dorothy2 1.0.1 → 1.0.9

data/lib/dorothy2/NAM.rb

@@ -20,8 +20,8 @@ module Dorothy
 
     def start_sniffer(vmaddress, interface, name, pcaphome)
       Net::SSH.start(@server, @user, :password => @pass, :port =>@port) do |@ssh|
-        # @ssh.exec "nohup sudo tcpdump -i eth0 -s 1514 -w ~/pcaps/#{name}.pcap host #{vmaddress} > blah.log 2>&1 & "
-        @ssh.exec "nohup sudo tcpdump -i #{interface} -s 1514 -w #{pcaphome}/#{name}.pcap host #{vmaddress} > log.tmp 2>&1 & "
+        MANUAL ? not_rdp = "and not port 3389" : not_rdp = ""
+        @ssh.exec "nohup sudo tcpdump -i #{interface} -s 1514 -w #{pcaphome}/#{name}.pcap host #{vmaddress} #{not_rdp} 2> log.tmp  & "
         t = @ssh.exec!"ps aux |grep #{vmaddress}|grep -v grep|grep -v bash"
         pid = t.split(" ")[1]
         return pid.to_i

data/lib/dorothy2/VSM.rb

@@ -7,7 +7,7 @@ module Dorothy
   #Dorothy module-class for managig the virtual sandboxes
   class Doro_VSM
 
-    #ESX5 interface
+    #ESX vSphere5 interface
     class ESX
 
       #Creates a new instance for communicating with ESX through the vSpere5's API
@@ -32,8 +32,24 @@ module Dorothy
 
         #AUTHENTICATION
         guestauth = {:interactiveSession => false, :username => guestuser, :password => guestpass}
-        @auth=RbVmomi::VIM::NamePasswordAuthentication(guestauth)
-        abort if am.ValidateCredentialsInGuest(:vm => @vm, :auth => @auth) != nil
+        r = 0
+        begin
+          @auth=RbVmomi::VIM::NamePasswordAuthentication(guestauth)
+          abort if am.ValidateCredentialsInGuest(:vm => @vm, :auth => @auth) != nil
+        rescue RbVmomi::Fault => e
+          if e.inspect =~ /InvalidPowerState/
+            if r <= 5
+              r = r+1
+              LOGGER.debug "VSM", "VM busy (maybe still revertig, retrying.."
+              sleep 2
+              retry
+            end
+            LOGGER.error "VSM", "Error, can't connect to VM #{@vm[:name]}"
+            LOGGER.debug "VSM", e
+            raise "VSM Error"
+          end
+        end
+
       end
 
       def revert_vm
@@ -55,36 +71,61 @@ module Dorothy
 
       end
 
-      def exec_file(filename, arguments="")
-        filepath = "C:\\#{filename}"
-
-        if File.extname(filename) == ".dll"
-          cmd = { :programPath => "C:\\windows\\system32\\rundll32.exe", :arguments => filepath}
-          LOGGER.info "VSM", ".:: Executing dll #{filename}"
-
-        else
-          cmd = { :programPath => filepath, :arguments => arguments }
-        end
+      def exec_file(filename, program)
+        program["prog_args"].nil? ? args = "" : args = program["prog_args"]
+        args << " #{filename}"
+        cmd = { :programPath => program["prog_path"], :arguments => args }
+        pid = @pm.StartProgramInGuest(:vm => @vm , :auth => @auth, :spec => cmd )
+        pid.to_i
+      end
 
+      def exec_file_raw(filename, arguments="")
+        filepath = "C:\\#{filename}"
+        cmd = { :programPath => filepath, :arguments => arguments }
         pid = @pm.StartProgramInGuest(:vm => @vm , :auth => @auth, :spec => cmd )
         pid.to_i
       end
 
       def check_internet
-         exec_file("windows\\system32\\ping.exe", "-n 1 www.google.com")  #make www.google.com customizable, move to doroconf
+        exec_file_raw("windows\\system32\\ping.exe", "-n 1 www.google.com")  #make www.google.com customizable, move to doroconf
       end
 
-
       def get_status(pid)
-        p = @pm.ListProcessesInGuest(:vm => @vm , :auth => @auth, :pids => Array(pid) ).inspect
-        status = (p =~ /exitCode=>([0-9])/ ? $1.to_i : nil )
-        return status
+        p = get_running_procs(pid)
+        p["exitCode"]
       end
 
+      def get_running_procs(pid=nil, save_tofile=false, filename="#{DoroSettings.env[:home]}/etc/baseline_processes.yml")
+        pid = Array(pid) unless pid.nil?
+        @pp2 = Hash.new
+        procs = @pm.ListProcessesInGuest(:vm => @vm , :auth => @auth, :pids => pid )
+        procs.each {|pp2| @pp2.merge! Hash[pp2.pid, Hash["pname", pp2.name, "owner", pp2.owner, "cmdLine", pp2.cmdLine, "startTime", pp2.startTime, "endTime", pp2.endTime, "exitCode", pp2.exitCode]]}
+          if save_tofile
+          Util.write(filename, @pp2.to_yaml)
+          LOGGER.info "VSM", "Current running processes saved to #{filename}"
+        end
+        @pp2
+      end
+
+      def get_new_procs(current_procs, original_procs=BASELINE_PROCS)
+        @new_procs = Hash.new
+        current_procs.each_key {|pid|
+          @new_procs.merge!(Hash[pid, current_procs[pid]]) unless original_procs.has_key?(pid)
+        }
+        @new_procs
+      end
+
+      def get_files(path)
+        fm_files = @fm.ListFilesInGuest(:vm => @vm, :auth=> @auth, :filePath=> path).files
+        @files = Hash.new
+        fm_files.each {|file|
+          @files.merge!(Hash[file.path, Hash[:size, file.size, :type, file.type, :attrs, file.attributes]])
+        }
+        @files
+      end
 
       def screenshot
         a = @vm.CreateScreenshot_Task.wait_for_completion.split(" ")
-        ds = @vm.datastore.find { |ds| ds.name  == a[0].delete("[]")}
         screenpath = "/vmfs/volumes/" + a[0].delete("[]") + "/" + a[1]
         return screenpath
       end

data/lib/dorothy2/do-init.rb

@@ -1,6 +1,7 @@
 # Copyright (C) 2010-2013 marco riccardi.
 # This file is part of Dorothy - http://www.honeynet.it/
 # See the file 'LICENSE' for copying permission.
+require 'fileutils'
 
 module Dorothy
 
@@ -9,7 +10,7 @@ module Dorothy
     extend self
 
     def init_home(home)
-      puts "INIT".yellow + " Creating Directoy structure in #{home}"
+      puts "[INIT]".yellow + " Creating Directoy structure in #{home}"
       Dir.mkdir(home) unless Util.exists?("#{home}")
       unless Util.exists?("#{home}/opt")
         Dir.mkdir("#{home}/opt")
@@ -24,14 +25,14 @@ module Dorothy
         Dir.mkdir("#{home}/var")
         Dir.mkdir("#{home}/var/log")
       end
-      puts "INIT".yellow + " Done"
+      puts "[INIT]".yellow + " Done\n\n"
     end
 
     def create
 
       puts "
       [WARNING]".red + " It seems that the Dorothy configuration file is not present,
-      please answer to the following question in order to create it now.
+                please answer to the following question in order to create it now.
       "
 
       correct = false
@@ -53,16 +54,11 @@ module Dorothy
         ################################################
 
         puts "\n######### [" + " Dorothy Environment settings ".red + "] #########"
-
-        puts "Please insert the home folder for dorothy [#{HOME}]"
-        conf["env"]["home"] = (t = gets.chop).empty? ? HOME : t
+        puts "Please insert the home folder for dorothy [#{File.expand_path("~")}/Dorothy]"
+        conf["env"]["home"] = (t = gets.chop).empty? ? "#{File.expand_path("~")}/Dorothy" : t
 
         home = conf["env"]["home"]
 
-        self.init_home(home)
-
-
-
         puts "The Dorothy home directory is #{home}"
 
         conf["env"]["pidfile"] = "#{home}/var/dorothy.pid"
@@ -123,11 +119,16 @@ module Dorothy
         puts "Insert the time (seconds) that the Sandbox should be run before it's reverted [60]"
         conf["sandbox"]["sleeptime"] = (t = gets.chop).empty? ? 60 : t
 
-        puts "Insert the time (seconds) when Dorothy should take the first screenshot [1]"
-        conf["sandbox"]["screen1time"] = (t = gets.chop).empty? ? 1 : t
+        puts "Insert how many screenshots do you want to take [1]"
+        conf["sandbox"]["num_screenshots"] = (t = gets.chop).empty? ? 1 : t.to_i
 
-        puts "Insert the time (seconds) when Dorothy should take the second screenshot [15]"
-        conf["sandbox"]["screen2time"] = (t = gets.chop).empty? ? 15 : t
+        if conf["sandbox"]["num_screenshots"] > 1
+          puts "Insert the time interval (seconds) between each screenshot [5] "
+          conf["sandbox"]["screen2time"] = (t = gets.chop).empty? ? 5 : t
+        end
+
+        puts "After how many seconds do you want to take the first screenshot? [1]"
+        conf["sandbox"]["screen1time"] = (t = gets.chop).empty? ? 1 : t
 
         ######################################################
         ###NAM
@@ -152,8 +153,8 @@ module Dorothy
         puts "SSH Port [22] :"
         conf["nam"]["port"] = (t = gets.chop).empty? ? 22 : t
 
-        puts "Folder where to store PCAP files [~/pcaps]"
-        conf["nam"]["pcaphome"] = (t = gets.chop).empty? ? "~/pcaps" : t
+        puts "Folder where to store PCAP files [/home/#{conf["nam"]["user"]}/pcaps]"
+        conf["nam"]["pcaphome"] = (t = gets.chop).empty? ? "/home/#{conf["nam"]["user"]}/pcaps" : t
 
         ######################################################
         ###PCAPR
@@ -161,12 +162,23 @@ module Dorothy
 
         puts "\n######### [" + " Pcapr configuration ".red + "] #########"
 
-        puts "Host [NAM: #{conf["nam"]["host"]}]:"
-        conf["pcapr"]["host"] = (t = gets.chop).empty? ? conf["nam"]["host"] : t
+        puts "Are you going to use Pcapr on this machine? [yes] WARNING: Pcapr is only compatible with Linux "
 
-        puts "Port [8080]:"
+        t = gets.chop
+        if t.empty? || t == "y" || t == "yes"
+          conf["pcapr"]["local"] = true
+          puts "[WARNING]".yellow + " Be careful in setting Pcapr to scan #{conf["env"]["analysis_dir"]}"
+          conf["pcapr"]["host"] = "localhost"
+        else
+          conf["pcapr"]["local"] = false
+          puts "Pcapr Host [NAM: #{conf["nam"]["host"]}]:"
+          conf["pcapr"]["host"] = (t = gets.chop).empty? ? conf["nam"]["host"] : t
+        end
+
+        puts "Pcapr HTTP Port [8080]:"
         conf["pcapr"]["port"] = (t = gets.chop).empty? ? 8080 : t
 
+
         ######################################################
         ###VIRUS TOTAL
         ######################################################
@@ -179,11 +191,7 @@ module Dorothy
         puts "Enable test mode? In test mode dorothy will avoid to poll Virustotal [y]"
 
         t = gets.chop
-        if t.empty? || t == "y" || t == "yes"
-          conf["env"]["testmode"] = true
-        else
-          conf["env"]["testmode"] = false
-        end
+        (t.empty? || t == "y" || t == "yes") ? conf["env"]["testmode"] = true : conf["env"]["testmode"] = false
 
         ##########CONF FINISHED##################
 
@@ -192,11 +200,21 @@ module Dorothy
 
         t = gets.chop
         if t.empty? || t == "y" || t == "yes"
-          File.open("#{File.expand_path("~")}/.dorothy.yml", 'w+') {|f| f.write(conf.to_yaml) }
-          FileUtils.ln_s("#{File.expand_path("~")}/.dorothy.yml", "#{home}/etc/dorothy.yml")
-          correct = true
-          puts "Configuration file has been saved in ~/.dorothy.conf and a symlink has been created in\n#{home}/etc/dorothy.yml for an easier edit. You can either modify such file directly."
-          puts "\n######### [" + " Now you can restart dorothy, enjoy! ".yellow + "] #########"
+          begin
+            self.init_home(home)
+            File.open("#{File.expand_path("~")}/.dorothy.yml", 'w+') {|f| f.write(conf.to_yaml) }
+            FileUtils.ln_s("#{File.expand_path("~")}/.dorothy.yml", "#{home}/etc/dorothy.yml") unless Util.exists?("#{home}/etc/dorothy.yml")
+
+            #copy the default extension file to the user-defined home
+            FileUtils.cp("#{HOME}/etc/extensions.yml", "#{home}/etc/extensions.yml")
+            correct = true
+            puts "Configuration file has been saved in ~/.dorothy.conf and a symlink has been created in\n#{home}/etc/dorothy.yml for an easier edit."
+            puts "\n######### [" + " Now you can restart dorothy, enjoy! ".yellow + "] #########"
+          rescue => e
+            puts e.inspect
+            puts "[ERROR]".red + " Configuration aborted, please redo."
+            FileUtils.rm("#{home}/etc/dorothy.yml")
+          end
         else
           puts "Please reinsert the info"
           correct = false
@@ -206,6 +224,7 @@ module Dorothy
 
     end
 
+    #Creates the sandbox configuration file
     def create_sandbox(sboxfile)
 
       correct = false

data/lib/dorothy2/do-utils.rb

@@ -90,7 +90,9 @@ module Dorothy
         elsif value =~ /currval/
           value1 = value
         else
-          value1 = "'#{value}'"
+          #if present, remove ""
+          value.gsub! /^"|"$/, '' if values.class.inspect == "String"
+          value1 = "E'#{value}'"
         end
         if n == values.size
           @sqlstring << value1
@@ -186,7 +188,7 @@ module Dorothy
     def find_vm
       vm = @db.exec("SELECT id, hostname, ipaddress, username, password FROM dorothy.sandboxes where is_available is true").first
       if vm.nil?
-        LOGGER.warn "DB","At this time there are no free VM available"
+        LOGGER.debug "DB","At this time there are no free VM available"  if VERBOSE
         return false
       else
         @db.exec("UPDATE dorothy.sandboxes set is_available = false where id = '#{vm["id"]}'")
@@ -246,8 +248,8 @@ module Dorothy
       sha = Digest::SHA2.new
       md5 = Digest::MD5.new
       @binpath = file
-      @filename = File.basename file
-      @extension = File.extname file
+      @filename = File.basename(file)
+      @extension = File.extname(file)[1..-1]
 
       File.open(file, 'rb') do |fh1|
         while buffer1 = fh1.read(1024)
@@ -264,14 +266,14 @@ module Dorothy
       @ctime= timetmp.strftime("%m/%d/%y %H:%M:%S")
       @type = fm.file(file)
 
-      if @extension.empty?    #no extension, trying to put the right one..
+      if @extension.nil?    #no extension, trying to put the right one..
         case @type
           when /^PE32/ then
-            @extension = (@type =~ /DLL/ ? ".dll" : ".exe")
+            @extension = (@type =~ /DLL/ ? "dll" : "exe")
           when /^MS-DOS/ then
-            @extension = ".bat"
+            @extension = "bat"
           when /^HTML/ then
-            @extension = ".html"
+            @extension = "html"
           else
             @extension = nil
         end

data/lib/dorothy2/version.rb

@@ -1,3 +1,3 @@
-module Dorothy2
-  VERSION = "1.0.1"
+module Dorothy
+  VERSION = "1.0.9"
 end

data/share/update-dorothive.sql

@@ -0,0 +1,19 @@
+CREATE TABLE dorothy.sys_procs
+(
+  analysis_id integer NOT NULL,
+  pid integer NOT NULL,
+  "name" character varying,
+  "owner" character varying,
+  "cmdLine" character varying,
+  "startTime" timestamp without time zone,
+  "endTime" timestamp without time zone,
+  "exitCode" integer,
+  CONSTRAINT "procs-pk" PRIMARY KEY (analysis_id, pid),
+  CONSTRAINT "anal_id-fk" FOREIGN KEY (analysis_id)
+      REFERENCES dorothy.analyses (id) MATCH SIMPLE
+      ON UPDATE NO ACTION ON DELETE NO ACTION
+)
+WITH (
+  OIDS=FALSE
+);
+ALTER TABLE dorothy.sys_procs OWNER TO postgres;

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: dorothy2
 version: !ruby/object:Gem::Version 
-  hash: 21
+  hash: 5
   prerelease: 
   segments: 
   - 1
   - 0
-  - 1
-  version: 1.0.1
+  - 9
+  version: 1.0.9
 platform: ruby
 authors: 
 - marco riccardi
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-07-01 00:00:00 Z
+date: 2013-08-11 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: net-scp
@@ -253,8 +253,8 @@ executables:
 - dparser_stop
 extensions: []
 
-extra_rdoc_files: []
-
+extra_rdoc_files: 
+- README.md
 files: 
 - .gitignore
 - Gemfile
@@ -262,6 +262,7 @@ files:
 - README.md
 - Rakefile
 - TODO
+- UPDATE
 - bin/dorothy_start
 - bin/dorothy_stop
 - bin/dparser_start
@@ -269,6 +270,7 @@ files:
 - dorothy2.gemspec
 - etc/ddl/dorothive.ddl
 - etc/dorothy copy.yml.example
+- etc/extensions.yml
 - etc/sandboxes.yml.example
 - etc/sources.yml.example
 - lib/doroParser.rb
@@ -315,12 +317,13 @@ files:
 - share/img/Dorothy-Basic.pdf
 - share/img/Setup-Advanced.pdf
 - share/img/The_big_picture.pdf
+- share/update-dorothive.sql
 - test/tc_dorothy_full.rb
 - var/log/parser.log
 homepage: https://github.com/m4rco-/dorothy2
 licenses: []
 
-post_install_message: 
+post_install_message: If you are upgrating from a previous version, read the UPDATE file!
 rdoc_options: []
 
 require_paths: