Skip to content

DyLaiT/Linux-qemu-GDB-container

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits

.gitignore

.gitignore

 
 

Architectures.png

Architectures.png

 
 

README.md

README.md

 
 

qemu_sandbox

qemu_sandbox

 
 

Repository files navigation

Linux qemu GDB container

using qemu with GDB server to dynamic analysis malware

Dynamically Analyze Virtual Machine Architectures

IDA pro: host only

GDB server: host only & NAT

image

Usage

1. Build docker image

docker build -t your_image_name - < qemu_sandbox

2. Up container.

Up container in host

  • make sure your network already used VPN before your start gdbserver.
docker run -it --net=host -v $PWD/output:/output/ -v your_malware_path:/sample/:Z --cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=SYS_PTRACE --security-opt seccomp=unconfined your_image_name

Start Tshark network traffic in container

tshark -w /output/pg.pcap -F pcap &

Using qemu start gdbserver in container

qemu-YOUR_FILE_CORE-static -g [GDBSERVER_PORT] [YOUR_SAMPLE_PATH] &
  • The core of your file can be confirmed using the machine field of readelf. 
    readelf -a malware_file

3. Switch to IDA PRO

  • Setting IDA remote options to malware file path in container.
  • Setting IDA remote options to this vm ip and you want listen port on gdbserver.

Reference

Build image of arm architecture on x86 machine https://zhuanlan.zhihu.com/p/106054643

About

using qemu to dynamic analysis malware

Topics

reverse-engineering malware qemu dynamic-analysis malware-analysis gdbserver

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

qemu-sandbox-ubuntu22.04 Latest
Jul 18, 2023

Packages

No packages published