00 - PyREBox installation and usage

Testing whether PyREBox fully supports Volatility's functionality

PyREBox is a Python-scriptable reverse engineering sandbox. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective.

PyREBox lets you write simple Python scripts to automate any kind of analysis: inspecting the running QEMU VM, modifying its memory or registers, and steering its execution. QEMU (when working as a whole-system emulator) emulates a complete system (CPU, memory, devices, ...). By using VMI techniques, PyREBox does not require any modification of the guest operating system, because it retrieves the information it needs from guest memory at run time.

1. Build PyREBox

Install the dependencies for Debian-based distributions; Ubuntu is derived from Debian, so the same packages work there:

apt-get install build-essential zlib1g-dev pkg-config libglib2.0-dev binutils-dev libboost-all-dev autoconf libtool libssl-dev libpixman-1-dev libpython-dev python-pip python-capstone virtualenv

The required Python packages are:

ipython>=5,<6 sphinx sphinx-autobuild prettytable pefile capstone distorm3 pycrypto pytz

The project recommends installing the Python dependencies in a virtual environment. If Volatility is already installed system-wide, it will interfere with the Volatility package that PyREBox uses.

Create a virtual environment:

virtualenv pyrebox_venv

Once the virtual environment has been created, activate it to install the Python dependencies.

Don't forget to activate the virtual environment every time before using PyREBox:

source pyrebox_venv/bin/activate

To install the Python dependencies, use pip (requirements.txt is the file shipped in the pyrebox repository cloned in the next step):

pip install -r requirements.txt

With the virtual environment active, clone pyrebox with git:

git clone https://github.com/Cisco-Talos/pyrebox.git

cd into pyrebox, then configure and build the project:

./build.sh

When "Done, enjoy!" is printed, the build has finished.

2. Creating a virtual machine image for PyREBox

Currently, PyREBox supports any Windows image (32-bit and 64-bit) that Volatility supports.

You can create your own image using KVM. To avoid compatibility problems, it is best to use the pyrebox binaries rather than the system-installed qemu binaries:

First run:

sudo apt-get install qemu-utils

A virtual machine disk file in qcow2 format is needed; create it with:

qemu-img create -f qcow2 -o compat=0.10 images/xpsp3.qcow2 4G

The command prints:

Formatting 'images/xpsp3.qcow2', fmt=qcow2 size=4294967296 compat=0.10 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16

cd into pyrebox and run:

./pyrebox-i386 -m 256 -monitor stdio -usb -drive file=images/xpsp3.qcow2,index=0,media=disk,format=qcow2,cache=unsafe -cdrom images/WinXP.iso -boot d -enable-kvm

This fails with:

Could not initialize pyrebox, conf file 'pyrebox.conf' missing!

Run ./start_x86_64.sh once first; this produces the configuration file named above, and the error no longer occurs.

Running the command above again then gives:

(qemu) VNC server running on 127.0.0.1:5900

Download the Ubuntu deb package of VNC Viewer and install it:

sudo dpkg -i VNC-Viewer-6.17.1113-Linux-x64.deb

You can then create a new connection in VNC Viewer to the address above and follow the prompts to install XP inside the virtual machine.

Continue the installation, then boot with networking enabled (do not use -net none) and USB support (-usb), and plug in a USB device (see the section on loading USB images). Let the system install all its drivers:

./pyrebox-i386 -m 256 -monitor stdio -usb -drive file=images/xpsp3.qcow2,index=0,media=disk,format=qcow2,cache=unsafe -netdev user,id=network0 -device rtl8139,netdev=network0

From then on, the VM can be started directly with the ./pyrebox-i386 binary; the location of the qcow2 file still has to be specified.

Basic QEMU usage

PyREBox is based on QEMU, so to start a VM in PyREBox you run it just as you would run a QEMU VM. The project ships two example scripts, start_i386.sh and start_x86_64.sh, which can be used as templates.

Currently the only supported QEMU monitor option is stdio (-monitor stdio).

Some useful QEMU parameters:

  • Memory, in megabytes:

    -m 256
  • Start a prompt on standard input/output to interact with the qemu monitor:

    -monitor stdio
  • Enable USB support:

    -usb
  • The main image file can be specified with unsafe caching; the unsafe cache makes snapshots faster:

    -drive file=images/xpsp3.qcow,index=0,media=disk,format=qcow2,cache=unsafe
  • Disable the network interface:

    -net none
  • Start the VM from the first snapshot:

    -loadvm 1

3. Basic PyREBox usage

After the VM starts there is a (qemu) prompt where all QEMU commands can be run.

PyREBox first reads its configuration file (pyrebox.conf):

[MODULES]
scripts.script_example.py: True
scripts.volatility_example: False

[VOL]
profile: WinXPSP3x86

The [MODULES] section contains a list of Python modules (packages and subpackages can be specified with the standard dotted Python notation). Scripts can be enabled or disabled as needed; enabled scripts are loaded automatically.

The [VOL] section contains the Volatility configuration. The profile has to be adjusted to the version of the guest operating system.
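The following POSIX sh helper is an added example and not code from the PyREBox project. It assembles the launch command lines from section 2 (install from ISO, normal run with the rtl8139 user-mode network, and an analysis run that resumes a snapshot with -net none and -loadvm) and writes a minimal pyrebox.conf in the format shown above when none exists, which is what triggers the "conf file 'pyrebox.conf' missing!" error. The mode names and the ./pyrebox-x86_64 binary name are assumptions.

```shell
#!/bin/sh
# Added example; not part of PyREBox. Run from the pyrebox checkout, where the
# ./pyrebox-i386 / ./pyrebox-x86_64 binaries live (the x86_64 name is an assumption).

# Write a minimal pyrebox.conf in the format shown above when none exists.
# Without it, launching fails with "Could not initialize pyrebox, conf file 'pyrebox.conf' missing!".
ensure_conf() {
    conf="${1:-pyrebox.conf}"
    profile="${2:-WinXPSP3x86}"
    [ -f "$conf" ] && return 0
    printf '[MODULES]\nscripts.script_example: True\nscripts.volatility_example: False\n\n[VOL]\nprofile: %s\n' \
        "$profile" > "$conf"
}

# Print the launch command line.
#   $1 arch (i386|x86_64)   $2 qcow2 image   $3 mode (install|run|snapshot)
#   $4 installer ISO (install) or snapshot tag (snapshot)   $5 memory in MB (default 256)
pyrebox_cmdline() {
    arch="$1" image="$2" mode="$3" extra="$4" mem="${5:-256}"
    case "$arch" in
        i386|x86_64) ;;
        *) echo "unsupported arch: $arch" >&2; return 1 ;;
    esac
    [ -n "$image" ] || { echo "qcow2 image path required" >&2; return 1; }
    cmd="./pyrebox-$arch -m $mem -monitor stdio -usb"
    cmd="$cmd -drive file=$image,index=0,media=disk,format=qcow2,cache=unsafe"
    case "$mode" in
        install)   # first boot: install the guest OS from the ISO
            [ -n "$extra" ] || { echo "install mode needs an ISO" >&2; return 1; }
            cmd="$cmd -cdrom $extra -boot d -enable-kvm" ;;
        run)       # normal boot with user-mode networking so the guest can fetch drivers
            cmd="$cmd -netdev user,id=network0 -device rtl8139,netdev=network0" ;;
        snapshot)  # analysis run: resume a saved snapshot with the network disabled
            cmd="$cmd -net none -loadvm ${extra:-1}" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    printf '%s\n' "$cmd"
}

# Typical use: ensure_conf && sh -c "$(pyrebox_cmdline i386 images/xpsp3.qcow2 snapshot 1)"
```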

PyREBox commands allow loading and unloading scripts:

  • Import a module and initialize it

    (qemu) import_module scripts.my_plugin
  • List the loaded modules

    (qemu) list_modules
  • Reload a module by its module handle (obtained by listing the loaded modules)

    (qemu) reload_module 1
  • Unload a module by its module handle (obtained by listing the loaded modules)

    (qemu) unload_module 1
  • Start the PyREBox shell

    (qemu) sh

4. IPython Shell

After starting the shell, list_commands lists the set of commands PyREBox provides for observing and modifying the state of the running virtual machine.

For Volatility, list_vol_commands lists all supported Volatility commands; it also shows any Volatility plugins you have installed into PyREBox yourself.

Currently supported:

Supported volatility commands:

    amcache         Print AmCache information
    apihooks        Detect API hooks in process and kernel memory
    atoms           Print session and window station atom tables
    atomscan        Pool scanner for atom tables
    auditpol        Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
    bigpools        Dump the big page pools using BigPagePoolScanner
    bioskbd         Reads the keyboard buffer from Real Mode memory
    cachedump       Dumps cached domain hashes from memory
    callbacks       Print system-wide notification routines
    clipboard       Extract the contents of the windows clipboard
    cmdline         Display process command-line arguments
    cmdscan         Extract command history by scanning for _COMMAND_HISTORY
    consoles        Extract command history by scanning for _CONSOLE_INFORMATION
    crashinfo       Dump crash-dump information
    deskscan        Poolscaner for tagDESKTOP (desktops)
    devicetree      Show device tree
    dlldump         Dump DLLs from a process address space
    dlllist         Print list of loaded dlls for each process
    driverirp       Driver IRP hook detection
    drivermodule    Associate driver objects to kernel modules
    driverscan      Pool scanner for driver objects
    dumpcerts       Dump RSA private and public SSL keys
    dumpfiles       Extract memory mapped and cached files
    dumpregistry    Dumps registry files out to disk 
    editbox         Displays information about Edit controls. (Listbox experimental.)
    envars          Display process environment variables
    eventhooks      Print details on windows event hooks
    filescan        Pool scanner for file objects
    gahti           Dump the USER handle type information
    gditimers       Print installed GDI timers and callbacks
    getservicesids  Get the names of services in the Registry and return Calculated SID
    getsids         Print the SIDs owning each process
    handles         Print list of open handles for each process
    hashdump        Dumps passwords hashes (LM/NTLM) from memory
    hibinfo         Dump hibernation file information
    hivedump        Prints out a hive
    hivelist        Print list of registry hives.
    hivescan        Pool scanner for registry hives
    hpakextract     Extract physical memory from an HPAK file
    hpakinfo        Info on an HPAK file
    iehistory       Reconstruct Internet Explorer cache / history
    imagecopy       Copies a physical address space out as a raw DD image
    imageinfo       Identify information for the image 
    impscan         Scan for calls to imported functions
    joblinks        Print process job link information
    kdbgscan        Search for and dump potential KDBG values
    kpcrscan        Search for and dump potential KPCR values
    ldrmodules      Detect unlinked DLLs
    lsadump         Dump (decrypted) LSA secrets from the registry
    machoinfo       Dump Mach-O file format information
    malfind         Find hidden and injected code
    mbrparser       Scans for and parses potential Master Boot Records (MBRs) 
    memdump         Dump the addressable memory for a process
    memmap          Print the memory map
    messagehooks    List desktop and thread window message hooks
    mftparser       Scans for and parses potential MFT entries 
    moddump         Dump a kernel driver to an executable file sample
    modscan         Pool scanner for kernel modules
    modules         Print list of loaded modules
    multiscan       Scan for various objects at once
    mutantscan      Pool scanner for mutex objects
    netscan         Scan a Vista (or later) image for connections and sockets
    objtypescan     Scan for Windows object type objects
    patcher         Patches memory based on page scans
    poolpeek        Configurable pool scanner plugin
    pooltracker     Show a summary of pool tag usage
    printkey        Print a registry key, and its subkeys and values
    privs           Display process privileges
    procdump        Dump a process to an executable file sample
    pslist          Print all running processes by following the EPROCESS lists 
    psscan          Pool scanner for process objects
    pstree          Print process list as a tree
    psxview         Find hidden processes with various process listings
    qemuinfo        Dump Qemu information
    raw2dmp         Converts a physical memory sample to a windbg crash dump
    screenshot      Save a pseudo-screenshot based on GDI windows
    sessions        List details on _MM_SESSION_SPACE (user logon sessions)
    shellbags       Prints ShellBags info
    shimcache       Parses the Application Compatibility Shim Cache registry key
    shutdowntime    Print ShutdownTime of machine from registry
    ssdt            Display SSDT entries
    strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
    svcscan         Scan for Windows services
    symlinkscan     Pool scanner for symlink objects
    thrdscan        Pool scanner for thread objects
    threads         Investigate _ETHREAD and _KTHREADs
    timeliner       Creates a timeline from various artifacts in memory 
    timers          Print kernel timers and associated module DPCs
    truecryptmaster Recover TrueCrypt 7.1a Master Keys
    truecryptpassphrase TrueCrypt Cached Passphrase Finder
    truecryptsummary    TrueCrypt Summary
    unloadedmodules Print list of unloaded modules
    userassist      Print userassist registry keys and information
    userhandles     Dump the USER handle tables
    vaddump         Dumps out the vad sections to a file
    vadinfo         Dump the VAD info
    vadtree         Walk the VAD tree and display in tree format
    vadwalk         Walk the VAD tree
    vboxinfo        Dump virtualbox information
    verinfo         Prints out the version information from PE images
    vmwareinfo      Dump VMware VMSS/VMSN information
    volshell        Shell in the memory image
    windows         Print Desktop Windows (verbose details)
    wintree         Print Z-Order Desktop Windows Tree
    wndscan         Pool scanner for window stations
    yarascan        Scan process or kernel memory with Yara signatures

To use these commands, simply prefix the corresponding Volatility command with vol, for example vol pslist.

In actual testing, PyREBox's support for Volatility turned out to be quite good.
