dorothy2 1.2.0 → 2.0.0

Files changed (47) hide show
  1. checksums.yaml +8 -8
  2. data/CHANGELOG +39 -14
  3. data/README.md +80 -62
  4. data/UPDATE +6 -14
  5. data/bin/dorothy2 +472 -0
  6. data/dorothy2.gemspec +22 -16
  7. data/etc/ddl/dorothive.ddl +619 -373
  8. data/etc/sources.yml.example +27 -2
  9. data/lib/doroGUI.rb +232 -0
  10. data/lib/doroParser.rb +34 -78
  11. data/lib/dorothy2.rb +288 -248
  12. data/lib/dorothy2/BFM.rb +114 -61
  13. data/lib/dorothy2/DEM.rb +3 -1
  14. data/lib/dorothy2/NAM.rb +2 -2
  15. data/lib/dorothy2/Settings.rb +2 -1
  16. data/lib/dorothy2/VSM.rb +2 -1
  17. data/lib/dorothy2/deep_symbolize.rb +2 -7
  18. data/lib/dorothy2/do-init.rb +286 -19
  19. data/lib/dorothy2/do-logger.rb +1 -1
  20. data/lib/dorothy2/do-utils.rb +382 -33
  21. data/lib/dorothy2/version.rb +1 -1
  22. data/lib/dorothy2/vtotal.rb +30 -20
  23. data/lib/mu/xtractr.rb +11 -11
  24. data/lib/mu/xtractr/stream.rb +1 -1
  25. data/lib/www/public/reset.css +153 -0
  26. data/lib/www/public/style.css +65 -0
  27. data/lib/www/views/analyses.erb +28 -0
  28. data/lib/www/views/email.erb +63 -0
  29. data/lib/www/views/flows.erb +30 -0
  30. data/lib/www/views/layout.erb +27 -0
  31. data/lib/www/views/profile.erb +49 -0
  32. data/lib/www/views/queue.erb +28 -0
  33. data/lib/www/views/resume.erb +135 -0
  34. data/lib/www/views/resume.erb~ +88 -0
  35. data/lib/www/views/samples.erb +20 -0
  36. data/lib/www/views/upload.erb +154 -0
  37. data/share/img/The_big_picture.pdf +0 -0
  38. data/test/tc_dorothy_full.rb +3 -0
  39. metadata +169 -70
  40. data/TODO +0 -27
  41. data/bin/dorothy_start +0 -225
  42. data/bin/dorothy_stop +0 -28
  43. data/bin/dparser_start +0 -94
  44. data/bin/dparser_stop +0 -31
  45. data/etc/dorothy copy.yml.example +0 -39
  46. data/etc/extensions.yml +0 -41
  47. data/share/update-dorothive.sql +0 -19
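--- a/data/bin/dorothy_start
+++ /dev/null
@@ -1,225 +0,0 @@
-#!/usr/bin/env ruby
-
-# Copyright (C) 2010-2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/
-# See the file 'LICENSE' for copying permission.
-
-require 'rubygems'
-require 'trollop'
-require 'dorothy2' #comment for testing/developmnet
-
-#load '../lib/dorothy2.rb' #uncomment for testing/developmnet
-
-include Dorothy
-
-
-opts = Trollop.options do
-banner <<-EOS
-
-####################################################
-## ##
-## The Dorothy Malware Analysis Framework 2.0 ##
-## ##
-####################################################
-
-marco.riccardi@honeynet.it
-www.honeynet.it/dorothy
-
-
-Usage:
-dorothy_start [options]
-where [options] are:
-EOS
-
-opt :Version, "Print the current version."
-opt :verbose, "Enable verbose mode"
-opt :infoflow, "Print the analysis flow"
-opt :baseline, "Create a new process baseline"
-opt :source, "Choose a source (from the ones defined in etc/sources.yml)", :type => :string
-opt :daemon, "Stay in the backround, by constantly pooling datasources"
-opt :manual, "Start everything, copy the file, and wait for me."
-opt :SandboxUpdate, "Update Dorothive with the new Sandbox file"
-opt :DorothiveInit, "(RE)Install the Dorothy Database (Dorothive)", :type => :string
-
-end
-
-if opts[:infoflow]
-puts "
-The Dorothy Malware Analysis Framework 2.0
----------------Execution Flow-------------
-#0) Fetch new malwares
-#1) Start VM
-#2) Copy File to VM
-#3) Start Sniffer
-#4) Execute file into VM
-#5) Make screenshot
-#6) Wait X minutes (configure X in the conf file)
-#7) Save the running processes
-#8) Stop Sniffer
-#9) Download Screenshot and trafficdump
-#10) Compare the aquired process list with the one taken during the baseline run. Find the new spawned processes.
-#11) Try to retreive malware info from VirusTotal
-#12) Insert data into Dorothy-DB
-------------------------------------------
-"
-
-exit(0)
-end
-
-if opts[:Version]
-puts "Dorothy ".yellow + Dorothy::VERSION
-exit(0)
-end
-
-puts "
-
-####################################################
-## ##
-## The Dorothy Malware Analysis Framework 2.0 ##
-## ##
-####################################################
-
-"
-
-#VARS
-HOME = File.expand_path("..",File.dirname(__FILE__))
-VERBOSE = (opts[:verbose] ? true : false)
-daemon = (opts[:daemon] ? true : false)
-MANUAL = (opts[:manual] ? true : false)
-
-if MANUAL && daemon
-"[Dorothy]".yellow + " Manual and Deamon modes can't be executed together"
-exit(1)
-end
-
-
-#DEFAULT CONF FILES
-#conf = HOME + '/etc/dorothy.yml'
-
-conf = "#{File.expand_path("~")}/.dorothy.yml"
-
-
-#LOAD ENV
-if Util.exists?(conf)
-DoroSettings.load!(conf)
-else
-DoroConfig.create
-exit(0)
-end
-
-
-#LOAD EXTENSION MGT FILE
-EXTENSIONS=YAML.load_file("#{DoroSettings.env[:home]}/etc/extensions.yml")
-
-
-
-#Logging
-logout = (daemon ? DoroSettings.env[:logfile] : STDOUT)
-LOGGER = DoroLogger.new(logout, DoroSettings.env[:logage])
-LOGGER.sev_threshold = DoroSettings.env[:loglevel]
-
-
-if opts[:baseline]
-puts "[" + "+".red + "] " + "[DOROTHY]".yellow + "Creating a new process baseline."
-Dorothy.run_baseline
-puts "[" + "+".red + "] " + "[WARNING]".red + "Baseline run finished."
-exit(0)
-end
-
-
-
-home = DoroSettings.env[:home]
-#check homefolder
-unless Util.exists?(home)
-DoroConfig.init_home(home)
-end
-
-sfile = home + '/etc/sources.yml'
-sboxfile = home + '/etc/sandboxes.yml'
-baseline_procs = home + '/etc/baseline_processes.yml'
-
-if opts[:DorothiveInit]
-Util.init_db(opts[:DorothiveInit])
-puts "[" + "+".red + "] " + "[Dorothy]".yellow + " Database loaded, now you can restart Dorothy!"
-exit(0)
-end
-
-#INIT DB Connector
-begin
-db = Insertdb.new
-rescue => e
-if e.inspect =~ /exist/
-puts "[" + "+".red + "] " + "WARNING".yellow + " The database doesn't exist yet. Press Enter to load the ddl into the DB"
-gets
-Util.init_db(DoroSettings.dorothive[:ddl])
-exit(0)
-else
-puts "[" + "+".red + "] " + "ERROR".red + " Can't connect to the database"
-puts e
-exit(0)
-end
-end
-
-
-if opts[:SandboxUpdate]
-puts "[" + "+".red + "] " + "[Dorothy]".yellow + " Loading #{sboxfile} into Dorothive"
-DoroConfig.init_sandbox(sboxfile)
-puts "[" + "+".red + "] " + "[Dorothy]".yellow + " Done."
-exit(0)
-end
-
-if Util.exists?(sfile)
-sources = YAML.load_file(sfile)
-#check if all the source directories exist
-sources.keys.each do |s|
-unless Util.exists?("#{sources[s]["localdir"]}")
-LOGGER.warn "INIT", "Warning, the source's localdir #{s} doesn't exist yet, I'm going to create it"
-Dir.mkdir("#{sources[s]["localdir"]}")
-end
-end
-else
-puts "[" + "+".red + "] " + "[WARNING]".red + " A source file doesn't exist, please crate one into #{home}/etc. See the example file in #{HOME}/etc/sources.yml.example"
-exit(0)
-end
-
-unless Util.exists?(sboxfile)
-puts "[" + "+".red + "] " + "[WARNING]".red + " There is no sandbox configured yet. Please do it now."
-DoroConfig.create_sandbox(sboxfile)
-DoroConfig.init_sandbox(sboxfile)
-end
-
-unless Util.exists?(baseline_procs)
-puts "[" + "+".red + "] " + "[WARNING]".red + " There is no process-baseline file yet, Dorothy is going to create one."
-Dorothy.run_baseline
-puts "[" + "+".red + "] " + "[WARNING]".red + " Baseline run finished."
-exit(0)
-end
-
-BASELINE_PROCS = YAML.load_file(baseline_procs)
-
-#Check DB sandbox data
-if db.table_empty?("sandboxes")
-puts "[" + "+".red + "] " + "[WARNING]".red + " No sandbox found in Dorothive, the DB will be filled with " + sboxfile
-DoroConfig.init_sandbox(sboxfile)
-end
-
-if opts[:source] && !sources.key?(opts[:source])
-puts "[" + "+".red + "] " + "[WARNING]".red + " The selected source is not yet configured.\nThe available sources are: "
-puts "[" + "+".red + "] " + sources.keys
-exit(0)
-end
-
-db.close
-
-begin
-Dorothy.start sources[opts[:source]], daemon
-rescue SignalException
-Dorothy.stop_running_analyses
-rescue => e
-puts "[" + "+".red + "] " + "[Dorothy]".yellow + " An error occurred: \n".red + e.inspect
-puts "[" + "+".red + "] " + "[Dorothy]".yellow + " For more information check the logfile \n" + e.inspect if daemon
-LOGGER.error "Dorothy", "An error occurred: \n" + e.inspect
-LOGGER.debug "Dorothy", "#{e.inspect} --BACKTRACE: #{e.backtrace}"
-LOGGER.info "Dorothy", "Dorothy has been stopped"
-end
-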
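--- a/data/bin/dorothy_stop
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env ruby
-
-# Copyright (C) 2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/dorothy
-# See the file 'LICENSE' for copying permission.
-
-
-
-require 'rubygems'
-require 'trollop'
-require 'dorothy2'
-
-#load '../lib/dorothy2.rb'
-
-include Dorothy
-
-conf = "#{File.expand_path("~")}/.dorothy.yml"
-DoroSettings.load!(conf)
-
-#Logging
-
-LOGGER = DoroLogger.new(DoroSettings.env[:logfile], DoroSettings.env[:logage])
-LOGGER.sev_threshold = DoroSettings.env[:loglevel]
-
-
-Dorothy.stop
-
-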
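--- a/data/bin/dparser_start
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/usr/bin/env ruby
-
-# Copyright (C) 2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/
-# See the file 'LICENSE' for copying permission.
-
-require 'rubygems'
-require 'trollop'
-require 'dorothy2'
-require 'doroParser'
-
-#load '../lib/dorothy2.rb'
-#load '../lib/doroParser.rb'
-
-include Dorothy
-include DoroParser
-
-
-
-opts = Trollop.options do
-banner <<-EOS
-
-####################################################
-## ##
-## The Dorothy Malware Analysis Framework 2.0 ##
-## ##
-####################################################
-
-marco.riccardi@honeynet.it
-www.honeynet.it/dorothy
-
-
-Usage:
-dparser_start [options]
-where [options] are:
-EOS
-
-opt :verbose, "Enable verbose mode"
-opt :nonetbios, "Hide Netbios communication"
-opt :daemon, "Stay in the backroud, by constantly pooling datasources"
-
-end
-
-def get_time
-time = Time.new
-return time.utc.strftime("%Y-%m-%d %H:%M:%S")
-end
-
-
-NONETBIOS = opts[:nonetbios] ? true : false
-VERBOSE = opts[:verbose] ? true : false
-daemon = opts[:daemon] ? true : false
-
-
-
-conf = "#{File.expand_path("~")}/.dorothy.yml"
-DoroSettings.load!(conf)
-
-#Logging
-logout = (daemon ? DoroSettings.env[:logfile_parser] : STDOUT)
-LOGGER_PARSER = DoroLogger.new(logout, DoroSettings.env[:logage])
-LOGGER_PARSER.sev_threshold = DoroSettings.env[:loglevel]
-
-LOGGER = DoroLogger.new(logout, DoroSettings.env[:logage])
-LOGGER.sev_threshold = DoroSettings.env[:loglevel]
-
-if DoroSettings.pcapr[:local]=="true"
-if system "sh -c 'type startpcapr > /dev/null 2>&1'"
-pcapr_conf = "#{File.expand_path("~")}/.pcapr_local/config"
-unless Util.exists?(pcapr_conf)
-puts "[WARNING]".red + " Pcapr conf not found at #{File.expand_path("~")}/.pcapr_local/config "
-puts "[WARNING]".red + " Although you have configured Dorothy in order to look for a *local* Pcapr instance,it seems that it is not configured yet,so please run \"startpcapr\" and configure it."
-exit(1)
-end
-else
-puts "[WARNING]".red + " Although you have configured Dorothy in order to look for a *local* Pcapr instance, it seems *NOT INSTALLED* in your system.\n\t Please install it by typing \"sudo gem install pcapr-local\. Then set Pcapr to scan #{DoroSettings.env[:analysis_dir]}"
-exit(1)
-end
-end
-
-
-begin
-DoroParser.start(daemon)
-rescue => e
-puts "[PARSER]".yellow + " An error occurred: ".red + e.inspect
-if daemon
-puts "[PARSER]".yellow + " For more information check the logfile" + e.inspect
-puts "[PARSER]".yellow + "Dorothy-Parser has been stopped"
-end
-LOGGER_PARSER.error "Parser", "An error occurred: " + e.inspect
-LOGGER_PARSER.debug "Parser", "#{e.inspect} --BACKTRACE: #{e.backtrace}"
-LOGGER_PARSER.info "Parser", "Dorothy-Parser has been stopped"
-end
-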
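--- a/data/bin/dparser_stop
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env ruby
-
-# Copyright (C) 2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/dorothy
-# See the file 'LICENSE' for copying permission.
-
-
-require 'rubygems'
-require 'trollop'
-require 'dorothy2'
-require 'doroParser'
-
-#load '../lib/doroParser.rb'
-#load '../lib/dorothy2.rb'
-
-
-
-include Dorothy
-include DoroParser
-
-conf = "#{File.expand_path("~")}/.dorothy.yml"
-DoroSettings.load!(conf)
-
-
-#Logging
-LOGGER_PARSER = DoroLogger.new(STDOUT, 'weekly')
-
-LOGGER = DoroLogger.new(STDOUT, 'weekly')
-
-DoroParser.stop
-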
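--- a/data/etc/dorothy copy.yml.example
+++ /dev/null
@@ -1,39 +0,0 @@
----
-dorothive:
-dbuser: postgres
-dbpass: password
-dbhost: localhost
-dbname: dorothive
-ddl: /Users/akira/Codes/dorothy-gem-try/dorothy2/etc/ddl/dorothive.ddl
-env:
-geoip: /Users/akira/Codes/dorothy-gem-try/dorothy2/etc/geo/GeoLiteCity.dat
-geoasn: /Users/akira/Codes/dorothy-gem-try/dorothy2/etc/geo/GeoIPASNum.dat
-loglevel: 0
-testmode: true
-dtimeout: 3600
-logfile_parser: /Users/akira/Codes/dorothy-gem-try/dorothy2/var/log/parser.log
-analysis_dir: /Users/akira/Codes/dorothy-gem-try/dorothy2/opt/analyzed
-pidfile_parser: /Users/akira/Codes/dorothy-gem-try/dorothy2/var/doroParser.pid
-pidfile: /Users/akira/Codes/dorothy-gem-try/dorothy2/var/dorothy.pid
-logage: weekly
-logfile: /Users/akira/Codes/dorothy-gem-try/dorothy2/var/log/dorothy.log
-home: /Users/akira/Codes/dorothy-gem-try/dorothy2
-esx:
-user: "root"
-pass: "Dorothy!?!"
-host: "192.168.187.128"
-sandbox:
-screen1time: 1
-sleeptime: 60
-screen2time: 15
-nam:
-namuser: dorothy
-pcaphome: ~/pcaps
-nampass: ""
-interface: eth0
-namserver: ""
-virustotal:
-vtapikey: "c37baad50a42d7df3f91e957255a2c6a9deabe339c2ff44d4a637fff912def48"
-
-
-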
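--- a/data/etc/extensions.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-#############################################
-### DOROTHY EXTENSION MANAGER #
-#############################################
-### Choose how do you want to open the the
-### binaries into the Sandbox VM.
-### You can add as much extensions as you
-### want.
-#############################################
----
-exe:
-prog_name: Windows CMD.exe
-prog_path: C:\windows\system32\cmd.exe
-prog_args: /C
-
-
-bat:
-prog_name: Windows CMD.exe
-prog_path: C:\windows\system32\cmd.exe
-prog_args: /C
-
-
-dll:
-prog_name: Windows Rundll32.exe
-prog_path: C:\windows\system32\rundll32.exe
-prog_args:
-
-html: # c:\Program Files\Internet Explorer\iexplore.exe" -new
-prog_name: Microsoft Explorer IEXPLORE.EXE
-prog_path: C:\windows\system32\cmd.exe
-prog_args: /C start "C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE"
-
-#doc:
-# prog_name: Microsoft Word 2003
-# prog_path:
-# prog_args:
-
-#pdf:
-# prog_name: Acrobat Reader Version 1.0
-# prog_path:
-# prog_args:
-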