cuckoo3 + kvm_win10 sandbox deployment walkthrough

2023-08-30 17:01:45

This post walks through installing Cuckoo3 on an Ubuntu 20.04 host. The author's skills are limited, so if you hit bugs while reproducing this locally, that is entirely normal; thanks for your understanding!

1. Host environment
1.1 System dependencies
$ sudo apt-get install libhyperscan5 libhyperscan-dev                                  # Hyperscan, used by Cuckoo3 for fast pattern matching during processing
$ sudo apt-get install libjpeg8-dev zlib1g-dev p7zip-full rar unace-nonfree cabextract   # image support for screenshots and the unpackers for archived samples
$ sudo apt-get install yara
$ sudo apt-get install tcpdump apparmor-utils
$ sudo aa-disable /usr/sbin/tcpdump                      # the stock AppArmor profile would keep tcpdump from writing PCAPs into the Cuckoo working directory
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump   # lets the unprivileged cuckoo user capture traffic without root
$ getcap /usr/sbin/tcpdump                               # verify; expect cap_net_admin,cap_net_raw=eip (older libcap prints "= cap_net_admin,cap_net_raw+eip")
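The capability and AppArmor changes above are easy to get half-right: getcap's output format changed between libcap versions, a capability that is permitted but not effective does not help tcpdump, and aa-disable only matters if the profile was actually in enforce mode. The script below is an added example, not part of the post or of Cuckoo3; it checks both conditions from the commands' output. The path, the "check" argument and the sample getcap/aa-status lines in the comments are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the post or Cuckoo3): pre-flight check that tcpdump
# on this host is usable by an unprivileged Cuckoo3 result server.
# Handles both getcap output styles:
#   libcap <= 2.40 (Ubuntu 20.04):  /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
#   libcap >= 2.41:                 /usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
set -eu

TCPDUMP="${TCPDUMP:-/usr/sbin/tcpdump}"

# caps_ok LINE: succeed only if LINE (one line of getcap output) names both
# cap_net_raw and cap_net_admin and the flag set after the last '+' or '='
# contains 'e' (effective). Permitted-only capabilities are not enough.
caps_ok() {
    line="$1"
    case "$line" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$line" in *cap_net_admin*) ;; *) return 1 ;; esac
    flags="${line##*[+=]}"
    case "$flags" in *e*) return 0 ;; *) return 1 ;; esac
}

# enforced_by_apparmor PROFILE: read aa-status output on stdin and succeed if
# PROFILE is listed in the "profiles are in enforce mode" section.
enforced_by_apparmor() {
    awk -v p="$1" '
        /profiles are in enforce mode/   { in_enforce = 1; next }
        /profiles are in/ || /processes/ { in_enforce = 0 }
        in_enforce && $1 == p            { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Live check against this host; prints the command that fixes the first problem found.
preflight() {
    [ -x "$TCPDUMP" ] || { echo "missing: $TCPDUMP (apt-get install tcpdump)" >&2; return 1; }
    if ! caps_ok "$(getcap "$TCPDUMP")"; then
        echo "fix: sudo setcap cap_net_raw,cap_net_admin=eip $TCPDUMP" >&2
        return 1
    fi
    if command -v aa-status >/dev/null 2>&1 && sudo aa-status 2>/dev/null | enforced_by_apparmor "$TCPDUMP"; then
        echo "fix: sudo aa-disable $TCPDUMP" >&2
        return 1
    fi
    echo "ok: $TCPDUMP has effective net capabilities and is not confined by AppArmor"
}

# Only touch the live system when asked to.
if [ "${1:-}" = "check" ]; then
    preflight
fi
```

Run it as `sh tcpdump-preflight.sh check` (file name assumed) after the setcap step; re-run it after any tcpdump package upgrade, because a reinstalled binary loses its file capabilities.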
1.2 Install Cuckoo3
$ python3 --version                                      # 3.8.10
$ git clone https://github.com/cert-ee/cuckoo3.git
$ cd cuckoo3 && ./install.sh                             # git clone creates "cuckoo3" (a zip download would unpack to cuckoo3-main)
$ cuckoo createcwd                                       # creates the working directory ~/.cuckoocwd
$ cuckoo getmonitor monitor.zip                          # monitor.zip ships in the repository root; run from the cloned directory
$ unzip monitor.zip -d ~/.cuckoocwd/
$ unzip signatures.zip -d ~/.cuckoocwd/signatures/cuckoo/
1.3 Update the configuration

Three files under ~/.cuckoocwd/conf need editing. Indentation is significant in YAML; the nesting below is the one Cuckoo3 expects.

# ~/.cuckoocwd/conf/cuckoo.yaml
machineries:
  - kvm                          # only the KVM machinery module is loaded
resultserver:
  listen_ip: 192.168.156.1       # the host's address on virbr1; guests send their results here
  listen_port: 2042
tcpdump:
  enabled: True
  path: /usr/sbin/tcpdump        # the binary given capabilities in 1.1
network_routing:
  enabled: False                 # no rooter; guest Internet access comes from the iptables NAT in 1.4
  rooter_socket: null
platform:
  autotag: False
state_control:
  cancel_unidentified: False
processing:
  worker_amount:
    identification: 1
    pre: 1
    post: 1
remote_storage:
  api_url: null
  api_key: null

# ~/.cuckoocwd/conf/analysissettings.yaml
limits:
  max_timeout: 300
  max_priority: 999
  max_platforms: 3
default:
  timeout: 60                    # seconds a sample runs unless the submission overrides it
  priority: 1
  route:
    type: null
    options:
  platform:
    versions:
      windows:
        - 10                     # must match os_version in kvm.yaml

# ~/.cuckoocwd/conf/machineries/kvm.yaml
dsn: "qemu:///system"
interface: virbr1                # bridge of the libvirt network the guests attach to
machines:
  win10_64bit_001:
    label: win10_64bit_001       # libvirt domain name, as created in 2.1
    ip: 192.168.156.101          # static address configured inside the guest in 2.2
    platform: windows
    os_version: "10"
    architecture: amd64
    agent_port: 8000
    mac_address: null
    snapshot: win10_64bit_001_snapshot1   # snapshot taken in 2.7
    interface: null
    tags:
      - pdfreader
      - java
      - python
1.4 Configure iptables rules

The guest network (virbr1, 192.168.156.0/24) is masqueraded out through ens33 so samples get Internet access; substitute your own uplink interface. Three things to know about these rules: they only do anything with net.ipv4.ip_forward=1 on the host; they are lost at reboot unless saved (for example with netfilter-persistent); and, as written, "-s 192.168.156.0/24 -j ACCEPT" forwards guest traffic to every destination, including the host's own LAN, so the trailing LOG rule never sees guest traffic at all. Also check with "sudo iptables -S FORWARD" that no libvirt-inserted REJECT rule for virbr1 sits ahead of them, or the ACCEPTs are never reached.

$ sudo iptables -t nat -A POSTROUTING -o ens33 -s 192.168.156.0/24 -j MASQUERADE
$ sudo iptables -P FORWARD DROP
$ sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -s 192.168.156.0/24 -j ACCEPT
$ sudo iptables -A FORWARD -s 192.168.156.0/24 -d 192.168.156.0/24 -j ACCEPT
$ sudo iptables -A FORWARD -j LOG
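As an added example (not from the post or the Cuckoo3 project), the script below restates the post's rule set as a function beside a tightened one that keeps guests off the host's LAN, and can print either for review or apply the tightened one. The subnet and uplink names are the post's; PRIVATE_RANGES (which ranges hold machines a sample must never reach), the log prefixes and the print/apply/diff arguments are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the post or Cuckoo3): the host firewall for the
# sandbox network as two reviewable rule lists. loose_rules is the post's set;
# hardened_rules logs and drops every private destination before letting guests out.
# SANDBOX_NET and UPLINK_IF are the post's values; PRIVATE_RANGES and the log
# prefixes are assumptions made for this example.
set -eu

SANDBOX_NET="${SANDBOX_NET:-192.168.156.0/24}"
UPLINK_IF="${UPLINK_IF:-ens33}"
PRIVATE_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"

# The post's rules. The bare "-s SANDBOX_NET -j ACCEPT" forwards guest traffic
# to any destination, so a sample can reach the host's LAN through the uplink,
# and the trailing LOG only ever sees packets that did not come from a guest.
loose_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $UPLINK_IF -s $SANDBOX_NET -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $SANDBOX_NET -j ACCEPT
iptables -A FORWARD -s $SANDBOX_NET -d $SANDBOX_NET -j ACCEPT
iptables -A FORWARD -j LOG
EOF
}

# Tightened rules: forwarding switched on explicitly, guest-to-guest allowed,
# every private range logged and dropped before the uplink ACCEPT, and that
# ACCEPT tied to the uplink interface so nothing else is forwarded.
# The result server (host:2042) and the agent (guest:8000) talk host<->guest
# on virbr1 directly, which is INPUT/OUTPUT on the host, not FORWARD.
hardened_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $UPLINK_IF -s $SANDBOX_NET -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $SANDBOX_NET -d $SANDBOX_NET -j ACCEPT
EOF
    for range in $PRIVATE_RANGES; do
        echo "iptables -A FORWARD -s $SANDBOX_NET -d $range -j LOG --log-prefix \"cuckoo-lan-drop: \""
        echo "iptables -A FORWARD -s $SANDBOX_NET -d $range -j DROP"
    done
    cat <<EOF
iptables -A FORWARD -s $SANDBOX_NET -o $UPLINK_IF -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "cuckoo-fw-drop: "
EOF
}

# count_lan_drops: number of rules on stdin that drop sandbox traffic bound for
# another range (0 for loose_rules, one per entry in PRIVATE_RANGES otherwise).
count_lan_drops() {
    grep -c -- "-s $SANDBOX_NET -d .* -j DROP" || true
}

# apply_rules: execute each line read from stdin (needs root).
apply_rules() {
    while IFS= read -r line; do
        eval "$line"
    done
}

case "${1:-print}" in
    print) hardened_rules ;;
    apply) hardened_rules | apply_rules ;;
    diff)  loose_rules; echo "--- versus ---"; hardened_rules ;;
    *)     echo "usage: $0 [print|apply|diff]" >&2; exit 2 ;;
esac
```

Review with `sh sandbox-fw.sh diff` (file name assumed) and install with `sudo sh sandbox-fw.sh apply`. The rules still vanish at reboot; persist them with netfilter-persistent or run the script from a systemd unit after libvirt has started. The 169.254.0.0/16 entry also covers cloud metadata endpoints when the host itself is a VM, and the "cuckoo-lan-drop:" prefix gives a one-line grep for samples that tried to pivot into the LAN.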
1.5 Start the web service
$ pip install uwsgi                                      # in the same Python environment cuckoo was installed into
$ sudo apt-get install uwsgi uwsgi-plugin-python3 nginx -y
$ cuckoo web generateconfig --uwsgi > cuckoo-web.ini
$ sudo mv cuckoo-web.ini /etc/uwsgi/apps-available/
$ sudo ln -s /etc/uwsgi/apps-available/cuckoo-web.ini /etc/uwsgi/apps-enabled/cuckoo-web.ini
$ sudo adduser www-data $USER                            # nginx runs as www-data and must be able to read files under your home directory
$ vim ~/.cuckoocwd/web/web_local_settings.py             # STATIC_ROOT = "/opt/cuckoo3/web/cuckoo/web/static"
$ cuckoo web djangocommand collectstatic                 # copies the static files into STATIC_ROOT, so set STATIC_ROOT before running this
$ cuckoo web generateconfig --nginx > cuckoo-web.conf
$ vim cuckoo-web.conf                                    # listen 80;
$ sudo mv cuckoo-web.conf /etc/nginx/sites-available/cuckoo-web.conf
$ sudo ln -s /etc/nginx/sites-available/cuckoo-web.conf /etc/nginx/sites-enabled/cuckoo-web.conf
$ sudo rm /etc/nginx/sites-enabled/default
$ sudo systemctl restart nginx uwsgi

The STATIC_ROOT directory must exist and be readable by www-data. Once nginx listens on port 80 the submission UI is reachable from every network the host sits on, so keep the host on a trusted network or put authentication in front of it.
1.6 Start Cuckoo3

Apply the source change from https://github.com/cert-ee/cuckoo3/pull/49 first, then start Cuckoo3 in the foreground with debug logging:

$ cuckoo --debug
2. Guest environment
2.1 Install the operating system

Create the domain with virt-install. The disk and ISO paths are the author's. "--network network=isolated" names a libvirt network that must already exist, bridged on virbr1 with the host at 192.168.156.1/24; its definition is not shown in this post. The VirtIO driver ISO is attached so the installer can load the storage driver for the virtio disk.

$ virt-install --accelerate --virt-type=kvm --os-variant=win10 \
--ram=4096 --vcpus sockets=1,cores=1,threads=1 --network network=isolated --name win10_64bit_001 \
--disk path=/home/zer0py2c/win10_64bit_001.qcow2,size=30,bus=virtio,format=qcow2 \
--disk path=/home/zer0py2c/virtio-win-0.1.173.iso,device=cdrom \
--cdrom=/home/zer0py2c/Win10_1703_English_x64.iso \
--graphics vnc,listen=0.0.0.0,port=5910,password=123456 --connect qemu:///system --noautoconsole

The VNC console above is bound to every host interface with a trivial password, which is acceptable only on a throwaway lab host; otherwise use listen=127.0.0.1 and reach it through an SSH tunnel.
2.2 Adapter settings (static IP inside the guest)

Configure IPv4 by hand so the guest matches kvm.yaml; the gateway and the first DNS server are the host's virbr1 address:

ipv4=192.168.156.101
netmask=255.255.255.0
gateway=192.168.156.1
dns_server1=192.168.156.1
dns_server2=114.114.114.114
2.3 Disable Patch Guard

Run patch.exe as administrator (md5: 440474c5a51af6d16a193db1d0066b04). When it finishes, reboot and choose the "Patch Guard disabled" entry in the boot menu.

# Guest dependency file list
AdbeRdr90_zh_CN.exe, agent.zip, BANDIZIP-SETUP.EXE, jdk-8u281-windows-x64.exe, Office2013(64位VOL版)+激活工具.rar (Office 2013 64-bit VOL edition plus activator), patch.exe, python-2.7.17.msi, vc_redist.x64.exe, disable_services.ps1, optimize_settings.ps1
2.4 Disable services

Run the script from an elevated PowerShell prompt. It writes Start=4 (disabled) directly into each service's registry key and verifies the write; the values are read at boot, so reboot afterwards. The list includes Windows Defender's own services (WdBoot, WdFilter, WdNisSvc, WinDefend, Sense, SecurityHealthService), which is why the optimize script in 2.6 only has to "further" disable Defender.

# disable_services.ps1
Write-Host "Disabling all non-vital Windows 10 services"
$errs = 0
Foreach ($servicename in ("PrintNotify", "WpnUserService", "OneSyncSvc", "WdBoot", "WdFilter", "WdNisDrv", "WdNisSvc", "WinDefend",
                          "DiagTrack", "DoSvc", "TimeBrokerSvc", "TokenBroker", "Sense", "SecurityHealthService", "wscsvc", "dmwappushservice",
                          "AJRouter", "ALG", "AppMgmt", "bthserv", "PeerDistSvc", "CertPropSvc", "MapsBroker", "Fax", "lfsvc",
                          "HvHost", "vmickvpexchange", "vmicguestinterface", "vmicshutdown", "vmicheartbeat", "vmicvmsession", "vmicrdv", "vmictimesync", "vmicvss",
                          "irmon", "SharedAccess", "iphlpsvc", "IpxlatCfgSvc", "MSiSCSI", "SmsRouter", "NaturalAuthentication", "NetTcpPortSharing", "Netlogon",
                          "NcdAutoSetup", "CscService", "SEMgrSvc", "PhoneSvc", "SessionEnv", "TermService", "UmRdpService", "RpcLocator", "RetailDemo",
                          "SensorDataService", "SensrSvc", "SensorService", "ScDeviceEnum", "SCPolicySvc", "SNMPTRAP", "TabletInputService", "WebClient", "FrameServer",
                          "wcncsvc", "wisvc", "WMPNetworkSvc", "icssvc", "WinRM", "workfolderssvc", "WwanSvc", "XblAuthManager", "XblGameSave", "XboxNetApiSvc", "WFDSConMgrSvc")) {
    # Only touch services that exist on this build; Start = 4 means SERVICE_DISABLED
    If (Test-Path HKLM:\SYSTEM\CurrentControlSet\Services\$servicename) {
        $shhh = reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$servicename" /v "Start" /t REG_DWORD /d 4 /f
        # Read the value back; protected services can silently refuse the write
        $start = (Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\$servicename -ErrorAction SilentlyContinue).Start
        If ($start -ne "4") {
            Write-Host "Failed to disable service $servicename"
            $errs += 1
        }
    }
}

# Non-zero exit so a calling script notices partial failure
If ($errs -ne 0) {
    exit 1
}
2.5 Install dependency software

Dependency         Version / md5                        Notes
Python             2.7.17
JDK                8u281                                vc_redist.x64.exe must be installed first
Adobe Reader       9.0.0
Microsoft Office   2013
Bandizip           6.22
agent.pyw          07fc380d3570470eee75d57c4e2b31dc     must be run as administrator, and must be running when the snapshot in 2.7 is taken
2.6 Optimize Windows 10 settings (optional)

Run from an elevated PowerShell prompt, since the script takes ownership of system DLLs and writes HKLM keys:

powershell -ExecutionPolicy bypass -File optimize_settings.ps1

# optimize_settings.ps1
Write-Host "Optimizing windows 10 settings"

###
### Applications
###

# Remove all preinstalled applications that are not dependencies
$packageCount = (Get-AppxPackage).Count
Get-AppxPackage -allusers | Remove-AppxPackage -ErrorAction SilentlyContinue
$packageCount -= (Get-AppxPackage).Count
Write-Host "Removed $packageCount optional AppX packages"

# Remove OneDrive
Write-Host "Removing OneDrive"
Get-Process *onedrive* | stop-process
Start-Process "${Env:WinDir}\SysWOW64\OneDriveSetup.exe" -ArgumentList "/uninstall" -Wait
$onedrivePath = "${Env:LOCALAPPDATA}\Microsoft\OneDrive"
Get-Process *onedrive* | stop-process
remove-item $onedrivePath -Force -Recurse

# Remove OneDrive startup key
If ((Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run").OneDriveSetup) {
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDriveSetup /f
}

###
### Security
###

Write-Host "Further disabling Windows Defender and Firewall"

# Disable smartscreen
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v Enabledv9 /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t "REG_SZ" /d "Off" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t "REG_SZ" /d "Off" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost" /v PreventOverride /t REG_DWORD /d 0 /f

# Further disable Windows Defender
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1 /f

# Disable biometrics
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d 0 /f


###
### Notifications
###

# Disable the action center (the hard way)
foreach ($file in ("$Env:WinDir\System32\ActionCenter.dll", "$Env:WinDir\System32\ActionCenterCPL.dll")) {
    takeown /f $file | Out-Null
    $Acl = Get-Acl $file
    $ownerName = $Acl.Owner
    $Ar = New-Object system.security.accesscontrol.filesystemaccessrule("$ownerName","FullControl","Allow")
    $Acl.SetAccessRule($Ar)
    Set-Acl $file $Acl
    Move-Item $file "${file}_BUP" -Force
}

Write-Host "Disabling the Notification Center and other notifications"

# Disable the notification center
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d 1 /f

# Disable the Security and Maintenance toast notifications
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v Enabled /t REG_DWORD /d 0 /f

# Disable windows defender notifications
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

# Disable tips about Windows (might cause high cpu load)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SoftLandingEnabled /d 0 /t REG_DWORD /f


###
### Performance
###

Write-Host "Optimizing Windows 10 performance"

# Disable Windows app tracking to improve start and search results
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 1 /f

# Disable maintenance
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "Activation Boundary" /t REG_SZ /d "2001-01-01T16:00:00" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d 1 /f

# Skip the first logon animation
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableFirstLogonAnimation /d 0 /t REG_DWORD /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v EnableFirstLogonAnimation /d 0 /t REG_DWORD /f

# Enable admin approval mode
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UIPI" /t REG_SZ /d 1 /f

# Zero Startup Delay
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize" /v "Startupdelayinmsec" /t REG_DWORD /d 0 /f


###
### Start menu
###

Write-Host "debloating start menu"

# Disable live tiles
reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v NoTileApplicationNotification /t REG_DWORD /d 1 /f

# Remove all tiles from windows start layout
$startlayout = '<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\nonexistingpath.lnk" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>'

$startLayoutPath = "${Env:USERPROFILE}\layout.xml"
$startlayout | sc $startLayoutPath -encoding Utf8
Import-StartLayout -layoutpath "${Env:USERPROFILE}\layout.xml" -mountpath C:\
Remove-Item $startLayoutPath
Remove-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$start.tilegrid$windows.data.curatedtilecollection.root' -Force -Recurse


###
### General
###

Write-Host "Disabling diagnostics, feedback and telemetry"

# Diagnostics and feedback
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableActivityFeed /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v PublishUserActivities /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v UploadUserActivities /d 0 /t REG_DWORD /f

# Do not collect/send data
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /d 0 /t REG_DWORD /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_TrackProgs /d 0 /t REG_DWORD /f

# Disable license telemetry
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t "REG_DWORD" /d "1" /f

# Disable windows feedback
reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t "REG_DWORD" /d "0" /f

# Inking and typing personalization
reg add "HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /d 1 /t REG_DWORD /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /d 0 /t REG_DWORD /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /d 0 /t REG_DWORD /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Preferences" /v ModelDownloadAllowed /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v PreventHandwritingDataSharing /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v PreventHandwritingErrorReports /d 1 /t REG_DWORD /f

# Disable Windows tips
reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t "REG_DWORD" /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "1" /f

# Do not automatically download apps
reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "1" /f

# Do not offer to provide feedback
reg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t "REG_DWORD" /d "1" /f

# Skip the 'keep using this app' file assocation dialog
reg add HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer /v NoNewAppAlert /t REG_DWORD /d 1 /f

# Disable KMS connection broker (SppExtComObj.exe)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v DisableDnsPublishing /d 0 /t REG_DWORD /f

# Disable Cortana
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /d 0 /t REG_DWORD /f

# Remove Edge from the taskbar
((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -match "Edge"}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}

# disable Diagnostic Policy Service (problem detection, troubleshooting and resolution, cannot be disabled after reboot)
Set-Service DPS -StartupType disabled
2.7 Take the snapshot and shut down

Take the snapshot while the guest is running and agent.pyw is already started as administrator: Cuckoo3 reverts to this live state for every task, so whatever is running at that moment is exactly what each sample sees. The snapshot name must match the snapshot field in kvm.yaml. Only then shut the domain down.

$ sudo virsh snapshot-create-as win10_64bit_001 win10_64bit_001_snapshot1 --description "Patch Guard disabled"
$ sudo virsh shutdown --domain win10_64bit_001