0% found this document useful (0 votes)
32 views16 pages

Lab 13

Uploaded by

Ngô Hải Anh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
32 views16 pages

Lab 13

Uploaded by

Ngô Hải Anh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 16

Lab 13: Analysis Automation

Tools
- VirtualBox
- VMWare
- TShark
Automated Malware Analysis VirtualBox
Initial VirtualBoxSetup (previous lab)

- Automation in Python
- Run vmauto.py: specifically designed for automating malware analysis.
- Use vmauto.py for your automated script
- See malwarecookbook/8/vmauto.py (in the tool folder included in the document)
vmauto.py:

#!/usr/bin/python

# Copyright (C) 2010 Michael Ligh

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

#
# [NOTES] -----------------------------------------------------------

# 1) If you're running VirtualBox on Windows, you'll need win32com, which is

# included in the Python Extensions for Windows package

#--------------------------------------------------------------------

import sys, os, time, glob, shutil

from optparse import OptionParser

import subprocess

# -----------------------------------------------------------------------

vm_paths = {

# the standard path on Mac OS X

'/Library/Application Support/VMware Fusion/vmrun': 'fusion',

# the standard path on Linux

'/usr/bin/vmrun': 'ws',

# the standard path on Windows

'C:\\Program Files\\VMware\\VMware Workstation\\vmrun.exe': 'ws',

def pinfo(msg):

print "[INFO] ", msg

def perror(msg):

print "[ERROR] ", msg

# -----------------------------------------------------------------------

class VBoxAuto:

def __init__(self, machine):


self.machine = machine

self.ctx = {}

self.mach = None

def get_mach(self):

return self.ctx['global'].getArray(self.ctx['vb'], 'machines')

def check(self):

try:

from vboxapi import VirtualBoxManager

except ImportError:

perror('You need to install VirtualBox!')

return False

vbm = VirtualBoxManager(None, None)

self.ctx = {'global':vbm,

'const' :vbm.constants,

'vb' :vbm.vbox,

'mgr' :vbm.mgr}

# the machine name or id must be valid

for m in self.get_mach():

if m.name == self.machine or m.id == self.machine:

self.mach = m

break
if self.mach == None:

perror('Cannot find the machine: %s' % self.machine)

return False

pinfo('Using %s (uuid: %s)' % (self.mach.name, self.mach.id))

pinfo('Session state: %s' % self.get_const(

"SessionState", self.mach.sessionState))

pinfo('Machine state: %s' % self.get_const(

"MachineState", self.mach.state))

return True

def get_const(self, enum, elem):

# this lookup fails on Python2.6 - if that happens

# then just return the element number

try:

all = self.ctx['const'].all_values(enum)

for e in all.keys():

if str(elem) == str(all[e]):

return e

except:

return '%d' % elem

def list(self):

try:

for m in self.get_mach():

print "%-12s %s (state:%s/%s)" %(m.name, m.id,

self.get_const("MachineState", m.state),
self.get_const("SessionState", m.sessionState))

except:

perror('No machines. Did you call check() first?')

def start(self, nsecwait=20):

vb = self.ctx['vb']

session = self.ctx['mgr'].getSessionObject(vb)

p = vb.openRemoteSession(session, self.mach.id, 'gui', '')

while not p.completed:

p.waitForCompletion(1000)

self.ctx['global'].waitForEvents(0)

if int(p.resultCode) == 0:

session.close()

else:

perror('Cannot start machine!')

pinfo('Waiting %d seconds to boot...' % nsecwait)

time.sleep(nsecwait)

def opensession(self):

session = self.ctx['global'].openMachineSession(self.mach.id)

mach = session.machine

return (session, mach)

def closesession(self, session):

self.ctx['global'].closeMachineSession(session)

time.sleep(5)
def stop(self):

(session, mach) = self.opensession()

pinfo('Powering down the system')

try:

session.console.powerDown()

time.sleep(5)

self.closesession(session)

except Exception, e:

pinfo(e)

def revert(self, snapname):

# Revert a VM to the specified snapshot

(session, mach) = self.opensession()

pinfo("Reverting to snapshot '%s'" % snapname)

try:

snap = mach.findSnapshot(snapname)

session.console.restoreSnapshot(snap)

time.sleep(5)

self.closesession(session)

except Exception, e:

pinfo(e)

def winexec(self, user, passwd, args):

(session, mach) = self.opensession()

try:

argstr = ' '.join(args[1:])

except:

argstr = ''
pinfo("Executing '%s' with args '%s'" % (args[0], argstr))

pinfo("If this set fails, set up autologin for your user.")

env = []

ret = session.console.guest.executeProcess(

args[0],

0,

args,

env,

user, passwd, 0)

# on Windows, executeProcess returns an IProgress instance

if os.name == "nt":

pid = ret[3]

else:

pid = ret[1]

pinfo('Process ID: %d' % pid)

# -----------------------------------------------------------------------

class VMwareAuto:

def __init__(self, vmx):

self.vmx = vmx

self.vmrun = None

self.vmtype = None

if not os.path.isfile(vmx):

raise 'Cannot find vmx file in ' + vmx

for (path,type) in vm_paths.items():


if os.path.isfile(path):

self.vmrun = path

self.vmtype = type

break

if self.vmrun == None:

raise 'Cannot find vmrun in ' + ','.join(vm_paths.keys())

else:

print 'Found vmrun (running on %s)' % self.vmtype

def setuser(self, user, passwd):

'''

Sets the credentials on the guest machine to

use when copying files to/from the guest and

when executing programs in the guest

'''

self.user = user

self.passwd = passwd

def run_cmd(self, cmd, args=[], guest=False):

'''

Execute a command through vmrun. Additional

parameters for commands can be set with args[]

'''

print 'Executing ' + cmd + ' please wait...'

pargs = [self.vmrun, '-T', self.vmtype]

if guest:

pargs.extend(['-gu', self.user])

pargs.extend(['-gp', self.passwd])
pargs.append(cmd)

pargs.append(self.vmx)

pargs.extend(args)

proc = subprocess.Popen(

pargs,

stdout=subprocess.PIPE,

stderr=subprocess.STDOUT

return proc.communicate()[0]

def list(self):

'''

List the running virtual machines

'''

pargs = [self.vmrun, 'list']

print pargs

proc = subprocess.Popen(

pargs,

stdout=subprocess.PIPE

return proc.communicate()[0]

def start(self):

'''

Start the virtual machine specified by self.vmx

'''

return self.run_cmd('start')
def stop(self):

'''

Stop the virtual machine specified by self.vmx

'''

return self.run_cmd('stop')

def revert(self, snapname):

'''

Revert the virtual machine specified by self.vmx

to the given snapshot

'''

return self.run_cmd('revertToSnapshot', [snapname])

def suspend(self):

'''

Suspend the virtual machine specified by self.vmx.

This is usually done after executing malware in order

freeze the machine's state and obtain its physical

memory sample

'''

return self.run_cmd('suspend')

def scrshot(self, outfile):

'''

Take a screen shot of the guest's desktop and

save it to the file specified by outfile

'''

return self.run_cmd('captureScreen', [outfile], guest=True)


def copytovm(self, src, dst):

'''

Copy the src file (src is a path on the host) to

dst (dst is a path on the guest).

'''

if not os.path.isfile(src):

perror('Cannot locate source file ' + src)

return

return self.run_cmd(

'copyFileFromHostToGuest', [src, dst], guest=True)

def copytohost(self, src, dst):

'''

Copy the src file (src is a path on the guest) to

dst (dst is a path on the host).

'''

return self.run_cmd(

'copyFileFromGuestToHost', [src, dst], guest=True)

def winexec(self, file, args=''):

'''

Execute a command in the guest with supplied arguments.

You can use this to execute malware or existing programs

on the guest machine such as monitoring tools or whatever.

'''

return self.run_cmd(

'runProgramInGuest',

'-noWait',
'-interactive',

'-activeWindow',

file, args

],

guest=True)

def findmem(self):

'''

Find the file on the host machine's file system that

represents the guest's physical memory. This is usually

only available when the guest is suspended

'''

path = os.path.dirname(self.vmx)

mems = glob.glob('%s/*.vmem' % (path))

mems = [m for m in mems if "Snapshot" not in m]

return mems[0] if len(mems) else ''

def main(argv):

print 'Nothing to do. Import me!'

return 0

if __name__ == '__main__':

main(sys.argv)

Automated Malware Analysis VMWARE


Steps: Create script to turn on Windows Sever 2012 virtual machine in Vmware.
Create a script to suspend all virtual machines running on VMware.
Create a script to create snapshots for virtual machines running on VMware.

Create a script to revert all snapshots for virtual machines running on VMware.
Create a script to delete newly created snapshot files from the above script

You might also like