├── 2015-08-01.tar.gz ├── README.md ├── boost_1_60_0.tar.gz ├── buildworld.sh ├── clamav-base_0.99.2-0ubuntu0_all.deb ├── clamav-daemon_0.99.2-0ubuntu0_amd64.deb ├── clamav-dbg_0.99.2-0ubuntu0_amd64.deb ├── clamav-docs_0.99.2-0ubuntu0_all.deb ├── clamav-freshclam_0.99.2-0ubuntu0_amd64.deb ├── clamav-milter_0.99.2-0ubuntu0_amd64.deb ├── clamav-testfiles_0.99.2-0ubuntu0_all.deb ├── clamav_0.99.2-0ubuntu0_amd64.deb ├── cpuset.py ├── createVBoxWin7.py ├── createVBoxWin8.py ├── createVBoxWinXP.py ├── guest ├── AcrobatReader10.reg ├── AcrobatReader9.reg ├── Office2010.reg ├── Office2013.reg ├── Zombies.reg ├── ZombiesXP.reg ├── Zombieswin7.reg └── hidemore.bat ├── hyperscan.tar.gz ├── libclamav-dev_0.99.2-0ubuntu0_amd64.deb ├── libclamav7_0.99.2-0ubuntu0_amd64.deb ├── local.rules ├── luazip.c ├── moloch-fixes.diff ├── moloch.tar.gz ├── pefile-1.2.10-139.tar.gz ├── procyon-decompiler-0.5.30.jar ├── pulledpork-0.6.1.tar.gz ├── pulledpork-etpro-fix.diff ├── services ├── cuckoo ├── iptables ├── moloch └── suricata ├── setupmysql.sh ├── suricata-3.0.1.tar.gz ├── suricata.yaml ├── v3.4.0.tar.gz ├── vboxConfBiosWin7.py ├── vboxConfBiosWin8.py ├── vboxConfBiosWinXP.py └── volatility-2.4.tar.gz /2015-08-01.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/2015-08-01.tar.gz -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/README.md -------------------------------------------------------------------------------- /boost_1_60_0.tar.gz: -------------------------------------------------------------------------------- 
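https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/boost_1_60_0.tar.gz
--------------------------------------------------------------------------------
/buildworld.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# buildworld.sh - turn a fresh Ubuntu 14.04 (trusty) box into a Cuckoo malware-analysis
# host: Cuckoo (spender-sandbox fork), Suricata 3.0.1 with ET/ETPRO rules via pulledpork,
# Moloch, ClamAV + unofficial sigs, yara/volatility/pefile/pydeep, VirtualBox 5.0 and an
# Open vSwitch bridge (lan0) with tap ports for the guests and a mirror port (dummy0).
#
# Shell: bash, not sh. `read -p` below is a bash feature; under dash (Ubuntu's /bin/sh)
# it errors out and $oinkcode stays empty, which is what the original `#!/bin/sh` did.
#
# SECURITY NOTE(review): almost everything below is fetched from unpinned sources
# (pip/luarocks "latest", git HEAD of several repos, tarballs with no checksum check,
# locally built .debs) and installed as root. That is a supply-chain exposure on a host
# that will handle live malware; pin commits/versions and verify checksums or signatures
# before reusing this outside an isolated lab.
sudo apt-get update -y && sudo apt-get upgrade -y
# MongoDB 3.2 signing key. A short key ID is not a fingerprint; after import, compare the
# full fingerprint (`apt-key fingerprint EA312927`) with the one MongoDB publishes.
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927
# Repo over plain http: apt verifies the Release signature, so integrity rests on the key above.
echo "deb http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list
sudo apt-get update
sudo apt-get install -y mongodb-org
# apt package names are lower-case; the original `libwww-Perl` is not a name apt can
# locate, which makes the whole install transaction abort.
sudo apt-get install -y vim screen unzip python python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-chardet tcpdump clamav-daemon clamav-unofficial-sigs clamav clamav-base libcap2-bin python-dev build-essential subversion pcregrep libpcre++-dev python-pip ssdeep libfuzzy-dev git automake libtool autoconf libapr1 libapr1-dev libnspr4-dev libnss3-dev libwww-perl libcrypt-ssleay-perl python-dev python-scapy python-yaml bison libpcre3-dev bison flex libdumbnet-dev autotools-dev libnet1-dev libpcap-dev libyaml-dev libnetfilter-queue-dev libprelude-dev zlib1g-dev libz-dev libcap-ng-dev libmagic-dev python-mysqldb lua-zip-dev lua-zip luarocks cmake libjansson-dev libswitch-perl libcdio-utils python-simplejson p7zip-full libzzip-dev python-geoip python-chardet python-m2crypto python-dnspython lua-bitop lua-zlib libcap2-bin zram-config xfce4 python-pil libidn11-dev libtommath-dev libjson-c-dev libjson-c-dev libmilter1.0.1 python-dateutil lua-apr python-pyparsing libbz2-dev cmake ragel

# Grants raw-socket / net-admin capabilities to ANY local user who can execute tcpdump,
# not just root. Acceptable on a single-operator sandbox host; not elsewhere.
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
# Only Django is pinned; the other packages resolve to whatever PyPI serves at build time.
sudo pip install bottle Django==1.8.8 pycrypto clamd distorm3 pygal django-ratelimit
sudo luarocks install struct
#sudo luarocks install lua-apr

# The tarballs used below (pefile, yara, volatility, re2, boost, hyperscan, suricata,
# pulledpork, moloch) ship in this repo; nothing verifies their hashes before they are
# built and installed as root.
#wget https://pefile.googlecode.com/files/pefile-1.2.10-139.tar.gz
tar -xzvf pefile-1.2.10-139.tar.gz
cd pefile-1.2.10-139
python setup.py build
sudo python setup.py install
cd ..

#yara
tar -zxf v3.4.0.tar.gz
cd yara-3.4.0
./bootstrap.sh
chmod +x build.sh
./build.sh
sudo make install

# ldconfig only reads /etc/ld.so.conf.d/*.conf; the original wrote a file named
# "cuckoo" (no suffix) that was never picked up.
echo "/usr/local/lib" | sudo tee /etc/ld.so.conf.d/cuckoo.conf
sudo ldconfig
cd yara-python
python setup.py build
sudo python setup.py install
cd ../..

#volatility
tar -zxf volatility-2.4.tar.gz
cd volatility-2.4
python setup.py build
sudo python setup.py install
cd ..

# Unpinned git HEAD built and installed as root (likewise pyre2, ltn12ce, aeslua,
# et-luajit-scripts and cuckoo-modified below); pin a commit for a reproducible build.
git clone https://github.com/kbandla/pydeep.git
cd pydeep
python setup.py build
sudo python setup.py install
cd ..

sudo mkdir -p /usr/local/suricata/bin
sudo mkdir -p /usr/local/suricata/lib
sudo mkdir -p /usr/local/suricata/include/linux
sudo mkdir -p /usr/local/suricata/sbin
sudo mkdir -p /usr/local/suricata/etc/
sudo mkdir -p /usr/local/suricata/et-luajit-scripts/
sudo mkdir -p /usr/local/suricata/var/log
sudo mkdir -p /usr/local/suricata/var/run/suricata/
sudo mkdir -p /data/etc/
sudo apt-get install build-essential libapr1 libapr1-dev libnspr4-dev libnss3-dev libwww-perl libcrypt-ssleay-perl python-dev python-scapy python-yaml bison libpcre3-dev bison flex libdumbnet-dev autotools-dev libnet1-dev libpcap-dev libyaml-dev libnetfilter-queue-dev libprelude-dev zlib1g-dev libz-dev libcap-ng-dev libmagic-dev python-mysqldb lua-zip-dev luarocks cmake openvswitch-switch libaprutil1-dev libaprutil1-dbd-sqlite3 libapreq2-3 libapreq2-dev liblua5.1-0 liblua5.1-0-dev libapr1 libaprutil1 libaprutil1-dev libaprutil1-dbd-sqlite3 libapreq2-3 libapreq2-dev xrdp python-sqlalchemy -y

tar -xzvf 2015-08-01.tar.gz
cd re2-2015-08-01
make
make test
sudo make install
sudo make testinstall
cd ..
git clone https://github.com/axiak/pyre2.git
cd pyre2
sudo python setup.py install
cd ..

git clone https://github.com/mkottman/ltn12ce
cd ltn12ce
mkdir build
cd build
cmake .. -DBUILD_ZLIB=Off -DLUA_LIBRARY=/usr/lib/x86_64-linux-gnu/liblua5.1.so -DLUA_INCLUDE_DIR=/usr/include/lua5.1/
make
sudo make install
cd ../..
sudo ln -s /usr/local/lib/lua/ltn12ce /usr/local/lib/lua/5.1/ltn12ce

git clone https://github.com/bighil/aeslua
cd aeslua
make
sudo make install
cd ..

# luazip, with its luazip.c replaced by the patched copy shipped in this repo.
luarocks download luazip
luarocks unpack luazip
rm luazip-1.2.4-1/luazip/src/luazip.c
cp -f luazip.c luazip-1.2.4-1/luazip/src/
cd luazip-1.2.4-1/luazip
sudo luarocks make luazip-1.2.4-1.rockspec
cd ../..

tar -xvzf boost_1_60_0.tar.gz
cd boost_1_60_0
./bootstrap.sh --prefix=/tmp/boost-1.60
./b2 install
cd ..

tar -xzvf hyperscan.tar.gz
cd hyperscan
git checkout v4.0.1 -b ver401
mkdir build
cd build
cmake -DBUILD_SHARED_LIBS=1 -DBOOST_ROOT=/tmp/boost-1.60 ../
make
sudo make install
cd ../..

#sudo apt-get install apache2 libapache2-mod-wsgi
#sudo a2enmod wsgi
#sudo a2enmod ssl
#sudo a2enmod proxy
#sudo a2enmod proxy_http
#sudo a2enmod auth_basic
#sudo a2enmod headers

#wget http://www.openinfosecfoundation.org/download/suricata-3.0.1.tar.gz
#wget https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/master/suricata.yaml
tar -xzvf suricata-3.0.1.tar.gz
cd suricata-3.0.1
./configure --enable-profiling --prefix=/usr/local/suricata/ --with-libnss-includes=/usr/include/nss --with-libnss-libs=/usr/lib/nss --with-libnspr-includes=/usr/include/nspr --with-libnspr-libraries=/usr/lib/nspr --enable-lua --enable-unix-socket && make -j && sudo make install
sudo cp ../suricata.yaml /usr/local/suricata/etc/
sudo cp reference.config /usr/local/suricata/etc/
sudo cp classification.config /usr/local/suricata/etc/
cd ..

# Local rule: store every file seen over HTTP (filestore) without raising an alert.
echo "alert http any any -> any any (msg:\"FILE store all\"; filestore; flowbits:noalert; sid:44444; rev:1;)" > local.rules
sudo cp local.rules /usr/local/suricata/etc/
#cp rules/files.rules /usr/local/suricata/etc/etpro/

sudo git clone https://github.com/EmergingThreats/et-luajit-scripts /usr/local/suricata/et-luajit-scripts
sudo cp /usr/local/suricata/et-luajit-scripts/* /usr/local/suricata/etc/
read -p "Enter your ETPRO oinkcode if you have one [ENTER]: " oinkcode
# The original test was `if ["$oinkcode" = ""]` -- no space after `[`, so the shell looked
# for a command literally named `["..."`, the condition always failed, and the ETPRO URL
# was used with an empty oinkcode even when nothing was entered.
if [ -z "$oinkcode" ]; then
    rule_url="https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open"
else
    rule_url="https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|$oinkcode"
fi

# pp.config carries the oinkcode (a paid-subscription secret). It is created with the
# default umask and copied into /usr/local/suricata/etc/ as-is, i.e. world-readable.
# Once the account that runs ruleupdates.sh is settled (see the chown/cron notes below),
# restrict it to that account, e.g. `chmod 640 /usr/local/suricata/etc/pp.config`.
echo "rule_url=$rule_url
ignore=local.rules
temp_path=/tmp
rule_path=/usr/local/suricata/etc/all.rules
sid_msg=/usr/local/suricata/etc/sid-msg.map
sid_changelog=/usr/local/suricata/var/log/etpro_sid_changes.log
disablesid=/usr/local/suricata/etc/disablesid.conf
engine=suricata
suricata_version=2.0.4
version=0.6.0
" > pp.config

#wget https://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz
tar -xzvf pulledpork-0.6.1.tar.gz
cd pulledpork-0.6.1
patch -p1 < ../pulledpork-etpro-fix.diff
sudo cp -f pulledpork.pl /usr/local/bin/
# ruleupdates.sh refreshes the ET rules AND the Lua scripts that Suricata (running as
# root from /etc/init.d/suricata) will execute; see the ownership note further down.
echo "#!/bin/sh
/usr/local/bin/pulledpork.pl -c /usr/local/suricata/etc/pp.config
cd /usr/local/suricata/et-luajit-scripts/ && git pull
cp -f /usr/local/suricata/et-luajit-scripts/*.lua /usr/local/suricata/etc/
cp -f /usr/local/suricata/et-luajit-scripts/d*.rules /usr/local/suricata/etc/
" > ruleupdates.sh
chmod +x ruleupdates.sh
# Disable Suricata's own engine-event rules and the GPL NETBIOS set (alert noise on a
# sandbox). The original pattern read "STMP", which matches no rule; SMTP is intended.
echo "pcre:SURICATA (SMTP|IP|TCP|ICMP|HTTP|STREAM)" >> etc/disablesid.conf
echo "pcre:GPL NETBIOS" >> etc/disablesid.conf
sudo cp ruleupdates.sh /usr/local/bin/
sudo cp ../pp.config /usr/local/suricata/etc/
sudo cp etc/modifysid.conf /usr/local/suricata/etc/
sudo cp etc/enablesid.conf /usr/local/suricata/etc/
sudo cp etc/disablesid.conf /usr/local/suricata/etc/
cd ..
# First rule pull. Run the installed copy by path (no reliance on $PATH) and as root:
# at this point /usr/local/suricata/etc and the et-luajit-scripts checkout are still
# root-owned (the chown happens later), so an unprivileged run could not write them.
sudo /usr/local/bin/ruleupdates.sh

tar -xzvf moloch.tar.gz
cd moloch-0.12.2
sudo ./easybutton-singlehost.sh
cd ..
sudo pkill -f "/data/moloch/bin/node viewer.js"
sudo pkill -f "/data/moloch/elasticsearch"


#sudo git clone https://github.com/EmergingThreats/cuckoo-1.1.git /data/cuckoo
git clone https://github.com/spender-sandbox/cuckoo-modified cuckoo
cd cuckoo/utils
./community.py -a -f
cd ../..
sudo mv cuckoo /data/cuckoo
sudo cp procyon-decompiler-0.5.30.jar /data/cuckoo/

rm suricata-3.0.1 -Rf
rm pulledpork-0.6.1 -Rf
rm lua-zlib -Rf
rm ltn12ce -Rf
rm yara-3.4.0 -Rf
sudo rm volatility-2.4 -Rf
rm pydeep -Rf
sudo rm moloch-0.12.2 -Rf
rm pp.config
sudo rm luazip-1.2.4-1.rockspec
sudo rm luazip-1.2.4-1 -Rf
sudo rm pefile-1.2.10-139 -Rf
sudo rm re2-2015-08-01 -Rf
sudo rm pyre2 -Rf
sudo rm aeslua -Rf
sudo rm hyperscan -Rf
sudo rm /tmp/boost-1.60 -Rf
sudo rm boost_1_60_0 -Rf

# Guest network: OVS bridge lan0 with 17 tap ports (lan0p0..lan0p16) for the VMs.
sudo ovs-vsctl add-br lan0
for tap in $(seq 0 16); do
    sudo ip tuntap add mode tap lan0p$tap
done
sudo ip tuntap list
for tap in $(seq 0 16); do
    sudo ip link set lan0p$tap up
done
sudo ip link
for tap in $(seq 0 16); do
    sudo ovs-vsctl add-port lan0 lan0p$tap
done
sudo ovs-vsctl list-ports lan0
#sudo ovs-vsctl -- --id=@m create mirror name=mirror3 select_all=1 -- add bridge lan0 mirrors @m
#mirror port: dummy0 receives a copy of all bridge traffic (this is what Suricata/Moloch sniff)
sudo modprobe dummy
sudo ip link set up dummy0
sudo ifconfig dummy0 promisc -arp
sudo ovs-vsctl -- --may-exist add-port lan0 dummy0
sudo ovs-vsctl -- --id=@p get port dummy0 -- --id=@m create mirror name=mirror0 select_all=1 -- add bridge lan0 mirrors @m -- set mirror mirror0 output_port=@p
#mgmt: host-side internal port with the guests' gateway address
sudo ovs-vsctl add-port lan0 lan0hp0 -- set interface lan0hp0 type=internal
sudo ip addr add 192.168.1.1 dev lan0hp0
sudo ip link set lan0hp0 up
sudo ip route add 192.168.1.0/24 dev lan0hp0

chmod +x services/*
sudo cp services/* /etc/init.d/
sudo update-rc.d iptables defaults
sudo update-rc.d suricata defaults

# /etc/rc.local: recreate the tap ports and the mirror/mgmt interface state at boot
# (the bridge, ports and mirror presumably persist in the OVS database, which is why they
# are not re-added here) and start moloch and cuckoo. A quoted heredoc replaces the
# original echo-with-escaped-backticks so the file is written literally. Two fixes: a
# shebang is added (the original relied on the exec fallback for a script without one),
# and `service` is given a service name -- `service /etc/init.d/openvswitch-switch` looks
# for /etc/init.d//etc/init.d/openvswitch-switch and fails as "unrecognized service".
sudo tee /etc/rc.local > /dev/null <<'EOF'
#!/bin/sh
service openvswitch-switch restart
for tap in `seq 0 16`; do
sudo ip tuntap add mode tap lan0p$tap
done;
sudo ip tuntap list
for tap in `seq 0 16`; do
sudo ip link set lan0p$tap up
done;
sudo ip link

#mirror port
sudo modprobe dummy
sudo ip link set up dummy0
sudo ifconfig dummy0 promisc -arp
#mgmt
sudo ip addr add 192.168.1.1 dev lan0hp0
sudo ip link set lan0hp0 up
sudo ip route add 192.168.1.0/24 dev lan0hp0

/etc/init.d/moloch start
/etc/init.d/cuckoo start
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
exit 0
EOF

CURRENT_USER=$(whoami)
# SECURITY NOTE(review): this hands the entire Suricata tree (binaries, suricata.yaml,
# the rules and the Lua scripts Suricata executes as root), plus the Moloch and Cuckoo
# trees, to an unprivileged login. The daily cron job at the bottom then runs
# ruleupdates.sh as `cuckoo` and restarts Suricata as root, so anyone able to write as
# that user (e.g. after a sandbox escape into the analysis account) gets code execution
# as root on the next rule update. When hardening: keep bin/, lib/ and the Lua scripts
# root-owned and hand over only var/log and the rule/config files pulledpork must write.
sudo chown $CURRENT_USER:$CURRENT_USER /usr/local/suricata/ -Rf
sudo chown $CURRENT_USER:$CURRENT_USER /data/moloch -Rf
sudo chown $CURRENT_USER:$CURRENT_USER /data/cuckoo -Rf
sudo usermod -a -G cuckoo clamav

# AppArmor local override so the confined clamd can read Cuckoo's storage tree; it takes
# effect when the clamd profile is (re)loaded, e.g. by the clamav package install below.
echo "/data/cuckoo/storage/** r," | sudo tee /etc/apparmor.d/local/usr.sbin.clamd

# The repo line stays http (apt verifies the Release signature), but the signing key --
# the trust anchor for every VirtualBox package -- is fetched over TLS. The original
# pulled it over plain http and piped it straight into apt-key, so an on-path attacker
# could substitute the key and then the packages.
echo "deb http://download.virtualbox.org/virtualbox/debian trusty contrib" |sudo tee -a /etc/apt/sources.list
wget -q https://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -
sudo apt-get update
sudo apt-get install virtualbox-5.0 -y

# Locally built ClamAV 0.99.2 packages shipped in this repo. dpkg does not verify
# signatures; these are trusted on the strength of the repo checkout alone.
sudo dpkg -i *clamav*.deb
sudo apt-get -f install
echo "add_dbs=\"https://raw.githubusercontent.com/wmetcalf/clam-punch/master/miscreantpunch099.ldb\"" |sudo tee -a /usr/share/clamav-unofficial-sigs/conf.d/00-clamav-unofficial-sigs.conf
sudo -u clamav /usr/sbin/clamav-unofficial-sigs

echo xfce4-session > ~/.xsession
sudo service xrdp restart

# Drop libvirt's default NAT network; guests use the OVS bridge instead.
sudo virsh net-destroy default
sudo virsh net-undefine default
sudo service libvirtd restart

# Daily rule/Lua refresh as `cuckoo`, then a root restart of Suricata that loads what was
# fetched -- see the ownership note above before exposing the cuckoo account to anything.
echo "#!/bin/sh
su cuckoo -c \"/usr/local/bin/ruleupdates.sh\" && /etc/init.d/suricata restart" | sudo tee /etc/cron.daily/ruleupdates
sudo chmod +x /etc/cron.daily/ruleupdates
--------------------------------------------------------------------------------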
/clamav-base_0.99.2-0ubuntu0_all.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/clamav-base_0.99.2-0ubuntu0_all.deb -------------------------------------------------------------------------------- /clamav-daemon_0.99.2-0ubuntu0_amd64.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/clamav-daemon_0.99.2-0ubuntu0_amd64.deb -------------------------------------------------------------------------------- /clamav-dbg_0.99.2-0ubuntu0_amd64.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/clamav-dbg_0.99.2-0ubuntu0_amd64.deb -------------------------------------------------------------------------------- /clamav-docs_0.99.2-0ubuntu0_all.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/clamav-docs_0.99.2-0ubuntu0_all.deb -------------------------------------------------------------------------------- /clamav-freshclam_0.99.2-0ubuntu0_amd64.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/clamav-freshclam_0.99.2-0ubuntu0_amd64.deb -------------------------------------------------------------------------------- /clamav-milter_0.99.2-0ubuntu0_amd64.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/clamav-milter_0.99.2-0ubuntu0_amd64.deb 
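--------------------------------------------------------------------------------
/clamav-testfiles_0.99.2-0ubuntu0_all.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/clamav-testfiles_0.99.2-0ubuntu0_all.deb
--------------------------------------------------------------------------------
/clamav_0.99.2-0ubuntu0_amd64.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/clamav_0.99.2-0ubuntu0_amd64.deb
--------------------------------------------------------------------------------
/cpuset.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
"""Spoof the CPU brand string of a VirtualBox VM (anti-VM-detection for sandbox guests).

CPUID leaves 0x80000002-0x80000004 return the 48-byte processor brand string, four
32-bit little-endian words per leaf. ``VBoxManage modifyvm --cpuidset`` overrides those
leaves, so a guest that inspects CPUID sees e.g. a real Intel model name instead of
VirtualBox's default. Strings shorter than 48 bytes are right-aligned with leading
spaces and NUL-terminated (how real CPUs pad the brand string); a 48-byte string must
already end in NUL.

Usage: cpuset.py --vm <vm name> --cpu "<brand string>"
"""
from __future__ import print_function

import struct
import subprocess
import sys
from optparse import OptionParser

#### Maybe random select from these in the future This is needed as setting cpu mfr/model via extadata doesn't seem to do anything ###
#intel=["Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz",
#"Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz",
#"Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz",
#"Intel(R) Core(TM) i7-3820 CPU @ 3.60GHz",
#"Intel(R) Core(TM)2 CPU 4400 @ 2.00GHz",
#"Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz",
#"Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz",
#"Intel(R) Core(TM) i3-2100 CPU @ 3.10GHz",
#"Intel(R) Celeron(R) CPU G530 @ 2.40GHz",
#"Intel(R) Pentium(R) CPU G645T @ 2.50GHz",
#"Intel(R) Core(TM) i3-2310M CPU @ 2.10GHz",
#"Intel(R) Core(TM) i3-4340 CPU @ 3.60GHz",
#"Intel(R) Core(TM) i3-3110M CPU @ 2.40GHz",
#"Intel(R) Core(TM) i3-4130T CPU @ 2.90GHz",
#"Intel(R) Core(TM) i7-2630QM CPU @ 2.00GHz",
#"Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz"]

#amd=["AMD Sempron(tm) X2 190 Processor",
#"AMD Phenom(tm) II X4 20 Processor",
#"AMD FX(tm)-6300 Six-Core Processor",
#"AMD Athlon(tm) 64 X2 Dual Core Processor 4400+",
#"AMD A4-5000 APU with Radeon(TM) HD Graphics",
#"AMD FX(tm)-8120 Eight-Core Processor,
#"AMD A4-3300M APU with Radeon(tm) HD Graphics"
#"AMD Phenom(tm) II X2 20 Processor"]

BRAND_STRING_LEN = 48  # 3 CPUID leaves x 4 registers x 4 bytes
CPUID_LEAVES = ("80000002", "80000003", "80000004")


def cmd_wrapper(cmd):
    """Run *cmd* (an argv list) to completion; return (returncode, stdout, stderr).

    The command is executed without a shell, so the VM name -- taken verbatim from the
    command line -- is passed as a single argument and cannot smuggle in extra shell
    commands. The original interpolated it into a string and used shell=True.
    """
    print("running command and waiting for it to finish %s" % (" ".join(cmd)))
    p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
    stdout, stderr = p.communicate()
    return (p.returncode, stdout, stderr)


def chunkstring(string, length):
    """Yield consecutive *length*-sized slices of *string* (the last may be shorter)."""
    return (string[i:i + length] for i in range(0, len(string), length))


def pad_brand_string(cpu):
    """Return *cpu* right-aligned in a 48-byte field: leading spaces, trailing NUL.

    A string that is already 48 bytes is returned unchanged (the caller checks that it
    ends in NUL). Anything longer cannot fit in the three leaves and raises ValueError;
    the original silently produced more than 12 words and used only the first 12.
    """
    if len(cpu) > BRAND_STRING_LEN:
        raise ValueError("cpu brand string longer than %d bytes" % BRAND_STRING_LEN)
    if len(cpu) < BRAND_STRING_LEN:
        cpu = " " * (BRAND_STRING_LEN - 1 - len(cpu)) + cpu + "\x00"
    return cpu


def brand_string_words(cpu):
    """Split a 48-byte brand string into 12 hex words as ``--cpuidset`` expects.

    Each 4-byte chunk is one 32-bit register value, little-endian (byte 0 is the low
    byte), rendered as 8 hex digits with no 0x prefix. This is the same value the
    original produced with chunk[::-1].encode("hex"), which does not exist on Python 3.
    """
    words = []
    for chunk in chunkstring(cpu, 4):
        raw = chunk if isinstance(chunk, bytes) else chunk.encode("latin-1")
        words.append("%08x" % struct.unpack("<I", raw)[0])
    return words


def main(argv=None):
    """Parse --vm/--cpu and apply the brand string to the VM via VBoxManage."""
    parser = OptionParser(usage="%prog --vm <vm name> --cpu <brand string>")
    parser.add_option("--vm", dest="vm", type="string", help="target vm")
    parser.add_option("--cpu", dest="cpu", type="string", help="user specified cpu to add")
    (options, _args) = parser.parse_args(argv)

    # Both options are required. The original dereferenced options.cpu unconditionally
    # and died with a TypeError when --cpu was omitted.
    if not options.vm or options.cpu is None:
        parser.error("--vm and --cpu are both required")

    try:
        cpu = pad_brand_string(options.cpu)
    except ValueError as exc:
        print(exc)
        sys.exit(-1)

    # Value comparison; the original used `is not "\x00"`, an identity test that only
    # worked by accident of CPython's string interning.
    if cpu[-1] != "\x00":
        print("the cpu target must be null terminated")
        sys.exit(-1)

    words = brand_string_words(cpu)
    print("running twice because of weirdness")
    # Same sequence as the original: leaves 2,3,4 applied twice in a row.
    for _ in range(2):
        for leaf, start in zip(CPUID_LEAVES, range(0, 12, 4)):
            cmd_wrapper(["VBoxManage", "modifyvm", options.vm, "--cpuidset", leaf] + words[start:start + 4])


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/createVBoxWin7.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#############################################################################################################
# This script is take from http://blog.michaelboman.org/2014/01/making-virtualbox-nearly-undetectable.html #
#############################################################################################################
"""Create Windows 7 x64 VirtualBox guests for the sandbox, one per command-line argument,
then apply the anti-detection BIOS/DMI tweaks from vboxConfBiosWin7.py.

Usage: createVBoxWin7.py <vm name> [<vm name> ...]
"""
from __future__ import print_function

import os
import sys
import subprocess


def runcmd(cmd):
    """Run *cmd* (argv list, no shell), print its output and return it; None on failure.

    A failing step is reported and skipped so the remaining VBoxManage calls still run,
    as in the original -- but the error is printed instead of being swallowed by a bare
    `except:`, which also hid Ctrl-C and a mistyped VBoxManage path.
    """
    print("Executing %s" % " ".join(cmd))
    try:
        output = subprocess.check_output(cmd)
    except (OSError, subprocess.CalledProcessError) as exc:
        print("Failed: %s" % exc)
        return None
    print(output)
    return output


VBoxManage = '/usr/bin/VBoxManage'
vboxConfBios = './vboxConfBiosWin7.py'

for machine in sys.argv[1:]:
    # Disk image lives at /data/VirtualBox VMs/<name>/<name>.vdi, 80 GiB.
    hdpath = os.path.join('/', 'data', 'VirtualBox VMs', machine, machine + '.vdi')
    runcmd([VBoxManage, 'createhd', '--filename', hdpath, '--size', str(80 * 1024)])
    runcmd([VBoxManage, 'createvm', '--name', machine, '--ostype', 'Windows7_64', '--register'])
    # Disk on an AHCI SATA controller, empty DVD drive on a PIIX4 IDE controller.
    runcmd([VBoxManage, 'storagectl', machine, '--name', 'SATA Controller', '--add', 'sata', '--controller', 'IntelAHCI'])
    runcmd([VBoxManage, 'storageattach', machine, '--storagectl', 'SATA Controller', '--port', '0', '--device', '0', '--type', 'hdd', '--medium', hdpath])
    runcmd([VBoxManage, 'storagectl', machine, '--name', 'PIIX4', '--add', 'ide', '--controller', 'PIIX4'])
    runcmd([VBoxManage, 'storageattach', machine, '--storagectl', 'PIIX4', '--port', '0', '--device', '0', '--type', 'dvddrive', '--medium', 'emptydrive'])
    runcmd([VBoxManage, 'modifyvm', machine, '--ioapic', 'on'])
    runcmd([VBoxManage, 'modifyvm', machine, '--boot2', 'dvd', '--boot3', 'disk', '--boot4', 'none'])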
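# createVBoxWin7.py, remaining per-VM steps (loop header is above)
    runcmd([VBoxManage,'modifyvm',machine,'--memory','1024','--vram','128'])
    runcmd([VBoxManage,'modifyvm',machine,'--nic1','bridged','--bridgeadapter1','lan0p1'])
    runcmd([vboxConfBios,machine])
--------------------------------------------------------------------------------
/createVBoxWin8.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#############################################################################################################
# This script is take from http://blog.michaelboman.org/2014/01/making-virtualbox-nearly-undetectable.html #
#############################################################################################################
"""Create Windows 8.1 x64 VirtualBox guests for the sandbox, one per command-line
argument, then apply the anti-detection BIOS/DMI tweaks from vboxConfBiosWin8.py.

Usage: createVBoxWin8.py <vm name> [<vm name> ...]
"""
from __future__ import print_function

import os
import sys
import subprocess


def runcmd(cmd):
    """Run *cmd* (argv list, no shell), print its output and return it; None on failure.

    A failing step is reported and skipped so the remaining VBoxManage calls still run,
    as in the original -- but the error is printed instead of being swallowed by a bare
    `except:`, which also hid Ctrl-C and a mistyped VBoxManage path.
    """
    print("Executing %s" % " ".join(cmd))
    try:
        output = subprocess.check_output(cmd)
    except (OSError, subprocess.CalledProcessError) as exc:
        print("Failed: %s" % exc)
        return None
    print(output)
    return output


VBoxManage = '/usr/bin/VBoxManage'
vboxConfBios = './vboxConfBiosWin8.py'

for machine in sys.argv[1:]:
    # Disk image lives at /data/VirtualBox VMs/<name>/<name>.vdi, 80 GiB.
    hdpath = os.path.join('/', 'data', 'VirtualBox VMs', machine, machine + '.vdi')
    runcmd([VBoxManage, 'createhd', '--filename', hdpath, '--size', str(80 * 1024)])
    runcmd([VBoxManage, 'createvm', '--name', machine, '--ostype', 'Windows81_64', '--register'])
    # Disk on an AHCI SATA controller, empty DVD drive on a PIIX4 IDE controller.
    runcmd([VBoxManage, 'storagectl', machine, '--name', 'SATA Controller', '--add', 'sata', '--controller', 'IntelAHCI'])
    runcmd([VBoxManage, 'storageattach', machine, '--storagectl', 'SATA Controller', '--port', '0', '--device', '0', '--type', 'hdd', '--medium', hdpath])
    runcmd([VBoxManage, 'storagectl', machine, '--name', 'PIIX4', '--add', 'ide', '--controller', 'PIIX4'])
    runcmd([VBoxManage, 'storageattach', machine, '--storagectl', 'PIIX4', '--port', '0', '--device', '0', '--type', 'dvddrive', '--medium', 'emptydrive'])
    runcmd([VBoxManage, 'modifyvm', machine, '--ioapic', 'on'])
    runcmd([VBoxManage, 'modifyvm', machine, '--boot2', 'dvd', '--boot3', 'disk', '--boot4', 'none'])
    runcmd([VBoxManage, 'modifyvm', machine, '--memory', '1024', '--vram', '128'])
    # Bridged onto tap lan0p1 of the OVS lan0 bridge built by buildworld.sh. Every guest
    # this script creates shares that one tap; give each VM its own lan0pN if they must
    # be told apart on the mirror port.
    runcmd([VBoxManage, 'modifyvm', machine, '--nic1', 'bridged', '--bridgeadapter1', 'lan0p1'])
    runcmd([vboxConfBios, machine])
--------------------------------------------------------------------------------
/createVBoxWinXP.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#############################################################################################################
# This script is take from http://blog.michaelboman.org/2014/01/making-virtualbox-nearly-undetectable.html #
#############################################################################################################
"""Create Windows XP VirtualBox guests for the sandbox, one per command-line argument,
then apply the anti-detection BIOS/DMI tweaks from vboxConfBiosWinXP.py.

Usage: createVBoxWinXP.py <vm name> [<vm name> ...]
"""
from __future__ import print_function

import os
import sys
import subprocess


def runcmd(cmd):
    """Run *cmd* (argv list, no shell), print its output and return it; None on failure.

    A failing step is reported and skipped so the remaining VBoxManage calls still run,
    as in the original -- but the error is printed instead of being swallowed by a bare
    `except:`, which also hid Ctrl-C and a mistyped VBoxManage path.
    """
    print("Executing %s" % " ".join(cmd))
    try:
        output = subprocess.check_output(cmd)
    except (OSError, subprocess.CalledProcessError) as exc:
        print("Failed: %s" % exc)
        return None
    print(output)
    return output


VBoxManage = '/usr/bin/VBoxManage'
vboxConfBios = './vboxConfBiosWinXP.py'

for machine in sys.argv[1:]:
    # Disk image lives at /data/VirtualBox VMs/<name>/<name>.vdi, 80 GiB.
    hdpath = os.path.join('/', 'data', 'VirtualBox VMs', machine, machine + '.vdi')
    runcmd([VBoxManage, 'createhd', '--filename', hdpath, '--size', str(80 * 1024)])
    runcmd([VBoxManage, 'createvm', '--name', machine, '--ostype', 'WindowsXP', '--register'])
    # Everything hangs off one PIIX4 IDE controller (presumably because XP has no in-box
    # AHCI driver): DVD on primary master, disk on primary slave. The original also tried
    # to attach the disk to a 'SATA Controller' that this script never creates -- a call
    # that could only fail -- so it has been dropped.
    runcmd([VBoxManage, 'storagectl', machine, '--name', 'PIIX4', '--add', 'ide', '--controller', 'PIIX4'])
    runcmd([VBoxManage, 'storageattach', machine, '--storagectl', 'PIIX4', '--port', '0', '--device', '0', '--type', 'dvddrive', '--medium', 'emptydrive'])
    runcmd([VBoxManage, 'storageattach', machine, '--storagectl', 'PIIX4', '--port', '0', '--device', '1', '--type', 'hdd', '--medium', hdpath])
    runcmd([VBoxManage, 'modifyvm', machine, '--ioapic', 'on'])
    runcmd([VBoxManage, 'modifyvm', machine, '--boot2', 'dvd', '--boot3', 'disk', '--boot4', 'none'])
    runcmd([VBoxManage, 'modifyvm', machine, '--memory', '1024', '--vram', '128'])
    # Bridged onto tap lan0p1 of the OVS lan0 bridge built by buildworld.sh (shared by
    # every guest this script creates; see the note in createVBoxWin8.py).
    runcmd([VBoxManage, 'modifyvm', machine, '--nic1', 'bridged', '--bridgeadapter1', 'lan0p1'])
    runcmd([vboxConfBios, machine])
--------------------------------------------------------------------------------
/guest/AcrobatReader10.reg:
--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\10.0\FeatureLockDown\cDefaultLaunchAttachmentPerms]
"tBuiltInPermList"="version:1|.ade:2|.adp:2|.app:2|.arc:2|.arj:2|.asp:2|.bas:2|.bat:2|.bz:2|.bz2:2|.cab:2|.chm:2|.class:2|.cmd:2|.com:2|.command:2|.cpl:2|.crt:2|.csh:2|.desktop:2|.dll:2|.exe:2|.fxp:2|.gz:2|.hex:2|.hlp:2|.hqx:2|.hta:2|.inf:2|.ini:2|.ins:2|.isp:2|.its:2|.job:2|.js:2|.jse:2|.ksh:2|.lnk:2|.lzh:2|.mad:2|.maf:2|.mag:2|.mam:2|.maq:2|.mar:2|.mas:2|.mat:2|.mau:2|.mav:2|.maw:2|.mda:2|.mdb:2|.mde:2|.mdt:2|.mdw:2|.mdz:2|.msc:2|.msi:2|.msp:2|.mst:2|.ocx:2|.ops:2|.pcd:2|.pi:2|.pif:2|.prf:2|.prg:2|.pst:2|.rar:2|.reg:2|.scf:2|.scr:2|.sct:2|.sea:2|.shb:2|.shs:2|.sit:2|.tar:2|.taz:2|.tgz:2|.tmp:2|.url:2|.vb:2|.vbe:2|.vbs:2|.vsmacros:2|.vss:2|.vst:2|.vsw:2|.webloc:2|.ws:2|.wsc:2|.wsf:2|.wsh:2|.z:2|.zip:2|.zlo:2|.zoo:2|.pdf:2|.fdf:2|.jar:2|.pkg:2|.tool:2|.term:2|.doc:2|.dot:2|.ooxml:2|.docx:2|.docm:2|.dotx:2|.dotm:2|.docb:2|.xls:2|.xlt:2|.xlm:2|.xlsx:2|.xlsm:2|.xltx:2|.xltm:2|.xlsb:2|xla:2|.xlam:2|xll:2|.xlw:2|.ppt:2|.pot:2|.pps:2|.pptx:2|.pptm:2|.potx:2|.potm:2|.ppam:2|.ppsx:2|.ppsm:2|.sldx:2|.sldm:2|.accdb:2|.mdb:2|.accde:2|.accdt:2|.accdr:2|.pub:2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\10.0\FeatureLockDown\cDefaultLaunchURLPerms]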
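"tSchemePerms"="version:1|shell:2|hcp:2|ms-help:2|ms-its:2|ms-itss:2|its:2|mk:2|mhtml:2|help:2|disk:2|afp:2|disks:2|telnet:2|ssh:2|acrobat:2|mailto:2|file:1|rlogin:2"

; bProtectedMode=0 turns off Reader X's Protected Mode sandbox so an exploit runs
; unconfined and can be observed by the sandbox -- for the disposable analysis VM only.
; NOTE(review): the original put this value under "Policies\Adobe\Adobe Reader\10.0"
; while the two lockdown keys above use "Policies\Adobe\Acrobat Reader\10.0", which is
; the documented Reader lockdown path; aligned to that path, as under the other one the
; setting was presumably never read and Protected Mode stayed on.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\10.0\FeatureLockDown]
"bProtectedMode"=dword:00000000
--------------------------------------------------------------------------------
/guest/AcrobatReader9.reg:
--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

; Adobe Reader 9 lockdown policy for a Cuckoo sandbox guest. The two lists below set the
; launch permission for attachment extensions and URL schemes; Reader's shipped defaults
; refuse the dangerous entries, and these values appear to permit them so a sample's
; payload is not blocked. NOTE(review): confirm the per-value meaning against Adobe's
; preference reference before editing. Import ONLY into the disposable analysis VM.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cDefaultLaunchAttachmentPerms]
"tBuiltInPermList"="version:1|.ade:2|.adp:2|.app:2|.arc:2|.arj:2|.asp:2|.bas:2|.bat:2|.bz:2|.bz2:2|.cab:2|.chm:2|.class:2|.cmd:2|.com:2|.command:2|.cpl:2|.crt:2|.csh:2|.desktop:2|.dll:2|.exe:2|.fxp:2|.gz:2|.hex:2|.hlp:2|.hqx:2|.hta:2|.inf:2|.ini:2|.ins:2|.isp:2|.its:2|.job:2|.js:2|.jse:2|.ksh:2|.lnk:2|.lzh:2|.mad:2|.maf:2|.mag:2|.mam:2|.maq:2|.mar:2|.mas:2|.mat:2|.mau:2|.mav:2|.maw:2|.mda:2|.mdb:2|.mde:2|.mdt:2|.mdw:2|.mdz:2|.msc:2|.msi:2|.msp:2|.mst:2|.ocx:2|.ops:2|.pcd:2|.pi:2|.pif:2|.prf:2|.prg:2|.pst:2|.rar:2|.reg:2|.scf:2|.scr:2|.sct:2|.sea:2|.shb:2|.shs:2|.sit:2|.tar:2|.taz:2|.tgz:2|.tmp:2|.url:2|.vb:2|.vbe:2|.vbs:2|.vsmacros:2|.vss:2|.vst:2|.vsw:2|.webloc:2|.ws:2|.wsc:2|.wsf:2|.wsh:2|.z:2|.zip:2|.zlo:2|.zoo:2|.pdf:2|.fdf:2|.jar:2|.pkg:2|.tool:2|.term:2|.doc:2|.dot:2|.ooxml:2|.docx:2|.docm:2|.dotx:2|.dotm:2|.docb:2|.xls:2|.xlt:2|.xlm:2|.xlsx:2|.xlsm:2|.xltx:2|.xltm:2|.xlsb:2|xla:2|.xlam:2|xll:2|.xlw:2|.ppt:2|.pot:2|.pps:2|.pptx:2|.pptm:2|.potx:2|.potm:2|.ppam:2|.ppsx:2|.ppsm:2|.sldx:2|.sldm:2|.accdb:2|.mdb:2|.accde:2|.accdt:2|.accdr:2|.pub:2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cDefaultLaunchURLPerms]
"tSchemePerms"="version:1|shell:2|hcp:2|ms-help:2|ms-its:2|ms-itss:2|its:2|mk:2|mhtml:2|help:2|disk:2|afp:2|disks:2|telnet:2|ssh:2|acrobat:2|mailto:2|file:1|rlogin:2"
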
--------------------------------------------------------------------------------
/guest/Office2010.reg:
--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

; Office 2010 (14.0) per-user settings for a Cuckoo sandbox guest.
; SECURITY NOTE(review): these deliberately switch off the controls that stop a malicious
; document from executing (macro prompts, DEP, Protected View, legacy-format FileBlock,
; external-content warnings) and silence Office's online/telemetry chatter, so that a
; sample detonates and the traffic in the pcap is the sample's own. Import ONLY into the
; disposable analysis VM, never onto a host or a production image. Value meanings noted
; below are from the Office Group Policy reference -- verify there before changing them.

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common]
; Presumably reliability/quality-metrics uploads off (less outbound noise during analysis).
"UpdateReliabilityData"=dword:00000000
"QMSessionCount"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\TrustCenter]
"TrustBar"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet]
; No Office.com online content / application-detect requests; IDN alert presumably muted.
"UseOnlineContent"=dword:00000000
"IDN_AlertOff"=dword:00000001
"UseOnlineAppDetect"=dword:00000000


[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Research\Options]
"DiscoveryNeedOptIn"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security]
; VBAWarnings=1 is "enable all macros" (no prompt); AccessVBOM=1 trusts access to the
; VBA project object model; EnableDEP=0 turns Data Execution Prevention off for Word.
"AccessVBOM"=dword:00000001
"VBAWarnings"=dword:00000001
"EnableDEP"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock]
; Legacy Word 2.x/6.0/95 binary formats are not blocked. OpenInProtectedView=2 -- presumably
; the "open and allow editing" option; confirm against the GPO reference.
"Word95Files"=dword:00000000
"Word60Files"=dword:00000000
"Word2Files"=dword:00000000
"OpenInProtectedView"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\ProtectedView]
; Protected View disabled for Internet-zone files, Outlook attachments and unsafe locations.
"DisableInternetFilesInPV"=dword:00000001
"DisableAttachmentsInPV"=dword:00000001
"DisableUnsafeLocationsInPV"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Locations]
"AllowNetworkLocations"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security]
; As for Word, plus: no prompt for external data connections, and ExtensionHardening=0
; disables the file-extension/content mismatch check (e.g. HTML or CSV served as .xls).
"AccessVBOM"=dword:00000001
"VBAWarnings"=dword:00000001
"EnableDEP"=dword:00000000
"DataConnectionWarnings"=dword:00000000
"WorkbookLinkWarnings"=dword:00000002
"ExtensionHardening"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\FileBlock]
; Legacy Excel 2/3/4 workbooks and worksheets and XLM (Excel 4.0) macro sheets are not blocked.
"XL4Workbooks"=dword:00000000
"XL4Worksheets"=dword:00000000
"XL3Worksheets"=dword:00000000
"XL2Worksheets"=dword:00000000
"XL4Macros"=dword:00000000
"XL3Macros"=dword:00000000
"XL2Macros"=dword:00000000
"OpenInProtectedView"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView]
; Protected View disabled for Internet-zone files, Outlook attachments and unsafe locations.
"DisableInternetFilesInPV"=dword:00000001
"DisableAttachmentsInPV"=dword:00000001
"DisableUnsafeLocationsInPV"=dword:00000001


[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Security]
; Same macro / object-model / DEP relaxation as Word.
"AccessVBOM"=dword:00000001
"VBAWarnings"=dword:00000001
"EnableDEP"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView]
"DisableInternetFilesInPV"=dword:00000001
"DisableAttachmentsInPV"=dword:00000001
"DisableUnsafeLocationsInPV"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Publisher\Security]
"VBAWarnings"=dword:00000001
"EnableDEP"=dword:00000000
--------------------------------------------------------------------------------
/guest/Office2013.reg:
--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

; Office 2013 (15.0) sandbox-guest settings, same intent as Office2010.reg: disable the
; protections and prompts that stop a document sample from detonating, and silence
; feedback/telemetry/error-report uploads so the guest's traffic is the sample's.
; Import ONLY into the disposable analysis VM.

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common]
"OverridePointerMode"=dword:00000001
"QMEnable"=dword:00000000
"UpdateReliabilityData"=dword:00000000
"QMNFN"=dword:00000002
"QMSessionCount"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Feedback]
"Enabled"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Internet]
"IDN_AlertOff"=dword:00000001
"UseOnlineContent"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\PTWatson]
; Presumably Office's Watson (crash/diagnostic) reporting: opted out and queue zeroed, so
; a crashing sample is not reported to Microsoft.
"PTWOptIn"=dword:00000000
"PTWReadyToSend"=dword:00000000
"PTWNextUpload"=dword:00000000
"PTWCount"=dword:00000000
"PTWExpire"=dword:00000000 23 | 24 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Research\Options] 25 | "DiscoveryNeedOptIn"=dword:00000001 26 | 27 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Research\Translation] 28 | "UseOnline"=dword:00000000 29 | 30 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Security\FileValidation] 31 | "DisableReporting"=dword:00000001 32 | 33 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\TrustCenter] 34 | "TrustBar"=dword:00000001 35 | 36 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security] 37 | "AccessVBOM"=dword:00000001 38 | "VBAWarnings"=dword:00000001 39 | 40 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock] 41 | "Word95Files"=dword:00000000 42 | "Word60Files"=dword:00000000 43 | "Word2Files"=dword:00000000 44 | 45 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\ProtectedView] 46 | "DisableInternetFilesInPV"=dword:00000001 47 | "DisableAttachmentsInPV"=dword:00000001 48 | "DisableUnsafeLocationsInPV"=dword:00000001 49 | 50 | [HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security] 51 | "UFIControls"=dword:00000001 52 | 53 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security] 54 | "AccessVBOM"=dword:00000001 55 | "VBAWarnings"=dword:00000001 56 | "DataConnectionWarnings"=dword:00000000 57 | "WorkbookLinkWarnings"=dword:00000002 58 | "ExtensionHardening"=dword:00000000 59 | 60 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\FileBlock] 61 | "XL4Workbooks"=dword:00000000 62 | "XL4Worksheets"=dword:00000000 63 | "XL3Worksheets"=dword:00000000 64 | "XL2Worksheets"=dword:00000000 65 | "XL4Macros"=dword:00000000 66 | "XL3Macros"=dword:00000000 67 | "XL2Macros"=dword:00000000 68 | "OpenInProtectedView"=dword:00000002 69 | 70 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView] 71 | "DisableInternetFilesInPV"=dword:00000001 72 | 
"DisableAttachmentsInPV"=dword:00000001 73 | "DisableUnsafeLocationsInPV"=dword:00000001 74 | 75 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\Trusted Locations] 76 | "AllowNetworkLocations"=dword:00000001 77 | 78 | 79 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Internet] 80 | "IDN_AlertOff"=dword:00000001 81 | "UseOnlineContent"=dword:00000000 82 | 83 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security] 84 | "AccessVBOM"=dword:00000001 85 | "VBAWarnings"=dword:00000001 86 | 87 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security\FileBlock] 88 | "OpenInProtectedView"=dword:00000002 89 | 90 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView] 91 | "DisableInternetFilesInPV"=dword:00000001 92 | "DisableAttachmentsInPV"=dword:00000001 93 | "DisableUnsafeLocationsInPV"=dword:00000001 94 | 95 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Access\Security] 96 | "VBAWarnings"=dword:00000001 97 | 98 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Publisher\Security] 99 | "VBAWarnings"=dword:00000001 100 | -------------------------------------------------------------------------------- /guest/Zombies.reg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/guest/Zombies.reg -------------------------------------------------------------------------------- /guest/ZombiesXP.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer] 4 | 5 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery] 6 | 7 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions] 8 | "NoSearchBox"=dword:00000001 9 | "NoUpdateCheck"=dword:00000001 10 | 11 
| [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter] 12 | "Enabled"=dword:00000000 13 | "EnabledV8"=dword:00000000 14 | 15 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy] 16 | "ClearBrowsingHistoryOnExit"=dword:00000001 17 | 18 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Security] 19 | "DisableFixSecuritySettings"=dword:00000001 20 | "DisableSecuritySettingsCheck"=dword:00000001 21 | 22 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings] 23 | "CertificateRevocation"=dword:00000000 24 | 25 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache] 26 | 27 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones] 28 | 29 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 30 | "1001"=dword:00000000 31 | "1004"=dword:00000000 32 | "1609"=dword:00000000 33 | "1809"=dword:00000003 34 | "1803"=dword:00000000 35 | "1800"=dword:00000000 36 | "1804"=dword:00000000 37 | "1200"=dword:00000000 38 | "2301"=dword:00000003 39 | "1806"=dword:00000000 40 | 41 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate] 42 | 43 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] 44 | "NoAutoUpdate"=dword:00000001 45 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall] 46 | 47 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile] 48 | "EnableFirewall"=dword:00000000 49 | 50 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile] 51 | "EnableFirewall"=dword:00000000 52 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update] 53 | "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}"=dword:00000000 54 | 55 | [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Google\Update] 56 | "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}"=dword:00000000 57 | 
-------------------------------------------------------------------------------- /guest/Zombieswin7.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer] 4 | 5 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery] 6 | 7 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions] 8 | "NoSearchBox"=dword:00000001 9 | "NoUpdateCheck"=dword:00000001 10 | 11 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter] 12 | "Enabled"=dword:00000000 13 | "EnabledV8"=dword:00000000 14 | 15 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy] 16 | "ClearBrowsingHistoryOnExit"=dword:00000001 17 | 18 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Security] 19 | "DisableFixSecuritySettings"=dword:00000001 20 | "DisableSecuritySettingsCheck"=dword:00000001 21 | 22 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings] 23 | "CertificateRevocation"=dword:00000000 24 | 25 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache] 26 | 27 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones] 28 | 29 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 30 | "1001"=dword:00000000 31 | "1004"=dword:00000000 32 | "1609"=dword:00000000 33 | "1809"=dword:00000003 34 | "1803"=dword:00000000 35 | "1800"=dword:00000000 36 | "1804"=dword:00000000 37 | "1200"=dword:00000000 38 | "2301"=dword:00000003 39 | "1806"=dword:00000000 40 | 41 | [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] 42 | "FormSuggest Passwords"="no" 43 | "FormSuggest PW Ask"="no" 44 | "Use FormSuggest"="no" 45 | 46 | [HKEY_CURRENT_USER\Software\Microsoft\Internet 
Explorer\Main\WindowsSearch] 47 | "AutoCompleteGroups"=dword:00000000 48 | "EnabledScopes"=dword:00000000 49 | 50 | [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion] 51 | "Enabled"=dword:00000000 52 | 53 | [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete] 54 | "AutoSuggest"="no" 55 | 56 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient] 57 | "EnableMulticast"=dword:00000000 58 | 59 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet] 60 | "PassivePollPeriod"=dword:00000005 61 | "StaleThreshold"=dword:0000001e 62 | "WebTimeout"=dword:00000023 63 | "EnableActiveProbing"=dword:00000000 64 | "ActiveWebProbeHost"="www.msftncsi.com" 65 | "ActiveWebProbePath"="ncsi.txt" 66 | "ActiveWebProbeContent"="Microsoft NCSI" 67 | "ActiveDnsProbeHost"="dns.msftncsi.com" 68 | "ActiveDnsProbeContent"="131.107.255.255" 69 | 70 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies] 71 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP] 72 | 73 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition] 74 | "Teredo_State"="Disable" 75 | 76 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] 77 | "EnableLUA"=dword:00000000 78 | 79 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext] 80 | "DisableAddonLoadTimePerformanceNotifications"=dword:00000001 81 | "IgnoreFrameApprovalCheck"=dword:00000001 82 | "NoFirsttimeprompt"=dword:00000001 83 | 84 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate] 85 | 86 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] 87 | "NoAutoUpdate"=dword:00000001 88 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall] 89 | 90 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile] 91 | "EnableFirewall"=dword:00000000 92 | 93 | 
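[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows]
; .reg syntax requires the value name in double quotes; the unquoted
; form is not accepted by regedit, which would leave CEIP telemetry enabled
"CEIPEnable"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff]
--------------------------------------------------------------------------------
/guest/hidemore.bat:
--------------------------------------------------------------------------------
REM http://blog.prowling.nu/2012/10/modifying-virtualbox-settings-for.html
REM Renames the VirtualBox ACPI table keys under HKLM\HARDWARE (VBOX__,
REM VBOXBIOS, VBOXFACP, VBOXRSDT) and rewrites two BIOS description values so
REM a registry walk from inside the guest no longer finds the "VBOX" strings.
REM You must investigate each key and replace every WOOT with the value found
REM on real hardware; that value differs per vendor for the DSDT.
REM Run from an elevated prompt: "reg" cannot write HKLM\HARDWARE otherwise.
REM Each step now reports on failure instead of failing silently.
REM NOTE(review): HKLM\HARDWARE is a volatile hive rebuilt from firmware at
REM every boot, so these renames do not survive a reboot -- re-run the script
REM in the running guest before the analysis snapshot is taken. The ACPI
REM tables themselves still carry the VBOX OEM ids and can be read without
REM the registry (e.g. GetSystemFirmwareTable); presumably the host-side
REM vboxConfBios*.py scripts in this repo are what change those -- verify.
@reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\WOOT__ /s /f || echo hidemore: DSDT\VBOX__ copy failed - not elevated, or already renamed?
@reg delete HKLM\HARDWARE\ACPI\DSDT\VBOX__ /f || echo hidemore: DSDT\VBOX__ delete failed

@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\WOOTBIOS /s /f || echo hidemore: VBOXBIOS copy failed
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS /f || echo hidemore: VBOXBIOS delete failed

REM The empty path component in FADT\\ and RSDT\\ is kept as found; confirm
REM the real key with "reg query HKLM\HARDWARE\ACPI\FADT /s" before relying on it.
@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\\VBOXFACP HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\\WOOTFACP /s /f || echo hidemore: VBOXFACP copy failed
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\\VBOXFACP /f || echo hidemore: VBOXFACP delete failed

@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\\VBOXRSDT HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\\WOOTRSDT /s /f || echo hidemore: VBOXRSDT copy failed
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\\VBOXRSDT /f || echo hidemore: VBOXRSDT delete failed

@reg add HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v VideoBiosVersion /t REG_MULTI_SZ /d "VGA BIOS v1.14" /f || echo hidemore: VideoBiosVersion add failed
@reg add HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v SystemBiosDate /t REG_SZ /d "05/05/12" /f || echo hidemore: SystemBiosDate add failed

REM Teredo could give the guest an IPv6 tunnel that routes around the
REM analysis network; Zombieswin7.reg sets the same policy (Teredo_State).
netsh interface teredo set state disabled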
| -------------------------------------------------------------------------------- /hyperscan.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/hyperscan.tar.gz -------------------------------------------------------------------------------- /libclamav-dev_0.99.2-0ubuntu0_amd64.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/libclamav-dev_0.99.2-0ubuntu0_amd64.deb -------------------------------------------------------------------------------- /libclamav7_0.99.2-0ubuntu0_amd64.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/libclamav7_0.99.2-0ubuntu0_amd64.deb -------------------------------------------------------------------------------- /local.rules: -------------------------------------------------------------------------------- 1 | alert http any any -> any any (msg:"FILE store all"; filestore; flowbits:noalert; sid:44444; rev:1;) 2 | -------------------------------------------------------------------------------- /luazip.c: -------------------------------------------------------------------------------- 1 | /* 2 | LuaZip - Reading files inside zip files. 3 | http://www.keplerproject.org/luazip/ 4 | 5 | Author: Danilo Tuler 6 | Copyright (c) 2003-2007 Kepler Project 7 | 8 | $Id: luazip.c,v 1.11 2007-06-18 18:47:05 carregal Exp $ 9 | */ 10 | 11 | #include 12 | #include 13 | #include "zzip/zzip.h" 14 | #include "luazip.h" 15 | #include "lauxlib.h" 16 | #if ! 
defined (LUA_VERSION_NUM) || LUA_VERSION_NUM < 501 17 | #include "compat-5.1.h" 18 | #endif 19 | 20 | #define ZIPFILEHANDLE "lzipFile" 21 | #define ZIPINTERNALFILEHANDLE "lzipInternalFile" 22 | #define LUAZIP_MAX_EXTENSIONS 32 23 | 24 | static int pushresult (lua_State *L, int i, const char *filename) { 25 | if (i) { 26 | lua_pushboolean(L, 1); 27 | return 1; 28 | } 29 | else { 30 | lua_pushnil(L); 31 | if (filename) 32 | lua_pushfstring(L, "%s: %s", filename, zzip_strerror(zzip_errno(errno))); 33 | else 34 | lua_pushfstring(L, "%s", zzip_strerror(zzip_errno(errno))); 35 | lua_pushnumber(L, zzip_errno(errno)); 36 | return 3; 37 | } 38 | } 39 | 40 | static ZZIP_DIR** topfile (lua_State *L, int findex) { 41 | ZZIP_DIR** f = (ZZIP_DIR**)luaL_checkudata(L, findex, ZIPFILEHANDLE); 42 | if (f == NULL) luaL_argerror(L, findex, "bad zip file"); 43 | return f; 44 | } 45 | 46 | static ZZIP_DIR* tofile (lua_State *L, int findex) { 47 | ZZIP_DIR** f = topfile(L, findex); 48 | if (*f == NULL) 49 | luaL_error(L, "attempt to use a closed zip file"); 50 | return *f; 51 | } 52 | 53 | static ZZIP_FILE** topinternalfile (lua_State *L, int findex) { 54 | ZZIP_FILE** f = (ZZIP_FILE**)luaL_checkudata(L, findex, ZIPINTERNALFILEHANDLE); 55 | if (f == NULL) luaL_argerror(L, findex, "bad zip file"); 56 | return f; 57 | } 58 | 59 | static ZZIP_FILE* tointernalfile (lua_State *L, int findex) { 60 | ZZIP_FILE** f = topinternalfile(L, findex); 61 | if (*f == NULL) 62 | luaL_error(L, "attempt to use a closed zip file"); 63 | return *f; 64 | } 65 | 66 | /* 67 | ** When creating file handles, always creates a `closed' file handle 68 | ** before opening the actual file; so, if there is a memory error, the 69 | ** file is not left opened. 
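 */
static ZZIP_DIR** newfile (lua_State *L) {
  /* Push a ZIPFILEHANDLE userdata holding a NULL ZZIP_DIR* (a `closed'
  ** handle); the caller stores the real handle once the open succeeds. */
  ZZIP_DIR** pf = (ZZIP_DIR**)lua_newuserdata(L, sizeof(ZZIP_DIR*));
  *pf = NULL;  /* file handle is currently `closed' */
  luaL_getmetatable(L, ZIPFILEHANDLE);
  lua_setmetatable(L, -2);
  return pf;
}

static ZZIP_FILE** newinternalfile (lua_State *L) {
  /* Same as newfile() for a file stored inside an archive. */
  ZZIP_FILE** pf = (ZZIP_FILE**)lua_newuserdata(L, sizeof(ZZIP_FILE*));
  *pf = NULL;  /* file handle is currently `closed' */
  luaL_getmetatable(L, ZIPINTERNALFILEHANDLE);
  lua_setmetatable(L, -2);
  return pf;
}


/*
** zip.open(zipfilename): open an archive for reading.
** Returns the archive handle, or nil plus a message.
*/
static int zip_open (lua_State *L) {
  const char *zipfilename = luaL_checkstring(L, 1);
  /*const char *mode = luaL_optstring(L, 2, "r");*/

  ZZIP_DIR** pf = newfile(L);
  *pf = zzip_dir_open(zipfilename, 0);
  if (*pf == NULL)
  {
    lua_pushnil(L);
    lua_pushfstring(L, "could not open file `%s'", zipfilename);
    return 2;
  }
  return 1;
}

/*
** zipfile:close(): close the archive and mark the userdata closed so a
** later use raises "attempt to use a closed zip file" instead of
** touching freed memory. Returns true on success, false otherwise.
*/
static int zip_close (lua_State *L) {
  ZZIP_DIR* f = tofile(L, 1);
  if (zzip_dir_close(f) == 0)
  {
    *(ZZIP_DIR**)lua_touserdata(L, 1) = NULL; /* mark file as close */
    lua_pushboolean(L, 1);
  }
  else
    lua_pushboolean(L, 0);
  return 1;
}

/*
** zipfile:open(name): open an entry of an already-open archive by its
** name in the central directory (no filesystem path is involved).
** Returns the entry handle, or nil plus a message.
*/
static int f_open (lua_State *L) {
  ZZIP_DIR* uf = tofile(L, 1);
  const char *filename = luaL_checkstring(L, 2);
  /*const char *mode = luaL_optstring(L, 3, "r");*/
  ZZIP_FILE** inf = newinternalfile(L);

  *inf = zzip_file_open(uf, filename, 0);
  if (*inf)
    return 1;

  lua_pushnil(L);
  lua_pushfstring(L, "could not open file `%s'", filename);
  return 2;
}

/*
** zip.openfile(filename [, ext | {ext, ...}])
** Open `filename' as a file inside a zip archive; when extensions are
** given, zziplib is told to try them so "dir/file" may resolve through
** "dir.zip/file". Returns the entry handle, or nil plus a message.
*/
static int zip_openfile (lua_State *L) {
  ZZIP_FILE** inf;
  int udidx;

  const char * ext2[LUAZIP_MAX_EXTENSIONS+1];
  zzip_strings_t *ext = ext2;

  const char *filename = luaL_checkstring(L, 1);
  /*const char *mode = luaL_optstring(L, 2, "r");*/

  inf = newinternalfile(L);
  udidx = lua_gettop(L);  /* stack slot of the handle we return */

  if (lua_isstring(L, 2))
  {
    /* creates a table with the string as the first and only (numerical) element */
    lua_newtable(L);
    lua_pushvalue(L, 2);
    lua_rawseti(L, -2, 1);

    /* replaces the string by the table with the string inside */
    lua_replace(L, 2);
  }

  if (lua_istable(L, 2))
  {
    int i, m, n;

    /* how many extension were specified? */
    n = luaL_getn(L, 2);

    if (n > LUAZIP_MAX_EXTENSIONS)
    {
      luaL_error(L, "too many extensions specified");
    }

    /* The ".ext" strings built below stay on the stack until the open has
    ** returned: a lua_tostring() pointer is only valid while the value is
    ** reachable, and the original popped each string right away, leaving
    ** ext2[] pointing at memory the GC was free to reclaim. n is bounded
    ** by LUAZIP_MAX_EXTENSIONS, but that exceeds LUA_MINSTACK. */
    luaL_checkstack(L, n + 1, "too many extensions");

    for (i = 0, m = 0; i < n; i++)
    {
      lua_rawgeti(L, 2, i+1);
      if (lua_isstring(L, -1))
      {
        /* luazip specifies "zip" as the extension, but zziplib expects ".zip" */
        lua_pushstring(L, ".");
        lua_insert(L, -2);
        lua_concat(L, 2);

        ext2[m] = lua_tostring(L, -1);  /* left on the stack (anchored) */
        m++;
      }
      else
        lua_pop(L, 1);  /* not a string: ignore it, as before */
    }
    ext2[m] = 0;

    *inf = zzip_open_ext_io(filename, 0, 0664, ext, 0);
    lua_settop(L, udidx);  /* drop the extension strings; handle is on top */
  }
  else
  {
    *inf = zzip_open(filename, 0);
  }

  if (*inf)
    return 1;

  lua_pushnil(L);
  lua_pushfstring(L, "could not open file `%s'", filename);
  return 2;
}

/*
** zip.type(x): "zip file", "closed zip file", or nil for anything else.
*/
static int zip_type (lua_State *L) {
  ZZIP_DIR** f = (ZZIP_DIR**)luaL_checkudata(L, 1, ZIPFILEHANDLE);
  if (f == NULL) lua_pushnil(L);
  else if (*f == NULL)
    lua_pushliteral(L, "closed zip file");
  else
    lua_pushliteral(L, "zip file");
  return 1;
}

static int zip_tostring (lua_State *L) {
  char buff[32];
  ZZIP_DIR** f = topfile(L, 1);
  if (*f == NULL)
    strcpy(buff, "closed");
  else
    snprintf(buff, sizeof(buff), "%p", lua_touserdata(L, 1));  /* bounded */
  lua_pushfstring(L, "zip file (%s)", buff);
  return 1;
}

static int ff_tostring (lua_State *L) {
  char buff[32];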
ZZIP_FILE** f = topinternalfile(L, 1); 223 | if (*f == NULL) 224 | strcpy(buff, "closed"); 225 | else 226 | sprintf(buff, "%p", lua_touserdata(L, 1)); 227 | lua_pushfstring(L, "file in zip file (%s)", buff); 228 | return 1; 229 | } 230 | 231 | static int zip_gc (lua_State *L) { 232 | ZZIP_DIR**f = topfile(L, 1); 233 | if (*f != NULL) /* ignore closed files */ 234 | zip_close(L); 235 | return 0; 236 | } 237 | 238 | static int zip_readfile (lua_State *L) { 239 | ZZIP_DIRENT* ent = NULL; 240 | ZZIP_DIR* uf = NULL; 241 | 242 | uf = *(ZZIP_DIR**)lua_touserdata(L, lua_upvalueindex(1)); 243 | if (uf == NULL) /* file is already closed? */ 244 | luaL_error(L, "file is already closed"); 245 | 246 | ent = zzip_readdir(uf); 247 | 248 | if (ent == NULL) 249 | return 0; 250 | 251 | lua_newtable(L); 252 | lua_pushstring(L, "compressed_size"); lua_pushnumber(L, ent->d_csize); lua_settable(L, -3); 253 | lua_pushstring(L, "compression_method"); lua_pushnumber(L, ent->d_compr); lua_settable(L, -3); 254 | lua_pushstring(L, "uncompressed_size"); lua_pushnumber(L, ent->st_size); lua_settable(L, -3); 255 | lua_pushstring(L, "filename"); lua_pushstring(L, ent->d_name); lua_settable(L, -3); 256 | 257 | return 1; 258 | } 259 | 260 | static int f_files (lua_State *L) { 261 | ZZIP_DIR *f = tofile(L, 1); 262 | zzip_rewinddir(f); 263 | lua_pushliteral(L, ZIPFILEHANDLE); 264 | lua_rawget(L, LUA_REGISTRYINDEX); 265 | lua_pushcclosure(L, zip_readfile, 2); 266 | return 1; 267 | } 268 | 269 | static int aux_close (lua_State *L) { 270 | ZZIP_FILE *f = tointernalfile(L, 1); 271 | int ok = (zzip_fclose(f) == 0); 272 | if (ok) 273 | *(ZZIP_FILE **)lua_touserdata(L, 1) = NULL; /* mark file as closed */ 274 | return ok; 275 | } 276 | 277 | static int ff_close (lua_State *L) { 278 | return pushresult(L, aux_close(L), NULL); 279 | } 280 | 281 | static int ff_gc (lua_State *L) { 282 | ZZIP_FILE**f = topinternalfile(L, 1); 283 | if (*f != NULL) /* ignore closed files */ 284 | aux_close(L); 285 | return 0; 286 
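}

/*
** Read one byte from a zip entry; EOF at end of data or on a zziplib error.
** The byte is returned as 0..255: the original went through a plain
** `char', which is signed on x86, so a 0xFF data byte read as -1 == EOF
** and silently ended the line, and a negative (error) return from
** zzip_fread was not treated as EOF at all.
*/
static int zzip_getc (ZZIP_FILE *f)
{
  unsigned char c;
  return (zzip_fread(&c, sizeof(char), 1, f) <= 0) ? EOF : (int)c;
}

/*
** fgets() over a zip entry: copy bytes into `str' until size-1 bytes, a
** newline (kept, as stdio fgets keeps it) or end of data. Returns NULL
** only when nothing at all was read; a final line without a trailing
** newline is now returned instead of being dropped. Callers use strlen()
** on the result, so a NUL byte inside the entry truncates that line --
** the same limitation as stdio fgets.
*/
static char* zzip_fgets(char *str, int size, ZZIP_FILE *stream)
{
  int c, i;

  if (size <= 0)
    return NULL;

  for (i = 0; i < size-1; i++)
  {
    c = zzip_getc(stream);
    if (EOF == c)
    {
      if (i == 0)
        return NULL;
      break;  /* partial last line: hand back what was read */
    }
    str[i] = (char)c;
    if (('\n' == c)/* || ('\r' == c)*/)
    {
      i++;  /* keep the newline; read_line strips it */
      break;
    }
  }
  str[i] = '\0';

  return str;
}

/* no support to read numbers
static int zzip_fscanf (ZZIP_FILE *f, const char *format, ...)
{
  // TODO
  return 0;
}

static int read_number (lua_State *L, ZZIP_FILE *f) {
  lua_Number d;
  if (zzip_fscanf(f, LUA_NUMBER_SCAN, &d) == 1) {
    lua_pushnumber(L, d);
    return 1;
  }
  else return 0;  // read fails
}
*/

/*
** read(0): the EOF probe. There is still no cheap peek on a compressed
** entry (TODO), so this does not detect EOF; but it must push exactly one
** value, because g_read counts it as a result -- the original pushed
** nothing and returned 1, so the reported result count exceeded what was
** on the stack and the caller received stray stack slots as results.
*/
static int test_eof (lua_State *L, ZZIP_FILE *f) {
  (void) f;
  lua_pushlstring(L, NULL, 0);
  return 1;
}

/*
** Read one line (without its `\n') into a Lua string. Returns 1 if a line
** was read, 0 at EOF with nothing read (an empty string is pushed then).
*/
static int read_line (lua_State *L, ZZIP_FILE *f) {
  luaL_Buffer b;
  luaL_buffinit(L, &b);
  for (;;) {
    size_t l;
    char *p = luaL_prepbuffer(&b);
    if (zzip_fgets(p, LUAL_BUFFERSIZE, f) == NULL) {  /* eof? */
      luaL_pushresult(&b);  /* close buffer */
      return (lua_strlen(L, -1) > 0);  /* check whether read something */
    }
    l = strlen(p);
    /* l == 0 when the chunk begins with a NUL byte; the original then
    ** read p[-1], one byte before the buffer (same fix as Lua 5.1 liolib). */
    if (l == 0 || p[l-1] != '\n')
      luaL_addsize(&b, l);
    else {
      luaL_addsize(&b, l - 1);  /* do not include `eol' */
      luaL_pushresult(&b);  /* close buffer */
      return 1;  /* read at least an `eol' */
    }
  }
}

/*
** Read up to `n' bytes into a Lua string. Returns 1 if the count was met
** or at least one byte was read, 0 otherwise (including a zziplib error);
** in every case exactly one string is left on the stack.
*/
static int read_chars (lua_State *L, ZZIP_FILE *f, size_t n) {
  size_t rlen;  /* how much to read */
  size_t nr;  /* number of chars actually read */
  luaL_Buffer b;
  luaL_buffinit(L, &b);
  rlen = LUAL_BUFFERSIZE;  /* try to read that much each time */
  do {
    char *p = luaL_prepbuffer(&b);
    zzip_ssize_t got;
    if (rlen > n) rlen = n;  /* cannot read more than asked */
    got = zzip_fread(p, sizeof(char), rlen, f);
    if (got < 0) {
      /* zziplib error: close the buffer so the stack holds the one result
      ** g_read expects to pop and replace with nil. The original returned
      ** with the buffer still open and wrote a debug line to stdout. */
      luaL_pushresult(&b);
      return 0;
    }
    nr = (size_t)got;
    luaL_addsize(&b, nr);
    n -= nr;  /* still have to read `n' chars */
  } while (n > 0 && nr == rlen);  /* until end of count or eof */
  luaL_pushresult(&b);  /* close buffer */
  return (n == 0 || lua_strlen(L, -1) > 0);
}

/*
** Shared body of file:read(...): formats start at stack index `first'.
** Mirrors Lua's liolib g_read, minus "*n".
*/
static int g_read (lua_State *L, ZZIP_FILE *f, int first) {
  int nargs = lua_gettop(L) - 1;
  int success;
  int n;
  if (nargs == 0) {  /* no arguments? */
    success = read_line(L, f);
    n = first+1;  /* to return 1 result */
  }
  else {  /* ensure stack space for all results and for auxlib's buffer */
    luaL_checkstack(L, nargs+LUA_MINSTACK, "too many arguments");
    success = 1;
    for (n = first; nargs-- && success; n++) {
      if (lua_type(L, n) == LUA_TNUMBER) {
        size_t l = (size_t)lua_tonumber(L, n);
        success = (l == 0) ?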
test_eof(L, f) : read_chars(L, f, l); 396 | } 397 | else { 398 | const char *p = lua_tostring(L, n); 399 | luaL_argcheck(L, p && p[0] == '*', n, "invalid option"); 400 | switch (p[1]) { 401 | case 'l': /* line */ 402 | success = read_line(L, f); 403 | break; 404 | case 'a': /* file */ 405 | read_chars(L, f, ~((size_t)0)); /* read MAX_SIZE_T chars */ 406 | success = 1; /* always success */ 407 | break; 408 | default: 409 | return luaL_argerror(L, n, "invalid format"); 410 | } 411 | } 412 | } 413 | } 414 | if (!success) { 415 | lua_pop(L, 1); /* remove last result */ 416 | lua_pushnil(L); /* push nil instead */ 417 | } 418 | return n - first; 419 | } 420 | 421 | static int ff_read (lua_State *L) { 422 | return g_read(L, tointernalfile(L, 1), 2); 423 | } 424 | 425 | static int zip_readline (lua_State *L); 426 | 427 | static void aux_lines (lua_State *L, int idx, int close) { 428 | lua_pushliteral(L, ZIPINTERNALFILEHANDLE); 429 | lua_rawget(L, LUA_REGISTRYINDEX); 430 | lua_pushvalue(L, idx); 431 | lua_pushboolean(L, close); /* close/not close file when finished */ 432 | lua_pushcclosure(L, zip_readline, 3); 433 | } 434 | 435 | static int ff_lines (lua_State *L) { 436 | tointernalfile(L, 1); /* check that it's a valid file handle */ 437 | aux_lines(L, 1, 0); 438 | return 1; 439 | } 440 | 441 | static int zip_readline (lua_State *L) { 442 | ZZIP_FILE *f = *(ZZIP_FILE **)lua_touserdata(L, lua_upvalueindex(2)); 443 | if (f == NULL) /* file is already closed? */ 444 | luaL_error(L, "file is already closed"); 445 | if (read_line(L, f)) return 1; 446 | else { /* EOF */ 447 | if (lua_toboolean(L, lua_upvalueindex(3))) { /* generator created file? 
*/ 448 | lua_settop(L, 0); 449 | lua_pushvalue(L, lua_upvalueindex(2)); 450 | aux_close(L); /* close it */ 451 | } 452 | return 0; 453 | } 454 | } 455 | 456 | static int ff_seek (lua_State *L) { 457 | static const int mode[] = {SEEK_SET, SEEK_CUR, SEEK_END}; 458 | static const char *const modenames[] = {"set", "cur", "end", NULL}; 459 | ZZIP_FILE *f = tointernalfile(L, 1); 460 | long offset = luaL_optlong(L, 3, 0); 461 | #if ! defined (LUA_VERSION_NUM) || LUA_VERSION_NUM < 501 462 | int op = luaL_findstring(luaL_optstring(L, 2, "cur"), modenames); 463 | luaL_argcheck(L, op != -1, 2, "invalid mode"); 464 | #else 465 | int op = luaL_checkoption(L, 2, "cur", modenames); 466 | #endif 467 | op = zzip_seek(f, offset, mode[op]); 468 | if (op < 0) 469 | return pushresult(L, 0, NULL); /* error */ 470 | else { 471 | lua_pushnumber(L, zzip_tell(f)); 472 | return 1; 473 | } 474 | } 475 | 476 | static const luaL_reg ziplib[] = { 477 | {"open", zip_open}, 478 | {"close", zip_close}, 479 | {"type", zip_type}, 480 | // {"files", io_files}, 481 | {"openfile", zip_openfile}, 482 | {NULL, NULL} 483 | }; 484 | 485 | static const luaL_reg flib[] = { 486 | {"open", f_open}, 487 | {"close", zip_close}, 488 | {"files", f_files}, 489 | {"__gc", zip_gc}, 490 | {"__tostring", zip_tostring}, 491 | {NULL, NULL} 492 | }; 493 | 494 | static const luaL_reg fflib[] = { 495 | {"read", ff_read}, 496 | {"close", ff_close}, 497 | {"seek", ff_seek}, 498 | {"lines", ff_lines}, 499 | {"__gc", ff_gc}, 500 | {"__tostring", ff_tostring}, 501 | /* {"flush", ff_flush}, 502 | {"write", ff_write},*/ 503 | {NULL, NULL} 504 | }; 505 | 506 | 507 | /* 508 | ** Assumes the table is on top of the stack. 
509 | */ 510 | static void set_info (lua_State *L) { 511 | lua_pushliteral (L, "_COPYRIGHT"); 512 | lua_pushliteral (L, "Copyright (C) 2003-2007 Kepler Project"); 513 | lua_settable (L, -3); 514 | lua_pushliteral (L, "_DESCRIPTION"); 515 | lua_pushliteral (L, "Reading files inside zip files"); 516 | lua_settable (L, -3); 517 | lua_pushliteral (L, "_VERSION"); 518 | lua_pushliteral (L, "LuaZip 1.2.4"); 519 | lua_settable (L, -3); 520 | } 521 | 522 | static void createmeta (lua_State *L) { 523 | luaL_newmetatable(L, ZIPFILEHANDLE); /* create new metatable for file handles */ 524 | /* file methods */ 525 | lua_pushliteral(L, "__index"); 526 | lua_pushvalue(L, -2); /* push metatable */ 527 | lua_rawset(L, -3); /* metatable.__index = metatable */ 528 | luaL_openlib(L, NULL, flib, 0); 529 | 530 | luaL_newmetatable(L, ZIPINTERNALFILEHANDLE); /* create new metatable for internal file handles */ 531 | /* internal file methods */ 532 | lua_pushliteral(L, "__index"); 533 | lua_pushvalue(L, -2); /* push metatable */ 534 | lua_rawset(L, -3); /* metatable.__index = metatable */ 535 | luaL_openlib(L, NULL, fflib, 0); 536 | } 537 | 538 | LUAZIP_API int luaopen_zip (lua_State *L) { 539 | createmeta(L); 540 | lua_pushvalue(L, -1); 541 | luaL_openlib(L, LUA_ZIPLIBNAME, ziplib, 1); 542 | set_info(L); 543 | return 1; 544 | } 545 | -------------------------------------------------------------------------------- /moloch-fixes.diff: -------------------------------------------------------------------------------- 1 | diff -uNr moloch-0.11.3/easybutton-build.sh moloch-0.11.3-patch/easybutton-build.sh 2 | --- moloch-0.11.3/easybutton-build.sh 2015-02-26 10:58:02.000000000 -0600 3 | +++ moloch-0.11.3-patch/easybutton-build.sh 2015-03-11 09:00:12.151399099 -0500 4 | 
@@ -127,7 +127,7 @@ 5 | # (cd GeoIP-$GEOIP ; libtoolize -f) 6 | # fi 7 | 8 | - (cd GeoIP-$GEOIP ; ./configure --enable-static; $MAKE) 9 | + (cd GeoIP-$GEOIP ; libtoolize -f && ./bootstrap && ./configure --enable-static; $MAKE) 10 | if [ $? -ne 0 ]; then 11 | echo "MOLOCH: $MAKE failed" 12 | exit 1 13 | diff -uNr moloch-0.11.3/single-host/etc/config.ini.template moloch-0.11.3-patch/single-host/etc/config.ini.template 14 | --- moloch-0.11.3/single-host/etc/config.ini.template 2015-02-26 10:58:02.000000000 -0600 15 | +++ moloch-0.11.3-patch/single-host/etc/config.ini.template 2015-03-11 09:01:08.515399092 -0500 16 | @@ -98,7 +98,7 @@ 17 | # expressed as a percentage (ex: 5%). This does NOT delete the session records in 18 | # the database. It is recommended this value is between 5% and 10% of the disk. 19 | # Database deletes are done by the db.pl expire script 20 | -freeSpaceG = 600 21 | +freeSpaceG = 5 22 | 23 | # The port to listen on, by default 8005 24 | viewPort = 8005 25 | 
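Review bot: The new line still separates `$MAKE` with `;`, so make runs even when libtoolize, bootstrap or configure failed, and the `if [ $? -ne 0 ]` on the following line only sees make's exit status — a build against a half-configured tree can fail with an unrelated error or, worse, succeed with stale artifacts. The same applies to the `cd GeoIP-$GEOIP ;` the commit keeps: if the directory is missing, the rest of the subshell runs in the current directory. Chain the whole subshell: `(cd GeoIP-$GEOIP && libtoolize -f && ./bootstrap && ./configure --enable-static && $MAKE)`, which makes the existing `$?` check cover every step.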
@@ -256,7 +256,7 @@ 26 | # Classes of nodes 27 | # Can override most default values, and create a tag call node: 28 | [test] 29 | -freeSpaceG = 200 30 | +freeSpaceG = 5 31 | 32 | ############################################################################## 33 | # Nodes 34 | -------------------------------------------------------------------------------- /moloch.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/moloch.tar.gz -------------------------------------------------------------------------------- /pefile-1.2.10-139.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/pefile-1.2.10-139.tar.gz -------------------------------------------------------------------------------- /procyon-decompiler-0.5.30.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/procyon-decompiler-0.5.30.jar -------------------------------------------------------------------------------- /pulledpork-0.6.1.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/pulledpork-0.6.1.tar.gz -------------------------------------------------------------------------------- /pulledpork-etpro-fix.diff: -------------------------------------------------------------------------------- 1 | diff -uNr pulledpork-0.6.1/pulledpork.pl pulledpork-0.6.1-dev/pulledpork.pl 2 | --- pulledpork-0.6.1/pulledpork.pl 2011-04-01 10:57:50.000000000 -0500 3 | +++ pulledpork-0.6.1-dev/pulledpork.pl 2012-07-12 11:58:02.000000000 -0500 4 | 
@@ -49,7 +49,7 @@
5 | my ( $Snort_config, $Snort_path, $Textonly, $grabonly, $ips_policy, );
6 | my ( $pid_path, $SigHup, $NoDownload, $sid_msg_map, @base_url );
7 | my ( $local_rules, $arch, $docs, @records, $enonly );
8 | -my ( $rstate, $keep_rulefiles, $rule_file_path, $prefix );
9 | +my ( $rstate, $keep_rulefiles, $rule_file_path, $prefix, $Engine, $SuriVersion);
10 |
11 | # verbose and quiet control print()
12 | # default values if not set otherwise in getopt
13 | @@ -172,6 +172,8 @@
14 | -V Print Version and exit
15 | -v Verbose mode, you know.. for troubleshooting and such nonsense.
16 | -vv EXTRA Verbose mode, you know.. for in-depth troubleshooting and other such nonsense.
17 | + -z Engine suricata or snort (defaults to snort)
18 | + -Z Suricata Version (no effect if engine is snort)
19 | __EOT
20 |
21 | exit(0);
22 | @@ -435,12 +437,13 @@
23 | getstore( "https://www.snort.org/reg-rules/$rule_file.md5/$oinkcode",
24 | $temp_path . $rule_file . ".md5" );
25 | }
26 | - elsif ( $base_url =~ /emergingthreats\.net/i ) {
27 | + elsif ( $base_url =~ /emergingthreats(pro\.com|\.net)/i ) {
28 | $getrules_md5 = getstore(
29 | "$base_url/$rule_file" . ".md5",
30 | $temp_path . $rule_file . ".md5"
31 | );
32 | }
33 | +
34 | if ( $getrules_md5 == 403 ) {
35 | print
36 | "\tA 403 error occurred, please wait for the 15 minute timeout\n\tto expire before trying again or specify the -n runtime switch\n",
37 | @@ -1435,6 +1438,8 @@
38 | "u=s" => \@base_url,
39 | "V!" => sub { Version() },
40 | "v+" => \$Verbose,
41 | + "z=s" => \$Engine,
42 | + "Z=s" => \$SuriVersion,
43 | "help|?" => sub { Help() }
44 | );
45 |
46 |
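Review bot: The new condition `$base_url =~ /emergingthreats(pro\.com|\.net)/i` in the @@ -435 hunk is a substring test over the whole URL rather than a check on its host part, so a configured URL that merely contains that text in its path would also take the ET branch, and in the @@ -1742 hunk the same test decides that `$oinkcode` is appended to the URL that is then fetched. The URL comes from the operator's own configuration, so the exposure is limited, but anchoring on the host, e.g. `$base_url =~ m{^https?://[^/]*emergingthreats(?:pro\.com|\.net)/}i`, keeps the oinkcode from being sent anywhere but the intended hosts. The copy in @@ -1742 lacks the `/i` flag, so the two branches can also disagree on a mixed-case URL.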
@@ -1587,6 +1592,22 @@
47 | $ips_policy = "Disabled";
48 | }
49 |
50 | +if ( !$Engine ) {
51 | + if ( exists $Config_info{'engine'} ) {
52 | + $Engine = $Config_info{'engine'};
53 | + }
54 | + else {
55 | + $Engine = 'snort';
56 | + }
57 | +}
58 | +
59 | +croak("Unknown IDS Engine $Engine please specify an engine of \'snort\' or \'suricata\' in your pulledpork.conf\n")
60 | + unless $Engine =~ /^(snort|suricata)$/;
61 | +
62 | +if ( $Engine eq 'suricata' && ( !$SuriVersion ) && ( $Config_info{'suricata_version'} ) ) {
63 | + $SuriVersion = ( $Config_info{'suricata_version'} );
64 | +}
65 | +
66 | if ( $Verbose && !$Quiet ) {
67 | print "MISC (CLI and Autovar) Variable Debug:\n";
68 | if ($arch) { print "\tarch Def is: $arch\n"; }
69 |
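Review bot: `$SuriVersion` is taken from `$Config_info{'suricata_version'}` without any validation, unlike `$Engine`, which the new `croak` a few lines above restricts to `/^(snort|suricata)$/`; in the @@ -1742 hunk the value is interpolated straight into the download URL as `suricata-$SuriVersion/`. A check beside the engine check, e.g. `croak("Invalid suricata_version $SuriVersion\n") if $SuriVersion && $SuriVersion !~ /^[0-9.]+$/;`, turns a typo or stray characters in the config into an error instead of a malformed URL. The `-Z` option added in the @@ -1435 hunk sets the same variable, so the check covers both sources.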
@@ -1742,12 +1763,21 @@ 70 | $rule_file = "snortrules-snapshot-$Snortv.tar.gz"; 71 | } 72 | } 73 | - elsif ( $base_url =~ /emergingthreats.net/ ) { 74 | + elsif ( $base_url =~ /emergingthreats(pro\.com|\.net)/ ) { 75 | $prefix = "ET-"; 76 | - my $Snortv = $Snort; 77 | - $Snortv =~ s/(?<=\d\.\d\.\d)\.\d//; 78 | - $base_url .= "$oinkcode/snort-$Snortv/"; 79 | - 80 | + if ( $Engine eq 'snort' ) { 81 | + my $Snortv = $Snort; 82 | + $Snortv =~ s/(?<=\d\.\d\.\d)\.\d//; 83 | + $base_url .= "$oinkcode/snort-$Snortv/"; 84 | + } 85 | + elsif ( $Engine eq 'suricata' ){ 86 | + if ( !$SuriVersion ) { 87 | + $base_url .= "$oinkcode/suricata/"; 88 | + } 89 | + else { 90 | + $base_url .= "$oinkcode/suricata-$SuriVersion/"; 91 | + } 92 | + } 93 | #$Textonly = 1; 94 | } 95 | 96 | -------------------------------------------------------------------------------- /services/cuckoo: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ### BEGIN INIT INFO 3 | # Provides: Cuckoo 4 | # Required-Start: $remote_fs $syslog 5 | # Required-Stop: $remote_fs $syslog 6 | # Default-Start: 2 3 4 5 7 | # Default-Stop: 8 | # Short-Description: Cuckoo 9 | ### END INIT INFO 10 | 11 | case "$1" in 12 | start) 13 | su cuckoo -c "cd /data/cuckoo/ && screen -d -m ./cuckoo.py" 14 | su cuckoo -c "cd /data/cuckoo/web && screen -d -m python manage.py runserver 0.0.0.0:8080" 15 | ;; 16 | stop) 17 | pkill -f "SCREEN -d -m ./cuckoo.py" 18 | pkill -f "SCREEN -d -m python manage.py runserver 0.0.0.0:8080" 19 | ;; 20 | 21 | restart) 22 | $0 stop 23 | sleep 30 24 | $0 start 25 | ;; 26 | 27 | esac 28 | exit 0 29 | -------------------------------------------------------------------------------- /services/iptables: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ### BEGIN INIT INFO 3 | # Provides: iptables fw 4 | # Required-Start: $remote_fs $syslog 5 | # Required-Stop: $remote_fs $syslog 6 | # Default-Start: 2 3 4 5 7 | # 
Default-Stop: 8 | # Short-Description: iptables fw 9 | ### END INIT INFO 10 | 11 | IPTABLES="/sbin/iptables" 12 | ZOMBIEIF="lan0p1" 13 | RTRIF="lan0p0" 14 | HOSTIF="lan0hp0" 15 | INTIF_IP="192.168.1.254" 16 | INTIF_NET="192.168.1.0/24" 17 | MGMTIF="p118p1" 18 | LO="lo" 19 | LO_IP="127.0.0.1" 20 | 21 | case "$1" in 22 | start) 23 | 24 | echo "1" > /proc/sys/net/ipv4/ip_forward 25 | echo "1" > /proc/sys/net/ipv4/tcp_syncookies 26 | echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 27 | echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter 28 | echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects 29 | echo "1" > /proc/sys/net/ipv4/conf/all/log_martians 30 | 31 | /sbin/modprobe ip_tables 32 | /sbin/modprobe ip_conntrack 33 | /sbin/modprobe ip_nat_ftp 34 | /sbin/modprobe ip_conntrack_ftp 35 | /sbin/modprobe ip_nat_irc 36 | /sbin/modprobe ip_conntrack_irc 37 | 38 | $IPTABLES -F 39 | $IPTABLES -F -t nat 40 | $IPTABLES -X 41 | $IPTABLES -X -t nat 42 | $IPTABLES -P INPUT DROP 43 | $IPTABLES -P OUTPUT ACCEPT 44 | $IPTABLES -P FORWARD DROP 45 | 46 | ############################################################################### 47 | ### INPUT 48 | ############################################################################### 49 | $IPTABLES -A INPUT -p 47 -j ACCEPT 50 | $IPTABLES -A INPUT -p udp --dport 68 -j ACCEPT 51 | $IPTABLES -A INPUT -p udp --dport 67 -j ACCEPT 52 | $IPTABLES -A INPUT -p ALL -m state --state INVALID -j LOG --log-level notice --log-prefix "(INPUT-D) INVALID: " 53 | $IPTABLES -A INPUT -p ALL -m state --state INVALID -j DROP 54 | 55 | $IPTABLES -A INPUT -p ALL -i $LO -j LOG --log-level notice --log-prefix "(INPUT-A) LOCAL: " 56 | $IPTABLES -A INPUT -p ALL -i $LO -j ACCEPT 57 | 58 | $IPTABLES -A INPUT -p TCP ! --syn -m state --state NEW -j LOG --log-level notice --log-prefix "(INPUT-D) NEW NOT SYN: " 59 | $IPTABLES -A INPUT -p TCP ! 
--syn -m state --state NEW -j DROP 60 | 61 | $IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j LOG --log-level notice --log-prefix "(INPUT-A) ESTABLISHED: " 62 | $IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT 63 | 64 | $IPTABLES -A INPUT -p ICMP ! --fragment --icmp-type 8 -j LOG --log-level notice --log-prefix "(INPUT-A) ICMP 8: " 65 | $IPTABLES -A INPUT -p ICMP ! --fragment --icmp-type 8 -j ACCEPT 66 | $IPTABLES -A INPUT -p tcp --dport 22 -i $MGMTIF -m state --state NEW -j ACCEPT 67 | #$IPTABLES -A INPUT -p tcp --dport 443 -i $EXTIF -m state --state NEW -j ACCEPT 68 | $IPTABLES -A INPUT -p tcp --dport 3389 -i $MGMTIF -m state --state NEW -j ACCEPT 69 | $IPTABLES -A INPUT -p tcp --dport 8080 -i $MGMTIF -m state --state NEW -j ACCEPT 70 | $IPTABLES -A INPUT -p tcp --dport 2042:2052 -i $HOSTIF -m state --state NEW -j ACCEPT 71 | $IPTABLES -A INPUT -p tcp --dport 443 -m state --state NEW -i $MGMTIF -j ACCEPT 72 | $IPTABLES -A INPUT -p tcp --dport 443 -m state --state NEW -i $EXTIF -j ACCEPT 73 | $IPTABLES -A INPUT -p tcp --dport 8005 -m state --state NEW -i $MGMTIF -j ACCEPT 74 | ############################################################################### 75 | ### FORWARD 76 | ############################################################################### 77 | 78 | $IPTABLES -A FORWARD -p ALL -m state --state INVALID -j LOG --log-level notice --log-prefix "(FORWARD-D) INVALID: " 79 | $IPTABLES -A FORWARD -p ALL -m state --state INVALID -j DROP 80 | 81 | $IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j LOG --log-level notice --log-prefix "(FORWARD-D) NEW NOT SYN: " 82 | $IPTABLES -A FORWARD -p TCP ! 
--syn -m state --state NEW -j DROP 83 | 84 | $IPTABLES -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j LOG --log-level notice --log-prefix "(FORWARD-A) EST: " 85 | $IPTABLES -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT 86 | $IPTABLES -A FORWARD -p ALL -i $ZOMBIEIF -o $RTRIF -j ACCEPT 87 | $IPTABLES -A FORWARD -p tcp -o $ZOMBIEIF --dport 2042:2052 -j ACCEPT 88 | $IPTABLES -A FORWARD -j LOG --log-level notice --log-prefix "FORWARD DROP: " 89 | 90 | ############################################################################### 91 | ### POSTROUTING 92 | ############################################################################### 93 | ;; 94 | stop) 95 | 96 | 97 | echo "0" > /proc/sys/net/ipv4/ip_forward 98 | 99 | $IPTABLES -F 100 | $IPTABLES -F -t nat 101 | $IPTABLES -X 102 | $IPTABLES -X -t nat 103 | $IPTABLES -P INPUT DROP 104 | $IPTABLES -P OUTPUT DROP 105 | $IPTABLES -P FORWARD DROP 106 | ;; 107 | 108 | restart) 109 | $0 stop 110 | $0 start 111 | ;; 112 | 113 | esac 114 | exit 0 115 | 116 | -------------------------------------------------------------------------------- /services/moloch: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ### BEGIN INIT INFO 3 | # Provides: moloch 4 | # Required-Start: $remote_fs $syslog 5 | # Required-Stop: $remote_fs $syslog 6 | # Default-Start: 2 3 4 5 7 | # Default-Stop: 8 | # Short-Description: moloch 9 | ### END INIT INFO 10 | 11 | case "$1" in 12 | start) 13 | su cuckoo -c "cd /data/moloch/bin/ && ./run_es.sh" 14 | sleep 15 15 | su cuckoo -c "cd /data/moloch/bin/ && screen -d -m ./run_viewer.sh" 16 | su cuckoo -c "cd /data/moloch/bin/ && screen -d -m ./run_wise.sh" 17 | ;; 18 | stop) 19 | pkill -f "elasticsearch-" 20 | pkill -f "viewer.js" 21 | pkill -f "run_wise.sh" 22 | ;; 23 | 24 | restart) 25 | $0 stop 26 | sleep 10 27 | $0 start 28 | ;; 29 | 30 | esac 31 | exit 0 32 | 33 | 
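# -------------------------------------------------------------------------------- /services/suricata: --------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides: suricata
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop:
# Short-Description: suricata
### END INIT INFO

# Suricata is started as the 'cuckoo' user with --set mpm-algo=hs and the unix
# socket enabled; -D daemonises it, so the pidfile is the only handle the stop
# action has on the running process.
SURICATA=/usr/local/suricata/bin/suricata
SURICATA_CONF=/usr/local/suricata/etc/suricata.yaml
PIDFILE=/usr/local/suricata/var/run/suricata.pid

case "$1" in
start)
    #/etc/init.d/openvswitch-switch restart
    su cuckoo -c "$SURICATA -c $SURICATA_CONF --set mpm-algo=hs --unix-socket -D"
    ;;
stop)
    # Without the guard, a missing pidfile made the original run `kill` with no
    # argument at all (a usage error rather than a clear message).
    if [ -r "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")"
    else
        echo "suricata: $PIDFILE not found, nothing to stop"
    fi
    ;;
restart)
    $0 stop
    sleep 30
    $0 start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0
# -------------------------------------------------------------------------------- /setupmysql.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Create the 'cuckoo' MySQL database and the 'cuckoo'@'localhost' user that
# Cuckoo's results database connects as.
sudo apt-get install mysql-server python-mysqldb -y

# -s: the value is a credential, do not echo it to the terminal.
read -s -p "Enter The password you would like to use for the cuckoo db user[ENTER]: " cuckoopass
echo
# The original test was written as ["$cuckoopass" = ""] with no spaces, which
# the shell parses as a command named '["...' rather than a test, so the empty
# password case was never caught and the user was created anyway.
if [ -z "$cuckoopass" ]; then
    echo "you didn't enter a password exiting"
    exit 1
fi
# The password is spliced into a SQL string literal below; refuse the
# characters that would terminate or corrupt that literal.
case "$cuckoopass" in
    *\'*|*\\*|*\"*)
        echo "password must not contain quotes or backslashes, exiting"
        exit 1
        ;;
esac

echo "You will be prompted for the root mysql password to setup cuckoo db"
# Feed the statements to mysql on stdin instead of writing them, password
# included, to a dbsetup.txt file on disk first.
mysql -u root -p mysql <<EOF
create database cuckoo;
grant all privileges on cuckoo.* to cuckoo@localhost identified by '$cuckoopass';
flush privileges;
quit;
EOF

# Separate echo calls: bash's builtin echo prints "\n" literally, so the
# original single-string message did not produce the intended blank line.
echo "You will need to add the following to the db config in your cuckoo.conf"
echo
echo "connection=mysql://cuckoo:$cuckoopass@localhost/cuckoo"
# -------------------------------------------------------------------------------- /suricata-3.0.1.tar.gz: --------------------------------------------------------------------------------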
https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/suricata-3.0.1.tar.gz -------------------------------------------------------------------------------- /suricata.yaml: -------------------------------------------------------------------------------- 1 | %YAML 1.1 2 | --- 3 | runmode: single 4 | default-log-dir: /usr/local/suricata/var/log/ 5 | outputs: 6 | - fast: 7 | enabled: no 8 | filename: alert 9 | append: yes 10 | - unified2-alert: 11 | enabled: no 12 | filename: unified2.alert 13 | - http-log: 14 | enabled: no 15 | filename: http.log 16 | append: yes 17 | extended: yes 18 | - pcap-info: 19 | enabled: no 20 | - alert-debug: 21 | enabled: no 22 | filename: alert-debug.log 23 | append: yes 24 | - stats: 25 | enabled: no 26 | filename: stats.log 27 | interval: 8 28 | - file-store: 29 | enabled: yes # set to yes to enable 30 | log-dir: files # directory to store the files 31 | force-magic: yes # force logging magic on all stored files 32 | force-md5: yes # force logging of md5 checksums 33 | - file-log: 34 | enabled: yes 35 | filename: files-json.log 36 | append: yes 37 | force-magic: yes # force logging magic on all logged files 38 | force-md5: yes # force logging of md5 checksums 39 | - tls-log: 40 | enabled: no # Log TLS connections. 41 | filename: tls.log # File to store TLS logs. 
42 | extended: yes # Log extended information like fingerprint 43 | - eve-log: 44 | enabled: yes 45 | type: file #file|syslog|unix_dgram|unix_stream 46 | filename: alert.json 47 | types: 48 | - alert 49 | - eve-log: 50 | enabled: yes 51 | type: file #file|syslog|unix_dgram|unix_stream 52 | filename: http.json 53 | types: 54 | - http: 55 | extended: yes # enable this for extended logging information 56 | - eve-log: 57 | enabled: yes 58 | type: file #file|syslog|unix_dgram|unix_stream 59 | filename: dns.json 60 | types: 61 | - dns: 62 | - eve-log: 63 | enabled: yes 64 | type: file #file|syslog|unix_dgram|unix_stream 65 | filename: tls.json 66 | types: 67 | - tls: 68 | extended: yes # enable this for extended logging information 69 | - eve-log: 70 | enabled: yes 71 | type: file #file|syslog|unix_dgram|unix_stream 72 | filename: files.json 73 | types: 74 | - files: 75 | force-magic: yes # force logging magic on all logged files 76 | force-md5: yes # force logging of md5 checksums 77 | - eve-log: 78 | enabled: yes 79 | type: file #file|syslog|unix_dgram|unix_stream 80 | filename: ssh.json 81 | types: 82 | - ssh 83 | 84 | magic-file: /usr/share/file/magic 85 | af-packet: 86 | - interface: eth0 87 | threads: 1 88 | cluster-id: 99 89 | cluster-type: cluster_round_robin 90 | defrag: yes 91 | use-mmap: yes 92 | - interface: eth1 93 | threads: 1 94 | cluster-id: 98 95 | cluster-type: cluster_round_robin 96 | defrag: yes 97 | 98 | detect-engine: 99 | - profile: medium 100 | - custom-values: 101 | toclient-src-groups: 2 102 | toclient-dst-groups: 2 103 | toclient-sp-groups: 2 104 | toclient-dp-groups: 3 105 | toserver-src-groups: 2 106 | toserver-dst-groups: 4 107 | toserver-sp-groups: 2 108 | toserver-dp-groups: 25 109 | - sgh-mpm-context: auto 110 | - inspection-recursion-limit: 3000 111 | 112 | threading: 113 | set-cpu-affinity: no 114 | cpu-affinity: 115 | - management-cpu-set: 116 | cpu: [ 0 ] # include only these cpus in affinity settings 117 | - receive-cpu-set: 118 | 
cpu: [ 0 ] # include only these cpus in affinity settings 119 | - decode-cpu-set: 120 | cpu: [ 0, 1 ] 121 | mode: "balanced" 122 | - stream-cpu-set: 123 | cpu: [ "0-1" ] 124 | - detect-cpu-set: 125 | cpu: [ "all" ] 126 | mode: "exclusive" # run detect threads in these cpus 127 | prio: 128 | low: [ 0 ] 129 | medium: [ "1-2" ] 130 | high: [ 3 ] 131 | default: "medium" 132 | - verdict-cpu-set: 133 | cpu: [ 0 ] 134 | prio: 135 | default: "high" 136 | - reject-cpu-set: 137 | cpu: [ 0 ] 138 | prio: 139 | default: "low" 140 | - output-cpu-set: 141 | cpu: [ "all" ] 142 | prio: 143 | default: "medium" 144 | detect-thread-ratio: 1.5 145 | 146 | cuda: 147 | - mpm: 148 | packet-buffer-limit: 2400 149 | packet-size-limit: 1500 150 | packet-buffers: 10 151 | batching-timeout: 1 152 | page-locked: enabled 153 | device-id: 0 154 | cuda-streams: 2 155 | 156 | mpm-algo: ac 157 | pattern-matcher: 158 | - b2gc: 159 | search-algo: B2gSearchBNDMq 160 | hash-size: low 161 | bf-size: medium 162 | - b2gm: 163 | search-algo: B2gSearchBNDMq 164 | hash-size: low 165 | bf-size: medium 166 | - b2g: 167 | search-algo: B2gSearchBNDMq 168 | hash-size: low 169 | bf-size: medium 170 | - b3g: 171 | search-algo: B3gSearchBNDMq 172 | hash-size: low 173 | bf-size: medium 174 | - wumanber: 175 | hash-size: low 176 | bf-size: medium 177 | 178 | defrag: 179 | max-frags: 65535 180 | prealloc: yes 181 | timeout: 60 182 | 183 | flow: 184 | memcap: 32mb 185 | hash-size: 65536 186 | prealloc: 10000 187 | emergency-recovery: 30 188 | prune-flows: 5 189 | 190 | flow-timeouts: 191 | default: 192 | new: 30 193 | established: 300 194 | closed: 0 195 | emergency-new: 10 196 | emergency-established: 100 197 | emergency-closed: 0 198 | tcp: 199 | new: 60 200 | established: 3600 201 | closed: 120 202 | emergency-new: 10 203 | emergency-established: 300 204 | emergency-closed: 20 205 | udp: 206 | new: 30 207 | established: 300 208 | emergency-new: 10 209 | emergency-established: 100 210 | icmp: 211 | new: 30 212 | 
established: 300 213 | emergency-new: 10 214 | emergency-established: 100 215 | 216 | stream: 217 | memcap: 32mb 218 | checksum-validation: no # reject wrong csums 219 | inline: no # no inline mode 220 | reassembly: 221 | memcap: 64mb 222 | depth: 0 # reassemble 1mb into a stream 223 | toserver-chunk-size: 2560 224 | toclient-chunk-size: 2560 225 | 226 | host: 227 | hash-size: 4096 228 | prealloc: 1000 229 | memcap: 16777216 230 | 231 | logging: 232 | default-log-level: info 233 | default-output-filter: 234 | outputs: 235 | - console: 236 | enabled: yes 237 | 238 | pfring: 239 | - interface: eth0 240 | threads: 1 241 | interface: eth0 242 | cluster-id: 99 243 | cluster-type: cluster_round_robin 244 | pcap: 245 | - interface: eth0 246 | 247 | classification-file: /usr/local/suricata/etc/classification.config 248 | reference-config-file: /usr/local/suricata/etc/reference.config 249 | 250 | vars: 251 | address-groups: 252 | HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" 253 | EXTERNAL_NET: "any" 254 | HTTP_SERVERS: "$HOME_NET" 255 | SMTP_SERVERS: "$HOME_NET" 256 | SQL_SERVERS: "$HOME_NET" 257 | DNS_SERVERS: "$HOME_NET" 258 | TELNET_SERVERS: "$HOME_NET" 259 | AIM_SERVERS: "$EXTERNAL_NET" 260 | port-groups: 261 | HTTP_PORTS: "80" 262 | SHELLCODE_PORTS: "!80" 263 | ORACLE_PORTS: 1521 264 | SSH_PORTS: 22 265 | 266 | action-order: 267 | - pass 268 | - drop 269 | - reject 270 | - alert 271 | 272 | host-os-policy: 273 | windows: [0.0.0.0/0] 274 | bsd: [] 275 | bsd-right: [] 276 | old-linux: [] 277 | linux: [] 278 | old-solaris: [] 279 | solaris: [] 280 | hpux10: [] 281 | hpux11: [] 282 | irix: [] 283 | macos: [] 284 | vista: [] 285 | windows2k3: [] 286 | 287 | asn1-max-frames: 256 288 | 289 | engine-analysis: 290 | rules-fast-pattern: yes 291 | rules: yes 292 | 293 | pcre: 294 | match-limit: 3500 295 | match-limit-recursion: 1500 296 | 297 | libhtp: 298 | default-config: 299 | personality: IDS 300 | request-body-limit: 0 301 | response-body-limit: 0 302 | 303 | # 
inspection limits 304 | request-body-minimal-inspect-size: 16kb 305 | request-body-inspect-window: 16kb 306 | response-body-minimal-inspect-size: 40kb 307 | response-body-inspect-window: 32kb 308 | 309 | profiling: 310 | rules: 311 | enabled: yes 312 | filename: perf.txt 313 | append: yes 314 | sort: avgticks 315 | packets: 316 | enabled: no 317 | filename: packet_stats.log 318 | append: yes 319 | locks: 320 | enabled: no 321 | filename: lock_stats.log 322 | append: yes 323 | 324 | coredump: 325 | max-dump: unlimited 326 | 327 | app-layer: 328 | protocols: 329 | tls: 330 | enabled: yes 331 | detection-ports: 332 | dp: 443 333 | dcerpc: 334 | enabled: yes 335 | ftp: 336 | enabled: yes 337 | ssh: 338 | enabled: yes 339 | smtp: 340 | enabled: yes 341 | imap: 342 | enabled: detection-only 343 | msn: 344 | enabled: detection-only 345 | smb: 346 | enabled: yes 347 | detection-ports: 348 | dp: 139 349 | dns: 350 | tcp: 351 | enabled: yes 352 | detection-ports: 353 | dp: 53 354 | udp: 355 | enabled: yes 356 | detection-ports: 357 | dp: 53 358 | http: 359 | enabled: yes 360 | default-rule-path: /usr/local/suricata/etc/ 361 | rule-files: 362 | - all.rules 363 | - luajit.rules 364 | - local.rules 365 | - dyndns-http-alert-and-drop.rules 366 | - dyndns-dns.rules 367 | - dyndns-tls.rules 368 | -------------------------------------------------------------------------------- /v3.4.0.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/v3.4.0.tar.gz -------------------------------------------------------------------------------- /vboxConfBiosWin7.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | ############################################################################################################# 3 | # This script is take from 
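# http://blog.michaelboman.org/2014/01/making-virtualbox-nearly-undetectable.html #
#############################################################################################################
import re
import subprocess
import sys
import os
import json
import random

from pprint import pprint

# Flags used by every regex in this file (the original passed them on each call).
_RE_FLAGS = re.I | re.S | re.M

# SMBIOS base-board (type 2) and chassis (type 3) type names, in enumeration
# order.  The SMBIOS enumeration starts at 1 and these lists at 0, hence the
# +1 in _type_index().
_MOTHERBOARD_TYPES = [
    "Unknown",
    "Other",
    "Server Blade",
    "Connectivity Switch",
    "System Management Module",
    "Processor Module",
    "I/O Module",
    "Memory Module",
    "Daughter Board",
    "Motherboard",
    "Processor+Memory Module",
    "Processor+I/O Module",
    "Interconnect Board",
]

_CHASSIS_TYPES = [
    "Other",
    "Unknown",
    "Desktop",
    "Low Profile Desktop",
    "Pizza Box",
    "Mini Tower",
    "Tower",
    "Portable",
    "Laptop",
    "Notebook",
    "Hand Held",
    "Docking Station",
    "All In One",
    "Sub Notebook",
    "Space-saving",
    "Lunch Box",
    "Main Server Chassis",
    "Expansion Chassis",
    "Sub Chassis",
    "Bus Expansion Chassis",
    "Peripheral Chassis",
    "RAID Chassis",
    "Rack Mount Chassis",
    "Sealed-case PC",
    "Multi-system",
    "CompactPCI",
    "AdvancedTCA",
    "Blade",
    "Blade Enclosing",
]


def _clean_values(d):
    """Return a copy of *d* with None entries dropped and every remaining value
    turned into a stripped string (non-strings are str()'d), which is the form
    VBoxManage setextradata takes.

    A new dict is built instead of deleting keys while iterating *d*: the
    original `del hd[key]` inside `for key, value in hd.iteritems()` would
    raise RuntimeError the first time a None value actually showed up.
    """
    cleaned = {}
    for key, value in list(d.items()):
        if value is None:
            continue
        cleaned[key] = value.strip() if hasattr(value, "strip") else str(value)
    return cleaned


def _grab(pattern, text, prefix=""):
    """Return *prefix* + group 1 of *pattern* searched in *text*, or None.

    None is returned both when *text* is None (the helper command failed in
    runcmd()) and when the field is absent, instead of the AttributeError the
    original raised; _clean_values() later drops such keys so the script
    degrades to "field not set" rather than aborting.
    """
    if text is None:
        return None
    m = re.search(pattern, text, _RE_FLAGS)
    if not m:
        return None
    return prefix + m.group(1)


def _type_index(names, pattern, text, failure_msg):
    """Map the value matched by *pattern* in *text* to its 1-based position in
    *names*, returned as a string; print *failure_msg* and return None when the
    field is missing or not in *names*.
    """
    found = _grab(pattern, text)
    if found is not None:
        found = found.strip()
        if found in names:
            return str(names.index(found) + 1)
    print(failure_msg)
    return None


def _mac_string(octets):
    """Format six integer octets as the 12 hex digits `VBoxManage --macaddress1` expects."""
    return ''.join("%02x" % x for x in octets)


def cloneMAC():
    """Build a guest MAC from the host's eth0 MAC: the host's first three
    octets (its OUI) are kept and the last three randomised, the fourth
    capped at 0x7f as in the original.

    Returns 12 lowercase hex digits, or None when ifconfig could not be run
    or printed no HWaddr line; callers should then fall back to randomMAC().
    """
    ifconfig_out = runcmd(["/sbin/ifconfig", "eth0"])
    print(ifconfig_out)
    if ifconfig_out is None:
        return None
    pat = re.compile(r"HWaddr (?P<mac>([0-9A-Fa-f]{2}[:-]){5}[0-9a-fA-F]{2})", _RE_FLAGS)
    m = pat.search(ifconfig_out)
    if not m:
        return None
    # The regex accepts ':' or '-' separators, so split on both; the original
    # split on ':' only and indexed past the end for a '-' separated address.
    octets = [int(part, 16) for part in re.split(r"[:-]", m.group("mac"))[:3]]
    octets += [
        random.randint(0x00, 0x7f),
        random.randint(0x00, 0xff),
        random.randint(0x00, 0xff),
    ]
    pprint(octets)
    return _mac_string(octets)


def randomMAC():
    """Return a random MAC (12 hex digits) in the ASUSTek OUI 00:1b:fc, the
    fourth octet capped at 0x7f as in cloneMAC()."""
    # 00:1b:fc = ASUSTek COMPUTER INC.
    octets = [
        0x00, 0x1b, 0xfc,
        random.randint(0x00, 0x7f),
        random.randint(0x00, 0xff),
        random.randint(0x00, 0xff),
    ]
    return _mac_string(octets)


def getnewmac(hostname):
    """Look *hostname* up in /data/macs.txt (lines of `hostname mac ip`) and
    return its MAC; fall back to randomMAC() when no line matches.

    Raises IOError/OSError if /data/macs.txt cannot be opened, as before.
    """
    # re.escape: the VM name comes from argv and must match literally, not as
    # a regex fragment (a '.' in the name would otherwise match any character).
    pat = re.compile(r"(%s)\s+([0-9A-Fa-f]+)\s+([0-9\.]+)" % re.escape(hostname), _RE_FLAGS)
    with open("/data/macs.txt") as fh:
        for line in fh:
            # One search, reused: the original searched and then called
            # match(), which returned None (and raised) whenever the name was
            # not at the start of the line.
            m = pat.search(line)
            if m and m.group(2):
                return m.group(2)
    return randomMAC()


def runcmd(cmd):
    """Run *cmd* (an argv list, never a shell string) and return its stdout as
    text, or None when it could not be started or exited non-zero.

    Only OSError and CalledProcessError are handled; the original bare
    `except:` also swallowed KeyboardInterrupt and SystemExit.
    """
    if any(arg is None for arg in cmd):
        # e.g. cloneMAC() finding no HWaddr: keep the original best-effort
        # contract (report and return None) instead of raising from join().
        print("Failed")
        return None
    print("Executing %s" % ' '.join(cmd))
    try:
        output = subprocess.check_output(cmd)
    except (OSError, subprocess.CalledProcessError):
        print("Failed")
        return None
    if not isinstance(output, str):
        # Python 3 returns bytes; the regexes in this file operate on text.
        output = output.decode("utf-8", "replace")
    print(output)
    return output


def gethd():
    """Read model, firmware revision and serial of /dev/sda via `hdparm -i`
    and return them keyed by the VirtualBox ahci Port0 config names; the
    serial is prefixed with `string:` so VBoxManage stores it as a string.

    Returns an empty dict when hdparm failed or its output did not match.
    """
    hd = {}
    hdparm = runcmd(["sudo", "hdparm", "-i", "/dev/sda"])
    # Model=ST2000DM001-1CH164, FwRev=CC26, SerialNo=S1E1R0TH
    if hdparm is not None:
        m = re.search(
            r"\s*?Model=(?P<Model>[^,]+),\s*?FwRev=(?P<FwRev>[^,]+),\s*?SerialNo=(?P<SerialNo>[^\r\n]+)[\r\n]",
            hdparm,
        )
        if m:
            hd["SerialNumber"] = "string:" + m.group("SerialNo")
            hd["FirmwareRevision"] = m.group("FwRev")
            hd["ModelNumber"] = m.group("Model")
    return _clean_values(hd)


def getcd():
    """Read vendor, model and revision of the optical drive via `cd-drive`
    and return them keyed by the VirtualBox piix3ide PrimaryMaster config
    names, plus a random ATAPISerialNumber (cd-drive reports none).

    Returns an empty dict when cd-drive failed or its output did not match.
    """
    cd = {}
    cddrive = runcmd(["cd-drive"])
    if cddrive is not None:
        m = re.search(
            r"\nVendor\s*\x3a\s*(?P<vendor>[^\n]+)\s*\nModel\s*\x3a\s*(?P<Model>[^\n]+)\s*\nRevision\s*\x3a\s*(?P<Revision>[^\n]+)\s*\n",
            cddrive,
        )
        if m:
            cd["ATAPIVendorId"] = m.group("vendor")
            cd["ATAPIProductId"] = m.group("Model")
            cd["ATAPIRevision"] = m.group("Revision")
            # A cosmetic value only, so the random module is adequate here.
            cd["ATAPISerialNumber"] = "string:" + str(random.randint(1, 10 ** (20 - 1)))
    cd = _clean_values(cd)
    print(cd)
    return cd


# Gather system information
def getdmi():
    """Collect the host's SMBIOS/DMI strings (types 0-4 via `sudo dmidecode`)
    and return them keyed by the VirtualBox pcbios DMI config names; values
    VirtualBox would otherwise parse as numbers get a `string:` prefix.

    Fields missing from the dmidecode output, or a dmidecode run that failed,
    are left out of the result instead of raising, so whatever was found can
    still be persisted and applied.
    """
    dmi = {}

    # Anti-VM detection, DMI BIOS information (type 0)
    dmitmp = runcmd(["sudo", "dmidecode", "-t0"])
    dmi['DmiBIOSVendor'] = _grab(r"Vendor: ([A-Z0-9\ \.]+)", dmitmp)
    dmi['DmiBIOSVersion'] = _grab(r"Version: ([A-Z0-9\ \.]+)", dmitmp, "string:")
    dmi['DmiBIOSReleaseDate'] = _grab(r"Release Date: ([0-9\/\-]+)", dmitmp)

    # Anti-VM detection, DMI system information (type 1)
    dmitmp = runcmd(["sudo", "dmidecode", "-t1"])
    dmi['DmiSystemVendor'] = _grab(r"Manufacturer: ([A-Z0-9\ \.]+)", dmitmp)
    dmi['DmiSystemProduct'] = _grab(r"Product Name: ([A-Z0-9\ \.]+)", dmitmp)
    dmi['DmiSystemVersion'] = _grab(r"Version: ([A-Z0-9\ \.]+)", dmitmp, "string:")
    dmi['DmiSystemSerial'] = _grab(r"Serial Number: ([0-9A-Z\ \-]+)", dmitmp, "string:")
    dmi['DmiSystemSKU'] = _grab(r"SKU Number: ([0-9A-Z\ \-\.]+)", dmitmp)
    dmi['DmiSystemFamily'] = _grab(r"Family: ([0-9A-Z\ \-\.]+)", dmitmp)
    dmi['DmiSystemUuid'] = _grab(r"UUID: ([0-9A-Z\-]+)", dmitmp)

    # Anti-VM detection, DMI base board information (type 2)
    dmitmp = runcmd(["sudo", "dmidecode", "-t2"])
    dmi['DmiBoardVendor'] = _grab(r"Manufacturer: ([A-Z0-9\ \.]+)", dmitmp)
    dmi['DmiBoardProduct'] = _grab(r"Product Name: ([A-Z0-9\ \.\-/]+)", dmitmp)
    dmi['DmiBoardVersion'] = _grab(r"Version: ([A-Z0-9\ \.]+)", dmitmp, "string:")
    dmi['DmiBoardSerial'] = _grab(r"Serial Number: ([0-9A-Z\ \-]+)", dmitmp, "string:")
    dmi['DmiBoardAssetTag'] = _grab(r"Asset Tag: ([0-9A-Z\ \-\.]+)", dmitmp)
    if dmi['DmiBoardAssetTag'] is None:
        print("Failed to get Asset Tag")
    dmi['DmiBoardLocInChass'] = _grab(r"Location In Chassis: ([0-9A-Z\ \-\.]+)", dmitmp)
    if dmi['DmiBoardLocInChass'] is None:
        print("Failed to get Location in Chassis")
    dmi['DmiBoardBoardType'] = _type_index(
        _MOTHERBOARD_TYPES, r"Type: ([0-9A-Z\ \-]+)", dmitmp, "Failed to get Motherboard Type"
    )

    # Anti-VM detection, DMI system enclosure or chassis (type 3)
    dmitmp = runcmd(["sudo", "dmidecode", "-t3"])
    dmi['DmiChassisVendor'] = _grab(r"Manufacturer: ([A-Z0-9\ \.]+)", dmitmp)
    dmi['DmiChassisType'] = _type_index(
        _CHASSIS_TYPES, r"Type: ([0-9A-Z\ \.]+)", dmitmp, "Failed to get Chassis Type"
    )
    dmi['DmiChassisVersion'] = _grab(r"Version: ([A-Z0-9\ \.]+)", dmitmp, "string:")
    dmi['DmiChassisSerial'] = _grab(r"Serial Number: ([A-Z0-9\ \.]+)", dmitmp, "string:")
    dmi['DmiChassisAssetTag'] = _grab(r"Asset Tag: ([A-Z0-9\ \.\-]+)", dmitmp)

    # Anti-VM detection, DMI processor information (type 4)
    dmitmp = runcmd(["sudo", "dmidecode", "-t4"])
    dmi['DmiProcManufacturer'] = _grab(r"Manufacturer: ([A-Z0-9\ \.]+)", dmitmp)
    dmi['DmiProcVersion'] = _grab(r"Version: ([A-Z0-9\ \.\(\)\-]+)", dmitmp, "string:")

    return _clean_values(dmi)


dmi = None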
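# Reuse the DMI values captured by an earlier run so every VM gets the same
# identity; only query dmidecode when the cache is missing or unusable.
# `with` closes the file even when json.load() raises (the original leaked the
# handle on a parse error).
try:
    with open('/data/dmi.txt', 'r') as fh:
        dmi = json.load(fh)
except (IOError, OSError, ValueError):
    dmi = None
if not isinstance(dmi, dict):
    dmi = getdmi()

with open('/data/dmi.txt', 'w') as outfile:
    json.dump(dmi, outfile, sort_keys=True, indent=4, separators=(',', ': '))
print(json.dumps(dmi, sort_keys=True, indent=4, separators=(',', ': ')))

VBoxManage = '/usr/bin/VBoxManage'

# Each argument is the name of a VirtualBox VM to configure.
for target in sys.argv[1:]:
    # Per-VM copy of the host DSDT (target is the VM name, not a path).
    DSDT_BIN = "/data/%sdsdt.bin" % (target)

    # Get the DSDT
    if not os.path.exists(DSDT_BIN):
        runcmd(['sudo', 'dd', 'if=/sys/firmware/acpi/tables/DSDT', 'of=%s' % DSDT_BIN])

    # Configure all the virtual BIOS settings
    for key, value in list(dmi.items()):
        runcmd([VBoxManage, "setextradata", target, "VBoxInternal/Devices/pcbios/0/Config/" + key, value])

    # Configure DSDT (only if the copy above, or an earlier one, exists)
    if os.path.exists(DSDT_BIN):
        runcmd([VBoxManage, "setextradata", target, "VBoxInternal/Devices/acpi/0/Config/CustomTable", DSDT_BIN])

    # Setting guest MAC: clone the host OUI, or pick a random address when
    # eth0's MAC could not be read (the original passed None to VBoxManage).
    #newmac = getnewmac(target)
    newmac = cloneMAC() or randomMAC()
    runcmd([VBoxManage, "modifyvm", target, "--macaddress1", newmac])

    hd = gethd()
    for key, value in list(hd.items()):
        runcmd([VBoxManage, "setextradata", target, "VBoxInternal/Devices/ahci/0/Config/Port0/" + key, value])

    cd = getcd()
    for key, value in list(cd.items()):
        runcmd([VBoxManage, "setextradata", target, "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/" + key, value])
    # Blank the VirtualBox OEM strings so the guest does not see them.
    runcmd([VBoxManage, "setextradata", target, "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer", ""])
    runcmd([VBoxManage, "setextradata", target, "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev", ""])
# -------------------------------------------------------------------------------- /vboxConfBiosWin8.py: --------------------------------------------------------------------------------
#!/usr/bin/env python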
############################################################################################################# 3 | # This script is take from http://blog.michaelboman.org/2014/01/making-virtualbox-nearly-undetectable.html # 4 | ############################################################################################################# 5 | import re 6 | import subprocess 7 | import sys 8 | import os 9 | import json 10 | import random 11 | 12 | from pprint import pprint 13 | 14 | def cloneMAC(): 15 | ifconfig_out = runcmd(["/sbin/ifconfig","eth0"]) 16 | regex = r"HWaddr (?P([0-9A-Fa-f]{2}[:-]){5}[0-9a-fA-F]{2})" 17 | pat = re.compile(regex, re.I | re.S | re.M) 18 | print ifconfig_out 19 | if pat.search(ifconfig_out): 20 | mac = pat.search(ifconfig_out).group("mac").split(":") 21 | mac[0] = int(mac[0], 16) 22 | mac[1] = int(mac[1], 16) 23 | mac[2] = int(mac[2], 16) 24 | mac[3] = random.randint(0x00, 0x7f) 25 | mac[4] = random.randint(0x00, 0xff) 26 | mac[5] = random.randint(0x00, 0xff) 27 | pprint(mac) 28 | return ''.join(map(lambda x: "%02x" % x, mac)) 29 | 30 | def randomMAC(): 31 | # 00:1b:fc = ASUSTek COMPUTER INC. 
32 | mac = [ 0x00, 0x1b, 0xfc, 33 | random.randint(0x00, 0x7f), 34 | random.randint(0x00, 0xff), 35 | random.randint(0x00, 0xff) ] 36 | return ''.join(map(lambda x: "%02x" % x, mac)) 37 | 38 | def getnewmac(hostname): 39 | regex = r"(%s)\s+([0-9A-Fa-f]+)\s+([0-9\.]+)" % hostname 40 | pat = re.compile(regex, re.I | re.S | re.M) 41 | with open("/data/macs.txt") as fh: 42 | for line in fh: 43 | if pat.search(line): 44 | (hostname,mac,ip) = pat.match(line).groups() 45 | if mac: 46 | return mac 47 | return randomMAC() 48 | 49 | def runcmd(cmd): 50 | try: 51 | print "Executing %s" % ' '.join(cmd) 52 | output = subprocess.check_output(cmd) 53 | print output 54 | return output 55 | except: 56 | print "Failed" 57 | return None 58 | 59 | def gethd(): 60 | hd ={} 61 | hdparm = runcmd(["sudo","hdparm","-i","/dev/sda"]) 62 | #Model=ST2000DM001-1CH164, FwRev=CC26, SerialNo=S1E1R0TH 63 | m = re.search(r"\s*?Model=(?P[^,]+),\s*?FwRev=(?P[^,]+),\s*?SerialNo=(?P[^\r\n]+)[\r\n]",hdparm) 64 | if m: 65 | hd["SerialNumber"] = "string:" + m.group("SerialNo") 66 | hd["FirmwareRevision"] = m.group("FwRev") 67 | hd["ModelNumber"] = m.group("Model") 68 | for key, value in hd.iteritems(): 69 | if value == None: 70 | del hd[key] 71 | else: 72 | if isinstance( value, ( int, long ) ): 73 | hd[key] = str(value) 74 | else: 75 | hd[key] = value.strip() 76 | return hd 77 | 78 | def getcd(): 79 | cd ={} 80 | cddrive = runcmd(["cd-drive"]) 81 | m = re.search(r"\nVendor\s*\x3a\s*(?P[^\n]+)\s*\nModel\s*\x3a\s*(?P[^\n]+)\s*\nRevision\s*\x3a\s*(?P[^\n]+)\s*\n",cddrive) 82 | if m: 83 | cd["ATAPIVendorId"] = m.group("vendor") 84 | cd["ATAPIProductId"] = m.group("Model") 85 | cd["ATAPIRevision"] = m.group("Revision") 86 | cd["ATAPISerialNumber"] = "string:" + str(random.randint(1,10**(20-1))) 87 | for key, value in cd.iteritems(): 88 | if value == None: 89 | del cd[key] 90 | else: 91 | if isinstance( value, ( int, long ) ): 92 | cd[key] = str(value) 93 | else: 94 | cd[key] = value.strip() 95 | print cd 96 | 
return cd 97 | 98 | # Gather system information 99 | def getdmi(): 100 | dmi = {} 101 | 102 | # Anti-VM detection, DMI BIOS information (type 0) 103 | dmitmp = runcmd(["sudo","dmidecode","-t0"]) 104 | dmi['DmiBIOSVendor'] = re.search("Vendor: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 105 | dmi['DmiBIOSVersion'] = "string:" + re.search("Version: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 106 | dmi['DmiBIOSReleaseDate']= re.search("Release Date: ([0-9\\/\\-]+)", dmitmp, re.I | re.S | re.M).group(1) 107 | 108 | # Anti-VM detection, DMI BIOS information (type 1) 109 | dmitmp = runcmd(["sudo","dmidecode","-t1"]) 110 | dmi['DmiSystemVendor'] = re.search("Manufacturer: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 111 | dmi['DmiSystemProduct'] = re.search("Product Name: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 112 | dmi['DmiSystemVersion'] = "string:" + re.search("Version: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 113 | dmi['DmiSystemSerial'] = "string:" + re.search("Serial Number: ([0-9A-Z\\ \\-]+)", dmitmp, re.I | re.S | re.M).group(1) 114 | dmi['DmiSystemSKU'] = re.search("SKU Number: ([0-9A-Z\\ \\-\\.]+)", dmitmp, re.I | re.S | re.M).group(1) 115 | dmi['DmiSystemFamily'] = re.search("Family: ([0-9A-Z\\ \\-\\.]+)", dmitmp, re.I | re.S | re.M).group(1) 116 | dmi['DmiSystemUuid'] = re.search("UUID: ([0-9A-Z\\-]+)", dmitmp, re.I | re.S | re.M).group(1) 117 | 118 | # Anti-VM detection, DMI BIOS information (type 2) 119 | MotherboardTypes = [ 120 | "Unknown", 121 | "Other", 122 | "Server Blade", 123 | "Connectivity Switch", 124 | "System Management Module", 125 | "Processor Module", 126 | "I/O Module", 127 | "Memory Module", 128 | "Daughter Board", 129 | "Motherboard", 130 | "Processor+Memory Module", 131 | "Processor+I/O Module", 132 | "Interconnect Board" 133 | ] 134 | 135 | dmitmp = runcmd(["sudo","dmidecode","-t2"]) 136 | 137 | dmi['DmiBoardVendor'] = re.search("Manufacturer: ([A-Z0-9\\ \\.]+)", 
dmitmp, re.I | re.S | re.M).group(1) 138 | dmi['DmiBoardProduct'] = re.search("Product Name: ([A-Z0-9\\ \\.\\-/]+)", dmitmp, re.I | re.S | re.M).group(1) 139 | dmi['DmiBoardVersion'] = "string:" + re.search("Version: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 140 | dmi['DmiBoardSerial'] = "string:" + re.search("Serial Number: ([0-9A-Z\\ \\-]+)", dmitmp, re.I | re.S | re.M).group(1) 141 | try: 142 | dmi['DmiBoardAssetTag'] = re.search("Asset Tag: ([0-9A-Z\\ \\-\\.]+)", dmitmp, re.I | re.S | re.M).group(1) 143 | except: 144 | print "Failed to get Asset Tag" 145 | try: 146 | dmi['DmiBoardLocInChass'] = re.search("Location In Chassis: ([0-9A-Z\\ \\-\\.]+)", dmitmp, re.I | re.S | re.M).group(1) 147 | except: 148 | print "Failed to get Location in Chassis" 149 | try: 150 | dmi['DmiBoardBoardType'] = str(MotherboardTypes.index(re.search("Type: ([0-9A-Z\\ \\-]+)", dmitmp, re.I | re.S | re.M).group(1))+1) 151 | except: 152 | print "Failed to get Motherboard Type" 153 | # Anti-VM detection, DMI system enclosure or chassis (type 3) 154 | ChassiTypes = [ 155 | "Other", 156 | "Unknown", 157 | "Desktop", 158 | "Low Profile Desktop", 159 | "Pizza Box", 160 | "Mini Tower", 161 | "Tower", 162 | "Portable", 163 | "Laptop", 164 | "Notebook", 165 | "Hand Held", 166 | "Docking Station", 167 | "All In One", 168 | "Sub Notebook", 169 | "Space-saving", 170 | "Lunch Box", 171 | "Main Server Chassis", 172 | "Expansion Chassis", 173 | "Sub Chassis", 174 | "Bus Expansion Chassis", 175 | "Peripheral Chassis", 176 | "RAID Chassis", 177 | "Rack Mount Chassis", 178 | "Sealed-case PC", 179 | "Multi-system", 180 | "CompactPCI", 181 | "AdvancedTCA", 182 | "Blade", 183 | "Blade Enclosing" 184 | ] 185 | 186 | dmitmp = runcmd(["sudo","dmidecode","-t3"]) 187 | dmi['DmiChassisVendor'] = re.search("Manufacturer: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 188 | dmi['DmiChassisType'] = str(ChassiTypes.index(re.search("Type: ([0-9A-Z\\ \\.]+)", dmitmp, re.I | re.S | 
re.M).group(1))+1) 189 | dmi['DmiChassisVersion'] = "string:" + re.search("Version: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 190 | dmi['DmiChassisSerial'] = "string:" + re.search("Serial Number: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 191 | dmi['DmiChassisAssetTag'] = re.search("Asset Tag: ([A-Z0-9\\ \\.\\-]+)", dmitmp, re.I | re.S | re.M).group(1) 192 | 193 | # Anti-VM detection, DMI processor informatiion (type 4) 194 | dmitmp = runcmd(["sudo","dmidecode","-t4"]) 195 | dmi['DmiProcManufacturer'] = re.search("Manufacturer: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 196 | dmi['DmiProcVersion'] = "string:" + re.search("Version: ([A-Z0-9\\ \\.\\(\\)\\-]+)", dmitmp, re.I | re.S | re.M).group(1) 197 | 198 | for key, value in dmi.iteritems(): 199 | if value == None: 200 | del dmi[key] 201 | else: 202 | if isinstance( value, ( int, long ) ): 203 | dmi[key] = str(value) 204 | else: 205 | dmi[key] = value.strip() 206 | return dmi 207 | 208 | dmi = None 209 | try: 210 | fh = open('/data/dmi.txt', 'r') 211 | if fh: 212 | dmi = json.load(fh) 213 | fh.close() 214 | except Exception: 215 | dmi = getdmi() 216 | 217 | with open('/data/dmi.txt', 'w') as outfile: 218 | json.dump(dmi, outfile, sort_keys=True, indent=4, separators=(',', ': ')) 219 | print json.dumps(dmi, sort_keys=True, indent=4, separators=(',', ': ')) 220 | 221 | 222 | 223 | for target in sys.argv[1:]: 224 | # Globals, of sorts 225 | DSDT_BIN="/data/%sdsdt.bin" % (target) 226 | VBoxManage = '/usr/bin/VBoxManage' 227 | 228 | # Get the DSDT 229 | if not os.path.exists(DSDT_BIN): 230 | runcmd(['sudo','dd','if=/sys/firmware/acpi/tables/DSDT','of=%s' % DSDT_BIN]) 231 | 232 | # Configure all the virtual BIOS setings 233 | for key, value in dmi.iteritems(): 234 | runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/pcbios/0/Config/" + key,value]) 235 | 236 | # Configure DSDT 237 | if os.path.exists(DSDT_BIN): 238 | 
runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/acpi/0/Config/CustomTable",DSDT_BIN]) 239 | 240 | # Setting guest MAC 241 | #newmac = getnewmac(target) 242 | newmac = cloneMAC() 243 | runcmd([VBoxManage,"modifyvm",target,"--macaddress1",newmac]) 244 | 245 | hd = gethd() 246 | for key, value in hd.iteritems(): 247 | runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/ahci/0/Config/Port0/" + key,value]) 248 | 249 | cd = getcd() 250 | for key, value in cd.iteritems(): 251 | runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/" + key,value]) 252 | runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer",""]) 253 | runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev",""]) 254 | -------------------------------------------------------------------------------- /vboxConfBiosWinXP.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | ############################################################################################################# 3 | # This script is take from http://blog.michaelboman.org/2014/01/making-virtualbox-nearly-undetectable.html # 4 | ############################################################################################################# 5 | import re 6 | import subprocess 7 | import sys 8 | import os 9 | import json 10 | import random 11 | 12 | from pprint import pprint 13 | 14 | def cloneMAC(): 15 | ifconfig_out = runcmd(["/sbin/ifconfig","eth0"]) 16 | regex = r"HWaddr (?P([0-9A-Fa-f]{2}[:-]){5}[0-9a-fA-F]{2})" 17 | pat = re.compile(regex, re.I | re.S | re.M) 18 | print ifconfig_out 19 | if pat.search(ifconfig_out): 20 | mac = pat.search(ifconfig_out).group("mac").split(":") 21 | mac[0] = int(mac[0], 16) 22 | mac[1] = int(mac[1], 16) 23 | mac[2] = int(mac[2], 16) 24 | mac[3] = random.randint(0x00, 0x7f) 25 | mac[4] = random.randint(0x00, 
0xff) 26 | mac[5] = random.randint(0x00, 0xff) 27 | pprint(mac) 28 | return ''.join(map(lambda x: "%02x" % x, mac)) 29 | 30 | def randomMAC(): 31 | # 00:1b:fc = ASUSTek COMPUTER INC. 32 | mac = [ 0x00, 0x1b, 0xfc, 33 | random.randint(0x00, 0x7f), 34 | random.randint(0x00, 0xff), 35 | random.randint(0x00, 0xff) ] 36 | return ''.join(map(lambda x: "%02x" % x, mac)) 37 | 38 | def getnewmac(hostname): 39 | regex = r"(%s)\s+([0-9A-Fa-f]+)\s+([0-9\.]+)" % hostname 40 | pat = re.compile(regex, re.I | re.S | re.M) 41 | with open("/data/macs.txt") as fh: 42 | for line in fh: 43 | if pat.search(line): 44 | (hostname,mac,ip) = pat.match(line).groups() 45 | if mac: 46 | return mac 47 | return randomMAC() 48 | 49 | def runcmd(cmd): 50 | try: 51 | print "Executing %s" % ' '.join(cmd) 52 | output = subprocess.check_output(cmd) 53 | print output 54 | return output 55 | except: 56 | print "Failed" 57 | return None 58 | 59 | def gethd(): 60 | hd ={} 61 | hdparm = runcmd(["sudo","hdparm","-i","/dev/sda"]) 62 | #Model=ST2000DM001-1CH164, FwRev=CC26, SerialNo=S1E1R0TH 63 | m = re.search(r"\s*?Model=(?P[^,]+),\s*?FwRev=(?P[^,]+),\s*?SerialNo=(?P[^\r\n]+)[\r\n]",hdparm) 64 | if m: 65 | hd["SerialNumber"] = "string:" + m.group("SerialNo") 66 | hd["FirmwareRevision"] = m.group("FwRev") 67 | hd["ModelNumber"] = m.group("Model") 68 | for key, value in hd.iteritems(): 69 | if value == None: 70 | del hd[key] 71 | else: 72 | if isinstance( value, ( int, long ) ): 73 | hd[key] = str(value) 74 | else: 75 | hd[key] = value.strip() 76 | return hd 77 | 78 | def getcd(): 79 | cd ={} 80 | cddrive = runcmd(["cd-drive"]) 81 | m = re.search(r"\nVendor\s*\x3a\s*(?P[^\n]+)\s*\nModel\s*\x3a\s*(?P[^\n]+)\s*\nRevision\s*\x3a\s*(?P[^\n]+)\s*\n",cddrive) 82 | if m: 83 | cd["ATAPIVendorId"] = m.group("vendor") 84 | cd["ATAPIProductId"] = m.group("Model") 85 | cd["ATAPIRevision"] = m.group("Revision") 86 | cd["ATAPISerialNumber"] = "string:" + str(random.randint(1,10**(20-1))) 87 | for key, value in 
cd.iteritems(): 88 | if value == None: 89 | del cd[key] 90 | else: 91 | if isinstance( value, ( int, long ) ): 92 | cd[key] = str(value) 93 | else: 94 | cd[key] = value.strip() 95 | print cd 96 | return cd 97 | 98 | # Gather system information 99 | def getdmi(): 100 | dmi = {} 101 | 102 | # Anti-VM detection, DMI BIOS information (type 0) 103 | dmitmp = runcmd(["sudo","dmidecode","-t0"]) 104 | dmi['DmiBIOSVendor'] = re.search("Vendor: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 105 | dmi['DmiBIOSVersion'] = "string:" + re.search("Version: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 106 | dmi['DmiBIOSReleaseDate']= re.search("Release Date: ([0-9\\/\\-]+)", dmitmp, re.I | re.S | re.M).group(1) 107 | 108 | # Anti-VM detection, DMI BIOS information (type 1) 109 | dmitmp = runcmd(["sudo","dmidecode","-t1"]) 110 | dmi['DmiSystemVendor'] = re.search("Manufacturer: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 111 | dmi['DmiSystemProduct'] = re.search("Product Name: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 112 | dmi['DmiSystemVersion'] = "string:" + re.search("Version: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 113 | dmi['DmiSystemSerial'] = "string:" + re.search("Serial Number: ([0-9A-Z\\ \\-]+)", dmitmp, re.I | re.S | re.M).group(1) 114 | dmi['DmiSystemSKU'] = re.search("SKU Number: ([0-9A-Z\\ \\-\\.]+)", dmitmp, re.I | re.S | re.M).group(1) 115 | dmi['DmiSystemFamily'] = re.search("Family: ([0-9A-Z\\ \\-\\.]+)", dmitmp, re.I | re.S | re.M).group(1) 116 | dmi['DmiSystemUuid'] = re.search("UUID: ([0-9A-Z\\-]+)", dmitmp, re.I | re.S | re.M).group(1) 117 | 118 | # Anti-VM detection, DMI BIOS information (type 2) 119 | MotherboardTypes = [ 120 | "Unknown", 121 | "Other", 122 | "Server Blade", 123 | "Connectivity Switch", 124 | "System Management Module", 125 | "Processor Module", 126 | "I/O Module", 127 | "Memory Module", 128 | "Daughter Board", 129 | "Motherboard", 130 | "Processor+Memory Module", 131 | 
"Processor+I/O Module", 132 | "Interconnect Board" 133 | ] 134 | 135 | dmitmp = runcmd(["sudo","dmidecode","-t2"]) 136 | 137 | dmi['DmiBoardVendor'] = re.search("Manufacturer: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 138 | dmi['DmiBoardProduct'] = re.search("Product Name: ([A-Z0-9\\ \\.\\-/]+)", dmitmp, re.I | re.S | re.M).group(1) 139 | dmi['DmiBoardVersion'] = "string:" + re.search("Version: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 140 | dmi['DmiBoardSerial'] = "string:" + re.search("Serial Number: ([0-9A-Z\\ \\-]+)", dmitmp, re.I | re.S | re.M).group(1) 141 | try: 142 | dmi['DmiBoardAssetTag'] = re.search("Asset Tag: ([0-9A-Z\\ \\-\\.]+)", dmitmp, re.I | re.S | re.M).group(1) 143 | except: 144 | print "Failed to get Asset Tag" 145 | try: 146 | dmi['DmiBoardLocInChass'] = re.search("Location In Chassis: ([0-9A-Z\\ \\-\\.]+)", dmitmp, re.I | re.S | re.M).group(1) 147 | except: 148 | print "Failed to get Location in Chassis" 149 | try: 150 | dmi['DmiBoardBoardType'] = str(MotherboardTypes.index(re.search("Type: ([0-9A-Z\\ \\-]+)", dmitmp, re.I | re.S | re.M).group(1))+1) 151 | except: 152 | print "Failed to get Motherboard Type" 153 | # Anti-VM detection, DMI system enclosure or chassis (type 3) 154 | ChassiTypes = [ 155 | "Other", 156 | "Unknown", 157 | "Desktop", 158 | "Low Profile Desktop", 159 | "Pizza Box", 160 | "Mini Tower", 161 | "Tower", 162 | "Portable", 163 | "Laptop", 164 | "Notebook", 165 | "Hand Held", 166 | "Docking Station", 167 | "All In One", 168 | "Sub Notebook", 169 | "Space-saving", 170 | "Lunch Box", 171 | "Main Server Chassis", 172 | "Expansion Chassis", 173 | "Sub Chassis", 174 | "Bus Expansion Chassis", 175 | "Peripheral Chassis", 176 | "RAID Chassis", 177 | "Rack Mount Chassis", 178 | "Sealed-case PC", 179 | "Multi-system", 180 | "CompactPCI", 181 | "AdvancedTCA", 182 | "Blade", 183 | "Blade Enclosing" 184 | ] 185 | 186 | dmitmp = runcmd(["sudo","dmidecode","-t3"]) 187 | dmi['DmiChassisVendor'] = 
re.search("Manufacturer: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 188 | dmi['DmiChassisType'] = str(ChassiTypes.index(re.search("Type: ([0-9A-Z\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1))+1) 189 | dmi['DmiChassisVersion'] = "string:" + re.search("Version: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 190 | dmi['DmiChassisSerial'] = "string:" + re.search("Serial Number: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 191 | dmi['DmiChassisAssetTag'] = re.search("Asset Tag: ([A-Z0-9\\ \\.\\-]+)", dmitmp, re.I | re.S | re.M).group(1) 192 | 193 | # Anti-VM detection, DMI processor informatiion (type 4) 194 | dmitmp = runcmd(["sudo","dmidecode","-t4"]) 195 | dmi['DmiProcManufacturer'] = re.search("Manufacturer: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1) 196 | dmi['DmiProcVersion'] = "string:" + re.search("Version: ([A-Z0-9\\ \\.\\(\\)\\-]+)", dmitmp, re.I | re.S | re.M).group(1) 197 | 198 | for key, value in dmi.iteritems(): 199 | if value == None: 200 | del dmi[key] 201 | else: 202 | if isinstance( value, ( int, long ) ): 203 | dmi[key] = str(value) 204 | else: 205 | dmi[key] = value.strip() 206 | return dmi 207 | 208 | dmi = None 209 | try: 210 | fh = open('/data/dmi.txt', 'r') 211 | if fh: 212 | dmi = json.load(fh) 213 | fh.close() 214 | except Exception: 215 | dmi = getdmi() 216 | 217 | with open('/data/dmi.txt', 'w') as outfile: 218 | json.dump(dmi, outfile, sort_keys=True, indent=4, separators=(',', ': ')) 219 | print json.dumps(dmi, sort_keys=True, indent=4, separators=(',', ': ')) 220 | 221 | 222 | 223 | for target in sys.argv[1:]: 224 | # Globals, of sorts 225 | DSDT_BIN="/data/%sdsdt.bin" % (target) 226 | VBoxManage = '/usr/bin/VBoxManage' 227 | 228 | # Get the DSDT 229 | if not os.path.exists(DSDT_BIN): 230 | runcmd(['sudo','dd','if=/sys/firmware/acpi/tables/DSDT','of=%s' % DSDT_BIN]) 231 | 232 | # Configure all the virtual BIOS setings 233 | for key, value in dmi.iteritems(): 234 | 
runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/pcbios/0/Config/" + key,value]) 235 | 236 | # Configure DSDT 237 | if os.path.exists(DSDT_BIN): 238 | runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/acpi/0/Config/CustomTable",DSDT_BIN]) 239 | 240 | # Setting guest MAC 241 | #newmac = getnewmac(target) 242 | newmac = cloneMAC() 243 | runcmd([VBoxManage,"modifyvm",target,"--macaddress1",newmac]) 244 | 245 | hd = gethd() 246 | for key, value in hd.iteritems(): 247 | runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/piix3ide/0/Config/PrimarySlave/" + key,value]) 248 | 249 | cd = getcd() 250 | for key, value in cd.iteritems(): 251 | runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/" + key,value]) 252 | runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer",""]) 253 | runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev",""]) 254 | 255 | -------------------------------------------------------------------------------- /volatility-2.4.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wmetcalf/buildcuckoo-trusty/cecae7aa14f8f090596cc7705d65bbf485c737c9/volatility-2.4.tar.gz --------------------------------------------------------------------------------