dorothy2 1.2.0 → 2.0.0

data/lib/dorothy2.rb

@@ -7,7 +7,8 @@
 
 ##.for irb debug:
 ##from $home, irb and :
-##load 'lib/dorothy2.rb'; include Dorothy; LOGGER = DoroLogger.new(STDOUT, "weekly"); DoroSettings.load!('etc/dorothy.yml'); VERBOSE = true
+#load 'dorothy2.rb'; include Dorothy; LOGGER = DoroLogger.new(STDOUT, "weekly"); DoroSettings.load!("#{File.expand_path("~")}/.dorothy.yml")
+##/
 
 require 'net/ssh'
 require 'net/scp'
@@ -21,8 +22,16 @@ require 'pg'
 require 'filemagic'
 require 'rbvmomi'
 require 'timeout'
-require 'virustotal'
+require 'uirusu'
 require 'digest'
+require 'mail'
+require 'io/console'
+require 'base64'
+require 'open-uri'
+require 'csv'
+require 'whois'
+
+
 
 require File.dirname(__FILE__) + '/dorothy2/do-init'
 require File.dirname(__FILE__) + '/dorothy2/Settings'
@@ -35,60 +44,77 @@ require File.dirname(__FILE__) + '/dorothy2/do-utils'
 require File.dirname(__FILE__) + '/dorothy2/do-logger'
 require File.dirname(__FILE__) + '/dorothy2/version'
 
-module Dorothy
 
-  def get_time(local=Time.new)
-    time = local
-    time.utc.strftime("%Y-%m-%d %H:%M:%S")
-  end
 
 
-  def start_analysis(bins)
+
+module Dorothy
+
+  def start_analysis(queue)
     #Create a mutex for monitoring the access to the methods
-    @binum = bins.size
-    bins.each do |bin|
-      next unless check_support(bin)
-      scan(bin) unless DoroSettings.env[:testmode]   #avoid to stress VT if we are just testing
-      if MANUAL #no multithread
-        db = Insertdb.new
-        guestvm = db.find_vm
-        analyze(bin, guestvm)
-        db.free_vm(guestvm[0])
-        db.close
-      else      #Use multithreading
-        @analysis_threads << Thread.new(bin.filename){
-          db = Insertdb.new
-          sleep rand(@binum * 2)  #OPTIMIZE #REVIEW
-          sleep rand(30) while !(guestvm = db.find_vm)  #guestvm struct: array ["sandbox id", "sandbox name", "ipaddress", "user", "password"]
-          analyze(bin, guestvm)
-          db.free_vm(guestvm[0])
-          db.close
-        }
+    @queue_size = queue.size
+
+     unless @queue_size == 0
+      queue.each do |qentry|
+
+        bin = Loadmalw.new(qentry["path"].strip, qentry["filename"])
+        profile = Util.load_profile(qentry['profile'])
+
+        next unless profile
+        next unless check_support(bin, qentry["id"], profile)
+        scan(bin) if profile[1]['vtotal_query']   #avoid to stress VT if we are just testing
+
+        if MANUAL #no multithread
+          execute_analysis(bin, qentry["id"], profile)
+        else      #Use multithreading
+          @analysis_threads << Thread.new(bin.filename){
+            sleep rand(@queue_size * 2)  #OPTIMIZE #REVIEW
+            execute_analysis(bin, qentry["id"],profile,rand(30))
+          }
+        end
       end
+    else
+      LOGGER.warn("Analyser", "The queue is currently empty!") if DEBUG
     end
   end
 
 
-  def check_support(bin)
-    if EXTENSIONS.key?(bin.extension)
-      true
-    else
-      LOGGER.warn("VSM", "File extension #{bin.extension} currently not configured in etc/extensions.yml, skipping")
-      LOGGER.debug("VSM", "Filtype: #{bin.type}") if VERBOSE
-      dir_not_supported = File.dirname(bin.binpath) + "/not_supported"
-      Dir.mkdir(dir_not_supported) unless File.exists?(dir_not_supported)
-      FileUtils.cp(bin.binpath,dir_not_supported) #mv?
-      FileUtils.rm(bin.binpath) ## mv?
-      return false
+
+  def execute_analysis(bin, qentry, profile, timer=0)
+    db = Insertdb.new
+
+    prof_info = profile[1]
+
+    #guestvm struct: array ["sandbox id", "sandbox name", "ipaddress", "user", "password"]
+    sleep timer until (guestvm = db.find_vm(prof_info['OS']['type'], prof_info['OS']['version'], prof_info['OS']['lang']))
+
+    db.analysis_queue_mark(qentry, "processing")
+
+    begin
+      if analyze(bin, guestvm, qentry, profile)
+        db.analysis_queue_mark(qentry, "analysed")
+      else
+        db.analysis_queue_mark(qentry, "error")
+      end
+    rescue
+      db.analysis_queue_mark(qentry, "cancelled")
     end
+
+    db.free_vm(guestvm[0])
+    db.close
+
   end
 
+
+
+
 ###ANALYZE THE SOURCE
-  def analyze(bin, guestvm)
+  def analyze(bin, guestvm, queueid, profile)
 
     #RESERVING AN ANALYSIS ID
     db = Insertdb.new
     anal_id = db.get_anal_id
+    prof_info = profile[1]
 
     #set home vars
     sample_home = DoroSettings.env[:analysis_dir] + "/#{anal_id}"
@@ -99,6 +125,7 @@ module Dorothy
 
     vm_log_header = "VM#{guestvm[0]} ".yellow + "[" + "#{anal_id}".red + "] "
 
+
     LOGGER.info "VSM", vm_log_header + "Analyzing binary #{bin.filename}"
 
     begin
@@ -111,12 +138,11 @@ module Dorothy
         Dir.mkdir bin.dir_screens
         Dir.mkdir bin.dir_downloads
 
-        if VERBOSE
-          LOGGER.debug "VSM", sample_home
-          LOGGER.debug "VSM",bin.dir_bin
-          LOGGER.debug "VSM",bin.dir_pcap
-          LOGGER.debug "VSM",bin.dir_screens
-        end
+        LOGGER.debug "VSM", sample_home
+        LOGGER.debug "VSM",bin.dir_bin
+        LOGGER.debug "VSM",bin.dir_pcap
+        LOGGER.debug "VSM",bin.dir_screens
+
 
       else
         LOGGER.warn "VSM",vm_log_header + "Malware #{bin.md5} sample_home already present, WTF!? Skipping.."
@@ -125,8 +151,7 @@ module Dorothy
       end
 
 
-
-      FileUtils.cp(bin.binpath,bin.dir_bin)  # mv?
+      FileUtils.ln_s(bin.binpath,bin.dir_bin + bin.filename)  # put a symbolic link from the analysis folder to the bins repo
 
 
       #Creating a new VSM object for managing the SandBox VM
@@ -164,29 +189,31 @@ module Dorothy
       dumpname = anal_id.to_s + "-" + bin.md5
       pid = @nam.start_sniffer(guestvm[2],DoroSettings.nam[:interface], dumpname, DoroSettings.nam[:pcaphome])
       LOGGER.info "NAM",vm_log_header + "Start sniffing module"
-      LOGGER.debug "NAM",vm_log_header + "Tcpdump instance #{pid} started" if VERBOSE
+      LOGGER.debug "NAM",vm_log_header + "Tcpdump instance #{pid} started"
 
       #sleep 5
 
       @screenshots = Array.new
 
       #Execute File into VM
-      LOGGER.info "VSM",vm_log_header + "Executing #{bin.full_filename} with #{EXTENSIONS[bin.extension]["prog_name"]}"
+      LOGGER.info "VSM",vm_log_header + "Executing #{bin.full_filename} with #{prof_info['extensions'][bin.extension]['prog_name']}"
 
       if MANUAL
-        LOGGER.debug "VSM",vm_log_header + " MANUAL mode detected. You can now logon to rdp:// "
+        LOGGER.debug "MANUAL-MODE",vm_log_header + " MANUAL mode detected. You can now logon to rdp://#{guestvm[2]} "
 
         menu="
-
-          Choose your next action:
-          1) Take Screenshot
-          2) Take ProcessList
-          3) Execute #{bin.full_filename}
-          0) Continue and revert the machine.
+        #{"Choose your next action:".yellow}
+          ------------------------
+          #{"1".yellow}) Take Screenshot
+          #{"2".yellow}) Take ProcessList
+          #{"3".yellow}) Execute #{bin.full_filename}
+        #{"0".yellow}) Continue and revert the machine.
+          ------------------------
 
           Select a nuber:"
 
-        LOGGER.info "MANUAL-MODE",vm_log_header + menu
+        print menu
+        $stdout.flush
         answer = gets.chop
 
         until answer == "0"
@@ -201,11 +228,12 @@ module Dorothy
                 LOGGER.info "MANUAL-MODE", vm_log_header + "[" + "+".red + "]" + " PID: #{pid}, NAME: #{@current_procs[pid]["pname"]}, COMMAND: #{@current_procs[pid]["cmdLine"]}"
               end
             when "3"
-              guestpid = vsm.exec_file("C:\\#{bin.full_filename}",EXTENSIONS[bin.extension])
+              guestpid = vsm.exec_file("C:\\#{bin.full_filename}",prof_info['extensions'][bin.extension])
               LOGGER.debug "MANUAL-MODE",vm_log_header + "Program executed with PID #{guestpid}"
             #when "x" then -- More interactive actions to add
             else
-              LOGGER.info "MANUAL-MODE",vm_log_header +  menu
+              print menu
+              $stdout.flush
           end
           answer = gets.chop
         end
@@ -214,21 +242,21 @@ module Dorothy
 
 
       else
-        guestpid = vsm.exec_file("C:\\#{bin.full_filename}",EXTENSIONS[bin.extension])
-        LOGGER.debug "VSM",vm_log_header + "Program executed with PID #{guestpid}" if VERBOSE
+        guestpid = vsm.exec_file("C:\\#{bin.full_filename}",prof_info['extensions'][bin.extension])
+        LOGGER.debug "VSM",vm_log_header + "Program executed with PID #{guestpid}"
         sleep 1
         returncode = vsm.get_status(guestpid)
         raise "The program was not correctly executed into the Sandbox. Status code: #{returncode}" unless returncode == 0 || returncode.nil?
 
-        LOGGER.info "VSM",vm_log_header + " Sleeping #{DoroSettings.sandbox[:sleeptime]} seconds".yellow
-        sleep DoroSettings.sandbox[:screen1time] % DoroSettings.sandbox[:sleeptime]
+        LOGGER.info "VSM",vm_log_header + " Sleeping #{prof_info['sleeptime']} seconds".yellow
+        sleep prof_info['screenshots']['delay_first'] % prof_info['sleeptime']
 
-        DoroSettings.sandbox[:num_screenshots].times do
+        prof_info['screenshots']['number'].times do
           @screenshots.push vsm.screenshot
-          sleep DoroSettings.sandbox[:screen2time] % DoroSettings.sandbox[:sleeptime] if DoroSettings.sandbox[:screen2time]
+          sleep prof_info['screenshots']['delay_inbetween'] % prof_info['sleeptime'] if prof_info['screenshots']['delay_inbetween']
         end
 
-        sleep DoroSettings.sandbox[:sleeptime]
+        sleep prof_info['sleeptime']
 
         #Get Procs
         @current_procs = vsm.get_running_procs
@@ -246,7 +274,7 @@ module Dorothy
       LOGGER.info "VSM", vm_log_header + "Checking for spowned processes"
 
       unless @current_procs.nil?
-        @procs = vsm.get_new_procs(@current_procs)
+        @procs = vsm.get_new_procs(@current_procs, "#{DoroSettings.env[:home]}/etc/#{profile[0]}_baseline_procs.yml")
         if @procs.size > 0
           LOGGER.info "VSM", vm_log_header + "#{@procs.size} new process(es) found"
           @procs.each_key do |pid|
@@ -284,7 +312,7 @@ module Dorothy
         pcaprid = Loadmalw.calc_pcaprid(dump.filename, dump.size).rstrip
       end
 
-      LOGGER.debug "NAM", vm_log_header + "Pcaprid: " + pcaprid if VERBOSE
+      LOGGER.debug "NAM", vm_log_header + "Pcaprid: " + pcaprid
 
       empty_pcap = false
 
@@ -296,7 +324,7 @@ module Dorothy
 
       dumpvalues = [dump.sha, dump.size, pcaprid, dump.binpath, 'false']
       dump.sha = "EMPTYPCAP" if empty_pcap
-      analysis_values = [anal_id, bin.sha, guestvm[0], dump.sha, get_time]
+      analysis_values = [anal_id, bin.sha, guestvm[0], dump.sha, Util.get_time, queueid]
 
       if pcaprid.nil? || bin.dir_pcap.nil? || bin.sha.nil? || bin.md5.nil?
         LOGGER.error "VSM", "VM#{guestvm[0]} Can't retrieve the required information"
@@ -304,7 +332,7 @@ module Dorothy
       end
 
 
-      LOGGER.debug "DB", "VM#{guestvm[0]} Database insert phase" if VERBOSE
+      LOGGER.debug "DB", "VM#{guestvm[0]} Database insert phase"
 
       db.begin_t  #needed for rollbacks
       in_transaction = true
@@ -324,9 +352,9 @@ module Dorothy
       end
 
       @procs.each_key do |pid|
-        @procs[pid]["endTime"] ? end_time = get_time(@procs[pid]["endTime"]) : end_time = "null"
+        @procs[pid]["endTime"] ? end_time = Util.get_time(@procs[pid]["endTime"]) : end_time = "null"
         @procs[pid]["exitCode"] ? exit_code = @procs[pid]["exitCode"] : exit_code = "null"
-        sys_procs_values = [anal_id, pid, @procs[pid]["pname"], @procs[pid]["owner"], @procs[pid]["cmdLine"], get_time(@procs[pid]["startTime"]), end_time, exit_code ]
+        sys_procs_values = [anal_id, pid, @procs[pid]["pname"], @procs[pid]["owner"], @procs[pid]["cmdLine"], Util.get_time(@procs[pid]["startTime"]), end_time, exit_code ]
         unless db.insert("sys_procs", sys_procs_values)
           LOGGER.fatal "DB", vm_log_header + "Error while inserting data into table sys_procs. Skipping binary #{bin.md5}"
           raise "DB-ERROR"
@@ -336,33 +364,33 @@ module Dorothy
 
       #TODO ADD RT CODE
 
+
       db.commit
       in_transaction = false
       db.close
 
-      LOGGER.info "VSM", vm_log_header + "Removing file from /bins directory"
-      FileUtils.rm(bin.binpath)
       LOGGER.info "VSM", vm_log_header + "Process compleated successfully"
 
-    rescue SignalException, RuntimeError
+    rescue SignalException #, RuntimeError
       LOGGER.warn "DOROTHY", "SIGINT".red + " Catched, exiting gracefully."
       stop_nam_revertvm(@nam, pid, vsm, reverted, vm_log_header)
       LOGGER.debug "VSM", vm_log_header + "Removing working dir"
       FileUtils.rm_r(sample_home)
+
       if in_transaction
         db.rollback  #rollback in case there is a transaction on going
         db.close
       end
 
+      raise
     rescue Exception => e
       LOGGER.error "VSM", vm_log_header + "An error occurred while analyzing #{bin.filename}, skipping\n"
-      LOGGER.debug "Dorothy" , "#{$!}\n #{e.inspect} \n #{e.backtrace}" if VERBOSE
+      LOGGER.debug "Analyser" , "#{$!}\n #{e.inspect} \n #{e.backtrace}"
 
-      LOGGER.warn "Dorothy", vm_log_header + "Stopping NAM instances if presents, reverting the Sandbox, and removing working directory"
+      LOGGER.warn "Analyser", vm_log_header + "Stopping NAM instances if presents, reverting the Sandbox, and removing working directory"
 
       stop_nam_revertvm(@nam, pid, vsm, reverted, vm_log_header)
       LOGGER.debug "VSM", vm_log_header + "Removing working dir"
-
       FileUtils.rm_r(sample_home)
 
       if in_transaction
@@ -371,228 +399,240 @@ module Dorothy
       end
 
       LOGGER.warn "VSM", vm_log_header + "Recover finished."
-
+      false
 
     end
 
   end
 
-#Stop NAM instance and Revert VM
-  def stop_nam_revertvm(nam, pid, vsm, reverted, vm_log_header)
 
-    if pid
-      LOGGER.info "VSM", vm_log_header + " Stopping sniffing module " + pid.to_s
-      nam.stop_sniffer(pid)
-    end
 
-    unless reverted || vsm.nil?
-      LOGGER.info "VSM", vm_log_header + " Reverting VM"
-      vsm.revert_vm
-      sleep 3   #wait some seconds for letting the vm revert..
-    end
-  end
+  #########################
+  ##			MAIN	        	#
+  #########################
 
-###Create Baseline
-  def self.run_baseline
-    db = Insertdb.new
-    db.vm_init
-    guestvm = db.find_vm
-    if guestvm
-      begin
-        LOGGER.info "VSM","VM#{guestvm[0]}".red + " Executng the baseline run"
-        vsm = Doro_VSM::ESX.new(DoroSettings.esx[:host],DoroSettings.esx[:user],DoroSettings.esx[:pass],guestvm[1], guestvm[3], guestvm[4])
-        vsm.check_internet
-        LOGGER.info "VSM","VM#{guestvm[0]}".red + " Sleeping #{DoroSettings.sandbox[:sleeptime]} seconds".yellow
-        sleep DoroSettings.sandbox[:sleeptime]
-        vsm.get_running_procs(nil, true)  #save on file
-        LOGGER.info "VSM", "VM#{guestvm[0]} ".red + "Reverting VM".yellow
-        vsm.revert_vm
-        db.free_vm(guestvm[0])
-        db.close
-      rescue => e
-        LOGGER.error "VSM", "VM#{guestvm[0]} ".yellow + "An error occurred while performing the BASELINE run, please retry"
-        LOGGER.debug "Dorothy" , "VM#{guestvm[0]} ".yellow + "#{$!}\n #{e.inspect} \n #{e.backtrace}" if VERBOSE
-        LOGGER.warn "VSM", "VM#{guestvm[0]} ".yellow + "[RECOVER] Reverting VM"
-        vsm.revert_vm
-        db.free_vm(guestvm[0])
-        db.close
-       end
-      else
-        LOGGER.fatal "VSM", "[CRITICAL]".red + " There are no free VM at the moment..how it is possible?"
-      end
-    end
+  def self.start(daemon=false)
+    @vtotal_threads = []
+    @analysis_threads = []
+    @bins = []
+    @db = Insertdb.new
+
+
+    LOGGER.info "Analyser", "Started".yellow
+
+
+    #Creating a new NAM object for managing the sniffer
+    @nam = Doro_NAM.new(DoroSettings.nam)
+    #Be sure that there are no open tcpdump instances opened
+    @nam.init_sniffer
+
+
+    finish = false
+    infinite = true
 
-########################
-## VTOTAL SCAN		####
-########################
-    private
-    def scan(bin)
-      #puts "TOTAL", "Forking for VTOTAL"
-      @vtotal_threads << Thread.new(bin.sha) {
-        LOGGER.info "VTOTAL", "Scanning file #{bin.md5}".yellow
+    #be sure that all the vm are available by forcing their release
+    @db.vm_init
 
-        vt = Vtotal.new
-        id = vt.analyze_file(bin.binpath)
+    #Check if the are some analysis pending in the queue
+    unless @db.analysis_queue_pull.empty? || daemon
+      LOGGER.warn "WARNING", "There are some pending analyses in the queue, what do you want to do?"
+      menu="
+          --------------------------------------
+          #{"1".yellow}) Mark as analysed and continue
+          #{"2".yellow}) Append the new files and analyse also the pending ones
+          #{"3".yellow}) List pending analyses
+          --------------------------------------
+          Select a nuber:"
+
+      print menu
+      $stdout.flush
+      answer = gets.chop
+
+      until finish
+        case answer
+          when "1" then
+            @db.analysis_queue_mark_all
+            LOGGER.info "Analyser", "Queue Cleared, proceding.."
+            finish = true
 
-        LOGGER.debug "VTOTAL", "Sleeping"
+          when "2"
+            LOGGER.info "Analyser", "Proceding.."
+            finish = true
 
-        sleep 15
+          when "3"
+            @db.analysis_queue_view
 
-        until vt.get_report(id)
-          LOGGER.info "VTOTAL", "Waiting a while and keep retring..."
-          sleep 30
+          else
+            LOGGER.warn "Analyser", "There are some pending analyses in the queue, what do you want to do?"
+            print menu
+            $stdout.flush
         end
 
-        LOGGER.info "VTOTAL", "#{bin.md5} Detection Rate: #{vt.rate}"
-        LOGGER.info "VTOTAL", "#{bin.md5} Family by McAfee: #{vt.family}"
+        answer = gets.chop unless finish
+      end
+    end
+
+
+    begin
+      while infinite  #infinite loop
 
-        LOGGER.info "VTOTAL", "Updating DB"
-        vtvalues = [bin.sha, vt.family, vt.vendor, vt.version, vt.rate, vt.updated, vt.detected]
-        db = Insertdb.new
-        db.begin
         begin
-          db.insert("malwares", vtvalues)
-          db.close
-        rescue
-          db.rollback
-          LOGGER.error "VTOTAL", "Error while inserting values in malware table"
+          start_analysis(@db.analysis_queue_pull)
+          infinite = daemon #exit if wasn't set
+        rescue SignalException #, RuntimeError
+          LOGGER.warn "DOROTHY", "SIGINT".red + " Catched [2], exiting gracefully."
+          stop_running_analyses
+          Process.kill('HUP',Process.pid)
         end
 
-        #TODO upload evidence to RT
-      }
+        # Sleeping a while if -d wasn't set, then quit.
+        if daemon
+          LOGGER.info "Analyser", "SLEEPING" if DEBUG
+          sleep DoroSettings.env[:sleeptime].to_i
+        end
 
-    end
+        wait_end  #TODO: is really required (here)?
 
+      end
+    rescue SignalException #, RuntimeError
+      LOGGER.warn "DOROTHY", "SIGINT".red + " Catched [3], exiting gracefully."
+    end
+    @db.close
 
+  end
 
-#########################
-##			MAIN	        	#
-#########################
+  def wait_end
 
-    def self.start(source=nil, daemon=nil)
+    unless @vtotal_threads.empty?
+      @vtotal_threads.each { |aThread|  aThread.join}
+      LOGGER.info "VTOTAL","Process compleated successfully" if DEBUG
+    end
 
-      @vtotal_threads = []
-      @analysis_threads = []
-      @db = Insertdb.new
+    @analysis_threads.each { |aThread|  aThread.join }
+    LOGGER.info "Analyser", "Process finished" if DEBUG
 
-      daemon ||= false
+  end
 
-      puts "[" + "+".red + "] " +  "[Dorothy]".yellow +  " Process Started"
+  ############# END OF MAIN
 
 
-      LOGGER.info "Dorothy", "Started".yellow
 
-      if daemon
-        check_pid_file DoroSettings.env[:pidfile]
-        puts "[" + "+".red + "] " + "[Dorothy]".yellow + " Going in backround with pid #{Process.pid}"
-        puts "[" + "+".red + "] " + "[Dorothy]".yellow + " Logging on #{DoroSettings.env[:logfile]}"
-        Process.daemon
-        create_pid_file DoroSettings.env[:pidfile]
-        puts "[" + "+".red + "] " +  "[Dorothy]".yellow +  " Going in backround with pid #{Process.pid}"
-      end
 
-      #Creating a new NAM object for managing the sniffer
-      @nam = Doro_NAM.new(DoroSettings.nam)
-      #Be sure that there are no open tcpdump instances opened
-      @nam.init_sniffer
 
 
 
-      infinite = true
 
-      #be sure that all the vm are available by forcing their release
-      @db.vm_init
-
-      if source # a source has been specified
-        while infinite  #infinite loop
-          dfm = DorothyFetcher.new(source)
-          start_analysis(dfm.bins)
-          infinite = daemon #exit if wasn't set
-          wait_end
-          LOGGER.info "Dorothy", "SLEEPING" if daemon
-          sleep DoroSettings.env[:dtimeout] if daemon # Sleeping a while if -d wasn't set, then quit.
-        end
-      else  # no sources specified, analyze all of them
-        while infinite  #infinite loop
-          sources = YAML.load_file(DoroSettings.env[:home] + '/etc/sources.yml')
-          sources.keys.each do |sname|
-            dfm = DorothyFetcher.new(sources[sname])
-            start_analysis(dfm.bins)
-          end
-          infinite = daemon #exit if wasn't set
-          wait_end
-          LOGGER.info "Dorothy", "SLEEPING" if daemon
-          sleep DoroSettings.env[:dtimeout].to_i if daemon # Sleeping a while if -d wasn't set, then quit.
-        end
-      end
+  #Stop NAM instance and Revert VM
+  def stop_nam_revertvm(nam, pid, vsm, reverted, vm_log_header)
 
-      @db.close
+    if pid
+      LOGGER.info "VSM", vm_log_header + " Stopping sniffing module " + pid.to_s
+      nam.stop_sniffer(pid)
+    end
 
+    unless reverted || vsm.nil?
+      LOGGER.info "VSM", vm_log_header + " Reverting VM"
+      vsm.revert_vm
+      sleep 3   #wait some seconds for letting the vm revert..
     end
+  end
 
-    def wait_end
 
-      unless @vtotal_threads.empty?
-        @vtotal_threads.each { |aThread|  aThread.join}
-        LOGGER.info "VTOTAL","Process compleated successfully"
-      end
+ #Check the sample's md5 hash with VirusTotal
+ def scan(bin)
+    #puts "TOTAL", "Forking for VTOTAL"
+    @vtotal_threads << Thread.new(bin.sha) {
+      LOGGER.info "VTOTAL", "Scanning file #{bin.md5}".yellow
 
-      @analysis_threads.each { |aThread|  aThread.join }
-      LOGGER.info "Dorothy", "Process finished"
+      vt_results = Vtotal.check_hash(bin.md5)
 
-    end
+      if vt_results != false
+
+        LOGGER.info "VTOTAL", vt_results[:rate]
+        db = Insertdb.new
+        db.begin_t
 
-    def check_pid_file(file)
-      if File.exist? file
-        # If we get Errno::ESRCH then process does not exist and
-        # we can safely cleanup the pid file.
-        pid = File.read(file).to_i
         begin
-          Process.kill(0, pid)
-        rescue Errno::ESRCH
-          stale_pid = true
-        end
+          @id = db.get_curr_malwares_id
+          vtvalues = [bin.sha, vt_results[:rate], vt_results[:positive], vt_results[:date], vt_results[:link], @id]
+          db.insert("malwares", vtvalues)
+
+          #Instert DB
+          vt_results[:results].each do |av|
+            vendor = av[0]
+            if av[1]["detected"]
+              family = av[1]["result"]
+              updated = (av[1]["update"] != "-" ? av[1]["update"] : "null")
+              version = (av[1]["version"] != "-" ? av[1]["version"] : "null")
+              vtvalues = [@id, vendor, family, version, updated]
+              db.insert("av_signs", vtvalues)
+            end
+          end
 
-        unless stale_pid
-          puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " Dorothy is already running (pid=#{pid})"
-          exit(1)
+        rescue => e
+          LOGGER.debug "VTOTAL" , "#{$!}\n #{e.inspect} \n #{e.backtrace}"
+          db.rollback
         end
+        db.commit
+        db.close
       end
-    end
+    }
+  end
 
-    def create_pid_file(file)
-      File.open(file, "w") { |f| f.puts Process.pid }
 
-      # Remove pid file during shutdown
-      at_exit do
-        LOGGER.info "Dorothy", "Shutting down." rescue nil
-        if File.exist? file
-          File.unlink file
-        end
+  ###Create Baseline
+  def self.run_baseline(profile)
+    db = Insertdb.new
+    db.vm_init
+    prof_info = profile[1]
+    guestvm = db.find_vm(prof_info['OS']['type'], prof_info['OS']['version'], prof_info['OS']['lang'])
+    if guestvm
+      begin
+        LOGGER.info "VSM","VM#{guestvm[0]}".red + " Executng the baseline run"
+        vsm = Doro_VSM::ESX.new(DoroSettings.esx[:host],DoroSettings.esx[:user],DoroSettings.esx[:pass],guestvm[1], guestvm[3], guestvm[4])
+        LOGGER.info "VSM","VM#{guestvm[0]}".red + " Sleeping #{prof_info['sleeptime']} seconds".yellow
+        sleep prof_info['sleeptime']
+        vsm.get_running_procs(nil, true, "#{DoroSettings.env[:home]}/etc/#{profile[0]}_baseline_procs.yml")  #save on file
+        LOGGER.info "VSM", "VM#{guestvm[0]} ".red + "Reverting VM".yellow
+        vsm.revert_vm
+        db.free_vm(guestvm[0])
+        db.close
+      rescue => e
+        LOGGER.error "VSM", "VM#{guestvm[0]} ".yellow + "An error occurred while performing the BASELINE run, please retry"
+        LOGGER.debug "Analyser" , "VM#{guestvm[0]} ".yellow + "#{$!}\n #{e.inspect} \n #{e.backtrace}"
+        LOGGER.warn "VSM", "VM#{guestvm[0]} ".yellow + "[RECOVER] Reverting VM"
+        vsm.revert_vm   #TODO vsm var might be nil here
+        db.free_vm(guestvm[0])
+        db.close
       end
+    else
+      LOGGER.fatal "VSM", "[CRITICAL]".red + " There are no free VM at the moment..how it is possible?"
     end
+  end
 
-    def self.stop_running_analyses
-      LOGGER.info "Dorothy", "Killing curent live analysis threads.."
-      @analysis_threads.each { |aThread|
-        aThread.raise
-        aThread.join
-      }
-    end
-## Sends SIGTERM to process in pidfile. Server should trap this
-# and shutdown cleanly.
-    def self.stop
-      puts "[" + "+".red + "]" + " Dorothy is shutting now.."
-      LOGGER.info "Dorothy", "Shutting down."
-      pid_file = DoroSettings.env[:pidfile]
-      if pid_file and File.exist? pid_file
-        pid = Integer(File.read(pid_file))
-        Process.kill(-2,-pid)
-        LOGGER.info "Dorothy", "Process #{pid} terminated"
-        puts "[" + "+".red + "]" + " Dorothy Process #{pid} terminated"
-      else
-        LOGGER.info "Dorothy", "Can't find PID file, is Dorothy really running?"
-      end
+
+  #Check if the sample extension is supported (= is configured into the extension.yml).
+  def check_support(bin, qentry, profile)
+    if profile[1]['extensions'].key?(bin.extension)
+      true
+    else
+      db = Insertdb.new           #TODO too many db sessions opened. review, and try to use less
+      db.analysis_queue_mark(qentry, "error")
+      db.close
+      LOGGER.warn("VSM", "File extension #{bin.extension} currently not configured in the selected profile #{profile[0]}, skipping")
+      LOGGER.debug("VSM", "Filtype: #{bin.type}")
+      false
     end
+  end
+
 
+
+  def self.stop_running_analyses
+    LOGGER.info "Analyser", "Killing curent live analysis threads.."
+    @analysis_threads.each { |aThread|
+      aThread.raise
+      aThread.join
+    }
   end
+
+end