Comments (8)
I've been using unmodified hackintosh ISOs, which boot and install nicely on both modified KVM/QEMU (http://www.contrib.andrew.cmu.edu/~somlo/OSXKVM/) and unmodified VirtualBox.
The only additions I used were:
analyzer/darwin/bin/fslogger
analyzer/darwin/kext/pt_deny_attach/
tar jxf pt_deny_attach.tbz
sudo mv pt_deny_attach.kext /System/Library/Extensions/pt_deny_attach.kext
cd /System/Library/Extensions/
sudo chmod -R 755 pt_deny_attach.kext
sudo chown -R root:wheel pt_deny_attach.kext
# `sudo echo ... >> /etc/rc.local` would fail: the redirection runs as the unprivileged user, so append via tee
echo "kextload -v 0 /System/Library/Extensions/pt_deny_attach.kext" | sudo tee -a /etc/rc.local
sudo chmod a+x /etc/rc.local
from cuckoo-osx-analyzer.
@phretor yeah, the pt_deny_attach-disabler kext is useful if we need to attach a debugger to a target.
Regarding dtrace: since dtrace requires root privileges to run, we also want to enable the default user to run it (as well as some dtrace wrappers like dtruss or iosnoop) without prompting for a root password. I guess this could be done by editing the local sudoers file (replace username with the actual user name):
--- a/etc/sudoers
+++ b/etc/sudoers
@@ -43,3 +43,5 @@ root ALL=(ALL) ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
+
+ username ALL=(root) NOPASSWD: /usr/sbin/dtrace
+ username ALL=(root) NOPASSWD: /usr/bin/dtruss
+ username ALL=(root) NOPASSWD: /usr/bin/iosnoop
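Review bot: the three NOPASSWD lines let username pass arbitrary arguments to dtrace, dtruss and iosnoop as root, which is root-equivalent (dtrace -c runs any command as root and D scripts can take destructive actions), so add a comment above them stating this is acceptable only in a disposable analysis guest, and apply the change with visudo so a syntax slip cannot lock sudo out entirely. The header `@@ -43,3 +43,5 @@` also does not match the hunk: three context lines plus four added lines is seven, so as written the patch will not apply.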
Good point about /etc/sudoers, @rodionovd.
Regarding pt_deny_attach, AFAIR it is a good idea to have it, to avoid anti-dtrace binaries as well. Moreover, it would be a good way to see if a sample is evading analysis (e.g., run dtrace w/ and w/o the kext and check the differences).
Also, are we assuming that we want to start the sample via dtrace fork? What I see is:
- sudo dtrace [options] /path/to/sample
  - CONS: implies that sample will run with high privileges
  - PROS: we don't miss anything
- sudo /path/to/sample, take PID, attach dtrace to it
- /path/to/sample, take PID, attach dtrace to it
  - CONS: we may miss the first syscalls (taking the PID and attaching dtrace takes some time)
  - PROS: we can compare sudo-launched vs non-sudo-launched sample
Since OS X has sandboxed processes, the sudo vs non-sudo perspective is interesting. However, I expect that most of the samples won't work without sudo. Just brainstorming.
Moreover, it would be a good way to see if a sample is evading analysis (e.g., run dtrace w/ and w/o the kext and check the differences)
Ah, good point!
Also, are we assuming that we want to start the sample via dtrace fork?
Hmm, yeah I see. So when we run $ sudo dtrace -s foo.d ./sample our target is going to be launched as root…
Well, what about a wrapper around dtrace (or some sort of .d script) that would follow children processes of the target? So we can do something like this:
$ sudo dtruss -f sudo -u `whoami` ./sample
(dtruss already has an option for this: -f : follow children as they are forked)
I've just tried this approach and it kinda worked: it yields some garbage output from sudo -u itself. I guess there's a way to mute it, though.
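As an added example (not code from this thread or from cuckoo-osx-analyzer), here is a D script that does what the last two comments sketch: start the sample through dtrace -c so no syscalls are missed, drop back to the unprivileged user with an inner sudo -u, follow every child, and mute the inner sudo's own activity. It assumes the invocation shown in the header comment, so $target is the inner sudo process; the file name trace_sample.d and the user name are hypothetical.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * trace_sample.d (hypothetical name; added example, not part of the project).
 * Run as:
 *   sudo dtrace -s trace_sample.d -c "sudo -u $(whoami) ./sample"
 * $target is then the inner sudo. Only processes that sudo execs (the sample)
 * and their descendants are marked traced[], so sudo's own syscalls never
 * reach the output, which is the "garbage" the comment above refers to.
 */
#pragma D option quiet

/* Any exec below $target into something other than sudo is the sample
 * (or a program the sample later execs); start or keep tracing it. */
proc:::exec-success
/progenyof($target) && execname != "sudo"/
{
    traced[pid] = 1;
    printf("%5d exec    %s\n", pid, execname);
}

/* proc:::create fires in the parent: a child of a traced process is traced
 * from the moment it exists, so its first syscalls are not lost. */
proc:::create
/traced[pid]/
{
    traced[args[0]->pr_pid] = 1;
    printf("%5d fork -> %d\n", pid, args[0]->pr_pid);
}

/* Remember entry time and the first three arguments per thread. */
syscall:::entry
/traced[pid]/
{
    self->start = timestamp;
    self->a0 = arg0;
    self->a1 = arg1;
    self->a2 = arg2;
}

/* On return, arg0 is the return value and errno the thread's errno. */
syscall:::return
/traced[pid] && self->start/
{
    printf("%5d %-20s(%#x, %#x, %#x) = %d errno=%d %dus\n",
        pid, probefunc, self->a0, self->a1, self->a2,
        arg0, errno, (timestamp - self->start) / 1000);
    self->start = 0;
}

/* Forget a pid on exit so a recycled pid is not attributed to the sample. */
proc:::exit
/traced[pid]/
{
    printf("%5d exit\n", pid);
    traced[pid] = 0;
}
```

The outer sudo is covered by the NOPASSWD rule for /usr/sbin/dtrace discussed earlier, and the inner sudo -u runs as root so it never prompts either. Compared with dtruss -f, the predicate on exec-success rather than on pid alone is what drops the inner sudo from the trace. One caveat for newer guests: on OS X 10.11 and later with System Integrity Protection enabled, dtrace cannot instrument restricted (Apple-signed) processes, so an analysis VM needs SIP disabled for this to see everything the sample touches.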
@rodionovd - makes sense.
About using DTruss directly vs. launching DTrace supplying a D script that we ship with the analyzer: the first option is readily available, the second option gives us more customization power in the future. Which one do you think we should follow?
@phretor well, dtruss is actually just a script too, so we can always replace it with our own implementation. Also, it handles lots of edge-cases, so at least we should copy-paste it into our own script in the future :-)
See also my bootstrap_guest.sh and bootstrap_host.sh setup scripts.
So I close this issue now, feel free to re-open it if you still have any questions.