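# Set up an isolated virtualenv for PyREBox, install its Python requirements
# and run the project's build script.
# The steps are chained with && so that a failure stops the sequence: in the
# original, a failing `cd pyrebox` would let `pip install` and `./build.sh`
# run against whatever directory (and interpreter) happened to be current.
# The chain is still safe to paste into an interactive shell (no `exit`).
virtualenv pyrebox-env \
  && source pyrebox-env/bin/activate \
  && cd pyrebox \
  && pip install -r requirements.txt \
  && ./build.sh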
iced-x86 python binding
- Build trigger: check build_trigger.sh
- Start pyrebox: bash run_pyrebox.sh
- Load tracer script: import_module my_tracer
- Open python shell: sh
- See running processes: ps
- Start monitoring: custom monitor <pgd>
- After the data write is confirmed: custom start_trace <pgd>, then custom set_folder <folder_path>, then custom dump_dll
- Stop tracing: unload_module 1
- Quit: q
- Install libguestfs: apt install libguestfs-tools
- Convert vhdx to qcow2: qemu-img convert -p -f vhdx -O qcow2 /hyper_v_virtual_disk_directory.vhdx /hyper_v_virtual_disk_directory.qcow2
- Mount guest image: sudo guestmount -a win.qcow2 -m /dev/sda2 <host_mount_point>
- Unmount guest image: sudo guestunmount <host_mount_point>
- List snapshots: qemu-img snapshot -l <img.qcow2>
# Push the sample binary into the guest through the PyREBox agent.
# NOTE(review): assumes `agent` is the guest-agent object exposed in the
# PyREBox shell — confirm against the tracer setup. The destination is a
# Windows path inside the guest, written as a raw string so the backslashes
# need no doubling.
agent.copy_file('./samples/aes_cfb.exe', r'C:\Users\cocowang\Desktop\exec.exe')
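# Post-process the trace records and merge the data-section dumps.
# NOTE(review): this first step reads records/aes_cfb_2 while the steps
# below use records/aes_cfb — confirm which run is intended.
python3 postprocessing.py records/aes_cfb_2/0.txt > records/aes_cfb_2/0_out.txt
# dump.py must be run from inside datasec_dump. The subshell scopes the
# directory change, so a failing `cd` cannot run dump.py from the wrong
# place and there is no `cd ..` that can leave the shell elsewhere.
(cd datasec_dump && python3 dump.py ../records/aes_cfb)
# Merge the per-module dumps into one file. The merged file itself matches
# the *.dump glob, so remove any previous merge first; otherwise a second run
# would concatenate the old merged output back into the new one.
rm -f -- records/aes_cfb/datasec_dump.dump
cat records/aes_cfb/*.dump > records/aes_cfb/datasec_dump.dump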