Comments (9)
@jbremer I have a question about possible APIs for dtrace invocations from Python. There are two ways:
The first looks like this:

```python
syscalls_made = dtrace_syscalls_analysis(target)
files_open = dtrace_fileIO_analysis(target)
# and so on
```
i.e. we'll launch the target as many times as we have things to analyse.
The second approach is:

```python
results = dtrace_analysis(target)
syscalls_made = results.syscalls()
fileIO = results.fileIO()
# and so on
```
so we'll run analysis (as well as the target) only once and it'll be gathering all the data at once.
I've been working on the first way for the last couple of days, but finally realised that some targets could act differently when running a second/third/etc. time, so it's not correct to run analysis this way. But I may be wrong here; let me know.
The second way is trickier to implement because I'll need one giant dtrace script that'd do all kinds of analysis. Don't like this approach, but it seems the only correct one.
Looking forward to your feedback!
from cuckoo-osx-analyzer.
What we do currently in Cuckoo is that each analysis task starts a Virtual Machine just for that one task. So if I understand your question correctly, then the answer would be to go for the first option.
I somewhat assume this is easier to implement for you as well, so I'd suggest to go that route. If we have time left at the end of the summer we can always experiment some more ;-)
Great! Thank you, I'm going the first way then :)
@rodionovd have you considered fslogger?
@phretor I'm not sure about integrating 3rd-party tracing scripts/tools, but thanks for mentioning it; I'll take a look!
@rodionovd @jbremer I've integrated some of my code and crafted out a sort of analyzer.py in my fork. However, this is my first time creating a custom analyzer for Cuckoo and I'm not really sure what's the common practice:
- do everything, including the parsing of the behavior trace, on the analyzer (i.e., guest)
  - pros: self contained analyzer, no need to modify Cuckoo
  - cons: not very elegant, more time consumed on the guest
- dump a "raw" text representation of the trace on the guest and parse it on the host
  - pros: small analyzer, focus on collecting data and that's it
  - cons: we have to modify Cuckoo
Sending "raw" data to the host does not necessarily mean you have to modify Cuckoo, merely add modules to handle that data ;) So based on that I guess option two is the way to go, @phretor.
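The two design points raised in this thread (one run of the target exposed through several result views, and "dump raw on the guest, parse on the host") can be illustrated with a small host-side parser. The following is an added example, not code from cuckoo-osx-analyzer or from either participant: it assumes a constructed tab-separated dump format (`<pid>\t<probe>\t<name>\t<args>\t<retval>`, negative return value meaning failure) that a guest-side collector might write, parses that text once on the host, and exposes `syscalls()` and `fileio()` views over the same parsed records. In Cuckoo, `analyse()` would be called from a processing module under `<cuckoo root>/modules/processing/`; the sample dump below is constructed, not a real trace.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a raw guest dump. The line format is an assumption made
# for this example only: "<pid>\t<probe>\t<name>\t<args>\t<retval>".
RAW_TRACE = """\
1337\tsyscall\topen\t/etc/passwd,0x0\t3
1337\tsyscall\tread\t3,0x7fff5000,4096\t2048
1337\tsyscall\tclose\t3\t0
1337\tsyscall\topen\t/tmp/dropped.bin,0x601\t4
1337\tsyscall\twrite\t4,0x7fff6000,512\t512
1337\tsyscall\tclose\t4\t0
1337\tsyscall\topen\t/nonexistent,0x0\t-1
1338\tsyscall\tgetpid\t\t1338
malformed line that a robust host-side parser must skip
"""

LINE_RE = re.compile(r"^(\d+)\t(\w+)\t(\w+)\t([^\t]*)\t(-?\d+)$")


def parse_trace(text):
    """Turn the raw dump into a list of records; malformed lines are counted and skipped,
    so a truncated or corrupted guest dump degrades the report instead of aborting it."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        pid, probe, name, args, ret = m.groups()
        records.append({
            "pid": int(pid),
            "probe": probe,
            "name": name,
            "args": args.split(",") if args else [],
            "retval": int(ret),
        })
    return records, skipped


class TraceResults:
    """One parsed run, exposed through several views (the results.syscalls() shape)."""

    def __init__(self, records):
        self.records = records

    def syscalls(self):
        """Count each syscall name across all traced processes."""
        return Counter(r["name"] for r in self.records if r["probe"] == "syscall")

    def fileio(self):
        """Reconstruct per-file activity by following the fds returned by open()."""
        fd_table = {}  # (pid, fd) -> path, so read/write can be attributed to a file
        files = defaultdict(lambda: {"opened": 0, "failed_opens": 0,
                                     "bytes_read": 0, "bytes_written": 0})
        for r in self.records:
            pid, name, ret = r["pid"], r["name"], r["retval"]
            if name == "open":
                path = r["args"][0]
                if ret < 0:
                    files[path]["failed_opens"] += 1  # failed opens are evidence too
                else:
                    files[path]["opened"] += 1
                    fd_table[(pid, ret)] = path
            elif name in ("read", "write") and ret > 0:
                path = fd_table.get((pid, int(r["args"][0])))
                if path is None:
                    continue  # fd opened before tracing started; nothing to attribute
                key = "bytes_read" if name == "read" else "bytes_written"
                files[path][key] += ret
            elif name == "close":
                fd_table.pop((pid, int(r["args"][0])), None)
        return dict(files)


def analyse(raw_text):
    """Parse the dump once and return the multi-view results plus the skipped-line count."""
    records, skipped = parse_trace(raw_text)
    return TraceResults(records), skipped


if __name__ == "__main__":
    results, skipped = analyse(RAW_TRACE)
    print("skipped lines:", skipped)
    print("syscalls:", dict(results.syscalls()))
    print("file I/O:", results.fileio())
```

Because every view is computed from the same parsed records, the target runs exactly once, which sidesteps the "target behaves differently on the second run" concern from the first comment, while the guest-side component stays a dumb collector.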
@jbremer, you mean <cuckoo root>/modules/processing/, right?
Yes!