Samples not analyzed on Linux guest (Ubuntu 18.04 32-bits) #562
Comments
Did you compile systemtap and start it? You always need to enforce a timeout on Linux samples.
So as you can see, no systemtap module; that's why you don't have behaviour.
On Sun., 22 Aug. 2021 16:42, Octavian ***@***.***> wrote:
… did you compile systemtap and started it? you always need to enforce
timeout on linux samples
***@***.***:~$ sudo patch /usr/share/systemtap/tapset/linux/sysc_execve.stp < expand_execve_envp.patch
patching file /usr/share/systemtap/tapset/linux/sysc_execve.stp
Hunk #1 FAILED at 33.
Hunk #2 FAILED at 57.
Hunk #3 FAILED at 75.
Hunk #4 FAILED at 97.
patch: **** Can't reopen file /usr/share/systemtap/tapset/linux/sysc_execve.stp : No such file or directory
***@***.***:~$ sudo patch /usr/share/systemtap/tapset/uconversions.stp < escape_delimiters.patch
patching file /usr/share/systemtap/tapset/uconversions.stp
Hunk #1 FAILED at 95.
Hunk #2 FAILED at 359.
Hunk #3 FAILED at 439.
Hunk #4 FAILED at 967.
Hunk #5 FAILED at 1002.
5 out of 5 hunks FAILED -- saving rejects to file /usr/share/systemtap/tapset/uconversions.stp.rej
***@***.***:~$ apt-cache show systemtap
Package: systemtap
Priority: optional
Section: universe/devel
Installed-Size: 2753
Maintainer: Ubuntu Developers ***@***.***>
Original-Maintainer: Ritesh Raj Sarraf ***@***.***>
Architecture: i386
Version: 2.9-2ubuntu2
Depends: systemtap-runtime (= 2.9-2ubuntu2), libavahi-client3 (>= 0.6.16), libavahi-common3 (>= 0.6.16), libc6 (>= 2.15), libdw1 (>= 0.158), libelf1 (>= 0.142), libgcc1 (>= 1:4.2), libnspr4 (>= 2:4.9-2~) | libnspr4-0d (>= 1.8.0.10), libnss3 (>= 2:3.13.4-2~) | libnss3-1d (>= 3.12.6), libsqlite3-0 (>= 3.5.9), libstdc++6 (>= 5.2), systemtap-common (= 2.9-2ubuntu2), make
Suggests: systemtap-doc, vim-addon-manager
Filename: pool/universe/s/systemtap/systemtap_2.9-2ubuntu2_i386.deb
Size: 961442
MD5sum: a4760202cf2cbd2d50b144713c90a82e
SHA1: 188cb9d30a636ca5d2829ca571a86729b2382c99
SHA256: e1c23af278a23423221b22a55aa86204d3e15f0699d87a25c941813e6d33c86f
Description-en: instrumentation system for Linux
SystemTap provides infrastructure to simplify the gathering of
information about the running Linux system.
This assists diagnosis of a performance or functional problem.
SystemTap eliminates the need for the developer to go through the
tedious and disruptive instrument, recompile, install, and reboot
sequence that may be otherwise required to collect data.
.
SystemTap provides a simple command line interface and scripting
language for writing instrumentation for a live running system.
Description-md5: 0aaa66102baf710a00ed98dc88fd7534
Homepage: http://sourceware.org/systemtap/
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
@doomedraven Tried to patch it but failed with those mentioned errors.
Well, as you can see in the docs, the systemtap patches were done for Ubuntu 17.10 (dead, not LTS); they don't work on any other version, so if you need it you need to update the systemtap patches for Ubuntu 18/20 (LTS).
Let alone Ubuntu 18.04, I tried on Ubuntu 16.04 and I am not sure what I should modify inside the patches (expand_execve_envp.patch & escape_delimiters.patch) in order to make them work for another distro. 17.10 is no longer supported and you cannot update it with
Yes, we are aware of that; it wasn't written by us, it was written by one of the ex-Cuckoo devs. So, as I told you, it is mostly only useful for network traffic. If you really need it, I would suggest you investigate what changes are required to systemtap.
I guess we can close as the original issue is solved.
Expected Behavior
Receive a detailed analysis (static, dynamic) after detonating ELF files or bash scripts on a Linux guest (32-bit).
Current Behavior
I only receive information about VirusTotal. I suspect the files are not detonated.
Analysis works perfectly well with Win7 and Win10 guests, but I am unable to receive a meaningful result after detonating ELF (32-bit) files or bash scripts inside a Linux (Ubuntu 18.04 32-bit) guest.
The VM starts and stops in less than 3 seconds. I suspect the file is not executed. I tried chmod +x OR chmod 777 but nothing changed.
Failure Information (for bugs)
```
2021-08-19 08:41:32,901 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2021-08-19 08:42:17,208 [lib.cuckoo.core.scheduler] INFO: Task #25: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_zm06lyhx/shell32.elf'
2021-08-19 08:42:17,235 [lib.cuckoo.core.scheduler] INFO: Task #25: acquired machine ubuntu (label=/root/vmware/Ubuntu/Ubuntu.vmx, platform=linux)
2021-08-19 08:42:27,485 [lib.cuckoo.core.scheduler] INFO: Enabled route 'none'
2021-08-19 08:42:27,510 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 18642 (interface=vmnet2, host=172.16.18.129, dump path=/opt/CAPEv2/storage/analyses/25/dump.pcap)
2021-08-19 08:42:27,537 [lib.cuckoo.core.guest] INFO: Starting analysis #25 on guest (id=ubuntu, ip=172.16.18.129)
2021-08-19 08:42:28,639 [lib.cuckoo.core.guest] INFO: Guest is running CAPE Agent 0.11 (id=ubuntu, ip=172.16.18.129)
2021-08-19 08:42:36,477 [lib.cuckoo.core.guest] INFO: Uploading support files to guest (id=ubuntu, ip=172.16.18.129)
2021-08-19 08:42:37,528 [lib.cuckoo.core.guest] INFO: ubuntu: analysis completed successfully
2021-08-19 08:42:38,719 [lib.cuckoo.core.scheduler] INFO: Task #25: analysis procedure completed
2021-08-19 09:03:39,034 [lib.cuckoo.core.scheduler] INFO: Task #26: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_836l0b2a/myscript.sh'
2021-08-19 09:03:39,047 [lib.cuckoo.core.scheduler] INFO: Task #26: acquired machine ubuntu (label=/root/vmware/Ubuntu/Ubuntu.vmx, platform=linux)
2021-08-19 09:03:49,062 [lib.cuckoo.core.scheduler] INFO: Enabled route 'none'
2021-08-19 09:03:49,095 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 20263 (interface=vmnet2, host=172.16.18.129, dump path=/opt/CAPEv2/storage/analyses/26/dump.pcap)
2021-08-19 09:03:49,126 [lib.cuckoo.core.guest] INFO: Starting analysis #26 on guest (id=ubuntu, ip=172.16.18.129)
2021-08-19 09:03:50,248 [lib.cuckoo.core.guest] INFO: Guest is running CAPE Agent 0.11 (id=ubuntu, ip=172.16.18.129)
2021-08-19 09:03:52,934 [lib.cuckoo.core.guest] INFO: Uploading support files to guest (id=ubuntu, ip=172.16.18.129)
2021-08-19 09:03:53,983 [lib.cuckoo.core.guest] INFO: ubuntu: analysis completed successfully
2021-08-19 09:03:55,138 [lib.cuckoo.core.scheduler] INFO: Task #26: analysis procedure completed
```
Steps to Reproduce
Context
OS version: Ubuntu 18.04 32-bit (guest), Ubuntu 20.04 64-bit (host)
Failure Logs
cuckoo.txt
processing.txt
vmware.txt
web.txt
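The scheduler/guest log above is the only evidence the reporter had that the sample never ran: the guest reports "analysis completed successfully" only seconds after "Starting analysis", far too quickly for a detonation with an enforced timeout. The following added example (not part of CAPE or this issue) parses that CAPE log format and flags tasks whose guest-side run is shorter than an assumed threshold, so a sandbox operator can catch "no behaviour captured" runs automatically; the sample lines are copied from the issue, and the 30-second threshold is an assumption.

```python
import re
from datetime import datetime

# Sample input: scheduler/guest log lines quoted from the issue report.
SAMPLE_LOG = """\
2021-08-19 08:42:17,208 [lib.cuckoo.core.scheduler] INFO: Task #25: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_zm06lyhx/shell32.elf'
2021-08-19 08:42:27,537 [lib.cuckoo.core.guest] INFO: Starting analysis #25 on guest (id=ubuntu, ip=172.16.18.129)
2021-08-19 08:42:37,528 [lib.cuckoo.core.guest] INFO: ubuntu: analysis completed successfully
2021-08-19 08:42:38,719 [lib.cuckoo.core.scheduler] INFO: Task #25: analysis procedure completed
2021-08-19 09:03:39,034 [lib.cuckoo.core.scheduler] INFO: Task #26: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_836l0b2a/myscript.sh'
2021-08-19 09:03:49,126 [lib.cuckoo.core.guest] INFO: Starting analysis #26 on guest (id=ubuntu, ip=172.16.18.129)
2021-08-19 09:03:53,983 [lib.cuckoo.core.guest] INFO: ubuntu: analysis completed successfully
2021-08-19 09:03:55,138 [lib.cuckoo.core.scheduler] INFO: Task #26: analysis procedure completed
"""

# "<timestamp> [<module>] <LEVEL>: <message>" as written by the CAPE logger.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<mod>[^\]]+)\] (?P<lvl>\w+): (?P<msg>.*)$")
TASK_FILE_RE = re.compile(r"Task #(?P<task>\d+): Starting analysis of FILE '(?P<path>[^']+)'")
GUEST_START_RE = re.compile(r"Starting analysis #(?P<task>\d+) on guest \(id=(?P<guest>[^,]+)")
GUEST_DONE_RE = re.compile(r"^(?P<guest>\S+): analysis completed successfully$")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f")


def guest_runtimes(log_text):
    """Return {task_id: {"path", "guest", "seconds"}} with the guest-side duration per task."""
    tasks, running_on = {}, {}  # running_on maps guest id -> task id currently on it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if (f := TASK_FILE_RE.search(msg)):
            tasks[int(f["task"])] = {"path": f["path"], "guest": None, "seconds": None}
        elif (s := GUEST_START_RE.search(msg)):
            tid = int(s["task"])
            tasks.setdefault(tid, {"path": None, "guest": None, "seconds": None})
            tasks[tid].update(guest=s["guest"], _start=ts)
            running_on[s["guest"]] = tid
        elif (d := GUEST_DONE_RE.match(msg)):
            tid = running_on.pop(d["guest"], None)  # completion line names only the guest
            if tid is not None and "_start" in tasks[tid]:
                tasks[tid]["seconds"] = (ts - tasks[tid].pop("_start")).total_seconds()
    return tasks


def suspiciously_short(log_text, min_seconds=30.0):
    """Task ids whose guest run ended before min_seconds: likely no detonation/behaviour."""
    return sorted(t for t, info in guest_runtimes(log_text).items()
                  if info["seconds"] is not None and info["seconds"] < min_seconds)
```

Both tasks from the issue are flagged with the default threshold (about 10 s and 5 s on the guest); a run that actually honours the analysis timeout would be well past it.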