Merge pull request #2001 from winson0123/linux-support

Linux support
kevoreilly · Mar 13, 2024 · d46b28e · d46b28e
2 parents 0b9167d + 2581393
commit d46b28e
Show file tree

Hide file tree

Showing 92 changed files with 7,181 additions and 3,351 deletions.
diff --git a/analyzer/linux/analyzer.py b/analyzer/linux/analyzer.py
@@ -168,7 +168,7 @@ def run(self):
  if not package_class:
  raise Exception("Could not find an appropriate analysis package")
  # Package initialization
- kwargs = {"options": self.config.options, "timeout": self.config.timeout}
+ kwargs = {"options": self.config.options, "timeout": self.config.timeout, "strace_ouput": PATHS["logs"]}
 
  # Initialize the analysis package.
  # pack = package_class(self.config.get_options())
@@ -306,6 +306,12 @@ def run(self):
  upload_to_host(package[0], os.path.join("files", package[1]))
  except Exception as e:
  log.warning('The package "%s" package_files function raised an exception: %s', package_class, e)
+ try:
+ # Upload the strace logs to host
+ for file in os.listdir(PATHS["logs"]):
+ upload_to_host(os.path.join(PATHS["logs"], file), os.path.join("logs", file))
+ except Exception as e:
+ log.warning('The strace log failed to transfer:', e)
 
  # Terminate the Auxiliary modules.
  log.info("Stopping auxiliary modules")

diff --git a/analyzer/linux/lib/common/apicalls.py b/analyzer/linux/lib/common/apicalls.py
diff --git a/analyzer/linux/lib/core/packages.py b/analyzer/linux/lib/core/packages.py
@@ -7,10 +7,9 @@
 import logging
 import subprocess
 import timeit
-from os import environ, path, sys, waitpid
+from os import environ, path, sys
 
 from lib.api.process import Process
-from lib.common.apicalls import apicalls
 from lib.common.results import NetlogFile
 
 log = logging.getLogger(__name__)
@@ -97,6 +96,7 @@ def __init__(self, target, **kwargs):
  self.free = self.options.get("free")
  self.proc = None
  self.pids = []
+ self.strace_output = kwargs.get("strace_ouput", "/tmp")
 
  def set_pids(self, pids):
  """Update list of monitored PIDs in the package context.
@@ -118,18 +118,9 @@ def start(self):
  # Remove the trailing slash (if any)
  self.target = filepath.rstrip("/")
  self.prepare()
- self.normal_analysis()
+ # self.normal_analysis()
+ self.strace_analysis()
  return self.proc.pid
- """
- if self.free:
- self.normal_analysis()
- return self.proc.pid
- elif self.method == "apicalls":
- self.apicalls_analysis()
- return self.proc.pid
- else:
- raise Exception("Unsupported analysis method. Try 'apicalls'")
- """
 
  def check(self):
  """Check."""
@@ -157,38 +148,36 @@ def finish(self):
  def get_pids(self):
  return []
 
- def apicalls_analysis(self):
+ def strace_analysis(self):
  kwargs = {"args": self.args, "timeout": self.timeout, "run_as_root": self.run_as_root}
  log.info(self.target)
- cmd = apicalls(self.target, **kwargs)
- stap_start = timeit.default_timer()
+
+ target_cmd = f'{self.target}'
+ if "args" in kwargs:
+ target_cmd += f' {" ".join(kwargs["args"])}'
+
+ cmd = f"sudo strace -ttffn -o {self.strace_output}/strace.log {target_cmd}"
  log.info(cmd)
  self.proc = subprocess.Popen(
  cmd, env={"XAUTHORITY": "/root/.Xauthority", "DISPLAY": ":0"}, stderr=subprocess.PIPE, shell=True
  )
-
- while b"systemtap_module_init() returned 0" not in self.proc.stderr.readline():
- # log.debug(self.proc.stderr.readline())
- pass
-
- stap_stop = timeit.default_timer()
- log.info("Process startup took %.2f seconds", stap_stop - stap_start)
+ log.info("Process started with strace")
  return True
 
  def normal_analysis(self):
  kwargs = {"args": self.args, "timeout": self.timeout, "run_as_root": self.run_as_root}
 
  # cmd = apicalls(self.target, **kwargs)
  cmd = f"{self.target} {' '.join(kwargs['args'])}"
- stap_start = timeit.default_timer()
+ process_start = timeit.default_timer()
  self.proc = subprocess.Popen(
  cmd, env={"XAUTHORITY": "/root/.Xauthority", "DISPLAY": ":0"}, stderr=subprocess.PIPE, shell=True
  )
 
  log.debug(self.proc.stderr.readline())
 
- stap_stop = timeit.default_timer()
- log.info("Process startup took %.2f seconds", stap_stop - stap_start)
+ process_stop = timeit.default_timer()
+ log.info("Process startup took %.2f seconds", process_start - process_stop)
  return True
 
  @staticmethod
@@ -200,19 +189,6 @@ def _upload_file(local, remote):
  nf.sock.sendall(chunk) # dirty direct send, no reconnecting
  nf.close()
 
- def stop(self):
- log.info("Package requested stop")
- try:
- r = self.proc.poll()
- log.debug("stap subprocess retval %d", r)
- self.proc.kill()
- # subprocess.check_call(["sudo", "kill", str(self.proc.pid)])
- waitpid(self.proc.pid, 0)
- self._upload_file("stap.log", "logs/all.stap")
- except Exception as e:
- log.warning("Exception uploading log: %s", e)
-
-
 def _string_to_bool(raw):
  if not isinstance(raw, str):
  raise Exception("Unexpected input: not a string :/")

diff --git a/analyzer/linux/modules/auxiliary/filecollector.py b/analyzer/linux/modules/auxiliary/filecollector.py
@@ -129,7 +129,7 @@ def _method_name(self, event):
  # log.info("Path is a directory or does not exist, ignoring: %s", event.pathname)
  return
 
- if os.path.basename(event.pathname) == "stap.log":
+ if "strace.log" in os.path.basename(event.pathname):
  return
 
  try:

diff --git a/analyzer/linux/modules/auxiliary/stap.py b/analyzer/linux/modules/auxiliary/stap.py
diff --git a/changelog.md b/changelog.md
@@ -1,5 +1,10 @@
 ### [12.03.2024]
 * Monitor update: Initial IPv6 support - thanks @cccs-mog
+* Linux support details can be seen in this [Pull Request](https://github.com/kevoreilly/CAPEv2/pull/2001)
+* We remove all `x.conf` to finish the mess with the configs.
+ * DO NOT EDIT `.conf.default` files. cape2.sh makes a copy of them removing `.default`.
+ * If you don't use `cape2.sh`.
+ * Run: `for filename in conf/default/*.conf.default; do cp -vf "./$filename" "./$(echo "$filename" | sed -e 's/.default//g' | sed -e 's/default//g')"; done`
 
 ### [07.03.2024]
 * Monitor updates: