dorothy2 1.0.1 → 1.0.9

data/README.md

@@ -7,7 +7,8 @@ For a perfect view of this document (images and links), open it through the proj
 ##Introduction
 
 Dorothy2 is a framework created for mass malware analysis. Currently, it is mainly based on analyzing the network behavior of a virtual machine where a suspicious executable was executed.
-However, static binary analysis and system behavior analysis will be shortly introduced in the next version.
+Additionally, it is able to recognize new spawned processes by comparing them with a previously created baseline.
+Static binary analysis and an improved system behavior analysis will be shortly introduced in the next versions.
 
 Dorothy2 is a continuation of my Bachelor degree's final project ([Dorothy: inside the Storm](https://www.honeynet.it/wp-content/uploads/Dorothy/The_Dorothy_Project.pdf) ) that I presented on Feb 2009.
 The main framework's structure remained almost the same, and it has been fully detailed in my degree's final project or in this short [paper](http://www.honeynet.it/wp-content/uploads/Dorothy/EC2ND-Dorothy.pdf). More information about the whole project can be found on the Italian Honeyproject [website](http://www.honeynet.it).
@@ -109,7 +110,7 @@ It is recommended to follow this step2step process:
         add the following line:
         dorothy  ALL = NOPASSWD: /usr/sbin/tcpdump, /bin/kill
 
-* If you want to install pcapr on this machine (recommended) install also these packages  (refer to this blog [post](https://github.com/pcapr-local/pcapr-local) for a detailed howto)
+* If you want to install pcapr on this machine (if you want to use dorohy from a MacOSX machine, you have to do it) install also these packages  (refer to this blog [post](https://github.com/pcapr-local/pcapr-local) for a detailed howto). However, if you are installing Dorothy into a Linux machine, I recommended you to install pcapr on the same machine where the Dorothy gem was installed.
 
         #apt-get install ruby1.8 rubygems  tshark zip couchdb
 
@@ -180,6 +181,10 @@ or
         $ brew install libmagic
         $ brew link libmagic
 
+In case you want to install pcapr here do this as well:
+
+        $sudo apt-get install tshark zip couchdb
+
 ### 3. Install Dorothy gem
 
 *Install Dorothy gem
@@ -207,6 +212,7 @@ The following message should appear
     * The ESX Virtual machines used for the analysis
 
 The first time you execute Dorothy, it will ask you to fill those information in order to create the required configuration files into the etc/ folder. However, you are free to modify/create such files directly - configuration example files can be found there too.
+Finally, check out the file extensions.yml within the /etc folder: it instructs Dorothy's sandboxes about how to process the binaries to analize.
 
 ###5. Use Dorothy
 1. Copy a .exe or .bat file into $yourdorothyhome/opt/bins/manual/
@@ -221,12 +227,15 @@ The first time you execute Dorothy, it will ask you to fill those information in
 
 	$dorothy_start [options]
 	where [options] are:
+       --Verbose, -V:   Print the current version
        --verbose, -v:   Enable verbose mode
       --infoflow, -i:   Print the analysis flow
+      --baseline, -b:   Create a new process baseline
     --source, -s <s>:   Choose a source (from the ones defined in etc/sources.yml)
         --daemon, -d:   Stay in the background, by constantly pooling datasources
-  --SandboxUpdate, -S:   Update Dorothive with the new Sandbox file
-  --DorothiveInit, -D:   (RE)Install the Dorothy Database (Dorothive)
+        --manual, -m:   Start everything, copy the file, and wait for me.
+  --SandboxUpdate, -S:  Update Dorothive with the new Sandbox file
+  --DorothiveInit, -D:  (RE)Install the Dorothy Database (Dorothive)
           --help, -h:   Show this message
 
 

data/TODO

@@ -5,17 +5,23 @@
 -PORT TO Ruby 2.0
 -WGUI
 
+#IMPROVE INSTALLATION PROCESS
+-Include pcapr-local installation 80%
+
+-ADD args from command line for recreating the baseline
+
+
 -BINARY STATIC ANALYSIS
--ANALYZE SYSTEM CHANGES
--SYSTEM ANALYSIS -VMWARE API: QueryChangedDiskAreas
--LIST PROCESSES-> pm.ListProcessesInGuest(:vm => vm, :auth => auth).inspect
+-ANALYZE SYSTEM CHANGES 50%
+	-ListFileInGuest -> Create Files/Folder Baseline.
 
--CODE- CATCH CTRL-C AND EXIT GRACEFULLY
--INTERACTIVE CONSOLE FOR NETWORK ANALYSIS
+-MANAGE SIG-INT WHILE MULTITHREAD 
+-INTERACTIVE CONSOLE 10%
+-ADD VNC CLIENT SPAWN IN MANUAL MODE
 
 -REVIEW DOROTHIVE (binary fullpath?)
 
--ADD EMAIL AS SOURCETYPE (use ruby mail gem for retreiving the emails, and parse them)
+-ADD EMAIL AS SOURCETYPE (use ruby mail gem for retrieving the emails, and parse them)
 
 -REPORT PLUGIN
  -REPORT - MAEC

data/UPDATE

@@ -0,0 +1,21 @@
+#######################################
+#Updating from Dorothy 1.0.x to 1.1.0##
+#######################################
+
+Dorothy 1.1.0 introduces several features that improve the overall framework.
+Below, the recommended steps needed to update your Dorothy environment.
+
+a) Remove the Dorothy configuration file
+    rm ~/.dorothy.yml
+   And recreate it by restarting Dorothy. You will see that the init script will ask you more question than before.
+
+b) Since a new configuration file has been added in your Dorothy's etc/ folder (extension.yml), go and edit it
+   accordingly to your environment.
+
+c) From Dorothy home, execute the following SQL script in order to update the database schema. It will add the new table sys_procs.
+
+sudo -u postgres psql dorothive -f share/update_dorothive.sql
+
+That's all! You are ready to go!
+
+

data/bin/dorothy_start

@@ -31,11 +31,13 @@ opts = Trollop.options do
 	where [options] are:
   EOS
 
-
+  opt :Version, "Print the current version."
   opt :verbose, "Enable verbose mode"
   opt :infoflow, "Print the analysis flow"
+  opt :baseline, "Create a new process baseline"
   opt :source, "Choose a source (from the ones defined in etc/sources.yml)", :type => :string
   opt :daemon, "Stay in the backround, by constantly pooling datasources"
+  opt :manual, "Start everything, copy the file, and wait for me."
   opt :SandboxUpdate, "Update Dorothive with the new Sandbox file"
   opt :DorothiveInit, "(RE)Install the Dorothy Database (Dorothive)", :type => :string
 
@@ -52,12 +54,20 @@ if opts[:infoflow]
 	#4) Execute file into VM
 	#5) Make screenshot
 	#6) Wait X minutes (configure X in the conf file)
-	#7) Stop Sniffer
-	#8) Download Screenshot and trafficdump
-	#9) Try to retreive malware info from VirusTotal
-	#10) Insert data into Dorothy-DB
+  #7) Save the running processes
+	#8) Stop Sniffer
+	#9) Download Screenshot and trafficdump
+	#10) Compare the aquired process list with the one taken during the baseline run. Find the new spawned processes.
+  #11) Try to retreive malware info from VirusTotal
+	#12) Insert data into Dorothy-DB
 	------------------------------------------
-	"
+"
+
+  exit(0)
+end
+
+if opts[:Version]
+  puts "Dorothy ".yellow + Dorothy::VERSION
   exit(0)
 end
 
@@ -75,25 +85,49 @@ puts "
 HOME = File.expand_path("..",File.dirname(__FILE__))
 VERBOSE = (opts[:verbose] ? true : false)
 daemon = (opts[:daemon] ? true : false)
+MANUAL =  (opts[:manual] ? true : false)
+
+if MANUAL && daemon
+  "[Dorothy]".yellow + " Manual and Deamon modes can't be executed together"
+  exit(1)
+end
+
 
 #DEFAULT CONF FILES
 #conf = HOME + '/etc/dorothy.yml'
 
 conf = "#{File.expand_path("~")}/.dorothy.yml"
 
+
 #LOAD ENV
 if Util.exists?(conf)
   DoroSettings.load!(conf)
   else
   DoroConfig.create
   exit(0)
-end
+  end
+
+
+#LOAD EXTENSION MGT FILE
+EXTENSIONS=YAML.load_file("#{DoroSettings.env[:home]}/etc/extensions.yml")
+
+
 
 #Logging
 logout = (daemon ? DoroSettings.env[:logfile] : STDOUT)
 LOGGER = DoroLogger.new(logout, DoroSettings.env[:logage])
 LOGGER.sev_threshold = DoroSettings.env[:loglevel]
 
+
+if opts[:baseline]
+  puts "[DOROTHY]".yellow + "Creating a new process baseline."
+  Dorothy.run_baseline
+  puts "[WARNING]".red + "Baseline run finished."
+  exit(0)
+end
+
+
+
 home = DoroSettings.env[:home]
 #check homefolder
 unless Util.exists?(home)
@@ -102,6 +136,7 @@ end
 
 sfile = home + '/etc/sources.yml'
 sboxfile = home + '/etc/sandboxes.yml'
+baseline_procs = home + '/etc/baseline_processes.yml'
 
 if opts[:DorothiveInit]
   Util.init_db(opts[:DorothiveInit])
@@ -153,6 +188,15 @@ unless Util.exists?(sboxfile)
   DoroConfig.init_sandbox(sboxfile)
 end
 
+unless Util.exists?(baseline_procs)
+  puts "[WARNING]".red + " There is no process-baseline file yet, Dorothy is going to create one."
+  Dorothy.run_baseline
+  puts "[WARNING]".red + "Baseline run finished."
+  exit(0)
+end
+
+BASELINE_PROCS = YAML.load_file(baseline_procs)
+
 #Check DB sandbox data
 if db.table_empty?("sandboxes")
   puts "[WARNING]".red + " No sandbox found in Dorothive, the DB will be filled with " + sboxfile

data/bin/dparser_start

@@ -63,22 +63,26 @@ LOGGER_PARSER.sev_threshold = DoroSettings.env[:loglevel]
 LOGGER = DoroLogger.new(logout, DoroSettings.env[:logage])
 LOGGER.sev_threshold = DoroSettings.env[:loglevel]
 
-begin
-
-rescue
+if system "sh -c 'type startpcapr > /dev/null 2>&1'"
+  pcapr_conf = "#{File.expand_path("~")}/.pcapr_local/config"
+  unless Util.exists?(pcapr_conf)
+    puts "[WARNING]".red + " Pcapr conf not found at #{File.expand_path("~")}/.pcapr_local/config "
+    puts "[WARNING]".red + " Although you have configured Dorothy in order to look for a *local* Pcapr instance,it seems that it is not configured yet,so please run \"startpcapr\" and configure it."
+    exit(1)
+  end
+else
+  puts "[WARNING]".red + "Although you have configured Dorothy in order to look for a *local* Pcapr instance, it seems *NOT INSTALLED* in your system.\n\t Please install it by typing \"sudo gem install pcapr-local\. Then set Pcapr to scan #{DoroSettings.env[:analysis_dir]}"
   exit(1)
-
 end
 
 
-
 begin
   DoroParser.start(daemon)
 rescue => e
   puts "[PARSER]".yellow + " An error occurred: ".red + $!
   if daemon
-  puts "[PARSER]".yellow + " For more information check the logfile" + $!
-  puts "[PARSER]".yellow + "Dorothy-Parser has been stopped"
+    puts "[PARSER]".yellow + " For more information check the logfile" + $!
+    puts "[PARSER]".yellow + "Dorothy-Parser has been stopped"
   end
   LOGGER_PARSER.error "Parser", "An error occurred: " + $!
   LOGGER_PARSER.debug "Parser", "#{e.inspect} --BACKTRACE: #{e.backtrace}"

data/dorothy2.gemspec

@@ -5,7 +5,7 @@ require 'dorothy2/version'
 
 Gem::Specification.new do |gem|
   gem.name          = "dorothy2"
-  gem.version       = Dorothy2::VERSION
+  gem.version       = Dorothy::VERSION
   gem.authors       = ["marco riccardi"]
   gem.email         = ["marco.riccardi@honeynet.it"]
   gem.description   = %q{A malware/botnet analysis framework written in Ruby.}
@@ -14,6 +14,7 @@ Gem::Specification.new do |gem|
   gem.files         = `git ls-files`.split($/)
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.extra_rdoc_files = ["README.md"]
   gem.require_paths = ["lib"]
   gem.add_dependency(%q<net-scp>, [">= 1.0.4"])
   gem.add_dependency(%q<net-ssh>, [">= 2.2.1"])
@@ -30,5 +31,6 @@ Gem::Specification.new do |gem|
   gem.add_dependency(%q<net-dns>, [">= 0.8.0"])
   gem.add_dependency(%q<geoip>, [">= 1.2.1"])
   gem.add_dependency(%q<tmail>, [">= 1.2.7.1"])
+  gem.post_install_message = 'If you are upgrating from a previous version, read the UPDATE file!'
 end
 

data/etc/ddl/dorothive.ddl

@@ -1072,6 +1072,32 @@ ALTER SEQUENCE whois_id_seq OWNED BY whois.id;
 SELECT pg_catalog.setval('whois_id_seq', 1, false);
 
 
+
+
+
+--
+-- Name: sys_procs; Type: TABLE; Schema: dorothy; Owner: postgres; Tablespace:
+--
+
+CREATE TABLE dorothy.sys_procs
+(
+  analysis_id integer NOT NULL,
+  pid integer NOT NULL,
+  name character varying,
+  owner character varying,
+  "cmdLine" character varying,
+  "startTime" timestamp without time zone,
+  "endTime" timestamp without time zone,
+  "exitCode" integer,
+  CONSTRAINT "procs-pk" PRIMARY KEY (analysis_id , pid ),
+  CONSTRAINT "anal_id-fk" FOREIGN KEY (analysis_id)
+      REFERENCES dorothy.analyses (id) MATCH SIMPLE
+      ON UPDATE NO ACTION ON DELETE NO ACTION
+)
+
+
+ALTER TABLE dorothy.sys_procs OWNER TO postgres;
+
 --
 -- Name: id; Type: DEFAULT; Schema: dorothy; Owner: postgres
 --

data/etc/extensions.yml

@@ -0,0 +1,34 @@
+#############################################
+### DOROTHY EXTENSION MANAGER               #
+#############################################
+### Choose how do you want to open the the
+### binaries into the Sandbox VM.
+### You can add as much extensions as you
+### want.
+#############################################
+---
+exe:
+  prog_name: Windows CMD.exe
+  prog_path: C:\windows\system32\cmd.exe
+  prog_args: /C
+
+dll:
+  prog_name: Windows Rundll32.exe
+  prog_path: C:\windows\system32\rundll32.exe
+  prog_args:
+
+html:
+  prog_name: Microsoft Explorer IEXPLORE.EXE
+  prog_path: C:\windows\system32\cmd.exe
+  prog_args: /C start "C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE"
+
+#doc:
+#  prog_name: Microsoft Word 2003
+#  prog_path:
+#  prog_args:
+
+#pdf:
+#  prog_name: Acrobat Reader Version 1.0
+#  prog_path:
+#  prog_args:
+

data/lib/doroParser.rb

@@ -424,7 +424,6 @@ module DoroParser
       #gets
       @insertdb.set_analyzed(dump['hash'])
       @insertdb.commit
-      @insertdb.close
     end
   end
 
@@ -454,6 +453,7 @@ module DoroParser
       sleep DoroSettings.env[:dtimeout].to_i if daemon # Sleeping a while if -d wasn't set, then quit.
     end
     LOGGER_PARSER.info "PARSER" , "There are no more pcaps to analyze.".yellow
+    @insertdb.close
     exit(0)
   end
 

data/lib/dorothy2.rb

@@ -2,9 +2,9 @@
 # This file is part of Dorothy - http://www.honeynet.it/
 # See the file 'LICENSE' for copying permission.
 
-##for irb debug:
+##.for irb debug:
 ##from $home, irb and :
-##load 'lib/dorothy2.rb'; include Dorothy; LOGGER = DoroLogger.new(STDOUT, "weekly"); DoroSettings.load!('etc/dorothy.yml')
+##load 'lib/dorothy2.rb'; include Dorothy; LOGGER = DoroLogger.new(STDOUT, "weekly"); DoroSettings.load!('etc/dorothy.yml'); VERBOSE = true
 
 require 'net/ssh'
 require 'net/scp'
@@ -19,7 +19,7 @@ require 'filemagic'
 require 'rbvmomi'
 require 'timeout'
 require 'virustotal'
-require 'ftools' #deprecated at ruby 1.9 !!!
+require 'ftools' #deprecated in ruby 1.9 !!!
 require 'filemagic'
 require 'md5'
 
@@ -33,35 +33,47 @@ require File.dirname(__FILE__) + '/dorothy2/NAM'
 require File.dirname(__FILE__) + '/dorothy2/BFM'
 require File.dirname(__FILE__) + '/dorothy2/do-utils'
 require File.dirname(__FILE__) + '/dorothy2/do-logger'
+require File.dirname(__FILE__) + '/dorothy2/version'
 
 module Dorothy
 
-  def get_time
-    time = Time.new
+  def get_time(local=Time.new)
+    time = local
     time.utc.strftime("%Y-%m-%d %H:%M:%S")
   end
 
 
   def start_analysis(bins)
+    @binum = bins.size
     bins.each do |bin|
       next unless check_support(bin)
       scan(bin) unless DoroSettings.env[:testmode]   #avoid to stress VT if we are just testing
-      @analysis_threads << Thread.new(bin.filename){
+      if MANUAL #no multithread
         db = Insertdb.new
-        sleep 30 while !(guestvm = db.find_vm)  #guestvm struct: array ["sandbox id", "sandbox name", "ipaddress", "user", "password"]
+        guestvm = db.find_vm
         analyze(bin, guestvm)
         db.free_vm(guestvm[0])
         db.close
-      }
+      else      #Use multithreading
+        @analysis_threads << Thread.new(bin.filename){
+          db = Insertdb.new
+          sleep rand(@binum * 2)  #OPTIMIZE #REVIEW
+          sleep rand(30) while !(guestvm = db.find_vm)  #guestvm struct: array ["sandbox id", "sandbox name", "ipaddress", "user", "password"]
+          analyze(bin, guestvm)
+          db.free_vm(guestvm[0])
+          db.close
+        }
+      end
     end
   end
 
 
   def check_support(bin)
-    if bin.extension == ".exe" || bin.extension == ".bat"
+    if EXTENSIONS.key?(bin.extension)
       true
     else
-      LOGGER.warn("SANDBOX", "File #{bin.filename} actually not supported, skipping\n" + "	Filtype: #{bin.type}") # if VERBOSE
+      LOGGER.warn("VSM", "File extension #{bin.extension} currently not configured in etc/extensions.yml, skipping")
+      LOGGER.debug("VSM", "Filtype: #{bin.type}") if VERBOSE
       dir_not_supported = File.dirname(bin.binpath) + "/not_supported"
       Dir.mkdir(dir_not_supported) unless File.exists?(dir_not_supported)
       FileUtils.cp(bin.binpath,dir_not_supported) #mv?
@@ -77,12 +89,6 @@ module Dorothy
     db = Insertdb.new
     anal_id = db.get_anal_id
 
-
-
-    #source.each do |sname, sinfo|
-
-    #Dir.chdir(sinfo[:dir])
-
     #set home vars
     sample_home = DoroSettings.env[:analysis_dir] + "/#{anal_id}"
     bin.dir_bin = "#{sample_home}/bin/"
@@ -90,13 +96,14 @@ module Dorothy
     bin.dir_screens = "#{sample_home}/screens/"
     bin.dir_downloads = "#{sample_home}/downloads/"
 
+    vm_log_header = "VM#{guestvm[0]} ".yellow + "[" + "#{anal_id}".red + "] "
 
-    LOGGER.info "SANDBOX", "VM#{guestvm[0]} ".yellow + "[" + "#{anal_id}".red + "]" + " Analyzing binary #{bin.filename}"
+    LOGGER.info "VSM", vm_log_header + "Analyzing binary #{bin.filename}"
 
     begin
       #crate dir structure in analisys home
       unless File.directory?(sample_home)
-        LOGGER.info "VSM","VM#{guestvm[0]} ".yellow + "Creating DIRS"
+        LOGGER.info "VSM",vm_log_header + "Creating DIRS"
         Dir.mkdir sample_home
         Dir.mkdir bin.dir_bin
         Dir.mkdir bin.dir_pcap
@@ -111,7 +118,7 @@ module Dorothy
         end
 
       else
-        LOGGER.warn "SANDBOX","Malware #{bin.md5} sample_home already present, WTF!? Skipping.."
+        LOGGER.warn "VSM",vm_log_header + "Malware #{bin.md5} sample_home already present, WTF!? Skipping.."
         #print "\n"
         return false
       end
@@ -122,9 +129,11 @@ module Dorothy
 
 
       #Creating a new VSM object for managing the SandBox VM
-      LOGGER.info "VSM","VM#{guestvm[0]} ".yellow + "Connecting to ESX Server #{DoroSettings.esx[:host]}"
+      LOGGER.info "VSM",vm_log_header + "Connecting to ESX Server #{DoroSettings.esx[:host]}"
 
       vsm = Doro_VSM::ESX.new(DoroSettings.esx[:host],DoroSettings.esx[:user],DoroSettings.esx[:pass],guestvm[1], guestvm[3], guestvm[4])
+      reverted = false
+
 
       #Copy File to VM
       r = 0
@@ -134,112 +143,147 @@ module Dorothy
       rescue
         if r <= 2
           r = r+1
-          LOGGER.warn "SANDBOX","VM#{guestvm[0]}".yellow + " GUESTOS Connection problem to Internet, retry n. #{r}/3"
+          LOGGER.warn "VSM",vm_log_header + " GUESTOS Connection problem to Internet, retry n. #{r}/3"
           sleep 20
           retry
         end
-        LOGGER.error "SANDBOX", "VM#{guestvm[0]}".yellow + " Guest system is not able to connect to internet"
+        LOGGER.error "VSM", vm_log_header + " Guest system is not able to connect to internet"
         r = 0
         retry
       end
 
 
 
-      LOGGER.info "VSM","VM#{guestvm[0]} ".yellow + "Copying #{bin.md5} to VM"
+      LOGGER.info "VSM",vm_log_header + "Copying #{bin.md5} to VM"
 
       filecontent = File.open(bin.binpath, "rb") { |byte| byte.read } #load filebinary
-      vsm.copy_file("#{bin.md5}#{bin.extension}",filecontent)
+      vsm.copy_file(bin.filename,filecontent)
 
       #Start Sniffer
       dumpname = anal_id.to_s + "-" + bin.md5
       pid = @nam.start_sniffer(guestvm[2],DoroSettings.nam[:interface], dumpname, DoroSettings.nam[:pcaphome])
-      LOGGER.info "NAM","VM#{guestvm[0]} ".yellow + "Start sniffing module"
-      LOGGER.debug "NAM","VM#{guestvm[0]} ".yellow + "Tcpdump instance #{pid} started" if VERBOSE
-
-      sleep 5
-
-      begin
-        #Execute File into VM
-        LOGGER.info "VSM","VM#{guestvm[0]} ".yellow + "Executing #{bin.md5} File into VM"
-
-        guestpid = vsm.exec_file("#{bin.md5}#{bin.extension}")
-
-        LOGGER.debug "VSM","VM#{guestvm[0]} ".yellow + "Program executed with PID #{guestpid}" if VERBOSE
-
-
-        LOGGER.info "VSM","VM#{guestvm[0]}".yellow + " Sleeping #{DoroSettings.sandbox[:sleeptime]} seconds".yellow
-
-        #wait n seconds
-
-        (1..DoroSettings.sandbox[:sleeptime]).each do |i|
-          @screenshot1 = vsm.screenshot if i == DoroSettings.sandbox[:screen1time]
-          @screenshot2 = vsm.screenshot if i == DoroSettings.sandbox[:screen2time]
-          #t = "."*i
-          #print "VM#{guestvm[0]}Sleeping #{SLEEPTIME} seconds".yellow  + " #{t}\r"
-          #print "VM#{guestvm[0]}Sleeping #{SLEEPTIME} seconds".yellow + " #{t}" + " [Done]\n".green if i == SLEEPTIME
-          sleep 1
-          $stdout.flush
+      LOGGER.info "NAM",vm_log_header + "Start sniffing module"
+      LOGGER.debug "NAM",vm_log_header + "Tcpdump instance #{pid} started" if VERBOSE
+
+      #sleep 5
+
+      @screenshots = Array.new
+
+      #Execute File into VM
+      LOGGER.info "VSM",vm_log_header + "Executing #{bin.md5} with #{EXTENSIONS["prog_args"]}"
+
+      if MANUAL
+        LOGGER.debug "VSM",vm_log_header + " MANUAL mode detected. You can now logon to rdp:// "
+
+        LOGGER.info "MANUAL-MODE",vm_log_header + "
+
+          Choose your next action:
+          1) Take Screenshot
+          2) Take ProcessList
+          3) Execute #{bin.filename}
+          0) Continue and revert the machine.
+
+          Select a nuber:"
+        answer = gets.chop
+
+        until answer == "0"
+          case answer
+            when "1" then
+              @screenshots.push vsm.screenshot
+              LOGGER.info "MANUAL-MODE",vm_log_header +  "Screenshot taken"
+            when "2"
+              @current_procs = vsm.get_running_procs
+              LOGGER.info "MANUAL-MODE",vm_log_header +  "Current ProcessList taken"
+            when "3"
+              guestpid = vsm.exec_file("C:\\#{bin.filename}",EXTENSIONS[bin.extension])
+              LOGGER.debug "MANUAL-MODE",vm_log_header + "Program executed with PID #{guestpid}"
+            #when "x" then -- More interactive actions to add
+            else
+              LOGGER.info "MANUAL-MODE",vm_log_header +  "Please select a number"
+          end
+          answer = gets.chop
         end
 
+        LOGGER.info "MANUAL-MODE",vm_log_header + "Moving forward.."
 
 
-        #Stopt Sniffer
-        LOGGER.info "NAM", "VM#{guestvm[0]} ".yellow + "Stopping sniffing module " + pid.to_s
-        @nam.stop_sniffer(pid)
-
-        #Stop/Revert VM
-        LOGGER.info "VSM","VM#{guestvm[0]} ".yellow + "Reverting VM"
-        vsm.revert_vm
+      else
+        guestpid = vsm.exec_file("C:\\#{bin.filename}",EXTENSIONS[bin.extension])
+        LOGGER.debug "VSM",vm_log_header + "Program executed with PID #{guestpid}" if VERBOSE
+        sleep 1
+        returncode = vsm.get_status(guestpid)
+        raise "The program was not correctly executed into the Sandbox. Status code: #{returncode}" unless returncode == 0 || returncode.nil?
+
+        LOGGER.info "VSM",vm_log_header + " Sleeping #{DoroSettings.sandbox[:sleeptime]} seconds".yellow
+        sleep DoroSettings.sandbox[:screen1time] % DoroSettings.sandbox[:sleeptime]
+
+        DoroSettings.sandbox[:num_screenshots].times do
+          @screenshots.push vsm.screenshot
+          sleep DoroSettings.sandbox[:screen2time] % DoroSettings.sandbox[:sleeptime]
+        end
 
-        sleep 5
+        sleep DoroSettings.sandbox[:sleeptime]
 
-      rescue => e
+        #Get Procs
+        @current_procs = vsm.get_running_procs
 
-        LOGGER.error "SANDBOX", "VM#{guestvm[0]} - An error occourred while executing the file into the vm:\n  #{$!}"
+      end
 
-        LOGGER.debug "SANDBOX" , "#{$!}\n #{e.inspect} \n #{e.backtrace}" if VERBOSE
 
-        LOGGER.warn "SANDBOX", "VM#{guestvm[0]} ".red + "[RECOVER] Stopping sniffing module ".yellow + pid.to_s
-        @nam.stop_sniffer(pid)
+      #Stop Sniffer, revert the VM
+      stop_nam_revertvm(@nam, pid, vsm, guestvm[0], reverted, vm_log_header)
 
-        LOGGER.warn "SANDBOX", "VM#{guestvm[0]} ".red + "[RECOVER] Reverting VM".yellow
-        vsm.revert_vm
-        sleep 5
+      vsm.revert_vm
+      reverted = true
 
-        LOGGER.warn "SANDBOX", "VM#{guestvm[0]} ".red + "[RECOVER] Recovering finished, skipping to next binaries".yellow
-        FileUtils.rm_r(sample_home)
-        return false
+      #Analyze new procs
+      LOGGER.info "VSM", vm_log_header + "Checking for spowned processes"
 
+      unless @current_procs.nil?
+        @procs = vsm.get_new_procs(@current_procs)
+        if @procs.size > 0
+          LOGGER.info "VSM", vm_log_header + "#{@procs.size} new process(es) found"
+          @procs.each_key do |pid|
+            LOGGER.info "VSM", vm_log_header + "[" + "+".red + "]" + " PID: #{pid}, NAME: #{@procs[pid]["pname"]}, COMMAND: #{@procs[pid]["cmdLine"]}"
+          end
+        end
       end
 
-
       #Downloading PCAP
-      LOGGER.info "NAM", "VM#{guestvm[0]} ".yellow + "Downloading #{dumpname}.pcap to #{bin.dir_pcap}"
+      LOGGER.info "NAM", vm_log_header + "Downloading #{dumpname}.pcap to #{bin.dir_pcap}"
       Ssh.download(DoroSettings.nam[:host], DoroSettings.nam[:user],DoroSettings.nam[:pass], DoroSettings.nam[:pcaphome] + "/#{dumpname}.pcap", bin.dir_pcap)
 
       #Downloading Screenshots from esx
-      LOGGER.info "NAM", "VM#{guestvm[0]} ".yellow + "Downloading Screenshots"
-      Ssh.download(DoroSettings.esx[:host],DoroSettings.esx[:user], DoroSettings.esx[:pass], @screenshot1, bin.dir_screens)
-      Ssh.download(DoroSettings.esx[:host],DoroSettings.esx[:user], DoroSettings.esx[:pass], @screenshot2, bin.dir_screens)
+      LOGGER.info "NAM", vm_log_header + "Downloading Screenshots"
 
-      #Put them to 644
-      File.chmod(0644, bin.dir_screens + File.basename(@screenshot1), bin.dir_screens + File.basename(@screenshot2) )
+      @screenshots.each do |screen|
+        Ssh.download(DoroSettings.esx[:host],DoroSettings.esx[:user], DoroSettings.esx[:pass], screen, bin.dir_screens)
+        #Put them to 644
+        File.chmod(0644, bin.dir_screens + File.basename(screen), bin.dir_screens + File.basename(screen) )
+      end
 
-      #####################
-      #UPDATE DOROTHIBE DB#
-      #####################
+      #UPDATE DOROTHIBE DB###################################
 
       dump = Loadmalw.new(bin.dir_pcap + dumpname + ".pcap")
 
-      #pcaprpath = bin.md5 + "/pcap/" + dump.filename
-      pcaprid = Loadmalw.calc_pcaprid(dump.filename, dump.size).rstrip
+      #TODO: dump.filname depends on the PCAPR pcaps path.
+      #9/pcap/9-7bbf2e721d9b03988dc448344fd45a0c.pcap
+      #pcapr_filename = anal_id + "/pcap/" + dump.filename
+
+
+      if DoroSettings.pcapr[:local]
+        pcapr_filename = "#{anal_id}/pcap/#{dump.filename}"
+        pcaprid = Loadmalw.calc_pcaprid(pcapr_filename, dump.size).rstrip
+      else
+        pcaprid = Loadmalw.calc_pcaprid(dump.filename, dump.size).rstrip
+      end
 
-      LOGGER.debug "NAM", "VM#{guestvm[0]} ".yellow + "Pcaprid: " + pcaprid if VERBOSE
+      LOGGER.debug "NAM", vm_log_header + "Pcaprid: " + pcaprid if VERBOSE
 
       empty_pcap = false
 
       if dump.size <= 30
-        LOGGER.warn "NAM", "VM#{guestvm[0]} WARNING - EMPTY PCAP FILE!!!! ::.."
+        LOGGER.warn "NAM", vm_log_header + "WARNING - EMPTY PCAP FILE!!!! ::.."
         #FileUtils.rm_r(sample_home)
         empty_pcap = true
       end
@@ -249,56 +293,120 @@ module Dorothy
       analysis_values = [anal_id, bin.sha, guestvm[0], dump.sha, get_time]
 
       if pcaprid.nil? || bin.dir_pcap.nil? || bin.sha.nil? || bin.md5.nil?
-        LOGGER.error "SANDBOX", "VM#{guestvm[0]} Can't retrieve the required information"
-        FileUtils.rm_r(sample_home)
-        return false
+        LOGGER.error "VSM", "VM#{guestvm[0]} Can't retrieve the required information"
+        raise "Some info missing.."
       end
 
 
       LOGGER.debug "DB", "VM#{guestvm[0]} Database insert phase" if VERBOSE
 
-      db = Insertdb.new
       db.begin_t  #needed for rollbacks
+      in_transaction = true
 
       unless empty_pcap
         unless db.insert("traffic_dumps", dumpvalues)
           LOGGER.fatal "DB", "VM#{guestvm[0]} Error while inserting data into table traffic_dumps. Skipping binary #{bin.md5}"
-          FileUtils.rm_r(sample_home)
-          return false
+          raise "DB-ERROR"
         end
       end
 
 
 
       unless db.insert("analyses", analysis_values)
-        LOGGER.fatal "DB", "VM#{guestvm[0]} Error while inserting data into table analyses. Skipping binary #{bin.md5}"
-        FileUtils.rm_r(sample_home)
-        return false
+        LOGGER.fatal "DB", vm_log_header + "Error while inserting data into table analyses. Skipping binary #{bin.md5}"
+        raise "DB-ERROR"
       end
 
+      @procs.each_key do |pid|
+        @procs[pid]["endTime"] ? end_time = get_time(@procs[pid]["endTime"]) : end_time = "null"
+        @procs[pid]["exitCode"] ? exit_code = @procs[pid]["exitCode"] : exit_code = "null"
+        sys_procs_values = [anal_id, pid, @procs[pid]["pname"], @procs[pid]["owner"], @procs[pid]["cmdLine"], get_time(@procs[pid]["startTime"]), end_time, exit_code ]
+        unless db.insert("sys_procs", sys_procs_values)
+          LOGGER.fatal "DB", vm_log_header + "Error while inserting data into table sys_procs. Skipping binary #{bin.md5}"
+          raise "DB-ERROR"
+        end
+      end
+
+
       #TODO ADD RT CODE
 
       db.commit
+      in_transaction = false
       db.close
 
-      LOGGER.info "VSM", "VM#{guestvm[0]} ".yellow + "Removing file from /bins directory"
+      LOGGER.info "VSM", vm_log_header + "Removing file from /bins directory"
       FileUtils.rm(bin.binpath)
-      LOGGER.info "VSM", "VM#{guestvm[0]} ".yellow + "Process compleated successfully"
+      LOGGER.info "VSM", vm_log_header + "Process compleated successfully"
 
-    rescue => e
+    rescue SignalException
+      LOGGER.warn "DOROTHY", "SIGINT".red + " Catched, exiting gracefully."
+      stop_nam_revertvm(@nam, pid, vsm, guestvm[0], reverted, vm_log_header)
+      LOGGER.debug "VSM", vm_log_header + "Removing working dir"
+      FileUtils.rm_r(sample_home)
+      if in_transaction
+        db.rollback  #rollback in case there is a transaction on going
+        db.close
+      end
 
-      LOGGER.error "SANDBOX", "VM#{guestvm[0]} An error occurred while analyzing #{bin.filename}, skipping\n"
+    rescue Exception => e
+      LOGGER.error "VSM", vm_log_header + "An error occurred while analyzing #{bin.filename}, skipping\n"
       LOGGER.debug "Dorothy" , "#{$!}\n #{e.inspect} \n #{e.backtrace}" if VERBOSE
 
+      LOGGER.warn "Dorothy", vm_log_header + "Stopping NAM instances if presents, reverting the Sandbox, and removing working directory"
+
+      stop_nam_revertvm(@nam, pid, vsm, guestvm[0], reverted, vm_log_header)
+      LOGGER.debug "VSM", vm_log_header + "Removing working dir"
+
       FileUtils.rm_r(sample_home)
-      db.rollback unless db.nil?  #rollback in case there is a transaction on going
-      return false
+
+      if in_transaction
+        db.rollback  #rollback in case there is a transaction on going
+        db.close
+      end
+
+      LOGGER.warn "VSM", vm_log_header + "Recover finished."
+
+
     end
 
+  end
 
+#Stop NAM instance and Revert VM
+def stop_nam_revertvm(nam, pid, vsm, guestvm, reverted, vm_log_header)
 
+  if pid
+    LOGGER.info "VSM", vm_log_header + " Stopping sniffing module " + pid.to_s
+    nam.stop_sniffer(pid)
+  end
 
+  unless reverted || vsm.nil?
+    LOGGER.info "VSM", vm_log_header + " Reverting VM"
+    vsm.revert_vm
+    sleep 3   #wait some seconds for letting the vm revert..
+  end
+end
 
+###Create Baseline
+  def run_baseline
+    db = Insertdb.new
+    guestvm = db.find_vm
+    LOGGER.info "VSM","VM#{guestvm[0]}".red + " Executng the baseline run"
+    vsm = Doro_VSM::ESX.new(DoroSettings.esx[:host],DoroSettings.esx[:user],DoroSettings.esx[:pass],guestvm[1], guestvm[3], guestvm[4])
+    vsm.check_internet
+    LOGGER.info "VSM","VM#{guestvm[0]}".red + " Sleeping #{DoroSettings.sandbox[:sleeptime]} seconds".yellow
+    sleep DoroSettings.sandbox[:sleeptime]
+    vsm.get_running_procs(nil, true)  #save on file
+    LOGGER.info "VSM", "VM#{guestvm[0]} ".red + "Reverting VM".yellow
+    vsm.revert_vm
+    db.free_vm(guestvm[0])
+    db.close
+  rescue => e
+    LOGGER.error "VSM", "VM#{guestvm[0]} An error occurred while performing the BASELINE run, please retry"
+    LOGGER.debug "Dorothy" , "#{$!}\n #{e.inspect} \n #{e.backtrace}" if VERBOSE
+    LOGGER.warn "VSM", "VM#{guestvm[0]} ".red + "[RECOVER] Reverting VM".yellow
+    vsm.revert_vm
+    db.free_vm(guestvm[0])
+    db.close
   end
 
 ########################
@@ -322,8 +430,8 @@ module Dorothy
         sleep 30
       end
 
-      LOGGER.info("VTOTAL", "#{bin.md5} Detection Rate: #{vt.rate}")
-      LOGGER.info("VTOTAL", "#{bin.md5} Family by McAfee: #{vt.family}")
+      LOGGER.info "VTOTAL", "#{bin.md5} Detection Rate: #{vt.rate}"
+      LOGGER.info "VTOTAL", "#{bin.md5} Family by McAfee: #{vt.family}"
 
       LOGGER.info "VTOTAL", "Updating DB"
       vtvalues = [bin.sha, vt.family, vt.vendor, vt.version, vt.rate, vt.updated, vt.detected]
@@ -418,7 +526,7 @@ module Dorothy
 
   end
 
-  def check_pid_file file
+  def check_pid_file(file)
     if File.exist? file
       # If we get Errno::ESRCH then process does not exist and
       # we can safely cleanup the pid file.
@@ -436,7 +544,7 @@ module Dorothy
     end
   end
 
-  def create_pid_file file
+  def create_pid_file(file)
     File.open(file, "w") { |f| f.puts Process.pid }
 
     # Remove pid file during shutdown
@@ -462,4 +570,4 @@ module Dorothy
     end
   end
 
-end
+end