A directory analysis(folder submission for analysis)


alex.g...@gmail.com

Jun 18, 2015, 1:01:14 PM
to bitblaz...@googlegroups.com
Hi all,
I started to use the TEMU binary platform and hence am new to this area.
I have a directory which includes 5000 malware samples. I want to know how I can run all of them in TEMU and get their instruction traces automatically,
because I have only used one sample to test the TEMU platform and I do not know how to do the analysis on a directory in an automatic way.

Thanks in advance,
Alex

Stephen McCamant

Jun 18, 2015, 2:10:50 PM
to bitblaz...@googlegroups.com
>>>>> "AG" == alex <alex.g...@gmail.com> writes:

AG> Hi all,

AG> I started to use the TEMU binary platform and hence am new to this
AG> area. I have a directory which includes 5000 malware samples. I want
AG> to know how I can run all of them in TEMU and get their instruction
AG> traces automatically, because I have only used one sample to test the
AG> TEMU platform and I do not know how to do the analysis on a directory
AG> in an automatic way.

TEMU doesn't have support for automating this sort of process all on
its own. I think what we've found to work well is a combination of
scripting inside and outside of the VM.

* If you're analyzing malware, you probably want each sample to run in
the same clean environment, so you probably want to use QEMU/TEMU's
snapshot feature.

* As a side note, be careful about the network access of the VM if
it's running malicious software. You don't want it to have full
network access, lest the malware infect or damage other machines on
your network or the Internet.

* To automate a process that's repetitive but depends on a varying
piece of input data, you can make a VM snapshot where code inside
the VM is about to read some data from the network and then operate
on it, and then rerun the snapshot with different simulated network
inputs. So for instance for malware testing, you could have a script
inside the VM that reads a file from the network and then tries to
execute it. Then you could repeatedly restart the VM from the
snapshot, varying the network input.

* TEMU and Tracecap have some specific support for executing certain
operations right after performing a "loadvm" operation, which is
intended for situations like this. Look into the "-after-loadvm"
option, which takes a parameter of the form:

<pid>:<traceFilename>:<detectMask>::<pidToSignal>:<processName>

(cf. tracecap/commands.c:788).

Hope this helps,

-- Stephen

alex.g...@gmail.com

Jun 18, 2015, 5:06:39 PM
to bitblaz...@googlegroups.com, mcca...@cs.umn.edu
Thanks so much. I will try that soon. Maybe I will still need your help in the future.

alex.g...@gmail.com

Jul 8, 2015, 10:47:23 AM
to bitblaz...@googlegroups.com, mcca...@cs.umn.edu
Hi Stephen,
I am still struggling with TEMU automation. As you said, I tried to use the -after-loadvm option but I did not get anything.
I use the following command:
./tracecap/temu -snapshot -monitor stdio -m 512 /home/hossein/windowsxp.qcow -after-loadvm  :foo.trace::::foo.exe
Then the VM started and I manually ran foo.exe in the VM, but I did not get any trace output.
Could you please help me with what I should do?
Also, I am thinking that in manual tracing I need to load_plugin tracecap.so, then use "tracebyname foo.exe foo.trace" and finally "trace_stop". So when I use the -after-loadvm option, do I not need load_plugin or trace_stop? And if I need them, how can I add them to my automation process?

I also saw this error when I used the -after-loadvm option:
Could not open '/dev/kqemu' - QEMU acceleration layer not activated: No such file or directory

Stephen McCamant

Jul 8, 2015, 12:53:23 PM
to bitblaz...@googlegroups.com
>>>>> "AG" == alex <alex.g...@gmail.com> writes:

AG> Hi Stephen,
AG> I am still struggling with TEMU automation. As you said, I tried to
AG> use the -after-loadvm option but I did not get anything.
AG> I use the following command:
AG> ./tracecap/temu -snapshot -monitor stdio -m 512
AG> /home/hossein/windowsxp.qcow -after-loadvm :foo.trace::::foo.exe
AG> Then the VM started and I manually ran foo.exe in the VM, but I did
AG> not get any trace output.
AG> Could you please help me with what I should do?

I think the most basic issue is that the -after-loadvm option is
intended to be used together with the -loadvm option. The terminology
is a bit confusing, because both what the -snapshot option does and
what the loadvm/savevm commands/options do are called snapshots, but
they're actually incompatible. The idea of a loadvm/savevm snapshot
mechanism is to save a running state of the VM, so that rather than
repeatedly booting it, you can just start it running from right
before you're going to do something new. This is particularly valuable
because booting under TEMU can be quite slow.

AG> Also, I am thinking that in manual tracing I need to load_plugin
AG> tracecap.so, then use "tracebyname foo.exe foo.trace" and finally
AG> "trace_stop". So when I use the -after-loadvm option, do I not need
AG> load_plugin or trace_stop? And if I need them, how can I add them to
AG> my automation process?

If you do savevm after a plugin has been loaded, TEMU will remember
the plugin in the information and automatically reload it when you
loadvm.

To automate calling trace_stop, TEMU has a few pieces of functionality
that may be applicable. In at least some cases I think it will know to
automatically stop tracing when the corresponding process exits in the
guest OS. Plus there's a more flexible detection system which can take
one of several actions on one of several events using the "detect" and
"action" commands.

AG> I also saw this error when I used the -after-loadvm option:
AG> Could not open '/dev/kqemu' - QEMU acceleration layer not
AG> activated: No such file or directory

This warning is common when running on modern systems. KQEMU was a
kernel-based acceleration module that used to allow TEMU (and other
old versions of QEMU) to run faster when the guest and host had the
same architecture. However, it has been superseded in modern QEMU
versions and kernels by KVM and so is usually no longer available.
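
The host-side driver that Stephen's two replies above sketch (restart the VM from a savevm snapshot once per sample, let the guest-side script fetch and launch the sample, and rely on -after-loadvm to start tracing the named process) put together as one script. This is an added example, not code from the thread or from the BitBlaze/TEMU project. The -after-loadvm field format and the disk image path come from the thread; the snapshot name, the staging and trace directories, the fixed guest-side process name sample.exe, the per-run timeout and the TEMU_NET_OPTS variable are all assumptions of this example. With TEMU_BIN unset, the script only prints the command it would run for each file, which is what the demo at the bottom exercises.

```shell
#!/bin/sh
# Added example, not from the thread or the BitBlaze/TEMU project.
# Host-side batch driver: for each sample, restore the VM from a savevm snapshot
# (prepared with the tracecap plugin already loaded, so loadvm reloads it) and let
# -after-loadvm start tracing the process the guest-side script launches.
# -after-loadvm field format, as quoted in the thread:
#   <pid>:<traceFilename>:<detectMask>::<pidToSignal>:<processName>
# Everything marked "assumption" below is a placeholder chosen for this example.

TEMU_BIN="${TEMU_BIN:-}"                                   # real binary, e.g. ./tracecap/temu; unset = dry run
DISK_IMAGE="${DISK_IMAGE:-/home/hossein/windowsxp.qcow}"   # image path from the thread
SNAPSHOT="${SNAPSHOT:-vmsnapshot}"                         # savevm name: assumption
STAGING_DIR="${STAGING_DIR:-/tmp/temu_staging}"            # assumption: the guest script fetches its sample from here
TRACE_DIR="${TRACE_DIR:-/tmp/temu_traces}"                 # assumption: host directory for the trace files
GUEST_PROCESS="${GUEST_PROCESS:-sample.exe}"               # assumption: fixed name the guest script runs the sample under
RUN_TIMEOUT="${RUN_TIMEOUT:-300}"                          # assumption: seconds allowed per sample
# Not hardcoded on purpose: the guest needs to reach STAGING_DIR and nothing else,
# so this must name an isolated (host-only) network for the VM, never full access.
TEMU_NET_OPTS="${TEMU_NET_OPTS:-}"
SAMPLES_RUN=0

# Build the -after-loadvm argument. Only traceFilename and processName are filled;
# pid, detectMask and pidToSignal stay empty, as in the thread's own command line.
after_loadvm_arg() {
    printf ':%s::::%s' "$1" "$2"
}

# Run one sample: publish it under the fixed guest name, restore the snapshot,
# and feed "quit" to the monitor after the timeout so a hung or looping sample
# cannot stall the batch (the monitor reads stdin because of -monitor stdio).
run_sample() {
    sample="$1"
    trace="$TRACE_DIR/${sample##*/}.trace"
    arg="$(after_loadvm_arg "$trace" "$GUEST_PROCESS")"
    if [ -z "$TEMU_BIN" ]; then
        echo "[dry-run] temu -monitor stdio -m 512 $TEMU_NET_OPTS -loadvm $SNAPSHOT -after-loadvm $arg $DISK_IMAGE"
        return 0
    fi
    mkdir -p "$STAGING_DIR" "$TRACE_DIR"
    cp "$sample" "$STAGING_DIR/$GUEST_PROCESS"
    ( sleep "$RUN_TIMEOUT"; echo quit ) | "$TEMU_BIN" -monitor stdio -m 512 $TEMU_NET_OPTS \
        -loadvm "$SNAPSHOT" -after-loadvm "$arg" "$DISK_IMAGE"
}

# Walk a directory of samples; every run starts from the same clean snapshot.
run_directory() {
    SAMPLES_RUN=0
    for sample in "$1"/*; do
        [ -f "$sample" ] || continue
        run_sample "$sample"
        SAMPLES_RUN=$((SAMPLES_RUN + 1))
    done
}

if [ -z "$TEMU_BIN" ]; then
    # Dry-run demo with two constructed placeholder files (not real binaries).
    DEMO_DIR="$(mktemp -d)"
    printf 'constructed placeholder\n' > "$DEMO_DIR/sample_one.exe"
    printf 'constructed placeholder\n' > "$DEMO_DIR/sample_two.exe"
    run_directory "$DEMO_DIR"
    echo "samples processed: $SAMPLES_RUN"
    rm -rf "$DEMO_DIR"
else
    run_directory "${1:?directory of samples}"
fi
```

The guest side is the part Stephen describes as a script inside the VM that reads a file from the network and executes it; it has to be baked into the snapshot before savevm, along with load_plugin for tracecap.so, so that loadvm restores it already waiting. Each run writes its trace to a separate file on the host, and the pipe into the monitor gives every sample a hard stop independent of whether TEMU notices the process exit on its own.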

alex.g...@gmail.com

Jul 8, 2015, 3:55:17 PM
to bitblaz...@googlegroups.com, mcca...@cs.umn.edu
Thanks so much for your helpful info, Stephen. I did the process as you said. Now I can load the tracecap plugin and enable_emulation using savevm and loadvm.
The problem is that I still could not take a trace by using the -after-loadvm option.
I am using this command:
 ./tracecap/temu -monitor stdio -m 512 -loadvm vmsnapshot -after-loadvm  :foo.trace::::foo.exe  /home/hossein/windowsxp.qcow
It is supposed to take a trace when I run foo.exe on the guest without any other commands such as tracebyname, but when I run foo.exe I did not get anything!

This is the only output that I got from the terminal, and I did not see anything after running foo.exe:
(qemu) general/trace_only_after_first_taint is disabled.
general/log_external_calls is disabled.
general/write_ops_at_insn_end is disabled.
general/save_state_at_trace_stop is disabled.
tracing/tracing_table_lookup is enabled.
tracing/tracing_tainted_only is disabled.
tracing/tracing_single_thread_only is disabled.
tracing/tracing_kernel is disabled.
tracing/tracing_kernel_tainted is disabled.
tracing/tracing_kernel_partial is disabled.
network/ignore_dns is disabled.
Enabled: 0x00 Proto: 0x00 Sport: 0 Dport: 0 Src: 0.0.0.0 Dst: 0.0.0.0
Loading plugin options from: /home/bitblaze/temu-1.0/tracecap/ini/hook_plugin.ini
Loading plugins from: /home/bitblaze/temu-1.0/shared/hooks/hook_plugins
Cannot determine file system type
Cannot determine file system type
Cannot determine file system type
./tracecap/tracecap.so is loaded successfully!
Emulation is now enabled


Am I missing something? Or did I make a mistake?