This post covers deploying NoribenSandbox. A while ago I read an introductory article on FreeBuf and followed it to set one up; I hit quite a few problems along the way, so here is a short summary.
0x1. Preparation
This part was actually filled in while writing the post.
-------readme--NewVM_SNAPSHOT Preparatory----
-1. Install a zip program: cd dir ; 7z.exe a -tzip config2.exe i386\*.* -p123
-2. Install Python 2.7: py ...
-3. New directory: c:\Malware
-4. Add account: PC / 110
-5. Procmon: copy Procmon to your dir
-6. Boot the VM into the system: skip gu-gp
-7. NewVM_SNAPSHOT: %VMRUN% -T ws snapshot %VMX% %VM_SNAPSHOT%
-8. You can set nogui
-9. You can find result.zip in your current dir, and the password is 123.
0x2. Deploy the bat
@echo off
if "%1"=="" goto HELP
if not exist "%1" goto HELP

rem Seconds of activity Noriben collects (-t) before the Procmon log is written out
set DELAY=80
set CWD=%CD%
set VMRUN="C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"
set VMX="D:\Windows XP Professional\Windows XP Professional.vmx"
set VM_SNAPSHOT="Virus_sandbox_7"
rem Guest account created in step 4 of the preparation
set VM_USER="PC"
set VM_PASS="110"
set FILENAME=%~nx1
set NORIBEN_PATH="C:\Noriben\Noriben.py"
set LOG_PATH="C:\Noriben\Virus_log"
set ZIP_PATH="C:\Program Files\7-Zip\7z.exe"
echo %VMRUN%

rem Take the snapshot once (preparation step 7), then keep this line commented out
::%VMRUN% -T ws snapshot %VMX% %VM_SNAPSHOT%

rem Always start from the clean snapshot
%VMRUN% -T ws revertToSnapshot %VMX% %VM_SNAPSHOT%
%VMRUN% -T ws start %VMX%
rem Copy the sample in, run it under Noriben, then zip the reports with password 123
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% copyFileFromHostToGuest %VMX% %1 "C:\Noriben\Malware\%FILENAME%.exe"
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% C:\Python27\Python.exe %NORIBEN_PATH% -d -t %DELAY% --cmd "C:\Noriben\Malware\%FILENAME%.exe" --output %LOG_PATH%
rem "if errorlevel 1" catches any non-zero vmrun exit code, not only 1
if errorlevel 1 goto ERROR1
ping -n 3 127.0.0.1 > nul
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% %ZIP_PATH% a -tzip C:\NoribenReports.zip %LOG_PATH%\*.* -p123
if errorlevel 1 goto ERROR1
ping -n 10 127.0.0.1 > nul
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% copyFileFromGuestToHost %VMX% C:\NoribenReports.zip "%CWD%\NoribenReports_%FILENAME%.zip"
%VMRUN% -T ws stop %VMX% soft
goto END

:ERROR1
echo [!] File did not execute in VM correctly.
rem Do not leave a guest with a live sample running
%VMRUN% -T ws stop %VMX% soft
goto END

:HELP
echo Please provide executable filename as an argument.
echo For example:
echo %~nx0 C:\Malware\ef8188aa1dfa2ab07af527bab6c8baf7
goto END

:END
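A host-side Python driver for the same vmrun pipeline, added here as an example (it is not Noriben's own NoribenSandbox script): it mirrors the bat step by step, but checks every vmrun exit code and stops the guest in a finally block, so a failed step never leaves a sample running. Paths, account and snapshot name are taken from the bat above; `build_steps`, `guest_sample_name` and `run_sandbox` are hypothetical helpers, and the settings block is assumed.

```python
from __future__ import annotations
import subprocess
from pathlib import PureWindowsPath

# Host-side settings mirroring the bat variables (assumed; adjust to your setup)
VMRUN = r"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"
VMX = r"D:\Windows XP Professional\Windows XP Professional.vmx"
SNAPSHOT = "Virus_sandbox_7"
GUEST_USER, GUEST_PASS = "PC", "110"
GUEST_PYTHON = r"C:\Python27\Python.exe"
NORIBEN = r"C:\Noriben\Noriben.py"
MALWARE_DIR = r"C:\Noriben\Malware"
LOG_DIR = r"C:\Noriben\Virus_log"
SEVENZIP = r"C:\Program Files\7-Zip\7z.exe"
GUEST_ZIP = r"C:\NoribenReports.zip"
DELAY = 80        # seconds of activity Noriben collects (-t)
ZIP_PASS = "123"  # password on the report archive, as in the bat

def guest_sample_name(sample: str) -> str:
    """Name the sample gets in the guest: the bat always appends .exe; here only when missing."""
    name = PureWindowsPath(sample).name
    return name if name.lower().endswith(".exe") else name + ".exe"

def build_steps(sample: str, host_out_dir: str) -> list[list[str]]:
    """Return the vmrun argv for each pipeline step, in order (pure: no side effects)."""
    guest = [VMRUN, "-T", "ws", "-gu", GUEST_USER, "-gp", GUEST_PASS]
    guest_exe = MALWARE_DIR + "\\" + guest_sample_name(sample)
    report = str(PureWindowsPath(host_out_dir)
                 / f"NoribenReports_{PureWindowsPath(sample).name}.zip")
    return [
        [VMRUN, "-T", "ws", "revertToSnapshot", VMX, SNAPSHOT],  # clean baseline
        [VMRUN, "-T", "ws", "start", VMX],
        guest + ["copyFileFromHostToGuest", VMX, sample, guest_exe],
        guest + ["runProgramInGuest", VMX, GUEST_PYTHON, NORIBEN,
                 "-d", "-t", str(DELAY), "--cmd", guest_exe, "--output", LOG_DIR],
        guest + ["runProgramInGuest", VMX, SEVENZIP, "a", "-tzip", GUEST_ZIP,
                 LOG_DIR + r"\*.*", "-p" + ZIP_PASS],
        guest + ["copyFileFromGuestToHost", VMX, GUEST_ZIP, report],
    ]

def run_sandbox(sample: str, host_out_dir: str) -> str:
    """Run the steps, aborting on the first non-zero vmrun exit; the guest is always stopped."""
    steps = build_steps(sample, host_out_dir)
    try:
        for argv in steps:
            subprocess.run(argv, check=True)  # CalledProcessError on any failing step
    finally:
        # Stop the guest whether or not a step failed, so no live sample is left running
        subprocess.run([VMRUN, "-T", "ws", "stop", VMX, "soft"], check=False)
    return steps[-1][-1]  # host path of the password-protected report archive
```

Call `run_sandbox(r"C:\Malware\<sample>", r"C:\out")` on the host; the returned path is the same `NoribenReports_<name>.zip` the bat produces.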
0x3. Usage
Same old approach: put it in the right-click menu or in the SendTo folder so it is convenient to use.
Win+R, then shell:sendto
0x3.1 Quick VM start
While at it, I also made a simplified version that only starts the VM; save it as vm.bat on the desktop and double-click it.
@echo off
rem Revert to the clean snapshot, then boot the guest
"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" -T ws revertToSnapshot "D:\Windows XP Professional\Windows XP Professional.vmx" Virus_sandbox_7
"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" -T ws start "D:\Windows XP Professional\Windows XP Professional.vmx"
exit