Created
November 18, 2017 16:02
-
-
Save deeso/2ecd824313ab42bc8bfcfa451d330a91 to your computer and use it in GitHub Desktop.
Supporting code for some malware analysis
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # command for running socat on the remote system in a separate terminal or window | |
| # sudo socat -v openssl-listen:443,reuseaddr,cert=$HOME/socat_ssl_server/server.pem,verify=0,fork tcp4:127.0.0.1:6000 | |
| # code for capturing SSL stripped traffic | |
| import socket | |
| host = ('', 6000) | |
| s = socket.socket() | |
| s.bind(host) | |
| s.listen(100) | |
| def get_it(s): | |
| c,a = s.accept() | |
| return c, a, c.recv(2048) | |
| while True: | |
| print get_it(s) | |
| # code for dumping periodic snapshots | |
| import os, time | |
| sleep_time = 3.0 | |
| cnt = 0 | |
| def get_cmd_fmt(): | |
| fname = get_filename() | |
| return "virsh dump --live --bypass-cache --memory-only --domain win7-malware %s"%fname | |
| def get_filename(): | |
| global cnt | |
| cnt = cnt * 3 if cnt > 0 else 1 | |
| fname = "win7-snapshots-%03d.bin"%cnt | |
| return fname | |
| num_iters = 20 | |
| while num_iters > 0: | |
| x = get_cmd_fmt() | |
| print ("Executing: %s"%x) | |
| os.system(x) | |
| time.sleep(sleep_time) | |
| num_iters += -1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment