Using the Windows Subsystem for Linux to configure Cuckoo Sandbox on Windows 10

Original link: https://www.trustwave.com/Resources/SpiderLabs-Blog/Cuckoo--Linux-Subsystem--Some-Love-for-Windows-10/

Thanks to the author's article, configuring the environment is quick and convenient. Here I record the configuration and how to use it:

1. Deploy Windows Subsystem for Linux

Follow the steps in the official documentation to install it: https://msdn.microsoft.com/en-us/commandline/wsl/install_guide

1. Open PowerShell, enter the following command to enable the feature, then restart

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

2. Install a Linux distribution from the Microsoft Store; I installed Ubuntu

3. Install the following packages in the Ubuntu terminal

# Get latest updates
$ sudo apt-get update
$ sudo apt-get upgrade

# Install LAMP server
$ sudo apt-get install lamp-server^

# Install MongoDB
$ sudo apt-get install mongodb

# Run Apache, MySQL and MongoDB
$ sudo service apache2 start
$ sudo service mysql start
$ sudo service mongodb start

When I installed it, starting apache2 and mysql reported errors, but this did not affect the main functionality.

2. Install Cuckoo

The Python version I am using is 2.7.12

1. In cmd, run pip install cuckoo to start installing Cuckoo (it can also be installed on Windows 7, but without the MongoDB-backed features). This command installs the libraries Cuckoo depends on; if one of them fails, simply run pip install cuckoo again.

2. In cmd, run cuckoo init. This generates the .cuckoo folder at %USERPROFILE%\.cuckoo (C:\Users\<username>\.cuckoo), in which we configure the virtual machine and view the analysis results.

3. In cmd, run cuckoo community to download the community signature files.

4. In cmd, run cuckoo -d to start the analysis daemon. With this method only the JSON report is detailed and the generated HTML is very simple; if MongoDB is installed, you can run cuckoo web runserver to submit samples and view detailed analysis results in the web interface.

5. In cmd, run cuckoo submit <path> to submit a sample. When MongoDB is installed, samples can also be submitted directly from the web page.

6. Yara: http://yara.readthedocs.io/en/v3.4.0/gettingstarted.html#installing-on-windows

7. Volatility:

C:\> pip install distorm3
C:\> pip install pycrypto
C:\> pip install volatility

8. MySQL

C:\> easy_install mysql-python

3. Host configuration

1. Open the conf folder under %USERPROFILE%\.cuckoo (C:\Users\<username>\.cuckoo) and modify the configuration files inside

cuckoo.conf
[database]
connection = mysql://cuckoo:cuckoo@<mysql-host>/cuckoo
# NOTE: I created a MySQL user 'cuckoo' with 'cuckoo' as the password and a database named 'cuckoo'
# I haven't used this function yet


auxiliary.conf
[sniffer]
enabled = yes
tcpdump = c:\tools\tcpdump\tcpdump.exe
# NOTE: the path depends on where you installed windump.exe. I renamed windump.exe to tcpdump.exe

vmware.conf
[vmware]
# Specify which VMware Workstation mode you want to run your machines on.
# Can be "gui" or "nogui". Refer to VMware's official
# documentation to understand the differences.
mode = gui

# Path to the local installation of the vmrun utility.
path = D:\VMware\vmrun.exe

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = cuckoo1

[cuckoo1]
# Specify the path to vmx file of this virtual machine.
vmx_path = C:\VM\Windows 7 x64\Windows 7 x64.vmx

# Specify the snapshot name to use.
snapshot = cuckoo

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.128


reporting.conf
[mongodb]
enabled = yes

2. WinDump: https://www.winpcap.org/windump/install/default.htm . The file C:\Python27\Lib\site-packages\cuckoo\auxiliary\sniffer.py in Cuckoo drives WinDump and parses its output; it needs a small modification to work on Windows.

I added a '\r' to the line split and added the path to tcpdump.exe to the whitelist, as shown below:

# Lines WinDump prints on stderr that are not errors. On Windows the sniffer
# announces itself with its own path instead of "tcpdump:", so that prefix
# is whitelisted too.
err_whitelist_start = (
    "tcpdump: listening on ",
    "c:\\tools\\tcpdump\\tcpdump.exe: listening on ",
)

# WinDump emits CRLF line endings; splitting on "\n" alone would leave a
# trailing "\r" on every line and defeat the whitelist checks.
for line in err.split("\r\n"):
    if not line or line.startswith(err_whitelist_start):
        continue
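As an added example (not code from the post or from Cuckoo), the following stand-alone Python models the stderr filtering of sniffer.py so the effect of the two changes can be seen on constructed WinDump output. The "ends" whitelist, the GUID and the final error line are assumptions made for the demonstration.

```python
# Added example, not code from the post or from Cuckoo: a stand-alone model of
# the stderr filtering in cuckoo/auxiliary/sniffer.py, so the effect of the two
# Windows changes (split on "\r\n", whitelist the windump path) can be seen.

# Benign trailing phrases from tcpdump's exit summary (assumed here, modelled
# on Cuckoo's err_whitelist_ends; these are tcpdump's standard summary lines).
ERR_WHITELIST_ENDS = (
    "packets captured",
    "packets received by filter",
    "packets dropped by kernel",
)

def tcpdump_errors(err, tcpdump_path=None, windows=False):
    """Return the stderr lines that would be reported as real errors.

    windows=False follows the stock logic: split on "\\n" and whitelist only
    the Linux prefix "tcpdump: listening on ".  windows=True follows the
    post's patch: split on "\\r\\n" (windump emits CRLF) and also whitelist
    the configured sniffer path, because windump prints its own path.
    """
    whitelist_start = ["tcpdump: listening on "]
    if windows and tcpdump_path:
        whitelist_start.append(tcpdump_path + ": listening on ")
    sep = "\r\n" if windows else "\n"
    errors = []
    for line in err.split(sep):
        if not line or line.startswith(tuple(whitelist_start)):
            continue
        if line.endswith(ERR_WHITELIST_ENDS):
            continue
        errors.append(line)
    return errors

# Constructed stderr in the shape windump produces on Windows (CRLF endings);
# the GUID and the final error line are made up for the demonstration.
TCPDUMP_PATH = "c:\\tools\\tcpdump\\tcpdump.exe"
SAMPLE_STDERR = (
    TCPDUMP_PATH + ": listening on \\Device\\NPF_{CONSTRUCTED-GUID}, "
    "link-type EN10MB (Ethernet), capture size 262144 bytes\r\n"
    "42 packets captured\r\n"
    "42 packets received by filter\r\n"
    "0 packets dropped by kernel\r\n"
    + TCPDUMP_PATH + ": example constructed error: adapter not found\r\n"
)

if __name__ == "__main__":
    # Stock logic: every line keeps a trailing "\r", so nothing is whitelisted
    # and all five lines are logged as errors.  Patched: only the real one.
    print("stock  :", tcpdump_errors(SAMPLE_STDERR))
    print("patched:", tcpdump_errors(SAMPLE_STDERR, TCPDUMP_PATH, windows=True))
```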

3. Cuckoo is configured here in host-only mode; alternatively you can modify the host settings below, communicate by host name, and use the NAT network to capture network events.

4. Guest (virtual machine) configuration

1. I use VMware, again in host-only mode. First configure the host side: set the VMnet1 adapter on the host to 192.168.56.1

2. Install Python in the virtual machine and install the Pillow library (with the network in NAT mode)

pip install pillow

3. Configure a static IP in the virtual machine: 192.168.56.128 (select the custom VMnet1 network and configure a static IP)

4. Copy the agent file from %USERPROFILE%\.cuckoo (C:\Users\<username>\.cuckoo) to the virtual machine, run it, and take the snapshot
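As an added example (not code from the post or from Cuckoo), here is a pre-flight check that reads the vmware.conf from section 3 and verifies that the vmrun and vmx paths exist and that each guest IP sits in the /24 of the VMnet1 address configured above. The function name and the path_exists hook are my own; the embedded config is constructed from the values in this post.

```python
# Added example, not code from the post or from Cuckoo: a pre-flight check for
# the vmware.conf and the host-only addressing set up in sections 3 and 4.
import configparser
import ipaddress
import os

# Constructed vmware.conf carrying the values used in this post.
SAMPLE_VMWARE_CONF = """[vmware]
mode = gui
path = D:\\VMware\\vmrun.exe
machines = cuckoo1

[cuckoo1]
vmx_path = C:\\VM\\Windows 7 x64\\Windows 7 x64.vmx
snapshot = cuckoo
platform = windows
ip = 192.168.56.128
"""

def check_vmware_conf(conf_text, host_vmnet_ip, path_exists=os.path.exists):
    """Return a list of problems (empty means consistent).  host_vmnet_ip is the
    host's VMnet1 address (192.168.56.1 in the post); guest ips must be in its
    /24.  path_exists is injectable so the check runs without the real files."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    problems = []
    vmrun = cp.get("vmware", "path", fallback="")
    if not path_exists(vmrun):
        problems.append("vmrun not found: %s" % vmrun)
    host_net = ipaddress.ip_interface(host_vmnet_ip + "/24").network
    for name in cp.get("vmware", "machines", fallback="").split(","):
        name = name.strip()
        # Every ID in "machines" needs its own section with the VM details.
        if not cp.has_section(name):
            problems.append("machine %s listed but has no [%s] section" % (name, name))
            continue
        vmx = cp.get(name, "vmx_path", fallback="")
        if not path_exists(vmx):
            problems.append("%s: vmx not found: %s" % (name, vmx))
        # The guest must be reachable from the host-only adapter, or analysis fails.
        ip = cp.get(name, "ip", fallback="")
        try:
            if ipaddress.ip_address(ip) not in host_net:
                problems.append("%s: ip %s not in host-only net %s" % (name, ip, host_net))
        except ValueError:
            problems.append("%s: invalid ip %r" % (name, ip))
    return problems

if __name__ == "__main__":
    print(check_vmware_conf(SAMPLE_VMWARE_CONF, "192.168.56.1"))
```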

Now you can run cuckoo -d or cuckoo web runserver from section 2 and wait for the task to be analyzed.
