
Lot of improvements.

-Introduced the extension configuration file
-Introduced the semi-automatic (manual) analysis (-m)
-Introduced the sandbox spawned processes analysis (comparison with a previously created baseline)
-some fixes around
-dorothy_start is now catching SIGINT
1 parent 7f9a202 commit a97428d18510a3029eec9ed7d778f94208db74f7 @m4rco- committed Jul 23, 2013
Showing with 380 additions and 136 deletions.
  1. +12 −6 TODO
  2. +41 −4 bin/dorothy_start
  3. +13 −9 bin/dparser_start
  4. +34 −0 etc/extensions.yml
  5. +169 −66 lib/dorothy2.rb
  6. +2 −2 lib/dorothy2/NAM.rb
  7. +61 −17 lib/dorothy2/VSM.rb
  8. +42 −26 lib/dorothy2/do-init.rb
  9. +6 −6 lib/dorothy2/do-utils.rb
18 TODO
@@ -5,17 +5,23 @@
-PORT TO Ruby 2.0
-WGUI
+#IMPROVE INSTALLATION PROCESS
+-Include pcapr-local installation 80%
+
+-ADD args from command line for recreating the baseline
+
+
-BINARY STATIC ANALYSIS
--ANALYZE SYSTEM CHANGES
--SYSTEM ANALYSIS -VMWARE API: QueryChangedDiskAreas
--LIST PROCESSES-> pm.ListProcessesInGuest(:vm => vm, :auth => auth).inspect
+-ANALYZE SYSTEM CHANGES 50%
+ -ListFileInGuest -> Create Files/Folder Baseline.
--CODE- CATCH CTRL-C AND EXIT GRACEFULLY
--INTERACTIVE CONSOLE FOR NETWORK ANALYSIS
+-MANAGE SIG-INT WHILE MULTITHREAD
+-INTERACTIVE CONSOLE 10%
+-ADD VNC CLIENT SPAWN IN MANUAL MODE
-REVIEW DOROTHIVE (binary fullpath?)
--ADD EMAIL AS SOURCETYPE (use ruby mail gem for retreiving the emails, and parse them)
+-ADD EMAIL AS SOURCETYPE (use ruby mail gem for retrieving the emails, and parse them)
-REPORT PLUGIN
-REPORT - MAEC
@@ -6,9 +6,9 @@
require 'rubygems'
require 'trollop'
-require 'dorothy2' #comment for testing/developmnet
+#require 'dorothy2' #comment for testing/developmnet
-#load '../lib/dorothy2.rb' #uncomment for testing/developmnet
+load '../lib/dorothy2.rb' #uncomment for testing/developmnet
include Dorothy
@@ -34,8 +34,10 @@ opts = Trollop.options do
opt :verbose, "Enable verbose mode"
opt :infoflow, "Print the analysis flow"
+ opt :baseline, "Create a new process baseline"
opt :source, "Choose a source (from the ones defined in etc/sources.yml)", :type => :string
opt :daemon, "Stay in the backround, by constantly pooling datasources"
+ opt :manual, "Start everyrhing, copy the file, and wait for me."
opt :SandboxUpdate, "Update Dorothive with the new Sandbox file"
opt :DorothiveInit, "(RE)Install the Dorothy Database (Dorothive)", :type => :string
@@ -57,7 +59,8 @@ if opts[:infoflow]
#9) Try to retreive malware info from VirusTotal
#10) Insert data into Dorothy-DB
------------------------------------------
- "
+"
+
exit(0)
end
@@ -75,25 +78,49 @@ puts "
HOME = File.expand_path("..",File.dirname(__FILE__))
VERBOSE = (opts[:verbose] ? true : false)
daemon = (opts[:daemon] ? true : false)
+MANUAL = (opts[:manual] ? true : false)
+
+if MANUAL && daemon
+ "[Dorothy]".yellow + " Manual and Deamon modes can't be executed together"
+ exit(1)
+end
+
#DEFAULT CONF FILES
#conf = HOME + '/etc/dorothy.yml'
conf = "#{File.expand_path("~")}/.dorothy.yml"
+
#LOAD ENV
if Util.exists?(conf)
DoroSettings.load!(conf)
else
DoroConfig.create
exit(0)
-end
+ end
+
+
+#LOAD EXTENSION MGT FILE
+EXTENSIONS=YAML.load_file("#{DoroSettings.env[:home]}/etc/extensions.yml")
+
+
#Logging
logout = (daemon ? DoroSettings.env[:logfile] : STDOUT)
LOGGER = DoroLogger.new(logout, DoroSettings.env[:logage])
LOGGER.sev_threshold = DoroSettings.env[:loglevel]
+
+if opts[:baseline]
+ puts "[DOROTHY]".yellow + "Creating a new process baseline."
+ Dorothy.run_baseline
+ puts "[WARNING]".red + "Baseline run finished."
+ exit(0)
+end
+
+
+
home = DoroSettings.env[:home]
#check homefolder
unless Util.exists?(home)
@@ -102,6 +129,7 @@ end
sfile = home + '/etc/sources.yml'
sboxfile = home + '/etc/sandboxes.yml'
+baseline_procs = home + '/etc/baseline_processes.yml'
if opts[:DorothiveInit]
Util.init_db(opts[:DorothiveInit])
@@ -153,6 +181,15 @@ unless Util.exists?(sboxfile)
DoroConfig.init_sandbox(sboxfile)
end
+unless Util.exists?(baseline_procs)
+ puts "[WARNING]".red + " There is no process-baseline file yet, Dorothy is going to create one."
+ Dorothy.run_baseline
+ puts "[WARNING]".red + "Baseline run finished."
+ exit(0)
+end
+
+BASELINE_PROCS = YAML.load_file(baseline_procs)
+
#Check DB sandbox data
if db.table_empty?("sandboxes")
puts "[WARNING]".red + " No sandbox found in Dorothive, the DB will be filled with " + sboxfile
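Review bot: The `MANUAL && daemon` guard in the fourth hunk builds its message but never prints it — `"[Dorothy]".yellow + " Manual and Deamon modes can't be executed together"` is evaluated and discarded, so the script exits with status 1 and no explanation; it should read `puts "[Dorothy]".yellow + " Manual and Daemon modes can't be executed together"`. The first hunk also commits the development toggle: `require 'dorothy2'` is commented out and `load '../lib/dorothy2.rb'` is active, and that path is resolved against the current working directory rather than the script location, so an installed copy only starts when launched from `bin/`; the first hunk of bin/dparser_start carries the same toggle. `EXTENSIONS` and `BASELINE_PROCS` are read with `YAML.load_file`, which is the full Psych loader and will instantiate any tagged Ruby object it finds; both files live under the Dorothy home directory, so that is presumably an operator-controlled path, but a short comment such as `# operator-maintained config under the Dorothy home; never point this at untrusted YAML` would make the assumption explicit.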
@@ -7,9 +7,9 @@
require 'rubygems'
require 'trollop'
require 'dorothy2'
-require 'doroParser'
+#require 'doroParser'
-#load '../lib/doroParser.rb'
+load '../lib/doroParser.rb'
include Dorothy
include DoroParser
@@ -63,22 +63,26 @@ LOGGER_PARSER.sev_threshold = DoroSettings.env[:loglevel]
LOGGER = DoroLogger.new(logout, DoroSettings.env[:logage])
LOGGER.sev_threshold = DoroSettings.env[:loglevel]
-begin
-
-rescue
+if system "sh -c 'type startpcapr > /dev/null 2>&1'"
+ pcapr_conf = "#{File.expand_path("~")}/.pcapr_local/config"
+ unless Util.exists?(pcapr_conf)
+ puts "[WARNING]".red + " Pcapr conf not found at #{File.expand_path("~")}/.pcapr_local/config "
+ puts "[WARNING]".red + " Although you have configured Dorothy in order to look for a *local* Pcapr instance,it seems that it is not configured yet,so please run \"startpcapr\" and configure it."
+ exit(1)
+ end
+else
+ puts "[WARNING]".red + "Although you have configured Dorothy in order to look for a *local* Pcapr instance, it seems *NOT INSTALLED* in your system.\n\t Please install it by typing \"sudo gem install pcapr-local\. Then set Pcapr to scan #{DoroSettings.env[:analysis_dir]}"
exit(1)
-
end
-
begin
DoroParser.start(daemon)
rescue => e
puts "[PARSER]".yellow + " An error occurred: ".red + $!
if daemon
- puts "[PARSER]".yellow + " For more information check the logfile" + $!
- puts "[PARSER]".yellow + "Dorothy-Parser has been stopped"
+ puts "[PARSER]".yellow + " For more information check the logfile" + $!
+ puts "[PARSER]".yellow + "Dorothy-Parser has been stopped"
end
LOGGER_PARSER.error "Parser", "An error occurred: " + $!
LOGGER_PARSER.debug "Parser", "#{e.inspect} --BACKTRACE: #{e.backtrace}"
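Review bot: The rescue clause in the second hunk raises on its own: `$!` is an Exception object and `String#+` only accepts a String, so `" For more information check the logfile" + $!` (and the unchanged `" An error occurred: ".red + $!` two lines above it, plus the `LOGGER_PARSER.error` argument) ends in a `TypeError` (no implicit conversion into String) before the debug line with the backtrace is reached; use `$!.message`, or the already-bound `e.message`, in each of those concatenations. The warning text on the `else` branch also has an unbalanced quote — `\"sudo gem install pcapr-local\.` opens a quote that is never closed, and `\.` in a double-quoted string is just `.` — so it should end `pcapr-local\".`. The `system "sh -c 'type startpcapr ...'"` probe is a fixed string with no interpolated input, which is fine; the enclosing `begin`/`rescue` block continues outside the hunk.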
@@ -0,0 +1,34 @@
+#############################################
+### DOROTHY EXTENSION MANAGER #
+#############################################
+### Choose how do you want to open the the
+### binaries into the Sandbox VM.
+### You can add as much extensions as you
+### want.
+#############################################
+---
+exe:
+ prog_name: Windows CMD.exe
+ prog_path: C:\windows\system32\cmd.exe
+ prog_args: /C
+
+dll:
+ prog_name: Windows Rundll32.exe
+ prog_path: C:\windows\system32\rundll32.exe
+ prog_args:
+
+html:
+ prog_name: Microsoft Explorer IEXPLORE.EXE
+ prog_path: C:\windows\system32\cmd.exe
+ prog_args: /C start "C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE"
+
+#doc:
+# prog_name: Microsoft Word 2003
+# prog_path:
+# prog_args:
+
+#pdf:
+# prog_name: Acrobat Reader Version 1.0
+# prog_path:
+# prog_args:
+
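Review bot: The `html` entry's `prog_name` says IEXPLORE.EXE but its `prog_path` is `C:\windows\system32\cmd.exe`, and the real browser path is only supplied through `prog_args` as `C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE`, which is the Italian-locale Program Files directory and will not exist on an English or other-locale sandbox image. The `dll` entry leaves `prog_args` empty, and rundll32 expects a `<dll>,<entrypoint>` argument to call anything, so as written it presumably does little beyond loading the module — worth a comment stating the intended usage (or the entry point the VSM code appends, if it does; that code is not in this section). A header line such as `### prog_path/prog_args are passed verbatim to the guest; paths are image-specific, adapt them to your sandbox` would tell the next operator what to change.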