"Cuckoo sandbox" cuckoo sandbox study notes

Source: Internet
Author: User

This is one of the top ten projects on GitHub, and I've only finished learning some of its features, so I'll share some experience.

Project address: https://github.com/cuckoosandbox/cuckoo

0x01 Debugging

Running the code under a debugger is the most important part of studying it, so first some debugging tips.

The IDE's debugger is the most basic tool, so let me introduce the basic debugging keys first.

F9: Resume the debug run; the program continues directly to the next breakpoint.

F8: Step over, equivalent to F10 in VS.

F7: Also a single step, but it enters the called function; equivalent to F11 in VS.

Ctrl+Alt+B: Jump into a function to see its internal implementation. Very practical, and essential.

Ctrl+F: Search for key variables and functions; to inspect a function or variable, drag it into the Watches panel to see its contents.

0x02 Function walkthrough

The first step is reading the configuration file.

The first arrow (in the screenshot) marks where the absolute path of the configuration file is assembled.

The reading process is very detailed; debug it with the configuration file contents in hand.

The section is the config file name, the key is something like `hello_world`, and the value is something like `on`.

By iterating over the sections you can read the configuration keys one by one.

Then the server's information is stored in a class: the server's port, IP, the path of the file to be injected, the type of package to analyze, and so on.

Then it determines whether the PE file is an exe, sys or dll; all of these belong to the PE-file analysis path.

Next comes a similar set of steps to configure the information about our virtual machine. The process is much the same, so no code is shown for it here.

Then it binds the TCP port and starts the listening thread.

After listening on the port, it can start the XML-RPC side and build the host connection URL = http://192.168.1.10:8000

Since the goal is to connect to the guest, once the URL is built the host waits for the virtual machine to connect.

A delayed-wait function is used, and `get_status()` is polled to check the connection state; once the connection is up it leaves the wait and starts the analysis.

Then it builds the path of the files that need to be transferred, walks the directory with `os.walk`, compresses every file in the analyzer directory, and sends the archive with `xmlrpclib.Binary(zip_data.getvalue())`.

The virtual machine unzips the archive.

Once the virtual machine has received the file to be analyzed, the injection and analysis can start.

Next it builds the path to the analyzer script and launches it with `subprocess.Popen`, which starts the analysis.

The client (agent) side is mainly these few lines: it uses `SimpleXMLRPCServer`, and the function that builds the RPC connection is called from the server side.
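As an added example (not Cuckoo's own code), the host/agent exchange described above in Python 3, where `xmlrpc.client` replaces the `xmlrpclib` the notes mention: the host zips an analyzer directory with `os.walk`, sends it as `Binary` to a small XML-RPC agent that exposes `get_status()`, and the agent unpacks it. The `Agent` class, its `add_analyzer` method and the sample files are assumptions made for this example.

```python
import io
import os
import tempfile
import threading
import zipfile
from xmlrpc.client import Binary, ServerProxy
from xmlrpc.server import SimpleXMLRPCServer

def pack_directory(root):
    # os.walk the tree and zip every file in memory; the host wraps these bytes in Binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _dirs, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                zf.write(full, os.path.relpath(full, root))  # store relative paths
    return buf.getvalue()

class Agent:
    # Hypothetical guest-side agent exposed over XML-RPC (not Cuckoo's agent.py).
    def __init__(self, dest):
        self.dest = dest
        self.status = "ready"

    def get_status(self):
        return self.status

    def add_analyzer(self, data):
        # data arrives as xmlrpc.client.Binary; .data holds the archive bytes
        with zipfile.ZipFile(io.BytesIO(data.data)) as zf:
            zf.extractall(self.dest)
        self.status = "unpacked"
        return True

def run_roundtrip():
    # Constructed sample: host packs a two-file analyzer tree and ships it to the agent.
    src, dest = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(src, "lib"))
    for rel in ("analyzer.py", os.path.join("lib", "core.py")):
        with open(os.path.join(src, rel), "w") as f:
            f.write("# constructed sample file\n")
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    server.register_instance(Agent(dest))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host = ServerProxy("http://127.0.0.1:%d" % server.server_address[1])
    before = host.get_status()
    host.add_analyzer(Binary(pack_directory(src)))
    after = host.get_status()
    server.shutdown()
    return before, after, sorted(os.listdir(dest))
```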

The analysis flow in analyzer.py is not hard: it creates the pipes for inter-process communication, then calls the already-written loadexe.exe with target.exe and the dll, and injects it. Most of the injection functions are implemented in C++, mainly remote injection and APC injection.

Finally, attached is the result of a successful run. I hope it is helpful to anyone studying this malware analysis system.

"Cuckoo sandbox" cuckoo sandbox study notes

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.