{{{
                   _
 _ __ ___    __ _ | |__      __  __ _  ___  _ __ ___
| '_ ` _ \  / _` || |\ \ /\ / / / _` |/ __|| '_ ` _ \
| | | | | || (_| || | \ V  V / | (_| |\__ \| | | | | |
|_| |_| |_| \__,_||_|  \_/\_/   \__,_||___/|_| |_| |_|
}}}
= Folders =
* conf/malwasm.conf - the configuration file for malwasm
* core/ - contains the malwasm Python library
* cuckoo/ - contains the Cuckoo package; it needs to be copied into your Cuckoo install folder
* doc/ - contains documentation
* pin/ - contains the malwpin DLL source code and Makefile
* utils/ - contains scripts to run analyses and insert data
  * create_db.py - script to force the creation of the database (useful to reset the db)
  * file2db.py - script to insert a sample's data into the db
  * db2file.py - script to extract a sample's data from the db
  * submit.py - all-in-one script to submit a sample to Cuckoo and insert the data into the malwasm db
* web/ - contains the webservice Python script
  * malwasm_web.py - the webservice listening on http://127.0.0.1:5000
= Installation =
== Dependencies ==
* python2.7
* python-psycopg2
* python-argparse
* python-flask
* python-progressbar
* cuckoo
* postgresql
* pintool
== Installing the Python dependencies ==
* sudo apt-get install python-psycopg2 python-flask python-progressbar python-argparse
or
* pip install psycopg2 flask progressbar argparse
== Pintool ==
Pintool cannot be shipped inside malwasm for licensing reasons, so you have to download it yourself:
* http://software.intel.com/sites/landingpage/pintool/downloads/pin-2.12-54730-msvc10-windows.zip
Once downloaded, extract all the .dll and .exe files from the subfolder
* /pin-2.12-54730-msvc10-windows/ia32/bin/
into the folder:
* malwasm/cuckoo/analyzer/windows/bin
== Cuckoo part ==
* You need a correctly set up Cuckoo installation
* Copy the files from malwasm/cuckoo/analyzer/windows/ into the subfolder cuckoo/analyzer/windows/ of your Cuckoo installation
* Your Cuckoo VM needs a shared folder with write permission on it
* Update the cuckoo section of conf/malwasm.conf to match your configuration
* Run cuckoo.py
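The steps in the Dependencies, Pintool and Cuckoo sections are all manual copy-and-install steps that are easy to get half right. The preflight script below is an added example, not part of malwasm; it assumes the directory layout named in this README (malwasm/cuckoo/analyzer/windows/ with the Pin files in its bin/ subfolder, copied into <cuckoo_root>/analyzer/windows/) and reports what is still missing before you run a first analysis.

```python
import importlib
import os
import sys

# Layout assumed from this README: <malwasm_root>/cuckoo/analyzer/windows/ is the
# analyzer package copied into Cuckoo; its bin/ subfolder must hold Pin's .dll/.exe.
ANALYZER_SUBDIR = os.path.join("cuckoo", "analyzer", "windows")
PIN_BIN_SUBDIR = os.path.join(ANALYZER_SUBDIR, "bin")
PY_DEPS = ("psycopg2", "flask", "progressbar", "argparse")

def missing_python_deps(deps=PY_DEPS):
    """Return the listed dependencies that cannot be imported."""
    missing = []
    for name in deps:
        try:
            importlib.import_module(name)
        except ImportError:
            missing.append(name)
    return missing

def pin_binaries_missing(filenames):
    """True unless at least one .dll and one .exe (from Pin's ia32/bin) are present."""
    lowered = [f.lower() for f in filenames]
    return not (any(f.endswith(".dll") for f in lowered)
                and any(f.endswith(".exe") for f in lowered))

def files_not_copied(source_files, installed_files):
    """Analyzer files present in the malwasm tree but absent from the Cuckoo tree."""
    return sorted(set(source_files) - set(installed_files))

def relative_files(root):
    """Every file below root as a root-relative path (empty if root does not exist)."""
    return [os.path.relpath(os.path.join(d, n), root)
            for d, _, names in os.walk(root) for n in names]

def preflight(malwasm_root, cuckoo_root):
    """Run all checks; return human-readable problems (empty list means ready)."""
    problems = ["python module not importable: " + d for d in missing_python_deps()]
    pin_dir = os.path.join(malwasm_root, PIN_BIN_SUBDIR)
    if pin_binaries_missing(relative_files(pin_dir)):
        problems.append("no Pin .dll/.exe files in " + pin_dir)
    src = relative_files(os.path.join(malwasm_root, ANALYZER_SUBDIR))
    dst = relative_files(os.path.join(cuckoo_root, "analyzer", "windows"))
    problems += ["not copied into Cuckoo: " + f for f in files_not_copied(src, dst)]
    return problems

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: preflight.py <malwasm_root> <cuckoo_root>")
    sys.exit("\n".join(preflight(sys.argv[1], sys.argv[2])) or None)  # exit 0 if ready
```

Run it with the malwasm checkout and the Cuckoo install root as arguments; it prints one line per problem and exits non-zero until every step above has been completed.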
== Database ==
* Start your PostgreSQL database
* The current config in conf/malwasm.conf works with an out-of-the-box PostgreSQL configuration
* WARNING: if you want to use the create_db script you have to use the default postgres account; otherwise you can use the schema available in conf/schema.sql
== Run analysis ==
* You can directly run a sample analysis with utils/submit.py
{{{
# standard analysis of a binary
utils/submit.py malware/r.exe
# only start recording instructions when execution reaches adr-start, and stop at adr-stop
utils/submit.py --options adr-start=0x401290,adr-stop=0x401384 malware/r.exe
}}}
* If data insertion into the malwasm db failed, you can rerun the insertion with
{{{
utils/file2db.py -d /tmp/data/13508268572/ # where /tmp/data is the shared folder
utils/file2db.py -d /tmp/data/13508268572/ --pin-param foo # where /tmp/data is the shared folder
}}}
* If you want to clean the database you can use
{{{
utils/create_db.py --force
}}}
* PS: data insertion can take a long time, so just wait!
== Webservice ==
* To see the report you have to run the webservice
{{{
web/malwasm_web.py
}}}
* Go to http://127.0.0.1:5000 and select your sample