
Managing and Exploring Malware Samples with Viper

To take full advantage of the latest features of Viper, update the version of the tool included with REMnux using the instructions below. Some of the features available in the updated version of Viper are:

The introduction of projects

Additional processing and reporting modules

Multiple fixes (see Github history for more info)

Make sure you're running the latest version of Viper (see update instructions below), then run it using the "viper.py" command.

Getting to Know Viper

Viper presents its user with an interactive shell. Type "help" in Viper's shell to see a listing of the available commands:

[Screenshot: http://blogs.sans.org/computer-forensics/files/2014/06/viper-shell.png]

You will also see a listing of the more interesting commands that Viper calls "modules":

[Screenshot: http://blogs.sans.org/computer-forensics/files/2014/06/viper-modules.png]

You can download a sample and directly add it to your repository using the "open" command:

[Screenshot: http://blogs.sans.org/computer-forensics/files/2014/06/viper-open1.png]

You can quickly tag a sample for easier reference in the future using the "tags" command:

[Screenshot: http://blogs.sans.org/computer-forensics/files/2014/06/viper-tags1.png]

You can examine the current PE sample for shellcode characteristics using the "shellcode" module:

[Screenshot: http://blogs.sans.org/computer-forensics/files/2014/06/viper-shellcode.png]

You can analyze a binary Microsoft Office document for OLE details using the "office" module:

[Screenshot: http://blogs.sans.org/computer-forensics/files/2014/06/viper-office.png]

You can locate scripts within an HTML sample using the "html" module:

[Screenshot: http://blogs.sans.org/computer-forensics/files/2014/06/viper-html.png]

You can look up the current sample's hash on VirusTotal using the "virustotal" module:

[Screenshot: http://blogs.sans.org/computer-forensics/files/2014/06/viper-virustotal.png]

You can also look up the sample on Malwr.com using the "reports malwr" command:

[Screenshot: http://blogs.sans.org/computer-forensics/files/2014/06/viper-malwr1.png]

It's worth noting the API that Viper makes available to its users. At the moment the API is pretty basic; you can perform the following:

Query for a hash

Upload a file

List current tags within the repo

Download a given file

To activate Viper's API engine, go to the directory where it's installed (on REMnux that's /usr/local/viper) and run "python api.py" as the root user:

[Screenshot: http://blogs.sans.org/computer-forensics/files/2014/06/viper-api1.png]

install bottle".
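The hash lookup listed above is the API call an analyst uses most, so here is a small client for it. This is an added example, not code from the Viper project or from this post. It assumes what the api.py of that time did (check your copy): the Bottle server binds 127.0.0.1:8080, a lookup is a POST to /file/find carrying a form field named md5 or sha256, and the reply is a JSON list of file records with name, hashes and tags. The canned reply used by offline_demo() is constructed so the flow can be exercised without a running Viper instance.

```python
"""Minimal client for Viper's Bottle-based API (api.py).

Assumptions (not taken from the post; verify against your api.py):
  * the server listens on http://127.0.0.1:8080
  * POST /file/find with form field md5= or sha256= looks a hash up
  * the reply is a JSON list of records, each with name, hashes, tags
"""
import hashlib
import io
import json
import urllib.parse
import urllib.request

API_BASE = "http://127.0.0.1:8080"   # assumed default of api.py's run()


def sha256_of_bytes(data):
    """Hex SHA-256 of a sample's bytes; Viper stores files under this hash."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Hash a file on disk in 1 MiB chunks so large samples stay off the heap."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_request(file_hash, base=API_BASE):
    """Build the POST /file/find request (endpoint and field names assumed).

    The field is chosen from the digest length: 32 hex chars -> md5,
    64 hex chars -> sha256. Anything else is rejected before it hits the wire."""
    field = {32: "md5", 64: "sha256"}.get(len(file_hash))
    if field is None or any(c not in "0123456789abcdefABCDEF" for c in file_hash):
        raise ValueError("expected an md5 or sha256 hex digest")
    body = urllib.parse.urlencode({field: file_hash.lower()}).encode()
    return urllib.request.Request(base + "/file/find", data=body, method="POST")


def parse_find_response(raw):
    """Turn the JSON reply into a list of records; an error object yields []."""
    text = raw.decode("utf-8") if isinstance(raw, bytes) else raw
    reply = json.loads(text)
    if isinstance(reply, dict):
        # assumed: api.py answers "not found"/errors with a single object
        return []
    return [r for r in reply if isinstance(r, dict)]


def query_hash(file_hash, base=API_BASE, opener=urllib.request.urlopen):
    """Look a hash up in the repository and return the matching records.

    `opener` is injectable so the client can be exercised without a server."""
    with opener(find_request(file_hash, base)) as resp:
        return parse_find_response(resp.read())


def is_known(file_hash, tag=None, **kw):
    """True if the hash is in the repo; with `tag`, only if a match carries it."""
    matches = query_hash(file_hash, **kw)
    if tag is None:
        return bool(matches)
    return any(tag in m.get("tags", []) for m in matches)


def offline_demo():
    """Drive the client against a constructed reply (no Viper instance needed)."""
    sample = b"abc"                      # constructed stand-in for a sample's bytes
    h = sha256_of_bytes(sample)
    canned = json.dumps([{"name": "sample.bin", "sha256": h,
                          "tags": ["dropper", "campaign-x"]}]).encode()
    fake_open = lambda req: io.BytesIO(canned)   # BytesIO behaves like urlopen's response
    return {
        "hash": h,
        "matches": query_hash(h, opener=fake_open),
        "known": is_known(h, opener=fake_open),
        "tagged": is_known(h, tag="dropper", opener=fake_open),
        "not_tagged": is_known(h, tag="ransomware", opener=fake_open),
    }


if __name__ == "__main__":
    print(json.dumps(offline_demo(), indent=2))
```

Against a live instance, replace the fake opener with the default (`query_hash(sha256_of_file("sample.bin"))`). Because api.py runs as root and has no authentication of its own, keep it bound to localhost or front it with something that does.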

Updating Viper on REMnux

Remove the current set of Viper files and download the latest version using the following steps:

Modify Viper's configuration in the /usr/local/viper/modules/pe.py file to point it to the packer signatures database. To do this, run "scite /usr/local/viper/modules/pe.py".

Then change from:

[Screenshot: http://blogs.sans.org/computer-forensics/files/2014/06/UserDB-before1.png]

To:

[Screenshot: http://blogs.sans.org/computer-forensics/files/2014/06/UserDB-after.png]

Also, modify Viper's configuration in the /usr/local/viper/modules/yarascan.py file to point to the location of the Yara signatures. To do this, run "scite /usr/local/viper/modules/yarascan.py" and change "data/yara/index.yara" to "/usr/local/viper/data/yara/index.yara":

[Screenshot: http://blogs.sans.org/computer-forensics/files/2014/06/index.yara-after1.png]
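Both edits fix the same defect: the modules name their signature files relative to the current directory, and the instructions below have you run viper.py from the remnux user's home directory, where no data/ tree exists, so the scan silently finds no rules. The checker below is an added example (not part of Viper) that reports every quoted "data/..." literal in a module's source together with the absolute path it should become, and can apply the rewrite. The sample module text is constructed; /usr/local/viper is the install location the post gives for REMnux.

```python
"""Find and fix relative 'data/...' paths in Viper module sources.

Not part of Viper; written for this walkthrough. The post's manual edits to
pe.py and yarascan.py replace a cwd-relative path with one under the
install directory, which is what rewrite_data_refs() does mechanically.
"""
import re
from pathlib import PurePosixPath

INSTALL_DIR = "/usr/local/viper"        # Viper's location on REMnux per the post

# a single- or double-quoted string literal that starts with data/
_REL_DATA = re.compile(r"""(['"])(data/[^'"]+)\1""")


def _is_comment(line):
    return line.lstrip().startswith("#")


def relative_data_refs(source, install_dir=INSTALL_DIR):
    """Return (line_no, relative_path, absolute_path) for each quoted data/ literal."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        if _is_comment(line):
            continue                     # a comment cannot break a scan
        for m in _REL_DATA.finditer(line):
            rel = m.group(2)
            findings.append((n, rel, str(PurePosixPath(install_dir) / rel)))
    return findings


def rewrite_data_refs(source, install_dir=INSTALL_DIR):
    """Return the source with each quoted data/ literal made absolute."""
    def fix(m):
        quote, rel = m.group(1), m.group(2)
        return quote + str(PurePosixPath(install_dir) / rel) + quote

    out = []
    for line in source.splitlines(keepends=True):
        out.append(line if _is_comment(line) else _REL_DATA.sub(fix, line))
    return "".join(out)


# Constructed stand-in for a module that still carries the relative path.
SAMPLE_MODULE = """\
import yara
# rules are expected under data/yara by default
rules = yara.compile('data/yara/index.yara')
"""


if __name__ == "__main__":
    for n, rel, absolute in relative_data_refs(SAMPLE_MODULE):
        print(f"line {n}: {rel!r} -> {absolute!r}")
    print(rewrite_data_refs(SAMPLE_MODULE))
```

To check the real modules, read /usr/local/viper/modules/pe.py and yarascan.py into relative_data_refs() and confirm it returns nothing after your scite edits; then verify the reported absolute paths actually exist on disk, since a wrong absolute path fails just as quietly as a relative one.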

Next, install the new dependency used by the OLE plugin by running the following command:

If you haven't already installed Bottle, as indicated above, do so by running "pip install bottle".

Lastly, create the directory where Viper will store its projects data by running:

After this, exit the root shell ("exit") and run Viper ("viper.py") as a non-root user. You should run Viper from a directory to which the "remnux" user has write access, such as this user's home directory.

Viper is a promising tool for managing and exploring malware samples in your collection. Based on the projects that Viper's developers have created previously (most

this tool has a bright future as part of a malware analyst's toolkit.