RubyGems - dorothy2 - Versions diffs - 0.0.2 → 0.0.3 - Mend

dorothy2 0.0.2 → 0.0.3

Files changed (13) hide show

data/README.md +85 -19
data/bin/dorothy_start +1 -1
data/bin/dparser_start +13 -8
data/lib/doroParser.rb +10 -3
data/lib/dorothy2.rb +3 -2
data/lib/dorothy2/{do-parsers.rb → DEM.rb} +0 -0
data/lib/dorothy2/NAM.rb +40 -0
data/lib/dorothy2/VSM.rb +131 -0
data/lib/dorothy2/do-init.rb +12 -5
data/lib/dorothy2/do-utils.rb +77 -1
data/lib/dorothy2/version.rb +1 -1
metadata +6 -5
data/lib/dorothy2/MAM.rb +0 -239

data/README.md CHANGED

@@ -2,23 +2,35 @@
 A malware/botnet analysis framework written in Ruby.
+For a perfect view of this document (images and links), open it through the project's [code repository](https://github.com/m4rco-/dorothy2/blob/master/README.md).
 ##Introduction
 Dorothy2 is a framework created for mass malware analysis. Currently, it is mainly based on analyzing the network behavior of a virtual machine where a suspicious executable was executed.
 However, static binary analysis and system behavior analysis will be shortly introduced in the next version.
-Dorothy2 is a continuation of my degree's final project ([Dorothy: inside the Storm](https://www.honeynet.it/wp-content/uploads/Dorothy/The_Dorothy_Project.pdf) ) that I presented on Feb 2009.
+Dorothy2 is a continuation of my Bachelor degree's final project ([Dorothy: inside the Storm](https://www.honeynet.it/wp-content/uploads/Dorothy/The_Dorothy_Project.pdf) ) that I presented on Feb 2009.
 The main framework's structure remained almost the same, and it has been fully detailed in my degree's final project or in this short [paper](http://www.honeynet.it/wp-content/uploads/Dorothy/EC2ND-Dorothy.pdf). More information about the whole project can be found on the Italian Honeyproject [website](http://www.honeynet.it).
 The framework is manly composed by four big elements that can be even executed separately:
-* The Dorothy analysis engine (this gem)
-* The Network analysis module (included in this module, but still not working perfectly at the time of this writing)
+* The Dorothy analysis engine (included in this gem)
+ In charge of executing a binary file into a sandbox, and then storing the generated network traffic and its screenshots into the analysis folder (moreover populating Dorothive with the basic information of the file, and CouchDB with the network pcaps).
+* The (network) Data Extraction Module aka dparser (included in this gem)
+ In charge of dissecting the pcaps file, and storing the most relevant information (flows data, GeoIP info, etc) into Dorothive. In addition, it extracts all the files downloaded by the sandbox through HTTP/HTTPS and store them into the binary file's analysis folder.
 * The Webgui (Coded in Rails by Andrea Valerio, and not yet included in this gem)
+ (Working in progress) A rails application which allows to have an interactive overview on all the acquired data. For a first glance on Andrea's first PoC take a look [this](http://youtu.be/W4DdMYPp4Ws) video (commented in Italian).
 * The Java Dorothy Drone (Mainly coded by Patrizia Martemucci and Domenico Chiarito, but not part of this gem and not publicly available.)
+ Our botnet infiltration module, refers to this [ppt](https://www.honeynet.it/wp-content/uploads/Presentations/JDrone.pptx) presentation for an overview.
 The first three modules are (or will be soon) publicly released under GPL 2/3 license as tribute to the the [Honeynet Project Alliance](http://www.honeynet.org).
 All the information generated by the framework - i.e. binary info, timestamps, dissected network analysis - are stored into a postgres DB (Dorothive) in order to be used for further analysis.
 A no-SQL database (CouchDB) is also used to mass strore all the traffic dumps thanks to the [pcapr/xtractr](https://code.google.com/p/pcapr/wiki/Xtractr) technology.
@@ -70,26 +82,61 @@ It is recommended to follow this step2step process:
  * Configure a static IP
  * After configuring everything on the Guest OS, create a snapshot of the sandbox VM from vSphere console. Dorothy will use it when reverting the VM after a binary execution.
-3. Configure the unix VM dedicated to the NAM
-* Configure the NIC on the virtual machine that will be used for the network sniffing purpose (NAM).
-       >The vSwitch where the vNIC resides must allow the promisc mode, to enable it from vSphere:
-       >Configuration->Networking->Proprieties on the vistualSwitch used for the analysis->Double click on the virtual network used for the analysis->Securiry->Tick "Promiscuous Mode", then select "Accept" from the list menu.
+3. From vSphere, create a unix VM dedicated to the NAM
 * Install tcpdump and sudo
-            #apt-get install tcpdump sudo
+        #apt-get install tcpdump sudo
 * Create a dedicated user for dorothy (e.g. "dorothy")
-              #useradd dorothy
+        #useradd dorothy
+* Create a directory inside the dorothy user's home where storing the network dumps
+        #su dorothy
+        $mkdir /home/dorothy/pcaps
 * Add dorothy's user permission to execute/kill tcpdump to the sudoers file:
-               #visudo
-                add the following line:
-                dorothy  ALL = NOPASSWD: /usr/sbin/tcpdump, /bin/kill
+        #visudo
+        add the following line:
+        dorothy  ALL = NOPASSWD: /usr/sbin/tcpdump, /bin/kill
+* If you want to install pcapr on this machine (recommended) install also these packages  (refer to this blog [post](https://github.com/pcapr-local/pcapr-local) for a detailed howto)
+        #apt-get install ruby1.8 rubygems  tshark zip couchdb
+* Start the couchdb server
+        #/etc/init.d/couchdb start
+* Install pcapr-local
+        #gem install pcapr-local
+* Start pcapr-local by using the dorothy's account and configure it. When prompted, insert the folder path used to store the network dumps
+        $startpcapr
+        ....
+        Which directory would you like to scan for indexable pcaps? [/root/pcapr.Local/pcaps]
+        /home/dorothy/pcaps
+ In addition, remember to allow pcapr to run on all the interfaces
+        What IP address should pcapr.Local run on? Use 0.0.0.0 to listen on all interfaces [127.0.0.1]
+        0.0.0.0
+* If everything went fine, you should be able to browse to
+        http//{ip-used-by-NAM}:8000
+4 From vSphere, configure the NIC on the virtual machine that will be used for the network sniffing purpose (NAM).
+       >The vSwitch where the vNIC resides must allow the promisc mode, to enable it from vSphere:
+       >Configuration->Networking->Proprieties on the vistualSwitch used for the analysis->Double click on the virtual network used for the analysis->Securiry->Tick "Promiscuous Mode", then select "Accept" from the list menu.
 #### * Sample Setups
 1. Basic setup
@@ -114,7 +161,10 @@ or
         http://www.postgresql.org/download/
-2. Configure a dedicated postgres user for Dorothy (or use root user instead, up to you :)
+2. Configure a dedicated postgres user for Dorothy (or use the default postgres user instead, up to you :)
+> Note:
+> If you want to use Postgres "as is", and then configure Dorothy to use "postgres" degault the user, configure a password for this user at least (by default it comes with no password)
 3. Install the following packages
@@ -125,7 +175,7 @@ or
         $ brew install libmagic
         $ brew link libmagic
-Add a user dedicated to dorothy (or use the root one, up to you :)
+4. Install the xtractr gem, for a detailed howto, go [here](https://code.google.com/p/pcapr/wiki/Xtractr).
 ### 3. Install Dorothy gem
@@ -164,8 +214,9 @@ The first time you execute Dorothy, it will ask you to fill those information in
 ## Usage
-	Usage:
-	$./dorothy_start [options]
+### Dorothy usage:
+	$dorothy_start [options]
 	where [options] are:
        --verbose, -v:   Enable verbose mode
       --infoflow, -i:   Print the analysis flow
@@ -177,9 +228,24 @@ The first time you execute Dorothy, it will ask you to fill those information in
  >Example
+>
+     $dorothy_start -v -s malwarefolder
+### DoroParser usage:
+    $dparser_start [options]
+	where [options] are:
+    --verbose, -v:   Enable verbose mode
+    --nonetbios, -n:   Hide Netbios communication
+     --daemon, -d:   Stay in the backroud, by constantly pooling datasources
+       --help, -h:   Show this message
+ >Example
+>
+     $dparser_start -d start
+     $dparser_stop
- >   $dorothy_start -v -s malwarefolder
- >   $dorothy_stop
+If executed in daemon mode, DoroParser will poll the database every X seconds (where X is defined by the "dtimeout:" field in the configuration file) looking for new pcaps that has been inserted.
 ###6. Debugging problems

data/bin/dorothy_start CHANGED

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 # Copyright (C) 2010-2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/dorothy
+# This file is part of Dorothy - http://www.honeynet.it/
 # See the file 'LICENSE' for copying permission.
 require 'rubygems'

data/bin/dparser_start CHANGED

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 # Copyright (C) 2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/dorothy
+# This file is part of Dorothy - http://www.honeynet.it/
 # See the file 'LICENSE' for copying permission.
 require 'rubygems'
@@ -18,17 +18,22 @@ include DoroParser
 opts = Trollop.options do
   banner <<-EOS
-	The Dorothy Malware Analysis Framework 2.0
-	www.honeynet.it
+   ####################################################
+   ##                                                ##
+   ##  The Dorothy Malware Analysis Framework 2.0    ##
+   ##                                                ##
+   ####################################################
+        marco.riccardi@honeynet.it
+	www.honeynet.it/dorothy
 	Usage:
-	"do-dissector.rb" [options]
+  dparser_start [options]
 	where [options] are:
   EOS
   opt :verbose, "Enable verbose mode"
   opt :nonetbios, "Hide Netbios communication"
   opt :daemon, "Stay in the backroud, by constantly pooling datasources"

data/lib/doroParser.rb CHANGED

@@ -1,5 +1,5 @@
 # Copyright (C) 2010-2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/dorothy
+# This file is part of Dorothy - http://www.honeynet.it/
 # See the file 'LICENSE' for copying permission.
 #!/usr/local/bin/ruby
@@ -8,6 +8,14 @@
 #Install mu/xtractr from svn checkout http://pcapr.googlecode.com/svn/trunk/ pcapr-read-only
+############################
+## Dorothy                ##
+## Data Definition Module ##
+############################
 require 'rubygems'
 require 'mu/xtractr'
 require 'md5'
@@ -17,7 +25,6 @@ require 'net/dns'
 require 'net/dns/packet'
 require 'ipaddr'
 require 'colored'
-require 'trollop'
 require 'ftools'
 require 'filemagic'                                    #require 'pcaplet'
 require 'geoip'
@@ -27,7 +34,7 @@ require 'tmail'
 require 'ipaddr'
 require File.dirname(__FILE__) + '/dorothy2/environment'
-require File.dirname(__FILE__) + '/dorothy2/do-parsers'
+require File.dirname(__FILE__) + '/dorothy2/DEM'
 require File.dirname(__FILE__) + '/dorothy2/do-utils'
 require File.dirname(__FILE__) + '/dorothy2/do-logger'
 require File.dirname(__FILE__) + '/dorothy2/deep_symbolize'

data/lib/dorothy2.rb CHANGED

@@ -1,5 +1,5 @@
 # Copyright (C) 2010-2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/dorothy
+# This file is part of Dorothy - http://www.honeynet.it/
 # See the file 'LICENSE' for copying permission.
 ##for irb debug:
@@ -29,7 +29,8 @@ require File.dirname(__FILE__) + '/dorothy2/Settings'
 require File.dirname(__FILE__) + '/dorothy2/deep_symbolize'
 require File.dirname(__FILE__) + '/dorothy2/environment'
 require File.dirname(__FILE__) + '/dorothy2/vtotal'
-require File.dirname(__FILE__) + '/dorothy2/MAM'
+require File.dirname(__FILE__) + '/dorothy2/VSM'
+require File.dirname(__FILE__) + '/dorothy2/NAM'
 require File.dirname(__FILE__) + '/dorothy2/BFM'
 require File.dirname(__FILE__) + '/dorothy2/do-utils'
 require File.dirname(__FILE__) + '/dorothy2/do-logger'

data/lib/dorothy2/{do-parsers.rb → DEM.rb} RENAMED

File without changes

data/lib/dorothy2/NAM.rb ADDED

@@ -0,0 +1,40 @@
+# Copyright (C) 2010-2013 marco riccardi.
+# This file is part of Dorothy - http://www.honeynet.it/
+# See the file 'LICENSE' for copying permission.
+module Dorothy
+  #Dorothy module-class for controlling the network sniffers i.e. tcpdump instances
+  class Doro_NAM
+    #Create a dotothy user in the NSM machine, and add this line to the sudoers :
+    #   dorothy  ALL = NOPASSWD: /usr/sbin/tcpdump, /bin/kill
+    #
+    def initialize(namdata)
+      @server = namdata[:host]
+      @user= namdata[:user]
+      @pass= namdata[:pass]
+      @port = namdata[:port]
+    end
+    def start_sniffer(vmaddress, interface, name, pcaphome)
+      Net::SSH.start(@server, @user, :password => @pass, :port =>@port) do |@ssh|
+        # @ssh.exec "nohup sudo tcpdump -i eth0 -s 1514 -w ~/pcaps/#{name}.pcap host #{vmaddress} > blah.log 2>&1 & "
+        @ssh.exec "nohup sudo tcpdump -i #{interface} -s 1514 -w #{pcaphome}/#{name}.pcap host #{vmaddress} > log.tmp 2>&1 & "
+        t = @ssh.exec!"ps aux |grep #{vmaddress}|grep -v grep|grep -v bash"
+        pid = t.split(" ")[1]
+        return pid.to_i
+      end
+    end
+    def stop_sniffer(pid)
+      Net::SSH.start(@server, @user, :password => @pass, :port =>@port) do |ssh|
+        ssh.exec "sudo kill -2 #{pid}"
+        #LOGGER.info "[NAM]".yellow + "Tcpdump instance #{pid} stopped"
+      end
+    end
+  end
+end

data/lib/dorothy2/VSM.rb ADDED

@@ -0,0 +1,131 @@
+# Copyright (C) 2010-2013 marco riccardi.
+# This file is part of Dorothy - http://www.honeynet.it/
+# See the file 'LICENSE' for copying permission.
+module Dorothy
+  #Dorothy module-class for managig the virtual sandboxes
+  class Doro_VSM
+    #ESX5 interface
+    class ESX
+      #Creates a new instance for communicating with ESX through the vSpere5's API
+      def initialize(server,user,pass,vmname,guestuser,guestpass)
+        begin
+          vim = RbVmomi::VIM.connect(:host => server , :user => user, :password=> pass, :insecure => true)
+        rescue Timeout::Error
+          raise "Fail to connect to the ESXi server #{server} - TimeOut (Are you sure that is the right address?)"
+        end
+        @server = server
+        dc = vim.serviceInstance.find_datacenter
+        @vm = dc.find_vm(vmname)
+        raise "Virtual Machine #{vmname} not present within ESX!!" if @vm.nil?
+        om = vim.serviceContent.guestOperationsManager
+        am = om.authManager
+        @pm = om.processManager
+        @fm = om.fileManager
+        #AUTHENTICATION
+        guestauth = {:interactiveSession => false, :username => guestuser, :password => guestpass}
+        @auth=RbVmomi::VIM::NamePasswordAuthentication(guestauth)
+        abort if am.ValidateCredentialsInGuest(:vm => @vm, :auth => @auth) != nil
+      end
+      def revert_vm
+        @vm.RevertToCurrentSnapshot_Task
+      end
+      def copy_file(filename,file)
+        filepath = "C:\\#{filename}" #put md5 hash
+        begin
+          url = @fm.InitiateFileTransferToGuest(:vm => @vm, :auth=> @auth, :guestFilePath=> filepath, :fileSize => file.size, :fileAttributes => '', :overwrite => true).sub('*:443', @server)
+          RestClient.put(url, file)
+        rescue RbVmomi::Fault
+          LOGGER.error "VSM", "Fail to copy the file #{file} to #{@vm}: #{$!}"
+          abort
+        end
+      end
+      def exec_file(filename, arguments="")
+        filepath = "C:\\#{filename}"
+        if File.extname(filename) == ".dll"
+          cmd = { :programPath => "C:\\windows\\system32\\rundll32.exe", :arguments => filepath}
+          LOGGER.info "VSM", ".:: Executing dll #{filename}"
+        else
+          cmd = { :programPath => filepath, :arguments => arguments }
+        end
+        pid = @pm.StartProgramInGuest(:vm => @vm , :auth => @auth, :spec => cmd )
+        pid.to_i
+      end
+      def check_internet
+         exec_file("windows\\system32\\ping.exe", "-n 1 www.google.com")  #make www.google.com customizable, move to doroconf
+      end
+      def get_status(pid)
+        p = @pm.ListProcessesInGuest(:vm => @vm , :auth => @auth, :pids => Array(pid) ).inspect
+        status = (p =~ /exitCode=>([0-9])/ ? $1.to_i : nil )
+        return status
+      end
+      def screenshot
+        a = @vm.CreateScreenshot_Task.wait_for_completion.split(" ")
+        ds = @vm.datastore.find { |ds| ds.name  == a[0].delete("[]")}
+        screenpath = "/vmfs/volumes/" + a[0].delete("[]") + "/" + a[1]
+        return screenpath
+      end
+    end
+    #Empty method for showing how it could be easy to extend the dorothy's VSM with another virtual manager.
+    class VirtualBox
+      def initialize
+      end
+      def revert_vm
+      end
+      def copy_file
+      end
+      def exec_file
+      end
+      def check_internet
+      end
+      def get_status
+      end
+      def screenshot
+      end
+    end
+  end
+end

data/lib/dorothy2/do-init.rb CHANGED

@@ -1,5 +1,5 @@
 # Copyright (C) 2010-2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/dorothy
+# This file is part of Dorothy - http://www.honeynet.it/
 # See the file 'LICENSE' for copying permission.
 module Dorothy
@@ -80,9 +80,6 @@ module Dorothy
         conf["env"]["loglevel"] = 0
         conf["env"]["logage"] = "weekly"
-        conf["env"]["testmode"] = true
         ######################################################
         ###DOROTHIVE
@@ -104,7 +101,6 @@ module Dorothy
         conf["dorothive"]["ddl"] = "#{HOME}/etc/ddl/dorothive.ddl"
         ######################################################
         ###ESX
         ######################################################
@@ -182,6 +178,17 @@ module Dorothy
         puts "In order to retrieve Virus signatures, Dorothy needs to contact VirusTotal,\n please enter your VT API key here, if you don't have one yet, go here (or press enter):\nhttps://www.virustotal.com/en/#dlg-join "
         conf["virustotal"]["vtapikey"] = gets.chop
+        puts "Enable test mode? In test mode dorothy will avoid to poll Virustotal [y]"
+        t = gets.chop
+        if t.empty? || t == "y" || t == "yes"
+          conf["env"]["testmode"] = true
+        else
+          conf["env"]["testmode"] = false
+        end
+        ##########CONF FINISHED##################
         puts "\n######### [" + " Configuration finished ".yellow + "] #########"
         puts "Confirm? [y]"

data/lib/dorothy2/do-utils.rb CHANGED

@@ -1,5 +1,5 @@
 # Copyright (C) 2010-2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/dorothy
+# This file is part of Dorothy - http://www.honeynet.it/
 # See the file 'LICENSE' for copying permission.
 module Dorothy
@@ -220,4 +220,80 @@ module Dorothy
   end
+  class Loadmalw
+    attr_reader :pcaprid
+    attr_reader :type
+    attr_reader :dbtype
+    attr_accessor :sha
+    attr_reader :md5
+    attr_reader :binpath
+    attr_reader :filename
+    attr_reader :ctime
+    attr_reader :size
+    attr_reader :pcapsize
+    attr_reader :extension
+    attr_accessor :sourceinfo   #used for storing info about where the binary come from (if needed)
+    #	attr_accessor :dir_home
+    attr_accessor :dir_pcap
+    attr_accessor :dir_bin
+    attr_accessor :dir_screens
+    attr_accessor :dir_downloads
+    def initialize(file)
+      fm = FileMagic.new
+      sha = Digest::SHA2.new
+      md5 = Digest::MD5.new
+      @binpath = file
+      @filename = File.basename file
+      @extension = File.extname file
+      @dbtype = "null"  #TODO: remove type column in sample table
+      File.open(file, 'rb') do |fh1|
+        while buffer1 = fh1.read(1024)
+          @sha = sha << buffer1
+          @md5 = md5 << buffer1
+        end
+      end
+      @sha = @sha.to_s
+      @md5 = @md5.to_s.rstrip
+      @sourceinfo = nil
+      timetmp = File.ctime(file)
+      @ctime= timetmp.strftime("%m/%d/%y %H:%M:%S")
+      @type = fm.file(file)
+      if @extension.empty?    #no extension, trying to put the right one..
+        case @type
+          when /^PE32/ then
+            @extension = (@type =~ /DLL/ ? ".dll" : ".exe")
+          when /^MS-DOS/ then
+            @extension = ".bat"
+          when /^HTML/ then
+            @extension = ".html"
+          else
+            @extension = nil
+        end
+      end
+      @size = File.size(file)
+    end
+    def self.calc_pcaprid(file, size)
+      #t = file.split('/')
+      #dumpname = t[t.length - 1]
+      @pcaprid = Digest::MD5.new
+      @pcaprid << "#{file}:#{size}"
+      @pcaprid = @pcaprid.dup.to_s.rstrip
+    end
+  end
 end

data/lib/dorothy2/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Dorothy2
-  VERSION = "0.0.2"
+  VERSION = "0.0.3"
 end

metadata CHANGED

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: dorothy2
 version: !ruby/object:Gem::Version
-  hash: 27
+  hash: 25
   prerelease:
   segments:
   - 0
   - 0
-  - 2
-  version: 0.0.2
+  - 3
+  version: 0.0.3
 platform: ruby
 authors:
 - marco riccardi
@@ -257,12 +257,13 @@ files:
 - lib/doroParser.rb
 - lib/dorothy2.rb
 - lib/dorothy2/BFM.rb
-- lib/dorothy2/MAM.rb
+- lib/dorothy2/DEM.rb
+- lib/dorothy2/NAM.rb
 - lib/dorothy2/Settings.rb
+- lib/dorothy2/VSM.rb
 - lib/dorothy2/deep_symbolize.rb
 - lib/dorothy2/do-init.rb
 - lib/dorothy2/do-logger.rb
-- lib/dorothy2/do-parsers.rb
 - lib/dorothy2/do-utils.rb
 - lib/dorothy2/environment.rb
 - lib/dorothy2/version.rb

data/lib/dorothy2/MAM.rb DELETED

@@ -1,239 +0,0 @@
-# Copyright (C) 2010-2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/dorothy
-# See the file 'LICENSE' for copying permission.
-module Dorothy
-  class Doro_VSM
-    #Creates a new instance for communicating with ESX through the vSpere5's API
-    class ESX
-      def initialize(server,user,pass,vmname,guestuser,guestpass)
-        begin
-          vim = RbVmomi::VIM.connect(:host => server , :user => user, :password=> pass, :insecure => true)
-        rescue Timeout::Error
-          raise "Fail to connect to the ESXi server #{server} - TimeOut (Are you sure that is the right address?)"
-        end
-        @server = server
-        dc = vim.serviceInstance.find_datacenter
-        @vm = dc.find_vm(vmname)
-        raise "Virtual Machine #{vmname} not present within ESX!!" if @vm.nil?
-        om = vim.serviceContent.guestOperationsManager
-        am = om.authManager
-        @pm = om.processManager
-        @fm = om.fileManager
-        #AUTHENTICATION
-        guestauth = {:interactiveSession => false, :username => guestuser, :password => guestpass}
-        @auth=RbVmomi::VIM::NamePasswordAuthentication(guestauth)
-        abort if am.ValidateCredentialsInGuest(:vm => @vm, :auth => @auth) != nil
-      end
-      def revert_vm
-        @vm.RevertToCurrentSnapshot_Task
-      end
-      def copy_file(filename,file)
-        filepath = "C:\\#{filename}" #put md5 hash
-        begin
-          url = @fm.InitiateFileTransferToGuest(:vm => @vm, :auth=> @auth, :guestFilePath=> filepath, :fileSize => file.size, :fileAttributes => '', :overwrite => true).sub('*:443', @server)
-          RestClient.put(url, file)
-        rescue RbVmomi::Fault
-          LOGGER.error "VSM", "Fail to copy the file #{file} to #{@vm}: #{$!}"
-          abort
-        end
-      end
-      def exec_file(filename, arguments="")
-        filepath = "C:\\#{filename}"
-        if File.extname(filename) == ".dll"
-          cmd = { :programPath => "C:\\windows\\system32\\rundll32.exe", :arguments => filepath}
-          LOGGER.info "VSM", ".:: Executing dll #{filename}"
-        else
-          cmd = { :programPath => filepath, :arguments => arguments }
-        end
-        pid = @pm.StartProgramInGuest(:vm => @vm , :auth => @auth, :spec => cmd )
-        pid.to_i
-      end
-      def check_internet
-         exec_file("windows\\system32\\ping.exe", "-n 1 www.google.com")  #make www.google.com customizable, move to doroconf
-      end
-      def get_status(pid)
-        p = @pm.ListProcessesInGuest(:vm => @vm , :auth => @auth, :pids => Array(pid) ).inspect
-        status = (p =~ /exitCode=>([0-9])/ ? $1.to_i : nil )
-        return status
-      end
-      def screenshot
-        a = @vm.CreateScreenshot_Task.wait_for_completion.split(" ")
-        ds = @vm.datastore.find { |ds| ds.name  == a[0].delete("[]")}
-        screenpath = "/vmfs/volumes/" + a[0].delete("[]") + "/" + a[1]
-        return screenpath
-      end
-    end
-    #TODO. Example of how a new VSM´s structure should look like
-    class VirtualBox
-      def initialize
-      end
-      def revert_vm
-      end
-      def copy_file
-      end
-      def exec_file
-      end
-      def check_internet
-      end
-      def get_status
-      end
-      def screenshot
-      end
-    end
-  end
-  class Loadmalw
-    attr_reader :pcaprid
-    attr_reader :type
-    attr_reader :dbtype
-    attr_accessor :sha
-    attr_reader :md5
-    attr_reader :binpath
-    attr_reader :filename
-    attr_reader :ctime
-    attr_reader :size
-    attr_reader :pcapsize
-    attr_reader :extension
-    attr_accessor :sourceinfo   #used for storing info about where the binary come from (if needed)
-    #	attr_accessor :dir_home
-    attr_accessor :dir_pcap
-    attr_accessor :dir_bin
-    attr_accessor :dir_screens
-    attr_accessor :dir_downloads
-    def initialize(file)
-      fm = FileMagic.new
-      sha = Digest::SHA2.new
-      md5 = Digest::MD5.new
-      @binpath = file
-      @filename = File.basename file
-      @extension = File.extname file
-      @dbtype = "null"  #TODO: remove type column in sample table
-      File.open(file, 'rb') do |fh1|
-        while buffer1 = fh1.read(1024)
-          @sha = sha << buffer1
-          @md5 = md5 << buffer1
-        end
-      end
-      @sha = @sha.to_s
-      @md5 = @md5.to_s.rstrip
-      @sourceinfo = nil
-      timetmp = File.ctime(file)
-      @ctime= timetmp.strftime("%m/%d/%y %H:%M:%S")
-      @type = fm.file(file)
-      if @extension.empty?    #no extension, trying to put the right one..
-        case @type
-          when /^PE32/ then
-            @extension = (@type =~ /DLL/ ? ".dll" : ".exe")
-          when /^MS-DOS/ then
-            @extension = ".bat"
-          when /^HTML/ then
-            @extension = ".html"
-          else
-            @extension = nil
-        end
-      end
-      @size = File.size(file)
-      #  @dir_pcap = "#{ANALYSIS_DIR}/#{@md5}/pcap/"
-      #  @dir_bin = "#{ANALYSIS_DIR}/#{@md5}/bin/"
-      #  @dir_screens = "#{ANALYSIS_DIR}/#{@md5}/screens/"
-      #  @dir_downloads = "#{ANALYSIS_DIR}/#{@md5}/downloads/"
-    end
-    def self.calc_pcaprid(file, size)
-      #t = file.split('/')
-      #dumpname = t[t.length - 1]
-      @pcaprid = Digest::MD5.new
-      @pcaprid << "#{file}:#{size}"
-      @pcaprid = @pcaprid.dup.to_s.rstrip
-    end
-  end
-  class Doro_NAM
-    #Create a dotothy user in the NSM machine, and add this line to the sudoers :
-    #   dorothy  ALL = NOPASSWD: /usr/sbin/tcpdump, /bin/kill
-    #
-    def initialize(namdata)
-      @server = namdata[:host]
-      @user= namdata[:user]
-      @pass= namdata[:pass]
-      @port = namdata[:port]
-    end
-    def start_sniffer(vmaddress, interface, name, pcaphome)
-      Net::SSH.start(@server, @user, :password => @pass, :port =>@port) do |@ssh|
-        # @ssh.exec "nohup sudo tcpdump -i eth0 -s 1514 -w ~/pcaps/#{name}.pcap host #{vmaddress} > blah.log 2>&1 & "
-        @ssh.exec "nohup sudo tcpdump -i #{interface} -s 1514 -w #{pcaphome}/#{name}.pcap host #{vmaddress} > log.tmp 2>&1 & "
-        t = @ssh.exec!"ps aux |grep #{vmaddress}|grep -v grep|grep -v bash"
-        pid = t.split(" ")[1]
-        return pid.to_i
-      end
-    end
-    def stop_sniffer(pid)
-      Net::SSH.start(@server, @user, :password => @pass, :port =>@port) do |ssh|
-        ssh.exec "sudo kill -2 #{pid}"
-        #LOGGER.info "[NAM]".yellow + "Tcpdump instance #{pid} stopped"
-      end
-    end
-  end
-end