pystemon installation
sudo apt-get install python-pip
sudo pip install PyYAML
sudo pip install BeautifulSoup
git clone https://github.com/cvandeplas/pystemon
[malware] Viper
Malware management and analysis framework
http://viper-framework.readthedocs.org/en/latest/index.html
Viper is a binary analysis and management framework.
sudo apt-get install gcc python-dev python-pip
sudo pip install SQLAlchemy PrettyTable python-magic
tar -zxvf ssdeep-2.12.tar.gz
cd ssdeep-2.12/
./configure && make
sudo make install
sudo pip install pydeep
sudo apt-get install python-socksipy
git clone https://github.com/botherder/viper
cd viper
sudo pip install -r requirements.txt
./viper.py
■ Data migration: copy the files under "viper/projects".
■ Load the files in the "20141215" folder and tag them with "xxxxxx":
viper > store -f /home/ubuntu/Malware/20141215 -t [xxxxxx]
Installing nginx, elasticsearch and kibana
==============================================================
Installing nginx
# vi /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/5/$basearch/
gpgcheck=0
enabled=1
# yum update
# yum search nginx
# yum install nginx
# service nginx start
# curl 127.0.0.1
# chkconfig nginx on
==============================================================
Installing Java
# java -version
# yum remove java
# yum install java-1.7.0-openjdk.i386
==============================================================
Installing elasticsearch
# wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.3.4.tar.gz
# tar zxvf elasticsearch-1.3.4.tar.gz
# mv elasticsearch-1.3.4 /opt/
# /opt/elasticsearch-1.3.4/bin/elasticsearch
# curl 127.0.0.1:9200
{
"status" : 200,
"name" : "Aleksander Lukin",
"version" : {
"number" : "1.3.4",
"build_hash" : "a70f3ccb52200f8f2c87e9c370c6597448eb3e45",
"build_timestamp" : "2014-09-30T09:07:17Z",
"build_snapshot" : false,
"lucene_version" : "4.9"
},
"tagline" : "You Know, for Search"
}
==============================================================
Installing kibana
# wget https://download.elasticsearch.org/kibana/kibana/kibana-3.1.1.tar.gz
# tar zxvf kibana-3.1.1.tar.gz
# mv kibana-3.1.1 /opt/
# vi config.js
elasticsearch: "http://IP_address:9200",
# vi /etc/nginx/conf.d/default.conf
location / {
root /opt/kibana-3.1.1/;
index index.html index.htm;
}
==============================================================
Restart nginx
# service nginx restart
==============================================================
Installing logstash
wget https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.tar.gz
tar zxvf logstash-1.4.2.tar.gz
wget http://logstash.net/docs/1.4.2/tutorials/10-minute-walkthrough/apache-elasticsearch.conf
bin/logstash agent -f apache-elasticsearch.conf web
nc localhost 3333 < apache_log.2
[Memory Forensics] Memory forensics
Correct position of lsass.exe
winlogon.exe
 |--- lsass.exe
 |--- services.exe
       |--- Process_A.exe
       |--- Process_B.exe
       |--- Process_B.exe
       |--- Process_B.exe
       |--- Process_B.exe
       |--- Process_B.exe
※ There is only one "lsass.exe"; more than one instance is abnormal.
※ "lsass.exe" is created under "winlogon.exe".
※ Other services are created under "services.exe".
※ The start time of "lsass.exe" is close to the boot time.
Correct location of Explorer.exe
C:\Windows
 |--- Explorer.exe
Correct location of iexplore.exe
C:\Program Files
 |--- iexplore.exe
Regarding svchost.exe (the tree below is the abnormal case)
explorer.exe
 |--- svchost.exe
※ "svchost.exe" runs with SYSTEM privileges, so
※ it does not appear under "explorer.exe", which runs with user privileges.
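The parent/child and start-time rules above can be checked mechanically over a process listing instead of by eye. The script below is an added example, not part of the original notes or of any forensic tool; it takes a constructed, simplified pslist-style table (pid, ppid, name, create time, modelled on Volatility pslist output) and reports rows that break the rules: more than one lsass.exe, lsass.exe not under winlogon.exe, lsass.exe starting long after boot, and svchost.exe not under services.exe (which covers the svchost-under-explorer case). The 120-second "near boot" window is an assumption chosen for the example.

```python
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# Assumption for this example: "near boot time" is read as within two minutes
# of the earliest create time in the listing.
BOOT_WINDOW_SECONDS = 120

# Constructed sample, modelled on a Volatility pslist table: (pid, ppid, name, create time).
# The last two rows are deliberately abnormal.
SAMPLE_PSLIST = [
    (4,    0,    "System",       "2014-01-07 02:00:01"),
    (548,  4,    "smss.exe",     "2014-01-07 02:00:03"),
    (612,  548,  "csrss.exe",    "2014-01-07 02:00:05"),
    (636,  548,  "winlogon.exe", "2014-01-07 02:00:05"),
    (680,  636,  "services.exe", "2014-01-07 02:00:06"),
    (692,  636,  "lsass.exe",    "2014-01-07 02:00:06"),
    (860,  680,  "svchost.exe",  "2014-01-07 02:00:08"),
    (1520, 1488, "explorer.exe", "2014-01-07 02:01:10"),  # parent (userinit.exe) has already exited
    (1900, 1520, "svchost.exe",  "2014-01-07 02:45:00"),  # svchost.exe as a child of explorer.exe
    (2044, 1520, "lsass.exe",    "2014-01-07 02:45:03"),  # second lsass.exe, wrong parent, late start
]


def check_process_tree(pslist, boot_window=BOOT_WINDOW_SECONDS):
    """Return a list of findings; an empty list means nothing broke the rules above."""
    by_pid = {pid: (ppid, name, ts) for pid, ppid, name, ts in pslist}

    def parent_name(pid):
        ppid = by_pid[pid][0]
        # A parent missing from the listing has exited (normal for explorer.exe).
        return by_pid[ppid][1] if ppid in by_pid else "<exited>"

    # Earliest create time in the listing stands in for the boot time.
    boot = min(datetime.strptime(ts, TS_FORMAT) for _, _, _, ts in pslist)
    findings = []

    # Rule 1: exactly one lsass.exe.
    lsass = [row for row in pslist if row[2].lower() == "lsass.exe"]
    if len(lsass) != 1:
        findings.append(f"expected exactly one lsass.exe, found {len(lsass)}")

    # Rules 2 and 4: lsass.exe sits under winlogon.exe and starts close to boot.
    for pid, ppid, _, ts in lsass:
        parent = parent_name(pid)
        if parent.lower() != "winlogon.exe":
            findings.append(f"lsass.exe pid {pid} is a child of {parent} (pid {ppid}), expected winlogon.exe")
        delta = (datetime.strptime(ts, TS_FORMAT) - boot).total_seconds()
        if delta > boot_window:
            findings.append(f"lsass.exe pid {pid} started {delta:.0f}s after boot, expected near boot")

    # Rule 3: service hosts are children of services.exe, never of a user-level explorer.exe.
    for pid, ppid, name, _ in pslist:
        if name.lower() == "svchost.exe":
            parent = parent_name(pid)
            if parent.lower() != "services.exe":
                findings.append(f"svchost.exe pid {pid} is a child of {parent} (pid {ppid}), expected services.exe")
    return findings


if __name__ == "__main__":
    for finding in check_process_tree(SAMPLE_PSLIST):
        print("SUSPICIOUS:", finding)
```

On the constructed sample the check reports four findings: two lsass.exe instances, the second one parented by explorer.exe and started about 45 minutes after boot, and an svchost.exe under explorer.exe. Real listings need the same rules applied with the OS version in mind, since the expected parent of lsass.exe differs between Windows versions.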
[forensics] SuperTimeline
[Old]
# mount -o loop,ro,show_files,streams_interface=windows,offset=32256 /mnt/hgfs/image.dd /mnt/windows_mount
# log2timeline -z Japan -p -r -f winxp /mnt/windows_mount -w supertimeline.txt
# l2t_process -b supertimeline.txt > supertimeline.csv
[New]
# log2timeline.py -o 63 --parsers "win7" /cases/timeline/myhost.dump image.dd
# psort.py -w /cases/timeline/myhost.sorted.csv /cases/timeline/myhost.dump
[Windows]
log2timeline.exe -o 63 -z Japan -p --vss myhost.dump image.dd
psort.exe -z Japan -w supertimeline.txt myhost.dump
http://plaso.kiddaland.net/usage/upgrading-from-0-x-branch
INetSim: Internet Services Simulation Suite
Fake servers (DNS, HTTP, etc.)
INetSim: Internet Services Simulation Suite - Project Homepage
# Available service names are:
# dns, http, smtp, pop3, tftp, ftp, ntp, time_tcp,
# time_udp, daytime_tcp, daytime_udp, echo_tcp,
# echo_udp, discard_tcp, discard_udp, quotd_tcp,
# quotd_udp, chargen_tcp, chargen_udp, finger,
# ident, syslog, dummy_tcp, dummy_udp, smtps, pop3s,
# ftps, irc, https
/etc/inetsim/inetsim.conf
service_bind_address 192.168.1.1
dns_default_ip 192.168.1.1
Change the two entries above to your own IP address ("192.168.1.1" here).
remnux@remnux:/var/log/inetsim$ inetsim
INetSim 1.2.3 (2012-10-01) by Matthias Eckert & Thomas Hungenberg
Using log directory: /var/log/inetsim/
Using data directory: /var/lib/inetsim/
Using report directory: /var/log/inetsim/report/
Using configuration file: /etc/inetsim/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 3521) ===
Session ID: 3521
Listening on: 192.168.1.1
Real Date/Time: Tue Jan 7 02:09:26 2014
Fake Date/Time: Tue Jan 7 02:09:26 2014 (Delta: 0 seconds)
Forking services...
* ident_113_tcp - started (PID 3536)
* time_37_tcp - started (PID 3538)
* daytime_13_tcp - started (PID 3540)
* tftp_69_udp - started (PID 3532)
* dns_53_tcp_udp - started (PID 3523)
* time_37_udp - started (PID 3539)
* daytime_13_udp - started (PID 3541)
* quotd_17_tcp - started (PID 3546)
* echo_7_tcp - started (PID 3542)
* discard_9_udp - started (PID 3545)
* quotd_17_udp - started (PID 3547)
* finger_79_tcp - started (PID 3535)
* chargen_19_udp - started (PID 3549)
* irc_6667_tcp - started (PID 3533)
* ntp_123_udp - started (PID 3534)
* chargen_19_tcp - started (PID 3548)
* dummy_1_udp - started (PID 3551)
* discard_9_tcp - started (PID 3544)
* dummy_1_tcp - started (PID 3550)
* syslog_514_udp - started (PID 3537)
* echo_7_udp - started (PID 3543)
* smtps_465_tcp - started (PID 3527)
* pop3s_995_tcp - started (PID 3529)
* ftp_21_tcp - started (PID 3530)
* smtp_25_tcp - started (PID 3526)
* ftps_990_tcp - started (PID 3531)
* pop3_110_tcp - started (PID 3528)
* http_80_tcp - started (PID 3524)
* https_443_tcp - started (PID 3525)
done.
Simulation running.
/var/log/inetsim/service.log
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] connect
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] recv: Query Type A, Class IN, Name xxxxxxxxx.ddo.jp
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] send: xxxxxxxxx.ddo.jp 3600 IN A 127.0.0.1
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] disconnect
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] stat: 1 qtype=A qclass=IN qname=xxxxxxxxx.ddo.jp
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] recv: Host: xxxxxxxxx.ddo.jp
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] recv: Connection: Keep-Alive
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] recv: Cache-Control: no-cache
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] recv: Pragma: no-cache
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] info: Request URL: http://xxxxxxxxx.ddo.jp/usr/Y-Vm6St6fBt9BgNTez6BOK
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] info: No matching file extension configured. Sending default fake file.
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] send: HTTP/1.1 200 OK
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] send: Server: INetSim HTTP Server
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] send: Connection: Close
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] send: Content-Length: 258
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] send: Content-Type: text/html
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] send: Date: Tue, 07 Jan 2014 07:45:06 GMT
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] stat: 1 method=GET url=http://xxxxxxxxx.ddo.jp/usr/Y-Vm6St6fBt9BgNTez6BOK sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=
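The value of running a sample against INetSim is the service.log: the "stat:" lines carry the domain names the sample resolved and the URLs it requested, which are the indicators an analyst wants to pull out. The script below is an added example, not part of the original notes or of INetSim itself; it parses lines in the service.log format shown above (the sample text is a constructed copy of those lines) and collects DNS query names, HTTP requests with method and POST body, and the client addresses seen. The line layout it assumes is exactly the one visible in the log above.

```python
import re
from collections import Counter

# Constructed sample in the layout of /var/log/inetsim/service.log shown above.
SAMPLE_LOG = """\
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] connect
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] recv: Query Type A, Class IN, Name xxxxxxxxx.ddo.jp
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] send: xxxxxxxxx.ddo.jp 3600 IN A 127.0.0.1
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] disconnect
[2014-01-07 02:30:34] [3812] [dns_53_tcp_udp 3814] [192.168.1.2] stat: 1 qtype=A qclass=IN qname=xxxxxxxxx.ddo.jp
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] recv: Host: xxxxxxxxx.ddo.jp
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] info: Request URL: http://xxxxxxxxx.ddo.jp/usr/Y-Vm6St6fBt9BgNTez6BOK
[2014-01-07 02:45:06] [4033] [http_80_tcp 4105] [192.168.1.2:1065] stat: 1 method=GET url=http://xxxxxxxxx.ddo.jp/usr/Y-Vm6St6fBt9BgNTez6BOK sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=
"""

# [timestamp] [session id] [service pid] [client addr[:port]] event[: message]
# "connect" and "disconnect" events carry no message, hence the optional tail.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<session>\d+)\] \[(?P<service>\S+) (?P<spid>\d+)\] "
    r"\[(?P<client>[^\]]+)\] (?P<event>\w+)(?:: (?P<msg>.*))?$"
)


def parse_line(line):
    """Split one service.log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["session"] = int(rec["session"])
    rec["spid"] = int(rec["spid"])
    return rec


def extract_indicators(text):
    """Collect DNS names, HTTP requests and client addresses from the per-session 'stat' lines."""
    dns = Counter()
    http = []
    clients = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        clients.add(rec["client"].split(":")[0])  # drop the source port on TCP services
        if rec["event"] != "stat" or not rec["msg"]:
            continue
        # stat lines are "<counter> key=value key=value ..."; keep the key/value part.
        fields = dict(kv.split("=", 1) for kv in rec["msg"].split()[1:] if "=" in kv)
        if rec["service"].startswith("dns_") and "qname" in fields:
            dns[(fields.get("qtype", "?"), fields["qname"])] += 1
        elif rec["service"].startswith("http") and "url" in fields:
            http.append((fields.get("method", "?"), fields["url"], fields.get("postdata", "")))
    return {"dns": dns, "http": http, "clients": sorted(clients)}


if __name__ == "__main__":
    result = extract_indicators(SAMPLE_LOG)
    for (qtype, name), count in result["dns"].items():
        print(f"DNS  {qtype:<5} {name}  x{count}")
    for method, url, body in result["http"]:
        print(f"HTTP {method:<5} {url}  postdata={body!r}")
    print("clients:", ", ".join(result["clients"]))
```

Only the "stat" lines are used for indicators because INetSim writes one per completed request and they already carry the parsed fields; the "recv"/"send" lines are kept only for the client address. URLs containing spaces would break the whitespace split on the stat line and would need a stricter parser.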
[malware] Malware-Analyzer.com
Malware-Analyzer.com is your solution to malware analysis tools, resources, and discounted malware reverse engineer training. Malware-Analyzer.com has a variety of tools from automated analysis to memory forensics. If you have a malware analysis tool, disassembler, debugger, or web site you would like featured, please let me know on my contact page!
Malware-Analyzer - Malware Analysis Tools and Resources