Merge branch 'kevoreilly:master' into master
Showing
49 changed files
with
3,617 additions
and
2,720 deletions.
@@ -0,0 +1,12 @@ | ||
rule SlowLoader | ||
{ | ||
meta: | ||
author = "kevoreilly" | ||
description = "SlowLoader detonation aide for slow cpus (thread race)" | ||
cape_options = "break-on-return=CreateProcessA,action0=sleep:1000,count=0" | ||
packed = "f6eeb73ffb3e6d6cc48f74344cb590614db7e3116ba00a52aefd7dff468a60a5" | ||
strings: | ||
$code = {0F B6 44 07 08 0F B6 54 1F 08 03 C2 25 FF 00 00 80 79 07 48 0D 00 FF FF FF 40 89 45 ?? 6A 00} | ||
condition: | ||
any of them | ||
} |
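Review bot: The `$code` byte pattern is undocumented, so a reader cannot tell which routine the `break-on-return=CreateProcessA` sleep is racing against, nor re-derive the pattern when the loader changes; a one-line comment above `$code` naming the function or code region the bytes were lifted from (in the sample referenced by `packed`) would make the rule maintainable. With a single string, `any of them` is equivalent to the plainer `$code`. If the hash in `packed` is the only sample the pattern was validated against, say so in that comment, since `count=0` makes the sleep apply to every CreateProcessA return for the whole run.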
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,79 @@ | ||
# Copyright (C) 2024 fdiaz@virustotal.com | ||
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org | ||
# See the file 'docs/LICENSE' for copying permission. | ||
import logging | ||
import os | ||
import subprocess | ||
import tempfile | ||
import time | ||
from threading import Thread | ||
|
||
from lib.common.abstracts import Auxiliary | ||
from lib.common.results import upload_to_host | ||
|
||
log = logging.getLogger(__name__) | ||
|
||
|
||
class Browsermonitor(Auxiliary, Thread): | ||
"""Monitors Browser Extension request logs.""" | ||
|
||
def __init__(self, options=None, config=None): | ||
if options is None: | ||
options = {} | ||
Auxiliary.__init__(self, options, config) | ||
Thread.__init__(self) | ||
self.do_run = False | ||
self.enabled = config.browsermonitor | ||
self.startupinfo = subprocess.STARTUPINFO() | ||
self.startupinfo.dwFlags |= subprocess.STARTF_USESHOWWINDOW | ||
self.browser_logfile = "" | ||
self.last_modification = 0.0 | ||
self._is_first_save = True | ||
|
||
def _find_browser_extension(self): | ||
temp_dir = tempfile.gettempdir() | ||
while not self.browser_logfile and self.do_run: | ||
temp_dir_list = os.listdir(temp_dir) | ||
for directory in temp_dir_list: | ||
# TOR Browser saves directly to %temp% | ||
if directory.startswith("bext_") and directory.endswith(".json"): | ||
log.debug(f"Found extension logs: {self.browser_logfile}") | ||
self.browser_logfile = os.path.join(temp_dir, directory) | ||
break | ||
tmp_directory_path = os.path.join(temp_dir, directory) | ||
if not os.path.isdir(tmp_directory_path): | ||
continue | ||
if not directory.startswith("tmp"): | ||
continue | ||
tmp_dir_files = os.listdir(tmp_directory_path) | ||
for file in tmp_dir_files: | ||
if file.startswith("bext_") and file.endswith(".json"): | ||
self.browser_logfile = os.path.join(temp_dir, directory, file) | ||
log.debug(f"Found extension logs: {self.browser_logfile}") | ||
break | ||
time.sleep(1) | ||
|
||
def _collect_browser_logs(self): | ||
if not self._is_first_save and self.last_modification != os.path.getmtime(self.browser_logfile): | ||
return | ||
self.last_modification = os.path.getmtime(self.browser_logfile) | ||
upload_to_host(self.browser_logfile, "browser/requests.log") | ||
self._is_first_save = False | ||
|
||
def run(self): | ||
self.do_run = True | ||
if self.enabled: | ||
self._find_browser_extension() | ||
self.last_modification = os.path.getmtime(self.browser_logfile) | ||
while self.do_run: | ||
self._collect_browser_logs() | ||
time.sleep(1) | ||
return True | ||
return False | ||
|
||
def stop(self): | ||
if self.enabled: | ||
self.do_run = False | ||
if self.browser_logfile: | ||
self._collect_browser_logs() | ||
return True |
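Review bot: The guard in `_collect_browser_logs` is inverted: after the first upload it returns when `self.last_modification != os.path.getmtime(...)`, i.e. exactly when the log has changed, and re-uploads only when it has not, so every change after the first is dropped (the stored mtime is never advanced because the update sits below the return, so the mismatch persists); the comparison should be `if not self._is_first_save and self.last_modification == os.path.getmtime(self.browser_logfile): return`. In `_find_browser_extension` the first `log.debug` fires before `self.browser_logfile` is assigned and so logs an empty string; swap the two lines. `run` calls `os.path.getmtime(self.browser_logfile)` unconditionally after the search loop, but that loop also exits via `stop()` with `browser_logfile` still `""`, which raises; add `if not self.browser_logfile: return False` before it, and since the file can vanish mid-analysis, let the `getmtime` calls tolerate `OSError`. Because `bext_*.json` is picked up from a predictable location under `%TEMP%` that the sample under analysis can also write to, whatever parses the uploaded `browser/requests.log` on the host should treat it as untrusted input; a comment next to `upload_to_host` saying so would record that. `self.startupinfo` and the `subprocess` import are unused in this file.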
@@ -0,0 +1,25 @@ | ||
# Copyright (C) 2024 fdiaz@virustotal.com | ||
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org | ||
# See the file 'docs/LICENSE' for copying permission. | ||
|
||
import time | ||
import webbrowser | ||
|
||
from lib.common.abstracts import Package | ||
|
||
|
||
class ChromiumExt(Package): | ||
"""Chromium extension analysis package.""" | ||
|
||
PATHS = [ | ||
("LOCALAPPDATA", "Chromium", "chrome.exe"), | ||
] | ||
summary = "Opens the URL in Chromium with loaded extension." | ||
description = """Runs Chromium preloaded with a custom extensios.""" | ||
|
||
def start(self, url): | ||
webbrowser.register("chromium", None, webbrowser.BackgroundBrowser(self.get_path("chrome.exe"))) | ||
chromium = webbrowser.get("chromium") | ||
chromium.open("about:blank") | ||
time.sleep(10) | ||
return chromium.open(url) |
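Review bot: `start` returns the result of `webbrowser.BackgroundBrowser.open`, which is a bool (`True` when the spawned process is still alive right after `Popen`), not a process id; if the Package contract expects `start` to hand back the pid(s) to monitor, the analyzer will receive `True` here and cannot track `chrome.exe` — worth confirming before merging, since the Firefox and Tor variants in this commit do the same. Fix the typo in `description` (`extensios` → `extensions`) and state where the extension comes from: `start` only launches `chrome.exe`, so presumably the extension is pre-installed in the guest profile; a comment such as `# The extension must already be installed in the Chromium profile of the analysis VM; this package only launches the browser.` would record that. The 10-second `time.sleep` is a setup-dependent magic number, as the Firefox variant's own comment admits; name it (`STARTUP_DELAY = 10`) or make it configurable.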
@@ -0,0 +1,24 @@ | ||
# Copyright (C) 2024 fdiaz@virustotal.com | ||
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org | ||
# See the file 'docs/LICENSE' for copying permission. | ||
import time | ||
import webbrowser | ||
|
||
from lib.common.abstracts import Package | ||
|
||
|
||
class Firefox_Ext(Package): | ||
"""Firefox analysis package (with extension).""" | ||
|
||
PATHS = [ | ||
("ProgramFiles", "Mozilla Firefox", "firefox.exe"), | ||
] | ||
summary = "Opens the URL in firefox." | ||
description = """Spawns firefox.exe and opens the supplied URL.""" | ||
|
||
def start(self, url): | ||
webbrowser.register("firefox", None, webbrowser.BackgroundBrowser(self.get_path("firefox.exe"))) | ||
firefox = webbrowser.get("firefox") | ||
firefox.open("about:blank") | ||
time.sleep(7) # Rough estimate, change based on your setup times. | ||
return firefox.open(url) |
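Review bot: `summary` and `description` describe a plain Firefox launch and never mention the extension that the class name and docstring promise, so a user choosing this package cannot tell how it differs from a stock Firefox package; change them to e.g. `summary = "Opens the URL in Firefox with the analysis extension loaded."` and add a comment that the extension is expected to be present in the guest's Firefox profile, since `start` itself only launches `firefox.exe` (confirm that this is how it is deployed). The 7-second delay is acknowledged as a guess; exposing it as a class constant keeps the browser packages consistent. This package and the Chromium and Tor variants repeat the same register/open/sleep/open sequence with different delays, return values and ordering; a shared helper would keep the three from drifting further.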
@@ -0,0 +1,25 @@ | ||
# Copyright (C) 2024 fdiaz@virustotal.com | ||
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org | ||
# See the file 'docs/LICENSE' for copying permission. | ||
import time | ||
import webbrowser | ||
|
||
from lib.common.abstracts import Package | ||
|
||
|
||
class TorBrowserExt(Package): | ||
"""TOR analysis package (with extension).""" | ||
|
||
PATHS = [ | ||
("LOCALAPPDATA", "Tor Browser", "Browser", "firefox.exe"), | ||
] | ||
summary = "Opens the URL in firefox." | ||
description = """Spawns TOR's firefox.exe and opens the supplied URL.""" | ||
|
||
def start(self, url): | ||
webbrowser.register("firefox", None, webbrowser.BackgroundBrowser(self.get_path("firefox.exe"))) | ||
firefox = webbrowser.get("firefox") | ||
time.sleep(15) # Rough estimate, change based on your setup times. | ||
firefox.open(url) | ||
time.sleep(15) # Prevent analysis from finishing too early. | ||
return |
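Review bot: The first `time.sleep(15)` runs before anything has been launched — `webbrowser.get("firefox")` only returns the registered browser object — so it cannot be covering Tor Browser start-up as its comment suggests; if the intent mirrors the Chromium and Firefox packages, open `about:blank` first: `firefox.open("about:blank")` followed by `time.sleep(15)`. `start` also ends with a bare `return`, so unlike its siblings it yields `None` rather than the `open` result; keep the trailing delay but return the launch status with `launched = firefox.open(url)`, `time.sleep(15)`, `return launched`, or document why the sleep must run inside `start` (the `# Prevent analysis from finishing too early` comment hints at analyzer-side behaviour that is not visible here). `summary` and `description` were copied from the Firefox package and should name Tor Browser and the extension.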
@@ -221,3 +221,6 @@ enabled = no | |
# Community | ||
[malheur] | ||
enabled = no | ||
|
||
[browserext] | ||
enabled = no |
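Review bot: The new `[browserext]` section has no descriptive comment, and its name does not match the guest-side switch that the auxiliary module added in this commit reads (`config.browsermonitor`); if the two are meant to be enabled together, a comment such as `# Processes the browser extension request log uploaded by the guest browsermonitor auxiliary` above `[browserext]` makes the pairing discoverable, and if they are meant to be one switch the names should be aligned. It is appended after `[malheur]` under the `# Community` header, so also confirm that this module belongs in that group.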