Name | Modified | Size | Downloads / Week |
---|---|---|---|
zerowine.patch | 2010-12-02 | 117.0 kB | |
README | 2010-12-02 | 2.6 kB | |
zerowine-image-2.0.0.tar.bz2 | 2010-12-02 | 153.3 MB | |
zerowine-image-2.0.0.tar.bz2.md5 | 2010-12-02 | 63 Bytes | |
zerowine-src-2.0.0.tgz | 2010-12-02 | 420.3 kB | |
Totals: 5 Items | 153.8 MB | 3 |
ZeroWine Server 2.0
===================

New features
============

* Patched version of Wine (based on 1.2) to get better reports than before.
* XMLRPC listener and sample client.

What file should I download?
============================

If you don't want to hack the code of ZeroWine you should download the file
zerowine-image-2.0.0.tar.bz2. If you're more interested in Wine's patches and
the source code of the whole environment you should download the file named
zerowine-src-2.0.0.tgz.

Basic introduction
==================

To use this version of ZeroWine you need to:

1) Run the image found in the "srv" directory using the supplied script with
   QEmu/KVM or with your preferred virtual machine (VBox, VMWare, etc.).
2) Connect via XMLRPC using the scripts found in the "cli" directory.

Usage example
=============

Run the virtual machine using the supplied script:

  $ cd $ZEROWINE_PATH
  $ cd srv
  $ ./start_img.sh &

When the VM has started up, execute the following command:

  $ cd $ZEROWINE_PATH
  $ cd cli
  $ ./xmlrpc_client.py http://localhost:8000/ <your malware sample> <output directory>

After a while a behaviour report, a TGZ with every file created or modified,
and the memory dumps of the running processes will be found in this directory.

If you want to test the availability of a node or a list of nodes, edit the
file servers.conf adding the corresponding nodes and execute the command:

  $ ./xmlrpc_tester.py

The file servers.conf is also used by xmlrpc_client.py to randomly select a
node to connect to. The command to run would be the following:

  $ ./xmlrpc_client.py auto <your malware sample> <output directory>

Example batch usage
===================

Suppose you have 3 nodes (node1, node2 and node3) and a directory with a lot
of malware samples (/samples, for this example). To analyze all of them,
simply run the following commands:

  $ mkdir samples_output
  $ cat servers.conf
  http://node1:8000/
  http://node2:8000/
  http://node3:8000/
  $ ./xmlrpc_tester.py
  [Thu Dec 2 13:08:54 2010] Status of server http://node1:8000/ is [ALIVE]
  [Thu Dec 2 13:08:54 2010] Status of server http://node2:8000/ is [ALIVE]
  [Thu Dec 2 13:08:54 2010] Status of server http://node3:8000/ is [ALIVE]
  $ nohup find /samples -type f -exec ./xmlrpc_client.py auto {} samples_output ';' &

And the automation starts. You can check the file nohup.out to see the
progress. You may also use "parallel" instead of "find" to run, for example,
the analysis of 3 samples at the same time instead of one.

License
=======

Licensed under the GNU General Public License Version 2.

Contact
=======

Joxean Koret <admin [AT] joxeankoret [DOT] com>
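The README describes two pieces of client-side behaviour without showing their logic: xmlrpc_tester.py reporting each node in servers.conf as alive or dead, and `xmlrpc_client.py auto` picking a random node from that same file. The script below is an added example written for this page, not one of ZeroWine's own cli/ scripts. It assumes the ZeroWine XML-RPC method names are unknown, so it probes liveness with the standard introspection call system.listMethods (an assumption; swap in a real ZeroWine method once known), it treats '#' lines in servers.conf as comments (also an assumption), and all function names are the example's own. The sample servers.conf text is constructed inline.

```python
"""Added example, not ZeroWine's own code: check the nodes listed in a
servers.conf-style file and pick a random live one, in the spirit of
xmlrpc_tester.py and `xmlrpc_client.py auto`."""

import random
import socket
import time
import xmlrpc.client

# Constructed sample of a servers.conf (comment handling is an assumption).
SAMPLE_CONF = """# constructed servers.conf for the example
http://node1:8000/
http://node2:8000/

http://node3:8000/
"""


def parse_servers_conf(text):
    """Return the node URLs in `text`, skipping blank and '#' lines."""
    nodes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nodes.append(line)
    return nodes


def default_probe(url, timeout=5.0):
    """Return True if `url` answers an XML-RPC call within `timeout` seconds.

    system.listMethods is standard XML-RPC introspection (assumption: the
    ZeroWine listener may not implement it). A Fault still proves the server
    is up and speaking XML-RPC, so it counts as alive; connection errors,
    timeouts and non-XML-RPC replies count as dead."""
    old = socket.getdefaulttimeout()
    socket.setdefaulttimeout(timeout)
    try:
        xmlrpc.client.ServerProxy(url).system.listMethods()
    except xmlrpc.client.Fault:
        pass  # answered with a Fault: alive, just no introspection
    except (OSError, xmlrpc.client.Error):
        return False
    finally:
        socket.setdefaulttimeout(old)
    return True


def check_nodes(nodes, probe=default_probe):
    """Map each node URL to 'ALIVE' or 'DEAD' using `probe` (injectable)."""
    return {url: ("ALIVE" if probe(url) else "DEAD") for url in nodes}


def format_status(status, now=None):
    """Render one line per node in the shape of xmlrpc_tester.py's output."""
    stamp = time.asctime(time.localtime(now))
    return [f"[{stamp}] Status of server {url} is [{state}]"
            for url, state in status.items()]


def pick_node(status, rng=random):
    """Pick a random ALIVE node, as `xmlrpc_client.py auto` must do.

    Returns None when nothing is alive so the caller fails loudly instead of
    submitting a sample to a dead node."""
    alive = [url for url, state in status.items() if state == "ALIVE"]
    if not alive:
        return None
    return rng.choice(alive)


def main(conf_path="servers.conf"):
    with open(conf_path) as fh:
        nodes = parse_servers_conf(fh.read())
    status = check_nodes(nodes)
    for line in format_status(status):
        print(line)
    print("selected node:", pick_node(status))


if __name__ == "__main__":
    main()
```

Because `check_nodes` takes the probe as a parameter, the selection logic can be exercised without any node running; in production the same code runs against the real listeners with the default probe, and a None result from `pick_node` is the signal that the whole pool is down.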