cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Cuckoo Sandbox produces some warnings, and the analysis process finishes very quickly #2569

Open xjk-007 opened 5 years ago

xjk-007 commented 5 years ago
My issue is:

I'm using an Ubuntu 18.04.1_server_x64 Linux guest to analyse some ELF executable files, but got some warnings. Besides, the analysis process of one file is very quick, and it produces few results. I want to know whether the problem is caused by these warnings. How should I solve this problem?

My environment is:

Cuckoo Sandbox 2.0.6 on a CentOS 7.2 x64 host
Ubuntu 18.04.1_server_x64 Linux guest

$ stap -V
Systemtap translator/driver (version 4.0/0.170, non-git sources)
...
tested kernel versions: 2.6.18 ... 4.19-rc7
enabled features: BPF NLS

Note: I've prepared the Linux guest according to http://docs.cuckoosandbox.org/en/latest/installation/guest/linux/, except that systemtap was installed by compiling it, because apt install could not find the package "systemtap". I've also used the stap command to successfully print "hello" by executing sudo stap -ve 'probe begin { log("hello") exit() }'

The two warnings in the Analyzer Log:

13:45:40,002 [root] DEBUG: Starting analyzer from: /tmpUv7P_M
13:45:40,017 [root] DEBUG: Storing results at: /tmp/gCXPYqu
13:45:40,122 [root] WARNING: Cannot execute auxiliary module STAP: [Errno 2] No such file or directory
13:45:40,122 [root] DEBUG: Started auxiliary module STAP
13:45:40,124 [root] INFO: Added new process to list with pid: 2345
13:45:41,134 [root] INFO: Process with pid 2345 has terminated
13:45:41,134 [root] INFO: Process list is empty, terminating analysis.
13:45:42,144 [modules.auxiliary.stap] WARNING: Exception killing stap: 'NoneType' object has no attribute 'poll'
13:45:42,145 [root] INFO: Analysis completed.

The one warning in the Cuckoo Log:

13:45:41,055 [cuckoo.core.scheduler] INFO: Task #1: acquired machine cuckoo2 (label=cuckoo2)
13:45:41,067 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 80614 (interface=vboxnet0, host=192.168.56.102)
13:45:41,068 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
13:45:41,093 [cuckoo.machinery.virtualbox] DEBUG: Starting vm cuckoo2
13:45:41,384 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine cuckoo2 to its current snapshot
13:45:45,261 [cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo2, ip=192.168.56.102)
13:45:46,268 [cuckoo.core.guest] DEBUG: cuckoo2: not ready yet
13:45:47,275 [cuckoo.core.guest] DEBUG: cuckoo2: not ready yet
13:45:48,284 [cuckoo.core.guest] DEBUG: cuckoo2: not ready yet
13:45:49,296 [cuckoo.core.guest] DEBUG: cuckoo2: not ready yet
13:45:49,339 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=cuckoo2, ip=192.168.56.102)
13:45:49,371 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo2, ip=192.168.56.102, monitor=latest, size=30538)
13:45:49,432 [cuckoo.core.guest] DEBUG: cuckoo2: analysis still processing
13:45:49,619 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
13:45:50,450 [cuckoo.core.guest] DEBUG: cuckoo2: analysis still processing
13:45:51,460 [cuckoo.core.guest] DEBUG: cuckoo2: analysis still processing
13:45:52,467 [cuckoo.core.guest] INFO: cuckoo2: analysis completed successfully
13:45:52,644 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
13:45:52,646 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm cuckoo2
13:45:54,058 [cuckoo.core.scheduler] DEBUG: Released database task #1
13:45:54,123 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for task #1
13:45:54,124 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
13:45:54,125 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #1
13:45:54,126 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #1
13:45:54,126 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for task #1
13:45:54,128 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #1
13:45:54,129 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for task #1
13:45:54,130 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #1
13:45:54,131 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" for task #1
13:45:54,216 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" for task #1
13:45:54,224 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #1
13:45:54,232 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task #1
13:45:54,236 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #1
13:45:54,236 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #1
13:45:54,237 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #1
13:45:54,240 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #1
13:45:54,243 [cuckoo.core.plugins] DEBUG: Running 29 signatures
13:45:54,270 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"

xjk-007 commented 5 years ago

I've solved these three warnings. I replaced the Ubuntu 18.04.1_server_x64 Linux guest with Ubuntu 18.04_server_x64, and installed systemtap using apt install. All installation went well, and systemtap's version is 3.1. But two new warnings appear in the "Analyzer Log". Now the "Behavioral Analysis" can show the process tree. I want to know why "Process Memory" shows no result. Is the problem caused by these two warnings? How should I solve this problem?

The Analyzer Log is:

09:58:50,017 [root] DEBUG: Starting analyzer from: /tmp0BFTzK
09:58:50,018 [root] DEBUG: Storing results at: /tmp/NKIEzpy
09:58:53,782 [modules.auxiliary.stap] INFO: STAP aux module startup took 3.62 seconds
09:58:53,782 [root] DEBUG: Started auxiliary module STAP
09:58:53,784 [root] INFO: Added new process to list with pid: 1237
10:00:53,020 [root] INFO: Analysis timeout hit, terminating analysis.
10:00:53,020 [root] WARNING: The package "modules.packages.generic" finish function raised an exception: Process instance has no attribute 'dump_memory'
10:00:53,021 [modules.auxiliary.stap] DEBUG: stap subprocess retval 1
10:00:53,022 [modules.auxiliary.stap] WARNING: Exception killing stap: [Errno 3] No such process
10:00:53,135 [root] INFO: Analysis completed.
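The two analyzer logs in this issue show the pattern an analyst wants to catch automatically: a run where the STAP auxiliary module never started (so the sample ran for about two seconds with no syscall trace and the host later reported no behavior logs), versus a run where STAP started, the sample ran until the timeout, and only the Linux `dump_memory` warning remained. The following Python script is an added example, not code from the Cuckoo project or from either commenter. It parses analyzer.log lines in the format quoted above, measures how long the in-guest analysis actually lasted, and flags the indicator strings that appear in this issue (an assumption: other Cuckoo versions may word these messages differently). The two embedded log samples are copied from the comments above.

```python
import re
from datetime import datetime, timedelta

# Sample inputs: the two analyzer.log excerpts quoted in this issue.
ANALYZER_LOG_FIRST = """\
13:45:40,002 [root] DEBUG: Starting analyzer from: /tmpUv7P_M
13:45:40,017 [root] DEBUG: Storing results at: /tmp/gCXPYqu
13:45:40,122 [root] WARNING: Cannot execute auxiliary module STAP: [Errno 2] No such file or directory
13:45:40,122 [root] DEBUG: Started auxiliary module STAP
13:45:40,124 [root] INFO: Added new process to list with pid: 2345
13:45:41,134 [root] INFO: Process with pid 2345 has terminated
13:45:41,134 [root] INFO: Process list is empty, terminating analysis.
13:45:42,144 [modules.auxiliary.stap] WARNING: Exception killing stap: 'NoneType' object has no attribute 'poll'
13:45:42,145 [root] INFO: Analysis completed.
"""

ANALYZER_LOG_SECOND = """\
09:58:50,017 [root] DEBUG: Starting analyzer from: /tmp0BFTzK
09:58:50,018 [root] DEBUG: Storing results at: /tmp/NKIEzpy
09:58:53,782 [modules.auxiliary.stap] INFO: STAP aux module startup took 3.62 seconds
09:58:53,782 [root] DEBUG: Started auxiliary module STAP
09:58:53,784 [root] INFO: Added new process to list with pid: 1237
10:00:53,020 [root] INFO: Analysis timeout hit, terminating analysis.
10:00:53,020 [root] WARNING: The package "modules.packages.generic" finish function raised an exception: Process instance has no attribute 'dump_memory'
10:00:53,021 [modules.auxiliary.stap] DEBUG: stap subprocess retval 1
10:00:53,022 [modules.auxiliary.stap] WARNING: Exception killing stap: [Errno 3] No such process
10:00:53,135 [root] INFO: Analysis completed.
"""

# "HH:MM:SS,mmm [logger] LEVEL: message" as seen in the quoted logs (assumed format).
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}),(\d{3}) \[([^\]]+)\] (\w+): (.*)$")


def parse_log(text):
    """Turn analyzer.log text into a list of dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        hms, ms, logger, level, msg = m.groups()
        ts = datetime.strptime(hms, "%H:%M:%S") + timedelta(milliseconds=int(ms))
        entries.append({"ts": ts, "logger": logger, "level": level, "msg": msg})
    return entries


def _first_ts(entries, prefix):
    return next((e["ts"] for e in entries if e["msg"].startswith(prefix)), None)


def triage(text, min_seconds=10.0):
    """Summarise one analyzer.log: run duration, whether STAP traced anything,
    and which failure indicators from this issue were present."""
    entries = parse_log(text)
    msgs = [e["msg"] for e in entries]
    findings = []

    start = _first_ts(entries, "Starting analyzer")
    end = _first_ts(entries, "Analysis completed")
    duration = round((end - start).total_seconds(), 3) if start and end else None

    stap_failed = any("Cannot execute auxiliary module STAP" in m for m in msgs)
    stap_started = any(m.startswith("STAP aux module startup took") for m in msgs)
    if stap_failed:
        findings.append("stap_not_found")  # no stap binary on the guest, so no syscall trace
    if any("Analysis timeout hit" in m for m in msgs):
        findings.append("timeout")  # sample ran for the whole window (normal for long-lived samples)
    if any("Process list is empty" in m for m in msgs) and duration is not None and duration < min_seconds:
        findings.append("early_exit")  # sample exited almost immediately: little behaviour to report
    if any("'dump_memory'" in m for m in msgs):
        findings.append("memory_dump_unsupported")  # the log says the Process class lacks dump_memory

    stap_retval = None
    for m in msgs:
        hit = re.search(r"stap subprocess retval (\d+)", m)
        if hit:
            stap_retval = int(hit.group(1))

    return {
        "duration_s": duration,
        "stap_ok": stap_started and not stap_failed,
        "stap_retval": stap_retval,
        "warning_count": sum(e["level"] == "WARNING" for e in entries),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, log in (("first run", ANALYZER_LOG_FIRST), ("second run", ANALYZER_LOG_SECOND)):
        print(name, triage(log))
```

Run against the first log the script reports a 2.143 s run, `stap_ok` false and the findings `stap_not_found` and `early_exit`, which together explain the empty behaviour results in the host log; against the second it reports a 123 s run that hit the timeout with STAP running, leaving only `memory_dump_unsupported` to account for the empty "Process Memory" tab. Pointing it at `storage/analyses/<task>/analysis.log` for a batch of tasks gives a quick way to separate guests that were never instrumented from samples that simply did nothing.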

vinceplayer commented 4 years ago

Have you resolved the problem?