Over the past couple of days my advisor has asked me to use the Cuckoo sandbox to analyse malware, mainly to collect system calls. While installing it I found that Cuckoo's support for Linux guests is really poor, and it is hard to find related tutorials online, so I am writing down my own installation steps here as a record; if they help someone else, even better.
I chose Ubuntu 18.04 for the guest; the image is ubuntu-18.04.4-desktop-amd64.iso.
I won't go into detail on how to install it inside VirtualBox, but two things need attention.
$ sudo passwd
Otherwise later steps may fail. The specific steps are as follows:
# Network helper packages (tunctl from uml-utilities, brctl from bridge-utils)
$ sudo apt install uml-utilities bridge-utils
# Root's crontab is where the Cuckoo agent is normally started from an @reboot entry
$ sudo crontab -e
# The Cuckoo agent runs on Python 2.7, so install it together with pip
$ sudo apt-get update
$ sudo apt-get install python2.7
$ sudo apt update
$ sudo apt install python-pip
$ pip install --upgrade pip
# net-tools provides ifconfig and friends
$ sudo apt install net-tools
# SystemTap plus the headers of the running kernel, needed to build the syscall-tracing module
$ sudo apt-get install systemtap gcc patch linux-headers-$(uname -r)
# Add Ubuntu's debug-symbol (ddebs) repository and install the dbgsym package for the running kernel; SystemTap needs these symbols
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C8CAB6595FDFF622
$ codename=$(lsb_release -cs)
$ sudo tee /etc/apt/sources.list.d/ddebs.list << EOF
deb http://ddebs.ubuntu.com/ ${codename} main restricted universe multiverse
#deb http://ddebs.ubuntu.com/ ${codename}-security main restricted universe multiverse
deb http://ddebs.ubuntu.com/ ${codename}-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com/ ${codename}-proposed main restricted universe multiverse
EOF
$ sudo apt-get update
$ sudo apt-get install linux-image-$(uname -r)-dbgsym
# Apply Cuckoo's two tapset patches (expanded execve envp, escaped delimiters) so the trace output parses cleanly
$ wget https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/stuff/systemtap/expand_execve_envp.patch
$ wget https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/stuff/systemtap/escape_delimiters.patch
$ sudo patch /usr/share/systemtap/tapset/linux/sysc_execve.stp < expand_execve_envp.patch
$ sudo patch /usr/share/systemtap/tapset/uconversions.stp < escape_delimiters.patch
# Build Cuckoo's strace.stp into a kernel module for this exact kernel, then test-load it
$ wget https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/stuff/systemtap/strace.stp
$ sudo stap -p4 -r $(uname -r) strace.stp -m stap_ -v
$ sudo staprun -v ./stap_.ko
# The Linux analyzer loads the module from /root/.cuckoo
$ sudo mkdir /root/.cuckoo
$ sudo mv stap_.ko /root/.cuckoo/
# Disable the firewall so the agent is reachable, and NTP so the guest clock is not readjusted during analysis
$ sudo ufw disable
$ sudo timedatectl set-ntp off
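As an added check that is not part of the original post or of Cuckoo's own tooling, the script below verifies the state those steps should leave the guest in: the SystemTap module was built for the running kernel, the kernel debug symbols are present, ufw is off and NTP sync is off. It assumes the module path /root/.cuckoo/stap_.ko from the steps above.

```sh
#!/bin/sh
# Post-setup check for a Cuckoo Linux guest prepared with the steps above.
# Added example, not part of the original post or of Cuckoo itself.
# Assumes the module path from the steps; adjust if you placed it elsewhere.
MODULE=/root/.cuckoo/stap_.ko

# vermagic_ok VERMAGIC KERNEL_RELEASE: a SystemTap module only loads on the
# exact kernel it was built for, so the first vermagic field must equal
# `uname -r`. A guest kernel upgrade after the build silently breaks this.
vermagic_ok() {
  [ -n "$1" ] && [ "${1%% *}" = "$2" ]
}

# pkg_installed STATUS: STATUS is the '${Status}' field from dpkg-query.
pkg_installed() {
  [ "$1" = "install ok installed" ]
}

# ufw_inactive OUTPUT: OUTPUT is what `ufw status` printed.
ufw_inactive() {
  printf '%s\n' "$1" | grep -q '^Status: inactive$'
}

# ntp_off OUTPUT: OUTPUT is what `timedatectl` printed; the label differs
# between systemd releases (Ubuntu 18.04 shows the timesyncd line).
ntp_off() {
  printf '%s\n' "$1" |
    grep -Eq '^ *(NTP service: inactive|systemd-timesyncd.service active: no)$'
}

# Run every check against the live guest and print PASS/FAIL per item.
check_guest() {
  rc=0
  krel=$(uname -r)
  report() { if [ "$2" -eq 0 ]; then echo "PASS $1"; else echo "FAIL $1"; rc=1; fi; }
  vermagic_ok "$(modinfo -F vermagic "$MODULE" 2>/dev/null)" "$krel"
  report "stap_.ko built for running kernel $krel" $?
  pkg_installed "$(dpkg-query -W -f='${Status}' "linux-image-$krel-dbgsym" 2>/dev/null)"
  report "kernel dbgsym package installed" $?
  ufw_inactive "$(ufw status 2>/dev/null)"
  report "ufw disabled" $?
  ntp_off "$(timedatectl 2>/dev/null)"
  report "NTP clock sync off" $?
  return $rc
}

# Usage on the guest: sudo sh check_guest.sh --run
if [ "${1:-}" = "--run" ]; then check_guest; fi
```

Run it on the guest after the last step; any FAIL line points at the step to redo (a vermagic mismatch means the module must be rebuilt with the stap command above after a kernel change).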