VMCloak 0.3: Totally revamped & Office support
[To quickly summarize - VMCloak is a tool for automatically creating, cloning,
and cloaking Virtual Machines to be used for Cuckoo Sandbox].
Earlier of this year I released VMCloak 0.2. Now the time has come
for the next release, 0.3. Most notable about this release is the revamped
command-line usage, the improvements with regards to installing dependencies
in the Virtual Machine, and the latest dependency, Office 2007. Thanks to
LookingGlass Cyber Solutions for supporting the development towards
this release including the Microsoft Office 2007 integration.
So what about it?
The new command-line interface feels a bit more hipster and less obtuse
compared to how its usage used to be. Most importantly, setting up a Virtual
Machine is no longer a one-shot action. Instead there are now a couple of
different subcommands, each to fulfill their own task.
In addition to that the new VMCloak version utilizes the new
Cuckoo Agent – it is less Cuckoo-specific and features more general
purpose uses, allowing easier communication between the VM and the various
VMCloak subcommands.
The subcommands.
As a few new commands are now available it does make sense to elaborate on
them a little bit. So here goes. Note that all commands can be ran either by
calling vmcloak-xyz or vmcloak xyz on the command-line.
vmcloak-init is the new command to initialize a new Virtual Machine. One
can specify a couple of flags, but the most important one is whether this is
going to be a Windows XP VM or a Windows 7 VM, and in the case of Windows 7
whether it will 32-bit or 64-bit (32-bit being the default).
So to get started we can run the following command to create a new 64-bit
Windows 7 VM. Note that this will be a VM internal to VMCloak – it can not
be used right away in Cuckoo. For Windows XP setups a serial key is also
required, on Windows 7 a serial key is optional (by default a dummy key
provided by Microsoft is used). And also, just like before you
still have to mount the Windows ISO file and setup vboxnet0.
# Install the latest vmcloak. sudo pip install vmcloak --upgrade # Mount the Windows 7 Installer ISO. sudo mkdir -p /mnt/win7 sudo mount -o loop,ro win7.iso /mnt/win7 # Ensure the hostonly adapter is up. vmcloak-vboxnet0 # Actually initialize the 64-bit Windows 7 VM. vmcloak init --win7x64 seven0
Fast-forward 15 to 20 minutes Windows has now been installed in your VM, the
VM has been shutdown, and the VM has been removed from the VirtualBox
interface. All that remains is a VirtualBox harddisk file (.vdi file) in
~/.vmcloak/image and an entry about this new VM in VMCloaks new sqlite3
database.
Moving forward it is time to install a couple of software packages in the VM.
Using vmcloak-install we will now install all of the currently supported
dependencies. The first parameter represents the name of our VM followed by
all the dependencies that should be installed.
vmcloak install seven0 adobe9 wic pillow dotnet40 java7
Now to install Office 2007, assuming you have a valid ISO and serial key, one
can achieve to do so as follows. The ISO path and serial key have to be
provided as options to the dependency.
vmcloak install seven0 office2007 \ office2007.isopath=/path/to/a.iso \ office2007.serialkey=ABC-DEF
If required one can also easily do manual changes to VMCloak VMs now. By
calling vmcloak-modify with the VM name as only parameter it is possible
to change everything to your likings and simply by shutting the VM down, from
within Windows, the changes are made persistent. If you are running VMCloak
locally then the –vm-visible argument makes sense. For remote interaction
with the VM you should enable VRDE support on the VM and connect to it (e.g.,
through rdesktop -KPz ip:3389).
Finally there is the vmcloak-snapshot command which makes a snapshot of
your VM. There are a couple of options available for this command, but it is
mostly providing the name of the VMCloak VM, the name of the resulting VM as
it will be used by Cuckoo, and the static IP address to assign.
vmcloak snapshot seven0 cuckoo1 192.168.56.101
It is important to understand that after creating a snapshot of a VMCloak VM,
as one does by running the vmcloak-snapshot command on it, the VMCloak VM
becomes immutable. That is, you will no longer be able to run
vmcloak-install or vmcloak-modify on it. The reasoning behind this is to
save on valuable resources. Filling your harddisk is quite easy when you have
twenty Windows 7 VMs which each take up to 10GB.
If one decides he or she would like to update a VMCloak VM that is of course
still possible. For now the only way down that road is by cloning that
particular VMCloak VM. In the following example we clone seven0 to
seven0p1 (or, seven0 with one patch applied).
vmcloak clone seven0 seven0p1
I hope to have shed some light on the latest release. Going at it one step at
a time, life has just gotten slightly easier again.