Skip to content

Latest commit

 

History

History
90 lines (63 loc) · 4.59 KB

README.md

File metadata and controls

90 lines (63 loc) · 4.59 KB

onigiri

onigiri - remote malware triage script

Check my blog about the purpose.

Preparation

Install Python

  • You need both of Python x86 (for volatility) / x64 (for F-Response COM DLLs) if installed F-Response binaries are 64-bit
    • Set the x86 python path to g_x86_python_path or specify -p option

Install the following Python packages

Install Volatility Framework and openioc_scan

Download FTK Imager CLI version

Open TCP ports

  • examiner: tcp/5681
  • victim: tcp/3260-3261 (Consultant), tcp/445 (Consultant+Covert, Enterprise)

Configure F-Response

  • Set examinerIP/username/password for iSCSI authentication and enable PhysicalMemory/FlexdiskAPI
  • Save fresponse.ini on F-Response Consultant Connector (consultant and Consultant+Covert only)

Usage

  1. Run F-Response License Manager Monitor on the examiner machine then start it
  • Run R-Response agent program on the victim machine then start it using GUI tools (consultant and Consultant+Covert only)
  • Run this script and check the result
    • Type -h for help
      • Specify the folder path including fresponse.ini (consultant and Consultant+Covert only). fresponse.ini should be generated on Consultant Connector, not Enterprise Management Console
      • Specify credentials of domain admin or local built-in Administrator account (Enterprise only)

Trouble Shooting

COM Errors

If any errors about win32com, try following:

  • Check the COM DLL (e.g., FCCCTRLx64.dll, FEMCCTRLx64.dll) architecture. You need x64 python and win32com for x64 DLL.

  • Check the COM API CLSIDs in registry (e.g., search FCCCTRL or FEMCCTRL). If not found, register COM Dlls using regsvr32 command. You need x86 regsvr32 (under C:\Windows\SysWOW64) if your COM DLL is 32-bit version.

    regsvr32 "C:\Program Files\F-Response\FEMCCTRLx64.dll"

Memory Acquisition Failure of Win8.1 x64 machines

I checked physical memory acquisition through F-Response didn't work on some conditions:

  • The target OS is Win8.1 x64
  • The RAM size is big (e.g., 8GB or 16GB)

Specifically, process data structures (_EPROCESS) become null. I sent the report to F-Response and I'm waiting for the reply.

If you have DumpIt commercial version, you can use it combined with PsExec for secure memory acquisition (specify -a option and more).

Exception when getting "Targets"

Unless you start GUI application (Consultant Connector or Enterprise Management Console), you may encounter the following exception.

Traceback (most recent call last):
  File "onigiri.py", line 476, in <module>
    main()
  File "onigiri.py", line 463, in main
    fres.acquire(args.ram, file_cats, args.scan, args.alternative)
  File "onigiri.py", line 260, in acquire
    self.acquire_ram(computer, alternative)
  File "onigiri.py", line 53, in acquire_ram
    targets = victim.Targets
  File "C:\Python27_x64\lib\site-packages\win32com\client\dynamic.py", line 511, in __getattr__
    ret = self._oleobj_.Invoke(retEntry.dispid,0,invoke_type,1)
  pywintypes.com_error: (-2147352567, 'Exception occurred.', (0, u'FEMCCTRL.Machine.1', u'iSCSI failed with a non-standard error, please contact support and provide the HRESULT code indicated.', None, 0, -268500930), None)

Please run GUI app before using onigiri.

What's "Onigiri"?

Onigiri is a Japanese soul food, made with plain rice, wrapped in nori (seaweed), sometimes filled with pickled ume (umeboshi), kombu, tarako, or any other salty or sour ingredient as a natural preservative. Onigiri makes rice portable and easy to eat as well as preserving it. I named this tool after its convenience, inspired by Noriben.

License

GNU GPLv2