drakvuf trace script
#coding:utf-8
import re
import sys
import time
import argparse
import subprocess
import commands  # Python 2 only (removed in Python 3); this script is Python 2 throughout

# Shell command templates, filled in with the "%" operator in __main__.
# All of them end up in a shell (commands.getoutput / Popen(shell=True)), so the
# values substituted in must be operator-supplied, never taken from the guest.

# Resolve a Xen domain name to its numeric domid.
dname_to_id = "xl domid %s"
# List the guest's processes with LibVMI and keep only the lines naming the
# wanted process; __main__ then pulls the pid out of the "[...]" field.
get_pid = "vmi-process-list %s | grep %s"
# Command line handed to injector to run inside the guest: gives the guest a
# static address/DNS on 192.168.1.0/24, pings to wait, then fetches calc.exe
# from 192.168.1.1 into C:\Users\MrX\Desktop\example.exe via WebClient.
# The \\\" sequences become \" in the Python string, which the outer shell
# turns back into literal quotes inside the double-quoted injector argument.
download = "cmd.exe /c \\\"netsh interface ip set address name=\\\"Local Area Connection\\\" static 192.168.1.2 255.255.255.0 192.168.1.1 && netsh interface ip set dns name=\\\"Local Area Connection\\\" static 192.168.1.1 validate=no && ping -n 5 127.0.0.1 && powershell (new-object System.Net.WebClient).Downloadfile(\'http://192.168.1.1/calc.exe\', \'C:\\\\Users\\\\MrX\\\\Desktop\\\\example.exe\')\\\""
# Guest-side path of the fetched sample, passed to drakvuf's -e option.
# NOTE: "\U" is not an escape in a Python 2 byte string, so this keeps two
# backslashes per separator; the shell's double quotes collapse them to one.
execute = "C:\\\Users\\\MrX\\\Desktop\\\example.exe"
# injector <rekall profile> <domid> <pid> "<command line>"
injector = "injector %s %s %s \"%s\""
# drakvuf -r <rekall profile> -d <domid> -i <pid> -e "<executable>" -T "<tcpip.json>"
drakvuf = "drakvuf -r %s -d %s -i %s -e \"%s\" -T \"%s\""
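def get_lines(cmd):
    """Run *cmd* through the shell and yield its output one line at a time.

    stderr is merged into stdout so the caller sees both streams in order.
    The command runs with shell=True because the templates in this file rely
    on shell features (the "| grep" pipe in get_pid), so *cmd* must be built
    only from operator-supplied values.

    Yields the raw lines (trailing newline included) as the child produces
    them.  The pipe is closed and the child reaped once it has finished, also
    when the consumer stops iterating early.
    """
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    try:
        # readline() returns an empty string only at EOF, so iterating to the
        # sentinel stops exactly when the child closes its output.  The
        # previous loop kept calling readline() in a tight loop between EOF
        # and the moment poll() reported the exit status.
        for line in iter(proc.stdout.readline, b""):
            yield line
    finally:
        proc.stdout.close()
        proc.wait()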
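if __name__ == '__main__':
    # Usage: --dname <domain> --pname <process> --rekall <profile> --tcpip <tcpip.json>
    # 1. resolve the domain's domid and the pid of --pname inside it,
    # 2. inject the `download` command line into that process,
    # 3. run drakvuf with -e <execute> and -T <tcpip> against the same domain/pid.
    parser = argparse.ArgumentParser()
    parser.add_argument("--dname", help="set doman name")
    parser.add_argument("--pname", help="set process name")
    parser.add_argument("--rekall", help="set rekall profile path")
    parser.add_argument("--tcpip", help="set tcpip.json path")
    args = parser.parse_args()
    dname = args.dname
    pname = args.pname
    rekall = args.rekall
    tcpip = args.tcpip

    # Every option is interpolated into a shell command line, so a missing one
    # would silently become the literal text "None"; fail early instead.
    missing = [opt for opt in ("dname", "pname", "rekall", "tcpip")
               if getattr(args, opt) is None]
    if missing:
        parser.error("missing option(s): " + ", ".join("--" + opt for opt in missing))

    # Resolve the Xen domain name to its domid; anything non-numeric is xl's
    # error text rather than an id.
    did = commands.getoutput(dname_to_id % dname).strip()
    if not did.isdigit():
        sys.exit("could not resolve domid for domain %r: %s" % (dname, did))

    # The grep'd vmi-process-list output is expected to carry the pid inside
    # square brackets; only the first bracketed field is used.
    pname = commands.getoutput(get_pid % (dname, pname))
    p = r"\[.*\]"
    pr = re.search(p, pname)
    if pr is None:
        # No bracketed pid: the process is not running in the guest or the
        # listing itself failed (its output is in pname).  Previously this
        # crashed with AttributeError on pr.group().
        sys.exit("process %r not found in domain %r: %s"
                 % (args.pname, dname, pname.strip()))
    pid = str(int(pr.group().replace("[", "").replace("]", "")))

    # Step 2: inject the downloader command line into the chosen process.
    # Bound to new names so the module-level templates stay intact.
    injector_cmd = injector % (rekall, did, pid, download)
    print injector_cmd
    for line in get_lines(cmd=injector_cmd):
        print line
    # Fixed pause before tracing — presumably to let the injected command
    # line finish fetching the sample; not tied to any completion signal.
    time.sleep(10)

    # Step 3: start drakvuf against the same domain and pid.
    drakvuf_cmd = drakvuf % (rekall, did, pid, execute, tcpip)
    print drakvuf_cmd
    for line in get_lines(cmd=drakvuf_cmd):
        print line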