Cuckoo is one of the most popular security projects on GitHub. I have only worked through part of its features so far, so these notes share what I have learned.
Project repository: https://github.com/cuckoosandbox/cuckoo
0x01 Debugging
To understand how the code runs, stepping through it in a debugger is essential, so here are some debugging tips first.
The IDE's debugger is the most basic tool. These are the shortcuts in the IDE I use, with the Visual Studio equivalents where they differ:
F9: Resume. Continues execution until the next breakpoint.
F8: Step over. Single-steps without entering called functions (equivalent to F10 in Visual Studio).
F7: Step into. Also single-steps, but enters the called function (equivalent to F11 in Visual Studio).
Ctrl+Alt+B: Go to implementation. Jumps into a function to see its body; very practical and essential.
Ctrl+F: Search for key variables and functions. You can also drag a variable or function into the Watches pane to inspect its value while stepping.
0x02 Walkthrough of the functions
The first thing the code does is read the configuration file.
First it assembles the absolute path of the configuration file.
The reading process is very detailed; it is worth stepping through with the debugger while watching the configuration values.
Config(filename) loads the file; each section becomes an object, and each option becomes a key/value pair, e.g. a key hello_world with the value on.
By iterating over the parsed sections you can read the configuration keys one by one.
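As an added example (not code from the Cuckoo project), here is a small loader that does what the notes describe with Python's configparser: each section becomes an object whose keys can be read one by one, and values such as on/off are converted to booleans and numbers to integers. The sample .conf text, its section names and the Section/load_config/dump names are constructed for this example.

```python
import configparser

# Constructed sample in the style of a Cuckoo .conf file (not a real project file).
SAMPLE_CONF = """
[cuckoo]
debug = off
analysis_timeout = 120

[resultserver]
ip = 192.168.1.10
port = 2042
"""


class Section(dict):
    """A section as a dict that also allows cfg[section].key access."""

    def __getattr__(self, name):
        try:
            return self[name]
        except KeyError:
            raise AttributeError(name)


def load_config(text):
    """Parse config text into {section: Section}, converting values.

    Each option is tried as a boolean (on/off, yes/no, true/false, 1/0),
    then as an integer, and kept as a string otherwise.  Caveat of this
    ordering: a bare 0 or 1 becomes False/True, not an int.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    cfg = {}
    for section in parser.sections():
        values = Section()
        for key in parser.options(section):
            try:
                values[key] = parser.getboolean(section, key)
            except ValueError:
                try:
                    values[key] = parser.getint(section, key)
                except ValueError:
                    values[key] = parser.get(section, key)
        cfg[section] = values
    return cfg


def dump(cfg):
    """Walk the parsed sections and keys one by one, as the notes describe."""
    lines = []
    for section, values in cfg.items():
        for key, value in values.items():
            lines.append("%s.%s = %r" % (section, key, value))
    return lines


if __name__ == "__main__":
    for line in dump(load_config(SAMPLE_CONF)):
        print(line)
```

The type conversion is what makes a key such as debug = off usable directly as a Python boolean; keep the 0/1 caveat in mind for ports or counts that could legitimately be 1.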
The server information is then stored in a class: the result server's IP and port, the path of the file to be injected, the type of the analysis package, and so on.
Next it checks whether the target is a PE file, i.e. one of exe, sys or dll; these all belong to PE-file analysis and are handled together.
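An added example, not the project's own check, of how a file can be classified as exe, sys or dll from its PE header rather than from its extension: the IMAGE_FILE_DLL flag in the COFF Characteristics field marks a DLL, and a Subsystem of IMAGE_SUBSYSTEM_NATIVE marks a driver. The make_pe helper constructs minimal, header-only byte strings for testing; they are not loadable binaries, and the function names are mine.

```python
import struct

IMAGE_FILE_DLL = 0x2000        # Characteristics bit: the image is a DLL
IMAGE_SUBSYSTEM_NATIVE = 1     # kernel drivers (and a few user-mode native exes)


def pe_kind(data):
    """Classify raw file bytes as 'exe', 'dll' or 'sys'; None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    if data[e_lfanew:coff] != b"PE\0\0" or coff + 20 > len(data):
        return None
    # IMAGE_FILE_HEADER: SizeOfOptionalHeader at +16, Characteristics at +18
    size_opt, characteristics = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    # Subsystem sits at optional-header offset 68 for both PE32 and PE32+
    if size_opt < 70 or opt + 70 > len(data):
        return None
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    if characteristics & IMAGE_FILE_DLL:
        return "dll"
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        # Heuristic: native-subsystem user-mode programs such as smss.exe
        # would also land here; pair with the extension when in doubt.
        return "sys"
    return "exe"


def make_pe(characteristics, subsystem):
    """Construct a minimal PE32 header (DOS stub + COFF + optional header)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(96)                       # PE32 optional header, no data dirs
    struct.pack_into("<H", opt, 0, 0x10B)     # Magic: PE32
    struct.pack_into("<H", opt, 68, subsystem)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE; subsystem 2 = WINDOWS_GUI
    print(pe_kind(make_pe(0x0102, 2)), pe_kind(make_pe(0x2102, 2)),
          pe_kind(make_pe(0x0102, 1)), pe_kind(b"#!/bin/sh\n"))
```

Checking the header rather than trusting the name matters in a sandbox: a sample delivered as payload.jpg that is really a DLL still needs the DLL analysis package.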
The virtual machine information is configured next in the same way; the process is very similar, so I will not go through that code here.
A TCP port is then bound and a monitoring thread is started.
With the port listening, the XML-RPC connection to the guest can be built, with a URL such as http://192.168.1.10:8000.
Since the point is to talk to the guest, the connection is built first and then the host waits for the virtual machine to connect.
A polling wait function is used: it repeatedly calls get_status() to check the connection state, and once the guest reports it is ready the wait exits and analysis starts.
Then the path of the files to transfer is built, the directory is traversed, everything is compressed, and the archive is sent with xmlrpclib.Binary(zip_data.getvalue()).
os.walk traverses the path and all files of the analyzer directory are compressed into the archive that is transferred.
The virtual machine unzips it.
Once the virtual machine has the files it needs for analysis, injection and analysis can start.
Next the path of the analyzer script is built and it is launched with subprocess.Popen, which starts the analysis as a separate process.
On the client (guest) side the core is just a few lines: a SimpleXMLRPCServer exposes the functions that the server calls over the RPC connection.
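The host-to-guest exchange described in the steps above, as an added example that is not the project's own code: a guest-side SimpleXMLRPCServer exposing get_status, add_analyzer and execute; a host side that polls the status, walks a directory with os.walk into an in-memory zip, sends it as a Binary object and asks the guest to launch the unpacked analyzer with subprocess.Popen. Both sides run in one process on localhost here. The method names, the status constants and the sample analyzer script are assumptions for the example, and Python 3's xmlrpc.client stands in for Python 2's xmlrpclib.

```python
import io
import os
import subprocess
import sys
import tempfile
import threading
import time
import zipfile
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer

# Guest status values (assumed for this example, not Cuckoo's constants).
STATUS_READY = 1
STATUS_RUNNING = 2


class Agent:
    """Guest side: what the XML-RPC server inside the VM exposes to the host."""

    def __init__(self, root):
        self.root = root            # where uploaded analyzers are unpacked
        self.status = STATUS_READY
        self.analyzer_dir = None

    def get_status(self):
        return self.status

    def add_analyzer(self, data):
        # `data` arrives as xmlrpc.client.Binary; .data holds the raw zip bytes.
        self.analyzer_dir = tempfile.mkdtemp(prefix="analyzer-", dir=self.root)
        with zipfile.ZipFile(io.BytesIO(data.data)) as zf:
            zf.extractall(self.analyzer_dir)
        return self.analyzer_dir

    def execute(self):
        # Launch the unpacked analyzer as a child process and wait for it.
        self.status = STATUS_RUNNING
        proc = subprocess.Popen(
            [sys.executable, os.path.join(self.analyzer_dir, "analyzer.py")],
            cwd=self.analyzer_dir,
        )
        rc = proc.wait()
        self.status = STATUS_READY
        return rc


def start_agent(root):
    """Start the guest-side RPC server on a free localhost port."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    server.register_instance(Agent(root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def zip_directory(path):
    """Host side: os.walk the analyzer directory into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, _dirs, files in os.walk(path):
            for name in files:
                full = os.path.join(root, name)
                zf.write(full, os.path.relpath(full, path))
    return buf.getvalue()


def run_analysis(analyzer_src, timeout=5.0):
    """Host side: wait for the guest, upload the analyzer, run it."""
    guest_root = tempfile.mkdtemp(prefix="guest-")
    server = start_agent(guest_root)
    host, port = server.server_address
    agent = xmlrpc.client.ServerProxy("http://%s:%d" % (host, port))
    deadline = time.time() + timeout
    while agent.get_status() != STATUS_READY:     # polling wait on get_status()
        if time.time() > deadline:
            raise RuntimeError("guest never became ready")
        time.sleep(0.1)
    payload = xmlrpc.client.Binary(zip_directory(analyzer_src))
    analyzer_dir = agent.add_analyzer(payload)
    rc = agent.execute()
    server.shutdown()
    server.server_close()
    return {"returncode": rc, "analyzer_dir": analyzer_dir}


def build_sample_analyzer():
    """Constructed stand-in for the real analyzer: it just writes a marker file."""
    src = tempfile.mkdtemp(prefix="analyzer-src-")
    with open(os.path.join(src, "analyzer.py"), "w") as f:
        f.write("open('done.txt', 'w').write('analysis complete')\n")
    return src


def marker_text(analyzer_dir):
    """Read the marker the sample analyzer leaves behind, or None if missing."""
    path = os.path.join(analyzer_dir, "done.txt")
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    result = run_analysis(build_sample_analyzer())
    print(result, marker_text(result["analyzer_dir"]))
```

Two practical points this shows: the guest never pulls anything, the host pushes the archive, so the guest only needs the RPC port open; and the whole analyzer package is rebuilt and shipped per run, which is why editing analyzer.py on the host takes effect on the next analysis without touching the VM image.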
The analyzer.py flow is not difficult: create pipes for inter-process communication, then call the pre-built loadexe.exe, target.exe and the dll, and inject. Most of the injection functions are implemented in C/C++, mainly remote thread injection and APC injection.
Finally, I attach the result of a successful run. I hope this is helpful to anyone learning this malware analysis system.
"Cuckoo Sandbox" study notes