epcnt19/auto.py

## auto.py
#coding:utf-8
import re
import sys
import time
import argparse
import subprocess
import commands

dname_to_id = "xl domid %s"
get_pid = "vmi-process-list %s | grep %s"

download = "cmd.exe /c \\\"netsh interface ip set address name=\\\"Local Area Connection\\\" static 192.168.1.2 255.255.255.0 192.168.1.1 && netsh interface ip set dns name=\\\"Local Area Connection\\\" static 192.168.1.1 validate=no && ping -n 5 127.0.0.1 && powershell (new-object System.Net.WebClient).Downloadfile(\'http://192.168.1.1/calc.exe\', \'C:\\\\Users\\\\MrX\\\\Desktop\\\\example.exe\')\\\""

execute = "C:\\\Users\\\MrX\\\Desktop\\\example.exe"
injector = "injector %s %s %s \"%s\""
drakvuf = "drakvuf -r %s -d %s -i %s -e \"%s\" -T \"%s\""


def get_lines(cmd):
	proc = subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.STDOUT)
	while True:
		line = proc.stdout.readline()
		if line:
			yield line
		if not line and proc.poll() is not None:
			break


if __name__=='__main__':
	parser = argparse.ArgumentParser()
	parser.add_argument("--dname",help="set doman name")
	parser.add_argument("--pname",help="set process name")
	parser.add_argument("--rekall",help="set rekall profile path")
	parser.add_argument("--tcpip",help="set tcpip.json path")
	args = parser.parse_args()

	dname = args.dname
	pname = args.pname
	rekall = args.rekall
	tcpip = args.tcpip

	did = commands.getoutput(dname_to_id%dname)
	pname = commands.getoutput(get_pid%(dname,pname))
	p = r"\[.*\]"
	pr = re.search(p,pname)
	pid = str(int(pr.group().replace("[","").replace("]","")))

	injector = injector%(rekall,did,pid,download)

	print injector

	for line in get_lines(cmd=injector):
		print line

	time.sleep(10)

	drakvuf = drakvuf%(rekall,did,pid,execute,tcpip)
	print drakvuf

	for line in get_lines(cmd=drakvuf):
		print line
	#coding:utf-8
	import re
	import sys
	import time
	import argparse
	import subprocess
	import commands

	dname_to_id = "xl domid %s"
	get_pid = "vmi-process-list %s \| grep %s"

	download = "cmd.exe /c \\\"netsh interface ip set address name=\\\"Local Area Connection\\\" static 192.168.1.2 255.255.255.0 192.168.1.1 && netsh interface ip set dns name=\\\"Local Area Connection\\\" static 192.168.1.1 validate=no && ping -n 5 127.0.0.1 && powershell (new-object System.Net.WebClient).Downloadfile(\'http://192.168.1.1/calc.exe\', \'C:\\\\Users\\\\MrX\\\\Desktop\\\\example.exe\')\\\""

	execute = "C:\\\Users\\\MrX\\\Desktop\\\example.exe"
	injector = "injector %s %s %s \"%s\""
	drakvuf = "drakvuf -r %s -d %s -i %s -e \"%s\" -T \"%s\""


	def get_lines(cmd):
	proc = subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.STDOUT)
	while True:
	line = proc.stdout.readline()
	if line:
	yield line
	if not line and proc.poll() is not None:
	break


	if __name__=='__main__':
	parser = argparse.ArgumentParser()
	parser.add_argument("--dname",help="set doman name")
	parser.add_argument("--pname",help="set process name")
	parser.add_argument("--rekall",help="set rekall profile path")
	parser.add_argument("--tcpip",help="set tcpip.json path")
	args = parser.parse_args()

	dname = args.dname
	pname = args.pname
	rekall = args.rekall
	tcpip = args.tcpip

	did = commands.getoutput(dname_to_id%dname)
	pname = commands.getoutput(get_pid%(dname,pname))
	p = r"\[.*\]"
	pr = re.search(p,pname)
	pid = str(int(pr.group().replace("[","").replace("]","")))

	injector = injector%(rekall,did,pid,download)

	print injector

	for line in get_lines(cmd=injector):
	print line

	time.sleep(10)

	drakvuf = drakvuf%(rekall,did,pid,execute,tcpip)
	print drakvuf

	for line in get_lines(cmd=drakvuf):
	print line