# -*- coding: utf-8 -*-
import os
import optparse
import subprocess
import glob
from settings import *
from analysis.csv_processing import process_csv
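def main():
    """Entry point: parse the CLI, prepare the work dir and run the pipeline.

    The stages (diff image, sample copy, VM run, report retrieval, analysis)
    run in order; the first stage that reports failure stops the run.
    Reads the module-level ``parser`` and fills the module-level ``params``.
    """
    options, _arguments = parser.parse_args()
    # optparse leaves an unset option as None, and os.path.exists(None)
    # raises TypeError, so reject missing options before touching the FS.
    if options.machine is None or options.virus is None:
        parser.print_usage()
        return
    params['machine'] = options.machine
    params['malware'] = options.virus
    # Both inputs must be regular files: the later cp / qemu-img calls
    # cannot take a directory anyway, so fail early with the same message.
    if not os.path.isfile(params['malware']) or not os.path.isfile(params['machine']):
        print('files not exists')
        return
    # One work directory per sample, keyed on the sample's file name.
    params['work_dir'] = os.path.join(WORK_DIR, os.path.basename(params['malware']))
    if not os.path.exists(params['work_dir']):
        os.mkdir(params['work_dir'])
    # Each stage returns False on failure; stop at the first one that does.
    for stage in (create_diff_image, copy_malware, run_virtual_machine, get_reports):
        if not stage():
            return
    run_analysis()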
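def create_diff_image():
    """Create a qcow2 overlay of the base machine image inside the work dir.

    The overlay (``diff-<machine name>``) is created with ``-b`` pointing at
    ``params['machine']``, so guest writes go to the overlay and the base
    image is left as the clean starting point for later runs. On success the
    overlay path is stored in ``params['diff_image']``.

    Returns:
        True when qemu-img succeeded, False otherwise.
    """
    print('creating diff image...')
    diff_image = os.path.join(params['work_dir'], 'diff-' + os.path.basename(params['machine']))
    call = [QEMU_IMG, 'create', '-f', 'qcow2', '-b', params['machine'], diff_image]
    try:
        # Only the external call can fail; keep the try body to that line.
        subprocess.check_output(call)
    except (subprocess.CalledProcessError, OSError) as err:
        # OSError covers a missing or non-executable QEMU_IMG binary, which
        # would otherwise escape as a traceback instead of a clean False.
        print('diff image creating error')
        print(err)
        return False
    print('ok')
    params['diff_image'] = diff_image
    return True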
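def mount_image_nbd(image, device='/dev/nbd0'):
    """Attach ``image`` to an NBD device and mount its first partition.

    Steps: load the ``nbd`` kernel module, connect the image with qemu-nbd,
    re-read the partition table, then mount ``<device>p1`` on IMAGE_MOUNT_DIR.
    If a step after the qemu-nbd connect fails, the device is disconnected
    again so the next run does not find it still attached (the original
    left it connected on failure).

    Args:
        image: path of the qcow2 image to expose (normally the diff image).
        device: NBD block device to use; defaults to the original /dev/nbd0.

    Returns:
        True when the image is mounted, False on any failure.
    """
    device_name = os.path.basename(device)
    connected = False
    try:
        print('load kernel module nbd')
        subprocess.check_output([MODPROBE, 'nbd'])
        print('connecting image to ' + device_name)
        subprocess.check_output([QEMU_NBD, '-c', device, image])
        connected = True
        print('parting ' + device_name)
        subprocess.check_output([PARTPROBE, device])
        print('create mount folder')
        if not os.path.exists(IMAGE_MOUNT_DIR):
            os.mkdir(IMAGE_MOUNT_DIR)
        print('mount image to host filesystem')
        # The guest filesystem is the one the sample runs in; mount it without
        # honouring setuid bits or device nodes it may contain.
        subprocess.check_output([MOUNT, '-o', 'nosuid,nodev', device + 'p1', IMAGE_MOUNT_DIR])
    except subprocess.CalledProcessError:
        print('error on mount image')
        if connected:
            # Best effort: release the NBD device so it is not left attached.
            subprocess.call([QEMU_NBD, '-d', device])
        return False
    return True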
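def umount_image_nbd(device='/dev/nbd0'):
    """Unmount IMAGE_MOUNT_DIR and disconnect the NBD device behind it.

    Counterpart of mount_image_nbd; call it with the same ``device``. The
    disconnect is skipped when the unmount fails, because detaching a device
    that is still mounted would leave a dangling mount behind.

    Args:
        device: NBD block device to release; defaults to the original /dev/nbd0.

    Returns:
        True when both steps succeeded, False otherwise.
    """
    try:
        print('unmounting image')
        subprocess.check_output([UMOUNT, IMAGE_MOUNT_DIR])
        subprocess.check_output([QEMU_NBD, '-d', device])
    except subprocess.CalledProcessError:
        print('error on umount image')
        return False
    return True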
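def copy_malware():
    """Copy the sample into the guest image's ``av/`` directory.

    Mounts the diff image, copies ``params['malware']`` with cp, and always
    unmounts afterwards — even when the copy fails — so the NBD device and
    mount point are not left busy for the next stage or run.

    Returns:
        True when the copy and the unmount both succeeded, False otherwise.
    """
    if not mount_image_nbd(params['diff_image']):
        return False
    copied = False
    try:
        print('copy malware')
        dest_folder = os.path.join(IMAGE_MOUNT_DIR, 'av/')
        # '--' ends option parsing so a sample whose file name starts with
        # '-' is taken as a path, not as a cp option.
        subprocess.check_output([CP, '--', params['malware'], dest_folder])
        copied = True
    except subprocess.CalledProcessError:
        print('error on copy malware')
    finally:
        # The original unmounted only on success, leaving the image attached
        # after a failed copy; unmount unconditionally instead.
        unmounted = umount_image_nbd()
    return copied and unmounted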
def run_virtual_machine():
    """Boot the guest from the diff image and wait for it to halt.

    KVM_OPTS (from settings) is appended to the command line unchanged.
    The call blocks until the guest process exits; there is no timeout, so
    a guest that never shuts down blocks the whole pipeline.
    NOTE(review): consider a bounded wait here — confirm the target Python
    version before relying on check_output's timeout argument.

    Returns:
        True when the guest process exited with status 0, False otherwise.
    """
    command = [KVM, '-hda', params['diff_image']] + list(KVM_OPTS)
    try:
        subprocess.check_output(command)
    except subprocess.CalledProcessError:
        print('error on run server')
        return False
    return True
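def get_reports():
    """Pull the guest's ``output/`` directory into the host work dir.

    Mounts the diff image, recursively copies ``<mount>/output/`` into
    ``params['work_dir']``, and always unmounts afterwards — even when the
    copy fails — so the NBD device is released. On success the work dir is
    then made world-accessible with ``chmod -R 777`` (kept from the original).

    Returns:
        True when copy and unmount succeeded, False otherwise.

    Raises:
        subprocess.CalledProcessError: if the final chmod fails (as before).
    """
    if not mount_image_nbd(params['diff_image']):
        return False
    copied = False
    try:
        print('copy reports')
        source_folder = os.path.join(IMAGE_MOUNT_DIR, 'output/')
        subprocess.check_output([CP, '-rf', source_folder, params['work_dir']])
        copied = True
    except subprocess.CalledProcessError:
        print('error on copy reports')
    finally:
        # Unmount even when the copy failed so the device is not left busy.
        unmounted = umount_image_nbd()
    if not (copied and unmounted):
        return False
    # NOTE(review): 777 makes the sample and its reports writable by every
    # local user; a group-based mode would be safer if the analysis user is
    # known. Left as-is to preserve existing behaviour.
    subprocess.check_output([CHMOD, '-R', '777', params['work_dir']])
    return True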
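def run_analysis():
    """Locate the guest log for the sample and hand it to process_csv.

    The guest writes ``log-<sample name>*.csv`` files into the ``output``
    directory that get_reports copied into the work dir. The first such file
    in sorted name order is analysed; the original used glob, whose order is
    filesystem-dependent, so sorting makes the pick deterministic.

    Returns:
        True when a log file was found and processed, False when none exists
        or the output directory is missing.
    """
    procname = os.path.basename(params['malware'])
    output_dir = os.path.join(params['work_dir'], 'output')
    prefix = 'log-' + procname
    # Match by prefix/suffix rather than glob: a sample name containing
    # '*', '?' or '[' would otherwise be interpreted as a pattern.
    try:
        candidates = sorted(
            name for name in os.listdir(output_dir)
            if name.startswith(prefix) and name[len(prefix):].endswith('.csv')
        )
    except OSError:
        # Missing/unreadable output dir: same outcome as "no file found".
        candidates = []
    if not candidates:
        print('error on find files for analysis')
        return False
    filename = os.path.join(output_dir, candidates[0])
    process_csv(filename, procname)
    return True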
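# Command-line interface; both options are consumed by main().
parser = optparse.OptionParser('-m <qemu qcow2 virtual machine> -v <malware file>')
parser.add_option('-m', '--machine', type='string', help='input file of virtual machine')
parser.add_option('-v', '--virus', type='string', help='input file with malwares')
# Shared run state (machine, malware, work_dir, diff_image), filled in by
# main() and read by every stage function.
params = {}

if __name__ == '__main__':
    # Guarding the call keeps the module importable (e.g. for tests) without
    # running the whole pipeline at import time.
    main()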