Norimaci:一款针对macOS的轻量级恶意软件分析沙箱
关于Norimaci
Norimaci是一款针对macOS的轻量级恶意软件分析沙箱,Norimaci使用了OpenBSM和Monitor.app的功能来监控macOS操作系统的活动(没有使用Sysinternals进程监视器procmon。在该工具的帮助下,广大研究人员可以轻松监控macOS下的恶意软件活动情况。
Norimaci主要由下列三个Python脚本组成:
norimaci.py : 主功能脚本 openbsmconv.py : OpenBSM审计日志转换器 monitorappconv.py : Monitor.app日志转换器
OpenBSM是一个专门用于审计macOS互动的框架,而Monitor.app这是FireEye开发的一款免费工具。
工具要求
OS X 10.6或更高版本(已在macOS 10.13 - 10.15上进行过测试) VMware Fusion、Parallels、VirtualBox等 Python 3.5或更高版本 Monitor.app(可选) py-applescript PyObjC dnslib
准备工作
构建虚拟机来执行恶意软件
我们需要构建一个macOS虚拟机来执行恶意软件样本。除此之外,我们建议构建另一个虚拟机来建立伪造的网络连接。此时可以使用PolarProxy和INetSim可以提供伪造的HTTP/HTTPS以及DNS服务。
编辑/etc/security/audit_control
如果你使用OpenBSM来监控系统活动,则需要按照下列方式修改/etc/security/audit_control文件:
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa,fc,fd,pc,nt,ex <- edit here like this
minfree:5
naflags:lo,aa,fc,fd,pc,nt,ex <- edit here like this
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated工具安装
广大研究人员可以使用下列命令将该项目源码克隆至本地:
git clone https://github.com/mnrkbys/norimaci.git工具使用
结合OpenBSM使用
1、使用sudo运行norimaci.py; 2、运行恶意软件样本; 3、等待一会儿...; 4、适当的时候在Norimaci运行的终端窗口中按下Ctrl+C; 5、此时将生成两类报告,即Norimaci_dd_Mon_yy__hh_mm_ffffff.txt和Norimaci_dd_Mon_yy__hh_mm_ffffff_timeline.csv; 6、确认报告可用;
$ sudo python3 ./norimaci.py -m openbsm -o ./out/
Password:
--===[ Norimaci v0.1.0
--===[ Minoru Kobayashi [@unkn0wnbit]
[*] Launching OpenBSM agent...
[*] When runtime is complete, press CTRL+C to stop logging.
^C
[*] Termination of OpenBSM agent commencing... please wait
[*] Converting OpenBSM data ...
[*] Loading converted macOS activity data ...
[*] Saving report to: /Users/macforensics/tools/norimaci/out/Norimaci_14_Jan_20__15_55_093219.txt
[*] Saving timeline to: /Users/macforensics/tools/norimaci/out/Norimaci_14_Jan_20__15_55_093219_timeline.csv结合Monitor.app使用
注意:Monitor.app无法在macOS 10.15上运行,但支持macOS 10.14及之前版本。
1、使用sudo运行norimaci.py; 2、Norimaci启动Monitor.py后输入密码,因为Monitor.app需要密码来安装它的kext文件; 3、运行一个恶意软件样本; 4、等待一段时间...; 5、适当的时候在Norimaci运行的终端窗口中按下Ctrl+C; 6、此时将生成两类报告,即Norimaci_dd_Mon_yy__hh_mm_ffffff.txt和Norimaci_dd_Mon_yy__hh_mm_ffffff_timeline.csv; 7、确认报告可用;
脚本帮助信息
norimaci.py
$ python3 ./norimaci.py -h
--===[ Norimaci v0.1.0
--===[ Minoru Kobayashi [@unkn0wnbit]
usage: norimaci.py [-h] [-m MONITOR] [-j JSON] [-bl OPENBSM_LOG] [-p PROCLIST]
[-ml MONITORAPP_LOG] [-o OUTPUT] [--force] [--debug]
Light weight sandbox which works with OpenBSM or Fireeye's Monitor.app
optional arguments:
-h, --help show this help message and exit
-m MONITOR, --monitor MONITOR
Specify a program to monitor macOS activity. You can
choose 'openbsm' or 'monitorapp'.
-j JSON, --json JSON Path to a JSON file which is converted by
'openbsmconv.py' or 'monitorappconv.py'.
-bl OPENBSM_LOG, --openbsm-log OPENBSM_LOG
Path to an OpenBSM log file.
-p PROCLIST, --proclist PROCLIST
Path to a process list file to process OpenBSM log
file. A file which has ".proclist" extnsion would be
used, if this option is not specified.
-ml MONITORAPP_LOG, --monitorapp-log MONITORAPP_LOG
Path to a Monitor.app data file.
-o OUTPUT, --output OUTPUT
Path to an output directory.
--force Enable to overwrite output files.
--debug Enable debug mode.openbsmconv.py
$ python3 ./openbsmconv.py -h
usage: openbsmconv.py [-h] [-f FILE] [-p PROCLIST] [-o OUT] [-c] [-rp]
[--with-failure] [--with-failure-socket] [--force]
[--debug]
Converts OpenBSM log file to JSON format.
optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE Path to a bsm log file
-p PROCLIST, --proclist PROCLIST
Path to a process list file
-o OUT, --out OUT Path to an output file
-c, --console Output JSON data to stdout.
-rp, --use-running-proclist
Use current running process list instead of a existing
process list file. And, the process list is saved to a
file which places in the same directory of '--file' or
to a file which specified '--proclist'.
--with-failure Output records which has a failure status too.
--with-failure-socket
Output records which has a failure status too (related
socket() syscall only).
--force Enable to overwrite an existing output file.
--debug Enable debug mode.monitorappconv.py
$ python3 ./monitorappconv.py -h
usage: monitorappconv.py [-h] [-f FILE] [-o OUT] [-c] [--force] [--debug]
Parses data of Fireeye Monitor.app and converts it to JSON format. Please note
that strings in JSON data are saved as UTF-8.
optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE Path to a saved data of Monitor.app.
-o OUT, --out OUT Path to an output file.
-c, --console Output JSON data to stdout.
--force Enable to overwrite an output file.
--debug Enable debug mode.工具使用演示
https://image.3001.net/images/20220706/1657104485_62c568657f6e4a6d413ac.gif
许可证协议
本项目的开发与发布遵循Apache-2.0开源许可证协议。
项目地址
https://github.com/mnrkbys/norimaci
参考资料
https://github.com/Rurik/Noriben
http://www.trustedbsd.org/openbsm.html
https://www.fireeye.com/services/freeware/monitor.html
https://github.com/rdhyee/py-applescript
https://bitbucket.org/ronaldoussoren/pyobjc
https://bitbucket.org/paulc/dnslib/
https://www.netresec.com/?page=Blog&month=2019-12&post=Installing-a-Fake-Internet-with-INetSim-and-PolarProxy
精彩推荐
腾讯云开发者
