“This is why REMnux was designed. The operating system is a lightweight version of Ubuntu, distributed as a virtual machine. It can be started on a variety of virtual-machine platforms, or launched through X Windows.
REMnux is a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.

About REMnux
REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially malicious connections to the REMnux system, which is listening on the appropriate ports.
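The redirection described above is what the fakedns script on REMnux provides: every name the infected system asks for resolves to the REMnux box, so the sample's outbound traffic lands on services you control. The following is an added example, not the page's or REMnux's own fakedns code: a minimal UDP DNS responder in Python that answers every A query with one configurable lab address. The 192.168.56.10 address and the example.com names are assumptions. Non-A queries (for example AAAA) get an empty NOERROR reply so the client falls back to an A lookup instead of treating the name as dead.

```python
"""Minimal fake DNS responder for a malware lab (added example, not REMnux's fakedns).

Answers every A/IN query with one fixed address so that a sample running on the
infected lab VM connects to the analysis box instead of the real Internet.
Point the infected VM's DNS setting at the host running this script.
"""
import socket
import struct

REMNUX_IP = "192.168.56.10"  # assumption: the lab address of the REMnux VM


def build_query(txid: int, name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Encode a single-question DNS query (used here to construct test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, qclass, offset just past the question section)."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("packet carries no question")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("unexpected compression pointer in query")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, pos + 4


def build_response(query: bytes, answer_ip: str, ttl: int = 60) -> bytes:
    """Build a response that resolves any A/IN question to answer_ip.

    Other query types get an empty NOERROR reply, which makes typical resolvers
    fall back to an A lookup rather than treating the name as unresolvable.
    """
    txid, _name, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]  # echo the question section verbatim
    answers = b""
    ancount = 0
    if qtype == 1 and qclass == 1:
        # NAME is a pointer to offset 12 (the question's QNAME), TYPE A, CLASS IN
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0 (NOERROR)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)
    return header + question + answers


def serve(answer_ip: str = REMNUX_IP, bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """Listen on UDP/53 (needs root) and log every name the sample looks up."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _txid, name, qtype, _qclass, _ = parse_question(data)
            print(f"{peer[0]} asked for {name} (type {qtype}) -> {answer_ip}")
            sock.sendto(build_response(data, answer_ip), peer)
        except ValueError as exc:
            print(f"ignoring malformed packet from {peer[0]}: {exc}")


if __name__ == "__main__":
    serve()
```

Run it with sudo on the REMnux VM (port 53 is privileged), set the infected VM's DNS server to the REMnux address, and watch the log of names the sample resolves; each one is a candidate indicator, and the connection that follows can be captured with Wireshark or served by INetSim on the same box.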
REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.
You can learn about malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking my course on Reverse-Engineering Malware (REM) at SANS Institute.
What REMnux Is Not
REMnux isn't a fancy distribution that was built from scratch. In simple terms, it's a virtual machine that runs Ubuntu and has various useful malware analysis tools set up on it.
REMnux does not aim to include all malware analysis tools in existence. Many of these tools are designed to work on Windows, and investigators prefer to use Windows systems for running such tools. If you are interested in running Windows analysis tools on a Linux platform, take a look at the Zero Wine project.
If you are looking for a more full-featured Linux distribution focused on forensic analysis, take a look at the SANS Investigative Forensic Toolkit (SIFT) Workstation.
Downloading REMnux
You can download the REMnux distribution as a VMware virtual machine, which is encapsulated in a zip archive file. The file's MD5 hash is dc28330411acafc6b7f595a11e8b7ea4.
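Before extracting the archive, compare its MD5 hash with the value above. The following is an added example, not code from the page: a small Python check that hashes the zip in chunks (the archive is large) and compares the result with the published digest. The limitation is worth stating: a matching MD5 shows the download was not corrupted in transit, but MD5 is not collision-resistant and the digest is published on the same page as the download link, so this is an integrity check, not proof of authenticity. The archive name remnux.zip is an assumption; the helper that builds a throwaway file with constructed contents exists so the check can be exercised without the real archive.

```python
"""Verify the MD5 digest of a downloaded archive (added example, not page code)."""
import hashlib
import os
import sys
import tempfile
from typing import Optional, Tuple

# Published digest for the REMnux zip, copied from the page above.
REMNUX_ZIP_MD5 = "dc28330411acafc6b7f595a11e8b7ea4"


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string, as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def file_md5(path: str, chunk_size: int = 1 << 20) -> str:
    """MD5 of a file, read in 1 MiB chunks so a multi-hundred-MB zip does not fill RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_md5(path: str, expected: str) -> Tuple[bool, str]:
    """Return (matches, actual_hex). Tolerates upper-case digests and stray whitespace."""
    actual = file_md5(path)
    return actual == expected.strip().lower(), actual


def verify_with_constructed_file(content: bytes = b"hello\n",
                                 expected: Optional[str] = None) -> Tuple[bool, str]:
    """Exercise verify_md5 on a temporary file whose contents are constructed here.

    If no expected digest is given, the digest of the constructed content is used,
    so the call demonstrates the positive path; pass a different digest to see a mismatch.
    """
    if expected is None:
        expected = md5_hex(content)
    fd, path = tempfile.mkstemp(prefix="remnux-md5-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
        return verify_md5(path, expected)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "remnux.zip"  # assumption: archive name
    ok, actual = verify_md5(target, REMNUX_ZIP_MD5)
    print(f"{target}: {actual} -> {'OK' if ok else 'MISMATCH, do not use this download'}")
```

On the command line the same check is `md5sum remnux.zip`, compared by eye; the script exists to make the comparison explicit and to stop you from opening a mismatching archive out of habit.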
Note that at the moment, REMnux is only available as a virtual machine. If you'd like to help turn it into an ISO image of a Live DVD, please let me know.
Questions on and Improvements to REMnux
Do you have recommendations for making REMnux more useful? If so, please let me know. You can contact me via email through my website or via Twitter. You're welcome to get in touch with me if you have questions regarding using REMnux.
Another, and sometimes faster, option is to use the REMnux discussion forum on SourceForge.
A Brief User Guide To REMnux
Since REMnux is an Ubuntu-based Linux distribution, you need to be familiar with the basic aspects of using Linux to make use of REMnux. The good news is that you don't need to know how to perform system administration tasks to find REMnux useful, since many malware analysis tools are already preinstalled on REMnux. Below are some notes to help you get started and become comfortable in REMnux.
Getting Started With REMnux
REMnux is distributed as a VMware virtual machine. The easiest way to boot up REMnux is to use a VMware product, such as VMware Player, VMware Server, or VMware Workstation. You should be able to use other virtualization software, such as VirtualBox, which is able to import VMware virtual machine images.
Download the REMnux distribution zip file. Extract the file's contents into a dedicated directory. Open the .vmx file using the virtualization tool, such as VMware Player. The REMnux virtual machine should start up.
To log into REMnux, use the username "remnux" and the password "malware". You cannot log in directly as "root". If the command you wish to run requires root privileges, log in as "remnux" and use "sudo" to run the privileged command. REMnux is designed with the expectation that you will run all tools and commands while logged in as the "remnux" user. (If you want to get a root shell, simply run "sudo bash".)
REMnux is distributed with the US keyboard layout. To switch the layout on the console, run "sudo dpkg-reconfigure console-setup". To switch the layout in X, use the "setxkbmap" command; for instance, to switch to a German keyboard layout, use "setxkbmap de".
The X Environment On REMnux
REMnux starts up in a text-only console mode. After logging in as the "remnux" user from the console, type "startx" to launch the X Window System. REMnux uses the Enlightenment window manager, rather than the more popular, but "heavy", GNOME or KDE. This is to keep the footprint of the virtual machine as small as possible.
When you minimize a window in Enlightenment, it will "fall" into the small icon container at the bottom right corner of the screen. To restore the window, click on its icon in the container.
To change the resolution of the REMnux screen in X, run "xrandr" to see supported resolutions, then run "xrandr -s" to specify the desired resolution, such as "xrandr -s 1024x768". Another option is to install VMware Tools, which will allow auto-changing the resolution to match the geometry of the VMware window.
To launch programs in REMnux, type the commands into an XTerm window. If you closed all XTerm windows and wish to open a new one, click on the desktop, select User Application List and click XTerm. If you wish to launch an XTerm with a scroll bar, run "xterm -sb".
Malware Analysis Tools Set Up On REMnux
Analyzing Flash malware: swftools, flasm, flare
Analyzing IRC bots: IRC server (Inspire IRCd) and client (Irssi). To launch the IRC server, type "ircd start"; to shut it down, type "ircd stop". To launch the IRC client, type "irc".
Network monitoring and interactions: Wireshark, Honeyd, INetSim, fakedns and fakesmtp scripts, NetCat
JavaScript deobfuscation: Firefox with the Firebug, NoScript and JavaScript Deobfuscator extensions, Rhino debugger, two versions of patched SpiderMonkey, Windows Script Decoder, Jsunpack-n
Interacting with web malware in the lab: TinyHTTPd, Paros proxy
Analyzing shellcode: gdb, objdump, Radare (hex editor + disassembler), shellcode2exe
Dealing with protected executables: upx, packerid, bytehist, xorsearch, TRiD
Malicious PDF analysis: Didier's PDF tools, Origami framework, Jsunpack-n, pdftk
Memory forensics: Volatility Framework and malware-related plugins
Miscellaneous: unzip, strings, ssdeep, feh image viewer, SciTE text editor, OpenSSH server
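Two of the tools in the "protected executables" line, bytehist and xorsearch, are simple enough to show in working code. The following is an added example, not the page's or those tools' own code, that does the same two jobs in Python: it builds a byte histogram and computes Shannon entropy to flag packed or encrypted data, and it tries every single-byte XOR key looking for a known string, which is how an xorsearch-style scan finds obfuscated URLs or PE headers. The buffer it runs on is constructed in the block: an HTTP request XORed with key 0x5A and padded with zero bytes, so the most frequent byte in the sample is the key itself, a common giveaway in real samples.

```python
"""Byte histogram, entropy and single-byte XOR search (added example, not bytehist/xorsearch)."""
import math
from collections import Counter
from typing import List, Tuple


def byte_histogram(data: bytes) -> Counter:
    """Count occurrences of each byte value (the data bytehist plots)."""
    return Counter(data)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: near 0 for constant data, near 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in byte_histogram(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic used by packer detectors: high entropy suggests compression or encryption."""
    return shannon_entropy(data) >= threshold


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (also used to build the sample below)."""
    return bytes(b ^ key for b in data)


def xor_search(data: bytes, needle: bytes) -> List[Tuple[int, int]]:
    """Return [(key, offset), ...] for every single-byte key under which needle appears.

    Instead of decoding the whole buffer 256 times, the needle is encoded under each
    key and searched for in the raw data, which is far cheaper on large files.
    """
    hits = []
    for key in range(256):
        encoded = xor_bytes(needle, key)
        start = data.find(encoded)
        while start != -1:
            hits.append((key, start))
            start = data.find(encoded, start + 1)
    return hits


# Constructed sample: an HTTP request hidden by XOR with key 0x5A, surrounded by zero padding.
# Zero bytes XORed with the key become the key, so the key shows up as the most common byte.
PLAINTEXT = (
    b"\x00" * 64
    + b"GET /update.php HTTP/1.1\r\nHost: c2.example.test\r\n"
    + b"\x00" * 64
)
SAMPLE = xor_bytes(PLAINTEXT, 0x5A)


def analyze(data: bytes = SAMPLE, needles=(b"Host: ", b"http://", b"MZ")) -> dict:
    """Run both checks and return the findings."""
    return {
        "entropy": round(shannon_entropy(data), 3),
        "top_bytes": byte_histogram(data).most_common(3),
        "xor_hits": {needle: xor_search(data, needle) for needle in needles},
    }


if __name__ == "__main__":
    result = analyze()
    print(f"entropy: {result['entropy']} bits/byte, most common bytes: {result['top_bytes']}")
    for needle, hits in result["xor_hits"].items():
        for key, offset in hits:
            decoded = xor_bytes(SAMPLE[offset:offset + 48], key)
            print(f"{needle!r} found with key 0x{key:02x} at offset {offset}: {decoded!r}")
```

Entropy alone does not distinguish a packer from legitimately compressed resources, so treat a high value as a reason to run packerid, TRiD and upx -d, not as a verdict; the XOR scan, by contrast, gives a concrete key and offset you can hand to a hex editor or Radare to decode the rest of the section.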
Notes On Running Some REMnux Tools And Commands
To use Honeyd, edit its configuration file in /etc/honeypot/honeyd.conf using "sudo scite /etc/honeypot/honeyd.conf". To launch Honeyd, run "farpd start" and "honeyd start"; to shut it down, run "honeyd stop" and "farpd stop".
To use the built-in web server, launch it with "httpd start"; shut it down with "httpd stop". To provide web browsers in your lab with the files of your choosing, place the files in /var/www.
To launch the SSH server, type "sshd start"; to shut it down, type "sshd stop".
REMnux is configured to automatically start a DHCP client. To determine which IP address was assigned to your instance of the REMnux virtual machine, type "myip". To reacquire your network configuration, type "restart-network".
To reboot your REMnux system, type "reboot"; to shut it down, type "shutdown".
The ~remnux/.bash_aliases file contains various "shortcuts" that may save you time when invoking the most commonly used tools and commands.
To use the Volatility Framework, switch to the directory where it is installed: ~remnux/volatility.
To use Jsunpack-n, switch to the directory where it is installed: ~remnux/jsunpack-n. Prior to using the tool for a new experiment, run "make clean" in its directory to remove the files from the previous experiment.
To install additional tools from the Ubuntu software repository, use apt-get after connecting your REMnux virtual machine to the Internet.