"Cuckoo sandbox" cuckoo sandbox study notes

This is one of the top ten projects on GitHub, and I've only finished learning some of the features to share some experience

Entire Project connection address: Https://github.com/cuckoosandbox/cuckoo

0x01 debugging to run the learning code is very important is the debugging, so first on the point of debugging Tips

A compiler is the most basic debugging, so first introduce the basic debugging AH

F9: Debug Run, Debug run process, press F9, will go directly to the next breakpoint.

F8: Single-step operation, equivalent to VS F10

F7: It's also a single-step operation, but near-function, equivalent to the F11 of VS

Ctrl+alt+b: Enter function to see the specific inner wing of the function, quite practical, necessary

Ctrl+f: Search for key variable functions, view functions or variables and drag them into the watches to get inside.

0x02 function Explanation article

The first is to read the configuration file information

The first arrow, the absolute path of the composition

The process of reading is very detailed. Debug with profile information

Section = config (filename), Key = Hello_world This class of Keyvalue=on

You can read the profile key information one by one by changing the calendar.

Then set the server's information to a class, configure the server class information, port, IP, the path of the injected file, analyze the type of the package or something

Then determine whether the PE file Exe.sys.dll in one, which belongs to the analysis of PE files together

Next is the same similar steps to configure the information about our virtual machine, the process is similar, here is no code to explain

Then the TCP binding port is used to turn on thread monitoring

Listen to the port, and then you can turn on our XML-RPC build host connection URL = http://192.168.1.10:8000

Since you want to connect people, the construction is good after the connection of course, the following is waiting for the virtual machine connection

A deferred wait function is used, and then the Getsatutau () is determined to get the link status once the connection exits waiting to start the analysis

Then build the path that needs to transfer the files, Traverse, compress, and use Xmlrpclib. Binary (Zip_data.getvalue ())

Transfer the compressed package. Os_walk Traverse Path, compress all files of the analysis directory

Unzip the virtual machine

Once the virtual machine is connected to a file that needs to be analyzed, you can start injecting the analysis

Next, you can build the path to the parsing thread file, subprocess. Popen. Turn on threads, start profiling

And the client is mainly these sentences, using Simplexmlrpcserver, the call to build RPC connection function is on the server

analyzer.py analysis process is not difficult, right, create pipelines, interprocess communication, and then call write good, loadexe.exe,target.exe,dll, inject it OK, most of the injected functions are implemented in C + +, mainly remote injection and APC injection;

Finally attach the successful running result hope to be helpful to the person who learns this malicious analysis system

"Cuckoo sandbox" cuckoo sandbox study notes