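# -*- coding: utf-8 -*-
"""Run a malware sample inside a disposable KVM guest and analyse its reports.

Pipeline (driven by ``main``): build a qcow2 overlay on top of the base machine
image, attach the overlay over NBD to drop the sample into the guest's ``av/``
folder, boot the guest from the overlay, attach the overlay again to pull the
guest's ``output/`` folder back to the host, then hand the matching
``log-<sample>*.csv`` report to ``process_csv``.

All stages report failures by printing a message and returning False; the
caller stops at the first failed stage.  Shared state lives in the module-level
``params`` dict (``machine``, ``malware``, ``work_dir``, ``diff_image``).
"""
import glob
import optparse
import os
import subprocess

from settings import *
from analysis.csv_processing import process_csv

# Block device the overlay is attached to while the host has it mounted, and
# the guest partition that is actually mounted.
NBD_DEVICE = '/dev/nbd0'
NBD_PARTITION = NBD_DEVICE + 'p1'


def main():
    """Parse the command line and run the pipeline, stopping at the first failed stage."""
    options, arguments = parser.parse_args()
    # optparse leaves absent options as None; os.path.exists(None) would raise
    # TypeError instead of giving the user a usage message.
    if options.machine is None or options.virus is None:
        parser.error('both --machine and --virus are required')
    params['machine'] = options.machine
    params['malware'] = options.virus
    if not os.path.exists(params['malware']) or not os.path.exists(params['machine']):
        print('files not exists')
        return
    # One work directory per sample, named after the sample file.
    params['work_dir'] = os.path.join(WORK_DIR, os.path.basename(params['malware']))
    if not os.path.exists(params['work_dir']):
        os.mkdir(params['work_dir'])
    # Each stage prints its own error; the chain stops at the first failure.
    stages = (create_diff_image, copy_malware, run_virtual_machine, get_reports)
    for stage in stages:
        if not stage():
            return
    run_analysis()


def create_diff_image():
    """Create a qcow2 overlay backed by the base machine image.

    Every write the guest makes lands in the overlay, so the base image stays
    clean and each run starts from the same state.  On success
    ``params['diff_image']`` is set to the overlay path.

    Returns:
        True on success, False (after printing) if qemu-img fails.
    """
    print('creating diff image...')
    diff_image = os.path.join(params['work_dir'],
                              'diff-' + os.path.basename(params['machine']))
    call = [QEMU_IMG, 'create', '-f', 'qcow2', '-b', params['machine'], diff_image]
    # NOTE(review): newer qemu-img releases may also require '-F <backing format>'
    # alongside '-b' — confirm against the installed version.
    try:
        subprocess.check_output(call)
    except subprocess.CalledProcessError:
        print('diff image creating error')
        return False
    print('ok')
    params['diff_image'] = diff_image
    return True


def _disconnect_nbd():
    """Detach NBD_DEVICE (cleanup path); prints and returns False on failure."""
    try:
        subprocess.check_output([QEMU_NBD, '-d', NBD_DEVICE])
    except subprocess.CalledProcessError:
        print('error on disconnect nbd')
        return False
    return True


def mount_image_nbd(image, read_only=False):
    """Attach *image* to NBD_DEVICE and mount its first partition at IMAGE_MOUNT_DIR.

    Args:
        image: path of the qcow2 image to expose.
        read_only: mount with ``ro,nosuid,nodev,noexec``.  Use this once the
            image has been booted with the sample inside: its filesystem is
            then attacker-controlled and nothing in it should be executable,
            setuid or a device node from the host's point of view.

    Returns:
        True on success.  If a step after the NBD attach fails, the device is
        detached again (best effort) so the next run does not find it busy,
        and False is returned.
    """
    try:
        print('load kernel module nbd')
        subprocess.check_output([MODPROBE, 'nbd'])
        print('connecting image to nbd0')
        subprocess.check_output([QEMU_NBD, '-c', NBD_DEVICE, image])
    except subprocess.CalledProcessError:
        print('error on mount image')
        return False
    try:
        print('parting nbd0')
        subprocess.check_output([PARTPROBE, NBD_DEVICE])
        print('create mount folder')
        if not os.path.exists(IMAGE_MOUNT_DIR):
            os.mkdir(IMAGE_MOUNT_DIR)
        print('mount image to host filesystem')
        call = [MOUNT]
        if read_only:
            call.extend(['-o', 'ro,nosuid,nodev,noexec'])
        call.extend([NBD_PARTITION, IMAGE_MOUNT_DIR])
        subprocess.check_output(call)
    except subprocess.CalledProcessError:
        print('error on mount image')
        # Do not leave the device attached: the original left it connected on
        # a failed partprobe/mount, which made every later run fail.
        _disconnect_nbd()
        return False
    return True


def umount_image_nbd():
    """Unmount IMAGE_MOUNT_DIR and detach NBD_DEVICE.

    Returns:
        True if both steps succeed, False (after printing) otherwise.  The
        device is only detached after a successful unmount.
    """
    try:
        print('unmounting image')
        subprocess.check_output([UMOUNT, IMAGE_MOUNT_DIR])
    except subprocess.CalledProcessError:
        print('error on umount image')
        return False
    return _disconnect_nbd()


def copy_malware():
    """Mount the overlay read-write and place the sample in the guest's ``av/`` folder.

    Returns:
        True if the copy and the unmount both succeed.  The image is unmounted
        even when the copy fails, so a stale mount never blocks the next run.
    """
    if not mount_image_nbd(params['diff_image']):
        return False
    copied = True
    try:
        print('copy malware')
        dest_folder = os.path.join(IMAGE_MOUNT_DIR, 'av/')
        subprocess.check_output([CP, params['malware'], dest_folder])
    except subprocess.CalledProcessError:
        print('error on copy malware')
        copied = False
    if not umount_image_nbd():
        return False
    return copied


def run_virtual_machine():
    """Boot the guest from the overlay; blocks until the VM process exits.

    KVM_OPTS comes from settings; presumably it makes the guest shut itself
    down once the sample has run, otherwise this call never returns.

    Returns:
        True if the VM process exits with status 0, False otherwise.
    """
    call = [KVM, '-hda', params['diff_image']]
    call.extend(KVM_OPTS)
    try:
        subprocess.check_output(call)
    except subprocess.CalledProcessError:
        print('error on run server')
        return False
    return True


def get_reports():
    """Copy the guest's ``output/`` folder into the host work directory.

    The overlay has now been booted with the sample inside, so it is mounted
    read-only with nosuid/nodev/noexec and everything under ``output/`` is
    treated as untrusted data produced by the guest.

    Returns:
        True if the copy, the unmount and the final chmod all succeed.
    """
    if not mount_image_nbd(params['diff_image'], read_only=True):
        return False
    copied = True
    try:
        print('copy reports')
        source_folder = os.path.join(IMAGE_MOUNT_DIR, 'output/')
        subprocess.check_output([CP, '-rf', source_folder, params['work_dir']])
    except subprocess.CalledProcessError:
        print('error on copy reports')
        copied = False
    # Unmount before deciding the outcome so the device is never left attached.
    if not umount_image_nbd():
        return False
    if not copied:
        return False
    # NOTE(review): mode 777 makes the whole report tree world-writable on the
    # host; a narrower mode (or a chown to the analysis user) would be safer.
    try:
        subprocess.check_output([CHMOD, '-R', '777', params['work_dir']])
    except subprocess.CalledProcessError:
        print('error on chmod reports')
        return False
    return True


def run_analysis():
    """Locate the guest's ``log-<sample>*.csv`` report and feed it to process_csv.

    The sample's file name doubles as the process name looked for in the
    report names.  Only the first glob match is analysed.

    Returns:
        True if a report was found and handed to process_csv, False otherwise.
    """
    procname = os.path.basename(params['malware'])
    output_dir = os.path.join(params['work_dir'], 'output')
    pattern = 'log-' + procname + '*.csv'
    matches = glob.glob(os.path.join(output_dir, pattern))
    if not matches:
        print('error on find files for analysis')
        return False
    # NOTE(review): several reports may match; only matches[0] is processed,
    # as in the original — consider iterating over all of them.
    process_csv(matches[0], procname)
    return True


parser = optparse.OptionParser('-m -v ')
parser.add_option('-m', '--machine', type='string', help='input file of virtual machine')
parser.add_option('-v', '--virus', type='string', help='input file with malwares')
params = {}

# Guarded so the helpers can be imported by other tools without starting a run.
if __name__ == '__main__':
    main()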