Tools_NoribenSandbox

This post walks through deploying the Noriben sandbox: installation and configuration, writing the batch script, and a quick way to start the VM, so that readers can set up a malware analysis environment with little effort.


This post covers deploying NoribenSandbox. A while ago I read an introduction on FreeBuf and deployed it following that article; I ran into quite a few problems along the way, so here is a short write-up.

Noriben sandbox: handle malware in minutes

Git-Rurik/Noriben

0x1. Preparation

This part was actually added while writing the post.
-------readme--NewVM_SNAPSHOT Preparatory----
-1.Install zip program    : cd dir ; 7z.exe a -tzip config2.exe i386\*.* -p123
-2.Install python2.7      : py ...
-3.New directory          : c:\Malware
-4.Add account            : PC - 110
-5.Procmon                : copy Procmon to your dir
-6.Boot the VM OS to start: jump over gu-gp
-7.NewVM_SNAPSHOT         : %VMRUN% -T ws snapshot %VMX% %VM_SNAPSHOT%
-8.You can set nogui
-9.You can find the result.zip in your current dir, and the password is 123.

0x2 Deploying the bat

@echo off

if "%~1"=="" goto HELP
if not exist "%~1" goto HELP

set DELAY=80
set CWD=%CD%
set VMRUN="C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"
set VMX="D:\Windows XP Professional\Windows XP Professional.vmx"
set VM_SNAPSHOT="Virus_sandbox_7"
set VM_USER="PC"
set VM_PASS="110"
set FILENAME=%~nx1
set NORIBEN_PATH="C:\Noriben\Noriben.py"
:: kept unquoted so \*.* can be appended below; quoted where it is used
set LOG_PATH=C:\Noriben\Virus_log
set ZIP_PATH="C:\Program Files\7-Zip\7z.exe"

echo %VMRUN%

:: taken once when the clean guest is ready (see 0x1), then left commented out
::%VMRUN% -T ws snapshot %VMX% %VM_SNAPSHOT%
%VMRUN% -T ws revertToSnapshot %VMX% %VM_SNAPSHOT%
%VMRUN% -T ws start %VMX%
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% copyFileFromHostToGuest %VMX% "%~1" "C:\Noriben\Malware\%FILENAME%.exe"

%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% C:\Python27\Python.exe %NORIBEN_PATH% -d -t %DELAY% --cmd "C:\Noriben\Malware\%FILENAME%.exe" --output "%LOG_PATH%"
if errorlevel 1 goto ERROR1
ping -n 3 127.0.0.1 > nul
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% %ZIP_PATH% a -tzip C:\NoribenReports.zip "%LOG_PATH%\*.*" -p123
if errorlevel 1 goto ERROR1
ping -n 10 127.0.0.1 > nul
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% copyFileFromGuestToHost %VMX% C:\NoribenReports.zip "%CWD%\NoribenReports_%FILENAME%.zip"
%VMRUN% -T ws stop %VMX% soft
goto END

:ERROR1
echo [!] File did not execute in VM correctly.
goto END

:HELP

echo Please provide executable filename as an argument.
echo For example:
echo %~nx0 C:\Malware\ef8188aa1dfa2ab07af527bab6c8baf7
goto END

:END

0x3 Usage

Same old trick: put it in the right-click menu or the SendTo folder for convenience.
win+r - shell:sendto

0x3.1 Quick VM start

I also made a simplified version for quickly starting the VM: save it as vm.bat on the desktop and double-click it.
@echo off
"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" -T ws revertToSnapshot "D:\Windows XP Professional\Windows XP Professional.vmx" Virus_sandbox_7
"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" -T ws start "D:\Windows XP Professional\Windows XP Professional.vmx"
exit /b 0

0x4 References

Simple VMware automated analysis with vmrun commands

vmrun documentation
