├── .gitignore
├── LICENSE
├── README.md
└── onigiri.py
/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | *.back
3 |
4 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 2, June 1991
3 |
4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
6 | Everyone is permitted to copy and distribute verbatim copies
7 | of this license document, but changing it is not allowed.
8 |
9 | Preamble
10 |
11 | The licenses for most software are designed to take away your
12 | freedom to share and change it. By contrast, the GNU General Public
13 | License is intended to guarantee your freedom to share and change free
14 | software--to make sure the software is free for all its users. This
15 | General Public License applies to most of the Free Software
16 | Foundation's software and to any other program whose authors commit to
17 | using it. (Some other Free Software Foundation software is covered by
18 | the GNU Lesser General Public License instead.) You can apply it to
19 | your programs, too.
20 |
21 | When we speak of free software, we are referring to freedom, not
22 | price. Our General Public Licenses are designed to make sure that you
23 | have the freedom to distribute copies of free software (and charge for
24 | this service if you wish), that you receive source code or can get it
25 | if you want it, that you can change the software or use pieces of it
26 | in new free programs; and that you know you can do these things.
27 |
28 | To protect your rights, we need to make restrictions that forbid
29 | anyone to deny you these rights or to ask you to surrender the rights.
30 | These restrictions translate to certain responsibilities for you if you
31 | distribute copies of the software, or if you modify it.
32 |
33 | For example, if you distribute copies of such a program, whether
34 | gratis or for a fee, you must give the recipients all the rights that
35 | you have. You must make sure that they, too, receive or can get the
36 | source code. And you must show them these terms so they know their
37 | rights.
38 |
39 | We protect your rights with two steps: (1) copyright the software, and
40 | (2) offer you this license which gives you legal permission to copy,
41 | distribute and/or modify the software.
42 |
43 | Also, for each author's protection and ours, we want to make certain
44 | that everyone understands that there is no warranty for this free
45 | software. If the software is modified by someone else and passed on, we
46 | want its recipients to know that what they have is not the original, so
47 | that any problems introduced by others will not reflect on the original
48 | authors' reputations.
49 |
50 | Finally, any free program is threatened constantly by software
51 | patents. We wish to avoid the danger that redistributors of a free
52 | program will individually obtain patent licenses, in effect making the
53 | program proprietary. To prevent this, we have made it clear that any
54 | patent must be licensed for everyone's free use or not licensed at all.
55 |
56 | The precise terms and conditions for copying, distribution and
57 | modification follow.
58 |
59 | GNU GENERAL PUBLIC LICENSE
60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
61 |
62 | 0. This License applies to any program or other work which contains
63 | a notice placed by the copyright holder saying it may be distributed
64 | under the terms of this General Public License. The "Program", below,
65 | refers to any such program or work, and a "work based on the Program"
66 | means either the Program or any derivative work under copyright law:
67 | that is to say, a work containing the Program or a portion of it,
68 | either verbatim or with modifications and/or translated into another
69 | language. (Hereinafter, translation is included without limitation in
70 | the term "modification".) Each licensee is addressed as "you".
71 |
72 | Activities other than copying, distribution and modification are not
73 | covered by this License; they are outside its scope. The act of
74 | running the Program is not restricted, and the output from the Program
75 | is covered only if its contents constitute a work based on the
76 | Program (independent of having been made by running the Program).
77 | Whether that is true depends on what the Program does.
78 |
79 | 1. You may copy and distribute verbatim copies of the Program's
80 | source code as you receive it, in any medium, provided that you
81 | conspicuously and appropriately publish on each copy an appropriate
82 | copyright notice and disclaimer of warranty; keep intact all the
83 | notices that refer to this License and to the absence of any warranty;
84 | and give any other recipients of the Program a copy of this License
85 | along with the Program.
86 |
87 | You may charge a fee for the physical act of transferring a copy, and
88 | you may at your option offer warranty protection in exchange for a fee.
89 |
90 | 2. You may modify your copy or copies of the Program or any portion
91 | of it, thus forming a work based on the Program, and copy and
92 | distribute such modifications or work under the terms of Section 1
93 | above, provided that you also meet all of these conditions:
94 |
95 | a) You must cause the modified files to carry prominent notices
96 | stating that you changed the files and the date of any change.
97 |
98 | b) You must cause any work that you distribute or publish, that in
99 | whole or in part contains or is derived from the Program or any
100 | part thereof, to be licensed as a whole at no charge to all third
101 | parties under the terms of this License.
102 |
103 | c) If the modified program normally reads commands interactively
104 | when run, you must cause it, when started running for such
105 | interactive use in the most ordinary way, to print or display an
106 | announcement including an appropriate copyright notice and a
107 | notice that there is no warranty (or else, saying that you provide
108 | a warranty) and that users may redistribute the program under
109 | these conditions, and telling the user how to view a copy of this
110 | License. (Exception: if the Program itself is interactive but
111 | does not normally print such an announcement, your work based on
112 | the Program is not required to print an announcement.)
113 |
114 | These requirements apply to the modified work as a whole. If
115 | identifiable sections of that work are not derived from the Program,
116 | and can be reasonably considered independent and separate works in
117 | themselves, then this License, and its terms, do not apply to those
118 | sections when you distribute them as separate works. But when you
119 | distribute the same sections as part of a whole which is a work based
120 | on the Program, the distribution of the whole must be on the terms of
121 | this License, whose permissions for other licensees extend to the
122 | entire whole, and thus to each and every part regardless of who wrote it.
123 |
124 | Thus, it is not the intent of this section to claim rights or contest
125 | your rights to work written entirely by you; rather, the intent is to
126 | exercise the right to control the distribution of derivative or
127 | collective works based on the Program.
128 |
129 | In addition, mere aggregation of another work not based on the Program
130 | with the Program (or with a work based on the Program) on a volume of
131 | a storage or distribution medium does not bring the other work under
132 | the scope of this License.
133 |
134 | 3. You may copy and distribute the Program (or a work based on it,
135 | under Section 2) in object code or executable form under the terms of
136 | Sections 1 and 2 above provided that you also do one of the following:
137 |
138 | a) Accompany it with the complete corresponding machine-readable
139 | source code, which must be distributed under the terms of Sections
140 | 1 and 2 above on a medium customarily used for software interchange; or,
141 |
142 | b) Accompany it with a written offer, valid for at least three
143 | years, to give any third party, for a charge no more than your
144 | cost of physically performing source distribution, a complete
145 | machine-readable copy of the corresponding source code, to be
146 | distributed under the terms of Sections 1 and 2 above on a medium
147 | customarily used for software interchange; or,
148 |
149 | c) Accompany it with the information you received as to the offer
150 | to distribute corresponding source code. (This alternative is
151 | allowed only for noncommercial distribution and only if you
152 | received the program in object code or executable form with such
153 | an offer, in accord with Subsection b above.)
154 |
155 | The source code for a work means the preferred form of the work for
156 | making modifications to it. For an executable work, complete source
157 | code means all the source code for all modules it contains, plus any
158 | associated interface definition files, plus the scripts used to
159 | control compilation and installation of the executable. However, as a
160 | special exception, the source code distributed need not include
161 | anything that is normally distributed (in either source or binary
162 | form) with the major components (compiler, kernel, and so on) of the
163 | operating system on which the executable runs, unless that component
164 | itself accompanies the executable.
165 |
166 | If distribution of executable or object code is made by offering
167 | access to copy from a designated place, then offering equivalent
168 | access to copy the source code from the same place counts as
169 | distribution of the source code, even though third parties are not
170 | compelled to copy the source along with the object code.
171 |
172 | 4. You may not copy, modify, sublicense, or distribute the Program
173 | except as expressly provided under this License. Any attempt
174 | otherwise to copy, modify, sublicense or distribute the Program is
175 | void, and will automatically terminate your rights under this License.
176 | However, parties who have received copies, or rights, from you under
177 | this License will not have their licenses terminated so long as such
178 | parties remain in full compliance.
179 |
180 | 5. You are not required to accept this License, since you have not
181 | signed it. However, nothing else grants you permission to modify or
182 | distribute the Program or its derivative works. These actions are
183 | prohibited by law if you do not accept this License. Therefore, by
184 | modifying or distributing the Program (or any work based on the
185 | Program), you indicate your acceptance of this License to do so, and
186 | all its terms and conditions for copying, distributing or modifying
187 | the Program or works based on it.
188 |
189 | 6. Each time you redistribute the Program (or any work based on the
190 | Program), the recipient automatically receives a license from the
191 | original licensor to copy, distribute or modify the Program subject to
192 | these terms and conditions. You may not impose any further
193 | restrictions on the recipients' exercise of the rights granted herein.
194 | You are not responsible for enforcing compliance by third parties to
195 | this License.
196 |
197 | 7. If, as a consequence of a court judgment or allegation of patent
198 | infringement or for any other reason (not limited to patent issues),
199 | conditions are imposed on you (whether by court order, agreement or
200 | otherwise) that contradict the conditions of this License, they do not
201 | excuse you from the conditions of this License. If you cannot
202 | distribute so as to satisfy simultaneously your obligations under this
203 | License and any other pertinent obligations, then as a consequence you
204 | may not distribute the Program at all. For example, if a patent
205 | license would not permit royalty-free redistribution of the Program by
206 | all those who receive copies directly or indirectly through you, then
207 | the only way you could satisfy both it and this License would be to
208 | refrain entirely from distribution of the Program.
209 |
210 | If any portion of this section is held invalid or unenforceable under
211 | any particular circumstance, the balance of the section is intended to
212 | apply and the section as a whole is intended to apply in other
213 | circumstances.
214 |
215 | It is not the purpose of this section to induce you to infringe any
216 | patents or other property right claims or to contest validity of any
217 | such claims; this section has the sole purpose of protecting the
218 | integrity of the free software distribution system, which is
219 | implemented by public license practices. Many people have made
220 | generous contributions to the wide range of software distributed
221 | through that system in reliance on consistent application of that
222 | system; it is up to the author/donor to decide if he or she is willing
223 | to distribute software through any other system and a licensee cannot
224 | impose that choice.
225 |
226 | This section is intended to make thoroughly clear what is believed to
227 | be a consequence of the rest of this License.
228 |
229 | 8. If the distribution and/or use of the Program is restricted in
230 | certain countries either by patents or by copyrighted interfaces, the
231 | original copyright holder who places the Program under this License
232 | may add an explicit geographical distribution limitation excluding
233 | those countries, so that distribution is permitted only in or among
234 | countries not thus excluded. In such case, this License incorporates
235 | the limitation as if written in the body of this License.
236 |
237 | 9. The Free Software Foundation may publish revised and/or new versions
238 | of the General Public License from time to time. Such new versions will
239 | be similar in spirit to the present version, but may differ in detail to
240 | address new problems or concerns.
241 |
242 | Each version is given a distinguishing version number. If the Program
243 | specifies a version number of this License which applies to it and "any
244 | later version", you have the option of following the terms and conditions
245 | either of that version or of any later version published by the Free
246 | Software Foundation. If the Program does not specify a version number of
247 | this License, you may choose any version ever published by the Free Software
248 | Foundation.
249 |
250 | 10. If you wish to incorporate parts of the Program into other free
251 | programs whose distribution conditions are different, write to the author
252 | to ask for permission. For software which is copyrighted by the Free
253 | Software Foundation, write to the Free Software Foundation; we sometimes
254 | make exceptions for this. Our decision will be guided by the two goals
255 | of preserving the free status of all derivatives of our free software and
256 | of promoting the sharing and reuse of software generally.
257 |
258 | NO WARRANTY
259 |
260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
268 | REPAIR OR CORRECTION.
269 |
270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
278 | POSSIBILITY OF SUCH DAMAGES.
279 |
280 | END OF TERMS AND CONDITIONS
281 |
282 | How to Apply These Terms to Your New Programs
283 |
284 | If you develop a new program, and you want it to be of the greatest
285 | possible use to the public, the best way to achieve this is to make it
286 | free software which everyone can redistribute and change under these terms.
287 |
288 | To do so, attach the following notices to the program. It is safest
289 | to attach them to the start of each source file to most effectively
290 | convey the exclusion of warranty; and each file should have at least
291 | the "copyright" line and a pointer to where the full notice is found.
292 |
293 | {description}
294 | Copyright (C) {year} {fullname}
295 |
296 | This program is free software; you can redistribute it and/or modify
297 | it under the terms of the GNU General Public License as published by
298 | the Free Software Foundation; either version 2 of the License, or
299 | (at your option) any later version.
300 |
301 | This program is distributed in the hope that it will be useful,
302 | but WITHOUT ANY WARRANTY; without even the implied warranty of
303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
304 | GNU General Public License for more details.
305 |
306 | You should have received a copy of the GNU General Public License along
307 | with this program; if not, write to the Free Software Foundation, Inc.,
308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
309 |
310 | Also add information on how to contact you by electronic and paper mail.
311 |
312 | If the program is interactive, make it output a short notice like this
313 | when it starts in an interactive mode:
314 |
315 | Gnomovision version 69, Copyright (C) year name of author
316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
317 | This is free software, and you are welcome to redistribute it
318 | under certain conditions; type `show c' for details.
319 |
320 | The hypothetical commands `show w' and `show c' should show the appropriate
321 | parts of the General Public License. Of course, the commands you use may
322 | be called something other than `show w' and `show c'; they could even be
323 | mouse-clicks or menu items--whatever suits your program.
324 |
325 | You should also get your employer (if you work as a programmer) or your
326 | school, if any, to sign a "copyright disclaimer" for the program, if
327 | necessary. Here is a sample; alter the names:
328 |
329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program
330 | `Gnomovision' (which makes passes at compilers) written by James Hacker.
331 |
332 | {signature of Ty Coon}, 1 April 1989
333 | Ty Coon, President of Vice
334 |
335 | This General Public License does not permit incorporating your program into
336 | proprietary programs. If your program is a subroutine library, you may
337 | consider it more useful to permit linking proprietary applications with the
338 | library. If this is what you want to do, use the GNU Lesser General
339 | Public License instead of this License.
340 |
341 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # onigiri
2 | onigiri - remote malware triage script
3 |
4 | Check [my blog](http://takahiroharuyama.github.io/blog/2015/07/03/remote-malware-triage-automation/) about the purpose.
5 |
6 | ## Preparation
7 |
8 | #### Install Python
9 | * You need both of Python x86 (for volatility) / x64 (for F-Response COM DLLs) if installed F-Response binaries are 64-bit
10 | * Set the x86 python path to *g_x86_python_path* or specify -p option
11 |
12 | #### Install the following Python packages
13 | * [Win32 Extensions (win32com)](http://starship.python.net/~skippy/win32/Downloads.html)
14 | * [Requests](http://docs.python-requests.org/en/latest/)
15 | * [python-registry](https://github.com/williballenthin/python-registry)
16 | * [colorama](https://pypi.python.org/pypi/colorama)
17 |
18 | #### Install Volatility Framework and openioc_scan
19 | * [Volatility Installation](https://github.com/volatilityfoundation/volatility/wiki/Installation)
20 | * Set the vol.py/plugins paths to *g_vol_path* and *g_vol_plugins_path* or specify -o and -l options
21 | * [openioc_scan](http://takahiroharuyama.github.io/blog/2014/08/15/fast-malware-triage-using-openioc-scan-volatility-plugin/)
22 |
23 | #### Download FTK Imager CLI version
24 | * [FTK Imager CLI version](http://accessdata.com/product-download)
25 | * Set the path to *g_ftk_path* or specify -t option
26 |
27 | #### Open TCP ports
28 | * examiner: tcp/5681
29 | * victim: tcp/3260-3261 (Consultant), tcp/445 (Consultant+Covert, Enterprise)
30 |
31 | #### Configure F-Response
32 | * Set examinerIP/username/password for iSCSI authentication and enable PhysicalMemory/FlexdiskAPI
33 | * Save fresponse.ini on F-Response Consultant Connector (consultant and Consultant+Covert only)
34 |
35 | ## Usage
36 |
37 | 1. Run F-Response License Manager Monitor on the examiner machine then start it
38 | * Run R-Response agent program on the victim machine then start it using GUI tools (consultant and Consultant+Covert only)
39 | * Run this script and check the result
40 | * Type -h for help
41 | * Specify the folder path including fresponse.ini (consultant and Consultant+Covert only). fresponse.ini should be generated on Consultant Connector, not Enterprise Management Console
42 | * Specify credentials of domain admin or local built-in Administrator account (Enterprise only)
43 |
44 | ## Trouble Shooting
45 |
46 | #### COM Errors
47 |
48 | If any errors about win32com, try following:
49 |
50 | * Check the COM DLL (e.g., FCCCTRLx64.dll, FEMCCTRLx64.dll) architecture. You need x64 python and win32com for x64 DLL.
51 | * Check the COM API CLSIDs in registry (e.g., search FCCCTRL or FEMCCTRL). If not found, register COM Dlls using regsvr32 command. You need x86 regsvr32 (under C:\Windows\SysWOW64) if your COM DLL is 32-bit version.
52 |
53 |
54 | regsvr32 "C:\Program Files\F-Response\FEMCCTRLx64.dll"
55 |
56 | #### Memory Acquisition Failure of Win8.1 x64 machines
57 |
58 | I checked physical memory acquisition through F-Response didn't work on some conditions:
59 | - The target OS is Win8.1 x64
60 | - The RAM size is big (e.g., 8GB or 16GB)
61 |
62 | Specifically, process data structures (\_EPROCESS) become null. I sent the report to F-Response and I'm waiting for the reply.
63 |
64 | If you have [DumpIt commercial version](http://www.moonsols.com/windows-memory-toolkit/), you can use it combined with [PsExec](https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) for secure memory acquisition (specify -a option and more).
65 |
66 | #### Exception when getting "Targets"
67 |
68 | Unless you start GUI application (Consultant Connector or Enterprise Management Console), you may encounter the following exception.
69 |
70 | Traceback (most recent call last):
71 | File "onigiri.py", line 476, in
72 | main()
73 | File "onigiri.py", line 463, in main
74 | fres.acquire(args.ram, file_cats, args.scan, args.alternative)
75 | File "onigiri.py", line 260, in acquire
76 | self.acquire_ram(computer, alternative)
77 | File "onigiri.py", line 53, in acquire_ram
78 | targets = victim.Targets
79 | File "C:\Python27_x64\lib\site-packages\win32com\client\dynamic.py", line 511, in __getattr__
80 | ret = self._oleobj_.Invoke(retEntry.dispid,0,invoke_type,1)
81 | pywintypes.com_error: (-2147352567, 'Exception occurred.', (0, u'FEMCCTRL.Machine.1', u'iSCSI failed with a non-standard error, please contact support and provide the HRESULT code indicated.', None, 0, -268500930), None)
82 |
83 | Please run GUI app before using onigiri.
84 |
85 | ## What's "Onigiri"?
86 |
87 | [Onigiri](https://en.wikipedia.org/wiki/Onigiri) is a Japanese soul food, made with plain rice, wrapped in nori (seaweed), sometimes filled with pickled ume (umeboshi), kombu, tarako, or any other salty or sour ingredient as a natural preservative. Onigiri makes rice portable and easy to eat as well as preserving it. I named this tool after its convenience, inspired by [Noriben](https://github.com/Rurik/Noriben).
88 |
89 | ## License
90 | GNU GPLv2
91 |
--------------------------------------------------------------------------------
/onigiri.py:
--------------------------------------------------------------------------------
1 | # onigiri.py - remote malware triage script using F-Response and openioc_scan
2 | # Copyright (c) 2015 Takahiro Haruyama (@cci_forensics)
3 | # http://takahiroharuyama.github.io/
4 |
5 | g_x86_python_path = r"C:\Python27x86\python.exe"
6 | g_ftk_path = r"D:\Tools\ftkimager\ftkimager.exe"
7 | g_vol_path = r"D:\Tools\volatility\vol.py"
8 | g_vol_plugins_path = r"" # set empty if not needed
9 | g_dumpit_path = r"D:\Tools\MWMT-v2.1-RTM\DumpIt.exe"
10 | g_psexec_path = r"D:\Tools\SysinternalsSuite\PsExec.exe"
11 |
12 | from datetime import datetime
13 | from glob import glob
14 | from time import sleep
15 | from datetime import datetime
16 | import argparse, os, sys, re, subprocess, logging, hashlib, socket, io, mmap
17 |
18 | import win32com.client, requests
19 | from Registry import Registry
20 | import colorama
21 | colorama.init()
22 | from ctypes import *
23 | nt = windll.ntdll
24 |
25 | g_color_term = colorama.Fore.MAGENTA
26 | g_color_detail = colorama.Fore.CYAN
27 |
28 | requests.packages.urllib3.disable_warnings() # for FlexDisk self-signed certificates
29 | IO_BLOCKSIZE = 1024 * 1024 * 100
30 | g_profiles = {
31 | 6000:{'Windows Vista':'VistaSP0'},
32 | 6001:{'Windows Vista':'VistaSP1', 'Windows Server 2008':'Win2008SP1'},
33 | 6002:{'Windows Vista':'VistaSP2', 'Windows Server 2008':'Win2008SP2'},
34 | 7600:{'Client':'Win7SP0', 'Server':'Win2008R2SP0'},
35 | 7601:{'Client':'Win7SP1', 'Server':'Win2008R2SP1'},
36 | 9200:{'Client':'Win8SP0', 'Server':'Win2012'},
37 | 9600:{'Client':'Win8SP1', 'Server':'Win2012R2'}
38 | }
39 | g_all_cats = ['sysreg', 'userreg', 'mft', 'prefetch', 'evtx', 'amcache', 'journal']
40 |
41 | ''' for Python 2.7.10 or later?
42 | from requests.adapters import HTTPAdapter
43 | from requests.packages.urllib3.poolmanager import PoolManager
44 | import ssl
45 | class MyAdapter(HTTPAdapter):
46 | def init_poolmanager(self, connections, maxsize):
47 | self.poolmanager = PoolManager(num_pools=connections,
48 | maxsize=maxsize,
49 | block=block,
50 | ssl_version=ssl.PROTOCOL_TLSv1)
51 |
52 | s = requests.Session()
53 | s.mount('https://', MyAdapter())
54 | #results = s.get(url)
55 | '''
56 |
57 | class FRESbase(object):
58 | def __init__ (self, f, verbose, out_path, skip, ftk_path, psexec_path, dumpit_path, domain, user, password):
59 | self.logger = logging.getLogger(type(self).__name__)
60 | set_logger(self.logger, verbose, out_path, '%(name)s:%(levelname)s: %(message)s')
61 | self.f = f
62 | self.out_path = out_path
63 | self.skip = skip
64 | self.ftk_path = ftk_path
65 | self.psexec_path = psexec_path
66 | self.dumpit_path = dumpit_path
67 | self.domain = domain
68 | self.user = user
69 | self.password = password
70 |
71 | def acquire_ram(self, victim, alternative):
72 | targets = victim.Targets
73 | pm = re.compile(r'.*:pmem$')
74 | self.logger.debug('Issue Discovery Request...')
75 | for target in targets:
76 | if pm.search(target.TargetName):
77 | self.logger.info('Physical Memory found: {0} (DiskType={1})'.format(target.TargetName, target.DiskType))
78 |
79 | dest_path = self.out_path + "\\" + victim.MachineNameOrIP
80 | img_path = dest_path + "\\pmem"
81 | if self.skip and (os.path.exists(img_path + '.dd4.001') or os.path.exists(img_path + '.dmp')):
82 | self.logger.info('the RAM image already exists, so skip the acquisition ({0})'.format(img_path))
83 | continue
84 | if not os.path.exists(dest_path):
85 | os.mkdir(dest_path)
86 |
87 | if alternative:
88 | self.logger.info('acquiring mapped physical memory using PsExec&DumpIt...')
89 | #cmd_listen = [self.dumpit_path, '/l', '/f', img_path + '.dmp.lznt1']
90 | cmd_listen = [self.dumpit_path, '/l', '/f', img_path + '.dmp']
91 | self.logger.debug('DumpIt Listener cmdline: {}'.format(' '.join(cmd_listen)))
92 | proc_listen = subprocess.Popen(cmd_listen, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
93 | for i in range(3):
94 | self.logger.info('trying... {0}'.format(i+1))
95 | dest_host = socket.gethostbyname(socket.gethostname())
96 | cmd_psexec = [self.psexec_path, r'\\' + victim.MachineNameOrIP, '-accepteula', '-c', '-f', '-u', self.domain + '\\' + self.user,
97 | #'-p', self.password, '-r', 'onigiri', self.dumpit_path, '/t', dest_host, '/a', '/d', '/lznt1'] # /lznt1 through network NOT work
98 | '-p', self.password, '-r', 'onigiri', self.dumpit_path, '/t', dest_host, '/a', '/d']
99 | self.logger.debug('PsExec cmdline: {}'.format(' '.join(cmd_psexec)))
100 | proc_psexec = subprocess.Popen(cmd_psexec, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
101 |
102 | #stdout_data, stderr_data = proc_psexec.communicate()
103 | ''' # for Python 3.3
104 | while 1:
105 | try:
106 | outs, errs = proc_psexec.communicate(timeout=5)
107 | break
108 | except subprocess.TimeoutExpired:
109 | size = os.path.getsize(img_path + '.dmp')
110 | sys.stdout.write('\r...{:8d}MB'.format(long(size / (1024 * 1024))))
111 | continue
112 | '''
113 | sleep(2)
114 | while proc_psexec.poll() is None:
115 | sleep(0.1)
116 | #size = os.path.getsize(img_path + '.dmp.lznt1')
117 | try:
118 | size = os.path.getsize(img_path + '.dmp')
119 | sys.stdout.write('\r...{:8d}MB'.format(long(size / (1024 * 1024))))
120 | except WindowsError:
121 | self.logger.debug('WindowsError: os.path.getsize for {}'.format(img_path + '.dmp'))
122 | sleep(1)
123 |
124 | print '\r\t\t ...Done.'
125 |
126 | if proc_psexec.returncode == 0:
127 | break
128 | else:
129 | self.logger.error(stderr_data)
130 | self.logger.error('PsExec&DumpIt failed.')
131 | self.logger.debug('PsExec returncode={0}'.format(proc_psexec.returncode))
132 | if proc_psexec.returncode != 0:
133 | proc_listen.terminate()
134 | self.logger.critical('RAM acquisition failed (PsExec&DumpIt).')
135 | self.logger.error("check with the cmdline: {0}".format(' '.join(cmd_psexec)))
136 | sys.exit(1)
137 | else:
138 | stdout_data, stderr_data = proc_listen.communicate()
139 | self.logger.debug('DumpIt Listener returncode={0}'.format(proc_listen.returncode))
140 | if proc_listen.returncode != 0:
141 | self.logger.error(stderr_data)
142 | self.logger.critical('RAM acquisition failed (DumpIt Listener).')
143 | self.logger.error("check with the cmdline: {0}".format(' '.join(cmd_listen)))
144 | sys.exit(1)
145 | #self.logger.info('RAM crashdump image saved (lznt1 compressed): {0}'.format(img_path + '.dmp.lznt1'))
146 | self.logger.info('RAM crashdump image saved: {0}'.format(img_path + '.dmp'))
147 |
148 | '''
149 | self.logger.info('decompressing...')
150 | cmd_decomp = [self.dumpit_path, '/unpack', img_path + '.dmp.lznt1', img_path + '.dmp']
151 | self.logger.debug('DumpIt unpack cmdline: {}'.format(' '.join(cmd_decomp)))
152 | proc_decomp = subprocess.Popen(cmd_decomp, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
153 | stdout_data, stderr_data = proc_decomp.communicate()
154 | if proc_decomp.returncode != 0:
155 | self.logger.critical('DumpIt decompression failed.')
156 | self.logger.error("check with the cmdline: {0}".format(' '.join(cmd_decomp)))
157 | sys.exit(1)
158 | self.logger.info('Decompressed RAM crashdump image saved: {0}'.format(img_path + '.dmp'))
159 | '''
160 |
161 | else:
162 | try:
163 | self.logger.debug('Login to F-Response Disk...')
164 | target.Login()
165 | except win32com.client.pywintypes.com_error:
166 | self.logger.critical('Login to F-Response Disk failed. Aborted in the previous acquisition? Please check the status on GUI console and logout the pmem manually.')
167 | sys.exit(1)
168 | #login_check = target.PhysicalDiskMapping
169 | #device = target.PhysicalDiskName
170 | if target.PhysicalDiskMapping == -1:
171 | self.logger.critical('PhysicalDiskMapping failed due to timing issue. Simply try again.')
172 | sys.exit(1)
173 | device = r'\\.\PhysicalDrive' + str(target.PhysicalDiskMapping)
174 | self.logger.info('acquiring mapped physical memory using F-Response&FTKImager ({0})...'.format(device))
175 | cmd = [self.ftk_path, device, dest_path + "\\pmem"]
176 |
177 | self.logger.debug('FTKImager cmdline: {}'.format(' '.join(cmd)))
178 | proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, bufsize=-1)
179 | with io.open(proc.stderr.fileno(), closefd=False) as stream: # iter(proc.stdout.readline) doesn't work for '\r'?
180 | for line in stream:
181 | if line.find('MB') != -1 or line.find('complete') != -1:
182 | sys.stdout.write('\r' + line.rstrip('\n'))
183 | print ''
184 | proc.wait()
185 | self.logger.debug('Remove F-Response Disk...')
186 | target.Logout()
187 | self.logger.debug('returncode={0}'.format(proc.returncode))
188 | if proc.returncode != 0:
189 | self.logger.critical('RAM acquisition failed (F-Response&FTKImager).')
190 | self.logger.error("check with the cmdline: {0}".format(' '.join(cmd)))
191 | sys.exit(1)
192 | self.logger.info('RAM raw image saved: {0}'.format(img_path + '.dd4.001'))
193 |
194 | def get_file_uri(self, uri, path, expanded_path):
195 | entry = path.split('\\')[0].lower()
196 | leftover = '\\'.join(path.split('\\')[1:])
197 | node = entry if entry != '*' else ''
198 |
199 | self.logger.debug('traversing URI: {0}'.format(uri))
200 | response = requests.get(uri, auth=(self.iscsi_user, self.iscsi_pwd), verify=False)
201 | results = response.json()['response']['contents']
202 |
203 | for res in results:
204 | if (res['name'].lower() == entry or entry == '*') and res['type'] == 'file' and res['state'] != 'realloc' and leftover == '':
205 | #self.logger.debug('file URI found: {0}'.format(res['uri']))
206 | yield res['uri'], expanded_path + res['name'], long(res['size'])
207 | elif (res['name'].lower() == entry or (entry == '*' and (res['name'] not in ('..', '..-$TXF_DATA')))) and \
208 | res['type'] == 'dir' and res['state'] != 'realloc' and leftover != '' and res['uri'].find('enc=json') != -1:
209 | for child_uri, child_expanded_path, child_size in self.get_file_uri(res['uri'], leftover, expanded_path + res['name'] + '\\'):
210 | #self.logger.debug('walking dir URI: {0}'.format(child_uri))
211 | yield child_uri, child_expanded_path, child_size
212 |
213 | def acquire_file(self, ip, vol_name, vol_uri, path):
214 | for uri, expanded_path, size in self.get_file_uri(vol_uri, path, ''):
215 | self.logger.info('acquiring file: {}'.format(expanded_path))
216 | self.logger.debug('uri="{0}", size={1}'.format(uri, size))
217 |
218 | dest_path = self.out_path + "\\" + ip + "\\" + vol_name + "\\" + expanded_path
219 | if self.skip and os.path.exists(dest_path):
220 | self.logger.info('the file already exists, so skip the acquisition ({0})'.format(dest_path))
221 | continue
222 | dest_folder = os.path.dirname(dest_path)
223 | if not os.path.exists(dest_folder):
224 | os.makedirs(dest_folder)
225 |
226 | response = requests.get(uri, auth=(self.iscsi_user, self.iscsi_pwd), verify=False, stream=True)
227 | with open(dest_path, 'wb') as f:
228 | progress_size = 0
229 | for chunk in response.iter_content(chunk_size=IO_BLOCKSIZE):
230 | if chunk: # filter out keep-alive new chunks
231 | f.write(chunk)
232 | progress_size += len(chunk)
233 | if size == 0: # e.g., $J
234 | sys.stdout.write("\r...{} bytes (cannot get size info, chunk size = {})".format(progress_size, len(chunk)))
235 | else:
236 | percent = int(progress_size * 100 / size)
237 | sys.stdout.write("\r...{}%, {} bytes (chunk size = {})".format(percent, progress_size, len(chunk)))
238 | f.flush()
239 |
240 | print ''
241 | self.logger.info('file saved: {0}'.format(dest_path))
242 |
243 |
244 | def get_tgt(self, uri):
245 | response = requests.get(uri, auth=(self.iscsi_user, self.iscsi_pwd), verify=False)
246 | tgts = response.json()['response']['contents']
247 | for tgt in tgts:
248 | yield tgt['name'], tgt['uri']
249 |
250 | def acquire_category_files(self, victim, file_cats, scan):
251 | ip = victim.MachineNameOrIP
252 | for tgt_name, tgt_uri in self.get_tgt('https://{0}:3261/flexd?enc=json'.format(ip)):
253 | self.logger.debug('volume target={0}'.format(tgt_name))
254 | for cat in file_cats:
255 | if cat == 'sysreg':
256 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\System32\config\SOFTWARE")
257 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\System32\config\SYSTEM")
258 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\System32\config\SAM")
259 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\System32\config\SECURITY")
260 | elif cat == 'userreg':
261 | self.acquire_file(ip, tgt_name, tgt_uri, r"Users\*\NTUSER.DAT")
262 | self.acquire_file(ip, tgt_name, tgt_uri, r"Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat")
263 | elif cat == 'mft':
264 | self.acquire_file(ip, tgt_name, tgt_uri, r"$MFT")
265 | elif cat == 'prefetch':
266 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\Prefetch\*")
267 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\Prefetch\ReadyBoot\*")
268 | elif cat == 'evtx':
269 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\System32\winevt\Logs\Security.evtx")
270 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\System32\winevt\Logs\System.evtx")
271 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\System32\winevt\Logs\Application.evtx")
272 | # RDP logs
273 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx")
274 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx")
275 | # scheduled tasks
276 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx")
277 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\Tasks\SCHEDLGU.TXT")
278 | elif cat == 'amcache':
279 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\AppCompat\Programs\Amcache.hve")
280 | elif cat == 'journal':
281 | self.acquire_file(ip, tgt_name, tgt_uri, r"$LogFile")
282 | self.acquire_file(ip, tgt_name, tgt_uri, r"$Extend\$UsnJrnl") # $J
283 | if 'sysreg' not in file_cats and scan:
284 | # volatility needs the profile from sysreg
285 | self.acquire_file(ip, tgt_name, tgt_uri, r"Windows\System32\config\SOFTWARE")
286 |
287 | class FREScc(FRESbase):
288 | def __init__ (self, f, verbose, out_path, skip, ftk_path, psexec_path, dumpit_path, domain, user, password, conf_path):
289 | super(FREScc, self).__init__(f, verbose, out_path, skip, ftk_path, psexec_path, dumpit_path, domain, user, password)
290 | self.f.FCCConfigureFileLocation = conf_path
291 | self.f.LoadConfig()
292 | self.iscsi_user = self.f.FRESUsername
293 | self.iscsi_pwd = self.f.FRESPassword
294 |
295 | def acquire(self, ram, file_cats, scan, alternative):
296 | activeclients = self.f.ActiveClients
297 | self.logger.debug('Discover F-Response Disks...')
298 | done = []
299 | for ac in activeclients:
300 | if ac.MachineNameOrIP not in done:
301 | self.logger.info('ActiveClient found: {0} (Platform={1})'.format(ac.MachineNameOrIP, ac.Platform))
302 | if ram or scan:
303 | self.logger.info('Starting RAM Acquisition')
304 | self.acquire_ram(ac, alternative)
305 | if len(file_cats) != 0 or scan:
306 | self.logger.info('Starting File Acquisition')
307 | self.acquire_category_files(ac, file_cats, scan)
308 | done.append(ac.MachineNameOrIP)
309 | self.logger.debug('done: {0}'.format(done))
310 |
311 | class FRESemc(FRESbase):
312 | def __init__ (self, f, verbose, out_path, skip, ftk_path, psexec_path, dumpit_path, domain, user, password, machine_list):
313 | super(FRESemc, self).__init__(f, verbose, out_path, skip, ftk_path, psexec_path, dumpit_path, domain, user, password)
314 | self.creds = self.f.Credentials
315 | self.creds.add(user, domain, password)
316 | self.logger.debug('credential added: user={0}, domain={1}, password={2}'.format(user, domain, password))
317 | self.computers = self.f.Machines
318 | for machine in machine_list:
319 | self.computers.add(machine)
320 | self.logger.debug('machine(s) added: {0}'.format(machine_list))
321 | self.iscsi_user = self.f.FRESUsername
322 | self.iscsi_pwd = self.f.FRESPassword
323 |
324 | def acquire(self, ram, file_cats, scan, alternative):
325 | done = []
326 | for computer in self.computers:
327 | if computer.MachineNameOrIP not in done:
328 | if computer.Status != 3:
329 | self.logger.info('Directly-deploying agent into the victim machine: {0} (Status={1})...'.format(computer.MachineNameOrIP, computer.Status))
330 | if computer.Status == 0:
331 | self.logger.critical('Invalid IP or Windows admin auth failed. Please check the account username/password.')
332 | sys.exit(1)
333 | if computer.Status == 1:
334 | self.logger.debug('installing F-Response...')
335 | computer.InstallFResponse()
336 | #self.logger.debug('waiting for the installation (sleep 10sec)...')
337 | #sleep(10)
338 | if computer.Status == 2:
339 | self.logger.debug('starting F-Response...')
340 | computer.StartFResponse()
341 | #self.logger.debug('waiting for the start (sleep 5sec)...')
342 | sleep(5)
343 |
344 | self.logger.info('Agent ready: {0} (Platform={1}, Status={2})'.format(computer.MachineNameOrIP, computer.Platform, computer.Status))
345 | if ram or scan:
346 | self.logger.info('Starting RAM Acquisition')
347 | self.acquire_ram(computer, alternative)
348 | if len(file_cats) != 0 or scan:
349 | self.logger.info('Starting File Acquisition')
350 | self.acquire_category_files(computer, file_cats, scan)
351 |
352 | self.logger.info('stopping/uninstalling agent...')
353 | computer.StopFResponse()
354 | computer.UnInstallFResponse()
355 |
356 | done.append(computer.MachineNameOrIP)
357 | self.logger.debug('done: {0}'.format(done))
358 |
359 | def uninstall(self):
360 | done = []
361 | for computer in self.computers:
362 | if computer.MachineNameOrIP not in done:
363 | if computer.Status == 0:
364 | self.logger.critical('Invalid IP or Windows admin auth failed. Please check the account username/password.')
365 | sys.exit(1)
366 | if computer.Status == 1:
367 | self.logger.critical('agent not installed')
368 | sys.exit(1)
369 | if computer.Status == 3:
370 | self.logger.debug('stopping F-Response...')
371 | computer.StopFResponse()
372 | if computer.Status == 2:
373 | self.logger.debug('uninstalling F-Response...')
374 | computer.UnInstallFResponse()
375 | self.logger.info('agent uninstalled successfully')
376 | done.append(computer.MachineNameOrIP)
377 | self.logger.debug('done: {0}'.format(done))
378 |
379 | def set_logger(logger, verbose, out_path, fmt):
380 | handler = logging.StreamHandler()
381 | file_handler = logging.FileHandler(out_path + '\\output.log', 'a+')
382 | logger.addHandler(handler)
383 | logger.addHandler(file_handler)
384 |
385 | fmt = "%(asctime)s " + fmt
386 | formatter = logging.Formatter(fmt)
387 | #formatter = logging.Formatter('%(name)s:%(levelname)s: %(message)s')
388 | handler.formatter = formatter
389 | file_handler.formatter = formatter
390 |
391 | logger.setLevel(logging.INFO)
392 | handler.setLevel(logging.INFO)
393 | file_handler.setLevel(logging.INFO)
394 | if verbose:
395 | logger.setLevel(logging.DEBUG)
396 | handler.setLevel(logging.DEBUG)
397 | file_handler.setLevel(logging.DEBUG)
398 |
399 | def calculate_hashes(out_path, verbose):
400 | logger = logging.getLogger('calculate_hashes')
401 | set_logger(logger, verbose, out_path, '%(message)s')
402 |
403 | with open(out_path + '\\sha1_hashes.txt', 'w') as lf:
404 | t = datetime.now().strftime('%Y/%m/%d %H:%M:%S')
405 | lf.write('Acquisition Time: {0}\n\n'.format(t))
406 | lf.write('SHA1{0}Size{1}Path\n'.format('\t'*6, '\t'*2))
407 | for root, dirs, files in os.walk(out_path):
408 | for file_ in files:
409 | if file_ == 'sha1_hashes.txt' or file_.find('pmem.') != -1:
410 | continue
411 | full_path = os.path.join(root, file_)
412 | size = os.path.getsize(full_path)
413 | h = hashlib.sha1()
414 | logger.debug('calculating hash: {}'.format(full_path))
415 | progress = ''
416 | with open(full_path, 'rb') as f:
417 | map = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
418 | while True:
419 | data = map.read(IO_BLOCKSIZE)
420 | if data is '':
421 | break
422 | h.update(data)
423 | progress += data
424 | if verbose:
425 | sys.stdout.write('\r...{}%'.format(int(len(progress) * 100 / size)))
426 | if verbose:
427 | print '\r Done\t'
428 | hash_ = h.hexdigest()
429 | lf.write('{0}\t{1:11d}\t{2}\n'.format(hash_, size, full_path))
430 |
431 | def get_profile(build_number, client_server_ident, arch):
432 | os_version = ''
433 | if build_number == 6000:
434 | os_version = g_profiles[6000]['Windows Vista']
435 | elif build_number == 6001 or build_number == 6002:
436 | if client_server_ident.find('Vista') != -1:
437 | os_version = g_profiles[build_number]['Windows Vista']
438 | else:
439 | os_version = g_profiles[build_number]['Windows Server 2008']
440 | else:
441 | os_version = g_profiles[build_number][client_server_ident]
442 |
443 | if arch.find('x86') != -1:
444 | return os_version + 'x86'
445 | else: #amd64
446 | return os_version + 'x64'
447 |
448 | def openioc_scan(out_path, ioc_dir, verbose, python_path, vol_path, plugins_path, pslist):
449 | logger = logging.getLogger('openioc_scan')
450 | set_logger(logger, verbose, out_path, '%(message)s')
451 |
452 | for hostname in os.listdir(out_path):
453 | if os.path.isdir(out_path + '\\' + hostname):
454 | img_path = out_path + '\\' + hostname + '\\pmem'
455 | if os.path.exists(img_path + '.dmp'):
456 | img_path = img_path + '.dmp'
457 | elif os.path.exists(img_path + '.dd4.001'):
458 | img_path = img_path + '.dd4.001'
459 | else:
460 | #logger.critical('Memory image not found in {0}'.format(img_path))
461 | continue
462 |
463 | logger.info('IOC scan target: {0}'.format(hostname))
464 | logger.debug('memory image path: {0}'.format(img_path))
465 | for software_path in glob(out_path + '\\' + hostname + '\\*\\Windows\\System32\\config\\SOFTWARE'):
466 | if os.path.isfile(software_path):
467 | reg = Registry.Registry(software_path)
468 |
469 | try:
470 | BuildLabEx = reg.open("Microsoft\\Windows NT\\CurrentVersion").value('BuildLabEx').value()
471 | build_number, arch = BuildLabEx.split('.')[0], BuildLabEx.split('.')[2]
472 | if int(build_number) < 6000:
473 | logger.critical("The OS is not supported")
474 | return
475 | elif int(build_number) < 7600:
476 | product_name = reg.open("Microsoft\\Windows NT\\CurrentVersion").value('ProductName').value()
477 | logger.debug('identifying profile... (build_number={0}, product_name={1}, arch={2})'.format(build_number, product_name, arch))
478 | profile = get_profile(int(build_number), product_name, arch)
479 | else:
480 | installation_type = reg.open("Microsoft\\Windows NT\\CurrentVersion").value('InstallationType').value()
481 | logger.debug('identifying profile... (build_number={0}, installation_type={1}, arch={2})'.format(build_number, installation_type, arch))
482 | profile = get_profile(int(build_number), installation_type, arch)
483 | except Registry.RegistryValueNotFoundException:
484 | logger.critical("Couldn't get registry values from {0}".format(software_path))
485 | return
486 | logger.info('Profile identified from SOFTWARE registry: {0}'.format(profile))
487 |
488 | arg_profile = '--profile={0}'.format(profile)
489 | arg_ioc_dir = '--ioc_dir={0}'.format(ioc_dir)
490 | if pslist:
491 | cmd = [python_path, vol_path, 'pslist', arg_profile, '-f', img_path]
492 | elif plugins_path == '':
493 | cmd = [python_path, vol_path, 'openioc_scan', arg_profile, arg_ioc_dir, '-f', img_path, '-e']
494 | else:
495 | cmd = [python_path, vol_path, 'openioc_scan', '--plugins={0}'.format(plugins_path), arg_profile, arg_ioc_dir, '-f', img_path, '-e']
496 | logger.info('running volatility...')
497 | logger.info(' '.join(cmd))
498 | #proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
499 | #stdout_data, stderr_data = proc.communicate()
500 | proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
501 | for line in iter(proc.stdout.readline, ''):
502 | if line.find('>>> ') != -1:
503 | line = colorama.Style.BRIGHT + g_color_term + line.rstrip() + colorama.Fore.RESET + colorama.Style.RESET_ALL
504 | elif line.find('matched IOC term detail: ') != -1:
505 | path = ':'.join(line.split(':')[1:])
506 | line = 'matched IOC term detail:' + g_color_detail + path.rstrip() + colorama.Fore.RESET
507 | logger.info(line.rstrip())
508 | proc.stdout.close()
509 | proc.wait()
510 | logger.debug('returncode={0}'.format(proc.returncode))
511 | if proc.returncode == 1:
512 | logger.error("check with the cmdline: {0}".format(cmd))
513 |
514 | def main():
515 | parser = argparse.ArgumentParser(description='onigiri.py - remote malware triage')
516 | parser.add_argument('output', help="folder path saving acquired memory image / files")
517 | parser.add_argument('-r', '--ram', action='store_true', help="acquire RAM")
518 | parser.add_argument('-f', '--files', help="acquire targeted file categories in disk (comma-delimited): {0} or all".format(','.join(g_all_cats)))
519 | parser.add_argument('-s', '--scan', action='store_true', help="acquire RAM then scan volatile IOCs")
520 | parser.add_argument('-i', '--ioc_dir', help="folder path including IOC files for openioc_scan")
521 | parser.add_argument('-p', '--python', help="path to x86 python (python.exe) used by volatility", default=g_x86_python_path)
522 | parser.add_argument('-t', '--ftk', help="path to ftkimager.exe", default=g_ftk_path)
523 | parser.add_argument('-o', '--vol', help="path to vol.py (volatility)", default=g_vol_path)
524 | parser.add_argument('-l', '--plugins', help="path to additional volatility plugins folder", default=g_vol_plugins_path)
525 | parser.add_argument('-a', '--alternative', action='store_true', help="acquire RAM using PsExec&DumpIt instead of F-Response&FTKImager")
526 | parser.add_argument('-e', '--psexec', help="path to PsExec.exe", default=g_psexec_path)
527 | parser.add_argument('-m', '--dumpit', help="path to DumpIt.exe", default=g_dumpit_path)
528 | parser.add_argument('-d', '--domain', default="WORKGROUP", help="domain name the victim machine belongs to")
529 | parser.add_argument('-u', '--user', default="administrator", help="admin user name at the victim machine")
530 | parser.add_argument('-c', '--password', default="forensics", help="the user password at the victim machine")
531 | parser.add_argument('-j', '--pslist', action='store_true', help="run pslist instead of openioc_scan (just check Volatility works)")
532 |
533 | parser.add_argument('-v', '--verbose', action='store_true', help="print verbose messages")
534 | parser.add_argument('--skip', action='store_true', help="skip acquisition if RAM image or files exist")
535 | parser.add_argument('--skiphash', action='store_true', help="skip hash calculation")
536 | parser.add_argument('--version', action='version', version='%(prog)s 0.5')
537 |
538 | subparsers = parser.add_subparsers(dest='edition', help='F-Response editions')
539 | parser_cc = subparsers.add_parser('cc', help='Consultant or Consultant+Covert')
540 | parser_cc.add_argument('config', help="config folder path including fresponse.ini")
541 | parser_emc = subparsers.add_parser('emc', help='Enterprise')
542 | parser_emc.add_argument('machine', help="the victim machine IP address list (comma-delimited)")
543 | parser_emc.add_argument('--uninstall', action='store_true', help="just uninstall the emc agent")
544 |
545 | args = parser.parse_args()
546 | logger = logging.getLogger('main')
547 | set_logger(logger, args.verbose, args.output, '%(name)s:%(levelname)s: %(message)s')
548 | logger.info('onigiri.py - remote malware triage')
549 | logger.debug('args: {0}'.format(args))
550 |
551 | if args.ram is False and args.files is None and args.scan is False:
552 | logger.error('Please specify your action: -r or -f [FILES] or -s')
553 | parser.print_help()
554 | return
555 |
556 | if args.edition == 'cc': # consultant or consultant+covert
557 | try:
558 | fcc = win32com.client.Dispatch("FCCCTRL.FCC")
559 | except win32com.client.pywintypes.com_error:
560 | logger.critical('Cannot access to F-Response Consultant Connector COM API')
561 | return
562 | else:
563 | logger.debug('F-Response Consultant or Consultant+Covert Edition COM API loaded')
564 | if args.config[-1] == '\\':
565 | fres = FREScc(fcc, args.verbose, args.output, args.skip, args.ftk, args.psexec, args.dumpit, args.domain, args.user, args.password, args.config)
566 | else:
567 | fres = FREScc(fcc, args.verbose, args.output, args.skip, args.ftk, args.psexec, args.dumpit, args.domain, args.user, args.password, args.config + '\\') # if not, conf loading will fail
568 | elif args.edition == 'emc': # enterprise
569 | try:
570 | femc = win32com.client.Dispatch("FEMCCTRL.FEMC")
571 | except win32com.client.pywintypes.com_error:
572 | logger.critical('Cannot access to F-Response Enterprise Management Console COM API')
573 | return
574 | else:
575 | logger.debug('F-Response Enterprise Edition COM API loaded')
576 | machine_list = [machine for machine in args.machine.split(',')]
577 | fres = FRESemc(femc, args.verbose, args.output, args.skip, args.ftk, args.psexec, args.dumpit, args.domain, args.user, args.password, machine_list)
578 | logger.debug('Validation: server={0}, port={1}'.format(fres.f.ValidationServer, fres.f.ValidationPort))
579 | if args.uninstall:
580 | logger.debug('switched to emc agent uninstallation...')
581 | fres.uninstall()
582 | return
583 | logger.debug('Configuration for read only iSCSI: user={0}, pass={1}'.format(fres.iscsi_user, fres.iscsi_pwd))
584 |
585 | file_cats = []
586 | if args.files is not None:
587 | try:
588 | file_cats = [cat.lower() for cat in args.files.split(',')]
589 | except ValueError:
590 | logger.error("Invalid disk option {0}".format(args.files))
591 | else:
592 | if 'all' in file_cats:
593 | file_cats = g_all_cats
594 | logger.info('targeted file categories in disk: {0}'.format(file_cats))
595 |
596 | logger.info('########### STEP1: RAM/files Acquisition ############')
597 | fres.acquire(args.ram, file_cats, args.scan, args.alternative)
598 |
599 | if args.skiphash is False:
600 | logger.info('calculating SHA1 hashes of the acquired files...')
601 | calculate_hashes(args.output, args.verbose)
602 |
603 | if args.scan:
604 | logger.info('########### STEP2: Scanning IOCs in RAM ############')
605 | if args.ioc_dir is None:
606 | logger.critical('You should specify the folder including IOCs')
607 | return
608 | openioc_scan(args.output, args.ioc_dir, args.verbose, args.python, args.vol, args.plugins, args.pslist)
609 |
610 | logger.info('onigiri finished\n')
611 |
612 | if __name__ == '__main__':
613 | main()
614 |
--------------------------------------------------------------------------------