When working with manual testing/execution of malware, I quickly find myself missing the sandbox reports of changes made to the system that you get if you are using Cuckoo, for example.
Sandboxes like Cuckoo are very useful, but I prefer manual work for certain kinds of tests. It's nice to have several methods available.
First of all I would like to give some credit to a colleague of mine for inspiring me to solve my need in the way described below; he did something similar in his setup. So thanks! =)
The script included in this post will mount a virtual machine image, be it a VirtualBox or KVM/QEMU image, using qemu-nbd from qemu-utils.
After the image is mounted, AIDE, a file and directory integrity checker
(http://aide.sourceforge.net/), will identify changes made to the file system. If you prefer Samhain or Tripwire, they will most likely work fine as long as you adjust the syntax in the script.
On the first run the script checks whether aide.db exists; if not, one is created, and this becomes the baseline for further checks. You should of course do this on a clean system.
Once you have a baseline db, have executed your malware sample and are happy with the results, run the script against the image to see which files have been created and/or modified. The changes are also saved to a log file (changes.log).
Please install the prerequisites and change the paths to fit your environment.
--- script start ---
#!/bin/sh
# Detect which files have been changed and/or added to a VM image. Useful for manual malware
# detection in a sandbox environment
# v1.0 - mikael keri / @nsmfoo
# prerequisites: qemu-utils, aide and root access

usage () {
    echo "usage: $0 -i image_name (incl. path) -m mount_dir -a <check|update>"
}

image_name=""
mount_dir=""
aide=""

# -h takes no argument; -i, -m and -a do
while getopts ":i:m:a:h" option; do
    case $option in
        i) image_name="$OPTARG" ;;
        m) mount_dir="$OPTARG" ;;
        a) aide="$OPTARG" ;;
        h) usage
           exit 0
           ;;
        :) echo "Error: -$OPTARG requires an argument"
           usage
           exit 1
           ;;
        ?) echo "Error: unknown option: -$OPTARG"
           usage
           exit 1
           ;;
    esac
done

if [ -z "$image_name" ]; then
    echo "No image defined"
    usage
    exit 1
fi
if [ -z "$mount_dir" ]; then
    echo "No mount directory defined"
    usage
    exit 1
fi
if [ -z "$aide" ]; then
    echo "No Aide command defined - valid values are check or update"
    usage
    exit 1
fi
if [ "$aide" != "update" ] && [ "$aide" != "check" ]; then
    echo "Valid Aide arguments are either update or check"
    usage
    exit 1
fi
# modprobe, qemu-nbd and mount all need root
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root"
    exit 1
fi

# remove trailing slash
mount_dir="${mount_dir%/}"

# only load the module once
if ! lsmod | grep -q '^nbd'; then
    printf "Loading kernel module.."
    modprobe nbd
    sleep 5
    echo "finished!"
fi

# mount image (read-only, so the analysis never alters the evidence)
printf "Mounting image.."
qemu-nbd -c /dev/nbd0 "$image_name" || exit 1
sleep 5
# abort on a failed mount; otherwise aide would baseline/check an empty directory
mount --read-only /dev/nbd0p1 "$mount_dir" || { qemu-nbd -d /dev/nbd0; exit 1; }
echo "finished!"

# init the aide db if it does not exist
if [ ! -f /usr/local/etc/aide.db ]; then
    printf "Aide db does not exist. First run, it will take some time .."
    aide -c /usr/local/etc/kvm_aide.conf --init
    cp /usr/local/etc/aide.db.new /usr/local/etc/aide.db
    echo "finished!"
fi

if [ "$aide" = "check" ]; then
    # check for changes
    printf "Check for changes.."
    aide -c /usr/local/etc/kvm_aide.conf --check > changes.log
    cat changes.log
    echo "finished!"
elif [ "$aide" = "update" ]; then
    printf "Updating Aide db.."
    aide -c /usr/local/etc/kvm_aide.conf --update
    cp /usr/local/etc/aide.db.new /usr/local/etc/aide.db
    echo "finished!"
fi

# umount and unload
printf "Cleaning.."
umount "$mount_dir"
qemu-nbd -d /dev/nbd0
echo "finished!"
--- script end ---
Example syntax: ./hash_vm.sh -i /var/lib/libvirt/images/johndoe.qcow2 -m /mnt -a check
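What the --init / --check cycle in the script above actually does, as an added example that is not part of the original post: a small POSIX shell stand-in for the AIDE baseline and check, run here against a constructed directory tree instead of a mounted guest image. fs_baseline, fs_compare and demo_run are names chosen for this example; it records SHA-256, mode and size per file, which is a subset of the attributes AIDE tracks.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the AIDE --init / --check cycle.
# Every regular file under a tree is recorded as "sha256<TAB>mode<TAB>size<TAB>path";
# a later run re-hashes the tree and reports added, removed and modified files.
# Function names and the sample tree in demo_run are constructed for this example.

tab=$(printf '\t')

# fs_baseline <dir> <baseline_file>
# Record every regular file under <dir>, sorted by path, into <baseline_file>.
fs_baseline() {
    ( cd "$1" && find . -type f -exec sh -c '
        for f; do
            sum=$(sha256sum "$f" | cut -d" " -f1)
            mode=$(stat -c %a "$f")
            size=$(stat -c %s "$f")
            printf "%s\t%s\t%s\t%s\n" "$sum" "$mode" "$size" "$f"
        done' sh {} + ) | sort -t "$tab" -k 4 > "$2"
}

# fs_compare <dir> <baseline_file>
# Re-hash <dir>, print one "added|modified|removed <path>" line per difference,
# and return 1 if anything changed (0 if the tree still matches the baseline).
fs_compare() {
    cur=$(mktemp)
    fs_baseline "$1" "$cur"
    changes=$(awk -F '\t' '
        FILENAME == ARGV[1] { base[$4] = $1 "\t" $2 "\t" $3; next }
        {
            if (!($4 in base))                        print "added " $4
            else if (base[$4] != $1 "\t" $2 "\t" $3) print "modified " $4
            delete base[$4]
        }
        END { for (p in base) print "removed " p }
    ' "$2" "$cur" | sort)
    rm -f "$cur"
    [ -n "$changes" ] && printf '%s\n' "$changes"
    [ -z "$changes" ]
}

# demo_run: constructed directory tree standing in for a mounted guest image.
# Takes a baseline, simulates what a sample run might leave behind, then compares.
demo_run() {
    work=$(mktemp -d)
    mkdir -p "$work/img/Windows/System32" "$work/img/Users/analyst"
    printf 'original\n' > "$work/img/Windows/System32/drivers.txt"
    printf 'hello\n'    > "$work/img/Users/analyst/notes.txt"
    printf 'gone\n'     > "$work/img/Users/analyst/old file.txt"
    fs_baseline "$work/img" "$work/baseline.db"
    printf 'patched\n'  > "$work/img/Windows/System32/drivers.txt"   # modified
    printf 'x\n'        > "$work/img/Windows/System32/dropped.dll"   # added
    rm "$work/img/Users/analyst/old file.txt"                        # removed
    if fs_compare "$work/img" "$work/baseline.db"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

if [ "${1:-}" = "demo" ]; then
    demo_run
fi
```

Run with `sh this_file.sh demo` to see the three change lines. On a real mount point from the script above, `fs_baseline /mnt baseline.db` on the clean image and `fs_compare /mnt baseline.db` after the sample has run give the same kind of report; the exit status is 1 whenever anything changed, so it can drive further automation. Modification time is deliberately not recorded here, since a read-only mount of a copied image keeps timestamps intact anyway; AIDE can be configured to include it.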
/Micke @nsmfoo
Thursday, October 18, 2012
Tuesday, October 2, 2012
Modifying VirtualBox settings for malware analysis part 3
Follow-up on my two previous posts regarding preparing VirtualBox for malware analysis.
I hope this third post concludes this research, for a while at least.
Please review the two earlier posts before applying the settings below.
Modify the BIOS.
By adding your own DSDT image, you will be able to close a couple more ways to detect the presence of a virtual machine. It also makes the guest look a bit more "natural".
Start with generating a DSDT image:
sudo dd if=/sys/firmware/acpi/tables/DSDT of=DSDT.bin
Move the DSDT.bin to somewhere you see fit (the path contains a space, so quote it):
mv DSDT.bin "../VirtualBox VMs/<vm name>/"
sudo chown <vbox user>:<vbox user> "../VirtualBox VMs/<vm name>/DSDT.bin"
Then run the following command to update the config for your guest:
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/acpi/0/Config/CustomTable" "<path to DSDT.bin>"
VirtualBox 4.2 also enables the guest to retrieve a few more values from the host. If they are not set, they will contain strings like "Oracle" and "Virtualbox/VBOX".
Start with retrieving some more information from your physical host:
sudo dmidecode -t2
Sample output:
Base Board Information
Manufacturer: <Vendor>
Product Name: <Product>
Version: Not Available
Serial Number: <Serial>
Asset Tag: Not Specified
Features: None
Location In Chassis: Not Specified
Chassis Handle: <Value>
Type: Unknown
Contained Object Handles: 0
Set the values using the output above:
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "<Vendor>"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "<Product>"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "Not Available"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "<Serial>"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Not Specified"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Not Specified"
Then run dmidecode once more:
sudo dmidecode -t3
Chassis Information
Manufacturer: <Vendor>
Type: Notebook
Lock: Not Present
Version: Not Available
Serial Number: <Serial>
Asset Tag: No Asset Information
Boot-up State: Unknown
Power Supply State: Unknown
Thermal State: Unknown
Security Status: Unknown
OEM Information: 0x00000000
Height: Unspecified
Number Of Power Cords: Unspecified
Contained Elements: 0
Set the values using the output above:
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "<Vendor>"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Not Available"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "<Serial>"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "No Asset Information"
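As an added example (not from the post): a shell function that reads the dmidecode -t2 / -t3 output and prints the VBoxManage setextradata lines listed above with the host's values filled in, so nothing is retyped or mistyped. dmi_to_vbox and sample_dmi are names chosen here; the sample DMI text is constructed, with placeholder vendor and serial values, in the layout dmidecode prints. The mapping covers exactly the ten pcbios keys used in the post.

```shell
#!/bin/sh
# Added example: generate the VBoxManage setextradata lines from dmidecode output
# instead of copying the values by hand. Reads dmidecode -t2 / -t3 text on stdin,
# prints the commands on stdout; nothing is applied unless you pipe them to sh.
# dmi_to_vbox and sample_dmi are names chosen for this example.

# dmi_to_vbox <VM name>     (dmidecode output on stdin)
dmi_to_vbox() {
    awk -v vm="$1" '
        BEGIN {
            # DMI section + field  ->  VirtualBox pcbios config key (as used in the post)
            m["Base Board Information", "Manufacturer"]        = "DmiBoardVendor"
            m["Base Board Information", "Product Name"]        = "DmiBoardProduct"
            m["Base Board Information", "Version"]             = "DmiBoardVersion"
            m["Base Board Information", "Serial Number"]       = "DmiBoardSerial"
            m["Base Board Information", "Asset Tag"]           = "DmiBoardAssetTag"
            m["Base Board Information", "Location In Chassis"] = "DmiBoardLocInChass"
            m["Chassis Information", "Manufacturer"]           = "DmiChassisVendor"
            m["Chassis Information", "Version"]                = "DmiChassisVersion"
            m["Chassis Information", "Serial Number"]          = "DmiChassisSerial"
            m["Chassis Information", "Asset Tag"]              = "DmiChassisAssetTag"
        }
        # section headings are unindented; a Handle line or a blank line ends a section
        /^(Base Board|Chassis) Information$/ { section = $0; next }
        /^Handle / || /^$/                   { section = ""; next }
        section != "" && index($0, ":") {
            key = $0; sub(/^[ \t]+/, "", key); sub(/:.*$/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            if ((section, key) in m)
                printf "VBoxManage setextradata \"%s\" \"VBoxInternal/Devices/pcbios/0/Config/%s\" \"%s\"\n",
                       vm, m[section, key], val
        }
    '
}

# Constructed sample in the layout of `dmidecode -t2; dmidecode -t3` (placeholder values).
sample_dmi() {
    cat <<'EOF'
Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
        Manufacturer: ExampleVendor
        Product Name: ExampleBoard
        Version: Not Available
        Serial Number: EXAMPLE-BOARD-SERIAL
        Asset Tag: Not Specified
        Features: None
        Location In Chassis: Not Specified
        Chassis Handle: 0x0003
        Type: Unknown
        Contained Object Handles: 0

Handle 0x0003, DMI type 3, 22 bytes
Chassis Information
        Manufacturer: ExampleVendor
        Type: Notebook
        Lock: Not Present
        Version: Not Available
        Serial Number: EXAMPLE-CHASSIS-SERIAL
        Asset Tag: No Asset Information
EOF
}

if [ "${1:-}" = "demo" ]; then
    sample_dmi | dmi_to_vbox "<VM name>"
fi
```

Run with `sh this_file.sh demo` to see the ten generated commands for the sample. On a real host, review the output first and only then apply it: `{ sudo dmidecode -t2; sudo dmidecode -t3; } | dmi_to_vbox "<VM name>" | sh`. Fields that the post does not set (Type, Lock, Chassis Handle, and so on) are skipped, so the guest gets exactly the values shown above and nothing else.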
The above settings mean that you will have to update the batch script described in the previous posts.
The script will now look like this:
Replace <VENDOR> with your hardware vendor.
--- start script -------
@reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\WOOT__ /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\VBOX__ /f
@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\WOOTBIOS /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS /f
@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\<VENDOR>\VBOXFACP HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\<VENDOR>\WOOTFACP /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\<VENDOR>\VBOXFACP /f
@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\<VENDOR>\VBOXRSDT HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\<VENDOR>\WOOTRSDT /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\<VENDOR>\VBOXRSDT /f
@reg add HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v VideoBiosVersion /t REG_MULTI_SZ /d "VGA BIOS v1.14" /f
---- end of script ---