161 161 162 162 # Set our package version. 163 $VERSION = 0.99;163 $VERSION = 1.00; 164 164 165 165 # Define inherited modules. honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Driver/Browser/FF.pm
r808 r998 41 41 =head1 VERSION 42 42 43 This documentation refers to HoneyClient::Agent::Driver::Browser::FF version 0.99.43 This documentation refers to HoneyClient::Agent::Driver::Browser::FF version 1.00. 44 44 45 45 =head1 SYNOPSIS … … 160 160 161 161 # Set our package version. 162 $VERSION = 0.99;162 $VERSION = 1.00; 163 163 164 164 # Define inherited modules. honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Driver/Browser/IE.pm
r808 r998 41 41 =head1 VERSION 42 42 43 This documentation refers to HoneyClient::Agent::Driver::Browser::IE version 0.99.43 This documentation refers to HoneyClient::Agent::Driver::Browser::IE version 1.00. 44 44 45 45 =head1 SYNOPSIS … … 160 160 161 161 # Set our package version. 162 $VERSION = 0.99;162 $VERSION = 1.00; 163 163 164 164 # Define inherited modules. honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Integrity.pm
r812 r998 38 38 =head1 VERSION 39 39 40 This documentation refers to HoneyClient::Agent::Integrity version 0.99.40 This documentation refers to HoneyClient::Agent::Integrity version 1.00. 41 41 42 42 =head1 SYNOPSIS … … 62 62 63 63 # $changes refers to an array of hashtable references, where 64 # each hashtable has the following format: 65 # 66 # $changes = { 67 # registry => [ { 68 # # The registry directory name. 69 # 'key' => 'HKEY_LOCAL_MACHINE\Software...', 70 # 71 # # Indicates if the registry directory was deleted, 72 # # added, or changed. 73 # 'status' => 'deleted' | 'added' | 'changed', 74 # 75 # # An array containing the list of entries within the 76 # # registry directory that have been deleted, added, or 77 # # changed. If this array is empty, then the corresponding 78 # # registry directory in the original and new hives contained 79 # # no entries. 80 # 'entries' => [ { 81 # 'name' => "\"string\"", # A (potentially) quoted string; 82 # # "@" for default 83 # 'new_value' => "string", # New string; maybe undef, if deleted 84 # 'old_value' => "string", # Old string; maybe undef, if added 85 # }, ], 86 # }, ], 87 # 88 # filesystem => [ { 89 # # Indicates if the filesystem entry was deleted, 90 # # added, or changed. 91 # 'status' => 'deleted' | 'added' | 'changed', 92 # 93 # # If the entry has been added/changed, then this 94 # # hashtable contains the file/directory's new information. 95 # 'new' => { 96 # 'name' => 'C:\WINDOWS\SYSTEM32...', 97 # 'size' => 1263, # in bytes 98 # 'mtime' => 1178135092, # modification time, seconds since epoch 99 # }, 100 # 101 # # If the entry has been deleted/changed, then this 102 # # hashtable contains the file/directory's old information. 103 # 'old' => { 104 # 'name' => 'C:\WINDOWS\SYSTEM32...', 105 # 'size' => 802, # in bytes 106 # 'mtime' => 1178135028, # modification time, seconds since epoch 107 # }, 108 # }, ], 109 # } 64 # each hashtable has the format given in the METHODS IMPLEMENTED section related to 65 # check(). 110 66 111 67 # Once you're finished with the $integrity object, be sure to destroy it. … … 122 78 further details about how each check is implemented. 123 79 80 No initialization is currently necessary, as real-time changes are read in from 81 a list exported by the Capture C code. However, in the future it may become 82 desirable to perform an initial baseline of the system, in order to automatically 83 determine the original value for things which were changed. This is because the 84 mechanisms that Capture code uses to record events, may in some cases be unable 85 to record the initial value (e.g., a registry key). 86 124 87 =over 4 125 88 … … 147 110 148 111 # Include the Registry Checking Library 149 use HoneyClient::Agent::Integrity::Registry;112 #use HoneyClient::Agent::Integrity::Registry; 150 113 151 114 # Include the Filesystem Checking Library 152 use HoneyClient::Agent::Integrity::Filesystem;115 #use HoneyClient::Agent::Integrity::Filesystem; 153 116 154 117 # Use Storable Library … … 163 126 use Log::Log4perl qw(:easy); 164 127 128 # Use MD5 129 use Digest::MD5; 130 131 # Use SHA 132 use Digest::SHA; 133 134 # Use IO::File Library 135 use IO::File; 136 137 # Use File::Type Library 138 use File::Type; 139 165 140 ####################################################################### 166 141 # Module Initialization # … … 173 148 174 149 # Set our package version. 175 $VERSION = 0.99;150 $VERSION = 1.00; 176 151 177 152 @ISA = qw(Exporter); … … 253 228 254 229 # Make sure HoneyClient::Agent::Integrity::Registry loads 255 BEGIN { use_ok('HoneyClient::Agent::Integrity::Registry')256 or diag("Can't load HoneyClient::Agent::Integrity::Registry package. Check to make sure the package library is correctly listed within the path."); }257 require_ok('HoneyClient::Agent::Integrity::Registry');258 use HoneyClient::Agent::Integrity::Registry;230 #BEGIN { use_ok('HoneyClient::Agent::Integrity::Registry') 231 # or diag("Can't load HoneyClient::Agent::Integrity::Registry package. Check to make sure the package library is correctly listed within the path."); } 232 #require_ok('HoneyClient::Agent::Integrity::Registry'); 233 #use HoneyClient::Agent::Integrity::Registry; 259 234 260 235 # Make sure HoneyClient::Agent::Integrity::Filesystem loads 261 BEGIN { use_ok('HoneyClient::Agent::Integrity::Filesystem')262 or diag("Can't load HoneyClient::Agent::Integrity::Filesystem package. Check to make sure the package library is correctly listed within the path."); }263 require_ok('HoneyClient::Agent::Integrity::Filesystem');264 use HoneyClient::Agent::Integrity::Filesystem;236 #BEGIN { use_ok('HoneyClient::Agent::Integrity::Filesystem') 237 # or diag("Can't load HoneyClient::Agent::Integrity::Filesystem package. Check to make sure the package library is correctly listed within the path."); } 238 #require_ok('HoneyClient::Agent::Integrity::Filesystem'); 239 #use HoneyClient::Agent::Integrity::Filesystem; 265 240 266 241 # Make sure HoneyClient::Agent::Integrity loads. … … 293 268 =over 4 294 269 295 When set to 1, the object will forgo any type of initial baselining 296 process, upon initialization. Otherwise, baselining will occur 297 as normal, upon initialization. 298 270 Currently defaults to 1, whereby the object will forgo any type of initial baselining 271 process, upon initialization. If set to 0, baselining will occur upon initialization. 272 Baselining is currently deprecated. 299 273 =back 300 274 301 275 =head2 changes_found_file 302 303 =over 4304 276 305 277 A string to the absolute path of a file on the VM's filesystem. … … 408 380 # process, upon initialization. Otherwise, baselining will occur 409 381 # as normal, upon initialization. 410 bypass_baseline => 0, 382 # XXX: Bypass static baselining, for now. 383 # XXX: Baselining will not be used with the current version which includes Capture 384 bypass_baseline => 1, 411 385 412 386 # Contains the Registry object, once initialized. … … 422 396 # file within the compromized honeyclient VM's filesystem. 423 397 changes_found_file => getVar(name => 'changes_found_file'), 398 399 # XXX: comment this 400 realtime_changes_file => getVar(name => 'realtime_changes_file'), 424 401 ); 425 402 … … 457 434 B<$changes>, which is an array of hashtable references, where each 458 435 hashtable has the following format: 459 436 460 437 $changes = { 461 registry => [ { 462 # The registry directory name. 463 'key' => 'HKEY_LOCAL_MACHINE\Software...', 464 465 # Indicates if the registry directory was deleted, 466 # added, or changed. 467 'status' => 'deleted' | 'added' | 'changed', 468 469 # An array containing the list of entries within the 470 # registry directory that have been deleted, added, or 471 # changed. If this array is empty, then the corresponding 472 # registry directory in the original and new hives contained 473 # no entries. 474 'entries' => [ { 475 'name' => "\"string\"", # A (potentially) quoted string; 476 # "@" for default 477 'new_value' => "string", # New string; maybe undef, if deleted 478 'old_value' => "string", # Old string; maybe undef, if added 479 }, ], 480 }, ], 481 482 filesystem => [ { 483 # Indicates if the filesystem entry was deleted, 484 # added, or changed. 485 'status' => 'deleted' | 'added' | 'changed', 486 487 # If the entry has been added/changed, then this 488 # hashtable contains the file/directory's new information. 489 'new' => { 490 'name' => 'C:\WINDOWS\SYSTEM32...', 491 'size' => 1263, # in bytes 492 'mtime' => 1178135092, # modification time, seconds since epoch 493 }, 494 495 # If the entry has been deleted/changed, then this 496 # hashtable contains the file/directory's old information. 497 'old' => { 498 'name' => 'C:\WINDOWS\SYSTEM32...', 499 'size' => 802, # in bytes 500 'mtime' => 1178135028, # modification time, seconds since epoch 501 }, 502 }, ], 438 #A reference to an anonymous array of process objects 439 processes => [ { 440 'name' => "C:\WINDOWS\system32\Notepad.exe", # The process name as a full path 441 'pid' => 1000, # The Windows system process ID 442 'parent_name' => "C:\WINDOWS\system32\explorer.exe", # The process name as 443 # a full path for the process which created this process 444 'parent_pid' => 999, # The Windows system process ID for the 445 # process which created this process 446 447 #The absence of both a created and terminated time implies that the enclosed 448 #filesystem and/or registry events are related to a process which was running 449 #when the realtime checks were started, and was still running when they ended 450 451 #OPTIONAL, its existence signifies that we saw this process be created 452 'created_time' => ISO 8601 Timestamp (yyyy-mm-dd hh24:mi:ss.uuuuuu) 453 454 #OPTIONAL, its existence signifies that we saw this process be terminated 455 'terminated_time' => ISO 8601 Timestamp 456 457 #A reference to an anonymous array of registry objects 458 registry => [ { 459 # The registry directory name in regedit 460 'key_name' => 'HKEY_LOCAL_MACHINE\Software...', 461 462 'time' => ISO 8601 Timestamp, 463 464 #The specific registry event type which took place, as given by it's Windows name 465 'event_type' => { CreateKey | OpenKey | CloseKey | Query Key | 466 QueryValueKey, EnumerateKey | EnumerateValueKey | 467 SetValueKey | DeleteValueKey | DeleteKey }, 468 469 #The "name" which shows up in regedit 470 'value_name' => "my key", 471 472 #The "type" which shows up in regedit. It is only possible to create the first 473 # 6 types by manually using regedit (and REG_NONE is only indirect, for instance 474 # on a DeleteValueKey event_type). 475 'value_type' => { REG_NONE | REG_SZ | REG_BINARY | REG_DWORD | 476 REG_EXPAND_SZ | REG_MULTI_SZ | REG_LINK | 477 REG_DWORD_BIG_ENDIAN | REG_RESOURCE_LIST | 478 REG_FULL_RESOURCE_DESCRIPTOR | 479 REG_RESOURCE_REQUIREMENTS_LIST | 480 REG_QWORD_LITTLE_ENDIAN}, 481 #The "value" which shows up in regedit 482 'value' => many possible data types, but converted into a string, 483 484 }, ], 485 486 #A reference to an anonymous array of file system objects 487 file_system => [ { 488 #The full path and name of the file which was effected 489 'name' => 'C:\WINDOWS\SYSTEM32...', 490 491 'event_type' => { Deleted | Read | Write }, #TODO: add created & renamed/moved 492 493 'time' => ISO 8601 Timestamp, 494 495 #OPTIONAL, this will not exist for deleted files 496 'content' => { 497 'size' => 1234, # size of new content 498 'type' => 'application/octect-stream', # type of new content 499 'md5' => 'b1946ac92492d2347c6235b4d2611184', # md5 of new content 500 'sha1' => 'f572d396fae9206628714fb2ce00f72e94f2258f', # sha1 of new content 501 }, 502 },] 503 },] 503 504 } 504 505 … … 530 531 }); 531 532 532 my $changes = { 533 'registry' => $self->{'_registry'}->check(), 534 'filesystem' => $self->{'_filesystem'}->check(), 535 }; 536 533 # my $changes = { 534 # 'registry' => $self->{'_registry'}->check(), 535 # 'filesystem' => $self->{'_filesystem'}->check(), 536 # }; 537 #XENO - BEGIN REPLACEMENT WITH CAPTURE-READING CODE 538 my $change_file_name = $self->{realtime_changes_file}; 539 my %changes; 540 my @capdump; 541 if(-s $change_file_name > 0 ){ 542 open(CAP, $change_file_name) or die "Can't open $change_file_name"; 543 @capdump = <CAP>; 544 close(CAP); 545 } 546 else{ 547 %changes = ( 548 'processes' => [], 549 ); 550 551 return \%changes; 552 } 553 554 my @reg_list = (); 555 my @reg_lines = (); 556 my @file_list = (); 557 my @file_lines = (); 558 my @proc_list = (); 559 my @proc_lines = (); 560 my @bad_line_list = (); 561 my $key; 562 my $status; 563 my @proc_and_file_list; 564 my @proc_objs = (); 565 my %names = (); 566 #Indices in the string for different types of information 567 my $ENTRY_TYPE = 1; 568 my $R_TIME = 0; 569 my $R_EVENT_TYPE = 2; 570 my $R_PROC_PID = 3; 571 my $R_PROC_NAME = 4; 572 my $R_KEY_NAME = 5; 573 my $R_VALUE_NAME = 6; 574 my $R_VALUE_TYPE = 7; 575 my $R_VALUE = 8; 576 my $F_TIME = 0; 577 my $F_EVENT_TYPE = 2; 578 my $F_PROC_PID = 3; 579 my $F_PROC_NAME = 4; 580 my $F_NAME = 5; 581 my $P_TIME = 0; 582 my $P_EVENT_TYPE = 2; 583 my $P_PARENT_PID = 3; 584 my $P_PARENT_NAME = 4; 585 my $P_PID = 5; 586 my $P_NAME = 6; 587 my $TOTAL_PROC_TOKENS = 7; 588 my $TOTAL_FILE_TOKENS = 6; 589 my $TOTAL_REG_TOKENS = 9; 590 my $STATUS_DELETED = 0; 591 my $STATUS_ADDED = 1; 592 my $STATUS_MODIFIED = 2; 593 594 595 #Get the time of the first event from the first entry and used it for compromise_time 596 my @tmp_toks = split("\",\"",$capdump[0]); 597 $tmp_toks[0] =~ s/^"(.*)/$1/; 598 %changes = ('compromise_time' => $tmp_toks[0]); 599 my $line_num = 0; 600 601 foreach my $line (@capdump){ 602 $line_num++; 603 my $ret = undef; 604 #Get rid of the windows carriage return and newline (sometimes looks like ^M) 605 $line =~ s/\r\n$//; 606 #Get rid of first and last quotes 607 $line =~ s/^\"(.*)/$1/; 608 chop($line); 609 610 my @toks = split("\",\"", $line, $TOTAL_REG_TOKENS+1); 611 my $index = undef; 612 my $proc_obj = undef; 613 my $proc_push; 614 if($toks[$ENTRY_TYPE] eq "process"){ 615 $proc_push = 1; 616 if($toks[$P_EVENT_TYPE] eq "terminated"){ 617 ($ret, $index) = checkForExistingProcObj($toks[$P_PID], $toks[$P_NAME], @proc_objs); 618 #If the object already exists as something which didn't have anything filled in, then fill it in 619 if($ret == 1){ 620 $proc_objs[$index]->{"$toks[$P_EVENT_TYPE]_time"} = $toks[$P_TIME]; 621 $proc_push = 0; 622 } 623 } 624 #create this object 625 $proc_obj = { 626 'pid' => $toks[$P_PID], 627 'name' => $toks[$P_NAME], 628 'parent_pid' => $toks[$P_PARENT_PID], 629 'parent_name' => $toks[$P_PARENT_NAME], 630 "$toks[$P_EVENT_TYPE]_time" => $toks[$P_TIME], 631 'file_system' => [], 632 'registry' => [], 633 }; 634 } 635 else{ 636 $proc_push = 0; 637 638 ($ret, $index) = checkForExistingProcObj($toks[$R_PROC_PID], $toks[$R_PROC_NAME], @proc_objs); 639 if($ret == 1){ 640 $proc_obj = $proc_objs[$index]; 641 } 642 else{ 643 #First build an empty proc object 644 $proc_obj = { 645 'pid' => $toks[$R_PROC_PID], 646 'name' => $toks[$R_PROC_NAME], 647 'registry' => [], 648 'file_system' => [], 649 }; 650 $proc_push = 1; 651 } 652 653 if($toks[$ENTRY_TYPE] eq "registry"){ 654 #Build the registry object and put it in to the proc object 655 #Sanity check incase Capture gets messed up, because the database can't accept 656 # an empty string for key_name, but also we want to make it clear that something 657 # bad happened. 658 my $sanit_key_name; 659 if($toks[$R_KEY_NAME] eq "" || $toks[$R_KEY_NAME] !~ /^[HKLM,HKCU,HKU,HKCR]/){ 660 $sanit_key_name = "KEY NAME ERROR \"$toks[$R_KEY_NAME]\""; 661 print "KEY NAME ERROR at line $line_num \"$toks[$R_KEY_NAME]\"\n"; 662 } 663 else{ 664 $sanit_key_name = $toks[$R_KEY_NAME]; 665 } 666 my $reg_obj = { 667 'time' => $toks[$R_TIME], 668 'event_type' => $toks[$R_EVENT_TYPE], 669 'key_name' => $sanit_key_name, 670 'value_name' => $toks[$R_VALUE_NAME], 671 'value_type' => $toks[$R_VALUE_TYPE], 672 'value' => $toks[$R_VALUE], 673 }; 674 push @{$proc_obj->{'registry'}}, $reg_obj; 675 } 676 elsif($toks[$ENTRY_TYPE] eq "file"){ 677 678 #Build the filesystem object and put it in to the proc object 679 my $fs_ref = $proc_obj->{'file_system'}; 680 if(scalar(@{$fs_ref}) == 0 || $fs_ref->[-1]->{'name'} ne $toks[$F_NAME] || 681 $fs_ref->[-1]->{'event_type'} ne $toks[$F_EVENT_TYPE]){ 682 683 my $file_obj = { 684 'name' => $toks[$F_NAME], 685 'event_type' => $toks[$F_EVENT_TYPE], 686 'time' => $toks[$F_TIME], 687 }; 688 if($toks[$F_EVENT_TYPE] ne "Delete"){ 689 #Fill in the default values, incase the file can't be found due to a rename rather than delete 690 $file_obj->{'contents'} = { 691 'size' => 0, 692 'type' => "UNKNOWN", 693 'md5' => "$toks[$F_NAME]$toks[$F_TIME]", 694 'sha1' => "$toks[$F_NAME]$toks[$F_TIME]", 695 }; 696 my $tmp_name = $toks[$F_NAME]; 697 eval{ 698 if(-f $tmp_name){ 699 my $md5_ctx = Digest::MD5->new(); 700 my $sha1_ctx = Digest::SHA->new("1"); 701 my $type_ctx = File::Type->new(); 702 my $md5 = 'UNKNOWN'; 703 my $sha1 = 'UNKNOWN'; 704 my $type = 'UNKNOWN'; 705 my $size = 0; 706 my $fh = IO::File->new($tmp_name, "r"); 707 #print "md5ing $tmp_name\n"; 708 # Compute MD5 Checksum. 709 $md5_ctx->addfile($fh); 710 $md5 = $md5_ctx->hexdigest(); 711 712 # Rewind file handle. 713 seek($fh, 0, 0); 714 715 #print "sha1ing $tmp_name\n"; 716 # Compute SHA1 Checksum. 717 $sha1_ctx->addfile($fh); 718 $sha1 = $sha1_ctx->hexdigest(); 719 720 #Compute file size 721 $size = -s $tmp_name; 722 723 # Compute File Type. 724 $type = $type_ctx->mime_type($tmp_name); 725 726 # Close the file handle. 727 undef $fh; 728 $file_obj->{'contents'}->{'size'} = $size; 729 $file_obj->{'contents'}->{'md5'} = $md5; 730 $file_obj->{'contents'}->{'sha1'} = $sha1; 731 $file_obj->{'contents'}->{'type'} = $type; 732 } 733 }; 734 if($@){ 735 print "Filesystem error occurred, setting safe values for $tmp_name\n"; 736 $file_obj->{'contents'} = { 737 'size' => 0, 738 'type' => "FSERROR", 739 'md5' => "FSERROR", 740 'sha1' => "FSERROR", 741 }; 742 } 743 push @{$proc_obj->{'file_system'}},$file_obj; 744 } 745 746 } 747 } 748 } 749 if($proc_push){ 750 push @proc_objs, $proc_obj; 751 } 752 }#end foreach 753 754 $changes{'processes'} = \@proc_objs; 755 # $Data::Dumper::Terse = 1; 756 # $Data::Dumper::Indent = 1; 757 # print Dumper(\%changes); 758 759 760 #XENO - END REPLACEMENT WITH CAPTURE-READING CODE 761 537 762 # If any changes were found, write them out to the 538 763 # filesystem. 539 if (scalar(@{$changes->{registry}}) || 540 scalar(@{$changes->{filesystem}})) { 764 if (scalar($changes{'processes'})){ 541 765 if (!open(CHANGE_FILE, ">>" . $self->{changes_found_file})) { 542 766 $LOG->error("Unable to write changes to file '" . $self->{changes_found_file} . "'."); … … 544 768 $Data::Dumper::Terse = 1; 545 769 $Data::Dumper::Indent = 1; 546 print CHANGE_FILE Dumper($changes); 770 print CHANGE_FILE Dumper(\%changes); 771 print Dumper(\%changes); 547 772 close CHANGE_FILE; 548 773 } 549 774 } 550 775 551 return $changes; 776 return \%changes; 777 } 778 779 # TODO: Comment this. 780 # This function looks for if there is already a process object with the given pid and name 781 # and if it exists, returns its index in the processes array 782 # This function is used to find process objects for merging 783 # NOTE: In the future, we may want to make it be a hash, keyed by name:pid rather than an 784 # array, so that lookups are not O(n) 785 # Also, this function is predicated on the assumption that we will not see the same name:pid 786 # pair during our run 787 sub checkForExistingProcObj { 788 my $pid = shift; 789 my $name = shift; 790 my $index = 0; 791 my @proc_objs = @_; 792 793 foreach my $obj (@proc_objs){ 794 #Check if the object already exists 795 #&& !defined $obj->{'terminated_time'} 796 if($obj->{'pid'} eq $pid && $obj->{'name'} eq $name){ 797 #object already exists 798 return (1, $index); 799 } 800 $index++; 801 } 802 return (0, $index); 552 803 } 553 804 … … 619 870 =head1 BUGS & ASSUMPTIONS 620 871 621 This library performs B<STATIC> checks of the Windows OS. If malware 622 modifies the system between the time the $object->new() and $object->check() 623 methods are called, then this library B<MAY FAIL> to detect some624 changes.872 When performing an integrity check, this library assumes that it will never 873 see the same process name and process ID (PID) pair twice, because the malware 874 will not have had enough time to create processes that cause the OS to reissue 875 the same PIDs again. 625 876 626 877 For a complete list of when these checks may fail, see the following sections: … … 670 921 L<http://www.honeyclient.org/trac/newticket> 671 922 923 =head1 ACKNOWLEDGEMENTS 924 925 Christian Seifert E<lt>cseifert@mcs.vuw.ac.nzE<gt> and Ramon Steenson 926 E<lt>rsteenson@gmail.comE<gt> from the Victoria University of Wellington, 927 for their work on the Capture Client-Side Honeypot, which is used to 928 obtain kernel-level system events from Windows in the event of a compromise. 929 930 L<http://www.client-honeynet.org/capture.html> 931 672 932 =head1 AUTHORS 673 933 … … 675 935 676 936 Xeno Kovah, E<lt>xkovah@mitre.orgE<gt> 677 678 Thanh Truong, E<lt>ttruong@mitre.orgE<gt>679 937 680 938 Darien Kindlund, E<lt>kindlund@mitre.orgE<gt> honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Integrity/Filesystem.pm
r808 r998 37 37 =head1 VERSION 38 38 39 This documentation refers to HoneyClient::Agent::Integrity::Filesystem version 0.99.39 This documentation refers to HoneyClient::Agent::Integrity::Filesystem version 1.00. 40 40 41 41 =head1 SYNOPSIS … … 145 145 146 146 # Set our package version. 147 $VERSION = 0.99;147 $VERSION = 1.00; 148 148 149 149 @ISA = qw(Exporter); honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Integrity/Registry.pm
r808 r998 38 38 =head1 VERSION 39 39 40 This documentation refers to HoneyClient::Agent::Integrity::Registry version 0.99.40 This documentation refers to HoneyClient::Agent::Integrity::Registry version 1.00. 41 41 42 42 =head1 SYNOPSIS … … 142 142 143 143 # Set our package version. 144 $VERSION = 0.99;144 $VERSION = 1.00; 145 145 146 146 @ISA = qw(Exporter); honeyclient/branches/exp/kindlund-dynamic_updates/lib/HoneyClient/Agent/Integrity/Registry/Parser.pm
r808 r998 55 55 =head1 VERSION 56 56 57 This documentation refers to HoneyClient::Agent::Integrity::Registry::Parser version 0.99.57 This documentation refers to HoneyClient::Agent::Integrity::Registry::Parser version 1.00. 58 58 59 59 =head1 SYNOPSIS … … 133 133 134 134 # Set our package version.