Tools_NoribenSandbox
Source: Internet  Published: 淘宝网电脑版登陆网址  Editor: 程序博客网  Time: 2024/06/06 01:46
This post covers deploying NoribenSandbox. A while ago I read an introduction on FreeBuf, followed it to set the sandbox up, hit quite a few problems along the way, and am writing up a short summary here.
Noriben sandbox: deal with malware in minutes
Git-Rurik/Noriben
0x1. Preparation
To be honest, this part was filled in while writing the post.
-------readme--NewVM_SNAPSHOT Preparatory-----
1. Install a zip program: cd dir; 7z.exe a -tzip config2.exe i386\*.* -p123
2. Install Python 2.7: py ...
3. Create a directory: c:\Malware
4. Add an account: PC - 110
5. Procmon: copy Procmon to your dir
6. Open the VM system to start (skip gu-gp)
7. New VM_SNAPSHOT: %VMRUN% -T ws snapshot %VMX% %VM_SNAPSHOT%
8. You can set nogui
9. You will find result.zip in your current dir; the password is 123.
0x2 Deployment bat
@echo off
if "%1"=="" goto HELP
if not exist "%1" goto HELP
:: Seconds Noriben lets the sample run before collecting the Procmon log
set DELAY=80
set CWD=%CD%
set VMRUN="C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"
set VMX="D:\Windows XP Professional\Windows XP Professional.vmx"
set VM_SNAPSHOT="Virus_sandbox_7"
:: Guest account created during preparation (step 4 of the readme)
SET VM_USER="PC"
set VM_PASS="110"
set FILENAME=%~nx1
set NORIBEN_PATH="C:\Noriben\Noriben.py"
set LOG_PATH="C:\Noriben\Virus_log"
set ZIP_PATH="C:\Program Files\7-Zip\7z.exe"
echo %VMRUN%
:: Take the clean snapshot once, then keep this line commented out
::%VMRUN% -T ws snapshot %VMX% %VM_SNAPSHOT%
:: Every run starts from the clean snapshot
%VMRUN% -T ws revertToSnapshot %VMX% %VM_SNAPSHOT%
%VMRUN% -T ws start %VMX%
:: Samples are usually hash-named, so .exe is appended inside the guest
%VMRUN% -gu %VM_USER% -gp %VM_PASS% copyFileFromHostToGuest %VMX% %1 "C:\Noriben\Malware\%FILENAME%.exe"
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% C:\Python27\Python.exe %NORIBEN_PATH% -d -t %DELAY% --cmd "C:\Noriben\Malware\%FILENAME%.exe" --output %LOG_PATH%
:: vmrun reports failures with assorted non-zero codes, not only 1
if %ERRORLEVEL% NEQ 0 goto ERROR1
ping -n 3 127.0.0.1 > nul
:: Password-protect the report archive so it is not scanned or opened by accident on the host
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% %ZIP_PATH% a -tzip C:\NoribenReports.zip %LOG_PATH%\*.* -p123
if %ERRORLEVEL% NEQ 0 goto ERROR1
ping -n 10 127.0.0.1 > nul
%VMRUN% -gu %VM_USER% -gp %VM_PASS% copyFileFromGuestToHost %VMX% C:\NoribenReports.zip %CWD%\NoribenReports_%FILENAME%.zip
%VMRUN% stop %VMX% soft
goto END
:ERROR1
echo [!] File did not execute in VM correctly.
goto END
:HELP
echo Please provide executable filename as an argument.
echo For example:
echo %~nx0 C:\Malware\ef8188aa1dfa2ab07af527bab6c8baf7
goto END
:END
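A host-side Python driver for the same pipeline, added here as an example and not the blog's or Noriben's own code: it issues the bat's vmrun steps in the same order, but checks every exit code and always stops the VM in a finally block. Paths and guest credentials are the placeholders from the bat; DryRunner is an assumed stand-in that records the argv instead of launching vmrun, so the plan can be checked offline.

```python
import ntpath
import subprocess
from types import SimpleNamespace

# Host and guest settings taken from the blog's bat (guest user PC / password 110, zip password 123).
CFG = SimpleNamespace(
    vmrun=r"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe",
    vmx=r"D:\Windows XP Professional\Windows XP Professional.vmx",
    snapshot="Virus_sandbox_7", user="PC", password="110", delay=80,
    python=r"C:\Python27\Python.exe", noriben=r"C:\Noriben\Noriben.py",
    log_dir=r"C:\Noriben\Virus_log", zip_exe=r"C:\Program Files\7-Zip\7z.exe", zip_pass="123",
)

def guest_name(sample_path):
    """Name inside the guest: the bat appends .exe for hash-named samples; add it only when missing."""
    name = ntpath.basename(sample_path)
    return name if name.lower().endswith(".exe") else name + ".exe"

def plan(cfg, sample_path, out_dir):
    """The bat's vmrun invocations, in order, as argv lists (no cmd quoting to get wrong)."""
    guest = r"C:\Noriben\Malware\%s" % guest_name(sample_path)
    auth = ["-T", "ws", "-gu", cfg.user, "-gp", cfg.password]
    report = ntpath.join(out_dir, "NoribenReports_%s.zip" % ntpath.basename(sample_path))
    return [
        [cfg.vmrun, "-T", "ws", "revertToSnapshot", cfg.vmx, cfg.snapshot],
        [cfg.vmrun, "-T", "ws", "start", cfg.vmx],
        [cfg.vmrun, *auth, "copyFileFromHostToGuest", cfg.vmx, sample_path, guest],
        [cfg.vmrun, *auth, "runProgramInGuest", cfg.vmx, cfg.python, cfg.noriben,
         "-d", "-t", str(cfg.delay), "--cmd", guest, "--output", cfg.log_dir],
        [cfg.vmrun, *auth, "runProgramInGuest", cfg.vmx, cfg.zip_exe, "a", "-tzip",
         r"C:\NoribenReports.zip", cfg.log_dir + r"\*.*", "-p" + cfg.zip_pass],
        [cfg.vmrun, *auth, "copyFileFromGuestToHost", cfg.vmx, r"C:\NoribenReports.zip", report],
    ]

def run(cfg, sample_path, out_dir, runner=subprocess.run):
    """Execute the plan; all() stops at the first failing vmrun step, and the VM is stopped either way."""
    try:
        return all(runner(argv).returncode == 0 for argv in plan(cfg, sample_path, out_dir))
    finally:
        runner([cfg.vmrun, "-T", "ws", "stop", cfg.vmx, "soft"])

class DryRunner:
    """subprocess.run stand-in for testing (assumed): records argv and fails when `fail_on` appears in it."""
    def __init__(self, fail_on=None):
        self.calls, self.fail_on = [], fail_on
    def __call__(self, argv):
        self.calls.append(argv)
        return subprocess.CompletedProcess(argv, 1 if self.fail_on in argv else 0)
```

Call `run(CFG, sample_path, out_dir)` on the host to drive a real vmrun; pass `runner=DryRunner()` to see the exact commands without touching the VM.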
0x3 Usage
Same trick as usual: put the bat in the right-click menu or the SendTo folder so it is handy. Win+R - shell:sendto
0x3.1 Quick-starting the VM
While at it, I also made a simplified version that just starts the VM. Save it as vm.bat on the desktop and double-click it.
@echo off
:: Revert to the clean snapshot, then boot the guest
"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" revertToSnapshot "D:\Windows XP Professional\Windows XP Professional.vmx" Virus_sandbox_7
"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" start "D:\Windows XP Professional\Windows XP Professional.vmx"
exit 0
0x4 References
Simple VMware automated analysis using the vmrun command
vmrun document