Installing Rudra to analyze PCAPs and PE files
Every malware analyst struggles now and then to analyze PE files in a hopefully mostly automated way. While PEStudio is definitely capable of doing this in a semi-automated way, at least in my opinion it is highly unstable.
Luckily, I found a project on GitHub called Rudra which does an awesome job in analyzing PE files and PCAPs. Since it took me some time to figure out all dependencies I thought it would be a good idea to create a post to help fellow security guys install this beast.
Prerequisites
While you can surely install it on Windows using Python, I highly recommend a Linux server for this purpose. In my tutorial I'll use an Ubuntu Server 18.04 to get the job done.
After installing the server, don't forget to run
# sudo apt-get update
# sudo apt-get upgrade
Getting Rudra
Clone the Rudra repository from GitHub to your Ubuntu Server:
# git clone https://github.com/7h3rAm/rudra
Installing the prerequisites
To be honest, this is where the pain begins, so I suggest you take a snapshot if you are running your server within a virtualized environment.
Afterwards you may start installing all prerequisites:
# sudo apt-get install python-dev libfuzzy-dev libpcap-dev pkg-config libgtk2.0-dev libnet1-dev libpcre3 libpcre3-dev libgeoip-dev libtool python-cairosvg wkhtmltopdf libxml2-dev libxslt-dev
Due to the number of packages to install this may take some minutes. Afterwards create a subfolder to house all dependencies we have to download manually:
# mkdir rudra/depends
# cd rudra/depends
pynids 0.6.1
# wget https://jon.oberheide.org/files/pynids-0.6.1.tar.gz
# tar xfz pynids-0.6.1.tar.gz
# rm pynids-0.6.1.tar.gz
# cd pynids-0.6.1
# python setup.py build
# sudo python setup.py install
yara 3.7.1
# sudo apt-get install yara
yara-python 3.7.0
If not installed yet, you may have to install pip before installing yara-python:
# sudo apt-get install python-pip python3-pip
Afterwards you can install yara-python:
# sudo pip install yara-python
libemu
# mkdir ../libemu
# cd ../libemu
# git clone https://github.com/gento/libemu
# cd libemu
# sudo autoreconf -v -i
Important: You have to edit the configure file to get rid of "locally defined but not used [-Werror=unused-local-typedefs]".
To achieve this you have to add -Wno-unused-local-typedefs to the CFLAGS section in line 14084 so it reads:
CFLAGS="${CFLAGS} -Wstrict-prototypes -Wno-unused-local-typedefs"
Afterwards you save the file and run:
# ./configure --prefix=/opt/libemu; sudo make install
After this you have to create the following file:
# sudo nano /etc/ld.so.conf.d/libemu.conf
and add the following line to it:
/opt/libemu/lib/
Save it and run the following command:
# sudo ldconfig
pylibemu
# sudo pip install pylibemu
aayudh
Create a directory in your depends directory and clone the corresponding Git repository:
# mkdir aayudh
# cd aayudh
# git clone https://github.com/7h3rAm/aayudh.git
# cd aayudh
# sudo pip install -r requirements.txt
# python setup.py build
# sudo python setup.py install
cigma
Create a directory in your depends directory and clone the corresponding Git repository:
# mkdir cigma
# cd cigma
# git clone https://github.com/7h3rAm/cigma
# cd cigma
# sudo python setup.py install
exiftool
Create a directory in your depends directory and clone the corresponding Git repository:
# mkdir exiftool
# cd exiftool
# git clone https://github.com/smarnach/pyexiftool.git
# cd pyexiftool
# python setup.py build
# sudo python setup.py install
pydasm
Create a directory in your depends directory and clone the corresponding Git repository:
# mkdir pydasm
# cd pydasm
# git clone https://github.com/axcheron/libdasm
# cd libdasm/pydasm
# sudo python setup.py build_ext
# sudo python setup.py install
Installing remaining rudra requirements through requirements.txt
If you made it to this point, grab yourself a cold beer and relax for a minute. We only have a few dependencies left. Yay!
First of all switch to the rudra directory you created at the beginning and edit the requirements.txt to delete the last line saying
yara=1.7.7
since we installed a newer version already. Don't forget to save the file afterwards!
Afterwards, install the requirements:
# sudo pip install -r requirements.txt
Unfortunately, there are still some dependencies left:
# sudo pip install utils fileutils cigma arrow
# sudo pip uninstall yara
Fixing pcapanalysis.py
At least in my environment I was unable to run r.py because it threw the following error:
Traceback (most recent call last):
  File "/home/rudra/rudra/r.py", line 5, in <module>
    from lib.core import config, rudra
  File "/home/rudra/rudra/lib/core/rudra.py", line 1, in <module>
    from aayudh.pcapanalysis import PCAPAnalysis
  File "/usr/local/lib/python2.7/dist-packages/aayudh-0.1-py2.7.egg/aayudh/pcapanalysis.py", line 8, in <module>
    import dpkt
  File "/usr/local/lib/python2.7/dist-packages/dpkt/__init__.py", line 24, in <module>
    import ethernet
  File "/usr/local/lib/python2.7/dist-packages/dpkt/ethernet.py", line 128, in <module>
    __load_types()
  File "/usr/local/lib/python2.7/dist-packages/dpkt/ethernet.py", line 122, in __load_types
    mod = __import__(modname, g)
  File "/usr/local/lib/python2.7/dist-packages/dpkt/ip6.py", line 95, in <module>
    import ip
  File "/usr/local/lib/python2.7/dist-packages/dpkt/ip.py", line 255, in <module>
    __load_protos()
  File "/usr/local/lib/python2.7/dist-packages/dpkt/ip.py", line 252, in __load_protos
    IP.set_proto(v, getattr(mod, name.upper()))
AttributeError: 'module' object has no attribute 'TTP'
What I did was to comment out the line which threw the error in
/usr/local/lib/python2.7/dist-packages/dpkt/ip.py
Open it up in your favourite editor and change it the following way:
# sudo nano /usr/local/lib/python2.7/dist-packages/dpkt/ip.py
and comment out line 187 so that it looks like this:
# IP_PROTO_TTP = 84 # TTP
Note: Due to this change you won't be able to analyze TTP packets within PCAPs (https://en.wikipedia.org/wiki/Time-Triggered_Protocol).
Fixing utils.py
This file seems to have a bug in line 394, so I changed the return value to "None". I'll have a look into it soon to get this fixed:
# sudo nano /usr/local/lib/python2.7/dist-packages/aayudh-0.1-py2.7.egg/aayudh/utils.py
The line was changed to:
return # pydeep.hash_buf(data)
FINISHED
You should now be able to test a binary file, so make yourself comfortable with the config file under
rudra.conf
In my case I commented out "inputfiles" so I can pass the input file dynamically to it with the following command:
# python r.py -f input_file.exe
Test your installation
Download a binary file and let Rudra create a report:
# wget https://7-zip.org/a/7z1805.exe
# python r.py -f 7z1805.exe
This should create a directory "reports" with a super fancy HTML report and a huge JSON report with tons of information about the PE file.
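The post makes three edits by hand in nano (requirements.txt, dpkt's ip.py and aayudh's utils.py). As an added example that is not part of the original post, the following POSIX shell functions apply the same three edits as checked, repeatable patches: the file path is passed as the argument, and each function returns 1 if the expected line is not there. The unpatched content of the utils.py line is an assumption inferred from the commented-out remainder the post shows.

```shell
#!/bin/sh
# Added example, not from the original post: the three edits the post makes
# by hand in nano, applied as repeatable patches. Each function takes the file
# path as its argument and returns 1 when the expected line is missing, so a
# different upstream version or an already-patched file is reported instead
# of being silently skipped.

# Replace the line matching $2 (a BRE) with $3 in file $1. Writing to a temp
# file and moving it keeps this portable between GNU and BSD sed.
replace_line() {
    grep -q "$2" "$1" || { echo "expected line not found in $1: $2" >&2; return 1; }
    sed "s|$2|$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# 1. requirements.txt: drop the pinned "yara=1.7.7" entry, since a newer
#    yara-python was already installed manually.
strip_yara_requirement() {
    grep -q '^yara=1\.7\.7$' "$1" || { echo "no yara=1.7.7 line in $1" >&2; return 1; }
    sed '/^yara=1\.7\.7$/d' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# 2. dpkt/ip.py: comment out the IP_PROTO_TTP constant so __load_protos()
#    no longer fails with "'module' object has no attribute 'TTP'".
comment_out_ttp() {
    replace_line "$1" '^IP_PROTO_TTP = 84' '# IP_PROTO_TTP = 84'
}

# 3. aayudh/utils.py: turn the pydeep call into a bare return (None), keeping
#    the original call as a comment. Assumption: the unpatched line reads
#    "return pydeep.hash_buf(data)"; the post only shows the patched result.
disable_pydeep_hash() {
    replace_line "$1" 'return pydeep\.hash_buf(data)' 'return  # pydeep.hash_buf(data)'
}
```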