#!/usr/bin/env python
__author__ = 'AR'
import json, sys, subprocess, string, os, time
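sampleNum = 0  # counter that names successive trace files: 0000.trace, 0001.trace, ...

# Hand-rolled flag parsing: -f <command file> -o <directory for the .trace files>.
# Both values are required; anything else prints the usage line and exits.
USAGE = "Usage: ./ntTraceextractor -f [imput command file] -o [destination for nttrace files]"

if len(sys.argv) < 5:
    print(USAGE)
    sys.exit(2)  # 2 is the conventional exit status for a command-line usage error

inputCmdFile = None  # path given with -f, read by main()
destPath = None      # directory given with -o, used by executeChildProcess()
# Iterate over argv[:-1] so a flag that happens to be the last argument cannot
# index one past the end (the original loop raised IndexError in that case).
for i, arg in enumerate(sys.argv[:-1]):
    if arg == '-f':
        inputCmdFile = sys.argv[i + 1]
    elif arg == '-o':
        destPath = sys.argv[i + 1]

# Without this check a missing flag only surfaced later as a NameError inside main().
if inputCmdFile is None or destPath is None:
    print(USAGE)
    sys.exit(2)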
########## Execute the command as child process ##########
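def executeChildProcess(command, runSeconds=2):
    """Run ``nttrace <command>`` for ``runSeconds`` seconds, capturing its stdout.

    The trace goes to ``<destPath>/NNNN.trace``, where NNNN is the zero-padded
    module-level ``sampleNum``; that counter is advanced by one per call.
    ``destPath`` is the module-level destination directory set from ``-o``.

    Args:
        command: command line to trace. It is appended to ``nttrace`` and handed
            to the shell (``shell=True``), so it may carry arguments -- but it is
            not escaped or validated, so only trusted command files belong here.
        runSeconds: how long the traced process may run before it is stopped.
    """
    global sampleNum
    # strip(): lines read from the command file still carry their newline,
    # which would otherwise be passed through to the shell.
    modifiedCommand = 'nttrace ' + str(command).strip()
    # os.path.join rather than plain concatenation: the original only worked
    # when destPath ended with a separator; otherwise the files landed next to
    # the destination directory with its name as a prefix.
    tracePath = os.path.join(destPath, str(sampleNum).zfill(4) + '.trace')
    # stderr is sent to the null device instead of an undrained PIPE: a pipe
    # nobody reads can fill up and block the child, and leaks a handle per call.
    with open(tracePath, 'a') as f, open(os.devnull, 'w') as devnull:
        sampleNum += 1
        ps = subprocess.Popen(modifiedCommand, stderr=devnull, stdout=f, shell=True)
        time.sleep(runSeconds)
        if ps.poll() is None:
            # still running after the window -- stop it (terminate() on an
            # already-exited process can raise on some platforms)
            ps.terminate()
        ps.wait()  # reap the child so no zombie / open process handle is left behind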
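def main():
    """Trace every .exe in System32, then every command listed in the -f file.

    ``inputCmdFile`` is the module-level path set from ``-f``; each non-blank
    line of it is traced with executeChildProcess after the System32 sweep.
    """
    with open(inputCmdFile, 'r') as cmdFile:
        # Blank lines are dropped: each one would otherwise spawn a bare
        # "nttrace" and consume a sample number.
        cmdList = [line.strip() for line in cmdFile if line.strip()]

    # Specify the path to the benign executables for filesList variable.
    # Raw string: the original "C:\Windows\System32\\" only worked because
    # "\W" and "\S" are not escape sequences; newer Pythons warn about it.
    system32 = r"C:\Windows\System32"
    # Executables the original intended to skip. Note the original compared
    # against "shutdown" (no extension), so shutdown.exe was never excluded.
    skipped = ("logoff.exe", "shutdown.exe")
    # sorted() gives a reproducible mapping from sample number to executable;
    # os.listdir order is arbitrary.
    for exeFile in sorted(os.listdir(system32)):
        lowered = exeFile.lower()  # Windows names are case-insensitive (.EXE vs .exe)
        if lowered.endswith(".exe") and lowered not in skipped:
            # Pass the full path so the shell traces exactly this file rather
            # than whatever a bare name resolves to via the working directory
            # or PATH.
            executeChildProcess(os.path.join(system32, exeFile))

    for cmd in cmdList:
        executeChildProcess(cmd)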
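if __name__ == "__main__":
    # Single-argument print() calls so the banner and footer run under both
    # Python 2 and 3 (the original print statements were Python 2 only).
    print('{:*^70}'.format(" Machine Learning and Malware Classification "))
    main()
    print('{:*^70}'.format('All Strace stored to ' + destPath + ' directory'))
    print('')  # blank separator line in both Python versions
    print('{:*^70}'.format(" EOP "))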