Linux ProcMaps, Lsof, TtyCheck, Elfs plugin integration

noname1007 · Jun 13, 2022 · bc16ff3 · bc16ff3
1 parent 76bc133
commit bc16ff3
Show file tree

Hide file tree

Showing 16 changed files with 410 additions and 7 deletions.
diff --git a/dashboard/static/css/styles.css b/dashboard/static/css/styles.css
@@ -25,10 +25,8 @@ a {
 body {
   height: 100%;
   padding: 0;
-  background-image: url("../images/bg.svg");
-  background-color: #ffffffdd;
-  background-size: cover;
-  background-repeat: repeat;
+  background: url("../images/bg.svg") repeat fixed;
+  background-size: contain;
 }
 
 

diff --git a/dashboard/static/js/linux.js b/dashboard/static/js/linux.js
@@ -8,6 +8,26 @@
       }
     });
 
+    $('#processMapsTable').on('click', 'tbody tr', function(event) {
+      var table = $(this);
+      if (table.hasClass("highlight")){
+        table.removeClass("highlight");
+      }
+      else{
+        table.addClass("highlight");
+      }
+    });
+
+    $('#TtyCheckTable').on('click', 'tbody tr', function(event) {
+      var table = $(this);
+      if (table.hasClass("highlight")){
+        table.removeClass("highlight");
+      }
+      else{
+        table.addClass("highlight");
+      }
+    });
+
     $('#BashTable').on('click', 'tbody tr', function(event) {
       var table = $(this);
       if (table.hasClass("highlight")){
@@ -18,6 +38,36 @@
       }
     });
 
+    $('#ElfsTable').on('click', 'tbody tr', function(event) {
+      var table = $(this);
+      if (table.hasClass("highlight")){
+        table.removeClass("highlight");
+      }
+      else{
+        table.addClass("highlight");
+      }
+    });
+
+    $('#LsofTable').on('click', 'tbody tr', function(event) {
+      var table = $(this);
+      if (table.hasClass("highlight")){
+        table.removeClass("highlight");
+      }
+      else{
+        table.addClass("highlight");
+      }
+    });
+
+    $('#TtyCheck').on('click', 'tbody tr', function(event) {
+      var table = $(this);
+      if (table.hasClass("highlight")){
+        table.removeClass("highlight");
+      }
+      else{
+        table.addClass("highlight");
+      }
+    });
+
       $("#searchProcessList").on("keyup", function() {
         var value = $(this).val().toLowerCase();
         $("#processList tr").filter(function() {
@@ -31,6 +81,35 @@
           $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
         });
       });
+
+      $("#searchProcessMaps").on("keyup", function() {
+        var value = $(this).val().toLowerCase();
+        $("#processMaps tr").filter(function() {
+          $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
+        });
+      });
+
+      $("#searchLsof").on("keyup", function() {
+        var value = $(this).val().toLowerCase();
+        $("#Lsof tr").filter(function() {
+          $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
+        });
+      });
+
+      $("#searchTtyCheck").on("keyup", function() {
+        var value = $(this).val().toLowerCase();
+        $("#TtyCheck tr").filter(function() {
+          $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
+        });
+      });
+
+      $("#searchElfs").on("keyup", function() {
+        var value = $(this).val().toLowerCase();
+        $("#Elfs tr").filter(function() {
+          $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
+        });
+      });
+
       //Process Scan Search function
       $(document).ready(function(){
         $('.container').show();
@@ -62,4 +141,25 @@
         $('.plugin').hide();
         $('.Bash').show();
       });
+
+      $("#ProcMapsLink").on("click", function(){
+        $('.plugin').hide();
+        $('.ProcMaps').show();
+      });
+
+      $("#LsofLink").on("click", function(){
+        $('.plugin').hide();
+        $('.Lsof').show();
+      });
+
+      $("#TtyCheckLink").on("click", function(){
+        $('.plugin').hide();
+        $('.TtyCheck').show();
+      });
+
+      $("#ElfsLink").on("click", function(){
+        $('.plugin').hide();
+        $('.Elfs').show();
+      });
+
     });
diff --git a/investigations/templates/investigations/linux/ma_artifacts/lsof.html b/investigations/templates/investigations/linux/ma_artifacts/lsof.html
@@ -0,0 +1,26 @@
+<div class="mt-5 Lsof plugin">
+  <h6 class="h6">List of openned files</h6>
+  <div class="d-inline">
+    <input class="form-control mb-3" id="searchLsof" type="text" placeholder="Search..">
+  </div>
+  <table id="LsofTable" class="table table-light  card-font Lsof">
+    <thead>
+      <tr>
+        <th scope="col">FD</th>
+        <th scope="col">PID</th>
+        <th scope="col">Path</th>
+        <th scope="col">Process</th>
+      </tr>
+    </thead>
+    <tbody id="Lsof">
+      {% for entry in Lsof %}
+      <tr>
+        <td>{{entry.FD}}</td>
+        <td>{{entry.PID}}</td>
+        <td>{{entry.Path}}</td>
+        <td>{{entry.Process}}</td>
+      </tr>
+      {% endfor %}
+    </tbody>
+  </table>
+</div>
diff --git a/investigations/templates/investigations/linux/ma_artifacts/tty_check.html b/investigations/templates/investigations/linux/ma_artifacts/tty_check.html
@@ -0,0 +1,26 @@
+<div class="mt-5 TtyCheck plugin">
+  <h6 class="h6">List of openned files</h6>
+  <div class="d-inline">
+    <input class="form-control mb-3" id="searchTtyCheck" type="text" placeholder="Search..">
+  </div>
+  <table id="TtyCheckTable" class="table table-light  card-font TtyCheck">
+    <thead>
+      <tr>
+        <th scope="col">Address</th>
+        <th scope="col">Module</th>
+        <th scope="col">Name</th>
+        <th scope="col">Symbol</th>
+      </tr>
+    </thead>
+    <tbody id="TtyCheck">
+      {% for entry in TtyCheck %}
+      <tr>
+        <td>{{entry.Address}}</td>
+        <td>{{entry.Module}}</td>
+        <td>{{entry.Name}}</td>
+        <td>{{entry.Symbol}}</td>
+      </tr>
+      {% endfor %}
+    </tbody>
+  </table>
+</div>
diff --git a/investigations/templates/investigations/linux/process_artifacts/elfs.html b/investigations/templates/investigations/linux/process_artifacts/elfs.html
@@ -0,0 +1,28 @@
+<div class="mt-5 Elfs plugin">
+  <h6 class="h6">Process ELF files</h6>
+  <div class="d-inline">
+    <input class="form-control mb-3" id="searchElfs" type="text" placeholder="Search..">
+  </div>
+  <table id="ElfsTable" class="table table-light  card-font Elfs">
+    <thead>
+      <tr>
+        <th scope="col">Start</th>
+        <th scope="col">End</th>
+        <th scope="col">File Path</th>
+        <th scope="col">Process</th>
+        <th scope="col">PID</th>
+      </tr>
+    </thead>
+    <tbody id="Elfs">
+      {% for process in ProcMaps %}
+      <tr>
+        <td>{{process.Start}}</td>
+        <td>{{process.End}}</td>
+        <td>{{process.FilePath}}</td>
+        <td>{{process.Process}}</td>
+        <td>{{process.PID}}</td>
+      </tr>
+      {% endfor %}
+    </tbody>
+  </table>
+</div>
diff --git a/investigations/templates/investigations/linux/process_artifacts/process_list.html b/investigations/templates/investigations/linux/process_artifacts/process_list.html
@@ -11,7 +11,7 @@ <h6 class="h6">Process List</h6>
         <th scope="col">COMM</th>
       </tr>
     </thead>
-    <tbody id="processScan">
+    <tbody id="processList">
       {% for process in PsList %}
       <tr>
         <td>{{process.PID}}</td>

diff --git a/investigations/templates/investigations/linux/process_artifacts/process_maps.html b/investigations/templates/investigations/linux/process_artifacts/process_maps.html
@@ -0,0 +1,38 @@
+<div class="mt-5 ProcMaps plugin">
+  <h6 class="h6">Process Maps</h6>
+  <div class="d-inline">
+    <input class="form-control mb-3" id="searchProcessMaps" type="text" placeholder="Search..">
+  </div>
+  <table id="processMapsTable" class="table table-light  card-font processmaps">
+    <thead>
+      <tr>
+        <th scope="col">Start</th>
+        <th scope="col">End</th>
+        <th scope="col">File Path</th>
+        <th scope="col">Flags</th>
+        <th scope="col">Inode</th>
+        <th scope="col">Major</th>
+        <th scope="col">Minor</th>
+        <th scope="col">PID</th>
+        <th scope="col">PgOff</th>
+        <th scope="col">Process</th>
+      </tr>
+    </thead>
+    <tbody id="processMaps">
+      {% for process in ProcMaps %}
+      <tr>
+        <td>{{process.Start}}</td>
+        <td>{{process.End}}</td>
+        <td>{{process.FilePath}}</td>
+        <td>{{process.Flags}}</td>
+        <td>{{process.Inode}}</td>
+        <td>{{process.Major}}</td>
+        <td>{{process.Minor}}</td>
+        <td>{{process.PID}}</td>
+        <td>{{process.PgOff}}</td>
+        <td>{{process.Process}}</td>
+      </tr>
+      {% endfor %}
+    </tbody>
+  </table>
+</div>
diff --git a/investigations/templates/investigations/linux/sidebar.html b/investigations/templates/investigations/linux/sidebar.html
@@ -8,6 +8,9 @@
               <ul class="list-group-item bg-light">
                 <li class="bg-light list-group-horizontal-md text-truncate" data-bs-parent="#sidebar"><i class="text-dark bi bi bi-box"></i> <a id="PsListLink" href="#" class="text-dark">PsList</a></li>
                 <li class="bg-light list-group-horizontal-md text-truncate" data-bs-parent="#sidebar"><i class="text-dark bi bi bi-box"></i> <a id="PsTreeLink" href="#" class="text-dark">PsTree</a></li>
+                <li class="bg-light list-group-horizontal-md text-truncate" data-bs-parent="#sidebar"><i class="text-dark bi bi bi-box"></i> <a id="ProcMapsLink" href="#" class="text-dark">ProcMaps</a></li>
+                <li class="bg-light list-group-horizontal-md text-truncate" data-bs-parent="#sidebar"><i class="text-dark bi bi bi-box"></i> <a id="ElfsLink" href="#" class="text-dark">Elfs</a></li>
+
               <ul>
             </div>
 
@@ -42,6 +45,8 @@
             <div class="collapse show" id="collapseMalware">
               <ul class="list-group-item bg-light">
                 <li class="bg-light list-group-horizontal-md text-truncate" data-bs-parent="#sidebar"><i class="text-dark bi bi bi-box"></i> <a id="BashLink" href="#" class="text-dark">Bash</a></li>
+                <li class="bg-light list-group-horizontal-md text-truncate" data-bs-parent="#sidebar"><i class="text-dark bi bi bi-box"></i> <a id="LsofLink" href="#" class="text-dark">Lsof</a></li>
+                <li class="bg-light list-group-horizontal-md text-truncate" data-bs-parent="#sidebar"><i class="text-dark bi bi bi-box"></i> <a id="TtyCheckLink" href="#" class="text-dark">TtyCheck</a></li>
               <ul>
             </div>
 

diff --git a/investigations/templates/investigations/reviewinvest.html b/investigations/templates/investigations/reviewinvest.html
@@ -85,8 +85,17 @@
 
             <!-- Process Artifacts -->
             {% include "investigations/linux/process_artifacts/process_list.html" %}
+            {% include "investigations/linux/process_artifacts/process_maps.html" %}
             {% include "investigations/linux/process_artifacts/process_graph.html" %}
+            {% include "investigations/linux/process_artifacts/elfs.html" %}
+
+            <!-- Malware analysis Artifacts -->
             {% include "investigations/linux/ma_artifacts/bash.html" %}
+            {% include "investigations/linux/ma_artifacts/lsof.html" %}
+            {% include "investigations/linux/ma_artifacts/tty_check.html" %}
+
+
+
 
 
         </main>

diff --git a/investigations/views.py b/investigations/views.py
@@ -292,7 +292,11 @@ def reviewinvest(request):
                     'ImageSignature' : ImageSignature.objects.get(investigation_id = id),
                     'PsList':linux_engine.PsList.objects.filter(investigation_id = id),
                     'PsTree': linux_engine.PsTree.objects.get(investigation_id = id),
-                    'Bash': linux_engine.Bash.objects.filter(investigation_id = id)
+                    'Bash': linux_engine.Bash.objects.filter(investigation_id = id),
+                    'ProcMaps': linux_engine.ProcMaps.objects.filter(investigation_id = id),
+                    'Lsof': linux_engine.Lsof.objects.filter(investigation_id = id),
+                    'TtyCheck': linux_engine.TtyCheck.objects.filter(investigation_id = id),
+                    'Elfs': linux_engine.Elfs.objects.filter(investigation_id = id),
                 }
                 context.update(models)
             return render(request, 'investigations/reviewinvest.html',context)

diff --git a/linux_engine/migrations/0004_procmaps.py b/linux_engine/migrations/0004_procmaps.py
@@ -0,0 +1,33 @@
+# Generated by Django 3.2.13 on 2022-06-13 08:06
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('investigations', '0001_initial'),
+        ('linux_engine', '0003_bash'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ProcMaps',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('End', models.BigIntegerField(null=True)),
+                ('FilePath', models.CharField(max_length=255, null=True)),
+                ('Flags', models.CharField(max_length=20, null=True)),
+                ('Command', models.CharField(max_length=500, null=True)),
+                ('Inode', models.BigIntegerField(null=True)),
+                ('Major', models.BigIntegerField(null=True)),
+                ('Minor', models.BigIntegerField(null=True)),
+                ('PID', models.BigIntegerField(null=True)),
+                ('PgOff', models.BigIntegerField(null=True)),
+                ('Process', models.CharField(max_length=255, null=True)),
+                ('Start', models.BigIntegerField(null=True)),
+                ('investigation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='linux_procmaps_investigation', to='investigations.uploadinvestigation')),
+            ],
+        ),
+    ]
diff --git a/linux_engine/migrations/0005_lsof.py b/linux_engine/migrations/0005_lsof.py
@@ -0,0 +1,26 @@
+# Generated by Django 3.2.13 on 2022-06-13 12:14
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('investigations', '0001_initial'),
+        ('linux_engine', '0004_procmaps'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Lsof',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('FD', models.BigIntegerField(null=True)),
+                ('PID', models.BigIntegerField(null=True)),
+                ('Path', models.CharField(max_length=255, null=True)),
+                ('Process', models.CharField(max_length=500, null=True)),
+                ('investigation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='linux_lsof_investigation', to='investigations.uploadinvestigation')),
+            ],
+        ),
+    ]