├── .codeclimate.yml
├── .gitignore
├── .travis.yml
├── LICENSE
├── README.md
├── analyzer
    ├── __init__.py
    └── darwin
    │   ├── __init__.py
    │   ├── analyzer.py
    │   ├── lib
    │       ├── __init__.py
    │       ├── common
    │       │   ├── __init__.py
    │       │   ├── config.py
    │       │   ├── hashing.py
    │       │   ├── rand.py
    │       │   └── results.py
    │       ├── core
    │       │   ├── __init__.py
    │       │   ├── constants.py
    │       │   ├── data
    │       │   │   ├── signatures.yml
    │       │   │   └── types.yml
    │       │   ├── filetimes.py
    │       │   ├── host.py
    │       │   ├── osx.py
    │       │   └── packages.py
    │       └── dtrace
    │       │   ├── __init__.py
    │       │   ├── apicalls.d
    │       │   ├── apicalls.py
    │       │   ├── autoprobes.py
    │       │   ├── common.py
    │       │   ├── dtruss.py
    │       │   ├── dtruss.sh
    │       │   ├── follow_children.d
    │       │   ├── ipconnections.d
    │       │   └── ipconnections.py
    │   └── modules
    │       ├── __init__.py
    │       └── packages
    │           ├── __init__.py
    │           ├── app.py
    │           ├── bash.py
    │           ├── macho.py
    │           └── zip.py
├── config
    ├── signatures.yml
    └── types.yml
├── requirements.txt
├── scripts
    ├── bootstrap_guest.sh
    └── bootstrap_host.sh
└── tests
    ├── assets
        ├── probes
        │   └── test_probes_integration.d.reference
        ├── test_apicalls_basic.c
        ├── test_apicalls_children.c
        ├── test_apicalls_children_root.c
        ├── test_apicalls_errno.c
        ├── test_apicalls_errno_root.c
        ├── test_apicalls_from_dynamic_library.c
        ├── test_apicalls_from_dynamic_library_root.c
        ├── test_apicalls_root.c
        ├── test_apicalls_timeout.c
        ├── test_apicalls_timeout_root.c
        ├── test_apicalls_with_args.c
        ├── test_apicalls_with_args_root.c
        ├── test_apicalls_without_target.c
        ├── test_cuckoo_dropped_files
        ├── test_cuckoo_dropped_files.c
        ├── test_cuckoo_parents_and_children
        ├── test_cuckoo_parents_and_children.c
        ├── test_dtruss_children.c
        ├── test_dtruss_helloworld.c
        ├── test_dtruss_non_root.c
        ├── test_dtruss_root.c
        ├── test_dtruss_specific_syscall.c
        ├── test_dtruss_timeout.c
        ├── test_dtruss_with_args.c
        ├── test_dtruss_without_target.c
        ├── test_ipconnections_empty.c
        ├── test_ipconnections_target_with_args.c
        ├── test_ipconnections_tcp.c
        ├── test_ipconnections_tcp_with_timeout.c
        └── test_ipconnections_udp.c
    ├── common.py
    ├── test_analyzer.py
    ├── test_apicalls.py
    ├── test_cuckoo.py
    ├── test_dtruss.py
    ├── test_ipconnections.py
    ├── test_packages.py
    └── test_probesgenerator.py


/.codeclimate.yml:
--------------------------------------------------------------------------------
1 | languages:
2 |   Python: true
3 | exclude_paths:
4 | - "tests/*"
5 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Byte-compiled / optimized / DLL files
 2 | __pycache__/
 3 | *.py[cod]
 4 | 
 5 | # C extensions
 6 | *.so
 7 | 
 8 | # Distribution / packaging
 9 | .Python
10 | env/
11 | build/
12 | develop-eggs/
13 | dist/
14 | downloads/
15 | eggs/
16 | .eggs/
17 | lib64/
18 | parts/
19 | sdist/
20 | var/
21 | *.egg-info/
22 | .installed.cfg
23 | *.egg
24 | 
25 | # PyInstaller
26 | #  Usually these files are written by a python script from a template
27 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
28 | *.manifest
29 | *.spec
30 | 
31 | # Installer logs
32 | pip-log.txt
33 | pip-delete-this-directory.txt
34 | 
35 | # Unit test / coverage reports
36 | htmlcov/
37 | .tox/
38 | .coverage
39 | .coverage.*
40 | .cache
41 | nosetests.xml
42 | coverage.xml
43 | *,cover
44 | .noseids
45 | 
46 | # Translations
47 | *.mo
48 | *.pot
49 | 
50 | # Django stuff:
51 | *.log
52 | 
53 | # Sphinx documentation
54 | docs/_build/
55 | 
56 | # PyBuilder
57 | target/
58 | 
59 | # PyCharm
60 | .idea/
61 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
 1 | language:
 2 | - objective-c # make it run on OS X workers *only*
 3 | notifications:
 4 |   email:
 5 |     on_success: never
 6 |     on_failure: always
 7 | install:
 8 |     - brew install python
 9 |     - brew link --overwrite python
10 |     - brew install shellcheck
11 |     - pip install -r requirements.txt
12 | script:
13 |     - nosetests ./tests/test_dtruss.py || echo "Temporary workaround for dtruss tests failing without a reason. See issue 23"
14 |     - nosetests ./tests/test_apicalls.py
15 |     - nosetests ./tests/test_ipconnections.py
16 |     - nosetests ./tests/test_analyzer.py
17 |     - nosetests ./tests/test_packages.py
18 |     - nosetests ./tests/test_probesgenerator.py
19 |     - nosetests ./tests/test_cuckoo.py
20 |     - shellcheck ./scripts/*
21 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2015 Dmitry Rodionov
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # cuckoo-osx-analyzer
  2 | [![Build Status](https://travis-ci.org/rodionovd/cuckoo-osx-analyzer.svg?branch=master)](https://travis-ci.org/rodionovd/cuckoo-osx-analyzer) [![GitHub version](https://badge.fury.io/gh/rodionovd%2Fcuckoo-osx-analyzer.svg)](http://badge.fury.io/gh/rodionovd%2Fcuckoo-osx-analyzer) [![Code Climate](https://codeclimate.com/github/rodionovd/cuckoo-osx-analyzer/badges/gpa.svg)](https://codeclimate.com/github/rodionovd/cuckoo-osx-analyzer)
  3 | My [GSoC project](http://www.google-melange.com/gsoc/project/details/google/gsoc2015/rodionovd/5649050225344512) aiming at building an OS X analyzer for [Cuckoo Sandbox](http://www.cuckoosandbox.org/) project.  
  4 | 
  5 | :warning: **WIP** :warning:  
  6 | ----
  7 | 
  8 | ### Usage
  9 | 
 10 | > See also: [`bootstrap_host.sh`](./scripts/bootstrap_host.sh) and [`bootstrap_guest.sh`](./scripts/bootstrap_guest.sh)
 11 | 
 12 | ##### Guest machine setup
 13 | 
 14 |  0. Install `pt_deny_attach` kernel extension suggested by @phretor. That's an optional step, see [this comment](https://github.com/rodionovd/cuckoo-osx-analyzer/issues/6#issuecomment-101322097) for more details.
 15 | 
 16 |  1. Since this analyser uses some utilities that require additional privileges to run, you may want to enable passwordless `sudo` for them. This may be accomplished by modifying `/etc/sudoers` file:  
 17 | 
 18 |   ```diff
 19 | --- a/etc/sudoers
 20 | +++ b/etc/sudoers
 21 | @@ -43,3 +43,5 @@ root  ALL=(ALL) ALL
 22 |  # Samples
 23 |  # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
 24 |  # %users  localhost=/sbin/shutdown -h now
 25 | +
 26 | + username   ALL=(root) NOPASSWD: /usr/sbin/dtrace
 27 | + username   ALL=(root) NOPASSWD: /bin/date
 28 |   ```
 29 |   (replace `username` above with an actual user name).  
 30 | 
 31 |  2. Set the network settings: IP address, subnet mask, router address and DNS servers:  
 32 |   ```bash
 33 |   $ sudo networksetup -setmanual Ethernet 192.168.56.101 255.255.255.0 192.168.56.1
 34 |   $ sudo networksetup -setdnsservers Ethernet 8.8.8.8 8.8.4.4
 35 |   ```
 36 | 
 37 |  > Also, if you're using VirtualBox: don't forget to setup your host-only internet adapter and attach it to the guest machine.
 38 | 
 39 |  3. Download and launch Cuckoo's `agent.py`:  
 40 | 
 41 |   ```bash
 42 | $ curl -o /Users/Shared/agent.py https://raw.githubusercontent.com/cuckoobox/cuckoo/master/agent/agent.py
 43 | $ python /Users/Shared/agent.py
 44 |   ```
 45 | 
 46 |  4. Take a VM snapshot. It's <kbd>cmd+T</kbd> for VirtualBox.
 47 | 
 48 | ##### On the host side (OS X)
 49 | 
 50 |  0. Setup internet traffic forwarding to and from your guest machine. Here's an example of using `pfctl` to forward traffic to and from `vboxnet0` interface:
 51 | 
 52 |   ```shell
 53 |   $ sudo sysctl -w net.inet.ip.forwarding=1
 54 | 
 55 |   $ rules="nat on en1 from vboxnet0:network to any -> (en1)
 56 |   pass inet proto icmp all
 57 |   pass in on vboxnet0 proto udp from any to any port domain keep state
 58 |   pass quick on en1 proto udp from any to any port domain keep state"
 59 | 
 60 |   $ echo "$rules" > ./pfrules
 61 |   $ sudo pfctl -e -f ./pfrules
 62 |   $ rm -f ./pfrules
 63 |   ```
 64 | 
 65 |   > **Note that you'll have to re-enable traffic forwarding every time you reboot the host machine.**  
 66 | 
 67 |  1. Clone this repository:  
 68 | 
 69 |   ```shell
 70 | $ git clone https://github.com/rodionovd/cuckoo-osx-analyzer.git ~/cuckoo-osx-analyzer
 71 | # Or (if you prefer SSH):
 72 | # $ git clone git@github.com:rodionovd/cuckoo-osx-analyzer.git cuckoo-osx-analyzer
 73 |   ```
 74 | 
 75 |  2. Symlink `analyzer/darwin` directory from this repository to your own copy of [Cuckoo Sandbox](https://github.com/cuckoobox/cuckoo/):
 76 | 
 77 |   ```shell
 78 | $ cd /path/to/cuckoo/sandbox/
 79 | $ cd ./analyzer
 80 | $ ln -s ~/cuckoo-osx-analyzer/analyzer/darwin darwin
 81 | 
 82 |   ```
 83 | 
 84 |  3. Submit an analysis job:
 85 | 
 86 |   ```bash
 87 | $ ./utils/submit.py --platform darwin ~/bin/sample
 88 |   ```
 89 | 
 90 | ### Adding custom API signatures
 91 | You can add custom API signatures and define data types in [`signatures.json`](./cuckoo-osx-analyzer/analyzer/darwin/lib/core/data/signatures.yml) and [`types.yml`](./cuckoo-osx-analyzer/analyzer/darwin/lib/core/data/types.yml) files.
 92 | 
 93 | ### Tests
 94 | 
 95 | You can run the test suite with `nose`:  
 96 | 
 97 | ```bash
 98 | $ cd ./cuckoo-osx-analyzer
 99 | $ sudo -H pip install -r requirements.txt
100 | $ nosetests
101 | ```
102 | 
103 | > NOTE: Running [Cuckoo integration tests](https://github.com/rodionovd/cuckoo-osx-analyzer/blob/master/tests/test_cuckoo.py) requires Cuckoo to be installed in the same directory as the analyzer itself:
104 | > ```
105 | $ ls
106 | cuckoo cuckoo-osx-analyzer
107 | ```
108 | 
109 | See also: [`.travis.yml`](https://github.com/rodionovd/cuckoo-osx-analyzer/blob/master/.travis.yml) and [Travis CI project](https://travis-ci.org/rodionovd/cuckoo-osx-analyzer).
110 | 
111 | 
112 | ### Roadmap, issues and reports  
113 | 
114 | See my [weekly reports](https://github.com/rodionovd/cuckoo-osx-analyzer/wiki/GSoC-weekly-reports) and [Issues](https://github.com/rodionovd/cuckoo-osx-analyzer/issues).
115 | 
116 | 
117 | -----
118 | 
119 | Dmitry Rodionov, i.am.rodionovd@gmail.com  
120 | 2015
121 | 


--------------------------------------------------------------------------------
/analyzer/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rodionovd/cuckoo-osx-analyzer/fabbbe86e59bc39f9054d4ed35299d5f6a1f2b01/analyzer/__init__.py


--------------------------------------------------------------------------------
/analyzer/darwin/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rodionovd/cuckoo-osx-analyzer/fabbbe86e59bc39f9054d4ed35299d5f6a1f2b01/analyzer/darwin/__init__.py


--------------------------------------------------------------------------------
/analyzer/darwin/analyzer.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Copyright (C) 2015 Dmitry Rodionov
  3 | # This software may be modified and distributed under the terms
  4 | # of the MIT license. See the LICENSE file for details.
  5 | 
  6 | import logging
  7 | from sys import stderr
  8 | from hashlib import sha256
  9 | from xmlrpclib import Server
 10 | from traceback import format_exc
 11 | from os import path, getcwd, makedirs
 12 | 
 13 | from lib.common.config import Config
 14 | from lib.common.hashing import hash_file
 15 | from lib.common.results import NetlogHandler, upload_to_host
 16 | from lib.core.constants import PATHS
 17 | from lib.core.packages import choose_package_class
 18 | from lib.core.osx import set_wallclock
 19 | from lib.core.host import CuckooHost
 20 | 
 21 | class Macalyzer(object):
 22 |     """Cuckoo OS X analyser.
 23 |     """
 24 | 
 25 |     log = logging.getLogger()
 26 |     target = None
 27 | 
 28 |     files_to_upload = []
 29 |     uploaded_hashes = []
 30 | 
 31 |     def __init__(self, host, configuration=None):
 32 |         self.config = configuration
 33 |         self.host = host
 34 | 
 35 |     def bootstrap(self):
 36 |         _create_result_folders()
 37 |         _setup_logging()
 38 |         self._detect_target()
 39 | 
 40 |     def run(self):
 41 |         """Run analysis.
 42 |         """
 43 |         self.bootstrap()
 44 | 
 45 |         self.log.debug("Starting analyzer from %s", getcwd())
 46 |         self.log.debug("Storing results at: %s", PATHS["root"])
 47 | 
 48 |         package = self._setup_analysis_package()
 49 | 
 50 |         if self.config.clock:
 51 |             set_wallclock(self.config.clock)
 52 |         self._analysis(package)
 53 | 
 54 |         return self._complete()
 55 | 
 56 |     def _complete(self):
 57 |         for f in self.files_to_upload:
 58 |             self._upload_file(f)
 59 |         return True
 60 | 
 61 |     #
 62 |     # Implementation details
 63 |     #
 64 | 
 65 |     def _detect_target(self):
 66 |         if self.config.category == "file":
 67 |             self.target = path.join("/tmp/", str(self.config.file_name))
 68 |         else: # It's not a file, but a URL
 69 |             self.target = self.config.target
 70 | 
 71 |     def _setup_analysis_package(self):
 72 |         # Do we have a suggestion about an analysis package?
 73 |         if self.config.package:
 74 |             suggestion = self.config.package
 75 |         elif self.config.category != "file":
 76 |             suggestion = "url"
 77 |         else:
 78 |             suggestion = None
 79 |         # Try to figure out what analysis package to use with this target
 80 |         kwargs = {"suggestion" : suggestion}
 81 |         package_class = choose_package_class(self.config.file_type,
 82 |                                              self.config.file_name, **kwargs)
 83 |         if not package_class:
 84 |             raise Exception("Could not find an appropriate analysis package")
 85 |         # Package initialization
 86 |         kwargs = {
 87 |             "options" : self.config.get_options(),
 88 |             "timeout" : self.config.timeout
 89 |         }
 90 |         return package_class(self.target, self.host, **kwargs)
 91 | 
 92 |     def _analysis(self, package):
 93 |         package.start()
 94 |         self.files_to_upload = package.touched_files
 95 | 
 96 |     def _upload_file(self, filepath):
 97 |         if not path.isfile(filepath):
 98 |             return
 99 |         # Check whether we've already dumped this file - in that case skip it
100 |         try:
101 |             hashsum = hash_file(sha256, filepath)
102 |             if sha256 in self.uploaded_hashes:
103 |                 return
104 |         except IOError as e:
105 |             self.log.info("Error dumping file from path \"%s\": %s", filepath, e)
106 |             return
107 |         filename = "%s_%s" % (hashsum[:16], path.basename(filepath))
108 |         upload_path = path.join("files", filename)
109 | 
110 |         try:
111 |             upload_to_host(filepath, upload_path)
112 |             self.uploaded_hashes.append(hashsum)
113 |         except IOError as e:
114 |             self.log.error("Unable to upload dropped file at path \"%s\": %s", filepath, e)
115 | 
116 | def _create_result_folders():
117 |     for _, folder in PATHS.items():
118 |         if path.exists(folder):
119 |             continue
120 |         try:
121 |             makedirs(folder)
122 |         except OSError:
123 |             pass
124 | 
125 | 
126 | def _setup_logging():
127 |     """ Initialize logger. """
128 |     logger = logging.getLogger()
129 |     formatter = logging.Formatter("%(asctime)s [%(name)s] %(levelname)s: %(message)s")
130 | 
131 |     stream = logging.StreamHandler()
132 |     stream.setFormatter(formatter)
133 |     logger.addHandler(stream)
134 | 
135 |     netlog = NetlogHandler()
136 |     netlog.setFormatter(formatter)
137 |     logger.addHandler(netlog)
138 |     logger.setLevel(logging.DEBUG)
139 | 
140 | 
141 | 
142 | if __name__ == "__main__":
143 |     success = False
144 |     error = ""
145 | 
146 |     try:
147 |         config = Config(cfg="analysis.conf")
148 |         cuckoo = CuckooHost(config.ip, config.port)
149 |         analyzer = Macalyzer(cuckoo, config)
150 |         success = analyzer.run()
151 | 
152 |     except KeyboardInterrupt:
153 |         error = "Keyboard Interrupt"
154 | 
155 |     except Exception as err:
156 |         error_exc = format_exc()
157 |         error = str(err)
158 |         if len(analyzer.log.handlers):
159 |             analyzer.log.exception(error_exc)
160 |         else:
161 |             stderr.write("{0}\n".format(error_exc))
162 |     # Once the analysis is completed or terminated for any reason, we report
163 |     # back to the agent, notifying that it can report back to the host.
164 |     finally:
165 |         # Establish connection with the agent XMLRPC server.
166 |         server = Server("http://127.0.0.1:8000")
167 |         server.complete(success, error, PATHS["root"])
168 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rodionovd/cuckoo-osx-analyzer/fabbbe86e59bc39f9054d4ed35299d5f6a1f2b01/analyzer/darwin/lib/__init__.py


--------------------------------------------------------------------------------
/analyzer/darwin/lib/common/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2010-2015 Cuckoo Foundation.
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/common/config.py:
--------------------------------------------------------------------------------
 1 | # Copyright (C) 2010-2015 Cuckoo Foundation.
 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
 3 | # See the file 'docs/LICENSE' for copying permission.
 4 | 
 5 | import ConfigParser
 6 | 
 7 | class Config:
 8 |     def __init__(self, cfg):
 9 |         """@param cfg: configuration file."""
10 |         config = ConfigParser.ConfigParser(allow_no_value=True)
11 |         config.read(cfg)
12 | 
13 |         for section in config.sections():
14 |             for name, raw_value in config.items(section):
15 |                 if name == "file_name":
16 |                     value = config.get(section, name)
17 |                 else:
18 |                     try:
19 |                         value = config.getboolean(section, name)
20 |                     except ValueError:
21 |                         try:
22 |                             value = config.getint(section, name)
23 |                         except ValueError:
24 |                             value = config.get(section, name)
25 |                 setattr(self, name, value)
26 | 
27 |     def get_options(self):
28 |         """Get analysis options.
29 |         @return: options dict.
30 |         """
31 |         # The analysis package can be provided with some options in the
32 |         # following format:
33 |         #   option1=value1,option2=value2,option3=value3
34 |         #
35 |         # Here we parse such options and provide a dictionary that will be made
36 |         # accessible to the analysis package.
37 |         options = {}
38 |         if hasattr(self, "options") and len(self.options) > 0:
39 |             try:
40 |                 # Split the options by comma.
41 |                 fields = self.options.split(",")
42 |             except ValueError:
43 |                 pass
44 |             else:
45 |                 for field in fields:
46 |                     # Split the name and the value of the option.
47 |                     try:
48 |                         # Sometimes, we have a key without a value (i.e. it's a
49 |                         # command line argument), so we can't use the
50 |                         # `key, value = field.split("=", 1)` style here
51 |                         parts = field.split("=", 1)
52 |                     except ValueError:
53 |                         pass
54 |                     else:
55 |                         key = parts[0].strip()
56 |                         arg_prefix = "arg-"
57 |                         if not key.startswith(arg_prefix):
58 |                             # If the parsing went good, we add the option to the
59 |                             # dictionary.
60 |                             value = parts[1].strip()
61 |                             options[key] = value
62 |                         elif len(key) > len(arg_prefix):
63 |                             # Remove "arg-" prefix from the key
64 |                             key = key[4:]; parts[0] = key
65 |                             # Add this key (with a value maybe) to the args
66 |                             if "args" not in options: options["args"] = []
67 |                             options["args"] += parts
68 |         return options
69 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/common/hashing.py:
--------------------------------------------------------------------------------
 1 | # Copyright (C) 2010-2015 Cuckoo Foundation.
 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
 3 | # See the file 'docs/LICENSE' for copying permission.
 4 | 
 5 | BUFSIZE = 1024*1024
 6 | 
 7 | 
 8 | def hash_file(method, path):
 9 |     """Calculates an hash on a file by path.
10 |     @param method: callable hashing method
11 |     @param path: file path
12 |     @return: computed hash string
13 |     """
14 |     f = open(path, "rb")
15 |     h = method()
16 |     while True:
17 |         buf = f.read(BUFSIZE)
18 |         if not buf:
19 |             break
20 |         h.update(buf)
21 |     return h.hexdigest()
22 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/common/rand.py:
--------------------------------------------------------------------------------
 1 | import random
 2 | import string
 3 | 
 4 | def random_string(minimum, maximum=None):
 5 |     if maximum is None:
 6 |         maximum = minimum
 7 | 
 8 |     count = random.randint(minimum, maximum)
 9 |     return "".join(random.choice(string.ascii_letters) for x in xrange(count))
10 | 
11 | def random_integer(digits):
12 |     start = 10 ** (digits - 1)
13 |     end = (10 ** digits) - 1
14 |     return random.randint(start, end)
15 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/common/results.py:
--------------------------------------------------------------------------------
 1 | # Copyright (C) 2010-2015 Cuckoo Foundation.
 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
 3 | # See the file 'docs/LICENSE' for copying permission.
 4 | 
 5 | import time
 6 | import socket
 7 | import logging
 8 | from config import Config
 9 | 
10 | log = logging.getLogger(__name__)
11 | 
12 | BUFSIZE = 1024*1024
13 | 
14 | def upload_to_host(file_path, dump_path):
15 |     nc = infd = None
16 |     try:
17 |         nc = NetlogFile(dump_path)
18 | 
19 |         infd = open(file_path, "rb")
20 |         buf = infd.read(BUFSIZE)
21 |         while buf:
22 |             nc.send(buf, retry=False)
23 |             buf = infd.read(BUFSIZE)
24 |     except Exception as e:
25 |         log.error("Exception uploading file %s to host: %s", file_path, e)
26 |     finally:
27 |         if infd:
28 |             infd.close()
29 |         if nc:
30 |             nc.close()
31 | 
32 | class NetlogConnection(object):
33 |     def __init__(self, proto=""):
34 |         config = Config(cfg="analysis.conf")
35 |         self.hostip, self.hostport = config.ip, config.port
36 |         self.sock, self.file = None, None
37 |         self.proto = proto
38 | 
39 |     def connect(self):
40 |         i = 1
41 |         # this can loop forever, if we can't connect the whole analysis is useless anyways
42 |         while True:
43 |             s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
44 |             try:
45 |                 s.connect((self.hostip, self.hostport))
46 |                 s.sendall(self.proto)
47 |             except:
48 |                 time.sleep(i)
49 |                 i = min(i + 1, 60)
50 |             else:
51 |                 self.sock = s
52 |                 self.file = s.makefile()
53 |                 break
54 | 
55 |     def send(self, data, retry=True):
56 |         if not self.sock: self.connect()
57 | 
58 |         try:
59 |             self.sock.sendall(data)
60 |         except socket.error as e:
61 |             if retry:
62 |                 self.connect()
63 |                 self.send(data, retry=False)
64 |             else:
65 |                 raise
66 |         except Exception as e:
67 |             log.error("Unhandled exception in NetlogConnection: %s", str(e))
68 |             # We really have nowhere to log this, if the netlog connection
69 |             # does not work, we can assume that any logging won't work either.
70 |             # So we just fail silently.
71 |             self.close()
72 | 
73 |     def close(self):
74 |         try:
75 |             self.file.close()
76 |             self.sock.close()
77 |         except Exception:
78 |             pass
79 | 
80 | class NetlogFile(NetlogConnection):
81 |     def __init__(self, filepath):
82 |         self.filepath = filepath
83 |         NetlogConnection.__init__(self, proto="FILE\n{0}\n".format(self.filepath))
84 |         self.connect()
85 | 
86 | class NetlogHandler(logging.Handler, NetlogConnection):
87 |     def __init__(self):
88 |         logging.Handler.__init__(self)
89 |         NetlogConnection.__init__(self, proto="LOG\n")
90 |         self.connect()
91 | 
92 |     def emit(self, record):
93 |         msg = self.format(record)
94 |         self.send("{0}\n".format(msg))
95 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/core/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rodionovd/cuckoo-osx-analyzer/fabbbe86e59bc39f9054d4ed35299d5f6a1f2b01/analyzer/darwin/lib/core/__init__.py


--------------------------------------------------------------------------------
/analyzer/darwin/lib/core/constants.py:
--------------------------------------------------------------------------------
 1 | # Copyright (C) 2010-2015 Cuckoo Foundation.
 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
 3 | # See the file 'docs/LICENSE' for copying permission.
 4 | 
 5 | import os
 6 | from tempfile import gettempdir
 7 | from ..common.rand import random_string
 8 | 
 9 | ROOT = os.path.join(gettempdir() + os.sep, random_string(6, 10))
10 | 
11 | PATHS = {
12 |     "root"   : ROOT,
13 |     "logs"   : os.path.join(ROOT, "logs"),
14 |     "files"  : os.path.join(ROOT, "files"),
15 |     "shots"  : os.path.join(ROOT, "shots"),
16 |     "memory" : os.path.join(ROOT, "memory"),
17 |     "drop"   : os.path.join(ROOT, "drop")
18 | }
19 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/core/data/signatures.yml:
--------------------------------------------------------------------------------
  1 | system:
  2 |     is_success_condition: "retval == 0"
  3 |     args:
  4 |       - {name: "command", type: "char *"}
  5 |     retval_type: "int"
  6 |     category: "foobar"
  7 | 
  8 | printf:
  9 |     is_success_condition: "retval > 0"
 10 |     args:
 11 |       - {name: "format", type: "char *"}
 12 |     retval_type: "int"
 13 |     category: "foobar"
 14 | 
 15 | dlopen:
 16 |     is_success_condition: "retval > 0"
 17 |     args:
 18 |       - {name: "path", type: "char *"}
 19 |       - {name: "mode", type: "int"}
 20 |     retval_type: "void *"
 21 |     category: "foobar"
 22 |     library: "libdyld"
 23 | 
 24 | dlsym:
 25 |     is_success_condition: "retval > 0"
 26 |     args:
 27 |       - {name: "handle", type: "void *"}
 28 |       - {name: "symbol", type: "char *"}
 29 |     retval_type: "void *"
 30 |     category: "foobar"
 31 |     library: "libdyld"
 32 | 
 33 | fprintf:
 34 |     is_success_condition: "retval > 0"
 35 |     args:
 36 |       - {name: "stream", type: "void *"}
 37 |       - {name: "format", type: "char *"}
 38 |     retval_type: "int"
 39 |     category: "foobar"
 40 | 
 41 | open:
 42 |     is_success_condition: "retval > 0"
 43 |     args:
 44 |       - {name: "path",  type: "char *"}
 45 |       - {name: "oflag", type: "int"}
 46 |     retval_type: "int"
 47 |     category: "file"
 48 | 
 49 | fopen:
 50 |     is_success_condition: "retval > 0"
 51 |     args:
 52 |       - {name: "filename", type: "char *"}
 53 |       - {name: "mode",     type: "char *"}
 54 |     retval_type: "void *"
 55 |     category: "file"
 56 | 
 57 | freopen:
 58 |     is_success_condition: "retval > 0"
 59 |     args:
 60 |       - {name: "filename", type: "char *"}
 61 |       - {name: "mode",     type: "char *"}
 62 |       - {name: "stream",   type: "void *"}
 63 |     retval_type: "void *"
 64 |     category: "file"
 65 | 
 66 | rename:
 67 |     is_success_condition: "retval == 0"
 68 |     args:
 69 |       - {name: "old",   type: "char *"}
 70 |       - {name: "new",   type: "char *"}
 71 |       - {name: "state", type: "void *"}
 72 |       - {name: "flags", type: "uint64_t"}
 73 |     retval_type: "int"
 74 |     category: "file"
 75 | 
 76 | copyfile:
 77 |     is_success_condition: "retval == 0"
 78 |     args:
 79 |       - {name: "from",  type: "char *"}
 80 |       - {name: "to",    type: "char *"}
 81 |       - {name: "state", type: "void *"}
 82 |       - {name: "flags", type: "uint32_t"}
 83 |     retval_type: "int"
 84 |     category: "file"
 85 | 
 86 | remove:
 87 |     is_success_condition: "retval == 0"
 88 |     args:
 89 |       - {name: "path", type: "char *"}
 90 |     retval_type: "int"
 91 |     category: "file"
 92 | 
 93 | unlink:
 94 |     is_success_condition: "retval == 0"
 95 |     args:
 96 |       - {name: "path", type: "char *"}
 97 |     retval_type: "int"
 98 |     category: "file"
 99 | 
100 | execve:
101 |     is_success_condition: "retval != -1"
102 |     args:
103 |       - {name: "path", type: "char *"}
104 |       - {name: "argv", type: "void *"}
105 |       - {name: "envp", type: "void *"}
106 |     retval_type: "int"
107 |     category: "process"
108 |     __ignore__: true
109 | 
110 | fork:
111 |     is_success_condition: "retval >= 0"
112 |     args: []
113 |     retval_type: "int"
114 |     category: "process"
115 | 
116 | socket:
117 |     is_success_condition: "retval > 0"
118 |     args:
119 |       - {name: "domain",   type: "int"}
120 |       - {name: "type",     type: "int"}
121 |       - {name: "protocol", type: "int"}
122 |     retval_type: "int"
123 |     category: "network"
124 | 
125 | # Signatures for tests.
126 | # Please don't remove them. Thanks!
127 | 
128 | rb_isalpha:
129 |     is_success_condition: "retval != 0"
130 |     args:
131 |       - {name: "character", type: "char"}
132 |     retval_type: "int"
133 |     category: "foobar"
134 | 
135 | atoi:
136 |     is_success_condition: "1==1"
137 |     args:
138 |       - {name: "str", type: "char *"}
139 |     retval_type: "int"
140 |     category: "foobar"
141 |     library: "libsystem_c"
142 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/core/data/types.yml:
--------------------------------------------------------------------------------
  1 | # ===============================================
  2 | # Basic types
  3 | #
  4 | int: &int
  5 |     # We will print it with something like printf("%d", value)
  6 |     printf_specifier: "%d"
  7 |     # Is it a native C type (on OS X)?
  8 |     native: Yes
  9 | # Alternative name for backward compatibility
 10 | integer: *int
 11 | 
 12 | unsigned int: &unsigned-int
 13 |     printf_specifier: "%ld"
 14 |     native: Yes
 15 | 
 16 | long: &long
 17 |     printf_specifier: "%l"
 18 |     native: Yes
 19 | 
 20 | unsigned long: &unsigned-long
 21 |     printf_specifier: "%lu"
 22 |     native: Yes
 23 | 
 24 | unsigned long long: &unsigned-long-long
 25 |     printf_specifier: "%llu"
 26 |     native: Yes
 27 | 
 28 | size_t: *unsigned-long
 29 | 
 30 | char: &char
 31 |     printf_specifier: '"%c"'
 32 |     native: Yes
 33 | 
 34 | float: &float
 35 |     printf_specifier: "%f"
 36 |     native: Yes
 37 | 
 38 | double: &double
 39 |     printf_specifier: "%f"
 40 |     native: Yes
 41 | #
 42 | # Raw pointers: just dump their values (in *decimal* since dtrace will output
 43 | # JSON that doesn't accept hex values)
 44 | #
 45 | "void *":
 46 |     <<: *unsigned-long-long
 47 |     cast: "unsigned long long"
 48 | #
 49 | # Strings
 50 | #
 51 | "char *": &char-pointer
 52 |     printf_specifier: '"%S"'
 53 |     native: No
 54 |     template: |-
 55 |         !!(${ARG}) ? copyinstr((uint64_t)${ARG}) : "<NULL>"
 56 | #
 57 | # Arbitrary buffers
 58 | #
 59 | #buffer: &buffer
 60 | #    printf_specifier: '"%S"'
 61 | #    native: No
 62 | #    template: |-
 63 | #        ${ARG} != (int64_t)NULL ? stringof(copyin(${ARG}, ${SIZE_ARG})) : "<NULL>"
 64 | #
 65 | # Fixed length C types
 66 | #
 67 | int8_t: &int8_t
 68 |     printf_specifier: "%d"
 69 |     native: Yes
 70 | 
 71 | uint8_t: &uint8_t
 72 |     printf_specifier: "%u"
 73 |     native: Yes
 74 | 
 75 | int16_t: &int16_t
 76 |     printf_specifier: "%d"
 77 |     native: Yes
 78 | 
 79 | uint16_t: &uint16_t
 80 |     printf_specifier: "%u"
 81 |     native: Yes
 82 | 
 83 | int32_t: &int32_t
 84 |     printf_specifier: "%d"
 85 |     native: Yes
 86 | 
 87 | uint32_t: &uint32_t
 88 |     printf_specifier: "%u"
 89 |     native: Yes
 90 | 
 91 | int64_t: &int64_t
 92 |     printf_specifier: "%lld"
 93 |     native: Yes
 94 | 
 95 | uint64_t: &uint64_t
 96 |     printf_specifier: "%llu"
 97 |     native: Yes
 98 | 
 99 | #
100 | # Structures for tests.
101 | # Please don't remove them. Thanks!
102 | #
103 | 
104 | test_t:
105 |     native: No
106 |     struct:
107 |          hash: "int"
108 |          base: "test_internal_t *"
109 |          description: "char *"
110 | 
111 | test_internal_t:
112 |     native: No
113 |     struct:
114 |         abc: "double *"
115 |         hfa: "size_t"
116 |         sss: "char *"
117 | 
118 | test_extra_t:
119 |     native: No
120 |     struct:
121 |         foo: int
122 |         bar: uint64_t
123 | 
124 | #
125 | # Your custom data types
126 | #
127 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/core/filetimes.py:
--------------------------------------------------------------------------------
 1 | # Copyright (c) 2009, David Buxton <david@gasmark6.com>
 2 | # All rights reserved.
 3 | #
 4 | # Redistribution and use in source and binary forms, with or without
 5 | # modification, are permitted provided that the following conditions are
 6 | # met:
 7 | #
 8 | #     * Redistributions of source code must retain the above copyright
 9 | # notice, this list of conditions and the following disclaimer.
10 | #     * Redistributions in binary form must reproduce the above copyright
11 | # notice, this list of conditions and the following disclaimer in the
12 | # documentation and/or other materials provided with the distribution.
13 | #
14 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
15 | # IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
16 | # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
17 | # PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
18 | # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
20 | # TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
21 | # PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
22 | # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
23 | # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
24 | # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 | """Tools to convert between Python datetime instances and Microsoft times.
26 | """
27 | from calendar import timegm
28 | 
29 | 
30 | # http://support.microsoft.com/kb/167296
31 | # How To Convert a UNIX time_t to a Win32 FILETIME or SYSTEMTIME
32 | EPOCH_AS_FILETIME = 116444736000000000  # January 1, 1970 as MS file time
33 | HUNDREDS_OF_NANOSECONDS = 10000000
34 | 
35 | 
36 | def dt_to_filetime(dt, delta_from_utc):
37 |     """Converts a datetime to Microsoft filetime format.
38 | 
39 |     >>> "%.0f" % dt_to_filetime(datetime(2009, 7, 25, 23, 0))
40 |     '128930364000000000'
41 | 
42 |     >>> "%.0f" % dt_to_filetime(datetime(1970, 1, 1, 0, 0, tzinfo=utc))
43 |     '116444736000000000'
44 | 
45 |     >>> "%.0f" % dt_to_filetime(datetime(1970, 1, 1, 0, 0))
46 |     '116444736000000000'
47 | 
48 |     >>> dt_to_filetime(datetime(2009, 7, 25, 23, 0, 0, 100))
49 |     128930364000001000
50 |     """
51 |     dt += delta_from_utc
52 |     ft = EPOCH_AS_FILETIME + (timegm(dt.timetuple()) * HUNDREDS_OF_NANOSECONDS)
53 |     return ft + (dt.microsecond * 10)
54 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/core/host.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Copyright (C) 2015 Dmitry Rodionov
  3 | # This software may be modified and distributed under the terms
  4 | # of the MIT license. See the LICENSE file for details.
  5 | 
  6 | import yaml
  7 | import socket
  8 | import logging
  9 | from os import path
 10 | from bson import BSON
 11 | from datetime import datetime
 12 | from subprocess import check_output, CalledProcessError
 13 | 
 14 | from filetimes import dt_to_filetime
 15 | 
 16 | log = logging.getLogger(__name__)
 17 | 
 18 | def signatures_path():
 19 |     return path.join(path.dirname(path.abspath(__file__)), "data", "signatures.yml")
 20 | 
 21 | class CuckooHost(object):
 22 |     """ Sending analysis results back to the Cuckoo Host.
 23 | 
 24 |     Currently it only supports sending results about API calls via send_api(),
 25 |     see `apicalls` module.
 26 |     """
 27 |     sockets = {
 28 |         # Each target process has its own results server on the host, so
 29 |         # we setup as many sockets as we have targets to analyse.
 30 |     }
 31 |     descriptions = {
 32 |         # We don't want to explain APIs every single time they're about to be
 33 |         # send to the host, so we explain them once and then just refer to them
 34 |         # via an unique ID.
 35 |     }
 36 |     launch_times = {
 37 |         # Since Cuckoo host expects us to send relative times, we remember when
 38 |         # every target was launched.
 39 |     }
 40 |     human_readable_info = {
 41 |         # Here goes all the additional information about APIs like category,
 42 |         # arguments names and so on. See date/apis.json for more details.
 43 |     }
 44 | 
 45 |     def __init__(self, host_ip, host_port):
 46 |         self.address = host_ip
 47 |         self.port = host_port
 48 |         self._load_human_readable_info()
 49 | 
 50 |     def send_api(self, thing):
 51 |         """ Sends a new API notification to the Cuckoo host """
 52 |         pid = thing.pid
 53 |         api = thing.api
 54 | 
 55 |         # We're required to report results of tracing a target process to
 56 |         # *its own* result server. So create a communication socket...
 57 |         if pid not in self.sockets:
 58 |             self.sockets[pid] = self._create_socket()
 59 |             if not self.sockets[pid]:
 60 |                 raise Exception("CuckooHost error: could not create socket.")
 61 |             # ... and don't forget to explain every single API call again
 62 |             self.descriptions.setdefault(pid, ["__process__", "__thread__"])
 63 |             self._send_new_process(thing)
 64 |         try:
 65 |             lookup_idx = self.descriptions[pid].index(api)
 66 |         except ValueError:
 67 |             self.descriptions[pid].append(api)
 68 |             lookup_idx = len(self.descriptions[pid]) - 1
 69 |             self._send_api_description(lookup_idx, thing)
 70 | 
 71 |         # Here's an api object:
 72 |         # {
 73 |         #     "I"    : (int)<index in the API lookup table>,
 74 |         #     "T"    : (int)<caller thread id>,
 75 |         #     "t"    : (int)<time (in milliseconds) since a process launch>,
 76 |         #     "args" : [
 77 |         #         (int)<1 if this API call was successfull, 0 otherwise>,
 78 |         #         (int)<return value>,
 79 |         #         (any)<value the first argument>,
 80 |         #         (any)<value the second argument>,
 81 |         #                       ...
 82 |         #         (any)<value the n-th argument>,
 83 |         #     ]
 84 |         # }
 85 |         time_offset_ms = int(1000*thing.timestamp - 1000*self.launch_times[pid])
 86 |         self.sockets[pid].sendall(BSON.encode({
 87 |             "I"    : lookup_idx,
 88 |             "T"    : thing.tid,
 89 |             "t"    : time_offset_ms,
 90 |             "args" : self._prepare_args(thing)
 91 |         }))
 92 | 
 93 |     def _create_socket(self):
 94 |         """ Allocates a new socket and prepares it for communicating with the host """
 95 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 96 |         sock.connect((self.address, self.port))
 97 |         # Prepare the result server to accept data in BSON format
 98 |         sock.sendall("BSON\n")
 99 |         return sock
100 | 
101 |     def _send_api_description(self, lookup_idx, thing):
102 |         """ Describes the given API call to the host """
103 |         # Here's an api description object:
104 |         # {
105 |         #     "I"        : (string)<index in the API lookup table>,
106 |         #     "name"     : (string)<API name>,
107 |         #     "type"     : "info",
108 |         #     "category" : (string)<an API category (e.g. "memory" or "network")>
109 |         #     "args"     : [
110 |         #         "is_success",
111 |         #         "retval",
112 |         #         (string)<description of the first argument>,
113 |         #         (string)<description of the second argument>,
114 |         #                       ...
115 |         #         (string)<description of the n-th argument>,
116 |         #     ]
117 |         # }
118 |         self.sockets[thing.pid].sendall(BSON.encode({
119 |             "I"        : lookup_idx,
120 |             "name"     : thing.api,
121 |             "type"     : "info",
122 |             "category" : self._api_category(thing),
123 |             "args"     : self._api_args_description(thing)
124 |         }))
125 | 
126 |     def _send_new_process(self, thing):
127 |         """ Sends a notification about a new target process out there """
128 |         pid = thing.pid
129 |         lookup_idx = self.descriptions[pid].index("__process__")
130 | 
131 |         # Remember when this process was born
132 |         self.launch_times[pid] = thing.timestamp
133 |         # Describe the __process__ notification
134 |         self.sockets[pid].sendall(BSON.encode({
135 |             "I"        : lookup_idx,
136 |             "name"     : "__process__",
137 |             "type"     : "info",
138 |             "category" : "unknown",
139 |             "args"     : [
140 |                 "is_success",
141 |                 "retval",
142 |                 "TimeLow", "TimeHigh",
143 |                 "ProcessIdentifier", "ParentProcessIdentifier",
144 |                 "ModulePath"
145 |             ]
146 |         }))
147 |         # Convert our unix timestamp into Windows's FILETIME because Cuckoo
148 |         # result server expect timestamps to be in this format
149 |         filetime = _filetime_from_timestamp(thing.timestamp)
150 |         # Get process name (aka module path)
151 |         module = _proc_name_from_pid(pid)
152 |         self.sockets[pid].sendall(BSON.encode({
153 |             "I"    : lookup_idx,
154 |             "T"    : thing.tid,
155 |             "t"    : 0,
156 |             "args" : [
157 |                 1,
158 |                 0,
159 |                 # TimeLow (first 32bits) and TimeHigh (last 32bits)
160 |                 filetime & 0xffffffff, filetime >> 32,
161 |                 thing.pid, thing.ppid,
162 |                 # ModulePath
163 |                 module
164 |             ]
165 |         }))
166 | 
167 |     def _prepare_args(self, thing):
168 |         # First two "arguments" are always is_success and retval
169 |         result = [
170 |             self._verify_is_success(thing),
171 |             thing.retval
172 |         ]
173 |         return result + thing.args
174 | 
175 |     def _verify_is_success(self, thing):
176 |         retval = thing.retval
177 |         errno = thing.errno
178 |         if thing.api not in self.human_readable_info: # fallback to success
179 |             return 1
180 | 
181 |         condition = self.human_readable_info[thing.api]["is_success_condition"]
182 |         result = eval(condition, {"__builtins__" : None}, {
183 |             "retval" : retval,
184 |             "errno"  : errno
185 |         })
186 |         return 1 if result else 0
187 | 
188 |     def _api_category(self, thing):
189 |         api = thing.api
190 |         if api not in self.human_readable_info: # fallback
191 |             return "unknown"
192 |         return self.human_readable_info[api]["category"]
193 | 
194 |     def _api_args_description(self, thing):
195 |         api = thing.api
196 |         # First two "arguments" are always these
197 |         description = ["is_success", "retval"]
198 |         # Try to parse argument names for known APIs
199 |         if api in self.human_readable_info:
200 |             args = self.human_readable_info[api]["args"]
201 |             description += [x["name"] for x in args]
202 |         else: # fallback to arg0, arg1, ..., argN
203 |             for arg_idx in range(0, len(thing.args)):
204 |                 description += ["arg%d" % arg_idx]
205 |         return description
206 | 
207 |     def _load_human_readable_info(self):
208 |         signatures = signatures_path()
209 |         try:
210 |             with open(signatures, "r") as infile:
211 |                 self.human_readable_info = yaml.safe_load(infile)
212 |         except IOError:
213 |             log.exception("Could not open %s", path.basename(signatures))
214 |         except ValueError:
215 |             log.exception("Invalid YAML file %s", path.basename(signatures))
216 | 
217 | 
218 | def _proc_name_from_pid(pid):
219 |     """ Parses `ps -o comm` output for the given PID """
220 |     try:
221 |         ps_output = check_output(["/bin/ps", "-p", str(pid), "-o", "comm"])
222 |         # The first line of an output is reserved for `ps` headers and the
223 |         # second one contains a process path
224 |         return ps_output.split("\n")[1]
225 |     except CalledProcessError:
226 |         return "unknown"
227 | 
228 | 
229 | def _filetime_from_timestamp(timestamp):
230 |     """ See filetimes.py for details """
231 |     # Timezones are hard, sorry
232 |     moment = datetime.fromtimestamp(timestamp)
233 |     delta_from_utc = moment - datetime.utcfromtimestamp(timestamp)
234 |     return dt_to_filetime(moment, delta_from_utc)
235 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/core/osx.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # Copyright (C) 2015 Dmitry Rodionov
 3 | # This software may be modified and distributed under the terms
 4 | # of the MIT license. See the LICENSE file for details.
 5 | 
 6 | from os import system
 7 | from datetime import datetime
 8 | 
 9 | def set_wallclock(clock_str, **kwargs):
10 |     clock = datetime.strptime(clock_str, "%Y%m%dT%H:%M:%S")
11 |     # NOTE: On OS X there's `date` utility that accepts
12 |     # new date/time as a string of the folowing format:
13 |     # {month}{day}{hour}{minutes}{year}.{seconds}
14 |     # where every {x} is a 2 digit number.
15 |     cmd = "sudo date {0}".format(clock.strftime("%m%d%H%M%y.%S"))
16 | 
17 |     if "just_testing" in kwargs:
18 |         return cmd
19 |     else:
20 |         system(cmd)
21 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/core/packages.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Copyright (C) 2015 Dmitry Rodionov
  3 | # This software may be modified and distributed under the terms
  4 | # of the MIT license. See the LICENSE file for details.
  5 | 
  6 | from ..dtrace.apicalls import apicalls
  7 | 
  8 | import inspect
  9 | from sets import Set
 10 | from os import sys, path
 11 | 
 12 | def choose_package_class(file_type, file_name, suggestion=None):
 13 |     if suggestion is not None:
 14 |         name = suggestion
 15 |     else:
 16 |         name = _guess_package_name(file_type, file_name)
 17 |         if not name:
 18 |             return None
 19 | 
 20 |     full_name = "modules.packages.%s" % name
 21 |     try:
 22 |         # FIXME(rodionovd):
 23 |         # I couldn't figure out how to make __import__ import anything from
 24 |         # the (grand)parent package, so here I just patch the PATH
 25 |         sys.path.append(path.abspath(path.join(path.dirname(__file__), '..', '..')))
 26 |         # Since we don't know the package class yet, we'll just import everything
 27 |         # from this module and then try to figure out the required member class
 28 |         module = __import__(full_name, globals(), locals(), ['*'])
 29 |     except ImportError:
 30 |         raise Exception("Unable to import package \"{0}\": it does not "
 31 |                         "exist.".format(name))
 32 |     try:
 33 |         pkg_class = _found_target_class(module, name)
 34 |     except IndexError as err:
 35 |         raise Exception("Unable to select package class (package={0}): "
 36 |                         "{1}".format(full_name, err))
 37 |     return pkg_class
 38 | 
 39 | 
 40 | def _found_target_class(module, name):
 41 |     """ Searches for a class with the specific name: it should be
 42 |     equal to capitalized $name.
 43 |     """
 44 |     members = inspect.getmembers(module, inspect.isclass)
 45 |     return [x[1] for x in members if x[0] == name.capitalize()][0]
 46 | 
 47 | 
 48 | def _guess_package_name(file_type, file_name):
 49 |     if "Bourne-Again" in file_type or "bash" in file_type:
 50 |         return "bash"
 51 |     elif "Mach-O" in file_type and "executable" in file_type:
 52 |         return "macho"
 53 |     elif "directory" in file_type and (file_name.endswith(".app") or file_name.endswith(".app/")):
 54 |         return "app"
 55 |     elif "Zip archive" in file_type and file_name.endswith(".zip"):
 56 |         return "zip"
 57 |     else:
 58 |         return None
 59 | 
 60 | 
 61 | class Package(object):
 62 |     """ Base analysis package """
 63 | 
 64 |     # Our target may touch some files; keep an eye on them
 65 |     touched_files = Set()
 66 | 
 67 |     def __init__(self, target, host, **kwargs):
 68 |         if not target or not host:
 69 |             raise Exception("Package(): `target` and `host` arguments are required")
 70 | 
 71 |         self.host = host
 72 |         self.target = target
 73 |         # Any analysis options?
 74 |         self.options = kwargs.get("options", {})
 75 |         # A timeout for analysis
 76 |         self.timeout = kwargs.get("timeout", None)
 77 |         # Command-line arguments for the target.
 78 |         self.args = self.options.get("args", [])
 79 |         # Choose an analysis method (or fallback to apicalls)
 80 |         self.method = self.options.get("method", "apicalls")
 81 |         # Should our target be launched as root or not
 82 |         self.run_as_root = _string_to_bool(self.options.get("run_as_root", "False"))
 83 | 
 84 |     def prepare(self):
 85 |         """ Preparation routine. Do anything you want here. """
 86 |         pass
 87 | 
 88 |     def start(self):
 89 |         """ Runs an analysis process.
 90 |         This function is a generator.
 91 |         """
 92 |         self.prepare()
 93 | 
 94 |         if self.method == "apicalls":
 95 |             self.apicalls_analysis()
 96 |         else:
 97 |             raise Exception("Unsupported analysis method. Try `apicalls`.")
 98 | 
 99 |     def apicalls_analysis(self):
100 |         kwargs = {
101 |             'args': self.args,
102 |             'timeout': self.timeout,
103 |             'run_as_root': self.run_as_root
104 |         }
105 |         for call in apicalls(self.target, **kwargs):
106 |             # Send this API to Cuckoo host
107 |             self.host.send_api(call)
108 |             # Handle file IO APIs
109 |             self.handle_files(call)
110 | 
111 |     def handle_files(self, call):
112 |         """ Remember what files our target has been working with during the analysis"""
113 |         def makeabs(filepath):
114 |             # Is it a relative path? Suppose it's relative to our dtrace working directory
115 |             if not path.isfile(filepath):
116 |                 filepath = path.join(path.dirname(__file__), "..", "dtrace", filepath)
117 |             return filepath
118 |         if call.api in ["fopen", "freopen", "open"]:
119 |             self.open_file(makeabs(call.args[0]))
120 |         if call.api in ["rename"]:
121 |             self.move_file(makeabs(call.args[0]), makeabs(call.args[1]))
122 |         if call.api in ["copyfile"]:
123 |             self.copy_file(makeabs(call.args[0]), makeabs(call.args[1]))
124 |         if call.api in ["remove", "unlink"]:
125 |             self.remove_file(makeabs(call.args[0]))
126 | 
127 |     def open_file(self, filepath):
128 |         self.touched_files.add(filepath)
129 | 
130 |     def move_file(self, frompath, topath):
131 |         # Remove old reference if needed
132 |         if frompath in self.touched_files:
133 |             self.touched_files.remove(frompath)
134 |         self.touched_files.add(topath)
135 | 
136 |     def copy_file(self, frompath, topath):
137 |         # Add both files to the watch list
138 |         self.touched_files.update([frompath, topath])
139 | 
140 |     def remove_file(self, filepath):
141 |         # TODO(rodionovd): we're actually unable to dump this file
142 |         # because well, it was removed
143 |         self.touched_files.add(filepath)
144 | 
145 | def _string_to_bool(raw):
146 |     if not isinstance(raw, basestring):
147 |         raise Exception("Unexpected input: not a string :/")
148 |     return raw.lower() in ("yes", "true", "t", "1")
149 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/dtrace/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rodionovd/cuckoo-osx-analyzer/fabbbe86e59bc39f9054d4ed35299d5f6a1f2b01/analyzer/darwin/lib/dtrace/__init__.py


--------------------------------------------------------------------------------
/analyzer/darwin/lib/dtrace/apicalls.d:
--------------------------------------------------------------------------------
 1 | #pragma D option destructive
 2 | #pragma D option quiet
 3 | #pragma D option switchrate=10hz
 4 | /* apicalls.d
 5 |  *
 6 |  * Copyright (C) 2015 Dmitry Rodionov
 7 |  * This software may be modified and distributed under the terms
 8 |  * of the MIT license. See the LICENSE file for details.
 9 |  *
10 |  * This script prints results in JSON format, each log entry is a dictionary:
11 |  * {
12 |  *     api         : string,            // e.g. "fprintf"
13 |  *     args        : array,             // e.g. [1489124712123, "Hello\n!"]
14 |  *     retval      : string OR integer, // e.g. "kkk"
15 |  *     timestamp   : integer,           // e.g. 1433765405
16 |  *     pid         : integer,           // e.g. 9213
17 |  *     ppid        : integer,           // e.g. 9210
18 |  *     tid         : integer,           // e.g. 269040
19 |  *     errno       : integer            // e.g. 22
20 |  * }
21 |  *
22 |  */
23 | #define SCRIPT_NAME "apicalls.d"
24 | 
25 | #ifndef ANALYSIS_TIMEOUT
26 |     #define ANALYSIS_TIMEOUT (-1)
27 | #endif
28 | 
29 | dtrace:::BEGIN
30 | {
31 |     countdown = ANALYSIS_TIMEOUT;
32 | 
33 |     self->deeplevel = 0;
34 |     self->arg0  = (int64_t)0;
35 |     self->arg1  = (int64_t)0;
36 |     self->arg2  = (int64_t)0;
37 |     self->arg3  = (int64_t)0;
38 |     self->arg4  = (int64_t)0;
39 |     self->arg5  = (int64_t)0;
40 |     self->arg6  = (int64_t)0;
41 |     self->arg7  = (int64_t)0;
42 |     self->arg8  = (int64_t)0;
43 |     self->arg9  = (int64_t)0;
44 |     self->arg10 = (int64_t)0;
45 |     self->arg11 = (int64_t)0;
46 | }
47 | 
48 | profile:::tick-1sec
49 | / countdown > 0 /
50 | {
51 |     --countdown;
52 | }
53 | 
54 | profile:::tick-1sec
55 | / countdown == 0 /
56 | {
57 |     exit(0);
58 | }
59 | 
60 | #pragma mark - Following children
61 | #include "follow_children.d"
62 | 
63 | /* We may use `sudo -u` to drop (root) privileges before running a target.
64 |  * If this were the case, we wouldn't care about API calls of sudo itself, thus
65 |  * no probes.
66 |  */
67 | #ifndef SUDO
68 | 
69 | /* ******* **************************** ******* */
70 | self int64_t arguments_stack[unsigned long, string];
71 | self deeplevel;
72 | /* ******* **************************** ******* */
73 | 
74 | #pragma mark - Probes
75 | #include "probes.d"
76 | 
77 | /* exec* probes are special: they don't return on success; so catch them early */
78 | pid$target::execve:entry
79 | {
80 |     this->retval = 0;
81 |     this->timestamp_ms = walltimestamp/1000000;
82 | 
83 |     printf("{\"api\":\"%s\", \"args\":[\"%S\", %llu, %llu], \"retval\":%d, \"timestamp\":%lld, \"pid\":%d, \"ppid\":%d, \"tid\":%d, \"errno\":%d}\n",
84 |         probefunc,
85 |         arg0 != (int64_t)NULL ? copyinstr(arg0) : "<NULL>", (unsigned long long)arg1, (unsigned long long)arg2,
86 |         (int)this->retval,
87 |         (int64_t)this->timestamp_ms, pid, ppid, tid, errno);
88 | }
89 | 
90 | #endif /* not SUDO */
91 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/dtrace/apicalls.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Copyright (C) 2015 Dmitry Rodionov
  3 | # This software may be modified and distributed under the terms
  4 | # of the MIT license. See the LICENSE file for details.
  5 | 
  6 | import os
  7 | import json
  8 | from getpass import getuser
  9 | from subprocess import Popen
 10 | from collections import namedtuple
 11 | from tempfile import NamedTemporaryFile
 12 | 
 13 | from autoprobes import generate_probes
 14 | from common import sanitize_path, path_for_script, filelines, current_directory
 15 | 
 16 | apicall = namedtuple("apicall", "api args retval timestamp pid ppid tid errno")
 17 | 
 18 | 
 19 | def apicalls(target, **kwargs):
 20 |     """
 21 |     """
 22 |     if not target:
 23 |         raise Exception("Invalid target for apicalls()")
 24 | 
 25 |     output_file = NamedTemporaryFile()
 26 |     kwargs.update({"output_file" : output_file})
 27 |     cmd = _dtrace_command_line(target, **kwargs)
 28 | 
 29 |     # Generate dtrace probes for analysis
 30 |     definitions = os.path.abspath(os.path.join(__file__, "../../core/data/signatures.yml"))
 31 |     probes_file = os.path.join(os.path.dirname(os.path.abspath(__file__)), "probes.d")
 32 |     generate_probes(definitions, probes_file, overwrite=True)
 33 | 
 34 |     # The dtrace script will take care of timeout itself, so we just launch
 35 |     # it asynchronously
 36 |     with open(os.devnull, "w") as null:
 37 |         _ = Popen(cmd, stdout=null, stderr=null, cwd=current_directory())
 38 | 
 39 |     for entry in filelines(output_file):
 40 |         value = entry.strip()
 41 |         if "## apicalls.d done ##" in value:
 42 |             break
 43 |         if len(value) == 0:
 44 |             continue
 45 |         yield _parse_entry(value)
 46 |     output_file.close()
 47 |     os.remove(probes_file)
 48 | 
 49 | 
 50 | def _dtrace_command_line(target, **kwargs):
 51 |     # dtrace must be run as root on OS X
 52 |     cmd = ["sudo", "/usr/sbin/dtrace"]
 53 |     # Use -C for running clang's C preprocessor over the script
 54 |     cmd += ["-C"]
 55 |     # Use -I for adding a current directory to the search path for #includes
 56 |     cmd += ["-I./"]
 57 |     # Use -Z to allow probe descriptions that match zero probes in a target
 58 |     cmd += ["-Z"]
 59 |     cmd += ["-DANALYSIS_TIMEOUT=%d" % kwargs.get("timeout", -1)]
 60 |     cmd += ["-s", path_for_script("apicalls.d")]
 61 |     cmd += ["-DTOPLEVELSCRIPT=1"]
 62 |     output_file = kwargs["output_file"]
 63 |     cmd += ["-o", output_file.name]
 64 |     cmd += ["-DOUTPUT_FILE=\"%s\"" % output_file.name]
 65 | 
 66 |     run_as_root = kwargs.get("run_as_root", False)
 67 | 
 68 |     if "args" in kwargs:
 69 |         target_cmd = "%s %s" % (sanitize_path(target), " ".join(kwargs["args"]))
 70 |     else:
 71 |         target_cmd = sanitize_path(target)
 72 |     # When we don't want to run the target as root, we have to drop privileges
 73 |     # with `sudo -u current_user` right before calling the target.
 74 |     if not run_as_root:
 75 |         target_cmd = "sudo -u %s %s" % (getuser(), target_cmd)
 76 |         cmd += ["-DSUDO=1"]
 77 |     cmd += ["-c", target_cmd]
 78 |     return cmd
 79 | 
 80 | 
 81 | def _parse_entry(entry):
 82 |     parsed = json.loads(entry.replace("\\0", ""))
 83 |     api       = parsed['api']
 84 |     args      = _stringify_args(parsed['args'])
 85 |     retval    = parsed['retval']
 86 |     # Convert milliseconds to floating point seconds
 87 |     timestamp = float(parsed['timestamp']) / 1000
 88 |     pid       = parsed['pid']
 89 |     ppid      = parsed['ppid']
 90 |     tid       = parsed['tid']
 91 |     errno     = parsed['errno']
 92 |     return apicall(api, args, retval, timestamp, pid, ppid, tid, errno)
 93 | 
 94 | 
 95 | def _stringify_args(args):
 96 |     """ Converts each argument into a string.
 97 |     In case of integers, it's a hex string. Other types are converted with str() """
 98 |     new_args = []
 99 |     for item in args:
100 |         if isinstance(item, (int, long)):
101 |             new_args.append("%#lx" % item)
102 |         else:
103 |             new_args.append(str(item))
104 |     return new_args
105 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/dtrace/autoprobes.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Copyright (C) 2015 Dmitry Rodionov
  3 | # This software may be modified and distributed under the terms
  4 | # of the MIT license. See the LICENSE file for details.
  5 | 
  6 | import yaml
  7 | from os import path
  8 | from string import Template
  9 | from sets import Set
 10 | 
 11 | def generate_probes(definitions, output_path, overwrite=True):
 12 |     """ TBD """
 13 |     if not overwrite and path.isfile(output_path):
 14 |         pass
 15 |     if isinstance(definitions, list):
 16 |         defs = definitions
 17 |     else:
 18 |         defs = read_definitions(definitions)
 19 | 
 20 |     types = read_types(path.abspath(path.join(__file__, "../../core/data/types.yml")))
 21 |     # Generate the .d script contents: with headers, type definitions and probes
 22 |     contents = [HEADER] + typedefs_for_custom_structs(defs, types)
 23 |     contents += [probe_from_definition(x, types) for x in defs]
 24 |     # and write it to an output file
 25 |     dump_probes(contents, output_path)
 26 | 
 27 | # FILE IO
 28 | 
 29 | def read_definitions(fromfile):
 30 |     """ Read API signatures from a file. """
 31 |     with open(fromfile, "r") as stream:
 32 |         contents = yaml.safe_load(stream)
 33 |         # Now convert the root dictionary to an array of dictionaries where
 34 |         # original keys become values for the "api" key.
 35 |         return [dict({'api': k}, **v) for k, v in contents.iteritems()]
 36 | 
 37 | def read_types(infile):
 38 |     """ Reads types definitions from a file. """
 39 |     with open(infile, "r") as stream:
 40 |         return yaml.safe_load(stream)
 41 | 
 42 | def dump_probes(probes, tofile):
 43 |     """ Writes the given list of dtrace probes to a file. If the file
 44 |     already exists, it's truncated."""
 45 |     with open(tofile, "w") as stream:
 46 |         stream.writelines(probes)
 47 | 
 48 | # GENERATION
 49 | 
 50 | def probe_from_definition(definition, types):
 51 |     """ Maps the given API definition to an actual dtrace probe(s). """
 52 |     if definition.get('__ignore__', False):
 53 |         return ""
 54 |     # We only need entry probes to save arguments
 55 |     elif len(definition['args']) == 0:
 56 |         return return_probe_from_definition(definition, types)
 57 |     else:
 58 |         entry_probe  = entry_probe_from_definition(definition)
 59 |         return_probe = return_probe_from_definition(definition, types)
 60 |         return entry_probe + return_probe
 61 | 
 62 | def entry_probe_from_definition(df):
 63 |     """ Generates an entry dtrace probe from the given API definition. """
 64 |     template = Template(ENTRY_PROBE_TEMPLATE)
 65 |     mapping = {
 66 |         "__LIBRARY__": df.get("library", ""),
 67 |         "__NAME__"   : df["api"],
 68 |         "__ARGUMENTS_PUSH_ON_STACK__": push_on_stack_section(df["args"])
 69 |     }
 70 |     return template.substitute(mapping)
 71 | 
 72 | def return_probe_from_definition(df, types):
 73 |     """ Generates a return dtrace probe from the given API definition. """
 74 |     args = df["args"]
 75 |     retval_type = df["retval_type"]
 76 |     printf_specifier = type_description(retval_type, types)["printf_specifier"]
 77 | 
 78 |     template = Template(RETURN_PROBE_TEMPLATE)
 79 |     mapping = {
 80 |         "__LIBRARY__": df.get("library", ""),
 81 |         "__NAME__"   : df["api"],
 82 |         "__ARGS_FORMAT_STRING__"      : arguments_format_string(args, types),
 83 |         "__RETVAL_FORMAT_SPECIFIER__" : printf_specifier,
 84 |         "__ARGUMENTS__"               : arguments_section(args, types),
 85 |         "__RETVAL__"                  : retval_section(retval_type, types),
 86 |         "__ARGUMENTS_POP_FROM_STACK__": pop_from_stack_section(args)
 87 |     }
 88 |     return template.substitute(mapping)
 89 | 
 90 | def typedefs_for_custom_structs(defs, types):
 91 |     """ Returns a list of typedef statements for custom structures
 92 |     defined in `types.yml`."""
 93 |     def deep_search_types(parent, types):
 94 |         result = Set()
 95 |         for t in parent:
 96 |             description = type_description(t, types)
 97 |             if "struct" in description:
 98 |                 result |= deep_search_types(description["struct"].values(), types)
 99 |             result.add(dereference_type(t))
100 |         return result
101 |     # We will only generate typedefs for struct that are actually in use
102 |     obviously_used_types = [x["type"] for x in flatten([y["args"] for y in defs])]
103 |     all_used_types = deep_search_types(obviously_used_types, types)
104 | 
105 |     struct_types = {
106 |         k:v for (k, v) in types.iteritems() if "struct" in v and k in all_used_types
107 |     }
108 |     typedefs = []
109 |     for (name, description) in struct_types.iteritems():
110 |         fields = []
111 |         for (f, t) in description["struct"].iteritems():
112 |             fields.append("%s %s;" % (t, f))
113 |         template = "typedef struct {\n\t%s\n} %s;\n\n"
114 |         typedefs.append(template % ("\n\t".join(fields), name))
115 |     return typedefs
116 | 
117 | # -----------------------------------------------------------------------
118 | 
119 | def arguments_section(args, types):
120 |     """ Returns a serialization statement for accessing values of
121 |     the given arguments. """
122 |     if len(args) == 0:
123 |         return ""
124 |     def serialize_arg(idx):
125 |         return serialize_argument_at_idx(idx, args, "self->arg%d" % idx, types)
126 |     parts = [serialize_arg(i) for i in xrange(len(args))]
127 |     return "\n\t\t" + ", ".join(parts) + ","
128 | 
129 | def arguments_format_string(args, types):
130 |     """ Returns a format string for printing the given arguments
131 |     with printf(). """
132 |     if len(args) == 0:
133 |         return ""
134 |     parts = [printf_format_for_type(x["type"], types) for x in args]
135 |     return ", ".join(parts)
136 | 
137 | def retval_section(retval_type, types):
138 |     """ Returns a serialization stetement for a return value of
139 |     the given type. """
140 |     return serialize_type(retval_type, "this->retval", types)
141 | 
142 | # -------------------------------
143 | 
144 | def printf_format_for_type(t, types):
145 |     """ Returns a format string for printing the given type
146 |     (either atomic or struct). """
147 |     description = type_description(t, types)
148 |     if "struct" in description:
149 |         specifer = printf_format_for_struct(t, types)
150 |     else:
151 |         specifer = description["printf_specifier"]
152 |     return specifer.replace("\"", "\\\"")
153 | 
154 | def printf_format_for_struct(t, types):
155 |     """ Returns a format string for printing the given struct type. """
156 |     fields = []
157 |     for (name, argtype) in type_description(t, types)["struct"].items():
158 |         printf_specifier = type_description(argtype, types).get("printf_specifier", None)
159 |         if printf_specifier != None:
160 |             fields.append("\""+name +"\"" + " : " + printf_specifier)
161 |         else:
162 |             # Yay, recursion!
163 |             struct_format = printf_format_for_struct(argtype, types)
164 |             fields.append("\""+name +"\"" + " : " + struct_format)
165 |     return "{%s}" % ", ".join(fields)
166 | 
167 | def serialize_argument_at_idx(idx, all_args, accessor, types):
168 |     """ For an argument at the given index, returns a serialization
169 |     statement for it's value. """
170 |     type_name = all_args[idx]["type"]
171 |     return serialize_type(type_name, accessor, types)
172 | 
173 | def serialize_type(name, accessor, types):
174 |     """ Returns a serialization statement for the given type. """
175 |     name = name.strip()
176 |     description = type_description(name, types)
177 |     if "struct" in description:
178 |         return serialize_struct_type(name, accessor, types)
179 |     elif "template" in description:
180 |         return serialize_type_with_template(name, accessor, types)
181 |     else:
182 |         cast = description.get("cast", dereference_type(name))
183 |         return serialize_atomic_type(name, cast, accessor)
184 | 
185 | def serialize_atomic_type(argtype, cast, accessor):
186 |     """ Returns a serialization statement for the given atomic type.
187 |     In case of pointers, values they're referencing will be used instead
188 |     (see `dereference_type()` for exceptions). """
189 |     # Do we need to dereference this argument and copy it to the userspace?
190 |     if dereference_type(argtype) == argtype:
191 |         # Nope: it's a value type
192 |         return "(%s)(%s)" % (cast, accessor)
193 |     else:
194 |         # Yep: it's a reference type
195 |         real_type = dereference_type(argtype)
196 |         t = (accessor, cast, real_type, accessor, real_type)
197 |         return "!!(%s) ? (%s)0 : *(%s *)copyin((uint64_t)%s, sizeof(%s))" % t
198 | 
199 | def serialize_struct_type(struct_type, accessor, types):
200 |     """ Returns a serialization statement for the given structure type. """
201 |     fields = []
202 |     if struct_type == dereference_type(struct_type):
203 |         memeber_operator = "."
204 |     else:
205 |         memeber_operator = "->"
206 |     structure = type_description(struct_type, types)["struct"]
207 |     for (field_name, field_type) in structure.iteritems():
208 |         fields.append(serialize_type(
209 |             field_type,
210 |             "((%s)(%s))" % (struct_type, accessor) + memeber_operator + field_name,
211 |             types
212 |         ))
213 |     return ", ".join(fields)
214 | 
215 | def serialize_type_with_template(oftype, accessor, types):
216 |     """ Returns a serialization template for the given type
217 |     with all placeholders replaced with the actual values. """
218 |     template = Template(type_description(oftype, types)["template"])
219 |     mapping = {"ARG" : accessor}
220 |     # TODO(rodionovd): add support for buffers (ARG_SIZE)
221 |     return template.substitute(mapping)
222 | 
223 | # -------------------------------
224 | 
225 | def dereference_type(t):
226 |     """ Removes everything after the last star character in a type string,
227 |     except for 'void *' and 'char *`. """
228 |     if t.strip() in ["void *", "char *"]:
229 |         return t.strip()
230 |     try:
231 |         return t[:t.rindex("*")].strip()
232 |     except:
233 |         return t.strip()
234 | 
235 | def type_description(name, types):
236 |     """ Returns a dictionary description the given type. See `types.yml`
237 |     for more information about keys and values there. """
238 |     return types[dereference_type(name)]
239 | 
240 | # -----------------------------------------------------------------------
241 | 
242 | def push_on_stack_section(args):
243 |     """ Composes a "push arguments on stack" section of
244 |     an entry PID dtrace probe. """
245 |     if len(args) == 0:
246 |         return ""
247 |     parts = ["self->deeplevel++;"]
248 |     for idx in xrange(len(args)):
249 |         parts.append('self->arguments_stack[self->deeplevel, "arg%d"] = self->arg%d;' % (idx, idx))
250 |         parts.append("self->arg%d = arg%d;" % (idx, idx))
251 |     return "\n\t".join(parts)
252 | 
253 | 
254 | def pop_from_stack_section(args):
255 |     """ Composes a "pop arguments from stack" section of
256 |     a return PID dtrace probe. """
257 |     if len(args) == 0:
258 |         return ""
259 |     parts = []
260 |     for idx in xrange(len(args)):
261 |         parts.append("""self->arg%d = self->arguments_stack[self->deeplevel, \"arg%d\"];
262 | \tself->arguments_stack[self->deeplevel, \"arg%d\"] = 0;""" % (idx, idx, idx))
263 |     parts.append("--self->deeplevel;")
264 |     return "\n\t" + "\n\t".join(parts)
265 | 
266 | 
267 | def flatten(list_of_lists):
268 |     return sum(list_of_lists, [])
269 | 
270 | ENTRY_PROBE_TEMPLATE = """pid$$target:${__LIBRARY__}:${__NAME__}:entry
271 | {
272 | \t${__ARGUMENTS_PUSH_ON_STACK__}
273 | }\n"""
274 | 
275 | RETURN_PROBE_TEMPLATE = """pid$$target:${__LIBRARY__}:${__NAME__}:return
276 | {
277 | \tthis->retval = arg1;
278 | \tthis->timestamp_ms = walltimestamp/1000000;
279 | \tprintf("{\\\"api\\\":\\\"%s\\\", \\\"args\\\":[${__ARGS_FORMAT_STRING__}], \\\"retval\\\":${__RETVAL_FORMAT_SPECIFIER__}, \\\"timestamp\\\":%lld, \\\"pid\\\":%d, \\\"ppid\\\":%d, \\\"tid\\":%d, \\\"errno\\\":%d}\\n",
280 | \t\tprobefunc,${__ARGUMENTS__}
281 | \t\t${__RETVAL__},
282 | \t\t(int64_t)this->timestamp_ms, pid, ppid, tid, errno);${__ARGUMENTS_POP_FROM_STACK__}
283 | }\n"""
284 | 
285 | HEADER = """/* For some reason either dtrace or clang preprocessor refuses to identify standard
286 |  * C integer types like int64_t or uint8_t. Thus we must include stdint.h with the
287 |  * following patches.
288 |  */
289 | /* (1) fix sys/_types/_int8_t.h */
290 | #define __signed signed
291 | /* (2) cdefs.h throws "Unsupported compiler detected" warning, ignore it */
292 | #pragma clang diagnostic push
293 | #pragma clang diagnostic ignored "-W#warnings"
294 | #include <stdint.h>
295 | #include <stddef.h>
296 | #pragma clang diagnostic pop
297 | \n
298 | """
299 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/dtrace/common.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # Copyright (C) 2015 Dmitry Rodionov
 3 | # This software may be modified and distributed under the terms
 4 | # of the MIT license. See the LICENSE file for details.
 5 | 
 6 | from os import path
 7 | from time import sleep
 8 | 
 9 | def sanitize_path(raw_path):
10 |     """ Replace spaces with backslashes+spaces """
11 |     return raw_path.replace(" ", "\\ ")
12 | 
13 | def path_for_script(script):
14 |     """ Return the full path for the given script """
15 |     return path.join(current_directory(), script)
16 | 
17 | def current_directory():
18 |     return path.dirname(path.abspath(__file__))
19 | 
20 | def filelines(source_file):
21 |     """ A generator that returns lines of the file.
22 |     If there're no new lines it waits until the file is updated.
23 |     """
24 |     # Go to the end of the file
25 |     source_file.seek(0, 2)
26 |     while True:
27 |         line = source_file.readline()
28 |         if not line:
29 |             # Sleep briefly
30 |             sleep(0.1)
31 |             continue
32 |         yield line
33 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/dtrace/dtruss.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Copyright (C) 2015 Dmitry Rodionov
  3 | # This software may be modified and distributed under the terms
  4 | # of the MIT license. See the LICENSE file for details.
  5 | 
  6 | import os
  7 | import json
  8 | from getpass import getuser
  9 | from time import sleep
 10 | from sys import argv
 11 | from collections import namedtuple
 12 | from subprocess import Popen
 13 | from tempfile import NamedTemporaryFile
 14 | 
 15 | from common import *
 16 | 
 17 | syscall = namedtuple("syscall", "name args result errno timestamp pid")
 18 | 
 19 | 
 20 | def dtruss(target, **kwargs):
 21 |     """Returns a list of syscalls made by a target.
 22 | 
 23 |     Every syscall is a named tuple with the following properties:
 24 |     name (string), args (list), result (int), errno (int),
 25 |     timestamp(int) and pid(int).
 26 |     """
 27 | 
 28 |     if not target:
 29 |         raise Exception("Invalid target for dtruss()")
 30 | 
 31 |     output_file = NamedTemporaryFile()
 32 | 
 33 |     cmd = ["/bin/bash", path_for_script("dtruss.sh"), "-W", output_file.name, "-f"]
 34 |     # Add timeout
 35 |     if ("timeout" in kwargs) and (kwargs["timeout"] is not None):
 36 |         cmd += ["-K", str(kwargs["timeout"])]
 37 |     # Watch for a specific syscall only
 38 |     if "syscall" in kwargs:
 39 |         watch_specific_syscall = True
 40 |         cmd += ["-t", kwargs["syscall"]]
 41 |     else:
 42 |         watch_specific_syscall = False
 43 | 
 44 |     if "run_as_root" in kwargs:
 45 |         run_as_root = kwargs["run_as_root"]
 46 |     else:
 47 |         run_as_root = False
 48 | 
 49 |     # When we don't want to run the target as root, we have to drop privileges
 50 |     # with `sudo -u current_user` right before calling the target.
 51 |     if not run_as_root:
 52 |         cmd += ["sudo", "-u", getuser()]
 53 |     # Add target path
 54 |     cmd += [sanitize_path(target)]
 55 |     # Arguments for the target
 56 |     if "args" in kwargs:
 57 |         cmd += kwargs["args"]
 58 | 
 59 |     # The dtrace script will take care of timeout itself, so we just launch
 60 |     # it asynchronously
 61 |     with open(os.devnull, "w") as f:
 62 |         handle = Popen(cmd, stdout=f, stderr=f)
 63 | 
 64 |     # If we use `sudo -u` for dropping root privileges, we also have to
 65 |     # exclude it's output from the results
 66 |     sudo_pid = None
 67 | 
 68 |     for entry in filelines(output_file):
 69 |         if "## dtruss.sh done ##" in entry.strip():
 70 |             break
 71 |         syscall = _parse_syscall(entry.strip())
 72 |         if syscall is None:
 73 |             continue
 74 | 
 75 |         # sudo's syscalls will be the first ones, so remember its pid
 76 |         if not run_as_root and sudo_pid is None and not watch_specific_syscall:
 77 |             sudo_pid = syscall.pid
 78 |         elif syscall.pid != sudo_pid:
 79 |             yield syscall
 80 | 
 81 |     output_file.close()
 82 | 
 83 | 
 84 | #
 85 | # Parsing implementation details
 86 | #
 87 | 
 88 | def _parse_syscall(string):
 89 |     string = string.replace("\\0", "")
 90 |     try:
 91 |         parsed = json.loads(string)
 92 |     except:
 93 |         return None
 94 | 
 95 |     name = parsed["syscall"]
 96 |     args = parsed["args"]
 97 |     result = parsed["retval"]
 98 |     errno = parsed["errno"]
 99 |     pid = parsed["pid"]
100 |     timestamp = parsed["timestamp"]
101 | 
102 |     return syscall(name=name, args=args, result=result, errno=errno, pid=pid,
103 |                    timestamp=timestamp)
104 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/dtrace/dtruss.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | # #!/usr/bin/sh
  3 | #
  4 | # dtruss - print process system call time details.
  5 | #          Written using DTrace (Solaris 10 3/05).
  6 | #
  7 | # 17-Jun-2005, ver 0.80         (check for newer versions)
  8 | #
  9 | # USAGE: dtruss [-acdeflhoLs] [-t syscall] { -p PID | -n name | command }
 10 | #
 11 | #          -p PID          # examine this PID
 12 | #          -n name         # examine this process name
 13 | #          -t syscall      # examine this syscall only
 14 | #          -a              # print all details
 15 | #          -c              # print system call counts
 16 | #          -d              # print relative timestamps (us)
 17 | #          -e              # print elapsed times (us)
 18 | #          -f              # follow children as they are forked
 19 | #          -l              # force printing of pid/lwpid per line
 20 | #          -o              # print on cpu times (us)
 21 | #          -s              # print stack backtraces
 22 | #          -L              # don't print pid/lwpid per line
 23 | #          -b bufsize      # dynamic variable buf size (default is "4m")
 24 | #          -K timeout      # timeout of analysis
 25 | #          -W file         # redirect all output to a specified file
 26 | #  eg,
 27 | #       dtruss df -h       # run and examine the "df -h" command
 28 | #       dtruss -p 1871     # examine PID 1871
 29 | #       dtruss -n tar      # examine all processes called "tar"
 30 | #       dtruss -f test.sh  # run test.sh and follow children
 31 | #
 32 | # The elapsed times are interesting, to help identify syscalls that take
 33 | #  some time to complete (during which the process may have context
 34 | #  switched off the CPU).
 35 | #
 36 | # SEE ALSO: procsystime    # DTraceToolkit
 37 | #           dapptrace      # DTraceToolkit
 38 | #           truss
 39 | #
 40 | # COPYRIGHT: Copyright (c) 2005 Brendan Gregg.
 41 | #
 42 | # CDDL HEADER START
 43 | #
 44 | #  The contents of this file are subject to the terms of the
 45 | #  Common Development and Distribution License, Version 1.0 only
 46 | #  (the "License").  You may not use this file except in compliance
 47 | #  with the License.
 48 | #
 49 | #  You can obtain a copy of the license at Docs/cddl1.txt
 50 | #  or http://www.opensolaris.org/os/licensing.
 51 | #  See the License for the specific language governing permissions
 52 | #  and limitations under the License.
 53 | #
 54 | # CDDL HEADER END
 55 | #
 56 | # Author: Brendan Gregg  [Sydney, Australia]
 57 | #
 58 | # TODO: Track signals, more output formatting.
 59 | #
 60 | # 29-Apr-2005   Brendan Gregg   Created this.
 61 | # 09-May-2005      "      " 	Fixed evaltime (thanks Adam L.)
 62 | # 16-May-2005	   "      "	Added -t syscall tracing.
 63 | # 17-Jun-2005	   "      "	Added -s stack backtraces.
 64 | #
 65 | 
 66 | 
 67 | ##############################
 68 | # --- Process Arguments ---
 69 | #
 70 | 
 71 | ### Default variables
 72 | opt_pid=0; opt_name=0; pid=0; pname="."
 73 | opt_elapsed=0; opt_cpu=0; opt_counts=0;
 74 | opt_relative=0; opt_printid=0; opt_follow=0
 75 | opt_command=0; command=""; opt_buf=0; buf="4m"
 76 | opt_trace=0; trace="."; opt_stack=0;
 77 | opt_timeout=0; timeout=-1; output_file="/dev/stderr"
 78 | 
 79 | ### Process options
 80 | while getopts ab:cdefhln:op:st:K:W:L name
 81 | do
 82 |         case $name in
 83 | 	b)	opt_buf=1; buf=$OPTARG ;;
 84 |         p)      opt_pid=1; pid=$OPTARG ;;
 85 |         n)      opt_name=1; pname=$OPTARG ;;
 86 |         t)      opt_trace=1; trace=$OPTARG ;;
 87 | 	a)	opt_counts=1; opt_relative=1; opt_elapsed=1; opt_follow=1
 88 | 		opt_printid=1; opt_cpu=1 ;;
 89 | 	c)	opt_counts=1 ;;
 90 | 	d)	opt_relative=1 ;;
 91 | 	e)	opt_elapsed=1 ;;
 92 | 	f)	opt_follow=1 ;;
 93 | 	l)	opt_printid=1 ;;
 94 | 	o)	opt_cpu=1 ;;
 95 | 	L)	opt_printid=-1 ;;
 96 | 	s)	opt_stack=-1 ;;
 97 |     K)  opt_timeout=1; timeout=$OPTARG ;;
 98 |     W)  output_file=$OPTARG ;;
 99 |         h|?)    cat <<-END >&2
100 | 		USAGE: dtruss [-acdefholLs] [-t syscall] { -p PID | -n name | command }
101 | 
102 | 		          -p PID          # examine this PID
103 | 		          -n name         # examine this process name
104 | 		          -t syscall      # examine this syscall only
105 | 		          -a              # print all details
106 | 		          -c              # print syscall counts
107 | 		          -d              # print relative times (us)
108 | 		          -e              # print elapsed times (us)
109 | 		          -f              # follow children
110 | 		          -l              # force printing pid/lwpid
111 | 		          -o              # print on cpu times
112 | 		          -s              # print stack backtraces
113 | 		          -L              # don't print pid/lwpid
114 | 		          -b bufsize      # dynamic variable buf size
115 | 		   eg,
116 | 		       dtruss df -h       # run and examine "df -h"
117 | 		       dtruss -p 1871     # examine PID 1871
118 | 		       dtruss -n tar      # examine all processes called "tar"
119 | 		       dtruss -f test.sh  # run test.sh and follow children
120 | 		END
121 | 		exit 1
122 |         esac
123 | done
124 | shift `expr $OPTIND - 1`
125 | 
126 | ### Option logic
127 | if [ $opt_pid -eq 0 -a $opt_name -eq 0 ]; then
128 | 	opt_command=1
129 | 	if [ "$*" = "" ]; then
130 | 		$0 -h
131 | 		exit
132 | 	fi
133 | 	command="$*"	# yes, I meant $*!
134 | fi
135 | if [ $opt_follow -eq 1 -o $opt_name -eq 1 ]; then
136 | 	if [ $opt_printid -ne -1 ]; then
137 | 		opt_printid=1
138 | 	else
139 | 		opt_printid=0
140 | 	fi
141 | fi
142 | 
143 | ### Option translation
144 | ## if [ "$trace" = "exec" ]; then trace="exece"; fi
145 | if [ "$trace" = "exec" ]; then trace="execve"; fi
146 | 
147 | 
148 | #################################
149 | # --- Main Program, DTrace ---
150 | #
151 | 
152 | ### Define D Script
153 | dtrace='
154 |  #pragma D option quiet
155 | 
156 |  /*
157 |   * Command line arguments
158 |   */
159 |  inline int OPT_command   = '$opt_command';
160 |  inline int OPT_follow    = '$opt_follow';
161 |  inline int OPT_printid   = '$opt_printid';
162 |  inline int OPT_relative  = '$opt_relative';
163 |  inline int OPT_elapsed   = '$opt_elapsed';
164 |  inline int OPT_cpu       = '$opt_cpu';
165 |  inline int OPT_counts    = '$opt_counts';
166 |  inline int OPT_pid       = '$opt_pid';
167 |  inline int OPT_name      = '$opt_name';
168 |  inline int OPT_trace     = '$opt_trace';
169 |  inline int OPT_stack     = '$opt_stack';
170 |  inline int OPT_timeout   = '$opt_timeout';
171 |  inline int PID           = '$pid';
172 |  inline string NAME       = "'$pname'";
173 |  inline string TRACE      = "'$trace'";
174 | 
175 |  dtrace:::BEGIN
176 |  {
177 | 	/* print header */
178 | 	/* OPT_printid  ? printf("%-8s  ","PID/LWP") : 1; */
179 | 	/*OPT_printid  ? printf("\t%-8s  ","PID/THRD") : 1;
180 | 	OPT_relative ? printf("%8s ","RELATIVE") : 1;
181 | 	OPT_elapsed  ? printf("%7s ","ELAPSD") : 1;
182 | 	OPT_cpu      ? printf("%6s ","CPU") : 1;*/
183 | 	/*printf("SYSCALL(args) \t\t = return\n");*/
184 | 
185 | 	/* globals */
186 | 	trackedpid[pid] = 0;
187 | 	self->child = 0;
188 | 	this->type = 0;
189 |     TIMEOUT = '$timeout';
190 |  }
191 | 
192 |  /*
193 |   * Save syscall entry info
194 |   */
195 | 
196 |  /* MacOS X: notice first appearance of child from fork. Its parent
197 |     fires syscall::*fork:return in the ususal way (see below) */
198 |  syscall:::entry
199 |  /OPT_follow && trackedpid[ppid] == -1 && 0 == self->child/
200 |  {
201 | 	/* set as child */
202 | 	self->child = 1;
203 | 
204 | 	/* print output */
205 | 	self->code = errno == 0 ? "" : "Err#";
206 | 	/* OPT_printid  ? printf("%5d/%d:  ",pid,tid) : 1; */
207 | 	OPT_printid  ? printf("%5d/0x%x:  ",pid,tid) : 1;
208 | 	OPT_relative ? printf("%8d:  ",vtimestamp/1000) : 1;
209 | 	OPT_elapsed  ? printf("%7d:  ",0) : 1;
210 | 	OPT_cpu      ? printf("%6d ",0) : 1;
211 | 
212 |     /*
213 |     printf("%s()\t\t = %d %s%d\n","fork",
214 | 	    0,self->code,(int)errno);
215 |     */
216 | 
217 |     this->timestamp = walltimestamp / 1000000000;
218 |     printf("{\"syscall\":\"%s\", \"args\":[], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
219 |         "fork", 0, (int)errno, this->timestamp, pid);
220 |  }
221 | 
222 |  /* MacOS X: notice first appearance of child and parent from vfork */
223 |  syscall:::entry
224 |  /OPT_follow && trackedpid[ppid] > 0 && 0 == self->child/
225 |  {
226 | 	/* set as child */
227 | 	this->vforking_tid = trackedpid[ppid];
228 | 	self->child = (this->vforking_tid == tid) ? 0 : 1;
229 | 
230 | 	/* print output */
231 | 	self->code = errno == 0 ? "" : "Err#";
232 | 	/* OPT_printid  ? printf("%5d/%d:  ",pid,tid) : 1; */
233 | 	/*OPT_printid  ? printf("%5d/0x%x:  ",(this->vforking_tid == tid) ? ppid : pid,tid) : 1;
234 | 	OPT_relative ? printf("%8d:  ",vtimestamp/1000) : 1;
235 | 	OPT_elapsed  ? printf("%7d:  ",0) : 1;
236 | 	OPT_cpu      ? printf("%6d ",0) : 1;*/
237 | 
238 |     /*
239 | 	printf("%s()\t\t = %d %s%d\n","vfork",
240 | 	    (this->vforking_tid == tid) ? pid : 0,self->code,(int)errno);
241 |     */
242 | 
243 |     this->timestamp = walltimestamp / 1000000000;
244 |     printf("{\"syscall\":\"%s\", \"args\":[], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
245 |         "vfork",
246 |         (this->vforking_tid == tid) ? pid : 0,
247 |         (int)errno,
248 |         this->timestamp, pid);
249 |  }
250 | 
251 |  syscall:::entry
252 |  /(OPT_command && pid == $target) ||
253 |   (OPT_pid && pid == PID) ||
254 |   (OPT_name && NAME == strstr(NAME, execname)) ||
255 |   (OPT_name && execname == strstr(execname, NAME)) ||
256 |   (self->child)/
257 |  {
258 | 	/* set start details */
259 | 	self->start = timestamp;
260 | 	self->vstart = vtimestamp;
261 | 	self->arg0 = arg0;
262 | 	self->arg1 = arg1;
263 | 	self->arg2 = arg2;
264 | 
265 | 	/* count occurances */
266 | 	OPT_counts == 1 ? @Counts[probefunc] = count() : 1;
267 |  }
268 | 
269 | /* 5 and 6 arguments */
270 |  syscall::select:entry,
271 |  syscall::mmap:entry,
272 |  syscall::pwrite:entry,
273 |  syscall::pread:entry
274 |  /(OPT_command && pid == $target) ||
275 |   (OPT_pid && pid == PID) ||
276 |   (OPT_name && NAME == strstr(NAME, execname)) ||
277 |   (OPT_name && execname == strstr(execname, NAME)) ||
278 |   (self->child)/
279 |  {
280 | 	self->arg3 = arg3;
281 | 	self->arg4 = arg4;
282 | 	self->arg5 = arg5;
283 |  }
284 | 
285 |  /*
286 |   * Follow children
287 |   */
288 |  syscall::fork:entry
289 |  /OPT_follow && self->start/
290 |  {
291 | 	/* track this parent process */
292 | 	trackedpid[pid] = -1;
293 |  }
294 | 
295 |  syscall::vfork:entry
296 |  /OPT_follow && self->start/
297 |  {
298 | 	/* track this parent process */
299 | 	trackedpid[pid] = tid;
300 |  }
301 | 
302 |  /* syscall::rexit:entry */
303 |  syscall::exit:entry
304 |  {
305 | 	/* forget child */
306 | 	self->child = 0;
307 | 	trackedpid[pid] = 0;
308 |  }
309 | 
310 |  /*
311 |   * Check for syscall tracing
312 |   */
313 |  syscall:::entry
314 |  /OPT_trace && probefunc != TRACE/
315 |  {
316 | 	/* drop info */
317 | 	self->start = 0;
318 | 	self->vstart = 0;
319 | 	self->arg0 = 0;
320 | 	self->arg1 = 0;
321 | 	self->arg2 = 0;
322 | 	self->arg3 = 0;
323 | 	self->arg4 = 0;
324 | 	self->arg5 = 0;
325 |  }
326 | 
327 |  /*
328 |   * Print return data
329 |   */
330 | 
331 |  /*
332 |   * NOTE:
333 |   *  The following code is written in an intentionally repetetive way.
334 |   *  The first versions had no code redundancies, but performed badly during
335 |   *  benchmarking. The priority here is speed, not cleverness. I know there
336 |   *  are many obvious shortcuts to this code, Ive tried them. This style has
337 |   *  shown in benchmarks to be the fastest (fewest probes, fewest actions).
338 |   */
339 | 
340 |  /* print 3 args, return as hex */
341 |  syscall::sigprocmask:return
342 |  /self->start/
343 |  {
344 | 	/* calculate elapsed time */
345 | 	this->elapsed = timestamp - self->start;
346 | 	self->start = 0;
347 | 	this->cpu = vtimestamp - self->vstart;
348 | 	self->vstart = 0;
349 | 	self->code = errno == 0 ? "" : "Err#";
350 | 
351 | 	/* print optional fields */
352 | 	/* OPT_printid  ? printf("%5d/%d:  ",pid,tid) : 1; */
353 | 	/*OPT_printid  ? printf("%5d/0x%x:  ",pid,tid) : 1;
354 | 	OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
355 | 	OPT_elapsed  ? printf("%7d ",this->elapsed/1000) : 1;
356 | 	OPT_cpu ? printf("%6d ",this->cpu/1000) : 1;*/
357 | 
358 | 	/* print main data */
359 | 
360 |     /*
361 | 	printf("%s(0x%X, 0x%X, 0x%X)\t\t = 0x%X %s%d\n",probefunc,
362 | 	    (int)self->arg0,self->arg1,self->arg2,(int)arg0,
363 | 	    self->code,(int)errno);
364 |     */
365 | 
366 |     this->timestamp = walltimestamp / 1000000000;
367 |     printf("{\"syscall\":\"%s\", \"args\":[%u, %u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
368 |         probefunc,
369 |         (int)self->arg0, self->arg1, self->arg2,
370 |         (int)arg0,
371 |         (int)errno,
372 |         this->timestamp, pid);
373 | 
374 | 	OPT_stack ? ustack()    : 1;
375 | 	OPT_stack ? trace("\n") : 1;
376 | 	self->arg0 = 0;
377 | 	self->arg1 = 0;
378 | 	self->arg2 = 0;
379 |  }
380 | 
381 |  /* print 3 args, arg0 as a string */
382 |  syscall::execve:return,
383 |  syscall::stat:return,
384 |  syscall::stat64:return,
385 |  syscall::lstat:return,
386 |  syscall::lstat64:return,
387 |  syscall::access:return,
388 |  syscall::mkdir:return,
389 |  syscall::chdir:return,
390 |  syscall::chroot:return,
391 |  syscall::getattrlist:return, /* XXX 5 arguments */
392 |  syscall::chown:return,
393 |  syscall::lchown:return,
394 |  syscall::chflags:return,
395 |  syscall::readlink:return,
396 |  syscall::utimes:return,
397 |  syscall::pathconf:return,
398 |  syscall::truncate:return,
399 |  syscall::getxattr:return,
400 |  syscall::setxattr:return,
401 |  syscall::removexattr:return,
402 |  syscall::unlink:return,
403 |  syscall::open:return,
404 |  syscall::open_nocancel:return
405 |  /self->start/
406 |  {
407 | 	/* calculate elapsed time */
408 | 	this->elapsed = timestamp - self->start;
409 | 	self->start = 0;
410 | 	this->cpu = vtimestamp - self->vstart;
411 | 	self->vstart = 0;
412 | 	self->code = errno == 0 ? "" : "Err#";
413 | 
414 | 	/* print optional fields */
415 | 	/* OPT_printid  ? printf("%5d/%d:  ",pid,tid) : 1; */
416 | 	/*OPT_printid  ? printf("%5d/0x%x:  ",pid,tid) : 1;
417 | 	OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
418 | 	OPT_elapsed  ? printf("%7d ",this->elapsed/1000) : 1;
419 | 	OPT_cpu      ? printf("%6d ",this->cpu/1000) : 1;*/
420 | 
421 | 	/* print main data */
422 |     /*
423 | 	printf("%s(\"%S\", 0x%X, 0x%X)\t\t = %d %s%d\n",probefunc,
424 | 	    copyinstr(self->arg0),self->arg1,self->arg2,(int)arg0,
425 | 	    self->code,(int)errno);
426 |     */
427 | 
428 |     this->timestamp = walltimestamp / 1000000000;
429 |     printf("{\"syscall\":\"%s\", \"args\":[\"%S\", %u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
430 |         probefunc,
431 |         copyinstr(self->arg0), self->arg1, self->arg2,
432 |         (int)arg0,
433 |         (int)errno,
434 |         this->timestamp, pid);
435 | 
436 | 	OPT_stack ? ustack()    : 1;
437 | 	OPT_stack ? trace("\n") : 1;
438 | 	self->arg0 = 0;
439 | 	self->arg1 = 0;
440 | 	self->arg2 = 0;
441 |  }
442 | 
443 |  /* print 3 args, arg1 as a string */
444 |  syscall::write:return,
445 |  syscall::write_nocancel:return,
446 |  syscall::read:return,
447 |  syscall::read_nocancel:return
448 |  /self->start/
449 |  {
450 | 	/* calculate elapsed time */
451 | 	this->elapsed = timestamp - self->start;
452 | 	self->start = 0;
453 | 	this->cpu = vtimestamp - self->vstart;
454 | 	self->vstart = 0;
455 | 	self->code = errno == 0 ? "" : "Err#";
456 | 
457 | 	/* print optional fields */
458 | 	/* OPT_printid  ? printf("%5d/%d:  ",pid,tid) : 1; */
459 | 	/*OPT_printid  ? printf("%5d/0x%x:  ",pid,tid) : 1;
460 | 	OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
461 | 	OPT_elapsed  ? printf("%7d ",this->elapsed/1000) : 1;
462 | 	OPT_cpu      ? printf("%6d ",this->cpu/1000) : 1;*/
463 | 
464 | 	/* print main data */
465 | 
466 |     /*
467 | 	printf("%s(0x%X, \"%S\", 0x%X)\t\t = %d %s%d\n",probefunc,self->arg0,
468 | 	    arg0 == -1 ? "" : stringof(copyin(self->arg1,arg0)),self->arg2,(int)arg0,
469 | 	    self->code,(int)errno);
470 | 
471 |     */
472 | 
473 |     this->timestamp = walltimestamp / 1000000000;
474 |     printf("{\"syscall\":\"%s\", \"args\":[%u, \"%S\", %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
475 |         probefunc,
476 |         self->arg0, arg0 == -1 ? "" : stringof(copyin(self->arg1,arg0)), self->arg2,
477 |         (int)arg0,
478 |         (int)errno,
479 |         this->timestamp, pid);
480 | 
481 | 
482 | 	OPT_stack ? ustack()    : 1;
483 | 	OPT_stack ? trace("\n") : 1;
484 | 	self->arg0 = 0;
485 | 	self->arg1 = 0;
486 | 	self->arg2 = 0;
487 |  }
488 | 
489 |  /* print 2 args, arg0 and arg1 as strings */
490 |  syscall::rename:return,
491 |  syscall::symlink:return,
492 |  syscall::link:return
493 |  /self->start/
494 |  {
495 | 	/* calculate elapsed time */
496 | 	this->elapsed = timestamp - self->start;
497 | 	self->start = 0;
498 | 	this->cpu = vtimestamp - self->vstart;
499 | 	self->vstart = 0;
500 | 	self->code = errno == 0 ? "" : "Err#";
501 | 
502 | 	/* print optional fields */
503 | 	/* OPT_printid  ? printf("%5d/%d:  ",pid,tid) : 1; */
504 | 	/*OPT_printid  ? printf("%5d/0x%x:  ",pid,tid) : 1;
505 | 	OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
506 | 	OPT_elapsed  ? printf("%7d ",this->elapsed/1000) : 1;
507 | 	OPT_cpu      ? printf("%6d ",this->cpu/1000) : 1;*/
508 | 
509 | 	/* print main data */
510 | 	/*
511 |     printf("%s(\"%S\", \"%S\")\t\t = %d %s%d\n",probefunc,
512 | 	    copyinstr(self->arg0), copyinstr(self->arg1),
513 | 	    (int)arg0,self->code,(int)errno);
514 |     */
515 | 
516 |     this->timestamp = walltimestamp / 1000000000;
517 |     printf("{\"syscall\":\"%s\", \"args\":[\"%S\", \"%S\"], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
518 |         probefunc,
519 |         copyinstr(self->arg0), copyinstr(self->arg1),
520 |         (int)arg0,
521 |         (int)errno,
522 |         this->timestamp, pid);
523 | 
524 | 
525 | 
526 | 	OPT_stack ? ustack()    : 1;
527 | 	OPT_stack ? trace("\n") : 1;
528 | 	self->arg0 = 0;
529 | 	self->arg1 = 0;
530 | 	self->arg2 = 0;
531 |  }
532 | 
533 |  /* print 0 arg output */
534 |  syscall::*fork:return
535 |  /self->start/
536 |  {
537 | 	/* calculate elapsed time */
538 | 	this->elapsed = timestamp - self->start;
539 | 	self->start = 0;
540 | 	this->cpu = vtimestamp - self->vstart;
541 | 	self->vstart = 0;
542 | 	self->code = errno == 0 ? "" : "Err#";
543 | 
544 | 	/* print optional fields */
545 | 	/* OPT_printid  ? printf("%5d/%d:  ",pid,tid) : 1; */
546 | 	/*OPT_printid  ? printf("%5d/0x%x:  ",pid,tid) : 1;
547 | 	OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
548 | 	OPT_elapsed  ? printf("%7d ",this->elapsed/1000) : 1;
549 | 	OPT_cpu      ? printf("%6d ",this->cpu/1000) : 1;*/
550 | 
551 | 	/* print main data */
552 |     /*
553 | 	printf("%s()\t\t = %d %s%d\n",probefunc,
554 | 	    (int)arg0,self->code,(int)errno);
555 | 
556 |     */
557 | 
558 |     this->timestamp = walltimestamp / 1000000000;
559 |     printf("{\"syscall\":\"%s\", \"args\":[], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
560 |         probefunc,
561 |         (int)arg0,
562 |         (int)errno,
563 |         this->timestamp, pid);
564 | 
565 | 
566 | 	OPT_stack ? ustack()    : 1;
567 | 	OPT_stack ? trace("\n") : 1;
568 | 	self->arg0 = 0;
569 | 	self->arg1 = 0;
570 | 	self->arg2 = 0;
571 |  }
572 | 
573 |  /* print 1 arg output */
574 |  syscall::close:return,
575 |  syscall::close_nocancel:return
576 |  /self->start/
577 |  {
578 | 	/* calculate elapsed time */
579 | 	this->elapsed = timestamp - self->start;
580 | 	self->start = 0;
581 | 	this->cpu = vtimestamp - self->vstart;
582 | 	self->vstart = 0;
583 | 	self->code = errno == 0 ? "" : "Err#";
584 | 
585 | 	/* print optional fields */
586 | 	/* OPT_printid  ? printf("%5d/%d:  ",pid,tid) : 1; */
587 | 	/*OPT_printid  ? printf("%5d/0x%x:  ",pid,tid) : 1;
588 | 	OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
589 | 	OPT_elapsed  ? printf("%7d ",this->elapsed/1000) : 1;
590 | 	OPT_cpu      ? printf("%6d ",this->cpu/1000) : 1;*/
591 | 
592 | 	/* print main data */
593 |     /*
594 | 	printf("%s(0x%X)\t\t = %d %s%d\n",probefunc,self->arg0,
595 | 	    (int)arg0,self->code,(int)errno);
596 |     */
597 | 
598 |     this->timestamp = walltimestamp / 1000000000;
599 |     printf("{\"syscall\":\"%s\", \"args\":[%u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
600 |         probefunc,
601 |         self->arg0,
602 |         (int)arg0,
603 |         (int)errno,
604 |         this->timestamp, pid);
605 | 
606 | 
607 | 	OPT_stack ? ustack()    : 1;
608 | 	OPT_stack ? trace("\n") : 1;
609 | 	self->arg0 = 0;
610 | 	self->arg1 = 0;
611 | 	self->arg2 = 0;
612 |  }
613 | 
614 |  /* print 2 arg output */
615 |  syscall::utimes:return,
616 |  syscall::munmap:return
617 |  /self->start/
618 |  {
619 | 	/* calculate elapsed time */
620 | 	this->elapsed = timestamp - self->start;
621 | 	self->start = 0;
622 | 	this->cpu = vtimestamp - self->vstart;
623 | 	self->vstart = 0;
624 | 	self->code = errno == 0 ? "" : "Err#";
625 | 
626 | 	/* print optional fields */
627 | 	/* OPT_printid  ? printf("%5d/%d:  ",pid,tid) : 1; */
628 | 	/*OPT_printid  ? printf("%5d/0x%x:  ",pid,tid) : 1;
629 | 	OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
630 | 	OPT_elapsed  ? printf("%7d ",this->elapsed/1000) : 1;
631 | 	OPT_cpu      ? printf("%6d ",this->cpu/1000) : 1;*/
632 | 
633 | 	/* print main data */
634 |     /*
635 | 	printf("%s(0x%X, 0x%X)\t\t = %d %s%d\n",probefunc,self->arg0,
636 | 	    self->arg1,(int)arg0,self->code,(int)errno);
637 |     */
638 | 
639 |     this->timestamp = walltimestamp / 1000000000;
640 |     printf("{\"syscall\":\"%s\", \"args\":[%u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
641 |         probefunc,
642 |         self->arg0, self->arg1,
643 |         (int)arg0,
644 |         (int)errno,
645 |         this->timestamp, pid);
646 | 
647 | 
648 | 	OPT_stack ? ustack()    : 1;
649 | 	OPT_stack ? trace("\n") : 1;
650 | 	self->arg0 = 0;
651 | 	self->arg1 = 0;
652 | 	self->arg2 = 0;
653 |  }
654 | 
655 |  /* print pread/pwrite with 4 arguments */
656 |  syscall::pread*:return,
657 |  syscall::pwrite*:return
658 |  /self->start/
659 |  {
660 | 	/* calculate elapsed time */
661 | 	this->elapsed = timestamp - self->start;
662 | 	self->start = 0;
663 | 	this->cpu = vtimestamp - self->vstart;
664 | 	self->vstart = 0;
665 | 	self->code = errno == 0 ? "" : "Err#";
666 | 
667 | 	/* print optional fields */
668 | 	/* OPT_printid  ? printf("%5d/%d:  ",pid,tid) : 1; */
669 | 	/*OPT_printid  ? printf("%5d/0x%x:  ",pid,tid) : 1;
670 | 	OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
671 | 	OPT_elapsed  ? printf("%7d ",this->elapsed/1000) : 1;
672 | 	OPT_cpu      ? printf("%6d ",this->cpu/1000) : 1;*/
673 | 
674 | 	/* print main data */
675 |     /*
676 | 	printf("%s(0x%X, \"%S\", 0x%X, 0x%X)\t\t = %d %s%d\n",probefunc,self->arg0,
677 | 	    stringof(copyin(self->arg1,self->arg2)),self->arg2,self->arg3,(int)arg0,self->code,(int)errno);
678 |     */
679 | 
680 |     this->timestamp = walltimestamp / 1000000000;
681 |     printf("{\"syscall\":\"%s\", \"args\":[%u, %u, %u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
682 |         probefunc,
683 |         self->arg0, self->arg1, self->arg2, self->arg3,
684 |         (int)arg0,
685 |         (int)errno,
686 |         this->timestamp, pid);
687 | 
688 | 	OPT_stack ? ustack()    : 1;
689 | 	OPT_stack ? trace("\n") : 1;
690 | 	self->arg0 = 0;
691 | 	self->arg1 = 0;
692 | 	self->arg2 = 0;
693 | 	self->arg3 = 0;
694 |  }
695 | 
696 |  /* print select with 5 arguments */
697 |  syscall::select:return
698 |  /self->start/
699 |  {
700 | 	/* calculate elapsed time */
701 | 	this->elapsed = timestamp - self->start;
702 | 	self->start = 0;
703 | 	this->cpu = vtimestamp - self->vstart;
704 | 	self->vstart = 0;
705 | 	self->code = errno == 0 ? "" : "Err#";
706 | 
707 | 	/* print optional fields */
708 | 	/* OPT_printid  ? printf("%5d/%d:  ",pid,tid) : 1; */
709 | 	/*OPT_printid  ? printf("%5d/0x%x:  ",pid,tid) : 1;
710 | 	OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
711 | 	OPT_elapsed  ? printf("%7d ",this->elapsed/1000) : 1;
712 | 	OPT_cpu      ? printf("%6d ",this->cpu/1000) : 1;*/
713 | 
714 | 	/* print main data */
715 |     /*
716 | 	printf("%s(0x%X, 0x%X, 0x%X, 0x%X, 0x%X)\t\t = %d %s%d\n",probefunc,self->arg0,
717 | 	    self->arg1,self->arg2,self->arg3,self->arg4,(int)arg0,self->code,(int)errno);
718 |     */
719 | 
720 | 
721 |     this->timestamp = walltimestamp / 1000000000;
722 |     printf("{\"syscall\":\"%s\", \"args\":[%u, %u, %u, %u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
723 |         probefunc,
724 |         self->arg0, self->arg1,self->arg2,self->arg3,self->arg4,
725 |         (int)arg0,
726 |         (int)errno,
727 |         this->timestamp, pid);
728 | 
729 | 	OPT_stack ? ustack()    : 1;
730 | 	OPT_stack ? trace("\n") : 1;
731 | 	self->arg0 = 0;
732 | 	self->arg1 = 0;
733 | 	self->arg2 = 0;
734 | 	self->arg3 = 0;
735 | 	self->arg4 = 0;
736 |  }
737 | 
738 |  /* mmap has 6 arguments */
739 |  syscall::mmap:return
740 |  /self->start/
741 |  {
742 | 	/* calculate elapsed time */
743 | 	this->elapsed = timestamp - self->start;
744 | 	self->start = 0;
745 | 	this->cpu = vtimestamp - self->vstart;
746 | 	self->vstart = 0;
747 | 	self->code = errno == 0 ? "" : "Err#";
748 | 
749 | 	/* print optional fields */
750 | 	/* OPT_printid  ? printf("%5d/%d:  ",pid,tid) : 1; */
751 | 	/*OPT_printid  ? printf("%5d/0x%x:  ",pid,tid) : 1;
752 | 	OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
753 | 	OPT_elapsed  ? printf("%7d ",this->elapsed/1000) : 1;
754 | 	OPT_cpu      ? printf("%6d ",this->cpu/1000) : 1;*/
755 | 
756 | 	/* print main data */
757 |     /*
758 | 	printf("%s(0x%X, 0x%X, 0x%X, 0x%X, 0x%X, 0x%X)\t\t = 0x%X %s%d\n",probefunc,self->arg0,
759 | 	    self->arg1,self->arg2,self->arg3,self->arg4,self->arg5, arg0,self->code,(int)errno);
760 |     */
761 | 
762 | 
763 |     this->timestamp = walltimestamp / 1000000000;
764 |     printf("{\"syscall\":\"%s\", \"args\":[%u, %u, %u, %u, %u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
765 |         probefunc,
766 |         self->arg0, self->arg1, self->arg2, self->arg3, self->arg4, self->arg5,
767 |         (int)arg0,
768 |         (int)errno,
769 |         this->timestamp, pid);
770 | 
771 | 
772 | 	OPT_stack ? ustack()    : 1;
773 | 	OPT_stack ? trace("\n") : 1;
774 | 	self->arg0 = 0;
775 | 	self->arg1 = 0;
776 | 	self->arg2 = 0;
777 | 	self->arg3 = 0;
778 | 	self->arg4 = 0;
779 | 	self->arg5 = 0;
780 |  }
781 | 
782 |  /* print 3 arg output - default */
783 |  syscall:::return
784 |  /self->start/
785 |  {
786 | 	/* calculate elapsed time */
787 | 	this->elapsed = timestamp - self->start;
788 | 	self->start = 0;
789 | 	this->cpu = vtimestamp - self->vstart;
790 | 	self->vstart = 0;
791 | 	self->code = errno == 0 ? "" : "Err#";
792 | 
793 | 	/* print optional fields */
794 | 	/* OPT_printid  ? printf("%5d/%d:  ",pid,tid) : 1; */
795 | 	/*OPT_printid  ? printf("%5d/0x%x:  ",pid,tid) : 1;
796 | 	OPT_relative ? printf("%8d ",vtimestamp/1000) : 1;
797 | 	OPT_elapsed  ? printf("%7d ",this->elapsed/1000) : 1;
798 | 	OPT_cpu      ? printf("%6d ",this->cpu/1000) : 1;*/
799 | 
800 | 	/* print main data */
801 |     /*
802 | 	printf("%s(0x%X, 0x%X, 0x%X)\t\t = %d %s%d\n",probefunc,self->arg0,
803 | 	    self->arg1,self->arg2,(int)arg0,self->code,(int)errno);
804 |     */
805 | 
806 |     this->timestamp = walltimestamp / 1000000000;
807 |     printf("{\"syscall\":\"%s\", \"args\":[%u, %u, %u], \"retval\":%d, \"errno\":%d, \"timestamp\":%d, \"pid\":%d}\n",
808 |         probefunc,
809 |         self->arg0, self->arg1, self->arg2,
810 |         (int)arg0,
811 |         (int)errno,
812 |         this->timestamp, pid);
813 | 
814 | 	OPT_stack ? ustack()    : 1;
815 | 	OPT_stack ? trace("\n") : 1;
816 | 	self->arg0 = 0;
817 | 	self->arg1 = 0;
818 | 	self->arg2 = 0;
819 |  }
820 | 
821 |  profile:::tick-1sec
822 |  /OPT_timeout && TIMEOUT > 0/
823 |  {
824 |      --TIMEOUT;
825 |  }
826 | 
827 |  profile:::tick-1sec
828 |  /OPT_timeout && TIMEOUT == 0/
829 |  {
830 |      exit(0);
831 |  }
832 | 
833 |  /* print counts */
834 |  dtrace:::END
835 |  {
836 | 	OPT_counts == 1 ? printf("\n%-32s %16s\n","CALL","COUNT") : 1;
837 | 	OPT_counts == 1 ? printa("%-32s %@16d\n",@Counts) : 1;
838 |     printf("## dtruss.sh done ##");
839 |  }
840 | '
841 | 
842 | ### Run DTrace
843 | #if [ $opt_command -eq 1 ]; then
844 | #	/usr/sbin/dtrace -x dynvarsize=$buf -x evaltime=exec -n "$dtrace" \
845 | #	    -c "$command" >&2
846 | #else
847 | #	/usr/sbin/dtrace -x dynvarsize=$buf -n "$dtrace" >&2
848 | #fi
849 | 
850 | ### Run DTrace (Mac OS X)
851 | if [ $opt_command -eq 1 ]; then
852 |     sudo /usr/sbin/dtrace -x dynvarsize=$buf -x evaltime=exec -n "$dtrace" \
853 |     -o "$output_file" -c "$command"
854 | else
855 | 	sudo /usr/sbin/dtrace -x dynvarsize=$buf -n "$dtrace" >&2 -o "$output_file"
856 | fi
857 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/dtrace/follow_children.d:
--------------------------------------------------------------------------------
 1 | /* apicalls.d
 2 | *
 3 | * Copyright (C) 2015 Dmitry Rodionov
 4 | * This software may be modified and distributed under the terms
 5 | * of the MIT license. See the LICENSE file for details.
 6 | *
 7 | *
 8 | * Usage:
 9 | *  1) `SCRIPT_NAME` and `OUTPUT_FILE` macros must be set in a master script;
10 | *  2) Global integer variable `countdown` must exist;
11 | */
12 | 
13 | /* Preprocessor magic: stringification */
14 | #define str(s) str0(s)
15 | #define str0(s) #s
16 | /* Since there's no built-in way to get an output file of the current script,
17 | * we have to inject it into the source code with preprocessor. */
18 | #if !defined(OUTPUT_FILE)
19 | #error Please, specify the output file (e.g. "-DOUTPUT_FILE=./foo.log")
20 | #endif
21 | 
22 | #ifdef CHILD
23 | dtrace:::BEGIN
24 | {
25 |     pidresume($target);
26 | #ifdef WAS_EXECED
27 |     /* Since (1) we have now dtrace scripts attached to both
28 |     * parent and child processes and (2) they both have *the same* PID,
29 |     * we'll get the same results from both these scripts.
30 |     * To fix this, I just stop tracing the child here. */
31 |     exit(0);
32 | #endif /* WAS_EXECED */
33 | }
34 | 
35 | /* TODO(rodionovd): it looks like there's a bug in Apple dtrace that keeps
36 | * dtrace running even when its target (specified via -p) was already terminated.
37 | * Maybe I'm doing something wrong, but here's a temporary workaround.
38 | */
39 | syscall::exit:entry
40 | / pid == $target/
41 | {
42 |     exit(0);
43 | }
44 | #endif /* CHILD */
45 | 
46 | /* FORK */
47 | proc:::create
48 | / pid == $target /
49 | {
50 |     tracked[args[0]->pr_pid] = 1;
51 | }
52 | 
53 | /* Attach a new instance of dtrace to the new child process.
54 |  * Note that we pause the process before attaching dtrace to it, so we'll even
55 |  * catch short-lived ones.
56 |  */
57 | proc:::start
58 | / tracked[pid] == 1 /
59 | {
60 |     tracked[pid] = 0;
61 |     stop();
62 |     system("sudo dtrace -Z -I./ -C -DCHILD=1 -DANALYSIS_TIMEOUT=%d -DSCRIPT_PATH=./%s -DOUTPUT_FILE=%s -s ./%s -o %s -p %d &",
63 |     countdown, SCRIPT_NAME, str(OUTPUT_FILE), SCRIPT_NAME, str(OUTPUT_FILE), pid);
64 | }
65 | 
66 | /* EXEC */
67 | proc:::exec
68 | / pid == $target /
69 | {
70 |     tracked[pid] = 2;
71 | }
72 | 
73 | /* Well, we were exec*(), now what?
74 |  * Since a new image does contain different symbols and also may require different
75 |  * shared libraries -- and we really want to be able to install probes on them -- we
76 |  * must re-attach dtrace to this process again so it can see these new stuff.
77 |  *
78 |  * We wait some time to make sure that all shared libraries are loaded, stop()
79 |  * (actually, pause) the process and then spawn a new instance of dtrace attached
80 |  * to this process.
81 |  * Why start64("/AppleInternal")? This syscall happens at the end of a programm
82 |  * initialization process, so it's a great place to do our thing.
83 |  */
84 | syscall::stat64:entry
85 | / tracked[pid] == 2 && copyinstr(arg0) == "/AppleInternal\0" /
86 | {
87 |     tracked[pid] = 0;
88 |     stop();
89 |     system("sudo dtrace -Z -I./ -C -DCHILD=1 -DWAS_EXECED=1 -DANALYSIS_TIMEOUT=%d -DSCRIPT_PATH=./%s -DOUTPUT_FILE=%s -s ./%s -o %s -p %d &",
90 |     countdown, SCRIPT_NAME, str(OUTPUT_FILE), SCRIPT_NAME, str(OUTPUT_FILE), pid);
91 | }
92 | 
93 | dtrace:::END
94 | {
95 | #ifdef TOPLEVELSCRIPT
96 |     system("sleep 1.5 && echo \"## %s done ##\" >> \"%s\"", SCRIPT_NAME, str(OUTPUT_FILE));
97 | #endif
98 | }
99 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/dtrace/ipconnections.d:
--------------------------------------------------------------------------------
 1 | #!/usr/sbin/dtrace -C -s
 2 | #pragma D option quiet
 3 | /* ipconnections.d
 4 |  *
 5 |  * Copyright (C) 2015 Dmitry Rodionov
 6 |  * This software may be modified and distributed under the terms
 7 |  * of the MIT license. See the LICENSE file for details.
 8 |  *
 9 |  *
10 |  * This script prints results in JSON format, where each entry is a dictionary:
11 |  * {
12 |  *     host        : string, // e.g. "192.168.0.1"
13 |  *     host_port   : int,    // e.g. 49812
14 |  *     remote      : string, // e.g. "8.8.8.8"
15 |  *     remote_port : int,    // e.g. 80
16 |  *     protocol    : string, // e.g. "TCP"
17 |  *     timestamp   : int,    // e.g. 1433765405
18 |  *     pid         : int     // e.g. 9213
19 |  * }
20 |  *
21 |  */
22 | #ifndef ANALYSIS_TIMEOUT
23 |     #define ANALYSIS_TIMEOUT -1
24 | #endif
25 | 
26 | dtrace:::BEGIN
27 | {
28 |     countdown = ANALYSIS_TIMEOUT;
29 | }
30 | 
31 | ip:::receive
32 | /pid == $target/
33 | {
34 |         this->protocol = args[2]->ip_ver == 4 ? args[4]->ipv4_protostr : args[5]->ipv6_nextstr;
35 |         this->host = args[2]->ip_daddr;
36 |         this->remote = args[2]->ip_saddr;
37 |         /* Since the second argument (csinfo_t) is always filled with zeros [0],
38 |          * the only way to get host and remote ports is to treat the third argument
39 |          * as a raw pointer to struct ip and access stuff from there.
40 |          *
41 |          * Thanks to Quinn "The Eskimo!" from Apple DTS team for this trick!
42 |          *
43 |          * [0]:
44 |          * From http://www.opensource.apple.com/source/xnu/xnu-2782.1.97/bsd/netinet/ip_output.c:
45 |          * ------------------------------------------
46 |          * DTRACE_IP6(send, struct mbuf *, m, struct inpcb *, NULL,
47 | 	     * struct ip *, ip, struct ifnet *, ifp,
48 | 	     * struct ip *, ip, struct ip6_hdr *, NULL);
49 |          * ------------------------------------------
50 |          * Note the NULL passed as a value for struct inpcb* (it will become
51 |          * csinfo_t in dtrace).
52 |          */
53 |         this->host_port = ntohs(*(uint16_t *)(arg2 + 22));
54 |         this->remote_port = ntohs(*(uint16_t *)(arg2 + 20));
55 |         /* Convert walltimestamp to unix timestamp */
56 |         this->timestamp = walltimestamp / 1000000000;
57 | 
58 |         printf("{\"host\":\"%s\", \"host_port\":%d, \"remote\":\"%s\", \"remote_port\":%d, \"protocol\":\"%s\", \"timestamp\": %d, \"pid\":%d}\n",
59 |             this->host, this->host_port, this->remote, this->remote_port, this->protocol, this->timestamp, pid);
60 | }
61 | ip:::send
62 | /pid == $target/
63 | {
64 |     this->protocol = args[2]->ip_ver == 4 ? args[4]->ipv4_protostr : args[5]->ipv6_nextstr;
65 |     this->host = args[2]->ip_saddr;
66 |     this->remote = args[2]->ip_daddr;
67 |     this->host_port = ntohs(*(uint16_t *)(arg2 + 20));
68 |     this->remote_port = ntohs(*(uint16_t *)(arg2 + 22));
69 |     this->timestamp = walltimestamp / 1000000000;
70 | 
71 |     printf("{\"host\":\"%s\", \"host_port\":%d, \"remote\":\"%s\", \"remote_port\":%d, \"protocol\":\"%s\", \"timestamp\": %d, \"pid\":%d}\n",
72 |         this->host, this->host_port, this->remote, this->remote_port, this->protocol, this->timestamp, pid);
73 | }
74 | 
75 | profile:::tick-1sec
76 | /countdown > 0/
77 | {
78 |     --countdown;
79 | }
80 | 
81 | profile:::tick-1sec
82 | / countdown == 0 /
83 | {
84 |     exit(0);
85 | }
86 | 
87 | dtrace:::END
88 | {
89 |     printf("## ipconnections.d done ##");
90 | }
91 | 


--------------------------------------------------------------------------------
/analyzer/darwin/lib/dtrace/ipconnections.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # Copyright (C) 2015 Dmitry Rodionov
 3 | # This software may be modified and distributed under the terms
 4 | # of the MIT license. See the LICENSE file for details.
 5 | 
 6 | import os
 7 | import json
 8 | from common import *
 9 | from subprocess import Popen
10 | from collections import namedtuple
11 | from tempfile import NamedTemporaryFile
12 | 
13 | connection = namedtuple("connection",
14 |                         "host host_port remote remote_port protocol timestamp, pid")
15 | 
16 | 
17 | def ipconnections(target, **kwargs):
18 |     """Returns a list of ip connections made by the target.
19 | 
20 |     A connection is a named tuple with the following properties:
21 |     host (string), host_port (int), remote_port (string), protocol (string),
22 |     timestamp(int).
23 |     """
24 |     if not target:
25 |         raise Exception("Invalid target for ipconnections()")
26 | 
27 |     output_file = NamedTemporaryFile()
28 |     cmd = ["sudo", "/usr/sbin/dtrace", "-C"]
29 |     if "timeout" in kwargs:
30 |         cmd += ["-DANALYSIS_TIMEOUT=%d" % kwargs["timeout"]]
31 |     cmd += ["-s", path_for_script("ipconnections.d")]
32 |     cmd += ["-o", output_file.name]
33 |     if "args" in kwargs:
34 |         line = "%s %s" % (sanitize_path(target), " ".join(kwargs["args"]))
35 |         cmd += ["-c", line]
36 |     else:
37 |         cmd += ["-c", sanitize_path(target)]
38 | 
39 |     # The dtrace script will take care of timeout itself, so we just launch
40 |     # it asynchronously
41 |     with open(os.devnull, "w") as f:
42 |         handler = Popen(cmd, stdout=f, stderr=f)
43 | 
44 |     for entry in filelines(output_file):
45 |         if "## ipconnections.d done ##" in entry.strip():
46 |             break
47 |         yield _parse_single_entry(entry.strip())
48 |     output_file.close()
49 | 
50 | 
51 | #
52 | # Parsing implementation details
53 | #
54 | 
55 | def _parse_single_entry(entry):
56 |     entry = entry.replace("\\0", "")
57 |     parsed = json.loads(entry)
58 | 
59 |     host = parsed['host']
60 |     host_port = parsed['host_port']
61 |     remote = parsed['remote']
62 |     remote_port = parsed['remote_port']
63 |     protocol = parsed['protocol']
64 |     timestamp = parsed['timestamp']
65 |     pid = parsed['pid']
66 |     return connection(host, host_port, remote, remote_port, protocol, timestamp, pid)
67 | 


--------------------------------------------------------------------------------
/analyzer/darwin/modules/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rodionovd/cuckoo-osx-analyzer/fabbbe86e59bc39f9054d4ed35299d5f6a1f2b01/analyzer/darwin/modules/__init__.py


--------------------------------------------------------------------------------
/analyzer/darwin/modules/packages/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rodionovd/cuckoo-osx-analyzer/fabbbe86e59bc39f9054d4ed35299d5f6a1f2b01/analyzer/darwin/modules/packages/__init__.py


--------------------------------------------------------------------------------
/analyzer/darwin/modules/packages/app.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # Copyright (C) 2015 Dmitry Rodionov
 3 | # This software may be modified and distributed under the terms
 4 | # of the MIT license. See the LICENSE file for details.
 5 | 
 6 | from os import system, path
 7 | from plistlib import readPlist
 8 | from lib.core.packages import Package
 9 | 
10 | class App(Package):
11 |     """ OS X application analysys package. """
12 | 
13 |     def prepare(self):
14 |         # We'll launch an executable file of this .app directly,
15 |         # but we need to know what it is, don't we?
16 |         info = readPlist(path.join(self.target, "Contents", "Info.plist"))
17 |         exe_name = info.get("CFBundleExecutable")
18 |         if not exe_name:
19 |             raise Exception("Could not locate an executable of the app bundle")
20 | 
21 |         self.target = path.join(self.target, "Contents", "MacOS", exe_name)
22 |         # Make sure that our target is executable
23 |         system("/bin/chmod +x \"%s\"" % self.target)
24 | 


--------------------------------------------------------------------------------
/analyzer/darwin/modules/packages/bash.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # Copyright (C) 2015 Dmitry Rodionov
 3 | # This software may be modified and distributed under the terms
 4 | # of the MIT license. See the LICENSE file for details.
 5 | 
 6 | from lib.core.packages import Package
 7 | 
 8 | class Bash(Package):
 9 |     """ Bash shell script analysys package. """
10 | 
11 |     def prepare(self):
12 |         self.args = [self.target] + self.args
13 |         self.target = "/bin/bash"
14 | 


--------------------------------------------------------------------------------
/analyzer/darwin/modules/packages/macho.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # Copyright (C) 2015 Dmitry Rodionov
 3 | # This software may be modified and distributed under the terms
 4 | # of the MIT license. See the LICENSE file for details.
 5 | 
 6 | from os import system
 7 | from lib.core.packages import Package
 8 | 
 9 | class Macho(Package):
10 |     """ Mach-O executable analysys package. """
11 | 
12 |     def prepare(self):
13 |         # Make sure that our target is executable
14 |         system("/bin/chmod +x \"%s\"" % self.target)
15 | 


--------------------------------------------------------------------------------
/analyzer/darwin/modules/packages/zip.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Copyright (C) 2015 Dmitry Rodionov
  3 | # This software may be modified and distributed under the terms
  4 | # of the MIT license. See the LICENSE file for details.
  5 | 
  6 | import logging
  7 | from shutil import move
  8 | from os import path, environ
  9 | from random import SystemRandom
 10 | from string import ascii_letters
 11 | from subprocess import check_output
 12 | from zipfile import ZipFile, BadZipfile
 13 | from lib.core.packages import Package, choose_package_class
 14 | 
 15 | log = logging.getLogger(__name__)
 16 | 
 17 | class Zip(Package):
 18 | 
 19 |     real_package = None
 20 | 
 21 |     def prepare(self):
 22 |         password = self.options.get("password")
 23 |         files = self._extract(self.target, password)
 24 |         if not files or len(files) == 0:
 25 |             raise Exception("Invalid (or empty) zip archive: %s" % self.target)
 26 |         # Look for a file to analyse
 27 |         target_name = self.options.get("file")
 28 |         if not target_name:
 29 |             # If no file name is provided via option, take the first file
 30 |             target_name = files[0]
 31 |             log.debug("Missing file option, auto executing: %s", target_name)
 32 | 
 33 |         filepath = path.join(environ.get("TEMP", "/tmp"), target_name)
 34 |         # Remove the trailing slash (if any)
 35 |         if filepath.endswith("/"):
 36 |             self.target = filepath[:-1]
 37 |         else:
 38 |             self.target = filepath
 39 | 
 40 |         # Since we don't know what kind of file we're going to analyse, let's
 41 |         # detect it automatically and create an appropriate analysis package
 42 |         # for this file
 43 |         file_info = _fileinfo(self.target)
 44 |         pkg_class = choose_package_class(file_info, target_name)
 45 | 
 46 |         if not pkg_class:
 47 |             raise Exception("Unable to detect analysis package for the file %s" % target_name)
 48 |         else:
 49 |             log.debug("Analysing file \"%s\" using package \"%s\"", target_name, pkg_class.__name__)
 50 | 
 51 |         kwargs = {
 52 |             "options" : self.options,
 53 |             "timeout" : self.timeout
 54 |         }
 55 |         # We'll forward start() method invocation to the proper package later
 56 |         self.real_package = pkg_class(self.target, self.host, **kwargs)
 57 | 
 58 |     def start(self):
 59 |         # We have nothing to do here; let the proper package do it's job
 60 |         self.prepare()
 61 |         if not self.real_package:
 62 |             raise Exception("Invalid analysis package, aborting")
 63 |         self.real_package.start()
 64 | 
 65 |     def _extract(self, filename, password):
 66 |         archive_path = _prepare_archive_at_path(filename)
 67 |         if not archive_path:
 68 |             return None
 69 |         # Extraction.
 70 |         extract_path = environ.get("TEMP", "/tmp")
 71 |         with ZipFile(archive_path, "r") as archive:
 72 |             try:
 73 |                 archive.extractall(path=extract_path, pwd=password)
 74 |             except BadZipfile:
 75 |                 raise Exception("Invalid Zip file")
 76 |             # Try to extract it again, but with a default password
 77 |             except RuntimeError:
 78 |                 try:
 79 |                     archive.extractall(path=extract_path, pwd="infected")
 80 |                 except RuntimeError as err:
 81 |                     raise Exception("Unable to extract Zip file: %s" % err)
 82 |             finally:
 83 |                 self._extract_nested_archives(archive, extract_path, password)
 84 |         return archive.namelist()
 85 | 
 86 |     def _extract_nested_archives(self, archive, where, password):
 87 |         for name in archive.namelist():
 88 |             if name.endswith(".zip"):
 89 |                 self._extract(path.join(where, name), password)
 90 | 
 91 | 
 92 | def _prepare_archive_at_path(filename):
 93 |     """ Verifies that there's a readable zip archive at the given path.
 94 | 
 95 |     This function returns a new name for the archive (for most cases it's
 96 |     the same as the original one; but if an archive named "foo.zip" contains
 97 |     a file named "foo" this archive will be renamed to avoid being overwrite.
 98 |     """
 99 |     # Verify that the archive is actually readable
100 |     try:
101 |         with ZipFile(filename, "r") as archive:
102 |             archive.close()
103 |     except BadZipfile:
104 |         return None
105 |     # Test if zip file contains a file named as itself
106 |     if _is_overwritten(filename):
107 |         log.debug("ZIP file contains a file with the same name, original is \
108 |         going to be overwrite")
109 |         # In this case we just change the file name
110 |         new_zip_path = filename + _random_extension()
111 |         move(filename, new_zip_path)
112 |         filename = new_zip_path
113 |     return filename
114 | 
115 | 
116 | def _is_overwritten(zip_path):
117 |     archive = ZipFile(zip_path, "r")
118 |     try:
119 |         # Test if zip file contains a file named as itself
120 |         return any(n == path.basename(zip_path) for n in archive.namelist())
121 |     except BadZipfile:
122 |         raise Exception("Invalid Zip file")
123 | 
124 | 
125 | def _random_extension(length=5):
126 |     return '.' + ''.join(SystemRandom().choice(ascii_letters) for _ in range(length))
127 | 
128 | 
129 | def _fileinfo(target):
130 |     raw = check_output(["file", target])
131 |     # The utility has the following output format: "%filename%: %description%",
132 |     # so we just skip everything before the actual description
133 |     return raw[raw.index(":")+2:]
134 | 


--------------------------------------------------------------------------------
/config/signatures.yml:
--------------------------------------------------------------------------------
1 | ../analyzer/darwin/lib/core/data/signatures.yml


--------------------------------------------------------------------------------
/config/types.yml:
--------------------------------------------------------------------------------
1 | ../analyzer/darwin/lib/core/data/types.yml


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | pymongo
2 | pyyaml
3 | nose
4 | 


--------------------------------------------------------------------------------
/scripts/bootstrap_guest.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Copyright (C) 2015 Dmitry Rodionov
 3 | # This software may be modified and distributed under the terms
 4 | # of the MIT license. See the LICENSE file for details.
 5 | 
 6 | # Abstract
 7 | # ---------
 8 | # This is a bootstrap script for an OS X guest machine. It's able to:
 9 | #   0) Update network settings (Ethernet)
10 | #   1) Install the anti-antitracing kernel module (aka `pt_deny_attach` kext)
11 | #   2) Patch /etc/sudoers to allow the user to launch `dtrace` and `date`
12 | #      without a password
13 | #   3) Load and launch the Cuckoo guest agent (agent.py)
14 | #
15 | # Usage
16 | # ---------
17 | # The first two steps are optional, so by default this script will only download
18 | # and execute the arent.py. To install the kernel module or to patch the sudoers
19 | # file, use -k and -s flags respectively:
20 | #
21 | # ./bootstrap_guest.sh -k      -- for loading the kext
22 | # ./bootstrap_guest.sh -s      -- for patching /etc/sudoers
23 | # ./bootstrap_guest.sh -k -s   -- for both actions
24 | #
25 | 
26 | # Network settings
27 | IP_ADDRESS="192.168.56.101"
28 | SUBNET_MASK="255.255.255.0"
29 | ROUTER_ADDRESS="192.168.56.1"
30 | DNS_SERVERS=("208.67.220.220" "208.67.222.222")
31 | # Cuckoo agent locations
32 | AGENT_DIR="/Users/Shared"
33 | AGENT_URL="https://raw.githubusercontent.com/cuckoobox/cuckoo/master/agent/agent.py"
34 | 
35 | opt_patch_sudoers=false; opt_install_kext=false;
36 | while getopts ":sk" opt; do
37 |   case $opt in
38 |     s) opt_patch_sudoers=true ;;
39 |     k) opt_install_kext=true ;;
40 |     \?) echo "Invalid option -$OPTARG" >&2 ;;
41 |   esac
42 | done
43 | 
44 | # [0] Setup network
45 | sudo networksetup -setmanual Ethernet $IP_ADDRESS $SUBNET_MASK $ROUTER_ADDRESS
46 | sudo networksetup -setdnsservers Ethernet "${DNS_SERVERS[@]}"
47 | 
48 | # [1] Install `pt_deny_attach` kext.
49 | if [ "$opt_install_kext" == true ]; then
50 |     # echo "[INFO]: Downloading 'pt_deny_attach' kext"
51 |     # echo "[INFO]: Loading the kext into the kernel"
52 |     # TODO(rodionovd): download and load the kext
53 |     echo "[WARNING]: pt_deny_attach kext loading is not implemented yet."
54 | fi
55 | 
56 | # [2] Patch /etc/sudoers to enable passwordless sudo for `dtrace` and `date`
57 | if [ "$opt_patch_sudoers" == true ]; then
58 |     echo "[INFO]: Patching /etc/sudoers to enable passwordless dtrace for current user"
59 |     user=$(whoami)
60 |     if [ -z "$user" ]; then
61 |         echo "[ERROR]: $(whoami) failed. /etc/sudoers wasn't patched."
62 |     else
63 |         # Since `>>` redirect is done by the shell itself and it drops all privileges,
64 |         # we must run this command in a subshell.
65 |         sudo sh -c "echo \"$user\tALL=(root) NOPASSWD: /usr/sbin/dtrace\" >> /etc/sudoers"
66 |         sudo sh -c "echo \"$user\tALL=(root) NOPASSWD: /bin/date\" >> /etc/sudoers"
67 |     fi
68 | fi
69 | 
70 | # [3] Download agent.py into /Users/Shared
71 | echo "[INFO]: Downloading the Cuckoo guest agent"
72 | curl -o "$AGENT_DIR"/agent.py "$AGENT_URL"
73 | # [3.1] Install dependencies
74 | sudo easy_install pip
75 | (cd "$(dirname "$0")/.." && sudo -H pip install -r requirements.txt)
76 | # [4] and run it
77 | echo "[INFO]: Launching the Cuckoo guest agent"
78 | python "$AGENT_DIR"/agent.py
79 | 


--------------------------------------------------------------------------------
/scripts/bootstrap_host.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Copyright (C) 2015 Dmitry Rodionov
 3 | # This software may be modified and distributed under the terms
 4 | # of the MIT license. See the LICENSE file for details.
 5 | 
 6 | # Abstract
 7 | # ---------
 8 | # A bootstrap script for an OS X host.
 9 | #
10 | # Usage
11 | # ---------
12 | # Launch this script with -i flag to create a host-only network interface
13 | # and assign it to the given VirtualBox guest machine:
14 | # ./bootstrap_host.sh -i MyOSXVirtualMachine
15 | #
16 | # Or just launch it without any arguments to enable traffic forwarding
17 | # for vboxnet0 host-only interface:
18 | # ./bootstrap_host.sh
19 | 
20 | GUEST_IP="192.168.56.1"
21 | INTERFACE="vboxnet0"
22 | 
23 | opt_create_interface=false; vmname="";
24 | while getopts ":i:" opt; do
25 |     case $opt in
26 |         i) opt_create_interface=true; vmname="$OPTARG" ;;
27 |         \?) echo "Invalid option -$OPTARG" >&2 ;;
28 |     esac
29 | done
30 | 
31 | # [1] Setup a host-only network interface (vboxnet0)
32 | if [ "$opt_create_interface" == true ]; then
33 |     if [[ ! -f $(which vboxmanage) ]]; then
34 |     	echo -e "[Error] Could not locate vboxmanage. Please, install Virtual Box first."
35 |     	exit 1
36 |     fi
37 |     # Let's also verify that a VM with this name actually exists
38 |     # Note: `vboxmanage list vms` outputs data in the following format:
39 |     # 	"SandboxXP" {2b96015e-42e0-4662-b792-c738c2de155f}
40 |     vm_exists=$(vboxmanage list vms | grep -c "\"$vmname\" {[0-9a-z\-]*}")
41 |     if [ "$vm_exists" -ne 1 ]; then
42 |     	echo -e "[Error] Could not find a VM named \"$vmname\"."
43 |     	exit 1
44 |     fi
45 |     vboxmanage hostonlyif create
46 |     # 192.168.56.1 is the default IP from `cuckoo.conf`
47 |     vboxmanage hostonlyif ipconfig $INTERFACE --ip $GUEST_IP
48 |     vboxmanage modifyvm "$vmname" --hostonlyadapter1 $INTERFACE
49 |     vboxmanage modifyvm "$vmname" --nic1 hostonly
50 | fi
51 | 
52 | # [2.1] Make sure vboxnet0 is up before doing anything with it
53 | vboxmanage hostonlyif ipconfig $INTERFACE --ip $GUEST_IP
54 | if [ "$(uname -s)" != "Darwin" ]; then
55 |     echo "I can't setup traffic forwarding for your OS, sorry :("
56 | else
57 |     # [2.2] Enable traffic forwarding for vboxnet0 interface (for OS X only)
58 |     sudo sysctl -w net.inet.ip.forwarding=1 &> /dev/null
59 |     rules="nat on en1 from vboxnet0:network to any -> (en1)
60 |     pass inet proto icmp all
61 |     pass in on vboxnet0 proto udp from any to any port domain keep state
62 |     pass quick on en1 proto udp from any to any port domain keep state"
63 |     echo "$rules" > ./pfrules
64 |     sudo pfctl -e -f ./pfrules
65 |     rm -f ./pfrules
66 | fi
67 | 


--------------------------------------------------------------------------------
/tests/assets/probes/test_probes_integration.d.reference:
--------------------------------------------------------------------------------
 1 | /* For some reason either dtrace or clang preprocessor refuses to identify standard
 2 |  * C integer types like int64_t or uint8_t. Thus we must include stdint.h with the
 3 |  * following patches.
 4 |  */
 5 | /* (1) fix sys/_types/_int8_t.h */
 6 | #define __signed signed
 7 | /* (2) cdefs.h throws "Unsupported compiler detected" warning, ignore it */
 8 | #pragma clang diagnostic push
 9 | #pragma clang diagnostic ignored "-W#warnings"
10 | #include <stdint.h>
11 | #include <stddef.h>
12 | #pragma clang diagnostic pop
13 | 
14 | 
15 | typedef struct {
16 | 	size_t hfa;
17 | 	double * abc;
18 | 	char * sss;
19 | } test_internal_t;
20 | 
21 | typedef struct {
22 | 	test_internal_t * base;
23 | 	int hash;
24 | 	char * description;
25 | } test_t;
26 | 
27 | pid$target::system:entry
28 | {
29 | 	self->deeplevel++;
30 | 	self->arguments_stack[self->deeplevel, "arg0"] = self->arg0;
31 | 	self->arg0 = arg0;
32 | }
33 | pid$target::system:return
34 | {
35 | 	this->retval = arg1;
36 | 	this->timestamp_ms = walltimestamp/1000000;
37 | 	printf("{\"api\":\"%s\", \"args\":[\"%S\"], \"retval\":%d, \"timestamp\":%lld, \"pid\":%d, \"ppid\":%d, \"tid\":%d, \"errno\":%d}\n",
38 | 		probefunc,
39 | 		!!(self->arg0) ? copyinstr((uint64_t)self->arg0) : "<NULL>",
40 | 		(int)(this->retval),
41 | 		(int64_t)this->timestamp_ms, pid, ppid, tid, errno);
42 | 	self->arg0 = self->arguments_stack[self->deeplevel, "arg0"];
43 | 	self->arguments_stack[self->deeplevel, "arg0"] = 0;
44 | 	--self->deeplevel;
45 | }
46 | pid$target::socket:entry
47 | {
48 | 	self->deeplevel++;
49 | 	self->arguments_stack[self->deeplevel, "arg0"] = self->arg0;
50 | 	self->arg0 = arg0;
51 | 	self->arguments_stack[self->deeplevel, "arg1"] = self->arg1;
52 | 	self->arg1 = arg1;
53 | 	self->arguments_stack[self->deeplevel, "arg2"] = self->arg2;
54 | 	self->arg2 = arg2;
55 | }
56 | pid$target::socket:return
57 | {
58 | 	this->retval = arg1;
59 | 	this->timestamp_ms = walltimestamp/1000000;
60 | 	printf("{\"api\":\"%s\", \"args\":[%d, %f, {\"base\" : {\"hfa\" : %lu, \"abc\" : %f, \"sss\" : \"%S\"}, \"hash\" : %d, \"description\" : \"%S\"}], \"retval\":%lu, \"timestamp\":%lld, \"pid\":%d, \"ppid\":%d, \"tid\":%d, \"errno\":%d}\n",
61 | 		probefunc,
62 | 		(int)(self->arg0), (double)(self->arg1), (size_t)(((test_internal_t *)(((test_t *)(self->arg2))->base))->hfa), !!(((test_internal_t *)(((test_t *)(self->arg2))->base))->abc) ? (double)0 : *(double *)copyin((uint64_t)((test_internal_t *)(((test_t *)(self->arg2))->base))->abc, sizeof(double)), !!(((test_internal_t *)(((test_t *)(self->arg2))->base))->sss) ? copyinstr((uint64_t)((test_internal_t *)(((test_t *)(self->arg2))->base))->sss) : "<NULL>", (int)(((test_t *)(self->arg2))->hash), !!(((test_t *)(self->arg2))->description) ? copyinstr((uint64_t)((test_t *)(self->arg2))->description) : "<NULL>",
63 | 		(size_t)(this->retval),
64 | 		(int64_t)this->timestamp_ms, pid, ppid, tid, errno);
65 | 	self->arg0 = self->arguments_stack[self->deeplevel, "arg0"];
66 | 	self->arguments_stack[self->deeplevel, "arg0"] = 0;
67 | 	self->arg1 = self->arguments_stack[self->deeplevel, "arg1"];
68 | 	self->arguments_stack[self->deeplevel, "arg1"] = 0;
69 | 	self->arg2 = self->arguments_stack[self->deeplevel, "arg2"];
70 | 	self->arguments_stack[self->deeplevel, "arg2"] = 0;
71 | 	--self->deeplevel;
72 | }
73 | 


--------------------------------------------------------------------------------
/tests/assets/test_apicalls_basic.c:
--------------------------------------------------------------------------------
1 | #include <stdlib.h>
2 | 
3 | int main(int argc, char *argv[])
4 | {
5 | 	system("whoami");
6 |     return 0;
7 | }
8 | 


--------------------------------------------------------------------------------
/tests/assets/test_apicalls_children.c:
--------------------------------------------------------------------------------
 1 | #include <unistd.h>
 2 | #include <sys/types.h>
 3 | #include <errno.h>
 4 | #include <stdio.h>
 5 | #include <sys/wait.h>
 6 | #include <stdlib.h>
 7 | #include <unistd.h>
 8 | #include <assert.h>
 9 | 
10 | 
11 | void grandchild(void)
12 | {
13 | 	printf("grandchild started\n");
14 | 	int a = atoi("1337");
15 | 	a = atoi("1341");
16 | 	a = atoi("6243");
17 | 	a = atoi("21");
18 | 	a = atoi("1337");
19 | 	a = atoi("1341");
20 | 	a = atoi("6243");
21 | 	a = atoi("21");
22 | 	sleep(1);
23 | 	a = atoi("87162");
24 | 	a = atoi("1337");
25 | 	a = atoi("1341");
26 | 	a = atoi("6243");
27 | 	a = atoi("21");
28 | 	a = atoi("87162");
29 | 	a = atoi("87162");
30 | 	fprintf(stdout, "grandchild done\n");
31 | }
32 | 
33 | int main(int argc, char *argv[])
34 | {
35 | 	if (argc > 1) {
36 | 		grandchild();
37 | 		return 0;
38 | 	}
39 | 	printf("parent started\n");
40 | 
41 | 	pid_t child = fork();
42 | 	assert(child >= 0);
43 | 
44 | 	if (child == 0) {
45 | 		printf("child started\n");
46 | 		// pretend to do smth
47 | 		// sleep(2);
48 | 		char *const new_args[] = {argv[0], "yep", NULL};
49 | 		execve(new_args[0], (char *const *)&new_args, NULL);
50 | 		printf("CHILED FAILED\n");
51 | 	} else {
52 | 		int status;
53 | 		wait(&status);
54 | 		printf("Parent done\n");
55 | 	}
56 | 
57 | 	return 0;
58 | }
59 | 


--------------------------------------------------------------------------------
/tests/assets/test_apicalls_children_root.c:
--------------------------------------------------------------------------------
 1 | #include <unistd.h>
 2 | #include <sys/types.h>
 3 | #include <errno.h>
 4 | #include <stdio.h>
 5 | #include <sys/wait.h>
 6 | #include <stdlib.h>
 7 | #include <unistd.h>
 8 | #include <assert.h>
 9 | 
10 | 
11 | void grandchild(void)
12 | {
13 | 	printf("grandchild started\n");
14 | 	int a = atoi("1337");
15 | 	a = atoi("1341");
16 | 	a = atoi("6243");
17 | 	a = atoi("21");
18 | 	a = atoi("1337");
19 | 	a = atoi("1341");
20 | 	a = atoi("6243");
21 | 	a = atoi("21");
22 | 	sleep(1);
23 | 	a = atoi("87162");
24 | 	a = atoi("1337");
25 | 	a = atoi("1341");
26 | 	a = atoi("6243");
27 | 	a = atoi("21");
28 | 	a = atoi("87162");
29 | 	a = atoi("87162");
30 | 	fprintf(stdout, "grandchild done\n");
31 | }
32 | 
33 | int main(int argc, char *argv[])
34 | {
35 | 	if (argc > 1) {
36 | 		grandchild();
37 | 		return 0;
38 | 	}
39 | 	printf("parent started\n");
40 | 
41 | 	pid_t child = fork();
42 | 	assert(child >= 0);
43 | 
44 | 	if (child == 0) {
45 | 		printf("child started\n");
46 | 		char *const new_args[] = {argv[0], "yep", NULL};
47 | 		execve(new_args[0], (char *const *)&new_args, NULL);
48 | 		fprintf(stderr, "CHILD FAILED\n");
49 | 	} else {
50 | 		int status;
51 | 		wait(&status);
52 | 		printf("parent done\n");
53 | 	}
54 | 
55 | 	return 0;
56 | }
57 | 


--------------------------------------------------------------------------------
/tests/assets/test_apicalls_errno.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <stdio.h>
 3 | #include <errno.h>
 4 | 
 5 | int main(int argc, char const *argv[])
 6 | {
 7 | 	errno = 0;
 8 | 	fopen("doesn't matter", "invalid mode");
 9 | 	// errno = EINVAL = 22
10 | 	return 0;
11 | }
12 | 


--------------------------------------------------------------------------------
/tests/assets/test_apicalls_errno_root.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <stdio.h>
 3 | #include <errno.h>
 4 | 
 5 | int main(int argc, char const *argv[])
 6 | {
 7 | 	errno = 0;
 8 | 	fopen("doesn't matter", "r");
 9 | 	// errno = EINVAL = 22
10 | 	return 0;
11 | }
12 | 


--------------------------------------------------------------------------------
/tests/assets/test_apicalls_from_dynamic_library.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <stdio.h>
 3 | #include <dlfcn.h>
 4 | 
 5 | int main(int argc, char const *argv[])
 6 | {
 7 |     void *h = dlopen("libruby.dylib", RTLD_LAZY);
 8 |     if (h == NULL) {
 9 |         return EXIT_FAILURE;
10 |     } else {
11 |         int (*rb_isalpha)(int) = dlsym(h, "rb_isalpha");
12 |         int char_a = 0x61;
13 |         return rb_isalpha(char_a) ? EXIT_SUCCESS : EXIT_FAILURE;
14 |     }
15 | }
16 | 


--------------------------------------------------------------------------------
/tests/assets/test_apicalls_from_dynamic_library_root.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <stdio.h>
 3 | #include <dlfcn.h>
 4 | 
 5 | int main(int argc, char const *argv[])
 6 | {
 7 |     void *h = dlopen("libruby.dylib", RTLD_LAZY);
 8 |     if (h == NULL) {
 9 |         return EXIT_FAILURE;
10 |     } else {
11 |         int (*rb_isalpha)(int) = dlsym(h, "rb_isalpha");
12 |         int char_a = 0x61;
13 |         return rb_isalpha(char_a) ? EXIT_SUCCESS : EXIT_FAILURE;
14 |     }
15 | }
16 | 


--------------------------------------------------------------------------------
/tests/assets/test_apicalls_root.c:
--------------------------------------------------------------------------------
 1 | #include <pwd.h>
 2 | #include <unistd.h>
 3 | #include <stdio.h>
 4 | #include <string.h>
 5 | #include <assert.h>
 6 | 
 7 | int main(int argc, char *argv[])
 8 | {
 9 | 	struct passwd *pw = getpwuid(geteuid());
10 | 	assert(pw != NULL);
11 | 	if (strcmp("root", pw->pw_name) == 0) {
12 | 		printf("I'm root!\n");
13 | 	} else {
14 | 		printf("I'm user!\n");
15 | 	}
16 | 
17 | 	return 0;
18 | }
19 | 


--------------------------------------------------------------------------------
/tests/assets/test_apicalls_timeout.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <unistd.h>
 3 | 
 4 | int main(int argc, char *argv[])
 5 | {
 6 | 	system("whoami");
 7 | 	sleep(10);
 8 | 	system("whoami");
 9 |     return 0;
10 | }
11 | 


--------------------------------------------------------------------------------
/tests/assets/test_apicalls_timeout_root.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <unistd.h>
 3 | 
 4 | int main(int argc, char *argv[])
 5 | {
 6 | 	system("whoami");
 7 | 	sleep(10);
 8 | 	system("whoami");
 9 |     return 0;
10 | }
11 | 


--------------------------------------------------------------------------------
/tests/assets/test_apicalls_with_args.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | #include <stdlib.h>
3 | 
4 | int main(int argc, char *argv[])
5 | {
6 | 	printf("%d\n", atoi(argv[1]));
7 | }
8 | 


--------------------------------------------------------------------------------
/tests/assets/test_apicalls_with_args_root.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | #include <stdlib.h>
3 | 
4 | int main(int argc, char *argv[])
5 | {
6 | 	printf("%d\n", atoi(argv[1]));
7 | }
8 | 


--------------------------------------------------------------------------------
/tests/assets/test_apicalls_without_target.c:
--------------------------------------------------------------------------------
1 | int main(int argc, char *argv[])
2 | {
3 | }
4 | 


--------------------------------------------------------------------------------
/tests/assets/test_cuckoo_dropped_files:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rodionovd/cuckoo-osx-analyzer/fabbbe86e59bc39f9054d4ed35299d5f6a1f2b01/tests/assets/test_cuckoo_dropped_files


--------------------------------------------------------------------------------
/tests/assets/test_cuckoo_dropped_files.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <stdio.h>
 3 | #include <unistd.h>
 4 | 
 5 | int main(int argc, char const *argv[])
 6 | {
 7 | 	FILE *f = fopen("something.txt", "w");
 8 | 	if (f == NULL) {
 9 | 		return EXIT_FAILURE;
10 | 	}
11 | 	fprintf(f, "HERE YOU ARE\n");
12 | 	fclose(f);
13 | 	return EXIT_SUCCESS;
14 | }
15 | 


--------------------------------------------------------------------------------
/tests/assets/test_cuckoo_parents_and_children:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rodionovd/cuckoo-osx-analyzer/fabbbe86e59bc39f9054d4ed35299d5f6a1f2b01/tests/assets/test_cuckoo_parents_and_children


--------------------------------------------------------------------------------
/tests/assets/test_cuckoo_parents_and_children.c:
--------------------------------------------------------------------------------
 1 | #include <unistd.h>
 2 | #include <sys/types.h>
 3 | #include <errno.h>
 4 | #include <stdio.h>
 5 | #include <sys/wait.h>
 6 | #include <stdlib.h>
 7 | #include <unistd.h>
 8 | #include <assert.h>
 9 | 
10 | 
11 | void grandchild(void)
12 | {
13 | 	printf("grandchild started\n");
14 | 	int a = atoi("1337");
15 | 	a = atoi("1341");
16 | 	a = atoi("6243");
17 | 	a = atoi("21");
18 | 	a = atoi("1337");
19 | 	a = atoi("1341");
20 | 	a = atoi("6243");
21 | 	a = atoi("21");
22 | 	sleep(1);
23 | 	a = atoi("87162");
24 | 	a = atoi("1337");
25 | 	a = atoi("1341");
26 | 	a = atoi("6243");
27 | 	a = atoi("21");
28 | 	a = atoi("87162");
29 | 	a = atoi("87162");
30 | 	fprintf(stdout, "grandchild done\n");
31 | }
32 | 
33 | int main(int argc, char *argv[])
34 | {
35 | 	if (argc > 1) {
36 | 		grandchild();
37 | 		return 0;
38 | 	}
39 | 	printf("parent started\n");
40 | 
41 | 	pid_t child = fork();
42 | 	assert(child >= 0);
43 | 
44 | 	if (child == 0) {
45 | 		printf("child started\n");
46 | 		// pretend to do smth
47 | 		// sleep(2);
48 | 		char *const new_args[] = {argv[0], "yep", NULL};
49 | 		execve(new_args[0], (char *const *)&new_args, NULL);
50 | 		printf("CHILED FAILED\n");
51 | 	} else {
52 | 		int status;
53 | 		wait(&status);
54 | 		printf("Parent done\n");
55 | 	}
56 | 
57 | 	return 0;
58 | }
59 | 


--------------------------------------------------------------------------------
/tests/assets/test_dtruss_children.c:
--------------------------------------------------------------------------------
 1 | #include <unistd.h>
 2 | #include <sys/types.h>
 3 | #include <errno.h>
 4 | #include <stdio.h>
 5 | #include <sys/wait.h>
 6 | #include <stdlib.h>
 7 | #include <assert.h>
 8 | 
 9 | int main(int argc, char *argv[])
10 | {
11 | 	write(1, "Hello, I'm parent!", 18);
12 | 
13 | 	pid_t child = fork();
14 | 	assert(child >= 0);
15 | 
16 | 	if (child == 0) {
17 | 		// child
18 | 		write(1, "Hello from child!", 17);
19 | 	} else {
20 | 		// parent
21 | 		printf("Hello again from the parent! My child is %d\n", child);
22 | 		int status;
23 | 		wait(&status);
24 | 	}
25 | 
26 | 
27 | 	return 0;
28 | }
29 | 


--------------------------------------------------------------------------------
/tests/assets/test_dtruss_helloworld.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | 
3 | int main(int argc, char *argv[])
4 | {
5 | 	printf("Hello, world!\n");
6 | }
7 | 


--------------------------------------------------------------------------------
/tests/assets/test_dtruss_non_root.c:
--------------------------------------------------------------------------------
 1 | #include <pwd.h>
 2 | #include <unistd.h>
 3 | #include <stdio.h>
 4 | #include <string.h>
 5 | #include <assert.h>
 6 | 
 7 | int main(int argc, char *argv[])
 8 | {
 9 | 	struct passwd *pw = getpwuid(geteuid());
10 | 	assert(pw != NULL);
11 | 	if (strcmp("root", pw->pw_name) == 0) {
12 | 		printf("Hello, r00t!\n");
13 | 	} else {
14 | 		printf("Hello, user!\n");
15 | 	}
16 | 
17 | 	return 0;
18 | }
19 | 


--------------------------------------------------------------------------------
/tests/assets/test_dtruss_root.c:
--------------------------------------------------------------------------------
 1 | #include <pwd.h>
 2 | #include <unistd.h>
 3 | #include <stdio.h>
 4 | #include <string.h>
 5 | #include <assert.h>
 6 | 
 7 | int main(int argc, char *argv[])
 8 | {
 9 | 	struct passwd *pw = getpwuid(geteuid());
10 | 	assert(pw != NULL);
11 | 	if (strcmp("root", pw->pw_name) == 0) {
12 | 		printf("Hello, r00t!\n");
13 | 	} else {
14 | 		printf("Hello, user!\n");
15 | 	}
16 | 
17 | 	return 0;
18 | }
19 | 


--------------------------------------------------------------------------------
/tests/assets/test_dtruss_specific_syscall.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | 
3 | int main(int argc, char *argv[])
4 | {
5 | 	fprintf(stdout, "Hello, dtruss!\n");
6 | }
7 | 


--------------------------------------------------------------------------------
/tests/assets/test_dtruss_timeout.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <unistd.h>
 3 | 
 4 | int main(int argc, char *argv[])
 5 | {
 6 | 	write(1, "Hello, world!\n", 0xE);
 7 | 	sleep(5);
 8 | 	write(1, "Hello, world!\n", 0xE);
 9 | }
10 | 


--------------------------------------------------------------------------------
/tests/assets/test_dtruss_with_args.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | 
3 | int main(int argc, char *argv[])
4 | {
5 | 	printf("Hello, %s!\n", argv[1]);
6 | }
7 | 


--------------------------------------------------------------------------------
/tests/assets/test_dtruss_without_target.c:
--------------------------------------------------------------------------------
1 | int main(int argc, char *argv[])
2 | {
3 | }
4 | 


--------------------------------------------------------------------------------
/tests/assets/test_ipconnections_empty.c:
--------------------------------------------------------------------------------
1 | int main(int argc, char **argv)
2 | {
3 |     return 0;
4 | }
5 | 


--------------------------------------------------------------------------------
/tests/assets/test_ipconnections_target_with_args.c:
--------------------------------------------------------------------------------
 1 | #include <unistd.h>
 2 | #include <string.h>
 3 | #include <assert.h>
 4 | #include <arpa/inet.h>
 5 | #include <sys/socket.h>
 6 | 
 7 | void send_tcp(const char *remote, const int port)
 8 | {
 9 |     int sd = socket(AF_INET, SOCK_STREAM, 0);
10 |     assert(sd > 0);
11 | 
12 |     struct sockaddr_in addr;
13 |     memset(&addr, 0, sizeof(addr));
14 |     addr.sin_family = AF_INET;
15 |     addr.sin_addr.s_addr = inet_addr(remote);
16 |     addr.sin_port = htons(port);
17 | 
18 |     connect(sd, (struct sockaddr *)&addr , sizeof(addr));
19 |     close(sd);
20 | }
21 | 
22 | int main(int argc, char *argv[])
23 | {
24 |     send_tcp(argv[1], 80);
25 |     return 0;
26 | }
27 | 


--------------------------------------------------------------------------------
/tests/assets/test_ipconnections_tcp.c:
--------------------------------------------------------------------------------
 1 | #include <unistd.h>
 2 | #include <string.h>
 3 | #include <assert.h>
 4 | #include <arpa/inet.h>
 5 | #include <sys/socket.h>
 6 | 
 7 | int main(int argc, char *argv[])
 8 | {
 9 |     int sd = socket(AF_INET, SOCK_STREAM, 0);
10 |     assert(sd > 0);
11 | 
12 |     struct sockaddr_in addr;
13 |     memset(&addr, 0, sizeof(addr));
14 |     addr.sin_family = AF_INET;
15 |     addr.sin_addr.s_addr = inet_addr("127.0.0.1");
16 |     addr.sin_port = htons(80);
17 | 
18 |     int ret = connect(sd, (struct sockaddr *)&addr , sizeof(addr));
19 | 
20 |     return close(sd) && ret == 0;
21 | }
22 | 


--------------------------------------------------------------------------------
/tests/assets/test_ipconnections_tcp_with_timeout.c:
--------------------------------------------------------------------------------
 1 | #include <unistd.h>
 2 | #include <string.h>
 3 | #include <assert.h>
 4 | #include <arpa/inet.h>
 5 | #include <sys/socket.h>
 6 | 
 7 | void send_tcp(const char *remote, const int port)
 8 | {
 9 |     int sd = socket(AF_INET, SOCK_STREAM, 0);
10 |     assert(sd > 0);
11 | 
12 |     struct sockaddr_in addr;
13 |     memset(&addr, 0, sizeof(addr));
14 |     addr.sin_family = AF_INET;
15 |     addr.sin_addr.s_addr = inet_addr(remote);
16 |     addr.sin_port = htons(port);
17 | 
18 |     connect(sd, (struct sockaddr *)&addr , sizeof(addr));
19 |     close(sd);
20 | }
21 | 
22 | int main(int argc, char *argv[])
23 | {
24 |     send_tcp("127.0.0.1", 80);
25 |     sleep(5);
26 |     send_tcp("127.0.0.1", 80);
27 | 
28 |     return 0;
29 | }
30 | 


--------------------------------------------------------------------------------
/tests/assets/test_ipconnections_udp.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <unistd.h>
 3 | #include <string.h>
 4 | #include <assert.h>
 5 | #include <stdlib.h>
 6 | #include <arpa/inet.h>
 7 | #include <netinet/in.h>
 8 | #include <sys/socket.h>
 9 | 
10 | int main(int argc, char *argv[])
11 | {
12 |     int sd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
13 |     assert(sd > 0);
14 | 
15 |     struct sockaddr_in addr;
16 |     memset(&addr, 0, sizeof(addr));
17 |     addr.sin_family = AF_INET;
18 |     inet_pton(AF_INET, "127.0.0.1", &addr.sin_addr);
19 |     addr.sin_port = htons(53);
20 | 
21 |     char *request = "hi, i like you";
22 |     int ret = sendto(sd, request, strlen(request), 0, (struct sockaddr*)&addr, sizeof(addr));
23 |     assert(ret >= 0);
24 | 
25 |     close(sd);
26 | 
27 |     return EXIT_SUCCESS;
28 | }
29 | 


--------------------------------------------------------------------------------
/tests/common.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # Copyright (C) 2015 Dmitry Rodionov
 3 | # This software may be modified and distributed under the terms
 4 | # of the MIT license. See the LICENSE file for details.
 5 | 
 6 | import os
 7 | import unittest
 8 | import platform
 9 | import subprocess
10 | 
11 | TESTS_DIR = os.path.dirname(os.path.abspath(__file__))
12 | 
13 | 
14 | class DtraceTestCase(unittest.TestCase):
15 | 
16 |     @classmethod
17 |     def setUpClass(cls):
18 |         if platform.system() != "Darwin":
19 |             raise Exception("%s: dtrace-based test suites must be run on OS X" % cls.__name__)
20 | 
21 |     def setUp(self):
22 |         build_target(self._testMethodName)
23 | 
24 |     def tearDown(self):
25 |         cleanup_target(self._testMethodName)
26 | 
27 |     def current_target(self):
28 |         return TESTS_DIR + "/assets/" + self._testMethodName
29 | 
30 | 
31 | def build_target(target):
32 |     # clang -arch x86_64 -o $target_name $target_name.c
33 |     output = executable_name_for_target(target)
34 |     source = sourcefile_name_for_target(target)
35 |     subprocess.check_call(["clang", "-arch", "x86_64", "-O0", "-o", output, source])
36 | 
37 | 
38 | def cleanup_target(target):
39 |     os.remove(executable_name_for_target(target))
40 | 
41 | 
42 | def sourcefile_name_for_target(target):
43 |     return "%s/assets/%s.c" % (TESTS_DIR, target)
44 | 
45 | 
46 | def executable_name_for_target(target):
47 |     return "%s/assets/%s" % (TESTS_DIR, target)
48 | 


--------------------------------------------------------------------------------
/tests/test_analyzer.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # Copyright (C) 2015 Dmitry Rodionov
 3 | # This software may be modified and distributed under the terms
 4 | # of the MIT license. See the LICENSE file for details.
 5 | 
 6 | import unittest
 7 | from analyzer.darwin.lib.core.osx import set_wallclock
 8 | 
 9 | class TestAnalyzer(unittest.TestCase):
10 | 
11 |     def test_set_wallclock(self):
12 |         # given
13 |         clock_str = "20151203T15:23:43"
14 |         # when
15 |         result = set_wallclock(clock_str, just_testing=True)
16 |         # then
17 |         self.assertEqual(result, "sudo date 1203152315.43")
18 | 


--------------------------------------------------------------------------------
/tests/test_apicalls.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Copyright (C) 2015 Dmitry Rodionov
  3 | # This software may be modified and distributed under the terms
  4 | # of the MIT license. See the LICENSE file for details.
  5 | 
  6 | import unittest
  7 | from sets import Set
  8 | from nose.tools import timed
  9 | 
 10 | from common import DtraceTestCase
 11 | from analyzer.darwin.lib.dtrace.apicalls import *
 12 | 
 13 | class TestAPICalls(DtraceTestCase):
 14 | 
 15 |     @timed(15)
 16 |     def test_apicalls_basic(self):
 17 |         # given
 18 |         expected_api = ("system", ["whoami"], 0)
 19 |         output = []
 20 |         # when
 21 |         for call in apicalls(self.current_target()):
 22 |             output.append(call)
 23 |         # then
 24 |         matched = [x for x in output if (x.api, x.args, x.retval) == expected_api]
 25 |         self.assertEqual(len(matched), 1)
 26 | 
 27 |     @timed(5)
 28 |     def test_apicalls_root(self):
 29 |         # given
 30 |         expected_api = ("printf", ["I'm root!\n"], 10)
 31 |         output = []
 32 |         # when
 33 |         for call in apicalls(self.current_target(), run_as_root=True):
 34 |             output.append(call)
 35 |         # then
 36 |         matched = [x for x in output if (x.api, x.args, x.retval) == expected_api]
 37 |         self.assertEqual(len(matched), 1)
 38 | 
 39 |     @timed(2)
 40 |     def test_apicalls_without_target(self):
 41 |         with self.assertRaisesRegexp(Exception, "Invalid target for apicalls()"):
 42 |             for call in apicalls(None):
 43 |                 pass
 44 | 
 45 |     @timed(5)
 46 |     def test_apicalls_with_args_root(self):
 47 |         # given
 48 |         expected_api = ("atoi", ["666"])
 49 |         args = ["666", "-k", "bar"]
 50 |         output = []
 51 |         # when
 52 |         for call in apicalls(self.current_target(), args=args, run_as_root=True):
 53 |             output.append(call)
 54 |         # then
 55 |         matched = [x for x in output if (x.api, x.args) == expected_api]
 56 |         self.assertEqual(len(matched), 1)
 57 | 
 58 |     @timed(15)
 59 |     def test_apicalls_with_args(self):
 60 |         # given
 61 |         expected_api = ("atoi", ["666"])
 62 |         args = ["666", "-k", "bar"]
 63 |         output = []
 64 |         # when
 65 |         for call in apicalls(self.current_target(), args=args):
 66 |             output.append(call)
 67 |         # then
 68 |         matched = [x for x in output if (x.api, x.args) == expected_api]
 69 |         self.assertEqual(len(matched), 1)
 70 | 
 71 |     @timed(20)
 72 |     def test_apicalls_children(self):
 73 |         # given
 74 |         expected_grandchild_api = ("printf", ["grandchild started\n"], 19)
 75 |         expected_child_api = ("printf", ["child started\n"], 14)
 76 |         expected_parent_api = ("printf", ["parent started\n"], 15)
 77 |         pids = Set()
 78 |         output = []
 79 |         # when
 80 |         for call in apicalls(self.current_target(), run_as_root=False):
 81 |             output.append(call)
 82 |             pids.add(call.pid)
 83 | 
 84 |         matched_grandchild = [x for x in output if (x.api, x.args, x.retval) == expected_grandchild_api]
 85 |         matched_child = [x for x in output if (x.api, x.args, x.retval) == expected_child_api]
 86 |         matched_parent = [x for x in output if (x.api, x.args, x.retval) == expected_parent_api]
 87 |         # then
 88 |         self.assertEqual(len(matched_grandchild), 1)
 89 |         self.assertEqual(len(matched_child), 1)
 90 |         self.assertEqual(len(matched_parent), 1)
 91 | 
 92 |     @timed(15)
 93 |     def test_apicalls_children_root(self):
 94 |         # given
 95 |         expected_grandchild_api = ("printf", ["grandchild started\n"], 19)
 96 |         expected_child_api = ("printf", ["child started\n"], 14)
 97 |         expected_parent_api = ("printf", ["parent started\n"], 15)
 98 |         pids = Set()
 99 |         output = []
100 |         # when
101 |         for call in apicalls(self.current_target(), run_as_root=True):
102 |             output.append(call)
103 |             pids.add(call.pid)
104 | 
105 |         matched_grandchild = [x for x in output if (x.api, x.args, x.retval) == expected_grandchild_api]
106 |         matched_child = [x for x in output if (x.api, x.args, x.retval) == expected_child_api]
107 |         matched_parent = [x for x in output if (x.api, x.args, x.retval) == expected_parent_api]
108 |         # then
109 |         self.assertEqual(len(matched_grandchild), 1)
110 |         self.assertEqual(len(matched_child), 1)
111 |         self.assertEqual(len(matched_parent), 1)
112 | 
113 |     @timed(15)
114 |     def test_apicalls_from_dynamic_library(self):
115 |         # given
116 |         expected_api = ("rb_isalpha", ["a"], 1)
117 |         # when
118 |         output = []
119 |         for call in apicalls(self.current_target()):
120 |             output.append(call)
121 |         matched = [x for x in output if (x.api, x.args, x.retval) == expected_api]
122 |         # then
123 |         self.assertEqual(len(matched), 1)
124 | 
125 |     @timed(5)
126 |     def test_apicalls_from_dynamic_library_root(self):
127 |         # given
128 |         expected_api = ("rb_isalpha", ["a"], 1)
129 |         # when
130 |         output = []
131 |         for call in apicalls(self.current_target(), run_as_root=True):
132 |             output.append(call)
133 |         matched = [x for x in output if (x.api, x.args, x.retval) == expected_api]
134 |         # then
135 |         self.assertEqual(len(matched), 1)
136 | 
137 |     @timed(15)
138 |     def test_apicalls_errno(self):
139 |         # given
140 |         expected_api = ("fopen", ["doesn't matter", "invalid mode"], 0, 22)
141 |         # when
142 |         output = []
143 |         for call in apicalls(self.current_target()):
144 |             output.append(call)
145 |         matched = [x for x in output if (x.api, x.args, x.retval, x.errno) == expected_api]
146 |         # then
147 |         self.assertEqual(len(matched), 1)
148 | 
149 |     @timed(5)
150 |     def test_apicalls_errno_root(self):
151 |         # given
152 |         expected_api = ("fopen", ["doesn't matter", "r"], 0, 2)
153 |         # when
154 |         output = []
155 |         for call in apicalls(self.current_target(), run_as_root=True):
156 |             output.append(call)
157 |         matched = [x for x in output if (x.api, x.args, x.retval, x.errno) == expected_api]
158 |         # then
159 |         self.assertEqual(len(matched), 1)
160 | 


--------------------------------------------------------------------------------
/tests/test_cuckoo.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Copyright (C) 2015 Dmitry Rodionov
  3 | # This software may be modified and distributed under the terms
  4 | # of the MIT license. See the LICENSE file for details.
  5 | 
  6 | import re
  7 | import json
  8 | import unittest
  9 | import platform
 10 | import subprocess
 11 | from time import sleep
 12 | from os import path, symlink, listdir
 13 | 
 14 | TESTS_DIR = path.dirname(path.abspath(__file__))
 15 | ANALYZER_ROOT = path.dirname(TESTS_DIR)
 16 | 
 17 | def cuckoo_root():
 18 |     """ It's ../../cuckoo """
 19 |     # ./
 20 |     return path.join(path.dirname(ANALYZER_ROOT), "cuckoo")
 21 | 
 22 | 
 23 | def submit_job(target, options):
 24 |     # Force using OS X machines for running targets
 25 |     options.update({"platform" : "darwin"})
 26 |     # Too lazy to re-implement this stuff myself, so use an existing tool
 27 |     submit_py = path.join(cuckoo_root(), "utils", "submit.py")
 28 |     cmd = ["python", submit_py]
 29 |     # Transform options into --options and compose a command line args string
 30 |     def dummy_flatten(list_of_lists):
 31 |         return sum(list_of_lists, [])
 32 |     cmd += dummy_flatten([["--"+x, y] for (x, y) in options.items()])
 33 |     cmd += [target]
 34 |     subprocess.check_call(cmd)
 35 | 
 36 | 
 37 | def latest_analysis_results():
 38 |     storage_dir = path.realpath(path.join(cuckoo_root(), "storage", "analyses", "latest"))
 39 |     with open(path.join(storage_dir, "reports", "report.json"), "r") as report_file:
 40 |         report = json.load(report_file)
 41 |     return {
 42 |         "report": report,
 43 |         "files" : listdir(path.join(storage_dir, "files")),
 44 |         "logs"  : listdir(path.join(storage_dir, "logs")),
 45 |         "analysis_log" : path.join(storage_dir, "analysis.log")
 46 |     }
 47 | 
 48 | 
 49 | def cuckoo_analysis(target, options):
 50 |     """ Returns a dictionary with the following keys:
 51 |     :report       => dictionary contents of report.json,
 52 |     :files        => list of dropped files (full local paths),
 53 |     :logs         => list of log files (full local paths),
 54 |     :analysis_log => analysis.log full path
 55 |     """
 56 |     # Add new analysis job to the Cuckoo database
 57 |     submit_job(target, options)
 58 |     # then try to read it's output and get analysis results from there
 59 |     def read_cuckoo_output():
 60 |         return CuckooTests.cuckoo.stderr.readline().rstrip()
 61 |     def is_completion(line):
 62 |         return None != re.search(r'.*Task #[0-9]{3}: analysis .* completed', line)
 63 |     def is_error(line):
 64 |         # Nah, don't even care about returning anything on error
 65 |         if re.search(r'.*ERROR: Analysis failed:', line) != None:
 66 |             raise Exception("Cuckoo analysis failed")
 67 |     line = read_cuckoo_output()
 68 |     while (not is_completion(line)) and (not is_error(line)):
 69 |         line = read_cuckoo_output()
 70 |     # Now go to the results directory and parse all the data
 71 |     return latest_analysis_results()
 72 | 
 73 | def build_target(target_name):
 74 |     # Try to build a target when on OS X
 75 |     if platform.system() == "Darwin":
 76 |         source = target_name + ".c"
 77 |         output = target_name
 78 |         subprocess.check_call(["clang", "-arch", "x86_64", "-O0", "-o", output, source])
 79 |     # Or try to use the pre-built one otherwise
 80 |     elif not path.exists(target_name):
 81 |         raise Exception("Unable to build OS X targets on non-darwin machine")
 82 | 
 83 | 
 84 | @unittest.skipUnless(path.exists(cuckoo_root()), "Unable to locate Cuckoo")
 85 | class CuckooTests(unittest.TestCase):
 86 | 
 87 |     cuckoo = None
 88 | 
 89 |     @classmethod
 90 |     def setUpClass(cls):
 91 |         # Symlink the darwin analyzer into Cuckoo's analyzer directory
 92 |         source = path.join(ANALYZER_ROOT, "analyzer", "darwin")
 93 |         destination = path.join(cuckoo_root(), "analyzer", "darwin")
 94 |         # setUpClass() is called even when @unittest.skipUnless skips
 95 |         # all the tests, so we verify it again...
 96 |         if path.exists(cuckoo_root()):
 97 |             if not path.exists(destination):
 98 |                 symlink(source, destination)
 99 |             # Initialize Cuckoo Host
100 |             cls.launch_cuckoo()
101 | 
102 |     @classmethod
103 |     def tearDownClass(cls):
104 |         if path.exists(cuckoo_root()):
105 |             cls.terminate_cuckoo()
106 | 
107 |     def current_target(self):
108 |         return path.join(TESTS_DIR, "assets", self._testMethodName)
109 | 
110 |     def setUp(self):
111 |         # We won't delete compiled targets after tests, so they can be reused
112 |         # on platforms other than OS X (cross compilation is a hell of work, you know)
113 |         build_target(self.current_target())
114 | 
115 |     #-#-#-#-#-#-#-# #-#-#-#-#-#-#-# #-#-#-#-#-#-#-#
116 |     # Cuckoo management
117 |     #-#-#-#-#-#-#-# #-#-#-#-#-#-#-# #-#-#-#-#-#-#-#
118 | 
119 |     @classmethod
120 |     def launch_cuckoo(cls):
121 |         # Let's hope Python *is* in PATH
122 |         cmd = ["python", path.join(cuckoo_root(), "cuckoo.py")]
123 |         cls.cuckoo = subprocess.Popen(cmd, stderr=subprocess.PIPE)
124 |         # Now see if it launched successfully.
125 |         # Basically, what we do here is reading Cuckoo's output until we hit the
126 |         # success message *OR* the whole thing is terminated due to an error
127 |         isalive = (lambda x: x.poll() == None)
128 |         while isalive(cls.cuckoo):
129 |             if "Waiting for analysis tasks" in cls.cuckoo.stderr.readline().rstrip():
130 |                 break
131 |             sleep(0.1)
132 |         # so if Cuckoo is dead at this moment, something bad has happend
133 |         if not isalive(cls.cuckoo):
134 |             raise Exception("Cuckoo failed to launch. Try scripts/bootstrap_host.sh")
135 | 
136 |     @classmethod
137 |     def terminate_cuckoo(cls):
138 |         try:
139 |             cls.cuckoo.terminate()
140 |         except OSError as _:
141 |             pass # it's likely to be already terminated
142 | 
143 |     #-#-#-#-#-#-#-# #-#-#-#-#-#-#-# #-#-#-#-#-#-#-#
144 |     # Test cases
145 |     #-#-#-#-#-#-#-# #-#-#-#-#-#-#-# #-#-#-#-#-#-#-#
146 | 
147 |     def test_cuckoo_dropped_files(self):
148 |         # given
149 |         target = self.current_target()
150 |         options = {
151 |         }
152 |         # when
153 |         results = cuckoo_analysis(target, options)
154 |         # then
155 |         self.assertTrue(1 == len([x for x in results["files"] if x.endswith("something.txt")]))
156 | 
157 |     def test_cuckoo_parents_and_children(self):
158 |         # given
159 |         target = self.current_target()
160 |         options = {
161 |         }
162 |         # when
163 |         results = cuckoo_analysis(target, options)
164 |         # then
165 |         # We have a separate log file for each target: one for the parent process
166 |         # and one for the child
167 |         self.assertTrue(len(results["logs"]) == 2)
168 | 


--------------------------------------------------------------------------------
/tests/test_dtruss.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Copyright (C) 2015 Dmitry Rodionov
  3 | # This software may be modified and distributed under the terms
  4 | # of the MIT license. See the LICENSE file for details.
  5 | 
  6 | import unittest
  7 | from sets import Set
  8 | 
  9 | from common import DtraceTestCase
 10 | from analyzer.darwin.lib.dtrace.dtruss import *
 11 | 
 12 | 
 13 | class TestDtruss(DtraceTestCase):
 14 |     def test_dtruss_helloworld(self):
 15 |         # given
 16 |         expected_syscall = 'write_nocancel'
 17 |         expected_args = [1, 'Hello, world!\n', 0xE]
 18 |         expected_result = 14
 19 |         expected_errno = 0
 20 |         output = []
 21 |         # when
 22 |         for call in dtruss(self.current_target()):
 23 |             output.append(call)
 24 |         # then
 25 |         matched = [x for x in output if
 26 |                    x.name == expected_syscall and x.args == expected_args and x.result == expected_result and x.errno == expected_errno]
 27 | 
 28 |         self.assertEqual(len(matched), 1)
 29 | 
 30 |     def test_dtruss_without_target(self):
 31 |         with self.assertRaisesRegexp(Exception, "Invalid target for dtruss()"):
 32 |             for call in dtruss(None):
 33 |                 pass
 34 | 
 35 |     def test_dtruss_specific_syscall(self):
 36 |         # given
 37 |         expected_syscall = 'write_nocancel'
 38 |         expected_args = [1, 'Hello, dtruss!\n', 0xF]
 39 |         expected_result = 15
 40 |         expected_errno = 0
 41 |         output = []
 42 |         # when
 43 |         for call in dtruss(self.current_target(), syscall="write_nocancel", run_as_root=False):
 44 |             output.append(call)
 45 |         # then
 46 |         matched = [x for x in output if
 47 |                    x.name == expected_syscall and x.args == expected_args and x.result == expected_result and x.errno == expected_errno]
 48 | 
 49 |         self.assertEqual(len(matched), 1)
 50 | 
 51 |     def test_dtruss_timeout(self):
 52 |         # given
 53 |         expected_syscall = 'write'
 54 |         expected_args = [1, 'Hello, world!\n', 0xE]
 55 |         expected_result = 14
 56 |         expected_errno = 0
 57 |         output = []
 58 |         # when
 59 |         for call in dtruss(self.current_target(), timeout=2, run_as_root=True):
 60 |             output.append(call)
 61 |         # then
 62 |         matched = [x for x in output if
 63 |                    x.name == expected_syscall and x.args == expected_args and x.result == expected_result and x.errno == expected_errno]
 64 | 
 65 |         self.assertEqual(len(matched), 1)
 66 |         self.assertEqual(sum(x.name == "write" for x in output), 1)
 67 | 
 68 |     def test_dtruss_with_args(self):
 69 |         # given
 70 |         expected_syscall = 'write_nocancel'
 71 |         expected_args = [1, 'Hello, WoR1D!\n', 0xE]
 72 |         expected_result = 14
 73 |         expected_errno = 0
 74 |         args = ["WoR1D", "-k", "foobar"]
 75 |         output = []
 76 |         # when
 77 |         for call in dtruss(self.current_target(), args=args):
 78 |             output.append(call)
 79 |         # then
 80 |         matched = [x for x in output if
 81 |                    x.name == expected_syscall and x.args == expected_args and x.result == expected_result and x.errno == expected_errno]
 82 | 
 83 |         self.assertEqual(len(matched), 1)
 84 | 
 85 |     def test_dtruss_root(self):
 86 |         # given
 87 |         expected_syscall = 'write_nocancel'
 88 |         expected_args = [1, 'Hello, r00t!\n', 0xD]
 89 |         expected_result = 0xD
 90 |         expected_errno = 0
 91 |         pids = Set()
 92 |         output = []
 93 |         # when
 94 |         for call in dtruss(self.current_target(), run_as_root=True):
 95 |             output.append(call)
 96 |             pids.add(call.pid)
 97 |         # then
 98 |         self.assertEqual(len(pids), 1)
 99 | 
100 |         matched = [x for x in output if
101 |                    x.name == expected_syscall and x.args == expected_args and x.result == expected_result and x.errno == expected_errno]
102 |         self.assertEqual(len(matched), 1)
103 | 
104 |     def test_dtruss_non_root(self):
105 |         # given
106 |         expected_syscall = ('write_nocancel', [1, 'Hello, user!\n', 0xD], 0xD, 0)
107 |         pids = Set()
108 |         output = []
109 |         # when
110 |         for call in dtruss(self.current_target()):
111 |             output.append(call)
112 |             pids.add(call.pid)
113 |         # then
114 |         matched = [x for x in output if (x.name, x.args, x.result, x.errno) == expected_syscall]
115 |         self.assertEqual(len(matched), 1)
116 | 
117 |     def test_dtruss_children(self):
118 |         # given
119 |         expected_child_syscall = ("write", [1, "Hello from child!", 17], 17)
120 |         expected_parent_syscall = ("write", [1, "Hello, I'm parent!", 18], 18)
121 |         pids = Set()
122 |         output = []
123 |         # when
124 |         for call in dtruss(self.current_target()):
125 |             output.append(call)
126 |             pids.add(call.pid)
127 |         # then
128 |         matched_child = [x for x in output if (x.name, x.args, x.result) == expected_child_syscall]
129 |         matched_parent = [x for x in output if (x.name, x.args, x.result) == expected_parent_syscall]
130 | 
131 |         self.assertEqual(len(matched_child), 1)
132 |         self.assertEqual(len(matched_parent), 1)
133 |         self.assertLess(matched_parent[0].pid, matched_child[0].pid)
134 | 


--------------------------------------------------------------------------------
/tests/test_ipconnections.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # Copyright (C) 2015 Dmitry Rodionov
 3 | # This software may be modified and distributed under the terms
 4 | # of the MIT license. See the LICENSE file for details.
 5 | 
 6 | import unittest
 7 | from sets import Set
 8 | 
 9 | from common import DtraceTestCase
10 | from analyzer.darwin.lib.dtrace.ipconnections import *
11 | 
12 | class TestIpconnections(DtraceTestCase):
13 | 
14 | 	def test_ipconnections_udp(self):
15 | 		# given
16 | 		expected = ('127.0.0.1', # host
17 | 		            53,          # port
18 | 		            'UDP')       # protocol
19 | 		output = []
20 | 		# when
21 | 		for connection in ipconnections(self.current_target()):
22 | 			output.append(connection)
23 | 		# then
24 | 		assert len(output) == 1
25 | 		matched = [x for x in output if
26 | 			(x.remote, x.remote_port, x.protocol) == expected]
27 | 		assert len(matched) == 1
28 | 
29 | 	def test_ipconnections_tcp(self):
30 | 		# given
31 | 		expected = ('127.0.0.1', # host
32 | 		            80,          # port
33 | 		            'TCP')       # protocol
34 | 		output = []
35 | 		# when
36 | 		for connection in ipconnections(self.current_target()):
37 | 			output.append(connection)
38 | 		# then
39 | 		assert len(output) == 1
40 | 		matched = [x for x in output if
41 | 			(x.remote, x.remote_port, x.protocol) == expected]
42 | 		assert len(matched) == 1
43 | 
44 | 	def test_ipconnections_tcp_with_timeout(self):
45 | 		# given
46 | 		expected = ('127.0.0.1', # host
47 | 		            80,          # port
48 | 		            'TCP')       # protocol
49 | 		pids = Set()
50 | 		output = []
51 | 		# when
52 | 		for connection in ipconnections(self.current_target(), timeout=1):
53 | 			output.append(connection)
54 | 			pids.add(connection.pid)
55 | 		# then
56 | 		assert len(pids) == 1
57 | 		assert len(output) == 1
58 | 		matched = [x for x in output if
59 | 			(x.remote, x.remote_port, x.protocol) == expected]
60 | 		assert len(matched) == 1
61 | 
62 | 	def test_ipconnections_empty(self):
63 | 		# given
64 | 		output = []
65 | 		# when
66 | 		for connection in ipconnections(self.current_target()):
67 | 			output.append(connection)
68 | 		# then
69 | 		assert len(output) == 0
70 | 
71 | 	def test_ipconnections_target_with_args(self):
72 | 		# given
73 | 		expected = ('127.0.0.1', # host
74 | 		            80,          # port
75 | 		            'TCP')       # protocol
76 | 		args = ["127.0.0.1"]
77 | 		output = []
78 | 		# when
79 | 		for connection in ipconnections(self.current_target(), args=args):
80 | 			output.append(connection)
81 | 		# then
82 | 		assert len(output) == 1
83 | 		matched = [x for x in output if
84 | 			(x.remote, x.remote_port, x.protocol) == expected]
85 | 		assert len(matched) == 1
86 | 
87 | if __name__ == '__main__':
88 | 	unittest.main()
89 | 


--------------------------------------------------------------------------------
/tests/test_packages.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # Copyright (C) 2015 Dmitry Rodionov
 3 | # This software may be modified and distributed under the terms
 4 | # of the MIT license. See the LICENSE file for details.
 5 | 
 6 | import unittest
 7 | 
 8 | from analyzer.darwin.lib.core.packages import *
 9 | 
10 | class PackagesTestCase(unittest.TestCase):
11 | 
12 |     def test_bash_package(self):
13 |         # given
14 |         file_type = "a bash script text executable"
15 |         file_name = "foo.sh"
16 |         # when
17 |         pkg_class = choose_package_class(file_type, file_name)
18 |         # then
19 |         self.assertEqual(pkg_class.__name__, "Bash")
20 | 
21 |     def test_macho_package(self):
22 |         # given
23 |         file_type = "Mach-O 64-bit executable x86_64"
24 |         file_name = "codesign"
25 |         # when
26 |         pkg_class = choose_package_class(file_type, file_name)
27 |         # then
28 |         self.assertEqual(pkg_class.__name__, "Macho")
29 | 
30 |     def test_macho_package_alt(self):
31 |         # given
32 |         file_type = "Mach-O 32-bit executable i386"
33 |         file_name = "foobar"
34 |         # when
35 |         pkg_class = choose_package_class(file_type, file_name)
36 |         # then
37 |         self.assertEqual(pkg_class.__name__, "Macho")
38 | 
39 |     def test_zip_package(self):
40 |         # given
41 |         file_type = "Zip archive data, at least v1.0 to extract"
42 |         file_name = "foobar.zip"
43 |         # when
44 |         pkg_class = choose_package_class(file_type, file_name)
45 |         # then
46 |         self.assertEqual(pkg_class.__name__, "Zip")
47 | 
48 |     def test_app_package(self):
49 |         # given
50 |         file_type = "directory"
51 |         file_name = "Installer.app"
52 |         # when
53 |         pkg_class = choose_package_class(file_type, file_name)
54 |         # then
55 |         self.assertEqual(pkg_class.__name__, "App")
56 | 


--------------------------------------------------------------------------------
/tests/test_probesgenerator.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Copyright (C) 2015 Dmitry Rodionov
  3 | # This software may be modified and distributed under the terms
  4 | # of the MIT license. See the LICENSE file for details.
  5 | 
  6 | import filecmp
  7 | import unittest
  8 | from os import remove, path
  9 | from common import TESTS_DIR
 10 | from difflib import unified_diff
 11 | from subprocess import check_call
 12 | 
 13 | from analyzer.darwin.lib.dtrace.autoprobes import generate_probes
 14 | from analyzer.darwin.lib.dtrace.autoprobes import dereference_type
 15 | from analyzer.darwin.lib.dtrace.autoprobes import serialize_atomic_type
 16 | from analyzer.darwin.lib.dtrace.autoprobes import serialize_struct_type
 17 | from analyzer.darwin.lib.dtrace.autoprobes import serialize_type_with_template
 18 | 
 19 | SIGNATURES_FILE = path.join(TESTS_DIR, "..", "config", "signatures.yml")
 20 | 
 21 | class ProbesGeneratorTestCase(unittest.TestCase):
 22 | 
 23 |     def result_file(self):
 24 |         return path.join(TESTS_DIR, "assets", "probes", self._testMethodName + ".d")
 25 | 
 26 |     def reference_file(self):
 27 |         return path.join(TESTS_DIR, "assets", "probes", self._testMethodName + ".d.reference")
 28 | 
 29 |     def tearDown(self):
 30 |         if path.isfile(self.result_file()):
 31 |             remove(self.result_file())
 32 | 
 33 |     def assertEmptyDiff(self, diff):
 34 |         if len(diff) > 0:
 35 |             self.fail("Diff is not empty:\n" + diff)
 36 | 
 37 |     def assertDtraceCompiles(self, script_file):
 38 |         # Define the required stuff (see apicalls.d)
 39 |         decl = """self int64_t arguments_stack[unsigned long, string];self deeplevel;dtrace:::BEGIN{self->deeplevel = 0;self->arg0  = (int64_t)0;self->arg1  = (int64_t)0;self->arg2  = (int64_t)0;self->arg3  = (int64_t)0;self->arg4  = (int64_t)0;self->arg5  = (int64_t)0;self->arg6  = (int64_t)0;self->arg7  = (int64_t)0;self->arg8  = (int64_t)0;self->arg9  = (int64_t)0;self->arg10 = (int64_t)0;self->arg11 = (int64_t)0;}"""
 40 |         with open(script_file, "r+") as outfile:
 41 |             contents = outfile.read()
 42 |             outfile.seek(0, 0)
 43 |             outfile.write(decl + "\n" + contents)
 44 |         check_call(["sudo", "dtrace", "-e", "-C", "-s", script_file, "-c", "date"])
 45 | 
 46 |     # UNIT TESTS
 47 | 
 48 |     def test_probes_dereference_value_type(self):
 49 |         # given
 50 |         type = "scalar_t"
 51 |         # when
 52 |         output = dereference_type(type)
 53 |         # then
 54 |         self.assertEqual("scalar_t", output)
 55 | 
 56 |     def test_probes_dereference_reference_type(self):
 57 |         # given
 58 |         type = "foo *"
 59 |         # when
 60 |         output = dereference_type(type)
 61 |         # then
 62 |         self.assertEqual("foo", output)
 63 | 
 64 |     def test_probes_dereference_reference_type_with_random_spaces(self):
 65 |         # given
 66 |         type = "foo      *  "
 67 |         # when
 68 |         output = dereference_type(type)
 69 |         # then
 70 |         self.assertEqual("foo", output)
 71 | 
 72 |     def test_probes_dereference_types_that_must_not_be_dereferenced(self):
 73 |         # given
 74 |         type_string  = "char *"
 75 |         type_pointer = "void *"
 76 |         # when
 77 |         output_string  = dereference_type(type_string)
 78 |         output_pointer = dereference_type(type_pointer)
 79 |         # then
 80 |         self.assertEqual("char *", output_string)
 81 |         self.assertEqual("void *", output_pointer)
 82 | 
 83 |     def test_probes_atomic_type_serialization(self):
 84 |         # given
 85 |         type = "float"
 86 |         accessor = "self->arg0"
 87 |         # when
 88 |         output = serialize_atomic_type(type, type, accessor)
 89 |         # then
 90 |         self.assertEqual("(float)(self->arg0)", output)
 91 | 
 92 |     def test_probes_atomic_pointer_type_serialization(self):
 93 |         # given
 94 |         type = "int *"
 95 |         accessor = "self->arg0"
 96 |         # when
 97 |         output = serialize_atomic_type(type, "int", accessor)
 98 |         # then
 99 |         self.assertEqual(
100 |             "!!(self->arg0) ? (int)0 : *(int *)copyin((uint64_t)self->arg0, sizeof(int))",
101 |             output
102 |         )
103 | 
104 |     def test_probes_struct_type_serialization(self):
105 |         # given
106 |         type = "foo_t"
107 |         accessor = "self->arg0"
108 |         types = {
109 |             "float": {
110 |                 "printf_specifier": "%f",
111 |                 "native": True
112 |             },
113 |             "char *": {
114 |                 "printf_specifier": '"%S"',
115 |                 "native": True,
116 |                 "template":
117 |                     '!!(${ARG}) ? copyinstr((uint64_t)${ARG}) : "<NULL>"'
118 |             },
119 |             "foo_t": {
120 |                 "native": False,
121 |                 "struct": {
122 |                     "value_f":   "float",
123 |                     "value_str": "char *"
124 |                 }
125 |             }
126 |         }
127 |         # when
128 |         output = serialize_struct_type(type, accessor, types)
129 |         # then
130 |         self.assertEqual(
131 |             '(float)(((foo_t)(self->arg0)).value_f), !!(((foo_t)(self->arg0)).value_str) ? copyinstr((uint64_t)((foo_t)(self->arg0)).value_str) : "<NULL>"',
132 |             output
133 |         )
134 | 
135 |     def test_probes_struct_pointer_type_serialization(self):
136 |         # given
137 |         type = "foo_t *"
138 |         accessor = "self->arg0"
139 |         types = {
140 |             "float": {
141 |                 "printf_specifier": "%f",
142 |                 "native": True
143 |             },
144 |             "int": {
145 |                 "printf_specifier": "%f",
146 |                 "native": True
147 |             },
148 |             "foo_t": {
149 |                 "native": False,
150 |                 "struct": {
151 |                     "value_f":   "float",
152 |                     "value_int": "int *"
153 |                 }
154 |             }
155 |         }
156 |         # when
157 |         output = serialize_struct_type(type, accessor, types)
158 |         # then
159 |         self.assertEqual(
160 |             "!!(((foo_t *)(self->arg0))->value_int) ? (int)0 : *(int *)copyin((uint64_t)((foo_t *)(self->arg0))->value_int, sizeof(int)), (float)(((foo_t *)(self->arg0))->value_f)",
161 |             output
162 |         )
163 | 
164 |     def test_probes_template_type_serialization(self):
165 |         # given
166 |         type = "string"
167 |         accessor = "self->arg0"
168 |         types = {
169 |             "string": {
170 |                 "printf_specifier": '"%S"',
171 |                 "native": False,
172 |                 "template": '!!(${ARG}) ? copyinstr((uint64_t)${ARG}) : "<NULL>"'
173 |             }
174 |         }
175 |         # when
176 |         output = serialize_type_with_template(type, accessor, types)
177 |         # then
178 |         self.assertEqual(
179 |             '!!(self->arg0) ? copyinstr((uint64_t)self->arg0) : "<NULL>"',
180 |             output
181 |         )
182 | 
183 |     def test_probes_integration(self):
184 |         # given
185 |         source = [{
186 |             "api": "system",
187 |             "is_success_condition": "retval == 0",
188 |             "args": [
189 |                 {"name": "command", "type": "char *"}
190 |             ],
191 |             "retval_type": "int",
192 |             "category": "foobar"
193 |         },
194 |         {
195 |             "api": "socket",
196 |             "is_success_condition": "retval > 0",
197 |             "args": [
198 |                 {"name": "domain",   "type": "int"},
199 |                 {"name": "type",     "type": "double"},
200 |                 {"name": "protocol", "type": "test_t *"}
201 |             ],
202 |             "retval_type": "size_t",
203 |             "category": "network"
204 |         }]
205 |         destination = self.result_file()
206 |         # when
207 |         generate_probes(source, destination)
208 |         # then
209 |         self.assertEmptyDiff(file_diff(self.reference_file(), destination))
210 |         self.assertDtraceCompiles(destination)
211 | 
212 | def file_diff(a, b):
213 |     with open(a, 'r') as astream, open(b, 'r') as bstream:
214 |         return "".join(unified_diff(
215 |             astream.readlines(),
216 |             bstream.readlines(),
217 |             path.basename(a), path.basename(b),
218 |             n=0
219 |         ))
220 | 


--------------------------------------------------------------------------------