Add GUI actuation

Author: moyix

README.md

@@ -42,6 +42,17 @@ sample IDs with VirusTotal. These periodic tasks are managed by
 Samples become available once per day. The `genindex.sh` just builds the
 (very ugly) web page every 10 minutes.
 
+GUI Analysis
+------------
+
+In order for the GUI analysis and actuation to work, you will need to
+use this branch of PANDA:
+
+https://github.com/moyix/panda/tree/wip/unsafememaccess
+
+And then symlink the `pmemaddressspace.py` script into Volatility's
+`volatility/plugins/addrspaces` subdirectory.
+
 Disclaimer
 ----------
 

scripts/click_buttons.py

@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+import time
+import logging
+import string
+import listwins
+import random
+from mon_util import mon_cmd
+
+clickables = set([
+    "NEXT", "GO", "INSTALL", "YES", "OK", "DONE",
+    "IAGREE", "AGREE", "FINISH", "UPDATE", "IACCEPT",
+    "ACCEPT", "DECLINE", "CONTINUE", "RUN", "SAVE",
+    "DOWNLOAD", "SKIP",
+])
+
+def normalize(s):
+    return ''.join(c for c in s if c in string.letters).upper()
+
+def setup(os, sock):
+    listwins.setup(os, sock)
+
+def move_to(mon, x, y, absolute=True):
+    if absolute:
+        # Reset to top-left
+        mon_cmd("mouse_move -2000 -2000\n", mon)
+        time.sleep(1)
+    mon_cmd("mouse_move {0} {1}\n".format(x, y), mon)
+    time.sleep(.5)
+
+def click(mon):
+    mon_cmd("mouse_button 1\n", mon) # Button 1 down
+    time.sleep(.1)
+    mon_cmd("mouse_button 0\n", mon) # Button 1 up
+
+def match(s, clickables):
+    return s and any((s in c and not abs(len(s)-len(c)) > 10) for c in clickables)
+
+def click_buttons(mon):
+    candidates = []
+    for w in listwins.get_windows():
+        normed = normalize(str(w.strName or ''))
+        if match(normed, clickables):
+            x1, y1, x2, y2 = map(int, w.rcClient.get_tup())
+            clickx, clicky = (x1+x2)/2, (y1+y2)/2
+            # Don't click on things that are near the edges
+            # Edges here means the outer 10% of the screen
+            width, height = 1024, 768
+            if (clickx < width * .10 or clickx > width * .90 or
+                    clicky < height * .10 or clicky > height * .90):
+                continue
+            if not w.Visible: continue
+            candidates.append( (str(w.strName or ''), clickx, clicky) )
+
+    if not candidates: return
+
+    # If we have multiple, just pick one at random
+    (name, clickx, clicky) = random.choice(candidates)
+    logging.info("Clicking on %s at (%d,%d)" % (name, clickx, clicky))
+    move_to(mon, clickx, clicky)
+    click(mon)

scripts/listwins.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+# Volatility setup boilerplate
+import volatility.conf as conf
+import volatility.registry as registry
+registry.PluginImporter()
+config = conf.ConfObject()
+import volatility.commands as commands
+import volatility.addrspace as addrspace
+registry.register_global_options(config, commands.Command)
+registry.register_global_options(config, addrspace.BaseAddressSpace)
+config.parse_options()
+
+import volatility.plugins.gui.windows as windows
+
+main_desktop = None
+def get_windows():
+    global main_desktop, config
+    winlist = []
+    if main_desktop is None:
+        # First time. Do the hard work of finding the desktop list and
+        # pick the one with the most windows as our "main" desktop
+        wplug = windows.Windows(config)
+        desktops = []
+        for winsta, atom_tables in wplug.calculate():
+            for desktop in winsta.desktops():
+                num = 0
+                for wnd, level in desktop.windows(desktop.DeskInfo.spwnd):
+                    num += 1
+                    winlist.append(wnd)
+                desktops.append( (num, desktop) )
+        desktops.sort()
+        main_desktop = desktops[-1][1]
+    else:
+        for wnd, level in main_desktop.windows(main_desktop.DeskInfo.spwnd):
+            winlist.append(wnd)
+    return winlist
+
+def setup(os, loc):
+    global config
+    config.PROFILE = os
+    config.LOCATION = loc
+    # Do one scan to initialize things
+    get_windows()
+
+if __name__ == "__main__":
+    setup("Win7SP1x86", "qemu:///home/moyix/qemu_pmem.0")
+
+    from IPython import embed
+    embed()

scripts/mon_util.py

@@ -0,0 +1,42 @@
+import logging
+import time
+import string
+
+keymap = {
+    '-': 'minus',
+    '=': 'equal',
+    '[': 'bracket_left',
+    ']': 'bracket_right',
+    ';': 'semicolon',
+    '\'': 'apostrophe',
+    '\\': 'backslash',
+    ',': 'comma',
+    '.': 'dot',
+    '/': 'slash',
+    '*': 'asterisk',
+    ' ': 'spc',
+    '_': 'shift-minus',
+    '+': 'shift-equal',
+    '{': 'shift-bracket_left',
+    '}': 'shift-bracket_right',
+    ':': 'shift-semicolon',
+    '"': 'shift-apostrophe',
+    '|': 'shift-backslash',
+    '<': 'shift-comma',
+    '>': 'shift-dot',
+    '?': 'shift-slash',
+    '\n': 'ret',
+}
+
+def mon_cmd(s, mon):
+    mon.write(s)
+    logging.info(mon.read_until("(qemu)"))
+
+def guest_type(s, mon):
+    for c in s:
+        if c in string.ascii_uppercase:
+            key = 'shift-' + c.lower()
+        else:
+            key = keymap.get(c, c)
+        mon_cmd('sendkey {0}\n'.format(key), mon)
+        time.sleep(.1)

scripts/runmal.py

@@ -6,7 +6,6 @@
 import os
 import shutil
 import socket
-import string
 import subprocess
 import sys
 import telnetlib
@@ -16,32 +15,10 @@
 import pefile
 import sqlite3
 import hashlib
-
-keymap = {
-    '-': 'minus',
-    '=': 'equal',
-    '[': 'bracket_left',
-    ']': 'bracket_right',
-    ';': 'semicolon',
-    '\'': 'apostrophe',
-    '\\': 'backslash',
-    ',': 'comma',
-    '.': 'dot',
-    '/': 'slash',
-    '*': 'asterisk',
-    ' ': 'spc',
-    '_': 'shift-minus',
-    '+': 'shift-equal',
-    '{': 'shift-bracket_left',
-    '}': 'shift-bracket_right',
-    ':': 'shift-semicolon',
-    '"': 'shift-apostrophe',
-    '|': 'shift-backslash',
-    '<': 'shift-comma',
-    '>': 'shift-dot',
-    '?': 'shift-slash',
-    '\n': 'ret',
-}
+import tempfile
+import atexit
+from mon_util import mon_cmd, guest_type
+import click_buttons
 
 def md5_for_file(fname, block_size=2**20):
     f = open(fname, 'rb')
@@ -55,18 +32,39 @@ def md5_for_file(fname, block_size=2**20):
     f.close()
     return digest
 
-def mon_cmd(s, mon):
-    mon.write(s)
-    logging.info(mon.read_until("(qemu)"))
+def cleanup():
+    # Move sample to the finished queue
+    logging.info("Moving sample into 'finished' queue.")
+    shutil.move(
+        sample_file,
+        os.path.join(queuedir, 'finished', sample_name)
+    )
+
+    # Cleanup
+    os.unlink(qemu_socket)
+    os.unlink(iso_file)
+    os.unlink(new_qcow)
+    panda_stdout.close()
+    panda_stderr.close()
+
+    # Write to DB
+    conn = sqlite3.connect(database)
+    c = conn.cursor()
+    while True:
+        try:
+            c.execute('INSERT INTO samples VALUES(?,?,?)', (run_id, sample_name, sample_md5))
+            break
+        except sqlite3.OperationalError:
+            pass
+    c.close()
+    conn.commit()
+    conn.close()
+
+    # All done, write the stamp
+    stampfile = os.path.join(logdir, 'stamps', run_id)
+    open(stampfile, 'w').close()
 
-def guest_type(s, mon):
-    for c in s:
-        if c in string.ascii_uppercase:
-            key = 'shift-' + c.lower()
-        else:
-            key = keymap.get(c, c)
-        mon_cmd('sendkey {0}\n'.format(key), mon)
-        time.sleep(.1)
+atexit.register(cleanup)
 
 conf = ConfigParser.ConfigParser()
 conf.read(sys.argv[1])
@@ -194,6 +192,14 @@ def guest_type(s, mon):
 logging.info("Copying file to desktop.")
 guest_type(r"copy D:\{0} C:\Users\qemu\Desktop".format(sample_name) + '\n', mon)
 
+# Create our memory access socket
+qemu_socket = tempfile.mktemp()
+logging.info("Creating memory access socket: {0}".format(qemu_socket))
+mon_cmd("pmemaccess {0}\n".format(qemu_socket), mon)
+
+# Warm up the Volatility part
+click_buttons.setup("Win7SP1x64" if is_64bit else "Win7SP1x86", "qemu://" + qemu_socket)
+
 # Run the sample
 logging.info("Starting sample.")
 # Handle 3 cases: driver, exe, dll
@@ -210,40 +216,15 @@ def guest_type(s, mon):
 
 # Wait
 logging.info("Sleeping for {0} seconds...".format(exec_time))
-time.sleep(exec_time)
+# Every 30 seconds, look for a button
+period = 10
+for _ in range(exec_time / period):
+    time.sleep(period)
+    click_buttons.click_buttons(mon)
 
 # End the record
 logging.info("Ending record.")
 mon_cmd("end_record\n", mon)
 logging.info("Quitting PANDA.")
 mon.write("q\n")
 
-# Move sample to the finished queue
-logging.info("Moving sample into 'finished' queue.")
-shutil.move(
-    sample_file,
-    os.path.join(queuedir, 'finished', sample_name)
-)
-
-# Cleanup
-os.unlink(iso_file)
-os.unlink(new_qcow)
-panda_stdout.close()
-panda_stderr.close()
-
-# Write to DB
-conn = sqlite3.connect(database)
-c = conn.cursor()
-while True:
-    try:
-        c.execute('INSERT INTO samples VALUES(?,?,?)', (run_id, sample_name, sample_md5))
-        break
-    except sqlite3.OperationalError:
-        pass
-c.close()
-conn.commit()
-conn.close()
-
-# All done, write the stamp
-stampfile = os.path.join(logdir, 'stamps', run_id)
-open(stampfile, 'w').close()