1. Third-party tools and libraries used by Cuckoo
Yara:http://plusvic.github.io/yara/
Pydeep:https://github.com/kbandla/pydeep
Yara is a tool for scanning files against patterns (signatures);
Pydeep is a tool for computing a digest of a buffer or of a file, and for analysing the similarity of two files from their digests.
Pydeep is a Python rewrite based on the ssdeep project, and ssdeep was developed from the following paper:
http://dfrws.org/2006/proceedings/12-Kornblum.pdf
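As an added illustration of what that paper describes (this is my own sketch, not pydeep's or ssdeep's code): a rolling hash decides where each piece of the input ends, one base64 character per piece forms the signature, and two signatures are scored 0..100. The scoring via difflib.SequenceMatcher and the sample byte strings are my simplifications and constructions; real ssdeep uses a weighted edit distance and an extra blocksize-selection pass.

```python
import random
from difflib import SequenceMatcher
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MIN_BLOCKSIZE, SIG_LEN, WINDOW, FNV_INIT = 3, 64, 7, 0x811C9DC5

def _rolling(data):  # ssdeep-style rolling hash over the last WINDOW bytes
    h1 = h2 = h3 = 0
    win = [0] * WINDOW
    for i, b in enumerate(data):
        h2 = h2 - h1 + WINDOW * b          # weighted sum of the window
        h1 = h1 + b - win[i % WINDOW]      # plain sum of the window
        win[i % WINDOW] = b
        h3 = ((h3 << 5) ^ b) & 0xFFFFFFFF  # shift/xor mixer
        yield (h1 + h2 + h3) & 0xFFFFFFFF

def _piece_hash(data, blocksize):
    """One base64 char per piece; a piece ends where the rolling hash triggers."""
    sig, h = [], FNV_INIT
    for b, rh in zip(data, _rolling(data)):
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF  # FNV-1a over the current piece
        if rh % blocksize == blocksize - 1:      # context trigger
            sig.append(B64[h & 63])
            h = FNV_INIT
    if h != FNV_INIT:                            # flush the unfinished last piece
        sig.append(B64[h & 63])
    return "".join(sig)

def fuzzy_hash(data: bytes) -> str:
    """Return 'blocksize:sig:sig_at_double_blocksize', shaped like an ssdeep digest."""
    bs = MIN_BLOCKSIZE
    while bs * SIG_LEN < len(data):  # grow until ~64 pieces cover the input
        bs *= 2
    return f"{bs}:{_piece_hash(data, bs)}:{_piece_hash(data, bs * 2)}"

def compare(h1: str, h2: str) -> int:
    """0..100 similarity; only signatures at equal blocksizes are comparable."""
    (b1, s1, t1), (b2, s2, t2) = h1.split(":"), h2.split(":")
    score = lambda x, y: round(100 * SequenceMatcher(None, x, y).ratio())
    if b1 == b2:
        return max(score(s1, s2), score(t1, t2))
    if int(b1) == 2 * int(b2):
        return score(s1, t2)
    return score(t1, s2) if int(b2) == 2 * int(b1) else 0

def _rand_bytes(seed, n):  # deterministic pseudo-random sample data
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

SAMPLE_A = _rand_bytes(1, 2000)                               # constructed sample
SAMPLE_B = SAMPLE_A[:1000] + bytes(20) + SAMPLE_A[1020:]      # A with a 20-byte patch
SAMPLE_C = _rand_bytes(2, 2000)                               # unrelated content
```

Unlike a cryptographic hash, a small patch leaves most of the signature intact, which is why compare(A, B) stays high while compare(A, C) is low.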
- Dpkt (Highly Recommended): for extracting relevant information from PCAP files.
- Jinja2 (Highly Recommended): for rendering the HTML reports and the web interface.
- Magic (Optional): for identifying files’ formats (otherwise use “file” command line utility)
- Pydeep (Optional): for calculating ssdeep fuzzy hash of files.
- Pymongo (Optional): for storing the results in a MongoDB database.
- Yara and Yara Python (Optional): for matching Yara signatures (use release 1.7 or above or the svn version).
- Libvirt (Optional): for using the KVM machine manager.
- Bottlepy (Optional): for using the api.py or web.py utility (use release 0.10 or above).
- Django (Optional): for using the web interface (use release 1.5 or above).
- Pefile (Optional): used for static analysis of PE32 binaries.
- Volatility (Optional): used for forensic analysis on memory.
- MAEC Python bindings (Optional): used for MAEC reporting (use release 4.0 or above).
- Chardet (Optional): used for detecting string encoding.
- Source: http://docs.cuckoosandbox.org/en/latest/installation/host/requirements/
2. Installing the Cuckoo host on Windows
Reference: follow the pip tutorial in http://www.cnblogs.com/long123king/p/3494011.html
http://www.lfd.uci.edu/~gohlke/pythonlibs/#pip
pip install sqlalchemy bson