Class: RCS::Backdoor::Backdoor

Inherits:

Object

• Object
• RCS::Backdoor::Backdoor

Includes:

Tracer

Defined in:

lib/rcs-backdoor/backdoor.rb

Instance Attribute Summary

• #conf_key ⇒ Object readonly

  Returns the value of attribute conf_key.

• #deviceid ⇒ Object readonly

  Returns the value of attribute deviceid.

• #evidence_key ⇒ Object readonly

  Returns the value of attribute evidence_key.

• #evidences ⇒ Object readonly

  Returns the value of attribute evidences.

• #id ⇒ Object readonly

  Returns the value of attribute id.

• #instance ⇒ Object readonly

  Returns the value of attribute instance.

• #scout ⇒ Object

  Returns the value of attribute scout.

• #signature ⇒ Object readonly

  Returns the value of attribute signature.

• #soldier ⇒ Object

  Returns the value of attribute soldier.

• #sourceid ⇒ Object readonly

  Returns the value of attribute sourceid.

• #type ⇒ Object readonly

  Returns the value of attribute type.

• #userid ⇒ Object readonly

  Returns the value of attribute userid.

• #version ⇒ Object readonly

  Returns the value of attribute version.

Instance Method Summary

• #create_evidences(num, type = :RANDOM) ⇒ Object

  create some evidences.

• #initialize(binary_file, ident_file, options = {}) ⇒ Backdoor constructor

  setup all the backdoor parameters.

• #load_yaml(path) ⇒ Object
• #sync(host, delete_evidence = true) ⇒ Object

  perform the synchronization with the server.

Constructor Details

#initialize(binary_file, ident_file, options = {}) ⇒ Backdoor

setup all the backdoor parameters

# File 'lib/rcs-backdoor/backdoor.rb', line 51

def initialize(binary_file, ident_file, options = {})
  @options = options

  # parse the parameters from the binary patched constants
  trace :debug, "Parsing binary data..."
  binary = load_yaml(binary_file)

  # instantiate le empty log queue
  @evidences = []
  
  # plain string 'RCS_000000000x'
  @id = binary['BACKDOOR_ID']
  
  # the subtype of the backdoor (eg: WIN32, BLACKBERRY...)
  @type = binary['BACKDOOR_TYPE']
  
  # the conf key is passed as a string taken from the db
  # we need to calculate the MD5 and use it in binary form
  @conf_key = Digest::MD5.digest binary['CONF_KEY']
  
  # the log key is passed as a string taken from the db
  # we need to calculate the MD5 and use it in binary form
  @evidence_key = Digest::MD5.digest binary['EVIDENCE_KEY']
  
  # the backdoor signature is passed as a string taken from the db
  # we need to calculate the MD5 and use it in binary form
  @signature = Digest::MD5.digest binary['SIGNATURE']
  
  # the backdoor version
  @version = binary['VERSION']
  
  ident = load_yaml(ident_file)
  ident['INSTANCE_ID'] = ident['INSTANCE_ID'][0..-((@options[:tag].size)+2)]+"_"+@options[:tag] if @options[:tag]
  # the instance is passed as a string taken from the db
  # we need to convert to binary
  @instance = [ident['INSTANCE_ID']].pack('H*')

  # directory where evidence files are be stored
  @evidence_dir = File.join(Dir.pwd, 'evidence', ident['INSTANCE_ID'])
  
  @userid = ident['USERID'] || ''
  @deviceid = ident['DEVICEID'] || ''
  @sourceid = ident['SOURCEID'] || ''

  @info = { :device_id => @deviceid, :user_id => @userid, :source_id => @sourceid }

  trace :debug, "Backdoor instantiated: " << @id << @instance.unpack('H*').to_s
  trace :debug, "Backdoor ident: [#{@userid}] [#{@deviceid}] [#{@sourceid}]"

  @scout = false

  begin
    # instantiate the sync object with the protocol to be used
    # and a reference to the backdoor
    @sync = Sync.new(:REST, self)
  rescue Exception => detail
    trace :fatal, "ERROR: " << detail.to_s
    raise
  end
end

Instance Attribute Details

#conf_key ⇒ Object (readonly)

Returns the value of attribute conf_key.

# File 'lib/rcs-backdoor/backdoor.rb', line 36

def conf_key
  @conf_key
end

#deviceid ⇒ Object (readonly)

Returns the value of attribute deviceid.

# File 'lib/rcs-backdoor/backdoor.rb', line 42

def deviceid
  @deviceid
end

#evidence_key ⇒ Object (readonly)

Returns the value of attribute evidence_key.

# File 'lib/rcs-backdoor/backdoor.rb', line 37

def evidence_key
  @evidence_key
end

#evidences ⇒ Object (readonly)

Returns the value of attribute evidences.

# File 'lib/rcs-backdoor/backdoor.rb', line 45

def evidences
  @evidences
end

#id ⇒ Object (readonly)

Returns the value of attribute id.

# File 'lib/rcs-backdoor/backdoor.rb', line 33

def id
  @id
end

#instance ⇒ Object (readonly)

Returns the value of attribute instance.

# File 'lib/rcs-backdoor/backdoor.rb', line 34

def instance
  @instance
end

#scout ⇒ Object

Returns the value of attribute scout.

# File 'lib/rcs-backdoor/backdoor.rb', line 47

def scout
  @scout
end

#signature ⇒ Object (readonly)

Returns the value of attribute signature.

# File 'lib/rcs-backdoor/backdoor.rb', line 38

def signature
  @signature
end

#soldier ⇒ Object

Returns the value of attribute soldier.

# File 'lib/rcs-backdoor/backdoor.rb', line 48

def soldier
  @soldier
end

#sourceid ⇒ Object (readonly)

Returns the value of attribute sourceid.

# File 'lib/rcs-backdoor/backdoor.rb', line 43

def sourceid
  @sourceid
end

#type ⇒ Object (readonly)

Returns the value of attribute type.

# File 'lib/rcs-backdoor/backdoor.rb', line 35

def type
  @type
end

#userid ⇒ Object (readonly)

Returns the value of attribute userid.

# File 'lib/rcs-backdoor/backdoor.rb', line 41

def userid
  @userid
end

#version ⇒ Object (readonly)

Returns the value of attribute version.

# File 'lib/rcs-backdoor/backdoor.rb', line 39

def version
  @version
end

Instance Method Details

#create_evidences(num, type = :RANDOM) ⇒ Object

create some evidences

# File 'lib/rcs-backdoor/backdoor.rb', line 149

def create_evidences(num, type = :RANDOM)
  # ensure the directory is created

  FileUtils.rm_rf(@evidence_dir)

  FileUtils.mkpath(@evidence_dir) if not File.directory?(@evidence_dir)
  
  real_type = type
  
  # generate the evidence
  num.times do
    #real_type = RCS::EVIDENCE_TYPES.values.sample if type == :RANDOM
    real_type = [:APPLICATION, :DEVICE, :CHAT, :CLIPBOARD, :CAMERA, :INFO, :KEYLOG, :SCREENSHOT, :MOUSE, :FILEOPEN, :FILECAP].sample if type == :RANDOM
    Evidence.new(@evidence_key).generate(real_type, @info).dump_to_file(@evidence_dir)
  end
end

#load_yaml(path) ⇒ Object

# File 'lib/rcs-backdoor/backdoor.rb', line 112

def load_yaml(path)
  File.open(path, "r") do |f|
    hash = YAML.load(f.read)
    is_single_config = hash.keys.include?("INSTANCE_ID")
    return hash if is_single_config
    config_name = @options[:config_name] || "default"
    hash[config_name] || raise("Unable to find configuration #{config_name.inspect} in file #{File.basename(path)}")
    return hash[config_name]
  end
rescue Exception => ex
  trace :fatal, "Cannot load yaml file #{File.basename(path)}: #{ex.message}"
  exit(1)
end

#sync(host, delete_evidence = true) ⇒ Object

perform the synchronization with the server

# File 'lib/rcs-backdoor/backdoor.rb', line 127

def sync(host, delete_evidence = true)
  trace :debug, "Loading evidences in memory ..."
  # retrieve the evidence from the local dir
  Dir["#{@evidence_dir}/*"].each do |f|
    @evidences << Evidence.new(@evidence_key).load_from_file(f)
  end

  trace :debug, "Synchronizing ..."
  # perform the sync
  @sync.perform host

  if delete_evidence
    trace :debug, "Deleting evidences ..."
    # delete all evidence sent
    Dir["#{@evidence_dir}/*"].each do |f|
      File.delete(f)
    end
  end

end