Chapter 8. Automation
Many of the actions you perform when analyzing malware can be automated. As a general rule, if you find yourself running the same commands over and over again, then it's probably a good idea to create scripts to automate these tasks. This chapter presents several Python modules that allow you to transfer, execute, and monitor malware in virtual environments such as VirtualBox and VMware. We don't cover all of the possible actions that you may want to automate, but we'll show you enough to get started and point you in the right direction for developing your own extensions. If you're looking for a solution that doesn't require any programming, this chapter presents some preconfigured environments such as ZeroWine and Buster Sandbox Analyzer.
The Analysis Cycle
Figure 8-1 shows the general steps for creating an automated sandbox, whether you're working with virtual machines or physical machines. Before starting an analysis, you'll create a baseline of the system on which you plan to execute malware. The baseline consists of existing files (names, hashes, timestamps), registry contents, memory contents, and so on.
Begin in a clean state. If you're working with virtual machines, you must revert the VM to the baseline snapshot at the beginning of each analysis so you can start with a clean system. If you're working with physical machines, then this step is where you re-image the machine's disk with a baseline image (see the Truman and FOG recipes in Chapter 7).
Transfer ...
Get Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.