Writing Reporters
bobbystacksmash edited this page Nov 15, 2018 · 1 revision
As the Construct Virtual Machine (CVM) runs a given JScript program, it captures events about that program. These events are sent, in the order they are generated, to a reporter. The reporter may consume only the events it cares about (filesystem, network, registry, etc.) and perform whatever processing is desired before returning an output verdict.
TODO
function DumpExec() {
    // Command lines seen so far. A local array (rather than this.events)
    // works whether or not the reporter is created with `new`.
    const events = [];
    return {
        meta: {
            name: "dumpexec",
            description: "Extracts and dumps various execution indicators."
        },
        report: (event, done) => {
            if (event.meta && event.meta === "runtime.api.call") {
                // WScript.Shell .Run / .Exec: the first argument is the command line.
                if (/wshshell/i.test(event.target) && /^(?:run|exec)$/i.test(event.property.normalised)) {
                    events.push(event.args[0].value);
                }
                // Shell.Application .ShellExecute: the first argument is the file to launch.
                else if (/ShellApplication/i.test(event.target) && /shellexecute/i.test(event.property.normalised)) {
                    events.push(event.args[0].value);
                }
            }
            else if (event.meta && event.meta === "finished") {
                // End of the run: hand the collected indicators back as the verdict.
                done(null, events);
            }
        }
    };
}

module.exports = DumpExec;
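As an added example that is not part of the Construct wiki or code base: a reporter built on the same meta/report/done shape that deduplicates and counts launch indicators, plus a small driver that feeds constructed events through it so the contract can be exercised outside the CVM. The event field names (meta, target, property.normalised, args[].value) are taken from the DumpExec reporter above; the `ExecSummary` name, the `runReporter` driver and the sample events are assumptions.

```javascript
// Added example (not from the Construct project): a reporter that dedupes and
// counts process-launch indicators, plus a driver for the report/done contract.
// Event fields mirror DumpExec on this page; the sample events are constructed.
const LAUNCHERS = [ // target/method patterns for the launch APIs DumpExec watches
  { target: /wshshell/i, method: /^(?:run|exec)$/i },
  { target: /ShellApplication/i, method: /shellexecute/i },
];
function isLaunch(event) {
  const method = event.property && event.property.normalised;
  return LAUNCHERS.some((l) => l.target.test(event.target) && l.method.test(method));
}
function ExecSummary() {
  const seen = new Map(); // command line -> { count, firstSeen }
  let index = 0;          // position of the current event in the stream
  return {
    meta: { name: "execsummary", description: "Deduplicates and counts process launch indicators." },
    report: (event, done) => {
      index += 1;
      if (event.meta === "runtime.api.call" && isLaunch(event)) {
        const cmd = event.args && event.args.length ? String(event.args[0].value) : "";
        const entry = seen.get(cmd) || { count: 0, firstSeen: index };
        entry.count += 1;
        seen.set(cmd, entry);
      } else if (event.meta === "finished") {
        // Hand the verdict back in order of first occurrence.
        const indicators = [...seen].map(([command, e]) => ({ command, ...e }));
        done(null, indicators.sort((a, b) => a.firstSeen - b.firstSeen));
      }
    },
  };
}

// Feeds events to a reporter in order and returns whatever it passed to done().
function runReporter(reporter, events) {
  let result, error = null;
  for (const ev of events) reporter.report(ev, (err, out) => { error = err; result = out; });
  if (error) throw error;
  return result;
}

// Constructed stand-in for the CVM event stream of a script that launches
// calc.exe twice and notepad.exe once.
const SAMPLE_EVENTS = [
  { meta: "runtime.api.call", target: "WshShell", property: { normalised: "run" }, args: [{ value: "calc.exe" }] },
  { meta: "runtime.api.call", target: "ShellApplication", property: { normalised: "shellexecute" }, args: [{ value: "notepad.exe" }] },
  { meta: "runtime.api.call", target: "WshShell", property: { normalised: "exec" }, args: [{ value: "calc.exe" }] },
  { meta: "finished" },
];
module.exports = { ExecSummary, runReporter, SAMPLE_EVENTS };
```

Running `runReporter(ExecSummary(), SAMPLE_EVENTS)` yields two indicators, calc.exe with a count of 2 and notepad.exe with a count of 1, instead of the three raw entries DumpExec would emit.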