line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
# |
2
|
|
|
|
|
|
|
# $Id$ |
3
|
|
|
|
|
|
|
# |
4
|
|
|
|
|
|
|
# remote::sandbox Brik |
5
|
|
|
|
|
|
|
# |
6
|
|
|
|
|
|
|
package Metabrik::Remote::Sandbox; |
7
|
1
|
|
|
1
|
|
797
|
use strict; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
35
|
|
8
|
1
|
|
|
1
|
|
5
|
use warnings; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
27
|
|
9
|
|
|
|
|
|
|
|
10
|
1
|
|
|
1
|
|
5
|
use base qw(Metabrik::Remote::Winexe); |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
2386
|
|
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
sub brik_properties { |
13
|
|
|
|
|
|
|
return { |
14
|
0
|
|
|
0
|
1
|
|
revision => '$Revision$', |
15
|
|
|
|
|
|
|
tags => [ qw(unstable) ], |
16
|
|
|
|
|
|
|
author => 'GomoR ', |
17
|
|
|
|
|
|
|
license => 'http://opensource.org/licenses/BSD-3-Clause', |
18
|
|
|
|
|
|
|
attributes => { |
19
|
|
|
|
|
|
|
datadir => [ qw(datadir) ], |
20
|
|
|
|
|
|
|
es_nodes => [ qw(nodes) ], |
21
|
|
|
|
|
|
|
es_indices => [ qw(indices) ], |
22
|
|
|
|
|
|
|
win_host => [ qw(host) ], |
23
|
|
|
|
|
|
|
win_user => [ qw(user) ], |
24
|
|
|
|
|
|
|
win_password => [ qw(password) ], |
25
|
|
|
|
|
|
|
vm_id => [ qw(id) ], |
26
|
|
|
|
|
|
|
vm_snapshot_name => [ qw(name) ], |
27
|
|
|
|
|
|
|
use_regex_match => [ qw(0|1) ], |
28
|
|
|
|
|
|
|
_client => [ qw(INTERNAL) ], |
29
|
|
|
|
|
|
|
_ci => [ qw(INTERNAL) ], |
30
|
|
|
|
|
|
|
_em => [ qw(INTERNAL) ], |
31
|
|
|
|
|
|
|
_fb => [ qw(INTERNAL) ], |
32
|
|
|
|
|
|
|
_sf => [ qw(INTERNAL) ], |
33
|
|
|
|
|
|
|
_fr => [ qw(INTERNAL) ], |
34
|
|
|
|
|
|
|
_cs => [ qw(INTERNAL) ], |
35
|
|
|
|
|
|
|
_ce => [ qw(INTERNAL) ], |
36
|
|
|
|
|
|
|
_rs => [ qw(INTERNAL) ], |
37
|
|
|
|
|
|
|
_rw => [ qw(INTERNAL) ], |
38
|
|
|
|
|
|
|
_rwd => [ qw(INTERNAL) ], |
39
|
|
|
|
|
|
|
_sv => [ qw(INTERNAL) ], |
40
|
|
|
|
|
|
|
_fs => [ qw(INTERNAL) ], |
41
|
|
|
|
|
|
|
}, |
42
|
|
|
|
|
|
|
attributes_default => { |
43
|
|
|
|
|
|
|
es_nodes => [ qw(http://localhost:9200) ], |
44
|
|
|
|
|
|
|
es_indices => 'winlogbeat-*', |
45
|
|
|
|
|
|
|
vm_snapshot_name => '666_before_malware', |
46
|
|
|
|
|
|
|
use_regex_match => 0, |
47
|
|
|
|
|
|
|
}, |
48
|
|
|
|
|
|
|
commands => { |
49
|
|
|
|
|
|
|
create_client => [ ], |
50
|
|
|
|
|
|
|
save_elasticsearch_state => [ qw(name|OPTIONAL) ], |
51
|
|
|
|
|
|
|
restore_elasticsearch_state => [ ], |
52
|
|
|
|
|
|
|
restart_sysmon_collector => [ ], |
53
|
|
|
|
|
|
|
upload_and_execute => [ qw(file) ], |
54
|
|
|
|
|
|
|
diff_ps_state => [ qw(processes|OPTIONAL) ], |
55
|
|
|
|
|
|
|
diff_ps_network_connections => [ qw(processes|OPTIONAL) ], |
56
|
|
|
|
|
|
|
diff_ps_target_filename_created => [ qw(processes|OPTIONAL) ], |
57
|
|
|
|
|
|
|
diff_ps_registry_value_set => [ qw(processes|OPTIONAL) ], |
58
|
|
|
|
|
|
|
diff_ps_registry_object_added_or_deleted => [ qw(processes|OPTIONAL) ], |
59
|
|
|
|
|
|
|
diff_ps_target_process_accessed => [ qw(processes|OPTIONAL) ], |
60
|
|
|
|
|
|
|
loop_and_download_created_files => [ qw(processes|OPTIONAL) ], |
61
|
|
|
|
|
|
|
memdump_as_volatility => [ qw(output|OPTIONAL) ], |
62
|
|
|
|
|
|
|
stop_vm => [ ], |
63
|
|
|
|
|
|
|
restore_vm => [ ], |
64
|
|
|
|
|
|
|
}, |
65
|
|
|
|
|
|
|
require_modules => { |
66
|
|
|
|
|
|
|
'Metabrik::System::File' => [ ], |
67
|
|
|
|
|
|
|
'Metabrik::String::Password' => [ ], |
68
|
|
|
|
|
|
|
'Metabrik::Client::Smbclient' => [ ], |
69
|
|
|
|
|
|
|
'Metabrik::Client::Elasticsearch' => [ ], |
70
|
|
|
|
|
|
|
'Metabrik::Remote::Sysmon' => [ ], |
71
|
|
|
|
|
|
|
'Metabrik::Remote::Winsvc' => [ ], |
72
|
|
|
|
|
|
|
'Metabrik::Remote::Windefend' => [ ], |
73
|
|
|
|
|
|
|
'Metabrik::System::Virtualbox' => [ ], |
74
|
|
|
|
|
|
|
'Metabrik::Forensic::Sysmon' => [ ], |
75
|
|
|
|
|
|
|
}, |
76
|
|
|
|
|
|
|
require_binaries => { |
77
|
|
|
|
|
|
|
}, |
78
|
|
|
|
|
|
|
optional_binaries => { |
79
|
|
|
|
|
|
|
}, |
80
|
|
|
|
|
|
|
need_packages => { |
81
|
|
|
|
|
|
|
}, |
82
|
|
|
|
|
|
|
}; |
83
|
|
|
|
|
|
|
} |
84
|
|
|
|
|
|
|
|
85
|
|
|
|
|
|
|
sub brik_use_properties { |
86
|
0
|
|
|
0
|
1
|
|
my $self = shift; |
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
return { |
89
|
0
|
|
|
|
|
|
attributes_default => { |
90
|
|
|
|
|
|
|
}, |
91
|
|
|
|
|
|
|
}; |
92
|
|
|
|
|
|
|
} |
93
|
|
|
|
|
|
|
|
94
|
|
|
|
|
|
|
sub brik_preinit { |
95
|
0
|
|
|
0
|
1
|
|
my $self = shift; |
96
|
|
|
|
|
|
|
|
97
|
|
|
|
|
|
|
# Do your preinit here, return 0 on error. |
98
|
|
|
|
|
|
|
|
99
|
0
|
|
|
|
|
|
return $self->SUPER::brik_preinit; |
100
|
|
|
|
|
|
|
} |
101
|
|
|
|
|
|
|
|
102
|
|
|
|
|
|
|
sub brik_init { |
103
|
0
|
|
|
0
|
1
|
|
my $self = shift; |
104
|
|
|
|
|
|
|
|
105
|
|
|
|
|
|
|
# Do your init here, return 0 on error. |
106
|
|
|
|
|
|
|
|
107
|
0
|
|
|
|
|
|
return $self->SUPER::brik_init; |
108
|
|
|
|
|
|
|
} |
109
|
|
|
|
|
|
|
|
110
|
|
|
|
|
|
|
sub create_client { |
111
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
112
|
|
|
|
|
|
|
|
113
|
0
|
0
|
|
|
|
|
if ($self->_client) { |
114
|
0
|
|
|
|
|
|
return 1; |
115
|
|
|
|
|
|
|
} |
116
|
|
|
|
|
|
|
|
117
|
0
|
|
|
|
|
|
my $win_user = $self->win_user; |
118
|
0
|
|
|
|
|
|
my $win_host = $self->win_host; |
119
|
0
|
|
|
|
|
|
my $win_password = $self->win_password; |
120
|
0
|
|
|
|
|
|
my $es_nodes = $self->es_nodes; |
121
|
0
|
|
|
|
|
|
my $vm_id = $self->vm_id; |
122
|
0
|
0
|
|
|
|
|
$self->brik_help_set_undef_arg('win_user', $win_user) or return; |
123
|
0
|
0
|
|
|
|
|
$self->brik_help_set_undef_arg('win_host', $win_host) or return; |
124
|
0
|
0
|
|
|
|
|
$self->brik_help_set_undef_arg('vm_id', $vm_id) or return; |
125
|
|
|
|
|
|
|
|
126
|
0
|
0
|
|
|
|
|
if (! defined($win_password)) { |
127
|
0
|
0
|
|
|
|
|
my $sp = Metabrik::String::Password->new_from_brik_init($self) or return; |
128
|
0
|
0
|
|
|
|
|
$win_password = $sp->prompt or return; |
129
|
|
|
|
|
|
|
} |
130
|
|
|
|
|
|
|
|
131
|
0
|
|
|
|
|
|
$self->host($win_host); |
132
|
0
|
|
|
|
|
|
$self->user($win_user); |
133
|
0
|
|
|
|
|
|
$self->password($win_password); |
134
|
|
|
|
|
|
|
|
135
|
0
|
0
|
|
|
|
|
my $cs = Metabrik::Client::Smbclient->new_from_brik_init($self) or return; |
136
|
0
|
|
|
|
|
|
$cs->host($win_host); |
137
|
0
|
|
|
|
|
|
$cs->user($win_user); |
138
|
0
|
|
|
|
|
|
$cs->password($win_password); |
139
|
|
|
|
|
|
|
|
140
|
0
|
0
|
|
|
|
|
my $ce = Metabrik::Client::Elasticsearch->new_from_brik_init($self) or return; |
141
|
0
|
|
|
|
|
|
$ce->nodes($es_nodes); |
142
|
0
|
0
|
|
|
|
|
$ce->open or return; |
143
|
|
|
|
|
|
|
|
144
|
0
|
0
|
|
|
|
|
my $rs = Metabrik::Remote::Sysmon->new_from_brik_init($self) or return; |
145
|
0
|
|
|
|
|
|
$rs->host($win_host); |
146
|
0
|
|
|
|
|
|
$rs->user($win_user); |
147
|
0
|
|
|
|
|
|
$rs->password($win_password); |
148
|
|
|
|
|
|
|
|
149
|
0
|
0
|
|
|
|
|
my $rw = Metabrik::Remote::Winsvc->new_from_brik_init($self) or return; |
150
|
0
|
|
|
|
|
|
$rw->host($win_host); |
151
|
0
|
|
|
|
|
|
$rw->user($win_user); |
152
|
0
|
|
|
|
|
|
$rw->password($win_password); |
153
|
|
|
|
|
|
|
|
154
|
0
|
0
|
|
|
|
|
my $rwd = Metabrik::Remote::Windefend->new_from_brik_init($self) or return; |
155
|
0
|
|
|
|
|
|
$rwd->host($win_host); |
156
|
0
|
|
|
|
|
|
$rwd->user($win_user); |
157
|
0
|
|
|
|
|
|
$rwd->password($win_password); |
158
|
|
|
|
|
|
|
|
159
|
0
|
0
|
|
|
|
|
my $sv = Metabrik::System::Virtualbox->new_from_brik_init($self) or return; |
160
|
0
|
|
|
|
|
|
$sv->type('gui'); |
161
|
|
|
|
|
|
|
|
162
|
0
|
0
|
|
|
|
|
my $fs = Metabrik::Forensic::Sysmon->new_from_brik_init($self) or return; |
163
|
0
|
|
|
|
|
|
$fs->use_regex_match($self->use_regex_match); |
164
|
|
|
|
|
|
|
|
165
|
0
|
|
|
|
|
|
$self->_cs($cs); |
166
|
0
|
|
|
|
|
|
$self->_ce($ce); |
167
|
0
|
|
|
|
|
|
$self->_rs($rs); |
168
|
0
|
|
|
|
|
|
$self->_rw($rw); |
169
|
0
|
|
|
|
|
|
$self->_rwd($rwd); |
170
|
0
|
|
|
|
|
|
$self->_sv($sv); |
171
|
0
|
|
|
|
|
|
$self->_fs($fs); |
172
|
|
|
|
|
|
|
|
173
|
0
|
|
|
|
|
|
return $self->_client(1); |
174
|
|
|
|
|
|
|
} |
175
|
|
|
|
|
|
|
|
176
|
|
|
|
|
|
|
sub save_elasticsearch_state { |
177
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
178
|
0
|
|
|
|
|
|
my ($name) = @_; |
179
|
|
|
|
|
|
|
|
180
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
181
|
|
|
|
|
|
|
|
182
|
0
|
|
|
|
|
|
my $ce = $self->_ce; |
183
|
0
|
|
|
|
|
|
my $indices = $self->es_indices; |
184
|
|
|
|
|
|
|
|
185
|
0
|
|
|
|
|
|
return $ce->create_snapshot_for_indices($indices, $name); |
186
|
|
|
|
|
|
|
} |
187
|
|
|
|
|
|
|
|
188
|
|
|
|
|
|
|
sub restore_elasticsearch_state { |
189
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
190
|
|
|
|
|
|
|
|
191
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
192
|
|
|
|
|
|
|
|
193
|
0
|
|
|
|
|
|
my $ce = $self->_ce; |
194
|
|
|
|
|
|
|
|
195
|
0
|
|
|
|
|
|
my $indices = $self->es_indices; |
196
|
|
|
|
|
|
|
|
197
|
0
|
0
|
|
|
|
|
$ce->delete_index($indices) or return; |
198
|
|
|
|
|
|
|
|
199
|
0
|
|
|
|
|
|
$ce->restore_snapshot_for_indices($indices); |
200
|
|
|
|
|
|
|
|
201
|
|
|
|
|
|
|
# Waiting for restoration to complete. |
202
|
0
|
|
|
|
|
|
while (! $ce->get_snapshot_state) { |
203
|
0
|
|
|
|
|
|
sleep(1); |
204
|
|
|
|
|
|
|
} |
205
|
|
|
|
|
|
|
|
206
|
0
|
|
|
|
|
|
return 1; |
207
|
|
|
|
|
|
|
} |
208
|
|
|
|
|
|
|
|
209
|
|
|
|
|
|
|
sub restart_sysmon_collector { |
210
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
211
|
|
|
|
|
|
|
|
212
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
213
|
|
|
|
|
|
|
|
214
|
0
|
|
|
|
|
|
my $rs = $self->_rs; |
215
|
0
|
0
|
|
|
|
|
$rs->generate_conf or return; |
216
|
0
|
0
|
|
|
|
|
$rs->update_conf or return; |
217
|
0
|
0
|
|
|
|
|
$rs->redeploy or return; |
218
|
|
|
|
|
|
|
|
219
|
0
|
|
|
|
|
|
my $rw = $self->_rw; |
220
|
0
|
0
|
|
|
|
|
$rs->restart('winlogbeat') or return; |
221
|
|
|
|
|
|
|
|
222
|
0
|
|
|
|
|
|
return 1; |
223
|
|
|
|
|
|
|
} |
224
|
|
|
|
|
|
|
|
225
|
|
|
|
|
|
|
sub upload_and_execute { |
226
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
227
|
0
|
|
|
|
|
|
my ($file) = @_; |
228
|
|
|
|
|
|
|
|
229
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
230
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('upload_and_execute', $file) or return; |
231
|
0
|
0
|
|
|
|
|
$self->brik_help_run_file_not_found('upload_and_execute', $file) or return; |
232
|
|
|
|
|
|
|
|
233
|
0
|
|
|
|
|
|
my $ce = $self->_ce; |
234
|
0
|
|
|
|
|
|
my $sv = $self->_sv; |
235
|
0
|
|
|
|
|
|
my $cs = $self->_cs; |
236
|
0
|
|
|
|
|
|
my $rwd = $self->_rwd; |
237
|
0
|
|
|
|
|
|
my $fs = $self->_fs; |
238
|
|
|
|
|
|
|
|
239
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: restoring Elasticsearch state..."); |
240
|
0
|
0
|
|
|
|
|
$self->restore_elasticsearch_state or return; |
241
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: done."); |
242
|
|
|
|
|
|
|
|
243
|
|
|
|
|
|
|
# We create a restore point if none exists yet. |
244
|
|
|
|
|
|
|
# Or we restore the previous one. |
245
|
0
|
0
|
|
|
|
|
my $list = $sv->snapshot_list($self->vm_id) or return; |
246
|
0
|
|
|
|
|
|
my $found = 0; |
247
|
0
|
|
|
|
|
|
for my $this (@$list) { |
248
|
0
|
0
|
|
|
|
|
if ($this->{name} eq $self->vm_snapshot_name) { |
249
|
0
|
|
|
|
|
|
$found = 1; |
250
|
0
|
|
|
|
|
|
last; |
251
|
|
|
|
|
|
|
} |
252
|
|
|
|
|
|
|
} |
253
|
0
|
0
|
|
|
|
|
if (! $found) { |
254
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: snapshoting VM state..."); |
255
|
0
|
0
|
|
|
|
|
$sv->snapshot_live($self->vm_id, $self->vm_snapshot_name) or return; |
256
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: done."); |
257
|
|
|
|
|
|
|
} |
258
|
|
|
|
|
|
|
else { |
259
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: restoring VM state..."); |
260
|
0
|
|
|
|
|
|
$sv->stop($self->vm_id); |
261
|
0
|
0
|
|
|
|
|
$sv->snapshot_restore($self->vm_id, $self->vm_snapshot_name) or return; |
262
|
0
|
0
|
|
|
|
|
$sv->start($self->vm_id) or return; |
263
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: done."); |
264
|
|
|
|
|
|
|
} |
265
|
|
|
|
|
|
|
|
266
|
0
|
|
|
|
|
|
sleep(5); # Waiting for VM to start. |
267
|
|
|
|
|
|
|
|
268
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: disabling Windows Defender..."); |
269
|
0
|
0
|
|
|
|
|
$rwd->disable or return; |
270
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: done."); |
271
|
|
|
|
|
|
|
|
272
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: uploading file..."); |
273
|
0
|
0
|
|
|
|
|
$cs->upload($file) or return; |
274
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: done."); |
275
|
|
|
|
|
|
|
|
276
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: saving sysmon state..."); |
277
|
0
|
0
|
|
|
|
|
$fs->save_state or return; |
278
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: done."); |
279
|
|
|
|
|
|
|
|
280
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: executing malware..."); |
281
|
0
|
|
|
|
|
|
$self->execute('"c:\\windows\\temp\\'.$file.'"'); |
282
|
0
|
|
|
|
|
|
$self->log->info("upload_and_execute: done."); |
283
|
|
|
|
|
|
|
|
284
|
0
|
|
|
|
|
|
return 1; |
285
|
|
|
|
|
|
|
} |
286
|
|
|
|
|
|
|
|
287
|
|
|
|
|
|
|
sub diff_ps_state { |
288
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
289
|
0
|
|
|
|
|
|
my ($processes) = @_; |
290
|
|
|
|
|
|
|
|
291
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
292
|
|
|
|
|
|
|
|
293
|
0
|
0
|
|
|
|
|
if (defined($processes)) { |
294
|
0
|
0
|
|
|
|
|
$self->brik_help_run_invalid_arg('diff_ps_state', |
295
|
|
|
|
|
|
|
$processes, 'ARRAY') or return; |
296
|
|
|
|
|
|
|
} |
297
|
|
|
|
|
|
|
|
298
|
0
|
|
|
|
|
|
my $fs = $self->_fs; |
299
|
|
|
|
|
|
|
|
300
|
0
|
|
|
|
|
|
return $fs->diff_current_state('ps', $processes); |
301
|
|
|
|
|
|
|
} |
302
|
|
|
|
|
|
|
|
303
|
|
|
|
|
|
|
sub diff_ps_network_connections { |
304
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
305
|
0
|
|
|
|
|
|
my ($processes) = @_; |
306
|
|
|
|
|
|
|
|
307
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
308
|
|
|
|
|
|
|
|
309
|
0
|
0
|
|
|
|
|
if (defined($processes)) { |
310
|
0
|
0
|
|
|
|
|
$self->brik_help_run_invalid_arg('diff_ps_network_connections', |
311
|
|
|
|
|
|
|
$processes, 'ARRAY') or return; |
312
|
|
|
|
|
|
|
} |
313
|
|
|
|
|
|
|
|
314
|
0
|
|
|
|
|
|
my $fs = $self->_fs; |
315
|
|
|
|
|
|
|
|
316
|
0
|
|
|
|
|
|
return $fs->diff_current_state('ps_network_connections', $processes); |
317
|
|
|
|
|
|
|
} |
318
|
|
|
|
|
|
|
|
319
|
|
|
|
|
|
|
sub diff_ps_target_filename_created { |
320
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
321
|
0
|
|
|
|
|
|
my ($processes) = @_; |
322
|
|
|
|
|
|
|
|
323
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
324
|
|
|
|
|
|
|
|
325
|
0
|
0
|
|
|
|
|
if (defined($processes)) { |
326
|
0
|
0
|
|
|
|
|
$self->brik_help_run_invalid_arg('diff_ps_target_filename_created', |
327
|
|
|
|
|
|
|
$processes, 'ARRAY') or return; |
328
|
|
|
|
|
|
|
} |
329
|
|
|
|
|
|
|
|
330
|
0
|
|
|
|
|
|
my $fs = $self->_fs; |
331
|
|
|
|
|
|
|
|
332
|
0
|
|
|
|
|
|
return $fs->diff_current_state('ps_target_filename_created', $processes); |
333
|
|
|
|
|
|
|
} |
334
|
|
|
|
|
|
|
|
335
|
|
|
|
|
|
|
sub diff_ps_registry_value_set { |
336
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
337
|
0
|
|
|
|
|
|
my ($processes) = @_; |
338
|
|
|
|
|
|
|
|
339
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
340
|
|
|
|
|
|
|
|
341
|
0
|
0
|
|
|
|
|
if (defined($processes)) { |
342
|
0
|
0
|
|
|
|
|
$self->brik_help_run_invalid_arg('diff_ps_registry_value_set', |
343
|
|
|
|
|
|
|
$processes, 'ARRAY') or return; |
344
|
|
|
|
|
|
|
} |
345
|
|
|
|
|
|
|
|
346
|
0
|
|
|
|
|
|
my $fs = $self->_fs; |
347
|
|
|
|
|
|
|
|
348
|
0
|
|
|
|
|
|
return $fs->diff_current_state('ps_registry_value_set', $processes); |
349
|
|
|
|
|
|
|
} |
350
|
|
|
|
|
|
|
|
351
|
|
|
|
|
|
|
sub diff_ps_registry_object_added_or_deleted { |
352
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
353
|
0
|
|
|
|
|
|
my ($processes) = @_; |
354
|
|
|
|
|
|
|
|
355
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
356
|
|
|
|
|
|
|
|
357
|
0
|
0
|
|
|
|
|
if (defined($processes)) { |
358
|
0
|
0
|
|
|
|
|
$self->brik_help_run_invalid_arg('diff_ps_registry_object_added_or_deleted', |
359
|
|
|
|
|
|
|
$processes, 'ARRAY') or return; |
360
|
|
|
|
|
|
|
} |
361
|
|
|
|
|
|
|
|
362
|
0
|
|
|
|
|
|
my $fs = $self->_fs; |
363
|
|
|
|
|
|
|
|
364
|
0
|
|
|
|
|
|
return $fs->diff_current_state('ps_registry_object_added_or_deleted', $processes); |
365
|
|
|
|
|
|
|
} |
366
|
|
|
|
|
|
|
|
367
|
|
|
|
|
|
|
sub diff_ps_target_process_accessed { |
368
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
369
|
0
|
|
|
|
|
|
my ($processes) = @_; |
370
|
|
|
|
|
|
|
|
371
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
372
|
|
|
|
|
|
|
|
373
|
0
|
0
|
|
|
|
|
if (defined($processes)) { |
374
|
0
|
0
|
|
|
|
|
$self->brik_help_run_invalid_arg('diff_ps_target_process_accessed', |
375
|
|
|
|
|
|
|
$processes, 'ARRAY') or return; |
376
|
|
|
|
|
|
|
} |
377
|
|
|
|
|
|
|
|
378
|
0
|
|
|
|
|
|
my $fs = $self->_fs; |
379
|
|
|
|
|
|
|
|
380
|
0
|
|
|
|
|
|
return $fs->diff_current_state('ps_target_process_accessed', $processes); |
381
|
|
|
|
|
|
|
} |
382
|
|
|
|
|
|
|
|
383
|
|
|
|
|
|
|
sub loop_and_download_created_files { |
384
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
385
|
0
|
|
|
|
|
|
my ($processes, $output_dir) = @_; |
386
|
|
|
|
|
|
|
|
387
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
388
|
|
|
|
|
|
|
|
389
|
0
|
|
0
|
|
|
|
$output_dir ||= defined($self->shell) && $self->shell->full_pwd || '/tmp'; |
|
|
|
0
|
|
|
|
|
390
|
|
|
|
|
|
|
|
391
|
0
|
0
|
|
|
|
|
if (defined($processes)) { |
392
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('loop_and_download_created_files', $processes) |
393
|
|
|
|
|
|
|
or return; |
394
|
0
|
0
|
|
|
|
|
$self->brik_help_run_invalid_arg('loop_and_download_created_files', $processes, |
395
|
|
|
|
|
|
|
'ARRAY', 'SCALAR') or return; |
396
|
|
|
|
|
|
|
} |
397
|
|
|
|
|
|
|
|
398
|
0
|
|
|
|
|
|
my $cs = $self->_cs; |
399
|
0
|
|
|
|
|
|
my $fs = $self->_fs; |
400
|
|
|
|
|
|
|
|
401
|
0
|
|
|
|
|
|
$output_dir .= "/download"; |
402
|
0
|
0
|
|
|
|
|
my $sf = Metabrik::System::File->new_from_brik_init($self) or return; |
403
|
0
|
0
|
|
|
|
|
$sf->mkdir($output_dir) or return; |
404
|
|
|
|
|
|
|
|
405
|
0
|
|
|
|
|
|
while (1) { |
406
|
0
|
0
|
|
|
|
|
my $diff = $fs->diff_current_state('ps_target_filename_created', $processes) |
407
|
|
|
|
|
|
|
or return; |
408
|
|
|
|
|
|
|
|
409
|
0
|
0
|
|
|
|
|
if (exists($diff->{ps_target_filename_created})) { |
410
|
0
|
|
|
|
|
|
my $created = $diff->{ps_target_filename_created}; |
411
|
0
|
|
|
|
|
|
for my $process (keys %$created) { |
412
|
0
|
|
|
|
|
|
for my $file (@{$created->{$process}}) { |
|
0
|
|
|
|
|
|
|
413
|
0
|
|
|
|
|
|
$self->log->info("loop_and_download_created_files: ". |
414
|
|
|
|
|
|
|
"downloading file [$file]"); |
415
|
0
|
|
|
|
|
|
$cs->download_in_background($file, $output_dir); |
416
|
|
|
|
|
|
|
} |
417
|
|
|
|
|
|
|
} |
418
|
|
|
|
|
|
|
} |
419
|
|
|
|
|
|
|
} |
420
|
|
|
|
|
|
|
|
421
|
0
|
|
|
|
|
|
return 1; |
422
|
|
|
|
|
|
|
} |
423
|
|
|
|
|
|
|
|
424
|
|
|
|
|
|
|
sub memdump_as_volatility { |
425
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
426
|
|
|
|
|
|
|
|
427
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
428
|
|
|
|
|
|
|
|
429
|
0
|
|
|
|
|
|
my $vm_id = $self->vm_id; |
430
|
0
|
|
|
|
|
|
my $sv = $self->_sv; |
431
|
|
|
|
|
|
|
|
432
|
0
|
0
|
|
|
|
|
my $output = $sv->dumpvmcore($vm_id) or return; |
433
|
|
|
|
|
|
|
|
434
|
0
|
|
|
|
|
|
return $sv->extract_memdump_from_dumpguestcore($output); |
435
|
|
|
|
|
|
|
} |
436
|
|
|
|
|
|
|
|
437
|
|
|
|
|
|
|
sub stop_vm { |
438
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
439
|
|
|
|
|
|
|
|
440
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
441
|
|
|
|
|
|
|
|
442
|
0
|
|
|
|
|
|
my $vm_id = $self->vm_id; |
443
|
0
|
|
|
|
|
|
my $sv = $self->_sv; |
444
|
|
|
|
|
|
|
|
445
|
0
|
|
|
|
|
|
return $sv->stop($vm_id); |
446
|
|
|
|
|
|
|
} |
447
|
|
|
|
|
|
|
|
448
|
|
|
|
|
|
|
sub restore_vm { |
449
|
0
|
|
|
0
|
0
|
|
my $self = shift; |
450
|
|
|
|
|
|
|
|
451
|
0
|
0
|
|
|
|
|
$self->brik_help_run_undef_arg('create_client', $self->_client) or return; |
452
|
|
|
|
|
|
|
|
453
|
0
|
|
|
|
|
|
my $vm_id = $self->vm_id; |
454
|
0
|
|
|
|
|
|
my $sv = $self->_sv; |
455
|
|
|
|
|
|
|
|
456
|
0
|
|
|
|
|
|
$sv->stop($vm_id); |
457
|
|
|
|
|
|
|
|
458
|
0
|
|
|
|
|
|
return $sv->snapshot_restore($self->vm_id, $self->vm_snapshot_name); |
459
|
|
|
|
|
|
|
} |
460
|
|
|
|
|
|
|
|
461
|
|
|
|
|
|
|
sub brik_fini { |
462
|
0
|
|
|
0
|
1
|
|
my $self = shift; |
463
|
|
|
|
|
|
|
|
464
|
|
|
|
|
|
|
# Do your fini here, return 0 on error. |
465
|
|
|
|
|
|
|
|
466
|
0
|
|
|
|
|
|
return $self->SUPER::brik_fini; |
467
|
|
|
|
|
|
|
} |
468
|
|
|
|
|
|
|
|
469
|
|
|
|
|
|
|
1; |
470
|
|
|
|
|
|
|
|
471
|
|
|
|
|
|
|
__END__ |