Open mr-gosh opened 8 years ago
Ah interesting. This bug is unrelated to #696 for the reasons outlined by my last comment on that issue :-) The issue here seems to be that we've recently been working on a new, improved, Cuckoo Agent, and while the Agent included with the Android analyzer is based on the old Agent, the detection for this Agent doesn't seem to work.. if you can follow that train of thought. (So Windows analysis supports old & new Agent, Android analysis supports old, but for some reason the old Agent is not detected properly for the Android analyzer).
Could you start the Android emulator, make sure it runs the Agent, and then curl guest_ip:8000 (so probably under Android that should be curl 10.0.2.2:8000). Please let me know the content and http code that returns :-)
OK - we poked around a bit:
Tested with agent.sh file from cuckoo-droid agent.py file from idanr1986/cuckoo-droid and cuckoobox/cuckoo
activated the VM by hand (so it doesn't shut down with the above mentioned error) and did an
adb shell /data/local/agent.sh
then we mapped VM port 8000 to Host port 5001 and curled a bit:
$ curl localhost:5001
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 501.
<p>Message: Unsupported method ('GET').
<p>Error code explanation: 501 = Server does not support this operation.
</body>
We now tried agent.py from jbremer/agent.
That looks better from curl response, but error message from cuckoo tests stays the same.
$ curl localhost:5001
{"message": "Cuckoo Agent!", "version": "0.1"}
shell with agent.py
10.0.2.2 - - [09/Dec/2015 13:32:00] "GET / HTTP/1.1" 200 -
Not so fast, I didn't say that the Android Analyzer supports the new Agent ;-)
In fact, the curl localhost:5001 is correct - XMLRPC is expected to return 501 when requesting /.
That's also what the Cuckoo magic is based on to decide whether to take the old or the new Agent, see also https://github.com/cuckoobox/cuckoo/blob/master/lib/cuckoo/core/guest.py#L379-L380.
Having said that it seems weird to me that you were getting the new Agent selection in the first place - did you correctly setup all the IP addresses as advertised in the documentation?
Quick question, does your host have the http_proxy set?
As for my issue, thank you jbremer btw, #696 I removed the environment http_proxy and lo and behold it started working.
I should note that I am currently waiting for a dedicated "dirty line". While I am waiting for that to be installed I am using my lab network which obviously goes through a proxy. Just trying to get this up, documented and play with it.
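The check discussed in the comments above, as an added example (not part of the thread and not Cuckoo's own code): it classifies an agent from its GET / response using the 501 and JSON replies quoted here, and ignores any http_proxy set on the host. The function names and the two stub servers are constructed for illustration.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def classify_agent(status, body):
    """Map a GET / response to the agent generation described in the thread."""
    if status == 501:
        return "old"  # XML-RPC agent: GET is an unsupported method
    if status == 200:
        try:
            if json.loads(body).get("message") == "Cuckoo Agent!":
                return "new"
        except (ValueError, AttributeError):
            pass  # not JSON, or JSON that is not an object
    return "unknown"

def probe_agent(host, port, timeout=5):
    """GET / on the agent, bypassing http_proxy/https_proxy from the environment."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(f"http://{host}:{port}/", timeout=timeout) as resp:
            return classify_agent(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # non-2xx replies still carry a status
        return classify_agent(err.code, err.read().decode("utf-8", "replace"))
    except OSError:  # covers URLError, refused connections and timeouts
        return "unreachable"

class OldAgentStub(BaseHTTPRequestHandler):
    """Constructed stand-in: no do_GET, so GET / yields 501 like the XML-RPC agent."""
    def log_message(self, *args):
        pass

class NewAgentStub(OldAgentStub):
    """Constructed stand-in replying with the JSON banner quoted in the thread."""
    def do_GET(self):
        body = b'{"message": "Cuckoo Agent!", "version": "0.1"}'
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start_stub(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for name, handler in (("old", OldAgentStub), ("new", NewAgentStub)):
        print(name, "stub ->", probe_agent("127.0.0.1", start_stub(handler).server_port))
```

Against a real guest, call probe_agent with the forwarded address (for the setup in this thread, localhost and port 5001).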
Ok, I did not expect 501 to be correct ;) IP settings are as in documentation.
cuckoo.conf
ip = 127.0.0.1
avd.conf
emulator_port = 5554
resultserver_ip = 10.0.2.2
resultserver_port = 2042
No proxy or http_proxy present. Host IP address is 192.168.1.x. If I need to connect directly to a service on the Android VM I can use adb forward or telnet to the emulator and redir. Maybe we should start with an older version first and not with the latest repo?
You could try an older version, i.e., our 1.2 release on top of which you can directly apply the patches from Cuckoo Droid as described in their repository. If that works then something is going wrong with the latest updates regarding the old/new Agent.
Otherwise there's some more debugging to do on your side, I suppose.
https://github.com/idanr1986/cuckoo-droid#cuckoodroid---automated-android-malware-analysis
We got 1.2 running and analysis working. Don't know yet why the new version is not working. Trying to find out what happens or not, but maybe wait for changes with the new Agent. And I am not familiar with Python, unfortunately.
@jbremer Any updates on this?
No, will have to check back later.
hey @jbremer - we really wanna implement this into our pipeline - is there anything going to happen? Or do you have another idea?
@mr-gosh, I think some of the recent changes fixed this issue. I was able to set up Android analysis. There are still some missing features (e.g. on the web UI), but it definitely should work now. See https://github.com/cuckoosandbox/cuckoo/issues/926 for details.
@benjo9 did you re-check this in our setup?
I get $ curl localhost:5001 {"message": "Cuckoo Agent!", "version": "0.1"} as well but the analysis does not complete for me. I see the "analysis still running" prompt and then a timeout. I feel the analyzer part is not working for me as clearly the cuckoo agent is running fine.
Any pointers?
@jbremer @botherder
Hey, our Setup based on the git Repo starts the AVD. We used the CuckooDroid-Docs for Preparing the Guest (Android Emulator). But the VM shuts down after a few seconds with the following output. What could cause this?
Thanks for the Hints and this is possibly a duplicate of #696