cert-ee / cuckoo3

Cuckoo3 is a Python 3 open source automated malware analysis system.
https://cuckoo-hatch.cert.ee
European Union Public License 1.2

Check SHA1 hash of windows 10 iso before redownloading #171

Open Heasleys opened 1 week ago

Heasleys commented 1 week ago

Feature

_Is your feature request related to a problem? Please describe._

When running the quickstart bash file, I encountered an issue where the quickstart failed after downloading the iso file. There was an issue with virtualization, so the bash file failed. When re-running the quickstart file, when it got to the section where it downloads the win10 iso, it started downloading the iso again and overwrote the previously downloaded iso. My download speed is quite slow at times, so downloading the iso takes nearly an hour.

Proposed solution

_Describe the solution you'd like._

My proposed solution is to check the sha1 hash of the previously downloaded iso against the known sha1 provided in the forked cert-ee/vmcloak (ce8005a659e8df7fe9b080352cb1c313c3e9adce).

_Describe alternatives you've considered._

There may be a time when other ISOs are available to download for Cuckoo3. I have modified the quickstart for my use case to have the hardcoded sha1 hash, but a more modular solution may be needed later.

Additional context

_Additional context_

These are the lines of code I have added for the quickstart file I modified.

Line 14: Add variable for win10 sha1 hash.

    win10_sha1="ce8005a659e8df7fe9b080352cb1c313c3e9adce"

Lines 357 - 368: Check if the win10x64.iso file exists. If it does not exist, download the image. If it does exist, check the calculated hash against known hash. If they match, skip download. If they do not match, download and overwrite the image.

    if [ ! -f "/home/$username/win10x64.iso" ]; then
        run_as_cuckoo "$username" "$(download_images_for "$username")"
    else
        echo "/home/$username/win10x64.iso file exists. Checking sha1 hash..."
        if [[ $(sha1sum "/home/$username/win10x64.iso" | awk '{print $1}') == "$win10_sha1" ]]; then
            echo "hash matches, skipping download"
        else
            echo "hash does not match, downloading iso"
            run_as_cuckoo "$username" "$(download_images_for "$username")"
        fi
    fi

cert-ee-raidar commented 6 days ago

@Heasleys,

Thank you for the proposal.

This issue will be resolved once we begin using Ansible instead of raw bash.

We hope to complete this in November.

In the meantime, you can use VMCloak to download ISO files outside of the quickstart script.

Check out Downloading an Image from our documentation.

cert-ee-raidar commented 6 days ago

But I will add it to VMCloak as an improvement.
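
The check proposed in this issue, generalized so the expected hash is a parameter and the file is also verified after download before it replaces anything. This is an added example, not code from the quickstart script, VMCloak, or anyone in this thread. `sha1_of`, `iso_is_valid`, `ensure_iso` and the fetch callback are hypothetical names; the callback stands in for the quickstart's download step.

```sh
#!/bin/sh
# Added example; all function names here are hypothetical.

# Print the SHA-1 hex digest of a file.
sha1_of() {
    sha1sum "$1" | awk '{print $1}'
}

# Succeed only if the file exists and its SHA-1 equals the expected value.
iso_is_valid() {
    [ -f "$1" ] && [ "$(sha1_of "$1")" = "$2" ]
}

# ensure_iso FILE EXPECTED_SHA1 FETCH
# FETCH is a command or function called with one argument, the path to write;
# it stands in for the quickstart's download step.
# Prints "cached", "downloaded" or "failed"; returns non-zero on "failed".
ensure_iso() {
    iso=$1
    expected=$2
    fetch=$3

    # A complete, matching file from an earlier run is reused as-is.
    if iso_is_valid "$iso" "$expected"; then
        echo "cached"
        return 0
    fi

    # Download beside the target so a failed or partial transfer never
    # replaces an existing file, and verify before moving into place.
    tmp="$iso.part"
    rm -f "$tmp"
    if "$fetch" "$tmp" && iso_is_valid "$tmp" "$expected"; then
        mv -f "$tmp" "$iso"
        echo "downloaded"
        return 0
    fi
    rm -f "$tmp"
    echo "failed"
    return 1
}

# Usage with the values from the issue (fetch_win10 is a hypothetical wrapper):
#   ensure_iso "/home/$username/win10x64.iso" "$win10_sha1" fetch_win10
```

Because the hash is an argument, further images only need their own file name and known hash, which is the more modular form the issue mentions.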