atom.xml

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>☂ 木瓜</title>
  
  <subtitle>木头一样的瓜皮男孩</subtitle>
  <link href="/atom.xml" rel="self"/>
  
  <link href="http://mu0gua.github.io/"/>
  <updated>2019-04-21T01:17:14.108Z</updated>
  <id>http://mu0gua.github.io/</id>
  
  <generator uri="http://hexo.io/">Hexo</generator>
  
  <entry>
    <title>cuckoo搭建之virtualbox</title>
    <link href="http://mu0gua.github.io/2019/04/20/cuckoo-vbox/"/>
    <id>http://mu0gua.github.io/2019/04/20/cuckoo-vbox/</id>
    <published>2019-04-20T05:46:17.000Z</published>
    <updated>2019-04-21T01:17:14.108Z</updated>
    
    <content type="html"><![CDATA[<h1 id="cuckoo搭建之virtualbox"><a href="#cuckoo搭建之virtualbox" class="headerlink" title="cuckoo搭建之virtualbox"></a>cuckoo搭建之virtualbox</h1><p><em>搭建完以后敲的，有误留言，谢谢。</em></p><hr><h4 id="初始环境准备"><a href="#初始环境准备" class="headerlink" title="初始环境准备"></a>初始环境准备</h4><blockquote><p>系统版本：Ubuntu 18.4  Python：2.7  virtualbox 6.0.0</p></blockquote><a id="more"></a><h4 id="宿主机配置"><a href="#宿主机配置" class="headerlink" title="宿主机配置"></a>宿主机配置</h4><p> <strong>主机依赖库</strong><br> <figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">apt-get update</span><br><span class="line">apt-get install -y python python-pip python-dev libffi-dev libssl-dev</span><br><span class="line">apt-get install -y python-virtualenv python-setuptools</span><br><span class="line">apt-get install -y libjpeg-dev zlib1g-dev swig</span><br><span class="line"><span class="comment"># 如果使用web交互界面，需要安装mongodb，ubuntu 12.04安装mongodb有问题，不能简单安装，需要参考官网文档进行安装 （可以不安装）</span></span><br><span class="line"><span class="comment">#apt-get install -y mongodb</span></span><br><span class="line"><span class="comment"># 默认使用sqlite3，推荐使用PostgreSQL，需要配置（可以不安装）</span></span><br><span class="line"><span class="comment">#apt-get install -y postgresql libpq-dev</span></span><br><span class="line">apt-get install -y volatility</span><br><span class="line">apt-get install -y swig</span><br><span class="line"><span class="comment">#Tcpdump</span></span><br><span class="line">apt-get install -y tcpdump apparmor-utils libcap2-bin</span><br><span class="line">aa-disable /usr/sbin/tcpdump</span><br><span class="line"><span class="built_in">setcap</span> cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump</span><br></pre></td></tr></table></figure></p><p>  <strong>python 依赖</strong></p> <figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#特征扫描</span></span><br><span class="line">pip install yara-python==3.5.0</span><br><span class="line"><span class="comment">#cuckoo 独立python env环境</span></span><br><span class="line">pip install virtualenv</span><br><span class="line"></span><br><span class="line"><span class="comment">#测试，能导入，不报错就可以了</span></span><br><span class="line">python</span><br><span class="line">import yara</span><br></pre></td></tr></table></figure><p> <strong>virtualbox</strong></p> <figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># virtualbox: http://download.virtualbox.org/virtualbox (我下载的6.0.0)</span></span><br><span class="line">dpkg -i virtualbox-xxxxxx.deb</span><br><span class="line"><span class="comment">#上边如果出错的话，先apt-get remove virtualbox-6.0</span></span><br><span class="line">apt-get install virtualbox-6.0</span><br></pre></td></tr></table></figure><h4 id="虚拟环境配置"><a href="#虚拟环境配置" class="headerlink" title="虚拟环境配置"></a>虚拟环境配置</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#创建独立用户，给cuckoo和virtualbox</span></span><br><span class="line">adduser cuckoo</span><br><span class="line">usermod -a -G vboxusers cuckoo</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#cuckoo环境配置</span></span><br><span class="line"><span class="built_in">cd</span> /opt</span><br><span class="line">virtualenv pyenv</span><br><span class="line">. pyenv/bin/activate</span><br><span class="line">(pyenv)$ pip install -U pip setuptools</span><br><span class="line">(pyenv)$ pip install -U cuckoo</span><br><span class="line">(pyenv)$ cuckoo -d</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#建议虚拟机安装时，用GUI界面，命令行吃不消...</span></span><br><span class="line"><span class="comment">#虚拟机安装 Win7x32 win764 winxp  msdn下载，然后用vbox安装虚拟机</span></span><br><span class="line"><span class="comment">#虚拟机安装   略~略~略~</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#虚拟机配置  -- 作.用命令行安装的，起来以后vbox的vnc管理地址是127.0.0.1:9000</span></span><br><span class="line"><span class="comment">#宿主机连接vnc：-N 不连接控制台  </span></span><br><span class="line">ssh -L 9000:192.168.0.x:9000 cuckoo@192.168.0.x -N</span><br><span class="line"></span><br><span class="line"><span class="comment">#宿主机随便找个vnc连接的软件，我用的chrome插件</span></span><br><span class="line"><span class="comment">#正式虚拟机配置</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#安装 Python 2.7</span></span><br><span class="line"><span class="comment">#安装 Java 8</span></span><br><span class="line"><span class="comment">#安装 PIL(Python截屏库)</span></span><br><span class="line"><span class="comment">#安装 Chrome、pdf、winrar、Firefox、office 2003等</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#关闭 Windows更新</span></span><br><span class="line"><span class="comment">#关闭 防火墙</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#配置静态IP 192.168.56.0/24 </span></span><br><span class="line"><span class="comment">#配置自动登陆  &lt;USERNAME&gt; &lt;PSSWORD&gt; 填自己的</span></span><br><span class="line">reg add <span class="string">"hklm\software\Microsoft\Windows NT\CurrentVersion\WinLogon"</span> /v DefaultUserName /d &lt;USERNAME&gt; /t REG_SZ /f</span><br><span class="line">reg add <span class="string">"hklm\software\Microsoft\Windows NT\CurrentVersion\WinLogon"</span> /v DefaultPassword /d &lt;PASSWORD&gt; /t REG_SZ /f</span><br><span class="line">reg add <span class="string">"hklm\software\Microsoft\Windows NT\CurrentVersion\WinLogon"</span> /v AutoAdminLogon /d 1 /t REG_SZ /f</span><br><span class="line">reg add <span class="string">"hklm\system\CurrentControlSet\Control\TerminalServer"</span> /v AllowRemoteRPC /d 0x01 /t REG_DWORD /f</span><br><span class="line">reg add <span class="string">"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"</span> /v LocalAccountTokenFilterPolicy /d 0x01 /t REG_DWORD /f</span><br><span class="line"><span class="comment"># 开启guest用户</span></span><br><span class="line">net user guest /active:yes</span><br><span class="line"></span><br><span class="line"><span class="comment"># 将/home/cuckoo/.cuckoo/agent/agent.py 拷贝至虚拟机启动项 C:\Documents and Settings\All Users\「开始」菜单\程序\启动\agent.pyw</span></span><br><span class="line"><span class="comment"># agent.py 改为agent.pyw  据说会无窗口，爱改不改</span></span><br><span class="line"><span class="comment"># python  agent.py , netstat -ano | findstr 8000  #有就ok了</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#vboxmanage hostonlyif create （第一次要先创建hostonly虚拟网卡 vboxnet0）</span></span><br><span class="line">vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0 </span><br><span class="line"><span class="comment">#vboxmanage hostonlyif ipconfig vboxnet0  --dhcp  dhcp也可以</span></span><br><span class="line">vboxmanage modifyvm win7x86 --nic1 hostonly --hostonlyadapter1 vboxnet0</span><br><span class="line">vboxmanage modifyvm win7x64 --nic1 hostonly --hostonlyadapter1 vboxnet0</span><br><span class="line">vboxmanage modifyvm winxp --nic1 hostonly --hostonlyadapter1 vboxnet0</span><br><span class="line"><span class="comment">#做完以上主机配置，软件安装，网络配置，然后打快照</span></span><br><span class="line">VBoxManage snapshot <span class="string">"win7x86"</span> take <span class="string">"win7x86_snapshot"</span> --pause</span><br><span class="line">VBoxManage snapshot <span class="string">"win7x64"</span> take <span class="string">"win7x64_snapshot"</span> --pause</span><br><span class="line">VBoxManage snapshot <span class="string">"winxp"</span> take <span class="string">"winxp_snapshot"</span> --pause</span><br></pre></td></tr></table></figure><h4 id="Cuckoo配置"><a href="#Cuckoo配置" class="headerlink" title="Cuckoo配置"></a>Cuckoo配置</h4><ol><li>修改Cuckoo配置文件，路径：/home/cuckoo/.cuckoo/conf/virtualbox.conf</li></ol><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">machines = win7x86,win7x64,winxp</span><br><span class="line"></span><br><span class="line">[win7x86]</span><br><span class="line">label = win7x86</span><br><span class="line">platform = windows</span><br><span class="line">ip = 192.168.56.10</span><br><span class="line">snapshot = win7x86_snapshot</span><br><span class="line">[win7x64]</span><br><span class="line">label = win7x64</span><br><span class="line">platform = windows</span><br><span class="line">ip = 192.168.56.11</span><br><span class="line">snapshot = win7x64_snapshot</span><br><span class="line">[winxp]</span><br><span class="line">label = winxp</span><br><span class="line">platform = windows</span><br><span class="line">ip = 192.168.56.12</span><br><span class="line">snapshot = winxp_snapshot</span><br></pre></td></tr></table></figure><ol start="2"><li>修改conf/reporting.conf文件，配置数据库，我用了mongodb</li></ol><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[mongodb]</span><br><span class="line">enabled = yes</span><br></pre></td></tr></table></figure><ol start="3"><li>安装特征库</li></ol><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">(pyenv)<span class="variable">$cuckoo</span> community</span><br><span class="line">(pyenv)$ cuckoo community --file cuckoo_master.tar.gz</span><br></pre></td></tr></table></figure><ol start="4"><li>配置防火墙(抄来的)</li></ol><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">iptables -t nat -A POSTROUTING -o eth0 -s 192.168.56.0/24 -j MASQUERADE</span><br><span class="line">iptables -P FORWARD DROP</span><br><span class="line">iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT</span><br><span class="line">iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT</span><br><span class="line">iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT</span><br><span class="line">iptables -A FORWARD -j LOG </span><br><span class="line"><span class="comment"># 主机转发开启</span></span><br><span class="line">sysctl -w net.ipv4.ip_forward=1</span><br><span class="line">sysctl -p /etc/sysctl.conf</span><br></pre></td></tr></table></figure><ol start="5"><li>测试cuckoo</li></ol><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#新窗口</span></span><br><span class="line">cuckoo -d</span><br><span class="line"><span class="comment">#打开cuckoo自带web服务，通过主机ip访问</span></span><br><span class="line">cuckoo web runserver 0.0.0.0:80</span><br><span class="line"><span class="comment">#上传文件测试无误后，修改配置文件conf/cuckoo.conf </span></span><br><span class="line"><span class="comment">#后台运行cuckoo</span></span><br><span class="line">process_results = off</span><br></pre></td></tr></table></figure><h2 id="可能会踩到的一些坑"><a href="#可能会踩到的一些坑" class="headerlink" title="可能会踩到的一些坑"></a>可能会踩到的一些坑</h2><ol><li>环境一般都是复制，粘贴执行，就完事了，建议采用debian、Ubuntu【除12.04】，其他环境可能会有问题</li><li>宿主机，如果不是对linux特别了解，不要采用mini版或server无桌面版</li><li>虚拟机，软件安装，网络配置，全部搞完了再打快照【ps：本人打了无数个快照，这样不好】</li><li>cuckoo配置，cuckoo很强大，一般不会出问题，一定要仔细检测配置，出错了大多数都是配置文件有问题</li><li>以上所有的宿主机命令，<strong><em>不要用ROOT用户执行,用sudo命令执行</em></strong></li></ol><h2 id="参考资料"><a href="#参考资料" class="headerlink" title="参考资料"></a>参考资料</h2><p>搭建参考：</p><p><a href="http://www.fualan.com/article/31/" target="_blank" rel="noopener">http://www.fualan.com/article/31/</a></p><p>骚年来看官方文档：</p><p><a href="https://cuckoo.sh/docs/installation/index.html" target="_blank" rel="noopener">https://cuckoo.sh/docs/installation/index.html</a></p><p>旧软件安装</p><p><a href="http://www.oldapps.com/" target="_blank" rel="noopener">http://www.oldapps.com/</a> </p><h1 id="转载请注明来源：mu0gua-github-io"><a href="#转载请注明来源：mu0gua-github-io" class="headerlink" title="转载请注明来源：mu0gua.github.io"></a>转载请注明来源：mu0gua.github.io</h1>]]></content>
    
    <summary type="html">
    
      &lt;h1 id=&quot;cuckoo搭建之virtualbox&quot;&gt;&lt;a href=&quot;#cuckoo搭建之virtualbox&quot; class=&quot;headerlink&quot; title=&quot;cuckoo搭建之virtualbox&quot;&gt;&lt;/a&gt;cuckoo搭建之virtualbox&lt;/h1&gt;&lt;p&gt;&lt;em&gt;搭建完以后敲的，有误留言，谢谢。&lt;/em&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;h4 id=&quot;初始环境准备&quot;&gt;&lt;a href=&quot;#初始环境准备&quot; class=&quot;headerlink&quot; title=&quot;初始环境准备&quot;&gt;&lt;/a&gt;初始环境准备&lt;/h4&gt;&lt;blockquote&gt;
&lt;p&gt;系统版本：Ubuntu 18.4  Python：2.7  virtualbox 6.0.0&lt;/p&gt;
&lt;/blockquote&gt;
    
    </summary>
    
      <category term="病毒分析" scheme="http://mu0gua.github.io/categories/%E7%97%85%E6%AF%92%E5%88%86%E6%9E%90/"/>
    
    
      <category term="cuckoo" scheme="http://mu0gua.github.io/tags/cuckoo/"/>
    
      <category term="virtualbox" scheme="http://mu0gua.github.io/tags/virtualbox/"/>
    
      <category term="病毒分析" scheme="http://mu0gua.github.io/tags/%E7%97%85%E6%AF%92%E5%88%86%E6%9E%90/"/>
    
      <category term="sanbox" scheme="http://mu0gua.github.io/tags/sanbox/"/>
    
      <category term="沙箱" scheme="http://mu0gua.github.io/tags/%E6%B2%99%E7%AE%B1/"/>
    
  </entry>
  
  <entry>
    <title>cuckoo搭建之KVM</title>
    <link href="http://mu0gua.github.io/2019/04/20/cuckoo-kvm/"/>
    <id>http://mu0gua.github.io/2019/04/20/cuckoo-kvm/</id>
    <published>2019-04-20T05:46:17.000Z</published>
    <updated>2019-04-21T01:25:31.181Z</updated>
    
    <content type="html"><![CDATA[<h1 id="cuckoo搭建之KVM"><a href="#cuckoo搭建之KVM" class="headerlink" title="cuckoo搭建之KVM"></a>cuckoo搭建之KVM</h1><ul><li>搭建完以后敲的，有误留言，谢谢。*</li></ul><hr><h4 id="初始环境准备"><a href="#初始环境准备" class="headerlink" title="初始环境准备"></a>初始环境准备</h4><blockquote><p>系统版本：Ubuntu 18.4  Python：2.7  KVM</p></blockquote><a id="more"></a><h4 id="宿主机环境安装"><a href="#宿主机环境安装" class="headerlink" title="宿主机环境安装"></a>宿主机环境安装</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#检查是否支持 egrep -c '(vmx|svm)' /proc/cpuinfo  虽然无diao用</span></span><br><span class="line"><span class="comment">#安装依赖以及kvm</span></span><br><span class="line">sudo apt-get install qemu-kvm libvirt-bin virtinst bridge-utils cpu-checker</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line">apt-get update</span><br><span class="line">apt-get install -y python python-pip python-dev libffi-dev libssl-dev</span><br><span class="line">apt-get install -y python-virtualenv python-setuptools</span><br><span class="line">apt-get install -y libjpeg-dev zlib1g-dev swig</span><br><span class="line"><span class="comment"># 如果使用web交互界面，需要安装mongodb，ubuntu 12.04安装mongodb有问题，不能简单安装，需要参考官网文档进行安装 （可以不安装）</span></span><br><span class="line"><span class="comment">#apt-get install -y mongodb</span></span><br><span class="line"><span class="comment"># 默认使用sqlite3，推荐使用PostgreSQL，需要配置（可以不安装）</span></span><br><span class="line"><span class="comment">#apt-get install -y postgresql libpq-dev</span></span><br><span class="line">apt-get install -y volatility</span><br><span class="line">apt-get install -y swig</span><br><span class="line"><span class="comment">#Tcpdump</span></span><br><span class="line">apt-get install -y tcpdump apparmor-utils libcap2-bin</span><br><span class="line">aa-disable /usr/sbin/tcpdump</span><br><span class="line"><span class="built_in">setcap</span> cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump</span><br><span class="line"><span class="comment">#特征扫描</span></span><br><span class="line">pip install yara-python==3.5.0</span><br><span class="line"><span class="comment">#cuckoo 独立python env环境</span></span><br><span class="line">pip install virtualenv</span><br><span class="line"><span class="comment">#测试，能导入，不报错就可以了</span></span><br><span class="line"><span class="comment">#python import yara</span></span><br></pre></td></tr></table></figure><h4 id="宿主机环境配置"><a href="#宿主机环境配置" class="headerlink" title="宿主机环境配置"></a>宿主机环境配置</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#KVM 硬盘创建</span></span><br><span class="line"><span class="comment">#-f 硬盘格式 存放位置 大小</span></span><br><span class="line">qemu-img create -f qcow2 /data/vm/win7x64.qcow2 20G</span><br><span class="line"><span class="comment">#硬盘格式转换</span></span><br><span class="line"><span class="comment">#qemu-img convert -f raw -O qcow2 test.raw test.raw.qcow2</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#网络配置创建</span></span><br><span class="line">virsh net-define /etc/libvirt/qemu/networks/default.xml <span class="comment">#添加网络配置</span></span><br><span class="line">virsh net-start default <span class="comment"># 启动网络配置</span></span><br><span class="line">virsh net-autostart default <span class="comment"># 自启动，否则重启后就没有了</span></span><br><span class="line">virsh net-destroy default  <span class="comment"># 删除网络配置</span></span><br><span class="line">virsh net-undefine default <span class="comment"># 取消网络配置</span></span><br><span class="line">service libvirtd restart  <span class="comment"># 重新启动kvm网络管理服务</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#常用命令</span></span><br><span class="line">virsh list --all <span class="comment"># 显示所有虚拟机</span></span><br><span class="line">virsh dumpxml vm <span class="comment"># 配置文件查看</span></span><br><span class="line">virsh edit vm <span class="comment"># 配置文件编辑 ctrl +o ,ctrl + x 保存nano编辑方式</span></span><br><span class="line"></span><br><span class="line">virsh <span class="built_in">suspend</span> vm <span class="comment"># 挂起</span></span><br><span class="line">virsh resume vm <span class="comment"># 恢复</span></span><br><span class="line">virsh start vm <span class="comment"># 启动</span></span><br><span class="line">virsh reboot vm <span class="comment"># 重启</span></span><br><span class="line">virsh shutdown vm <span class="comment"># 正常关机</span></span><br><span class="line">virsh destroy vm <span class="comment"># 强制关机</span></span><br><span class="line">virsh undefine vm <span class="comment"># 删除名称为vm的虚拟机</span></span><br><span class="line">virsh autostart vm <span class="comment"># 自启动</span></span><br><span class="line">virsh autostart --<span class="built_in">disable</span> vm <span class="comment"># 关闭自启动</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#以下快照方式只可以关机使用，并且快照不能为cuckoo所工作</span></span><br><span class="line">qemu-img snapshot -c <span class="comment">#创建快照 快照名 磁盘路径</span></span><br><span class="line">qemu-img snapshot -l <span class="comment">#显示所有快照  磁盘路径</span></span><br><span class="line">qemu-img snapshot -a <span class="comment">#恢复到指定快照 快照名 磁盘路径</span></span><br><span class="line">qemu-img snapshot -d <span class="comment">#删除快照 快照名 磁盘路径</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 创建快照时用以下方式，可开机创建，并且时cuckoo所用的</span></span><br><span class="line">virsh snapshot-create-as <span class="comment">#创建快照  磁盘路径 快照名 快照说明</span></span><br><span class="line">virsh snapshot-list <span class="comment">#显示所有快照  虚拟机名称</span></span><br><span class="line">virsh snapshot-revert --domain <span class="comment">#恢复到指定快照 虚拟机名称 快照名</span></span><br><span class="line">virsh snapshot-delete <span class="comment">#删除快照 虚拟机名称 快照名 </span></span><br><span class="line">virsh snapshot-delete --domain xx --snapshotname xx <span class="comment">#删除快照 虚拟机名称 快照名 </span></span><br><span class="line"><span class="comment">#克隆kvm虚拟机</span></span><br><span class="line">virsh <span class="built_in">clone</span> -o node99 -n node11 -f /mnt/data/vhost/node11.img -m 00:00:00:80:00:11 -m 00:00:00:10:00:11</span><br><span class="line"></span><br><span class="line">net-autostart                  自动开始网络</span><br><span class="line">net-create                     从一个 XML 文件创建一个网络</span><br><span class="line">net-define                     定义一个永久网络或修改一个xml文件中定义的持久网络</span><br><span class="line">net-destroy                    销毁（停止）网络</span><br><span class="line">net-dhcp-leases                打印给定网络的租赁信息</span><br><span class="line">net-dumpxml                    XML 中的网络信息</span><br><span class="line">net-edit                       为网络编辑 XML 配置</span><br><span class="line">net-event                      Network Events</span><br><span class="line">net-info                       网络信息</span><br><span class="line">net-list                       列出网络</span><br><span class="line">net-name                       把一个网络UUID 转换为网络名</span><br><span class="line">net-start                      开始一个(以前定义的)不活跃的网络</span><br><span class="line">net-undefine                   取消（删除）定义一个永久网络</span><br><span class="line">net-update                     更新现有网络配置的部分</span><br><span class="line">net-uuid                       把一个网络名转换为网络UUID</span><br><span class="line"></span><br><span class="line"><span class="comment">#KVM虚拟机安装，运行完等待10s，ctrl + c就可以了</span></span><br><span class="line">sudo virt-install \</span><br><span class="line">--virt-type=kvm \</span><br><span class="line">--name win7x64 \</span><br><span class="line">--ram 1024 \</span><br><span class="line">--vcpus=1 \</span><br><span class="line">--os-variant=win7 \</span><br><span class="line">--virt-type=kvm \</span><br><span class="line">--hvm \</span><br><span class="line">--cdrom=/data/image/cn_windows_7_professional_with_sp1_x64_dvd_u_677031.iso \</span><br><span class="line">--network=bridge:virbr0,model=virtio \</span><br><span class="line">--graphics vnc \</span><br><span class="line">--disk path=/data/vm/win7x64.qcow2</span><br><span class="line"><span class="comment"># 安装完以后一定要通过virsh edit win7x64配置 network,之后一定先关机再启动，直接重启无效</span></span><br><span class="line">&lt;interface <span class="built_in">type</span>=<span class="string">'bridge'</span>&gt;</span><br><span class="line">    &lt;mac address=<span class="string">'52:54:00:73:ce:69'</span>/&gt;</span><br><span class="line">    &lt;<span class="built_in">source</span> bridge=<span class="string">'virbr0'</span>/&gt;</span><br><span class="line">    &lt;model <span class="built_in">type</span>=<span class="string">'virtio'</span>/&gt;</span><br><span class="line">&lt;address <span class="built_in">type</span>=<span class="string">'pci'</span> domain=<span class="string">'0x0000'</span> bus=<span class="string">'0x00'</span> slot=<span class="string">'0x03'</span> <span class="keyword">function</span>=<span class="string">'0x0'</span>/&gt;</span><br><span class="line">&lt;/interface&gt;</span><br><span class="line"><span class="comment">#改为</span></span><br><span class="line">&lt;interface <span class="built_in">type</span>=<span class="string">'bridge'</span>&gt;</span><br><span class="line">    &lt;mac address=<span class="string">'52:54:00:73:ce:69'</span>/&gt;</span><br><span class="line">    &lt;<span class="built_in">source</span> bridge=<span class="string">'virbr0'</span>/&gt;</span><br><span class="line">    &lt;model <span class="built_in">type</span>=<span class="string">'e1000'</span>/&gt;</span><br><span class="line">&lt;address <span class="built_in">type</span>=<span class="string">'pci'</span> domain=<span class="string">'0x0000'</span> bus=<span class="string">'0x00'</span> slot=<span class="string">'0x03'</span> <span class="keyword">function</span>=<span class="string">'0x0'</span>/&gt;</span><br><span class="line">&lt;/interface&gt;</span><br></pre></td></tr></table></figure><h4 id="虚拟机配置"><a href="#虚拟机配置" class="headerlink" title="虚拟机配置"></a>虚拟机配置</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#虚拟机配置  -- 作.用命令行安装的，起来以后kvm的vnc管理地址是127.0.0.1:5900</span></span><br><span class="line">ssh -L 9000:192.168.0.x:9000 cuckoo@192.168.0.x -N</span><br><span class="line"></span><br><span class="line"><span class="comment">#宿主机随便找个vnc连接的软件，我用的chrome插件</span></span><br><span class="line"><span class="comment">#正式虚拟机配置</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#安装 Python 2.7</span></span><br><span class="line"><span class="comment">#安装 Java 8</span></span><br><span class="line"><span class="comment">#安装 PIL(Python截屏库)</span></span><br><span class="line"><span class="comment">#安装 Chrome、pdf、winrar、Firefox、office 2003等</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#关闭 Windows更新</span></span><br><span class="line"><span class="comment">#关闭 防火墙</span></span><br><span class="line"><span class="comment">#关闭 UAC</span></span><br><span class="line"><span class="comment">#关闭软件更新，chrome、java、firefox、office</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#启用administrator、guest</span></span><br><span class="line">net user guest /active:yes</span><br><span class="line">net user administrator /active:yes</span><br><span class="line"><span class="comment">#设置自动登陆administrator</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#配置静态IP 与宿主机vir0br0 ip段一致 我的是192.168.122.0/24 </span></span><br><span class="line"></span><br><span class="line"><span class="comment">#配置自动登陆  &lt;USERNAME&gt; &lt;PSSWORD&gt; 填自己的</span></span><br><span class="line"><span class="comment">#control userpasswords2</span></span><br><span class="line">reg add <span class="string">"hklm\software\Microsoft\Windows NT\CurrentVersion\WinLogon"</span> /v DefaultUserName /d &lt;USERNAME&gt; /t REG_SZ /f</span><br><span class="line">reg add <span class="string">"hklm\software\Microsoft\Windows NT\CurrentVersion\WinLogon"</span> /v DefaultPassword /d &lt;PSSWORD&gt; /t REG_SZ /f</span><br><span class="line">reg add <span class="string">"hklm\software\Microsoft\Windows NT\CurrentVersion\WinLogon"</span> /v AutoAdminLogon /d 1 /t REG_SZ /f</span><br><span class="line">reg add <span class="string">"hklm\system\CurrentControlSet\Control\TerminalServer"</span> /v AllowRemoteRPC /d 0x01 /t REG_DWORD /f</span><br><span class="line">reg add <span class="string">"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"</span> /v LocalAccountTokenFilterPolicy /d 0x01 /t REG_DWORD /f</span><br><span class="line"></span><br><span class="line"><span class="comment"># 将/home/cuckoo/.cuckoo/agent/agent.py 拷贝至虚拟机启动项 C:\Documents and Settings\All Users\「开始」菜单\程序\启动\agent.pyw</span></span><br><span class="line"><span class="comment"># agent.py 改为agent.pyw  据说会无窗口，爱改不改</span></span><br><span class="line"><span class="comment"># python  agent.py , netstat -ano | findstr 8000  #有就ok了</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#网络配置</span></span><br><span class="line">iptables -t nat -A POSTROUTING -o ens33 -s 192.168.122.0/24 -j MASQUERADE</span><br><span class="line">iptables -P FORWARD DROP</span><br><span class="line">iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT</span><br><span class="line">iptables -A FORWARD -s 192.168.122.0/24 -j ACCEPT</span><br><span class="line">iptables -A FORWARD -s 192.168.122.0/24 -d 192.168.122.0/24 -j ACCEPT</span><br><span class="line">iptables -A FORWARD -j LOG </span><br><span class="line"><span class="comment"># 主机转发开启</span></span><br><span class="line">sysctl -w net.ipv4.ip_forward=1</span><br><span class="line">sysctl -p /etc/sysctl.conf</span><br><span class="line"></span><br><span class="line"><span class="comment"># 打快照</span></span><br><span class="line">qemu-img snapshot -c cuckoo /data/vm/win7x64.qcow2</span><br><span class="line">`</span><br></pre></td></tr></table></figure><h4 id="Cuckoo配置"><a href="#Cuckoo配置" class="headerlink" title="Cuckoo配置"></a>Cuckoo配置</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#配置默认虚拟机为kvm</span></span><br><span class="line">vim /home/cuckoo/.cuckoo/conf/cuckoo.conf</span><br><span class="line"><span class="comment">#machinery = virtualbox 改为</span></span><br><span class="line"><span class="comment">#machinery = kvm</span></span><br><span class="line">. /data/pyenv/bin/active</span><br><span class="line"></span><br><span class="line"><span class="comment">#新窗口</span></span><br><span class="line"><span class="comment">#执行失败的话，安装这个 pip install libvirt-python</span></span><br><span class="line">(pyenv)$ cuckoo -d</span><br><span class="line"><span class="comment">#打开cuckoo自带web服务，通过主机ip访问</span></span><br><span class="line">(pyenv)$ cuckoo web runserver 0.0.0.0:80</span><br><span class="line"></span><br><span class="line"><span class="comment">#上传文件测试无误后，修改配置文件conf/cuckoo.conf </span></span><br><span class="line"><span class="comment">#后台运行cuckoo</span></span><br><span class="line"><span class="comment">#process_results = off</span></span><br></pre></td></tr></table></figure><h2 id="可能会踩到的一些坑"><a href="#可能会踩到的一些坑" class="headerlink" title="可能会踩到的一些坑"></a>可能会踩到的一些坑</h2><ol><li>想要通过virsh shutdown关机，<strong><em>必须在虚拟机中安装acpid acpid-sysvinit，不是宿主机！</em></strong></li><li>宿主机，如果不是对linux特别了解，不要采用mini版或server无桌面版</li><li>虚拟机，软件安装，网络配置，全部搞完了再打快照【ps：本人打了无数个快照，这样不好】</li><li>cuckoo配置，cuckoo很强大，一般不会出问题，一定要仔细检测配置，出错了大多数都是配置文件有问题</li><li>以上所有的宿主机命令，<strong><em>不要用ROOT用户执行,用sudo命令执行</em></strong></li><li><strong><em>Cuckoo 配置文件中提到的快照是用virsh snapshot 创建的，不是qemu-img创建的</em></strong></li></ol><h2 id="参考资料"><a href="#参考资料" class="headerlink" title="参考资料"></a>参考资料</h2><p>搭建参考：</p><p><a href="http://www.linux-kvm.org/page/Documents" target="_blank" rel="noopener">http://www.linux-kvm.org/page/Documents</a></p><p>后续配置</p><p><a href="https://www.secpulse.com/archives/74909.html" target="_blank" rel="noopener">https://www.secpulse.com/archives/74909.html</a></p><p><a href="https://www.secpulse.com/archives/75180.html" target="_blank" rel="noopener">https://www.secpulse.com/archives/75180.html</a></p><p>克隆KVM</p><p><a href="https://blog.csdn.net/yzy1103203312/article/details/81067326" target="_blank" rel="noopener">https://blog.csdn.net/yzy1103203312/article/details/81067326</a></p><p>史上最强说明（有能力就按照官方文档走吧）：</p><p><a href="https://cuckoo.sh/docs/installation/index.html" target="_blank" rel="noopener">https://cuckoo.sh/docs/installation/index.html</a></p><p>旧软件安装</p><p><a href="http://www.oldapps.com/" target="_blank" rel="noopener">http://www.oldapps.com/</a> </p><h1 id="转载请注明来源：mu0gua-github-io"><a href="#转载请注明来源：mu0gua-github-io" class="headerlink" title="转载请注明来源：mu0gua.github.io"></a>转载请注明来源：mu0gua.github.io</h1>]]></content>
    
    <summary type="html">
    
      &lt;h1 id=&quot;cuckoo搭建之KVM&quot;&gt;&lt;a href=&quot;#cuckoo搭建之KVM&quot; class=&quot;headerlink&quot; title=&quot;cuckoo搭建之KVM&quot;&gt;&lt;/a&gt;cuckoo搭建之KVM&lt;/h1&gt;&lt;ul&gt;
&lt;li&gt;搭建完以后敲的，有误留言，谢谢。*&lt;/li&gt;
&lt;/ul&gt;
&lt;hr&gt;
&lt;h4 id=&quot;初始环境准备&quot;&gt;&lt;a href=&quot;#初始环境准备&quot; class=&quot;headerlink&quot; title=&quot;初始环境准备&quot;&gt;&lt;/a&gt;初始环境准备&lt;/h4&gt;&lt;blockquote&gt;
&lt;p&gt;系统版本：Ubuntu 18.4  Python：2.7  KVM&lt;/p&gt;
&lt;/blockquote&gt;
    
    </summary>
    
      <category term="病毒分析" scheme="http://mu0gua.github.io/categories/%E7%97%85%E6%AF%92%E5%88%86%E6%9E%90/"/>
    
    
      <category term="cuckoo" scheme="http://mu0gua.github.io/tags/cuckoo/"/>
    
      <category term="病毒分析" scheme="http://mu0gua.github.io/tags/%E7%97%85%E6%AF%92%E5%88%86%E6%9E%90/"/>
    
      <category term="sanbox" scheme="http://mu0gua.github.io/tags/sanbox/"/>
    
      <category term="沙箱" scheme="http://mu0gua.github.io/tags/%E6%B2%99%E7%AE%B1/"/>
    
      <category term="kvm" scheme="http://mu0gua.github.io/tags/kvm/"/>
    
  </entry>
  
</feed>