#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Name : analysis.py
# Version : 0.1
# Author : Abdesslem Amri
# Date : 15-01-2014
# Owner : Abdesslem Amri
# License : GPLv2
# Description : This script is used to manipulate tools used to perform dynamic analysis (tshark, volatility, snort)
#--------------------------------------------------------------------
import os, sys, time
import hashlib
from commands import getoutput
import shutil, subprocess
import glob
# -----------------------------------------------------------------------
# on windows this is 'C:\\Program Files\\Wireshark\\tshark.exe'
#TODO Get paths from config files
# Absolute paths to the external tools driven below. They are checked with
# os.path.isfile() before use by TShark.__init__ and INetSim.__init__; 'nmap'
# and 'snort' are not listed here and are resolved from PATH by subprocess.
tshark = '/usr/bin/tshark'
# INetSim binary; its directory is also used as the cwd when it is launched
inetsim = '/home/ask3m/inetsim/inetsim'
# interpreter used to launch vol.py (Volatility.run_cmd)
python = '/usr/bin/python'
# directory that contains vol.py, not the script itself
volatility = '/home/ask3m/volatility'
# This class is used to start and execute volatility command to analyse the memory dump
# [NOTES] --------------------------------------------------
# Volatility has to be installed and the path properly set
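class Volatility:
    '''
    Thin wrapper that runs Volatility plugins (vol.py) against one memory dump.
    '''

    def __init__(self, mem_file):
        '''
        mem_file: path to the memory dump to analyze (passed to vol.py as -f)
        '''
        self.mem_file = mem_file

    def run_cmd(self, cmd, args=None):
        '''
        Execute one Volatility plugin against the memory dump.

        cmd: plugin name, passed to vol.py as a single argv element (e.g. 'psscan').
             Plugin options must be given in args, not appended to cmd: no shell
             is involved, so a string with spaces would reach vol.py as one
             (unknown) plugin name.
        args: optional list of extra argv elements appended after '-f <mem_file>'
        Returns whatever vol.py wrote to stdout (stderr is not captured).
        '''
        pargs = [python, os.path.join(volatility, "vol.py"), cmd, '-f', self.mem_file]
        if args:
            pargs.extend(args)
        proc = subprocess.Popen(pargs, stdout=subprocess.PIPE)
        return proc.communicate()[0]

    def pslist(self):
        '''
        Run the psscan plugin and write the process list as a dot graph to
        psscan.dot in the current working directory; returns the plugin's stdout.
        '''
        # Plugin name and options must be separate argv elements (see run_cmd).
        return self.run_cmd('psscan', ['--output=dot', '--output-file=psscan.dot'])

    def psxview(self):
        '''
        Cross-view process listing (finds hidden processes).
        '''
        return self.run_cmd('psxview')

    def sockets(self):
        '''
        List open sockets found in the dump.
        '''
        return self.run_cmd('sockets')

    def conns(self):
        '''
        List network connections found in the dump.
        '''
        return self.run_cmd('connections')

    def malfind(self, rules="", outdir='malfind'):
        '''
        Run malfind, dumping suspicious sections into outdir.
        rules: optional path to a YARA rules file; only passed (-y) when it exists,
               so the default "" simply disables YARA matching.
        '''
        args = ['-d', outdir]
        if os.path.isfile(rules):
            args.extend(['-y', rules])
        return self.run_cmd('malfind', args)

    def hooks(self, outdir='.'):
        '''
        Run apihooks, writing its dump files into outdir.
        '''
        return self.run_cmd('apihooks', ['-d', outdir])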
# -----------------------------------------------------------------------
# This class is used to control INetSim and simulate Internet protocols
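class INetSim:
    '''
    Starts and stops an INetSim instance and collects the logs it writes.
    '''

    def __init__(self, outdir):
        '''
        outdir: directory where INetSim writes its log and report files
        Raises Exception on non-POSIX systems or when the inetsim binary is
        not found at the module-level path.
        '''
        self.outdir = outdir
        self.proc = None
        if os.name != "posix":
            raise Exception("InetSim is only available on Posix systems")
        if not os.path.isfile(inetsim):
            raise Exception('Cannot find inetsim in ' + inetsim)

    def start(self):
        '''
        Start INetSim in the background, logging and reporting into outdir.
        It is run from its own directory so relative config paths resolve.
        '''
        # NOTE(review): stdout is a pipe that nothing in this class reads; a
        # chatty inetsim could block once the pipe buffer fills -- consider
        # redirecting it to a file instead.
        self.proc = subprocess.Popen(
            [
                inetsim,
                '--log-dir', self.outdir,
                '--report-dir', self.outdir,
            ],
            cwd=os.path.dirname(inetsim),
            stdout=subprocess.PIPE,
            stdin=subprocess.PIPE,
        )

    def stop(self):
        '''
        Stop INetSim with SIGTERM and give it 5 seconds to flush its reports.
        No-op when it was never started or has already exited.
        '''
        if self.proc is not None and self.proc.poll() is None:
            self.proc.terminate()
            time.sleep(5)

    def read(self):
        '''
        Return the contents of service.log followed by every report.*.txt
        found in outdir. Missing files are skipped; '' when nothing exists.
        '''
        chunks = []
        svclog = os.path.join(self.outdir, 'service.log')
        if os.path.isfile(svclog):
            # close the handle deterministically instead of leaking it
            with open(svclog) as fh:
                chunks.append(fh.read())
        # glob order is filesystem dependent; sort so output is reproducible
        for report in sorted(glob.glob(os.path.join(self.outdir, 'report.*.txt'))):
            with open(report) as fh:
                chunks.append(fh.read())
        return ''.join(chunks)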
# -----------------------------------------------------------------------
# This class is used to capture the network traffic while executing the file
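class TShark:
    '''
    Runs a background tshark capture to a pcap file and summarises it afterwards.
    '''

    def __init__(self, pcap_file):
        '''
        pcap_file: path on disk where the capture is written (-w)
        Raises Exception when the tshark binary is not at the module-level path.
        '''
        self.pcap_file = pcap_file
        self.proc = None
        if not os.path.isfile(tshark):
            raise Exception('Cannot find tshark in ' + tshark)

    def start(self, iface, guest_ip=None):
        '''
        Start capturing in the background.
        iface: interface to capture on (-i)
        guest_ip: when given, a capture filter (-f 'host <ip>') restricts the
                  capture to that host; the value is inserted into a BPF
                  expression, so it should be a plain host address.
        '''
        # -p: do not put the interface into promiscuous mode
        pargs = [tshark, '-p', '-i', iface, '-w', self.pcap_file]
        if guest_ip:
            pargs.extend(['-f', 'host %s' % guest_ip])
        self.proc = subprocess.Popen(pargs)

    def stop(self):
        '''
        Stop the capture with SIGTERM and give tshark 5 seconds to flush the pcap.
        No-op when it was never started or has already exited.
        '''
        if self.proc is not None and self.proc.poll() is None:
            self.proc.terminate()
            time.sleep(5)

    def read(self):
        '''
        Re-read the pcap with tshark and return its statistics output
        (HTTP request tree, IP host tree and protocol hierarchy).
        '''
        proc = subprocess.Popen(
            [
                tshark, '-z', 'http_req,tree',
                '-z', 'ip_hosts,tree', '-z', 'io,phs',
                '-r', self.pcap_file,
            ],
            stdout=subprocess.PIPE,
        )
        return proc.communicate()[0]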
# -----------------------------------------------------------------------
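def nmap(guest_ip, useTcp=True):
    '''
    Scan guest_ip for open ports with nmap and return nmap's stdout.
    useTcp: True for a TCP connect scan (-sT), False for a UDP scan (-sU)
    Raises OSError when the nmap binary cannot be found on PATH.
    '''
    scan_type = '-sT' if useTcp else '-sU'
    proc = subprocess.Popen(
        [
            'nmap', '-T', 'insane', scan_type, '-p', '0-65535', guest_ip,
        ],
        stdout=subprocess.PIPE,
    )
    # communicate() drains stdout while waiting for exit; calling wait() first
    # would deadlock once nmap's output filled the pipe buffer.
    return proc.communicate()[0]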
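def snortscan(pcap_file, config="", outdir="."):
    '''
    Replay a packet capture through Snort and return the alerts it produced.
    pcap_file: capture to read (-r)
    config: Snort configuration file passed to -c
    outdir: log directory passed to -l; Snort's "alert" file is read from there
    Returns the contents of <outdir>/alert, or None when no alert file was written.
    Snort's stdout is copied to snort.txt in the current working directory.
    '''
    proc = subprocess.Popen(
        [
            'snort', '-r', pcap_file,
            '-l', outdir, '-c', config,
        ],
        stdout=subprocess.PIPE,
    )
    # Open the transcript once: reopening it with 'w' for every line truncated
    # it each time (only the last, empty line survived) and leaked a handle
    # per iteration. Binary mode matches the bytes the pipe yields.
    with open("snort.txt", "wb") as transcript:
        for line in iter(proc.stdout.readline, b''):
            transcript.write(line)
    # stdout is fully drained, so waiting here cannot deadlock
    proc.wait()
    alert = os.path.join(outdir, 'alert')
    if os.path.isfile(alert):
        with open(alert) as fh:
            return fh.read()
    return None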