kevoreilly · doomedraven · Mar 13, 2024 · Sep 14, 2023 · Oct 5, 2023 · Oct 6, 2023
diff --git a/analyzer/linux/analyzer.py b/analyzer/linux/analyzer.py
@@ -168,7 +168,7 @@ def run(self):
         if not package_class:
             raise Exception("Could not find an appropriate analysis package")
         # Package initialization
-        kwargs = {"options": self.config.options, "timeout": self.config.timeout}
+        kwargs = {"options": self.config.options, "timeout": self.config.timeout, "strace_ouput": PATHS["logs"]}
 
         # Initialize the analysis package.
         # pack = package_class(self.config.get_options())
@@ -306,6 +306,12 @@ def run(self):
                     upload_to_host(package[0], os.path.join("files", package[1]))
         except Exception as e:
             log.warning('The package "%s" package_files function raised an exception: %s', package_class, e)
+        try:
+            # Upload the strace logs to host
+            for file in os.listdir(PATHS["logs"]):
+                upload_to_host(os.path.join(PATHS["logs"], file), os.path.join("logs", file))
+        except Exception as e:
+            log.warning('The strace log failed to transfer:', e)
 
         # Terminate the Auxiliary modules.
         log.info("Stopping auxiliary modules")

diff --git a/analyzer/linux/lib/common/apicalls.py b/analyzer/linux/lib/common/apicalls.py
diff --git a/analyzer/linux/lib/core/packages.py b/analyzer/linux/lib/core/packages.py
@@ -7,10 +7,9 @@
 import logging
 import subprocess
 import timeit
-from os import environ, path, sys, waitpid
+from os import environ, path, sys
 
 from lib.api.process import Process
-from lib.common.apicalls import apicalls
 from lib.common.results import NetlogFile
 
 log = logging.getLogger(__name__)
@@ -97,6 +96,7 @@ def __init__(self, target, **kwargs):
         self.free = self.options.get("free")
         self.proc = None
         self.pids = []
+        self.strace_output = kwargs.get("strace_ouput", "/tmp")
 
     def set_pids(self, pids):
         """Update list of monitored PIDs in the package context.
@@ -118,18 +118,9 @@ def start(self):
             # Remove the trailing slash (if any)
             self.target = filepath.rstrip("/")
         self.prepare()
-        self.normal_analysis()
+        # self.normal_analysis()
+        self.strace_analysis()
         return self.proc.pid
-        """
-        if self.free:
-            self.normal_analysis()
-            return self.proc.pid
-        elif self.method == "apicalls":
-            self.apicalls_analysis()
-            return self.proc.pid
-        else:
-            raise Exception("Unsupported analysis method. Try 'apicalls'")
-        """
 
     def check(self):
         """Check."""
@@ -157,38 +148,36 @@ def finish(self):
     def get_pids(self):
         return []
 
-    def apicalls_analysis(self):
+    def strace_analysis(self):
         kwargs = {"args": self.args, "timeout": self.timeout, "run_as_root": self.run_as_root}
         log.info(self.target)
-        cmd = apicalls(self.target, **kwargs)
-        stap_start = timeit.default_timer()
+
+        target_cmd = f'{self.target}'
+        if "args" in kwargs:
+            target_cmd += f' {" ".join(kwargs["args"])}'
+
+        cmd = f"sudo strace -ttffn -o {self.strace_output}/strace.log {target_cmd}"
         log.info(cmd)
         self.proc = subprocess.Popen(
             cmd, env={"XAUTHORITY": "/root/.Xauthority", "DISPLAY": ":0"}, stderr=subprocess.PIPE, shell=True
         )
-
-        while b"systemtap_module_init() returned 0" not in self.proc.stderr.readline():
-            # log.debug(self.proc.stderr.readline())
-            pass
-
-        stap_stop = timeit.default_timer()
-        log.info("Process startup took %.2f seconds", stap_stop - stap_start)
+        log.info("Process started with strace")
         return True
 
     def normal_analysis(self):
         kwargs = {"args": self.args, "timeout": self.timeout, "run_as_root": self.run_as_root}
 
         # cmd = apicalls(self.target, **kwargs)
         cmd = f"{self.target} {' '.join(kwargs['args'])}"
-        stap_start = timeit.default_timer()
+        process_start = timeit.default_timer()
         self.proc = subprocess.Popen(
             cmd, env={"XAUTHORITY": "/root/.Xauthority", "DISPLAY": ":0"}, stderr=subprocess.PIPE, shell=True
         )
 
         log.debug(self.proc.stderr.readline())
 
-        stap_stop = timeit.default_timer()
-        log.info("Process startup took %.2f seconds", stap_stop - stap_start)
+        process_stop = timeit.default_timer()
+        log.info("Process startup took %.2f seconds", process_start - process_stop)
         return True
 
     @staticmethod
@@ -200,19 +189,6 @@ def _upload_file(local, remote):
                     nf.sock.sendall(chunk)  # dirty direct send, no reconnecting
             nf.close()
 
-    def stop(self):
-        log.info("Package requested stop")
-        try:
-            r = self.proc.poll()
-            log.debug("stap subprocess retval %d", r)
-            self.proc.kill()
-            # subprocess.check_call(["sudo", "kill", str(self.proc.pid)])
-            waitpid(self.proc.pid, 0)
-            self._upload_file("stap.log", "logs/all.stap")
-        except Exception as e:
-            log.warning("Exception uploading log: %s", e)
-
-
 def _string_to_bool(raw):
     if not isinstance(raw, str):
         raise Exception("Unexpected input: not a string :/")

diff --git a/analyzer/linux/modules/auxiliary/filecollector.py b/analyzer/linux/modules/auxiliary/filecollector.py
@@ -129,7 +129,7 @@ def _method_name(self, event):
                     # log.info("Path is a directory or does not exist, ignoring: %s", event.pathname)
                     return
 
-                if os.path.basename(event.pathname) == "stap.log":
+                if "strace.log" in os.path.basename(event.pathname):
                     return
 
                 try:

diff --git a/analyzer/linux/modules/auxiliary/stap.py b/analyzer/linux/modules/auxiliary/stap.py
diff --git a/changelog.md b/changelog.md
@@ -1,5 +1,10 @@
 ### [12.03.2024]
 * Monitor update: Initial IPv6 support - thanks @cccs-mog
+* Linux support details can be seen in this [Pull Request](https://github.com/kevoreilly/CAPEv2/pull/2001)
+* We remove all `x.conf` to finish the mess with the configs.
+    * DO NOT EDIT `.conf.default` files. cape2.sh makes a copy of them removing `.default`.
+    * If you don't use `cape2.sh`.
+        * Run: `for filename in conf/default/*.conf.default; do cp -vf "./$filename" "./$(echo "$filename" | sed -e 's/.default//g' | sed -e 's/default//g')";  done`
 
 ### [07.03.2024]
 * Monitor updates:
-Original file line number
+Diff line change
@@ Expand Up / @@ -129,7 +129,7 @@ def _method_name(self, event): @@
                         # log.info("Path is a directory or does not exist, ignoring: %s", event.pathname)
                         return
-                    if os.path.basename(event.pathname) == "stap.log":
+                    if "strace.log" in os.path.basename(event.pathname):
                         return
                     try:
@@ Expand Down @@