dlllist is used to display a process's loaded DLLs.DLLs are automatically added to this list when a process calls LoadLibrary (or some derivative such as LdrLoadDll).
To display the DLLs for a process that is hidden or unlinked by a rootkit, first use the psscan to get the physical offset of the EPROCESS object and then:
dlldump command is used to extract a DLL from a process's memory space and dump it to disk for analysis.The syntax is nearly the same as what has been seen earlier with any command.This plugin provisions the following :
- Dump all DLLs from a hidden/unlinked process (with --offset=OFFSET)
- Dump all DLLs from a specific process (with --pid=PID)
- Dump all DLLs from all processes
- Dump a PE from anywhere in process memory (with --base=BASEADDR), this option is useful for extracting hidden DLLs
To specify an output directory, use --dump-dir=DIR or -d DIR.
1. Cuckoo Sandbox is a malware analysis system tool which allows you to throw any suspicious file at it and in a matter of seconds it will provide you back some detailed results outlining what such file did when executed inside an isolated environment.It is written 100% in Python, the architecture is very interesting and it is based on a virtualisation engine like Virtual box to maintain a “fresh” pc always at hand to run the malware called the client, inside this client it is run as an agent that is also written 100% in Python to monitor the different calls that the malware do to the dll’s, host that try to connect, etc.The connection between the Server and the client is done through an isolated network set up by virtual box, it is configured that way in order to avoid the propagation of the malware and to communicate effectively between the client and the server to send the analysis report, infected binaries, etc.This post ahead brings you a step by step screenshot to download and configure this excellent tool,will be good for beginners in cyber security/penetration testing to play with and see results immediately.Though from the looks of this post below,the procedure looks cumbersome and complex,but I have made attempts for a naive to understand and follow up screenshot wise,any queries still will be most welcome :
WHAT IT DOES PRECISELY?
2. Cuckoo can produce the following types of results:
- Files being created, deleted, and downloaded by the malware during its execution
- Network traffic trace in PCAP format(as we get with wireshark and ethreal)
- Traces of win32 API calls spawned by the malware
- Memory dumps of the malware processes
- Screenshots of the Windows desktop as it happens during execution of the malware
- Full memory dumps of the machines
KINDS OF FILES FOR ANALYSIS
3. The following kinds of files can be analysed and put for check in cuckoo :
- Adequate RAM around 4 GB in all with the parent machine.
- i3 processor and above will help u lessen wait and make u patient
5. Python comes preinstalled with the Ubuntu Desktop,but we need some extra python libraries as follows :
Pydeep
Sqlalchemy
Bson
DPKT
Yara
MAEC Python bindings
Jinja2
Magic
Chardet
Pymongo
tcpdump
mongodb
Volatility
Libvirt
Bottlepy
Django
Pefile
Step 1
Firstly we will install all the above mentioned libraries vide a single command.You need to slect the below text and paste as it is in the terminal | sudo apt-get install mongodb python-sqlalchemy python-bson python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet tcpdump -y
Besides above,there are other python libraries that need PIP for installation.Pip is an alternative to Easy Install for installing Python packages and is largely recommended when used in virtual environments.
Two additional software Yara and Pydeep too need to be installed and the cuckoo documentation states these need to be installed separately, however Yara is provided in the Ubuntu universe repository. but before installing Pydeep , we need to install some dependencies with the following command line to install the following :
Cuckoo requires Yara 1.7 or higher and to install yara,run the following command
sudo apt-get install yara -y
Pydeep depends on ssdeep 2.8+ and ssdeep needs to be compiled from source and likewise for Pydeep. Before doing so, a few packages are needed. The following commands will work :
| sudo apt-get install build-essential git python-dev -y | wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.12/ssdeep-2.12.tar.gz/download -O ssdeep.tar.gz | tar -xf ssdeep.tar.gz | cd ssdeep-2.12 | ./configure | make | sudo make install | ssdeep -V | 2.12(output for above)
We also need to install “git’:
sudo apt-get install git
Now cd to the directory Download, clone the pydeep project and install manually:
git clone https://github.com/kbandla/pydeep.git
cd pydeep
sudo python setup.py install
Install Yara
sudo apt-get install libtool automake
Then download yara form the git repository and install it:
Now we need to install yara-python with the following commands:
cd yara-python
sudo python setup.py install
Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including XP, 2003 Server, Vista, Server 2008, Server 2008 R2, Seven, 8, 8.1, Server 2012, and 2012 R2 but in recent past now on supports Linux memory dumps in raw or LiME format and include 35+ plugins for analyzing 32- and 64-bit Linux kernels from 2.6.11 - 3.16 and distributions such as Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake.VOLATILITY is to be installed next,we need the following commands:
Where user:usergroup is the user used to login to the ubuntu machine and the group is the group to which user belong
Now we shift our attention to configuring networks for Virtual Box and parent machine.So I assume you have installed Windows 7 in virtual box with Adobe,Microsoft Office and a Mozilla/Chrome browser.
Configure as shown next below :
Vide the above,the two IP addresses I have configured to ping are :
Parent/Host OS : 192.168.56.1
Virtual Windows Machine : 192.168.56.101
Just ping from each IP to other,if they ping all is set now to work ahead.
and one important step that remains is to configure the conf files in the cuckoo configuration,Few important configuration files that we effect to work with are mentioned below with brief functionality:
cuckoo.conf : This configuration file contains information about the general behavior and analysis options in Cuckoo Sandbox. machinemanager.conf : This file holds the information about your virtual machine configuration: Depends on the name of virtualization that we used. processing.conf : This file is used for enabling/configuring the processing of modules. reporting.conf : This file contains information about reporting methodologies.
There are a few things required to be changed in the configuration files as follows:
[I used gedit to edit and make amends to these conf files]
/opt/cuckoo/conf/cuckoo.conf
[cuckoo] memory_dump = on [resultserver] ip = [ip address of the vboxnet0 interface, to check it issue on terminal ifconfig vboxnet0, usually 192.168.56.1]
/opt/cuckoo/conf/virtualbox.conf
[cuckoo1] label = [Name of the Windows guest virtual machine as configured on VirtualBox] ip = [ip address configured i the windows guest] snapshot = [the name of the snapshot taken with virtual box] /opt/cuckoo/conf/memory.conf [basic] delete_memdump = yes
/opt/cuckoo/conf/processing.conf
[memory] enabled = yes [virustotal] enabled = yes key = [key of the virus total API, could be obtained registering in http://www.virustotal.com
/opt/cuckoo/conf/reporting.conf
[maec40] enabled = yes [mongodb] enabled = yes
Now we can run Cuckoo after all the hardwork :
run the command as shown below and you should get the screen as below :
sudo python /opt/cuckoo/cuckoo.py
Now we need to do a submission of a file vide a script as shown below :
In one of my recent updates in UBUNTU 14.04 LTS,I faced an issue in the installed virtual box machines giving a message that goes as follows :
Unsupported version 11 of data unit 'vga' (instance #0, pass 0xffffffff) (VERR_SSM_UNSUPPORTED_DATA_UNIT_VERSION).
Result Code: NS_ERROR_FAILURE (0x80004005)
Component: Console
Interface: IConsole {1968b7d3-e3bf-4ceb-99e0-cb7c913317bb}
This was in-spite of the fact that I had saved my virtual machine in the manner it is supposed be and was not a power off.The machine as made to start vide the VB interface went showing the progress bar but was then followed by this above message.
How I solved this :
After working out many attempts to update and repair the Virtual Box,the simple way worked out like shown in the pic below :
Yes...it is as simple as choosing the machine and selecting "DISCARD SAVED STATE"
1. Setting this up is a simple thing till the time you know how to do it...here I bring you a step by step thing of how you putty to a Backtrack5 v3 machine installed in a Virtual Box from a Ubuntu host OS....
2. First thing is configuring a additional network card on the BTR3 machine.Select the virtual machine and click on Settings,then move to Network settings and then in the Network adapter, there will be a pre-installed NAT adapter for internet usage of the host machine.Under Adapter 2 select Host only Adapter.
Adapter 1 Default Configuration
Adapter 2 to be Configured
Before you get ready to ssh...u need to ensure that ssh service is running in Backtrack...which by default is not...run the terminal commands as seen below in the screen shots...
ifconfig as seen at terminal of the Backtrack R3 machine
Putty to IP of the Backtrack Machine
Putty successfully asks for login as seen below :
Login with Backtrack credentials :
Here above we get the msfconsole...ready to accept the commands....
1. This post will help guys stuck with adding a Host only Adapter in Virtual Box.The screen shots are self explanatory in a step wise manner.First screen shot shows the problem as seen on the screen....rest on how to resolve.
1. This post will be useful for those looking to setup a virtual lab on their laptops/PCs that can be used to play with Backtrack/Kali Linux like similar images.Here I am sharing exact screen shots of configuration required to set up two machines who would access internet independently and would also at the same time ping each other on a local LAN setup...subsequently can be used to work with SET(Social Engineering Toolkit) as discussed in my last post.I have two machines here with Kali Linux and a Windows 7 machine.
2. Both have been setup with two NICs each and configured as shown below :
1. "Cloud" has been easily the most buzzy term in past few years for the computing industry. Case in point is the CloudUSB distribution, a project that promises to provide automatic backups and data along with privacy protection. The cloud name is catchy but the security is far less than promised....it is actually a USB-based Linux distribution based on Ubuntu 10.04 LTS(though old but works for general user..now I m on 14.04 LTS though). The idea is that you can carry your own Linux distribution with you for use anywhere, thus allowing anyone to use Linux on any computer and keep their data safe in the event the USB key is lost.
2. CloudUSB uses the Dropbox service to synchronize data, so users who don't already have a Dropbox account will need to set up an account before being able to use the synchronization service. CloudUSB sets up a data and private-data folder for keeping sensitive files in. The setup.sh script that comes with the distribution uses encfs to set up an encrypted directory. It appears the script isn't properly encrypting the directory, though. When the system is rebooted, it does use encfs to mount the Dropbox/private-data directory as Desktop/.private-data. A step by step screen shot is shown below...i run this on a Virtual Box....and this can be downloaded at http://cloudusb.net/?DOWNLOAD
https://orcid.org/0000-0002-9097-2246
