When we had suspected about binary file, we’ve had two options:

- First one and not recomendable, running and thinking that it only get “infected” the others

- Second one, to have a Windows system virtualized, run it there while we monitorize it with tools as Filemon, Regmon, wireshark…

Recently, I’ve found one quickly way, and it could help us in some cases.

• VirusTotal - http://www.virustotal.com/es/
• Joebox - http://www.joebox.org/
• Anubis - http://anubis.iseclab.org/

We can analyse files with several antivirus engines at the same time with Virustotal, it will give us a orientation about file types that you use. This web is a Hispasec Systems creation, very good reference from my point of view.

With Joebox, we’ll have a sandbox installed, we can run the executable in a secure virtual environment. It’ll give us traces with information about the behavior. This virtual environment is easy to deploy and with same security guarantees that a virtual machine with independent operating system.

Anubis online service will analyse the binary file, and it will send us a report about its behavior. A good complement to any sandbox, it’ll allow us to contrast the information.

OpenTTD was born as copy of Transport Tycoon Deluxe. A group of people was been able to get the sources with reverse engineering, wow!

Later, the project was growing with the colaboration of more people: new sounds, new music, a lot of new graphs [stations, buses, trucks, roads, buildings, aka. NewGRF], but the best of all are the three available plataforms: GNU/Linux, Mac and Windows. A new multiplayer mode: competitive and collaborative; with or without dedicated server, with own commands. AI ready to go in single player and multiplayer, and a lot of people belonging to the OpenTTD Community.

Don’t think it more, info and download at: www.openttd.org

I will not come to assess whether this method is good or bad, because we should evaluate other factors such as whether the machine is managed by various admins, if a critical server, if it really is documented that nomenclature, etc …

But if I want to mention, and give an example of a methodology that if it is standard, and there is a very high probability of finding it in almost any GNU / Linux: RCS utils.With this system, we have a version control with all its benefits applied to a single file without creating or configure anything extra (or repositories, or demons, or service units), only installing the required package rcs. It is rare that is not installed.

This information has been obtained from RCS Intro – http://www.daemon-systems.org/man/rcsintro.1.html

What operations are usually performed more frequently in a version control system?

• Create new files
• Modify existing file
• Locked to prevent concurrent modifications
• Control versions and add comments to see at a glance this Changelog
• Test differences between versions
• Retrieve all versions
• Control who and when to file an amendment during their life

Based on this short list, put the two commands that allow you to perform them:

co and ci

Read on to see examples …

Examples:

$ vi file1 # edit and save changes

$ ci-u file 1 # With this we create the first review, and we asked to enter a comment with a brief summary of the contents of the file

From this moment, we have two files like: file1 and file1, v. This second file will contain the entire version control is not necessary any more. The -u parameter is not to erase the local copy. In subsequent ci we do, we are asked to enter a comment, but in this case will be referred to the changes we have made.

$ co -l file1 # Perform a checkout, that is get a copy of the latest revision of the file, and also the block by the -l. This means that we can edit now.

From this moment, these two commands are the most frequently used to use RCS on specific file. Then we can use parameters like -r1.24 to tell the review with which to save the file, or obtain the hotfix.

We may use rcsdiff to see the differences between two revisions, or the rlog command to see the whole evolution of the file with your comments. There are many more options, and I got sent to the link in the article that you may prove the most commonly adjusted to you.

1.) stdin
2.) ¿qué stdout/stderr espero?
3.) stdin
4.) ¿qué stdout/stderr espero?
…..

Por ser breve, es un lenguaje pensado casi exclusivamente para convertir sesiones interactivas de ftp, telnet, ssh, etc… en sesiones automáticas. Casi más sorprendente, es que añadiendo el módulo TK, podremos automatizar sesiones de X11, wow!!!!

Pero este artículo no quiere ser un tutorial de expect, ni tampoco una presentación formal, su web es bastante buena para intentar hacer una copia . Pretendo enseñar, y en otros casos recordar, que no es necesario saber nada, o casi nada de expect para poder utilizarlo, gracias a autoexpect.

Este script nos abrirá una sesión de comando “script”, y grabará toda la sesión interactiva. Una vez que salgamos de la sesión con “exit”, creará un script de expect que podremos ejecutar directamente. wow!!!!

Cosas a tener en cuenta:

- Cualquier salida por pantalla variable, tipo fecha, hora, y cosas así, nos obligará a editar el script expect final, y poner expresiones regulares. Genial!
- Seguro que hay más, espero esos comentarios

En la siguiente página incluyo el código del autoexpect, no como referencia, sino como idea general. La recomendación que os hago es visitar la web oficial de expect, descargar las últimas fuentes de expect, descomprimir, y buscar en el directorio example/ el script autoexpect. En la versión que he descargado yo, he tenido que modificarlo para poner la ruta absoluta de expect en la primera línea:

#!/usr/bin/expect
# Name: autoexpect - generate an Expect script from watching a session
#
# Description:
#
# Given a program name, autoexpect will run that program.  Otherwise
# autoexpect will start a shell.  Interact as desired.  When done, exit
# the program or shell.  Autoexpect will create a script that reproduces
# your interactions.  By default, the script is named script.exp.
# See the man page for more info.
#
# Author: Don Libes, NIST
# Date: June 30 1995
# Version: 1.4b                                                         

set filename "script.exp"
set verbose 1
set conservative 0
set promptmode 0
set option_keys ""       

proc check_for_following {type} {
        if {![llength [uplevel set argv]]} {
                puts "autoexpect: [uplevel set flag] requires following $type"
                exit 1
        }
}                                                                             

while {[llength $argv]>0} {
        set flag [lindex $argv 0]
        if {0==[regexp "^-" $flag]} break
        set argv [lrange $argv 1 end]
        switch -- $flag \
          "-c" {
                set conservative 1
        } "-C" {
                check_for_following character
                lappend option_keys [lindex $argv 0] ctoggle
                set argv [lrange $argv 1 end]
        } "-p" {
                set promptmode 1
        } "-P" {
                check_for_following character
                lappend option_keys [lindex $argv 0] ptoggle
                set argv [lrange $argv 1 end]
        } "-Q" {
                check_for_following character
                lappend option_keys [lindex $argv 0] quote
                set argv [lrange $argv 1 end]
        } "-f" {
                check_for_following filename
                set filename [lindex $argv 0]
                set argv [lrange $argv 1 end]
        } "-quiet" {
                set verbose 0
        } default {
                break
        }
}                                                           

#############################################################
# Variables     Descriptions
#############################################################
# userbuf       buffered characters from user
# procbuf       buffered characters from process
# lastkey       last key pressed by user
#               if undefined, last key came from process
# echoing       if the process is echoing
#############################################################

# Handle a character that came from user input (i.e., the keyboard)
proc input {c} {
        global userbuf lastkey                                     

        send -- $c
        append userbuf $lastkey
        set lastkey $c
}                              

# Handle a null character from the keyboard
proc input_null {} {
        global lastkey userbuf procbuf echoing

        send -null

        if {$lastkey == ""} {
                if {$echoing} {
                        sendcmd "$userbuf"
                }
                if {$procbuf != ""} {
                        expcmd "$procbuf"
                }
        } else {
                sendcmd "$userbuf"
                if {$echoing} {
                        expcmd "$procbuf"
                        sendcmd "$lastkey"
                }
        }
        cmd "send -null"
        set userbuf ""
        set procbuf ""
        set lastkey ""
        set echoing 0
}                                         

# Handle a character that came from the process
proc output {s} {
        global lastkey procbuf userbuf echoing 

        send_user -raw -- $s

        if {$lastkey == ""} {
                if {!$echoing} {
                        append procbuf $s
                } else {
                        sendcmd "$userbuf"
                        expcmd "$procbuf"
                        set echoing 0
                        set userbuf ""
                        set procbuf $s
                }
                return
        }                                 

        regexp (.)(.*) $s dummy c tail
        if {$c == $lastkey} {
                if {$echoing} {
                        append userbuf $lastkey
                        set lastkey ""
                } else {
                        if {$procbuf != ""} {
                                expcmd "$procbuf"
                                set procbuf ""
                        }
                        set echoing 1
                }
                append procbuf $s                

                if {[string length $tail]} {
                        sendcmd "$userbuf$lastkey"
                        set userbuf ""
                        set lastkey ""
                        set echoing 0
                }
        } else {
                if {!$echoing} {
                        expcmd "$procbuf"
                }
                sendcmd "$userbuf$lastkey"
                set procbuf $s
                set userbuf ""
                set lastkey ""
                set echoing 0
        }
}                                                 

# rewrite raw strings so that can appear as source code but still reproduce
# themselves.
proc expand {s} {
        regsub -all "\\\\" $s "\\\\\\\\" s
        regsub -all "\r" $s "\\r"  s
        regsub -all "\"" $s "\\\"" s
        regsub -all "\\\[" $s "\\\[" s
        regsub -all "\\\]" $s "\\\]" s
        regsub -all "\\\$" $s "\\\$" s                                     

        return $s
}                

# generate an expect command
proc expcmd {s} {
        global promptmode   

        if {$promptmode} {
                regexp ".*\[\r\n]+(.*)" $s dummy s
        }                                         

        cmd "expect -exact \"[expand $s]\""
}                                          

# generate a send command
proc sendcmd {s} {
        global send_style conservative

        if {$conservative} {
                cmd "sleep .1"
        }                     

        cmd "send$send_style -- \"[expand $s]\""
}                                               

# generate any command
proc cmd {s} {
        global fd
        puts $fd "$s"
}                     

proc verbose_send_user {s} {
        global verbose      

        if {$verbose} {
                send_user -- $s
        }
}                              

proc ctoggle {} {
        global conservative send_style

        if {$conservative} {
                cmd "# conservative mode off - adding no delays"
                verbose_send_user "conservative mode off\n"
                set conservative 0
                set send_style ""
        } else {
                cmd "# prompt mode on - adding delays"
                verbose_send_user "conservative mode on\n"
                set conservative 1
                set send_style " -s"
        }
}                                                               

proc ptoggle {} {
        global promptmode

        if {$promptmode} {
                cmd "# prompt mode off - now looking for complete output"
                verbose_send_user "prompt mode off\n"
                set promptmode 0
        } else {
                cmd "# prompt mode on - now looking only for prompts"
                verbose_send_user "prompt mode on\n"
                set promptmode 1
        }
}                                                                        

# quote the next character from the user
proc quote {} {
        expect_user -re .
        send -- $expect_out(buffer)
}                                       

if {[catch {set fd [open $filename w]} msg]} {
        puts $msg
        exit
}
exec chmod +x $filename
verbose_send_user "autoexpect started, file is $filename\n"

# calculate a reasonable #! line
set expectpath /usr/local/bin           ;# prepare default
foreach dir [split $env(PATH) :] {      ;# now look for real location
        if {[file executable $dir/expect] && ![file isdirectory $dir/expect]} {
                set expectpath $dir
                break
        }
}                                                                              

cmd "#![set expectpath]/expect -f
#
# This Expect script was generated by autoexpect on [timestamp -format %c]
# Expect and autoexpect were both written by Don Libes, NIST."
cmd {#
# Note that autoexpect does not guarantee a working script.  It
# necessarily has to guess about certain things.  Two reasons a script
# might fail are:
#
# 1) timing - A surprising number of programs (rn, ksh, zsh, telnet,
# etc.) and devices discard or ignore keystrokes that arrive "too
# quickly" after prompts.  If you find your new script hanging up at
# one spot, try adding a short sleep just before the previous send.
# Setting "force_conservative" to 1 (see below) makes Expect do this
# automatically - pausing briefly before sending each character.  This
# pacifies every program I know of.  The -c flag makes the script do
# this in the first place.  The -C flag allows you to define a
# character to toggle this mode off and on.                               

set force_conservative 0  ;# set to 1 to force conservative mode even if
                          ;# script wasn't run conservatively originally
if {$force_conservative} {
        set send_slow {1 .1}
        proc send {ignore arg} {
                sleep .1
                exp_send -s -- $arg
        }
}                                                                       

#
# 2) differing output - Some programs produce different output each time
# they run.  The "date" command is an obvious example.  Another is
# ftp, if it produces throughput statistics at the end of a file
# transfer.  If this causes a problem, delete these patterns or replace
# them with wildcards.  An alternative is to use the -p flag (for
# "prompt") which makes Expect only look for the last line of output
# (i.e., the prompt).  The -P flag allows you to define a character to
# toggle this mode off and on.
#
# Read the man page for more info.
#
# -Don

}

cmd "set timeout -1"
if {$conservative} {
        set send_style " -s"
        cmd "set send_slow {1 .1}"
} else {
        set send_style ""
}

if {[llength $argv]>0} {
        eval spawn -noecho $argv
        cmd "spawn $argv"
} else {
        spawn -noecho $env(SHELL)
        cmd "spawn \$env(SHELL)"
}

cmd "match_max 100000"

set lastkey ""
set procbuf ""
set userbuf ""
set echoing 0

remove_nulls 0

eval interact $option_keys {
    -re . {
        input $interact_out(0,string)
    } -o -re .+ {
        output $interact_out(0,string)
    } eof {
        cmd "expect eof"
        return
    }
}

close $fd
verbose_send_user "autoexpect done, file is $filename\n"