hatching / vmcloak

Automated Virtual Machine Generation and Cloaking for Cuckoo Sandbox.

vmcloak init --win7x64 seven0 (Stalls) #84

Closed freeload101 closed 8 years ago

freeload101 commented 8 years ago

I am hoping to add some of my own VM 'tricks' to the mix ( macros,yara etc .. ) trying to build out as close I can Open Source Malware Lab - Robert Simmons did ...

root@rmccurdyVM:/media/sf_delete/VM# vmcloak init --win7x64 seven04 -d -v
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'createvm', '--register', '--name', 'seven4', '--basefolder', '/home/operat0r/.vmcloak/vms']
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'modifyvm', u'seven4', '--ostype', 'Windows7_64']
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'modifyvm', u'seven4', '--ioapic', 'on', '--cpus', '1']
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'modifyvm', u'seven4', '--mouse', 'usbtablet']
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'modifyvm', u'seven4', '--memory', '2048']
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'modifyvm', u'seven4', '--vram', '16']
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'createhd', '--size', '262144', '--filename', '/home/operat0r/.vmcloak/image/seven4.vdi']
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'storagectl', u'seven4', '--add', 'ide', '--name', 'IDE']
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'storageattach', u'seven4', '--storagectl', 'IDE', '--device', '0', '--type', 'hdd', '--medium', '/home/operat0r/.vmcloak/image/seven4.vdi', '--port', '0']
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'storageattach', u'seven4', '--storagectl', 'IDE', '--device', '0', '--type', 'dvddrive', '--medium', '/home/operat0r/.vmcloak/iso/seven4.iso', '--port', '1']
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'list', 'hostonlyifs']
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'modifyvm', u'seven4', '--nictype1', '82540EM', '--cableconnected1', 'on', '--nicpromisc1', 'allow-all', '--hostonlyadapter1', 'vboxnet0', '--nic1', 'hostonly']
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'modifyvm', u'seven4', '--macaddress1', 'c0e52aaa0c80']
INFO:vmcloak:Starting the Virtual Machine u'seven4' to install Windows.
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'startvm', u'seven4', '--type', 'headless']
DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'showvminfo', u'seven4', '--machinereadable']

... HOURS LATER ... I ^C it ..

DEBUG:vmcloak.vm:Running command: ['/usr/bin/VBoxManage', 'showvminfo', u'seven4', '--machinereadable'] ^C Aborted!

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"

CHANGELOG.txt:0.4.1, August 27th 2016

Python 2.7.12

ps auxwww|egrep -ia "(python|vb)"
root 1193 0.0 0.0 0 0 ? S< 19:41 0:00 [iprt-VBoxWQueue]
root 1212 0.0 0.0 256720 2996 ? Sl 19:41 0:02 /usr/sbin/VBoxService
root 1509 0.0 0.0 0 0 ? S< 19:41 0:00 [iprt-VBoxWQueue]
root 1510 0.0 0.0 0 0 ? S 19:41 0:00 [iprt-VBoxTscThr]
operat0r 2434 0.0 0.0 49464 316 ? S 19:41 0:00 /usr/bin/VBoxClient --clipboard
operat0r 2435 0.0 0.0 117848 4276 ? Sl 19:41 0:00 /usr/bin/VBoxClient --clipboard
operat0r 2444 0.0 0.0 49464 316 ? S 19:41 0:00 /usr/bin/VBoxClient --display
operat0r 2445 0.0 0.0 49600 3548 ? S 19:41 0:00 /usr/bin/VBoxClient --display
operat0r 2456 0.0 0.0 49464 312 ? S 19:41 0:00 /usr/bin/VBoxClient --seamless
operat0r 2457 0.0 0.0 115648 2120 ? Sl 19:41 0:00 /usr/bin/VBoxClient --seamless
operat0r 2461 0.0 0.0 49464 312 ? S 19:41 0:00 /usr/bin/VBoxClient --draganddrop
operat0r 2462 0.1 0.0 116164 2000 ? Sl 19:41 0:19 /usr/bin/VBoxClient --draganddrop
root 3204 0.5 0.1 247748 14028 ? S 19:44 0:49 /usr/lib/virtualbox/VBoxXPCOMIPCD
root 3210 1.2 0.2 675776 21384 ? Sl 19:44 1:59 /usr/lib/virtualbox/VBoxSVC --auto-shutdown
root 3427 1.5 6.6 1351712 588164 ? Sl 19:44 2:33 /usr/lib/virtualbox/VBoxHeadless --comment seven4 --startvm d52c87f1-5fae-4bf1-b512-49fe5b849767 --vrde config
root 3440 0.0 0.1 241904 14576 ? S 19:44 0:00 /usr/lib/virtualbox/VBoxNetDHCP --ip-address 192.168.56.100 --lower-ip 192.168.56.101 --mac-address 08:00:27:60:59:26 --netmask 255.255.255.0 --network HostInterfaceNetworking-vboxnet0 --trunk-name vboxnet0 --trunk-type netflt --upper-ip 192.168.56.254
root 10465 0.0 0.0 14224 1020 pts/1 S+ 22:27 0:00 grep -E --color=auto -ia (python|vb)
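An added example, not vmcloak's own code, of the check the poll loop in the log above lacks: it parses the `VBoxManage showvminfo --machinereadable` output that vmcloak keeps requesting and returns a stall verdict once a deadline passes instead of polling for hours. It assumes the loop is waiting for the guest to power off at the end of the unattended install; the sample output and the `wait_for_poweroff` helper are constructed for this example.

```python
"""Detect a stalled showvminfo poll loop (added example, not vmcloak code)."""
import re
import subprocess
import time

# Constructed sample of `showvminfo --machinereadable` output; a real VM
# prints many more keys, but VMState is the one the wait loop cares about.
SAMPLE_SHOWVMINFO = '''name="seven4"
UUID="d52c87f1-5fae-4bf1-b512-49fe5b849767"
ostype="Windows7_64"
memory=2048
VMState="running"
VMStateChangeTime="2016-10-06T19:44:10.000000000"
'''

_KV = re.compile(r'^([^=]+)=(.*)$')


def parse_machinereadable(text):
    """Turn key=value lines into a dict; quoted values are unquoted,
    bare numbers are kept as strings (VBoxManage prints them unquoted)."""
    info = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        info[key] = value
    return info


def showvminfo(name, vboxmanage="/usr/bin/VBoxManage"):
    """Run the same command the vmcloak log shows and return its stdout."""
    return subprocess.check_output(
        [vboxmanage, "showvminfo", name, "--machinereadable"],
        universal_newlines=True)


def wait_for_poweroff(poll, timeout, interval=1.0,
                      clock=time.monotonic, sleep=time.sleep):
    """Poll until VMState is "poweroff" or `timeout` seconds elapse.
    poll() returns showvminfo text. Returns (last_state, stalled):
    stalled is True when the deadline passed, so the caller can abort
    and inspect the VM (e.g. a setup dialog the unattended install did
    not answer) rather than waiting forever as in the issue above."""
    deadline = clock() + timeout
    while True:
        state = parse_machinereadable(poll()).get("VMState")
        if state == "poweroff":
            return state, False
        if clock() >= deadline:
            return state, True
        sleep(interval)
```

On a real host, `wait_for_poweroff(lambda: showvminfo("seven4"), timeout=3600)` returns `("running", True)` if the install has not finished within the hour.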

razuz commented 8 years ago

VirtualBox version? And I don't see that you have added the win7 mount dir ... ref http://jbremer.org/vmcloak3/

freeload101 commented 8 years ago

/media/sf_delete/VM/Win7 Ultimate Sp1 En-Us July 2015_ x64.iso on /mnt/win7 type udf (ro,relatime,utf8)

Oracle VM VirtualBox Headless Interface 5.1.6 (C) 2008-2016 Oracle Corporation All rights reserved.

5.1.6r110634

~/.vmcloak/

4.1M ./image
16M ./deps
6.3G ./iso
64K ./vms/seven4/Logs
76K ./vms/seven4
64K ./vms/seven1/Logs
76K ./vms/seven1
156K ./vms
6.4G .

razuz commented 8 years ago

hmm .... I have some doubts, but it might also be a win7 Ultimate issue ... can you swap the ISO for win7 Pro and see if the problem still exists?

freeload101 commented 8 years ago

Thanks! Fast! I guess it's my ISOs from the 'internet'. Maybe have -d not run in headless mode so you can see what's going on. I'll hack up the code / try some other ISOs.

boo ... I was thinking it would help with my wife's VM too and unblocking the stupid coupons.com site

razuz commented 8 years ago

As you have VirtualBox on the same host, you can always click on the VM name and then Start will convert to Show ... but I guess the error where you get stuck should be the fact that Ultimate cannot do autoattend well due to mismatching keys - that should be that error ... AFAIK there's nothing much we can do about it besides using win7 Pro :/

The --serial-key flag can help out, but it needs some testing.

freeload101 commented 8 years ago

Any ideas on what I can change to fake out coupons.com? I made the serial numbers match up too in the vbox file, not sure if that matters .. I also removed all the networking devices thinking maybe that was it .. nope

jbremer commented 8 years ago

Seriously, what's coupons.com? :D If that's the only remaining issue, then I think this issue is out of scope regarding VMCloak. When you install such a VM normally speaking, do you do any special handling?

freeload101 commented 8 years ago

Malware ..... Malwr says the same thing, so I guess I need more fu or to toy a bit with it in IDA and hope for the best. Thanks again

Malwr.com


boula1 commented 7 years ago

Hey, anything new about this MALWR?