Cuckoo: Can cuckoo support Linux guest well?

Created on 31 Jul 2019  路  5Comments  路  Source: cuckoosandbox/cuckoo

Thanks for creating an issue! But first: did you read our community guidelines?
https://cuckoo.sh/docs/introduction/community.html

My issue is:
  1. I always can't get the behavior analysis result after cuckoo analyzed Linux sample.
  2. It seems to use Windows API to analyze Linux memory dump.

    My Cuckoo version and operating system are:
  3. Cuckoo version: 2.0.7

  4. Host OS: Ubuntu 18.04
  5. Guest OS: Ubuntu 18.04
    This can be reproduced by:
The log, error, files etc can be found at:

  1. #

2019-07-29 11:07:24,765 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.

#

  1. Logs

    #

2019-07-29 10:27:51,506 [cuckoo.core.plugins] ERROR: Failed to run the processing module "Memory" for task #27:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 246, in process
data = current.run()
File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/memory.py", line 1118, in run
return VolatilityManager(self.memory_path, osprofile).run()
File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/memory.py", line 1039, in run
results[plugin_name] = getattr(self.vol, plugin_name)()
File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/memory.py", line 172, in pslist
for process in command.calculate():
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/win32/tasks.py", line 88, in pslist
for p in get_kdbg(addr_space).processes():
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/win32/tasks.py", line 50, in get_kdbg
if obj.VolMagic(addr_space).KPCR.value:
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/obj.py", line 751, in __getattr__
return self.m(attr)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/obj.py", line 733, in m
raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KPCR

#

Most helpful comment

Update issue 1, I can't get the behavior analysis result.
In my testing, I always get the warning message "Netlog client requested banned path: logs/all.stap".
And I found in the resultserver.py

RESULT_UPLOADABLE = ("files", "shots", "buffer",  "extracted", "memory")
RESULT_DIRECTORIES = RESULT_UPLOADABLE + ("reports", "logs")
def netlog_sanitize_fname(path):
    """Validate agent-provided path for result files"""
    path = path.replace("\\", "/")
    dir_part, name = os.path.split(path)
    if dir_part not in RESULT_UPLOADABLE:
        raise CuckooOperationalError("Netlog client requested banned path: %r"
                                     % path)
    if any(c in BANNED_PATH_CHARS for c in name):
        for c in BANNED_PATH_CHARS:
            path = path.replace(c, "X")

    return path

In my result, the "dir_part" is "logs", but it is not in RESULT_UPLOADABLE. If I revise "if dir_part not in RESULT_UPLOADABLE:" to "if dir_part not in RESULT_DIRECTORIES:", everything works well.
Is it correct or I misunderstand something?

All 5 comments

Update issue 1, I can't get the behavior analysis result.
In my testing, I always get the warning message "Netlog client requested banned path: logs/all.stap".
And I found in the resultserver.py

RESULT_UPLOADABLE = ("files", "shots", "buffer",  "extracted", "memory")
RESULT_DIRECTORIES = RESULT_UPLOADABLE + ("reports", "logs")
def netlog_sanitize_fname(path):
    """Validate agent-provided path for result files"""
    path = path.replace("\\", "/")
    dir_part, name = os.path.split(path)
    if dir_part not in RESULT_UPLOADABLE:
        raise CuckooOperationalError("Netlog client requested banned path: %r"
                                     % path)
    if any(c in BANNED_PATH_CHARS for c in name):
        for c in BANNED_PATH_CHARS:
            path = path.replace(c, "X")

    return path

In my result, the "dir_part" is "logs", but it is not in RESULT_UPLOADABLE. If I revise "if dir_part not in RESULT_UPLOADABLE:" to "if dir_part not in RESULT_DIRECTORIES:", everything works well.
Is it correct or I misunderstand something?

Can confirm this fixes it....

Thanks for posting an issue. The netlog warning is a bug. The logs path should be open for uploads from the analyzer. This is on my patch list. I am also working on some other bugs.

Sorry for the inconvenience.

Hi!

I had a similar problem using procmon module (which also does upload_to_host(self.procmon_xml, os.path.join("logs", "procmon.xml"))).

I modified the resultserver.py code as @myhsu says, and it has worked for me :)

Now, I regard that the code is correct! If this directory was uploadable, malware could overwrite other logs... Shouldn't modules write in other directories (like, the uploadable path files)?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ahroobe picture ahroobe  路  5Comments

rayenmessaoudi picture rayenmessaoudi  路  4Comments

adricnet picture adricnet  路  7Comments

kirill039 picture kirill039  路  5Comments

Tigzy picture Tigzy  路  8Comments