dorothy2 1.0.9 → 1.1.0

data/README.md

@@ -4,6 +4,7 @@ A malware/botnet analysis framework written in Ruby.
 
 For a perfect view of this document (images and links), open it through the project's [code repository](https://github.com/m4rco-/dorothy2/blob/master/README.md).
 
+For any issue, use our [Redmine](https://redmine.honeynet.it/projects/dorothy2)
 ##Introduction
 
 Dorothy2 is a framework created for mass malware analysis. Currently, it is mainly based on analyzing the network behavior of a virtual machine where a suspicious executable was executed.
@@ -108,7 +109,7 @@ It is recommended to follow this step2step process:
 
         #visudo
         add the following line:
-        dorothy  ALL = NOPASSWD: /usr/sbin/tcpdump, /bin/kill
+        dorothy  ALL = NOPASSWD: /usr/sbin/tcpdump, /bin/kill, /usr/bin/killall
 
 * If you want to install pcapr on this machine (if you want to use dorohy from a MacOSX machine, you have to do it) install also these packages  (refer to this blog [post](https://github.com/pcapr-local/pcapr-local) for a detailed howto). However, if you are installing Dorothy into a Linux machine, I recommended you to install pcapr on the same machine where the Dorothy gem was installed.
 
@@ -283,7 +284,7 @@ Below there are some tips about how understand the root-cause of your crash.
 
 > $dorothy_start -v -s malwarefolder
 
-3. Drop an email to info at honeynet.it with the output of your errors :)
+3. If any error occours, go to our Redmine and raise a [bug-ticket](https://redmine.honeynet.it/projects/dorothy2/)!    
 
 ------------------------------------------
 

data/UPDATE

@@ -1,8 +1,8 @@
 #######################################
-#Updating from Dorothy 1.0.x to 1.1.0##
+#Updating from Dorothy 1.0.x to >= 1.0.9##
 #######################################
 
-Dorothy 1.1.0 introduces several features that improve the overall framework.
+Dorothy 1.0.9 introduces several features that improve the overall framework.
 Below, the recommended steps needed to update your Dorothy environment.
 
 a) Remove the Dorothy configuration file

data/bin/dorothy_start

@@ -120,9 +120,9 @@ LOGGER.sev_threshold = DoroSettings.env[:loglevel]
 
 
 if opts[:baseline]
-  puts "[DOROTHY]".yellow + "Creating a new process baseline."
+  puts "[" + "+".red + "] " +  "[DOROTHY]".yellow + "Creating a new process baseline."
   Dorothy.run_baseline
-  puts "[WARNING]".red + "Baseline run finished."
+  puts "[" + "+".red + "] " +  "[WARNING]".red + "Baseline run finished."
   exit(0)
 end
 
@@ -140,7 +140,7 @@ baseline_procs = home + '/etc/baseline_processes.yml'
 
 if opts[:DorothiveInit]
   Util.init_db(opts[:DorothiveInit])
-  puts "[Dorothy]".yellow + " Database loaded, now you can restart Dorothy!"
+  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " Database loaded, now you can restart Dorothy!"
   exit(0)
 end
 
@@ -149,12 +149,12 @@ begin
   db = Insertdb.new
 rescue => e
   if e.inspect =~ /exist/
-    puts "WARNING".yellow + " The database doesn't exist yet. Press Enter to load the ddl into the DB"
+    puts "[" + "+".red + "] " +  "WARNING".yellow + " The database doesn't exist yet. Press Enter to load the ddl into the DB"
     gets
     Util.init_db(DoroSettings.dorothive[:ddl])
     exit(0)
   else
-    puts "ERROR".red + " Can't connect to the database"
+    puts "[" + "+".red + "] " +  "ERROR".red + " Can't connect to the database"
     puts e
     exit(0)
   end
@@ -162,9 +162,9 @@ end
 
 
 if opts[:SandboxUpdate]
-  puts "[Dorothy]".yellow + " Loading #{sboxfile} into Dorothive"
+  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " Loading #{sboxfile} into Dorothive"
   DoroConfig.init_sandbox(sboxfile)
-  puts "[Dorothy]".yellow + " Done."
+  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " Done."
   exit(0)
 end
 
@@ -178,20 +178,20 @@ if Util.exists?(sfile)
     end
   end
 else
-  puts "[WARNING]".red + " A source file doesn't exist, please crate one into #{home}/etc. See the example file in #{HOME}/etc/sources.yml.example"
+  puts "[" + "+".red + "] " +  "[WARNING]".red + " A source file doesn't exist, please crate one into #{home}/etc. See the example file in #{HOME}/etc/sources.yml.example"
   exit(0)
 end
 
 unless Util.exists?(sboxfile)
-  puts "[WARNING]".red + " There is no sandbox configured yet. Please do it now."
+  puts "[" + "+".red + "] " +  "[WARNING]".red + " There is no sandbox configured yet. Please do it now."
   DoroConfig.create_sandbox(sboxfile)
   DoroConfig.init_sandbox(sboxfile)
 end
 
 unless Util.exists?(baseline_procs)
-  puts "[WARNING]".red + " There is no process-baseline file yet, Dorothy is going to create one."
+  puts "[" + "+".red + "] " +  "[WARNING]".red + " There is no process-baseline file yet, Dorothy is going to create one."
   Dorothy.run_baseline
-  puts "[WARNING]".red + "Baseline run finished."
+  puts "[" + "+".red + "] " +  "[WARNING]".red + " Baseline run finished."
   exit(0)
 end
 
@@ -199,13 +199,13 @@ BASELINE_PROCS = YAML.load_file(baseline_procs)
 
 #Check DB sandbox data
 if db.table_empty?("sandboxes")
-  puts "[WARNING]".red + " No sandbox found in Dorothive, the DB will be filled with " + sboxfile
+  puts "[" + "+".red + "] " +  "[WARNING]".red + " No sandbox found in Dorothive, the DB will be filled with " + sboxfile
   DoroConfig.init_sandbox(sboxfile)
 end
 
 if opts[:source] && !sources.key?(opts[:source])
-  puts "[WARNING]".red + " The selected source is not yet configured.\nThe available sources are: "
-  puts sources.keys
+  puts "[" + "+".red + "] " +  "[WARNING]".red + " The selected source is not yet configured.\nThe available sources are: "
+  puts "[" + "+".red + "] " +  sources.keys
   exit(0)
 end
 
@@ -213,9 +213,11 @@ db.close
 
 begin
   Dorothy.start sources[opts[:source]], daemon
+rescue SignalException
+   Dorothy.stop_running_analyses
 rescue => e
-  puts "[Dorothy]".yellow + " An error occurred: ".red + $!
-  puts "[Dorothy]".yellow + " For more information check the logfile" + $! if daemon
+  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " An error occurred: ".red + $!
+  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " For more information check the logfile" + $! if daemon
   LOGGER.error "Dorothy", "An error occurred: " + $!
   LOGGER.debug "Dorothy", "#{e.inspect} --BACKTRACE:  #{e.backtrace}"
   LOGGER.info "Dorothy", "Dorothy has been stopped"

data/etc/extensions.yml

@@ -17,7 +17,7 @@ dll:
   prog_path: C:\windows\system32\rundll32.exe
   prog_args:
 
-html:
+html:          # c:\Program Files\Internet Explorer\iexplore.exe" -new
   prog_name: Microsoft Explorer IEXPLORE.EXE
   prog_path: C:\windows\system32\cmd.exe
   prog_args: /C start "C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE"

data/lib/doroParser.rb

@@ -51,8 +51,6 @@ module DoroParser
 
   def search_irc(streamdata)
 
-    util = Util.new
-
     ircvalues = []
     streamdata.each do |m|
       #	if m[1] == 0  #we fetch only outgoing traffic

data/lib/dorothy2.rb

@@ -44,6 +44,7 @@ module Dorothy
 
 
   def start_analysis(bins)
+    #Create a mutex for monitoring the access to the methods
     @binum = bins.size
     bins.each do |bin|
       next unless check_support(bin)
@@ -157,7 +158,7 @@ module Dorothy
       LOGGER.info "VSM",vm_log_header + "Copying #{bin.md5} to VM"
 
       filecontent = File.open(bin.binpath, "rb") { |byte| byte.read } #load filebinary
-      vsm.copy_file(bin.filename,filecontent)
+      vsm.copy_file(bin.full_filename,filecontent)    #Using full_filename, we do want to be sure that it has an extension
 
       #Start Sniffer
       dumpname = anal_id.to_s + "-" + bin.md5
@@ -170,20 +171,22 @@ module Dorothy
       @screenshots = Array.new
 
       #Execute File into VM
-      LOGGER.info "VSM",vm_log_header + "Executing #{bin.md5} with #{EXTENSIONS["prog_args"]}"
+      LOGGER.info "VSM",vm_log_header + "Executing #{bin.full_filename} with #{EXTENSIONS[bin.extension]["prog_name"]}"
 
       if MANUAL
         LOGGER.debug "VSM",vm_log_header + " MANUAL mode detected. You can now logon to rdp:// "
 
-        LOGGER.info "MANUAL-MODE",vm_log_header + "
+        menu="
 
           Choose your next action:
           1) Take Screenshot
           2) Take ProcessList
-          3) Execute #{bin.filename}
+          3) Execute #{bin.full_filename}
           0) Continue and revert the machine.
 
           Select a nuber:"
+
+        LOGGER.info "MANUAL-MODE",vm_log_header + menu
         answer = gets.chop
 
         until answer == "0"
@@ -194,12 +197,15 @@ module Dorothy
             when "2"
               @current_procs = vsm.get_running_procs
               LOGGER.info "MANUAL-MODE",vm_log_header +  "Current ProcessList taken"
+              @current_procs.each_key do |pid|
+                LOGGER.info "MANUAL-MODE", vm_log_header + "[" + "+".red + "]" + " PID: #{pid}, NAME: #{@current_procs[pid]["pname"]}, COMMAND: #{@current_procs[pid]["cmdLine"]}"
+              end
             when "3"
-              guestpid = vsm.exec_file("C:\\#{bin.filename}",EXTENSIONS[bin.extension])
+              guestpid = vsm.exec_file("C:\\#{bin.full_filename}",EXTENSIONS[bin.extension])
               LOGGER.debug "MANUAL-MODE",vm_log_header + "Program executed with PID #{guestpid}"
             #when "x" then -- More interactive actions to add
             else
-              LOGGER.info "MANUAL-MODE",vm_log_header +  "Please select a number"
+              LOGGER.info "MANUAL-MODE",vm_log_header +  menu
           end
           answer = gets.chop
         end
@@ -208,7 +214,7 @@ module Dorothy
 
 
       else
-        guestpid = vsm.exec_file("C:\\#{bin.filename}",EXTENSIONS[bin.extension])
+        guestpid = vsm.exec_file("C:\\#{bin.full_filename}",EXTENSIONS[bin.extension])
         LOGGER.debug "VSM",vm_log_header + "Program executed with PID #{guestpid}" if VERBOSE
         sleep 1
         returncode = vsm.get_status(guestpid)
@@ -231,7 +237,7 @@ module Dorothy
 
 
       #Stop Sniffer, revert the VM
-      stop_nam_revertvm(@nam, pid, vsm, guestvm[0], reverted, vm_log_header)
+      stop_nam_revertvm(@nam, pid, vsm, reverted, vm_log_header)
 
       vsm.revert_vm
       reverted = true
@@ -338,9 +344,9 @@ module Dorothy
       FileUtils.rm(bin.binpath)
       LOGGER.info "VSM", vm_log_header + "Process compleated successfully"
 
-    rescue SignalException
+    rescue SignalException, RuntimeError
       LOGGER.warn "DOROTHY", "SIGINT".red + " Catched, exiting gracefully."
-      stop_nam_revertvm(@nam, pid, vsm, guestvm[0], reverted, vm_log_header)
+      stop_nam_revertvm(@nam, pid, vsm, reverted, vm_log_header)
       LOGGER.debug "VSM", vm_log_header + "Removing working dir"
       FileUtils.rm_r(sample_home)
       if in_transaction
@@ -354,7 +360,7 @@ module Dorothy
 
       LOGGER.warn "Dorothy", vm_log_header + "Stopping NAM instances if presents, reverting the Sandbox, and removing working directory"
 
-      stop_nam_revertvm(@nam, pid, vsm, guestvm[0], reverted, vm_log_header)
+      stop_nam_revertvm(@nam, pid, vsm, reverted, vm_log_header)
       LOGGER.debug "VSM", vm_log_header + "Removing working dir"
 
       FileUtils.rm_r(sample_home)
@@ -372,83 +378,90 @@ module Dorothy
   end
 
 #Stop NAM instance and Revert VM
-def stop_nam_revertvm(nam, pid, vsm, guestvm, reverted, vm_log_header)
+  def stop_nam_revertvm(nam, pid, vsm, reverted, vm_log_header)
 
-  if pid
-    LOGGER.info "VSM", vm_log_header + " Stopping sniffing module " + pid.to_s
-    nam.stop_sniffer(pid)
-  end
+    if pid
+      LOGGER.info "VSM", vm_log_header + " Stopping sniffing module " + pid.to_s
+      nam.stop_sniffer(pid)
+    end
 
-  unless reverted || vsm.nil?
-    LOGGER.info "VSM", vm_log_header + " Reverting VM"
-    vsm.revert_vm
-    sleep 3   #wait some seconds for letting the vm revert..
+    unless reverted || vsm.nil?
+      LOGGER.info "VSM", vm_log_header + " Reverting VM"
+      vsm.revert_vm
+      sleep 3   #wait some seconds for letting the vm revert..
+    end
   end
-end
 
 ###Create Baseline
-  def run_baseline
+  def self.run_baseline
     db = Insertdb.new
+    db.vm_init
     guestvm = db.find_vm
-    LOGGER.info "VSM","VM#{guestvm[0]}".red + " Executng the baseline run"
-    vsm = Doro_VSM::ESX.new(DoroSettings.esx[:host],DoroSettings.esx[:user],DoroSettings.esx[:pass],guestvm[1], guestvm[3], guestvm[4])
-    vsm.check_internet
-    LOGGER.info "VSM","VM#{guestvm[0]}".red + " Sleeping #{DoroSettings.sandbox[:sleeptime]} seconds".yellow
-    sleep DoroSettings.sandbox[:sleeptime]
-    vsm.get_running_procs(nil, true)  #save on file
-    LOGGER.info "VSM", "VM#{guestvm[0]} ".red + "Reverting VM".yellow
-    vsm.revert_vm
-    db.free_vm(guestvm[0])
-    db.close
-  rescue => e
-    LOGGER.error "VSM", "VM#{guestvm[0]} An error occurred while performing the BASELINE run, please retry"
-    LOGGER.debug "Dorothy" , "#{$!}\n #{e.inspect} \n #{e.backtrace}" if VERBOSE
-    LOGGER.warn "VSM", "VM#{guestvm[0]} ".red + "[RECOVER] Reverting VM".yellow
-    vsm.revert_vm
-    db.free_vm(guestvm[0])
-    db.close
-  end
+    if guestvm
+      begin
+        LOGGER.info "VSM","VM#{guestvm[0]}".red + " Executng the baseline run"
+        vsm = Doro_VSM::ESX.new(DoroSettings.esx[:host],DoroSettings.esx[:user],DoroSettings.esx[:pass],guestvm[1], guestvm[3], guestvm[4])
+        vsm.check_internet
+        LOGGER.info "VSM","VM#{guestvm[0]}".red + " Sleeping #{DoroSettings.sandbox[:sleeptime]} seconds".yellow
+        sleep DoroSettings.sandbox[:sleeptime]
+        vsm.get_running_procs(nil, true)  #save on file
+        LOGGER.info "VSM", "VM#{guestvm[0]} ".red + "Reverting VM".yellow
+        vsm.revert_vm
+        db.free_vm(guestvm[0])
+        db.close
+      rescue => e
+        LOGGER.error "VSM", "VM#{guestvm[0]} ".yellow + "An error occurred while performing the BASELINE run, please retry"
+        LOGGER.debug "Dorothy" , "VM#{guestvm[0]} ".yellow + "#{$!}\n #{e.inspect} \n #{e.backtrace}" if VERBOSE
+        LOGGER.warn "VSM", "VM#{guestvm[0]} ".yellow + "[RECOVER] Reverting VM"
+        vsm.revert_vm
+        db.free_vm(guestvm[0])
+        db.close
+       end
+      else
+        LOGGER.fatal "VSM", "[CRITICAL]".red + " There are no free VM at the moment..how it is possible?"
+      end
+    end
 
 ########################
 ## VTOTAL SCAN		####
 ########################
-  private
-  def scan(bin)
-    #puts "TOTAL", "Forking for VTOTAL"
-    @vtotal_threads << Thread.new(bin.sha) {
-      LOGGER.info "VTOTAL", "Scanning file #{bin.md5}".yellow
+    private
+    def scan(bin)
+      #puts "TOTAL", "Forking for VTOTAL"
+      @vtotal_threads << Thread.new(bin.sha) {
+        LOGGER.info "VTOTAL", "Scanning file #{bin.md5}".yellow
 
-      vt = Vtotal.new
-      id = vt.analyze_file(bin.binpath)
+        vt = Vtotal.new
+        id = vt.analyze_file(bin.binpath)
 
-      LOGGER.debug "VTOTAL", "Sleeping"
+        LOGGER.debug "VTOTAL", "Sleeping"
 
-      sleep 15
+        sleep 15
 
-      until vt.get_report(id)
-        LOGGER.info "VTOTAL", "Waiting a while and keep retring..."
-        sleep 30
-      end
+        until vt.get_report(id)
+          LOGGER.info "VTOTAL", "Waiting a while and keep retring..."
+          sleep 30
+        end
 
-      LOGGER.info "VTOTAL", "#{bin.md5} Detection Rate: #{vt.rate}"
-      LOGGER.info "VTOTAL", "#{bin.md5} Family by McAfee: #{vt.family}"
+        LOGGER.info "VTOTAL", "#{bin.md5} Detection Rate: #{vt.rate}"
+        LOGGER.info "VTOTAL", "#{bin.md5} Family by McAfee: #{vt.family}"
 
-      LOGGER.info "VTOTAL", "Updating DB"
-      vtvalues = [bin.sha, vt.family, vt.vendor, vt.version, vt.rate, vt.updated, vt.detected]
-      db = Insertdb.new
-      db.begin
-      begin
-        db.insert("malwares", vtvalues)
-        db.close
-      rescue
-        db.rollback
-        LOGGER.error "VTOTAL", "Error while inserting values in malware table"
-      end
+        LOGGER.info "VTOTAL", "Updating DB"
+        vtvalues = [bin.sha, vt.family, vt.vendor, vt.version, vt.rate, vt.updated, vt.detected]
+        db = Insertdb.new
+        db.begin
+        begin
+          db.insert("malwares", vtvalues)
+          db.close
+        rescue
+          db.rollback
+          LOGGER.error "VTOTAL", "Error while inserting values in malware table"
+        end
 
-      #TODO upload evidence to RT
-    }
+        #TODO upload evidence to RT
+      }
 
-  end
+    end
 
 
 
@@ -456,118 +469,129 @@ end
 ##			MAIN	        	#
 #########################
 
-  def self.start(source=nil, daemon=nil)
+    def self.start(source=nil, daemon=nil)
 
-    @db = Insertdb.new
-    daemon ||= false
+      @db = Insertdb.new
+      daemon ||= false
 
-    puts "[Dorothy]".yellow +  " Process Started"
+      puts "[" + "+".red + "] " +  "[Dorothy]".yellow +  " Process Started"
 
 
-    LOGGER.info "Dorothy", "Started".yellow
+      LOGGER.info "Dorothy", "Started".yellow
 
-    if daemon
-      check_pid_file DoroSettings.env[:pidfile]
-      puts "[Dorothy]".yellow + " Going in backround with pid #{Process.pid}"
-      puts "[Dorothy]".yellow + " Logging on #{DoroSettings.env[:logfile]}"
-      Process.daemon
-      create_pid_file DoroSettings.env[:pidfile]
-      puts "[Dorothy]".yellow +  " Going in backround with pid #{Process.pid}"
-    end
+      if daemon
+        check_pid_file DoroSettings.env[:pidfile]
+        puts "[" + "+".red + "] " + "[Dorothy]".yellow + " Going in backround with pid #{Process.pid}"
+        puts "[" + "+".red + "] " + "[Dorothy]".yellow + " Logging on #{DoroSettings.env[:logfile]}"
+        Process.daemon
+        create_pid_file DoroSettings.env[:pidfile]
+        puts "[" + "+".red + "] " +  "[Dorothy]".yellow +  " Going in backround with pid #{Process.pid}"
+      end
 
-    #Creating a new NAM object for managing the sniffer
-    @nam = Doro_NAM.new(DoroSettings.nam)
+      #Creating a new NAM object for managing the sniffer
+      @nam = Doro_NAM.new(DoroSettings.nam)
+      #Be sure that there are no open tcpdump instances opened
+      @nam.init_sniffer
 
-    @vtotal_threads = []
-    @vtotal_threads = []
-    @analysis_threads = []
+      @vtotal_threads = []
+      @vtotal_threads = []
+      @analysis_threads = []
 
-    infinite = true
+      infinite = true
 
-    #be sure that all the vm are available by forcing their release
-    @db.vm_init
+      #be sure that all the vm are available by forcing their release
+      @db.vm_init
 
-    if source # a source has been specified
-      while infinite  #infinite loop
-        dfm = DorothyFetcher.new(source)
-        start_analysis(dfm.bins)
-        infinite = daemon #exit if wasn't set
-        wait_end
-        LOGGER.info "Dorothy", "SLEEPING" if daemon
-        sleep DoroSettings.env[:dtimeout] if daemon # Sleeping a while if -d wasn't set, then quit.
-      end
-    else  # no sources specified, analyze all of them
-      while infinite  #infinite loop
-        sources = YAML.load_file(DoroSettings.env[:home] + '/etc/sources.yml')
-        sources.keys.each do |sname|
-          dfm = DorothyFetcher.new(sources[sname])
+      if source # a source has been specified
+        while infinite  #infinite loop
+          dfm = DorothyFetcher.new(source)
           start_analysis(dfm.bins)
+          infinite = daemon #exit if wasn't set
+          wait_end
+          LOGGER.info "Dorothy", "SLEEPING" if daemon
+          sleep DoroSettings.env[:dtimeout] if daemon # Sleeping a while if -d wasn't set, then quit.
+        end
+      else  # no sources specified, analyze all of them
+        while infinite  #infinite loop
+          sources = YAML.load_file(DoroSettings.env[:home] + '/etc/sources.yml')
+          sources.keys.each do |sname|
+            dfm = DorothyFetcher.new(sources[sname])
+            start_analysis(dfm.bins)
+          end
+          infinite = daemon #exit if wasn't set
+          wait_end
+          LOGGER.info "Dorothy", "SLEEPING" if daemon
+          sleep DoroSettings.env[:dtimeout].to_i if daemon # Sleeping a while if -d wasn't set, then quit.
         end
-        infinite = daemon #exit if wasn't set
-        wait_end
-        LOGGER.info "Dorothy", "SLEEPING" if daemon
-        sleep DoroSettings.env[:dtimeout].to_i if daemon # Sleeping a while if -d wasn't set, then quit.
       end
-    end
 
-    @db.close
+      @db.close
 
-  end
+    end
 
-  def wait_end
+    def wait_end
 
-    unless @vtotal_threads.empty?
-      @vtotal_threads.each { |aThread|  aThread.join}
-      LOGGER.info "VTOTAL","Process compleated successfully"
-    end
+      unless @vtotal_threads.empty?
+        @vtotal_threads.each { |aThread|  aThread.join}
+        LOGGER.info "VTOTAL","Process compleated successfully"
+      end
 
-    @analysis_threads.each { |aThread|  aThread.join }
-    LOGGER.info "Dorothy", "Process finished"
+      @analysis_threads.each { |aThread|  aThread.join }
+      LOGGER.info "Dorothy", "Process finished"
 
-  end
+    end
 
-  def check_pid_file(file)
-    if File.exist? file
-      # If we get Errno::ESRCH then process does not exist and
-      # we can safely cleanup the pid file.
-      pid = File.read(file).to_i
-      begin
-        Process.kill(0, pid)
-      rescue Errno::ESRCH
-        stale_pid = true
-      end
+    def check_pid_file(file)
+      if File.exist? file
+        # If we get Errno::ESRCH then process does not exist and
+        # we can safely cleanup the pid file.
+        pid = File.read(file).to_i
+        begin
+          Process.kill(0, pid)
+        rescue Errno::ESRCH
+          stale_pid = true
+        end
 
-      unless stale_pid
-        puts "[Dorothy]".yellow + " Dorothy is already running (pid=#{pid})"
-        exit(1)
+        unless stale_pid
+          puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " Dorothy is already running (pid=#{pid})"
+          exit(1)
+        end
       end
     end
-  end
 
-  def create_pid_file(file)
-    File.open(file, "w") { |f| f.puts Process.pid }
+    def create_pid_file(file)
+      File.open(file, "w") { |f| f.puts Process.pid }
 
-    # Remove pid file during shutdown
-    at_exit do
-      Logger.info "Dorothy", "Shutting down." rescue nil
-      if File.exist? file
-        File.unlink file
+      # Remove pid file during shutdown
+      at_exit do
+        LOGGER.info "Dorothy", "Shutting down." rescue nil
+        if File.exist? file
+          File.unlink file
+        end
       end
     end
-  end
 
+    def self.stop_running_analyses
+      LOGGER.info "Dorothy", "Killing curent live analysis threads.."
+      @analysis_threads.each { |aThread|
+        aThread.raise
+        aThread.join
+      }
+    end
 ## Sends SIGTERM to process in pidfile. Server should trap this
 # and shutdown cleanly.
-  def self.stop
-    LOGGER.info "Dorothy", "Shutting down."
-    pid_file = DoroSettings.env[:pidfile]
-    if pid_file and File.exist? pid_file
-      pid = Integer(File.read(pid_file))
-      Process.kill(-15, -pid)
-      LOGGER.info "Dorothy", "Process #{pid} terminated"
-    else
-      LOGGER.info "Dorothy", "Can't find PID file, is Dorothy really running?"
+    def self.stop
+      puts "[" + "+".red + "]" + " Dorothy is shutting now.."
+      LOGGER.info "Dorothy", "Shutting down."
+      pid_file = DoroSettings.env[:pidfile]
+      if pid_file and File.exist? pid_file
+        pid = Integer(File.read(pid_file))
+        Process.kill(-2,-pid)
+        LOGGER.info "Dorothy", "Process #{pid} terminated"
+        puts "[" + "+".red + "]" + " Dorothy Process #{pid} terminated"
+      else
+        LOGGER.info "Dorothy", "Can't find PID file, is Dorothy really running?"
+      end
     end
-  end
 
-end
+  end

data/lib/dorothy2/NAM.rb

@@ -22,12 +22,31 @@ module Dorothy
       Net::SSH.start(@server, @user, :password => @pass, :port =>@port) do |@ssh|
         MANUAL ? not_rdp = "and not port 3389" : not_rdp = ""
         @ssh.exec "nohup sudo tcpdump -i #{interface} -s 1514 -w #{pcaphome}/#{name}.pcap host #{vmaddress} #{not_rdp} 2> log.tmp  & "
-        t = @ssh.exec!"ps aux |grep #{vmaddress}|grep -v grep|grep -v bash"
-        pid = t.split(" ")[1]
+
+        begin
+          t = @ssh.exec!"ps aux |grep #{name}|grep -v grep|grep -v bash"
+          pid = t.split(" ")[1]
+        rescue
+          r = 0
+          if r <= 2
+            r = r+1
+            LOGGER.warn "NSM", " NAM has failed to catch the Tcpdump PID, retry n. #{r}/3"
+            sleep 2
+            retry
+          end
+          LOGGER.warn "NSM", " NAM has failed to catch the Tcpdump PID, retry n. #{r}/3"
+          raise
+        end
         return pid.to_i
       end
     end
 
+    def init_sniffer
+      Net::SSH.start(@server, @user, :password => @pass, :port =>@port) do |ssh|
+        ssh.exec "sudo killall tcpdump"
+      end
+    end
+
     def stop_sniffer(pid)
       Net::SSH.start(@server, @user, :password => @pass, :port =>@port) do |ssh|
         ssh.exec "sudo kill -2 #{pid}"

data/lib/dorothy2/VSM.rb

@@ -6,7 +6,6 @@ module Dorothy
 
   #Dorothy module-class for managig the virtual sandboxes
   class Doro_VSM
-
     #ESX vSphere5 interface
     class ESX
 
@@ -73,7 +72,7 @@ module Dorothy
 
       def exec_file(filename, program)
         program["prog_args"].nil? ? args = "" : args = program["prog_args"]
-        args << " #{filename}"
+        args += " #{filename}"
         cmd = { :programPath => program["prog_path"], :arguments => args }
         pid = @pm.StartProgramInGuest(:vm => @vm , :auth => @auth, :spec => cmd )
         pid.to_i
@@ -100,7 +99,7 @@ module Dorothy
         @pp2 = Hash.new
         procs = @pm.ListProcessesInGuest(:vm => @vm , :auth => @auth, :pids => pid )
         procs.each {|pp2| @pp2.merge! Hash[pp2.pid, Hash["pname", pp2.name, "owner", pp2.owner, "cmdLine", pp2.cmdLine, "startTime", pp2.startTime, "endTime", pp2.endTime, "exitCode", pp2.exitCode]]}
-          if save_tofile
+        if save_tofile
           Util.write(filename, @pp2.to_yaml)
           LOGGER.info "VSM", "Current running processes saved to #{filename}"
         end

data/lib/dorothy2/do-utils.rb

@@ -5,7 +5,6 @@
 module Dorothy
 
   module Util
-
     extend self
 
     def write(file, string)
@@ -89,6 +88,8 @@ module Dorothy
           value1 = value
         elsif value =~ /currval/
           value1 = value
+        elsif table == "sys_procs"   #avoiding noising escape-issue for \u
+          value1 = "E'#{value.inspect}'"
         else
           #if present, remove ""
           value.gsub! /^"|"$/, '' if values.class.inspect == "String"
@@ -230,6 +231,7 @@ module Dorothy
     attr_reader :md5
     attr_reader :binpath
     attr_reader :filename
+    attr_reader :full_filename  #here i'm sure that the file has an extension and can be executed by windows
     attr_reader :ctime
     attr_reader :size
     attr_reader :pcapsize
@@ -266,20 +268,25 @@ module Dorothy
       @ctime= timetmp.strftime("%m/%d/%y %H:%M:%S")
       @type = fm.file(file)
 
+
       if @extension.nil?    #no extension, trying to put the right one..
         case @type
           when /^PE32/ then
             @extension = (@type =~ /DLL/ ? "dll" : "exe")
+          when /^COM/ then
+            @extension = "exe"
           when /^MS-DOS/ then
             @extension = "bat"
           when /^HTML/ then
             @extension = "html"
           else
-            @extension = nil
+            @extension = "unknown"
         end
+        @full_filename = @filename + "." +  @extension
+      else
+        @full_filename = @filename
       end
 
-
       @size = File.size(file)
     end
 

data/lib/dorothy2/version.rb

@@ -1,3 +1,3 @@
 module Dorothy
-  VERSION = "1.0.9"
+  VERSION = "1.1.0"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: dorothy2
 version: !ruby/object:Gem::Version 
-  hash: 5
+  hash: 19
   prerelease: 
   segments: 
   - 1
+  - 1
   - 0
-  - 9
-  version: 1.0.9
+  version: 1.1.0
 platform: ruby
 authors: 
 - marco riccardi
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-08-11 00:00:00 Z
+date: 2013-09-24 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: net-scp