-
Notifications
You must be signed in to change notification settings - Fork 168
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
3dc163f
commit 542dad6
Showing
2 changed files
with
143 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| # README # | ||
|
|
||
| A Dockerfile to create decaf running environments. | ||
|
|
||
|
|
||
|
|
||
| ### Share files with the docker image ### | ||
|
|
||
| We use docker volume to share files between docker images and the host system. For example, to create a volume named decaf, use the following command. | ||
|
|
||
| `docker volume create decafvolume` | ||
|
|
||
| The [guest images](https://github.com/sycurelab/DECAFImages "DECAFImages") or malicious samples can be stored in this volume, so the docker image can access it. Or the out put of DECAF plugin can be sotred in this volume, so that we can extract the analysis results. | ||
|
|
||
|
|
||
| ### Build the docker image ### | ||
|
|
||
| `docker build -t decaf ./decaf/` | ||
|
|
||
| ### How to run the docker image? ### | ||
|
|
||
|
|
||
| To run this docker image, | ||
|
|
||
| 1. Copy the guest image to docker volume *decafvolume* | ||
|
|
||
| 2. Start the docker. | ||
|
|
||
|
|
||
| `sudo docker run -it -e DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix -v $HOME/.Xauthority:/home/db/.Xauthority --net=host --mount source=decafvolume,target=/app decaf` | ||
|
|
||
|
|
||
| ### Control DECAF within Docker image ### | ||
|
|
||
| Within the terminal used to run the docker image, users can input commands of DECAF or DECAF plugins to control DECAF. For example, to load plugin of DECAF(suppose malscalpel is stored in volume decaf, which is named /app/ after mounted, | ||
|
|
||
| `load_plugin /app/malscalpel.so` | ||
|
|
||
| ### Share files between guest os and host system ## | ||
|
|
||
| We use samba to share files. If you read Dockerfile carefully, you will find that we set */app/* as the share folder of samba. When we run this docker image, we mount the created docker volume *decafvolume as */app/*. In windows xp guest OS, the files stored in volume *decafvolume* can be accesed *\\10.0.2.2\qemu*. For example, to upload a file to windows xp guest os, take the following steps. | ||
|
|
||
|
|
||
|
|
||
| 1. Copy shared file and [windows xp image](https://github.com/sycurelab/DECAFImages "DECAFImages") to docker volume *decafvolume* | ||
|
|
||
| 2. Run the docker image and mount the volume to /app/ target. | ||
|
|
||
|
|
||
| `sudo docker run -it -e DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix -v $HOME/.Xauthority:/home/db/.Xauthority --net=host --mount source=decafvolume,target=/app decaf` | ||
|
|
||
|
|
||
| 3. After guest OS starts, open menu `start-Run` and input the following command. | ||
|
|
||
| `\\10.0.2.2` | ||
|
|
||
| Then you can see the files stored in docker volume decafvolume. | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| FROM ubuntu:16.04 | ||
|
|
||
| RUN apt-get update | ||
| RUN apt-get install libsdl1.2-dev -y | ||
| RUN apt-get install zlib1g-dev -y | ||
| RUN apt-get install libglib2.0-dev -y | ||
| RUN apt-get install libbfd-dev -y | ||
| RUN apt-get install build-essential -y | ||
| RUN apt-get install binutils -y | ||
| RUN apt-get install qemu -y | ||
| RUN apt-get install libboost-dev -y | ||
| RUN apt-get install git -y | ||
| RUN apt-get install libtool -y | ||
| RUN apt-get install autoconf -y | ||
| RUN apt-get install sudo -y | ||
| RUN apt-get install xorg-dev -y | ||
|
|
||
|
|
||
|
|
||
| WORKDIR /decafroot | ||
| RUN git clone https://github.com/sycurelab/DECAF.git | ||
|
|
||
| RUN pwd & ls | ||
| #ADD . /decafroot | ||
|
|
||
| #configure sleuthkit | ||
|
|
||
| WORKDIR /decafroot/DECAF/decaf/shared/sleuthkit | ||
| RUN rm ./config/ltmain.sh | ||
| RUN ln -s /usr/share/libtool/build-aux/ltmain.sh ./config/ltmain.sh | ||
| RUN autoconf | ||
| RUN ./configure | ||
| RUN make | ||
| WORKDIR /decafroot/DECAF/decaf | ||
| RUN ./configure --disable-tcg-taint --target-list=i386-softmmu | ||
|
|
||
| RUN make | ||
|
|
||
| RUN export uid=1000 gid=1000 | ||
| RUN mkdir -p /home/db/ | ||
| RUN echo "db:x:${uid}:${gid}:db,,,:/home/db:/bin/ bash" >> /etc/passwd | ||
| RUN echo "db:x:${uid}:" >> /etc/group | ||
| RUN echo "db ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/db | ||
| RUN chmod 0440 /etc/sudoers.d/db | ||
| RUN chown ${uid}:${gid} -R /home/db | ||
|
|
||
| USER db | ||
| ENV HOME /home/db | ||
|
|
||
|
|
||
| RUN apt-get update | ||
| #setup samba to share file between guest os and host for qemu | ||
| RUN apt-get install samba -y | ||
| WORKDIR /etc/samba/ | ||
| RUN echo "[QEMU]" >> /etc/samba/smb.conf | ||
| RUN echo " path=/app/" >>/etc/samba/smb.conf | ||
| RUN echo " browseable = yes" >> /etc/samba/smb.conf | ||
| RUN echo " guest ok = yes" >> /etc/samba/smb.conf | ||
| RUN echo " writable = yes" >> /etc/samba/smb.conf | ||
| RUN echo " create mask = 777" >> /etc/samba/smb.conf | ||
| RUN cat /etc/samba/smb.conf | ||
| #RUN /etc/init.d/samba start | ||
|
|
||
| WORKDIR /decafroot/ | ||
| RUN apt install wget | ||
| RUN wget https://github.com/google/protobuf/releases/download/v3.5.0/protobuf-all-3.5.0.tar.gz | ||
| RUN tar -xvf protobuf-all-3.5.0.tar.gz | ||
| WORKDIR /decafroot/protobuf-3.5.0 | ||
| RUN ./autogen.sh | ||
| RUN ./configure --prefix=/usr/ | ||
| RUN make | ||
| RUN make install | ||
|
|
||
|
|
||
|
|
||
|
|
||
| WORKDIR /decafroot/DECAF/decaf/i386-softmmu/ | ||
| #CMD ["/bin/bash"] | ||
| CMD export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib/ &/etc/init.d/samba start & ./qemu-system-i386 -monitor stdio -m 256 -net user,smb=/app/ -netdev user,id=mynet -device rtl8139,netdev=mynet /app/winxpsp3_ie6.1.img -s | ||
| #CMD /etc/init.d/samba status |