CUCKOO Sandbox Source Code Analysis (Chapter 1)

in #just · 3 years ago (edited)

Preface
cuckoo sandbox analysis.

Environment build

1、os: Ubuntu
2、python: python2.7

1、The general architecture of cuckoo is as follows: the host receives the analysis task, then starts the guest virtual machine and transfers the sample and the analysis code to the guest over HTTP. The code uploaded to the guest consists mainly of data-collection modules plus some auxiliary analysis modules; for Windows guests these are mainly monitor.dll (the hook library), zer0m0n.sys (the kernel module), inject.exe, execsc.exe and so on. The guest uses this analysis code to record the sample's behaviour; when the execution time on the guest is up, the analysis results are transmitted back to the host and the guest is reverted to its original start-up state.

[screenshot: 截屏2020-12-29上午10.47.21.png]

Introduction to cuckoo's common command lines
1、cuckoo community --> fetch the community signature library (detection rules for malicious samples)
2、cuckoo init --> initialize cuckoo
3、cuckoo web --> start the web service; you can use a browser to upload samples and view reports
4、cuckoo -d --> start the sample analysis service (the -d flag enables debug output)
5、cuckoo submit --> submit a sample
6、cuckoo clean --> clean up the analysis results
cuckoo commands
After installing cuckoo using pip, you can use the cuckoo command:
(venv) aaa@ubuntu:~/Downloads/cuckoo$ which cuckoo
/home/aaa/Downloads/cuckoo/venv/bin/cuckoo

...

[screenshot: 截屏2020-12-29上午11.09.53.png]

You can see that the cuckoo command is actually a python script, and the code that finally runs is the main function in the cuckoo module.

cuckoo.main function
The main function uses the click module, which makes it easy to build command-line programs.
The core of main is a call to the following two functions:

cuckoo_init(level, ctx)  # level --> specifies the output level (debug or quiet); ctx is the click.core.Context object
cuckoo_main(maxcount)    # maxcount --> maximum number of analyses to process
cuckoo.init function
Function: initializes cuckoo, which includes the following steps:

[screenshot: 截屏2020-12-29下午12.25.07.png]

Create the CWD folder
The CWD (Current Working Directory) folder holds all of cuckoo's files apart from the running code itself, so it is very important.

├── agent
├── analyzer
├── conf (cuckoo's configuration files)
├── distributed
├── elasticsearch
├── __init__.py
├── log (log files)
├── monitor (hook programs)
├── pidfiles (pid files)
├── signatures (sample signatures)
├── storage (stores the sample programs and the analysis results)
├── stuff
├── supervisord
├── supervisord.conf
├── web (some settings for the web login)
├── whitelist
└── yara (yara rules used in sample analysis, e.g. shellcode.yar, vmdetect.yar)

Connection to the database

cuckoo supports three databases: mysql, sqlite3 and postgres, which are selected in the configuration file. mysql is the most commonly used, and it is generally also used by the web module to store its data.

Tables in the mysql database

+------------------+
| Tables_in_cuckoo |
+------------------+
| alembic_version  |
| errors           |
| guests           | --> analysis runs that execute analysis tasks on the virtual machines
| machines         | --> virtual machine information
| machines_tags    |
| samples          | --> sample information
| submit           |
| tags             |
| tasks            | --> analysis task information
| tasks_tags       |
+------------------+

[database]
# Specify the database connection string.
# NOTE: If you are using a custom database (different from sqlite), you have to
# use utf-8 encoding when issuing the SQL database creation statement.
# Examples, see documentation for more:
# sqlite:///foo.db
# postgresql://foo:bar@localhost:9000/shitdatabase
# mysql://foo:bar@localhost/shitdatabase
# If empty, defaults to a SQLite3 database at $CWD/cuckoo.db.
connection = mysql://root:toor@localhost/cuckoo

# Database connection timeout in seconds.
# If empty, default is set to 60 seconds.
timeout = 60
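The fallback rules the comments describe (an empty connection means a SQLite3 database at $CWD/cuckoo.db, an empty timeout means 60 seconds) and the three supported back ends named above can be checked mechanically before cuckoo starts. The following is an added Python 3 example, not Cuckoo's own code: the dialect list, the constructed sample configuration text and the warning rules (unsupported dialect, password embedded in the URL, superuser account) are this example's assumptions.

```python
"""Parse and sanity-check the [database] section of a cuckoo.conf-style file.

Added example, not Cuckoo's code. It applies the documented defaults and
reports settings a reviewer would want to look at before deployment.
"""
import configparser
import os
from urllib.parse import urlsplit

# The three back ends the article names, as SQLAlchemy dialect names (assumed).
SUPPORTED_DIALECTS = ("sqlite", "mysql", "postgresql")

# Constructed sample config, modelled on the fragment quoted above.
SAMPLE_CONF = """
[database]
connection = mysql://root:toor@localhost/cuckoo
timeout =
"""


def load_database_settings(conf_text, cwd="/home/user/.cuckoo"):
    """Return the resolved connection string, dialect, timeout and warnings."""
    parser = configparser.ConfigParser(allow_no_value=True)
    parser.read_string(conf_text)
    section = parser["database"] if parser.has_section("database") else {}

    connection = (section.get("connection") or "").strip()
    if not connection:
        # Documented default: a SQLite3 database inside the CWD.
        connection = "sqlite:///" + os.path.join(cwd, "cuckoo.db")

    timeout_raw = (section.get("timeout") or "").strip()
    timeout = int(timeout_raw) if timeout_raw else 60  # documented default

    warnings = []
    url = urlsplit(connection)
    dialect = url.scheme.split("+", 1)[0]  # "mysql+pymysql" -> "mysql"
    if dialect not in SUPPORTED_DIALECTS:
        warnings.append("unsupported dialect %r (expected one of %s)"
                        % (dialect, ", ".join(SUPPORTED_DIALECTS)))
    if url.password is not None:
        warnings.append("password embedded in connection string; keep "
                        "cuckoo.conf readable only by the cuckoo user")
    if url.username in ("root", "postgres"):
        warnings.append("superuser account %r used for the application "
                        "database; prefer a least-privilege role" % url.username)

    return {"connection": connection, "dialect": dialect,
            "timeout": timeout, "warnings": warnings}


if __name__ == "__main__":
    settings = load_database_settings(SAMPLE_CONF)
    print(settings["connection"], settings["timeout"])
    for warning in settings["warnings"]:
        print("WARNING:", warning)
```

Running it against the constructed sample reports the embedded password and the root account; feeding it an empty connection value yields the sqlite default path under the given CWD.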

Initialize cuckoo components (file: core/startup.py):

init_modules()
init_tasks()
init_yara()
init_binaries()
init_rooter()
init_routing()  # initialization of the routing

init_modules
# core.startup.py

[screenshot: 截屏2020-12-29上午11.23.12.png]

init_tasks

[screenshot: 截屏2020-12-29上午11.36.37.png]

init_yara

[screenshot: 截屏2020-12-29上午11.41.45.png]
[screenshot: 截屏2020-12-29上午11.41.57.png]

init_binaries
[screenshot: 截屏2020-12-29上午11.45.27.png]

cuckoo_main function
[screenshot: 截屏2020-12-29上午11.48.24.png]

The key code of this function:

# ResultServer runs on the host: cuckoo uses a client/server-like architecture, i.e. the host
# transmits the agent to the guest over the network; the guest receives the sample and the agent,
# performs the analysis, and then sends the result back to the host over the network to complete it.
rs = ResultServer()
sched = Scheduler(max_analysis_count)  # initialize the class that manages task execution and scheduling
sched.start()  # run the task scheduling
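To make the maxcount parameter of cuckoo_main and the division of labour between ResultServer and Scheduler concrete, here is an added Python 3 model, not Cuckoo's code: the Scheduler hands pending tasks to free guest machines and stops once max_analysis_count analyses have been processed (0 is treated as unlimited; that convention is assumed here), while ResultServer stands in for the host-side listener that receives what the guests send back. The Machine class, the task dicts and the shape of the stored report are constructed for this example.

```python
"""Toy model of the Scheduler / ResultServer pairing in cuckoo_main.

Added example, not Cuckoo's code. Cuckoo's real Scheduler polls the database
for pending tasks, locks a free virtual machine, runs the analysis and stops
after max_analysis_count analyses; the real ResultServer is a TCP listener.
Both are modelled synchronously so the stopping rule and the machine
bookkeeping can be checked without a sandbox.
"""
from collections import deque


class ResultServer:
    """Host-side collector for the results guests send back (constructed)."""

    def __init__(self):
        self.results = {}

    def store(self, task_id, report):
        self.results[task_id] = report


class Machine:
    """A guest VM that is either free or locked by a running analysis."""

    def __init__(self, label):
        self.label = label
        self.locked = False


class Scheduler:
    def __init__(self, max_analysis_count, machines, tasks, result_server):
        self.max_analysis_count = max_analysis_count  # 0 -> unlimited (assumed)
        self.machines = machines
        self.pending = deque(tasks)  # stands in for pending rows in the tasks table
        self.rs = result_server
        self.total_analysis_count = 0
        self.running = True

    def _free_machine(self):
        for machine in self.machines:
            if not machine.locked:
                return machine
        return None

    def _analyze(self, task, machine):
        """Stand-in for one analysis: lock the guest, collect, then release it."""
        machine.locked = True
        try:
            # The guest would run the sample here and stream behaviour to the
            # result server; we record a minimal constructed report instead.
            self.rs.store(task["id"], {"machine": machine.label,
                                       "target": task["target"],
                                       "status": "done"})
        finally:
            machine.locked = False  # guest reverted to its snapshot

    def start(self):
        """Process pending tasks; return how many analyses were run."""
        while self.running and self.pending:
            if self.max_analysis_count and \
                    self.total_analysis_count >= self.max_analysis_count:
                self.running = False  # maxcount reached: stop scheduling
                break
            machine = self._free_machine()
            if machine is None:
                break  # no free guest; the real scheduler sleeps and retries
            task = self.pending.popleft()
            self.total_analysis_count += 1
            self._analyze(task, machine)
        return self.total_analysis_count


if __name__ == "__main__":
    rs = ResultServer()
    sched = Scheduler(2, [Machine("cuckoo1")],
                      [{"id": i, "target": "sample%d.exe" % i} for i in range(1, 6)],
                      rs)
    print("analyses run:", sched.start(), "results:", sorted(rs.results))
```

With max_analysis_count set to 2 and five constructed tasks, start() returns after two analyses and three tasks stay pending; with 0 it drains the queue.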

To be continued...


The article is fantastic, thank you for sharing.

Thank you very much for your votes

I take it, you never stumbled upon any of my posts...
