Shuhei Enomoto epcnt19

## msrmon
root@ubuntu:/usr/local/DRAKBUF/drakvuf# sudo find . \( -name "*.cpp" -o -name "*.h" -o -name "*.ac" -o -name "*.am" \) -print | xargs grep -i "msrmon"
./configure.ac:AC_ARG_ENABLE([plugin_msrmon],
./configure.ac:  [AS_HELP_STRING([--disable-plugin-msrmon],
./configure.ac:    [Enable the MSRMON example plugin @<:@yes@:>@])],
./configure.ac:  [plugin_msrmon="$enableval"],
./configure.ac:  [plugin_msrmon="yes"])
./configure.ac:AM_CONDITIONAL([PLUGIN_MSRMON], [test x$plugin_msrmon = xyes])
./configure.ac:if test x$plugin_msrmon = xyes; then
./configure.ac:  AC_DEFINE_UNQUOTED(ENABLE_PLUGIN_MSRMON, 1, "")
./configure.ac:MSRmon:   $plugin_msrmon

## result.log
DRAKVUF v0.5-a642efc
Socketmon plugin requires the Rekall profile for tcpip.sys!
poolmon,0,0xed1b85e0,notepad.exe,1,usbp,unknown_pool_type,140
poolmon,0,0xed1b85e0,notepad.exe,1,ExTm,unknown_pool_type,144
poolmon,0,0xed1b85e0,notepad.exe,1,IoUs,unknown_pool_type,16,nt!io,I/O SubSystem completion Context Allocation
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x2,,,OUT,PVOID,SystemInformation,0x3c7fc18,,,IN,ULONG,SystemInformationLength,0x158,,,OUT,PULONG,ReturnLength,0x0,,
filetracer,1,0xed1b81e0,svchost.exe,0,NtCreateFile,\??\PhysicalDrive0
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x3c7fa24,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3c7fa58,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3c7fa30,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x60,,

## auto.py
#coding:utf-8
import time
import argparse
import subprocess
import commands

ip_addr = "10.0.0.2"
netmask = "255.255.255.0"
gateway = "10.0.0.1"
dns_addr = "10.0.0.1"

## checkblocking.py
#coding:utf-8
import time
import socket
from stem import Signal
from stem.control import Controller

password= 'password'
domain = 'torproject.org'
domain_dic = {domain:['138.201.14.197','154.35.132.71']}
correct = 0

## test.py
import requests
import time
import json
from datetime import datetime

slacl_server_url = 'https://slack.com/api/'
camera_server_url = 'http://127.0.0.1:8080'
token = 'slack api token'


## test.txt
''''''',,,,,,,,,,,,,,:c:cccdc;;:lcl:;;;;;;;;;;:;;;;.       .c,oodll.  [37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m    ..''',,
[37m:[0m[37m;[0m',,;,,,,,,,''',,,,,,,,,,;::;:;::cc;;coxkO0KK00Oxd:...    .c,oodll.  [37m [0m                 ...''',,
[37mk[0mx[37mo[0m[37mo[0m[37md[0mdo[37mo[0m[37mo[0mc:[37mc[0m[37ml[0m..;l:::colll;;:::;;;:lxOKKKXXK[37mX[0mXXXNNNNNXXKOxc,;c;dddll.   ....................''',,
[37mk[0mxxxddxxxxxxxdxdddo[37ml[0m[37mc[0m[37ml[0moddo[37ml[0m[37mo[0m[37md[0m[37mx[0m[37mx[0m[37mk[0m[37mO[0m0KKXXXXXXX[37mX[0mX[37mX[0mNNNNNNNNNNNNXK0xkxdol. .............  ......'''',,
[37m,[0m;::;:ccdxxx[37mx[0mxdddddddxxxxxxxkO0KXXXXKKXXXXXXX[37mN[0mNNNNNNNNNNNNNXXK0kkdl.   ...........   .....'''',,
...... .[37ml[0m[37md[0m[37md[0m[37md[0m[37md[0m;'..',,,,:cokkdOKXXX[37mX[0mKKKK[37mX[0m[37mX[0mXXXXXXNNNNNNNNNNNN[37mN[0m[37mN[0mXX

## simple-pt_dmesg.txt
[ 2786.576349] start_pt_with_ioctl is called
[ 2786.576353] val    0
[ 2786.576354] oldval 0
[ 2786.576404] start_pt_with_ioctl is called
[ 2786.576406] start_pt_with_ioctl is called
[ 2786.576408] start_pt_with_ioctl is called
[ 2786.576410] start_pt_with_ioctl is called
[ 2786.576411] start_pt_with_ioctl is called
[ 2786.576412] start_pt_with_ioctl is called
[ 2786.576413] start_pt_with_ioctl is called

## sptdump_result.txt
root@ubuntu:# ../../simple-pt/sptdump
cpu   0 offset      0,     0 KB, writing to ptout.0
cpu   1 offset      0,     0 KB, writing to ptout.1
cpu   2 offset      0,     0 KB, writing to ptout.2
cpu   3 offset   1904,  2048 KB, writing to ptout.3
cpu   4 offset      0,     0 KB, writing to ptout.4
cpu   5 offset      0,     0 KB, writing to ptout.5
cpu   6 offset      0,     0 KB, writing to ptout.6
cpu   7 offset      0,     0 KB, writing to ptout.7
cpu   8 offset      0,     0 KB, writing to ptout.8

## auto.py
#coding:utf-8
import re
import sys
import time
import argparse
import subprocess
import commands

dname_to_id = "xl domid %s"
get_pid = "vmi-process-list %s | grep %s"

## node_drone.js
var RollingSpider = require('rolling-spider');
var temporal = require('temporal');
var keypress = require('keypress');
var record = require('node-record-lpcm16');
var Julius = require('julius-net');
var rollingSpider = new RollingSpider();

keypress(process.stdin);
process.stdin.setRawMode(true);
console.log("[drone event] connecting to rolling spider...");
	root@ubuntu:/usr/local/DRAKBUF/drakvuf# sudo find . \( -name ".cpp" -o -name ".h" -o -name ".ac" -o -name ".am" \) -print \| xargs grep -i "msrmon"
	./configure.ac:AC_ARG_ENABLE([plugin_msrmon],
	./configure.ac: [AS_HELP_STRING([--disable-plugin-msrmon],
	./configure.ac: [Enable the MSRMON example plugin @<:@yes@:>@])],
	./configure.ac: [plugin_msrmon="$enableval"],
	./configure.ac: [plugin_msrmon="yes"])
	./configure.ac:AM_CONDITIONAL([PLUGIN_MSRMON], [test x$plugin_msrmon = xyes])
	./configure.ac:if test x$plugin_msrmon = xyes; then
	./configure.ac: AC_DEFINE_UNQUOTED(ENABLE_PLUGIN_MSRMON, 1, "")
	./configure.ac:MSRmon: $plugin_msrmon
	DRAKVUF v0.5-a642efc
	Socketmon plugin requires the Rekall profile for tcpip.sys!
	poolmon,0,0xed1b85e0,notepad.exe,1,usbp,unknown_pool_type,140
	poolmon,0,0xed1b85e0,notepad.exe,1,ExTm,unknown_pool_type,144
	poolmon,0,0xed1b85e0,notepad.exe,1,IoUs,unknown_pool_type,16,nt!io,I/O SubSystem completion Context Allocation
	syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x2,,,OUT,PVOID,SystemInformation,0x3c7fc18,,,IN,ULONG,SystemInformationLength,0x158,,,OUT,PULONG,ReturnLength,0x0,,
	filetracer,1,0xed1b81e0,svchost.exe,0,NtCreateFile,\??\PhysicalDrive0
	syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x3c7fa24,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3c7fa58,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3c7fa30,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x60,,
	#coding:utf-8
	import time
	import argparse
	import subprocess
	import commands

	ip_addr = "10.0.0.2"
	netmask = "255.255.255.0"
	gateway = "10.0.0.1"
	dns_addr = "10.0.0.1"
	#coding:utf-8
	import time
	import socket
	from stem import Signal
	from stem.control import Controller

	password= 'password'
	domain = 'torproject.org'
	domain_dic = {domain:['138.201.14.197','154.35.132.71']}
	correct = 0
	import requests
	import time
	import json
	from datetime import datetime

	slacl_server_url = 'https://slack.com/api/'
	camera_server_url = 'http://127.0.0.1:8080'
	token = 'slack api token'
	''''''',,,,,,,,,,,,,,:c:cccdc;;:lcl:;;;;;;;;;;:;;;;. .c,oodll. [37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m[37m [0m ..''',,
	[37m:[0m[37m;[0m',,;,,,,,,,''',,,,,,,,,,;::;:;::cc;;coxkO0KK00Oxd:... .c,oodll. [37m [0m ...''',,
	[37mk[0mx[37mo[0m[37mo[0m[37md[0mdo[37mo[0m[37mo[0mc:[37mc[0m[37ml[0m..;l:::colll;;:::;;;:lxOKKKXXK[37mX[0mXXXNNNNNXXKOxc,;c;dddll. ....................''',,
	[37mk[0mxxxddxxxxxxxdxdddo[37ml[0m[37mc[0m[37ml[0moddo[37ml[0m[37mo[0m[37md[0m[37mx[0m[37mx[0m[37mk[0m[37mO[0m0KKXXXXXXX[37mX[0mX[37mX[0mNNNNNNNNNNNNXK0xkxdol. ............. ......'''',,
	[37m,[0m;::;:ccdxxx[37mx[0mxdddddddxxxxxxxkO0KXXXXKKXXXXXXX[37mN[0mNNNNNNNNNNNNNXXK0kkdl. ........... .....'''',,
	...... .[37ml[0m[37md[0m[37md[0m[37md[0m[37md[0m;'..',,,,:cokkdOKXXX[37mX[0mKKKK[37mX[0m[37mX[0mXXXXXXNNNNNNNNNNNN[37mN[0m[37mN[0mXX
	[ 2786.576349] start_pt_with_ioctl is called
	[ 2786.576353] val 0
	[ 2786.576354] oldval 0
	[ 2786.576404] start_pt_with_ioctl is called
	[ 2786.576406] start_pt_with_ioctl is called
	[ 2786.576408] start_pt_with_ioctl is called
	[ 2786.576410] start_pt_with_ioctl is called
	[ 2786.576411] start_pt_with_ioctl is called
	[ 2786.576412] start_pt_with_ioctl is called
	[ 2786.576413] start_pt_with_ioctl is called
	root@ubuntu:# ../../simple-pt/sptdump
	cpu 0 offset 0, 0 KB, writing to ptout.0
	cpu 1 offset 0, 0 KB, writing to ptout.1
	cpu 2 offset 0, 0 KB, writing to ptout.2
	cpu 3 offset 1904, 2048 KB, writing to ptout.3
	cpu 4 offset 0, 0 KB, writing to ptout.4
	cpu 5 offset 0, 0 KB, writing to ptout.5
	cpu 6 offset 0, 0 KB, writing to ptout.6
	cpu 7 offset 0, 0 KB, writing to ptout.7
	cpu 8 offset 0, 0 KB, writing to ptout.8
	#coding:utf-8
	import re
	import sys
	import time
	import argparse
	import subprocess
	import commands

	dname_to_id = "xl domid %s"
	get_pid = "vmi-process-list %s \| grep %s"
	var RollingSpider = require('rolling-spider');
	var temporal = require('temporal');
	var keypress = require('keypress');
	var record = require('node-record-lpcm16');
	var Julius = require('julius-net');
	var rollingSpider = new RollingSpider();

	keypress(process.stdin);
	process.stdin.setRawMode(true);
	console.log("[drone event] connecting to rolling spider...");