To make things less hardcoded in the Karton service itself, let's move analysis process to the separate module called "analyzer"
Analyzer is parametrized by AnalysisOptions object that is composed from configuration file values and task parameters. analyzer.analyze_sample and AnalysisOptions interface is used both by DrakrunKarton and new CLI tool called drakstart that allows to run raw analysis process directly from CLI. It will be useful tool for setup and further development and debugging.
List of things implemented a bit different than in the original code:
Sample is downloaded to /tmp/drakrun/vm-<N>/sample instead of /tmp/drakrun/vm-<N>/<target_name>. The target file name (which is usually malwar.exe) is used only when writing file to the target VM.
metadata.json includes dumps_metadata
Network setup is done always at the beginning of the analysis instead of at the start of Karton. Network is also wiped at the end of the analysis, see analyzer.run_vm. It sounds a bit cleaner to me as user may change out_interface/dns_server/net_enable settings and we need to setup network accordingly.
Analysis is not retried only when "retryable" error occurs
Logging setup is changed, I do it in setup_logger and bind handlers to the root logger. It should fix the "double logging" problem.
To make things less hardcoded in the Karton service itself, let's move analysis process to the separate module called "analyzer"
Analyzer is parametrized by
AnalysisOptions
object that is composed from configuration file values and task parameters.analyzer.analyze_sample
andAnalysisOptions
interface is used both by DrakrunKarton and new CLI tool calleddrakstart
that allows to run raw analysis process directly from CLI. It will be useful tool for setup and further development and debugging.List of things implemented a bit different than in the original code:
/tmp/drakrun/vm-<N>/sample
instead of/tmp/drakrun/vm-<N>/<target_name>
. The target file name (which is usuallymalwar.exe
) is used only when writing file to the target VM.metadata.json
includesdumps_metadata
analyzer.run_vm
. It sounds a bit cleaner to me as user may changeout_interface
/dns_server
/net_enable
settings and we need to setup network accordingly.