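#!/bin/bash
#
# analysis.sh - build a PDF report for one Cuckoo analysis from its memory dump.
#
# Usage:    analysis.sh <memory-image>
#           Run as root from ~/.cuckoo/storage/analyses/{n}.  SKIP_CHECKS=1
#           bypasses the working-directory check; mem_profile=<name> overrides
#           the volatility profile that `imageinfo` would otherwise suggest.
# Reads:    $1 (memory image handed to volatility), reports/report.json, task.json
# Writes:   /opt/latex-gen/main.tex and /opt/latex-gen/main.pdf
# Needs:    volatility (v2 CLI), jq, docker (pulls the blang/latex image)
#
# Security notes (review):
#  * Every string pulled from the memory image or the Cuckoo log (process
#    names, environment variables, services, DLL paths, log lines) originates
#    from the sample under analysis and must be treated as hostile.  It is
#    interpolated into a .tex file that pdflatex then interprets, so table
#    cells are escaped (latex_escape) and listing bodies are sanitised
#    (listing_safe) before they are written.
#  * The report embeds `hashdump` output (credential hashes from the sandbox
#    guest), so the output directory and .tex file are created root-only.
#  * Typesetting runs in a throw-away container with networking disabled.

# -u catches misspelled variable names.  -e is deliberately NOT set: a
# volatility plugin that the selected profile does not support should only
# produce an empty section, not abort the whole report (stderr of each plugin
# is discarded for the same reason, as in the original).
set -u

readonly OUT_DIR=/opt/latex-gen
readonly LATEX_IMAGE=blang/latex

# Status message in blinking yellow on stdout.
# The message is passed as a printf argument, never as the format string, so
# a '%' or '\' in it is printed literally.
EchoStatus() {
  printf '\033[33;5m%s\033[0m\n' "$1"
}

# Warning in blinking red, on stderr so it never ends up in captured output.
EchoWarn() {
  printf '\033[31;5m%s\033[0m\n' "$1" >&2
}

# Escape LaTeX special characters in stdin, for text that is typeset directly
# (table cells, \title) rather than placed in a verbatim listing.
# Backslashes are swapped for a \001 sentinel first so the backslashes added
# for the other characters are not rewritten again; pre-existing \001 bytes
# are dropped.  None of the escapes contains a space, so callers may still
# split columns on whitespace afterwards.  Empty input yields empty output.
latex_escape() {
  local s=$'\001'
  LC_ALL=C tr -d '\001' | LC_ALL=C sed \
    -e "s/\\\\/$s/g" \
    -e 's/[&%$#_{}]/\\&/g' \
    -e 's/~/\\textasciitilde{}/g' \
    -e 's/\^/\\textasciicircum{}/g' \
    -e "s/$s/\\\\textbackslash{}/g"
}

# Prepare attacker-influenced text for a lstlisting body: keep only printable
# ASCII, tab and newline (raw binary or invalid UTF-8 in the .tex file can
# make pdflatex halt), and break any literal \end{lstlisting}, which would
# otherwise terminate the listing early and let the remainder of the data be
# read as LaTeX.  Non-ASCII characters are dropped as a consequence.
listing_safe() {
  LC_ALL=C tr -cd '\11\12\40-\176' \
    | sed 's/\\end{lstlisting}/\\end{lst listing}/g'
}

# Run one volatility plugin against the selected image and profile.
vol() {
  volatility -f "$memory_image" --profile="$mem_profile" "$@" 2>/dev/null
}

# --- preflight ---------------------------------------------------------------
if [[ "$EUID" -ne 0 ]]; then
  EchoWarn "Please run as root... exiting"
  exit 1
fi

if [[ -z "${1:-}" || ! -r "$1" ]]; then
  EchoWarn "Usage: $0 <memory-image>   (the image must exist and be readable)"
  exit 1
fi
memory_image=$1

# The original pattern used an unescaped '.', which matched any character.
if [[ -z "${SKIP_CHECKS:-}" ]] \
   && ! [[ "$PWD" =~ \.cuckoo/storage/analyses/[0-9]+ ]]; then
  EchoWarn "This script is intended to be called while you are in ~/.cuckoo/storage/analyses/{n}"
  exit 1
fi

# Fail early: without any of these the run would only fail after all the
# (slow) memory analysis had been done.
for tool in volatility jq docker; do
  if ! command -v "$tool" >/dev/null; then
    EchoWarn "Please ensure $tool is installed"
    exit 1
  fi
done
for f in reports/report.json task.json; do
  if [[ ! -r "$f" ]]; then
    EchoWarn "Missing $f - is this a Cuckoo analysis directory?"
    exit 1
  fi
done

# Root-only output: the report contains credential hashes.
# NOTE(review): assumes the pdflatex container runs as root (docker's default
# unless the image sets USER); a non-root container user could not write
# main.pdf into a 0700 directory - confirm against the image.
umask 077
EchoStatus "Creating $OUT_DIR"
mkdir -p "$OUT_DIR" && chmod 0700 "$OUT_DIR"

# --- volatility --------------------------------------------------------------
EchoStatus "Generating Memory Profile"
if [[ -z "${mem_profile:-}" ]]; then
  # First entry of the "Suggested Profile(s) : A, B, C" line.
  mem_profile=$(volatility -f "$memory_image" imageinfo 2>/dev/null \
    | sed -n 's/^ *Suggested Profile(s) *: *//p' \
    | head -n 1 | cut -d, -f1 | tr -d '[:space:]')
fi
if [[ -z "$mem_profile" ]]; then
  # Without a profile every plugin below would silently produce nothing.
  EchoWarn "Could not determine a volatility profile for $memory_image (set mem_profile=... to override)"
  exit 1
fi

## Psxview Section - one tabular row per process; columns are whitespace
## separated in volatility's output, so every run of spaces becomes ' & '.
EchoStatus "Generating psxview report"
psxview_report=$(vol psxview | tail -n +3 | latex_escape \
  | sed 's/  */ \& /g;s/$/ \\\\/')

## Svcscan Section
EchoStatus "Generating svcscan report"
svcscan_scan=$(vol svcscan | listing_safe)

## Dlllist Section
EchoStatus "Generating dlllist report"
dlllist_scan=$(vol dlllist | listing_safe)

## Hash Dump Section
EchoStatus "Generating hashdump report"
hashdump_scan=$(vol hashdump | listing_safe)

## Envars Section - columns are split on 2+ spaces, then the offset and PID
## cells are separated explicitly because their padding may be a single space.
## Escaping happens before splitting so a '&' in a value cannot add a column.
EchoStatus "Generating envars report"
envars_scan=$(vol envars | tail -n +3 | latex_escape \
  | sed -E 's|[ ]{2,}| \& |g;s|(.*)(0x[0-9a-fA-F]{1,})(.*)|\1\2 \&\3|;s|( \& [0-9]{1,})|\1 \&|;s/^ \& //;s/$/ \\\\/')

## Json Report Data
EchoStatus "Generating general run information"
report_json=reports/report.json
report_started=$(date -d "@$(jq -r .info.started "$report_json")")
run_options=$(jq .info.options "$report_json")
run_score=$(jq .info.score "$report_json")
# .debug.log is printed as a JSON array; strip the brackets, the indentation
# and the trailing '\n",' of each element.
run_log=$(jq -r .debug.log "$report_json" | tail -n +2 | head -n -1 \
  | sed -E 's/[ ]{1,}"//g;s/\\n"[,]{0,1}$//g' | listing_safe)
target_name=$(basename -- "$(jq -r .target task.json)")
target_tex=$(printf '%s' "$target_name" | latex_escape)
run_id=$(jq -r .id task.json)

# --- LaTeX -------------------------------------------------------------------
EchoStatus "Generating $OUT_DIR/main.tex"
tex_file="$OUT_DIR/main.tex"
EchoStatus "Generating LaTeX Doc"
# Static LaTeX goes through unquoted here-documents, which treat backslashes
# exactly as the original's double-quoted echo strings did (\\\\ -> \\, \hline
# untouched) while still expanding $variables.  Report data is written with
# printf '%s' so that text starting with "-n"/"-e" or containing '%' cannot
# be misread by echo/printf.
{
cat <<EOF
\documentclass[12pt]{article}
\usepackage[margin=1in]{geometry} % Set margin to 1in
\usepackage{tgtermes} % Times Font
\usepackage{setspace} % Set spacing to 1.5
\onehalfspacing
\usepackage{graphicx} % Include Graphicx
\graphicspath{{./images}}
\usepackage{hyperref}
\usepackage{float}
\usepackage{listings}
\usepackage{tabularx}
\usepackage{ltablex}
\usepackage{multicol}
\newcolumntype{s}{>{\hsize=.45\hsize}X}
\newcolumntype{m}{>{\hsize=.95\hsize}X}
\newcolumntype{b}{>{\hsize=1.5\hsize}X}
\lstset{
  basicstyle=\small\ttfamily,
  columns=flexible,
  breaklines=true
}
\title{Cuckoo Report for: $target_tex}
\author{Report generated with analysis.sh}
\date{\today}
\begin{document}
\maketitle
\newpage
\tableofcontents
\newpage
EOF

# Basic info section
cat <<EOF
\section{Basic Information}
\begin{lstlisting}[ basicstyle=\small ]
Run Started: $report_started
Memory Profile Used: $mem_profile
Run Options: $run_options
Run Score: $run_score
Executable Name: $target_name
Cuckoo Run ID: $run_id
\end{lstlisting}
EOF

# Psxview section (13 columns, matching the header below)
cat <<EOF
\section{Psxview Log}
\tiny
\begin{tabularx}{\linewidth}{ |b|m|s|s|s|s|s|s|s|s|s|s|s| }
\hline
Offset & Name & PID & pslist & psscan & thrdproc & pspcid & csrss & session & deskthrd & Exit Date & Exit Time & Exit Zone \\\\ \hline
EOF
printf '%s\n' "$psxview_report"
cat <<EOF
\hline
\end{tabularx}
EOF

# Svcscan Section
cat <<EOF
\section{Svcscan Section}
\begin{multicols}{2}
\begin{lstlisting}[ basicstyle=\tiny ]
EOF
printf '%s\n' "$svcscan_scan"
cat <<EOF
\end{lstlisting}
\end{multicols}
EOF

# Run log section
cat <<EOF
\section{Run Log}
\begin{lstlisting}[ basicstyle=\tiny ]
EOF
printf '%s\n' "$run_log"
cat <<EOF
\end{lstlisting}
EOF

# User HashDump Section
cat <<EOF
\section{Hash Dump}
\begin{lstlisting}[ basicstyle=\small ]
EOF
printf '%s\n' "$hashdump_scan"
cat <<EOF
\end{lstlisting}
EOF

# Envar Section
cat <<EOF
\section{Envars}
\tiny
\begin{tabularx}{\linewidth}{ |s|s|m|m|b| }
\hline
Pid & Process Name & Offset & Var & Value \\\\ \hline
EOF
printf '%s\n' "$envars_scan"
cat <<EOF
\hline
\end{tabularx}
EOF

# Dlllist Section
cat <<EOF
\section{Dlllist}
\begin{lstlisting}[ basicstyle=\tiny ]
EOF
printf '%s\n' "$dlllist_scan"
cat <<EOF
\end{lstlisting}
EOF

# File end
cat <<EOF
\end{document}
EOF
} > "$tex_file"

# --- Docker ------------------------------------------------------------------
EchoStatus "Ensureing docker image is present"
# Best effort, as before: a cached image is still usable when offline.
docker pull "$LATEX_IMAGE" >/dev/null \
  || EchoWarn "Could not refresh $LATEX_IMAGE; using any cached copy"

EchoStatus "Typesetting LaTeX Doc"
# Two passes so \tableofcontents (written to main.toc on the first run, read
# on the second) is not empty.  No TTY is requested: the script is not
# interactive and 'docker run -t' fails when stdin is not a terminal.
# Networking is disabled because pdflatex needs none and its input is
# attacker-derived.
typeset_ok=true
for _ in 1 2; do
  if ! docker run --rm --network none -v "$OUT_DIR":/mnt "$LATEX_IMAGE" \
       pdflatex -halt-on-error -interaction=batchmode \
       -output-directory=/mnt /mnt/main.tex >/dev/null; then
    typeset_ok=false
    break
  fi
done

if $typeset_ok; then
  EchoStatus "$OUT_DIR/main.pdf has been created"
else
  EchoWarn "There was an issue generating main.pdf"
  EchoWarn "See $OUT_DIR/main.log for the pdflatex error"
  exit 1
fi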