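# Let's start to interact with workbench. Please note there is NO specific client to
# workbench; just use the ZeroRPC Python, Node.js, or CLI interfaces.
#
# This is a walk-through script: every step prints its result so it behaves the same
# whether it is run as a file or pasted into a notebook (bare expressions only echo in
# a notebook). print() is used as a function so the script runs on Python 2 and 3.
import zerorpc
import pandas as pd

# The workbench endpoint. Plain ZeroRPC over TCP carries no authentication or
# encryption, so keep the workbench bound to loopback as it is here; anyone who can
# reach this port can store samples and read every worker's output.
c = zerorpc.Client(timeout=120)
c.connect("tcp://127.0.0.1:4242")


def run_worker(name, sample_id):
    """Run worker *name* against *sample_id* and return that worker's result.

    work_request returns a dict keyed by worker name; this just unwraps the
    single entry we asked for. The memory workers all start with ``mem_``.
    """
    return c.work_request(name, sample_id)[name]


# Load in the memory image. store_sample returns the identifier that the workers key
# on; the original names it mem_md5 (presumably the sample's MD5 — confirm against
# the workbench API).
with open('../data/mem_images/exemplar4.vmem', 'rb') as f:
    mem_md5 = c.store_sample(f.read(), 'exemplar4.vmem', 'mem')

# Let's look at the workers that we might invoke.
print(c.help_workers())

# Now we invoke the mem_meta worker (all memory workers start with mem_).
print(run_worker('mem_meta', mem_md5))

# Now we look at the pslist worker (which is just a big blob of python data).
output = run_worker('mem_pslist', mem_md5)
print(str(output)[:50])

# Okay, that didn't seem very useful, just a gigantic ugly blob of python.
# Let's push the pslist Info section into a pandas DataFrame.
df = pd.DataFrame(output['sections']['Info'])
print(df.head())

# Now let's use the pandas groupby methods. The constant 'count' column turns sum()
# into a per-group row count.
df['count'] = 1
print(df.groupby(['PPID', 'Name', 'PID']).sum())

# Now we look at the connscan worker.
output = run_worker('mem_connscan', mem_md5)
print(output)

# Same as above: throw it into a DataFrame and do a group by.
conn_df = pd.DataFrame(output['sections']['Info'])
conn_df['count'] = 1
print(conn_df.groupby(['Pid', 'Remote Address']).sum())

# Now let's look at the DLLs for the various processes.
output = run_worker('mem_dlllist', mem_md5)

# Each process has its own section.
print(list(output['sections'].keys()))

# Let's look at the process of interest.
dll_df = pd.DataFrame(output['sections']['svhost_exe pid: 1936'])
print(dll_df)

# Dump PE files from all the processes.
print(run_worker('mem_procdump', mem_md5))

# Okay nice, now let's look deeper at the dumped files with workbench.
# The two hashes below are fixed for this exemplar image; they presumably come from
# the mem_procdump output above, so re-read them from there if the image changes.
# First the file that we're pretty sure is naughty (svhost.exe).
print(c.work_request('view', '0374a3a1689771e93432f8803cc2a09c'))

# Now smss_exe_516.exe.
print(c.work_request('view', 'a11279e7f15a0a9f342e0809d3460e26'))

# VirusTotal queries. These leave the local workbench: the hash is sent to an
# external service, which discloses that this sample is under analysis here, so
# check that is acceptable for the case before running them.
# Virus Total Query (on svhost.exe)
print(c.work_request('vt_query', '0374a3a1689771e93432f8803cc2a09c'))

# Virus Total Query (on smss_exe_516.exe)
print(c.work_request('vt_query', 'a11279e7f15a0a9f342e0809d3460e26'))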