“VMCloak is a tool for automatically creating, cloning, and cloaking Virtual Machines to be used for Cuckoo Sandbox”
JBremer’s vmcloak introductory post is here: http://jbremer.org/vmcloak3/
You can install the latest vmcloak via pip “pip install vmcloak”
Or checkout via git here: https://github.com/jbremer/vmcloak
If you’ve spent any time with Cuckoo, getting VMs spun up can be time consuming. If you build them one at a time, you could easily be customizing VMs full time. With VMCloak, we can create one image and create unlimited VMs each with unique IPs and names. It’s helped me stay sane.
Think of vmcloak as a disk image manager. This helped me understand the different parts of the system. There are several CLI tools that together allow you to manage a disk image and all the VMs built from it. Some of the VMCloak terminology can be confusing if you’ve spent time with Virtualbox commands. I’ll summarize commands and provide examples that will help flatten the learning curve.
Vmcloak-init creates the disk image. There are a number of commands that help customize the inital install.
usage: vmcloak-init [-h] [–winxp] [–win7] [–x64] [–win7x64] [–vm VM]
[–iso-mount ISO_MOUNT] [–serial-key SERIAL_KEY]
[–ip IP] [–port PORT] [–adapter ADAPTER]
[–netmask NETMASK] [–gateway GATEWAY] [–dns DNS]
[–cpus CPUS] [–tempdir TEMPDIR]
[–resolution RESOLUTION] [–vm-visible] [-d] [-v]
vmcloak-init –winxp –iso-mount /mnt/winxp –serial-key SERIALKEY –netmask 255.255.255.0 –gateway 192.168.56.1 –dns 192.168.56.1 –resolution 1024×768 –cpus 2 example_image
You can set an IP or not, a later step will set the IP for the created VM. Setting multiple CPUs can help evade malware anti-vm checks. Once the command completes, you can install software that has
Vmcloak-modify allows modification of the disk image. If executed with –vm-visible, once can edit settings, install and configure software that has modules configured. You can build your own modules, but there are several that com pre-packages that streamline the process. LookingGlass sponsored work that automates the installation of Office2007. The command below installs Acrobat, WIC, Pillow, dotnet4.0 and java7. These can be stacked like below, or installed with separate commands.
vmcloak-install test adobe9 wic pillow dotnet40 java7
The Office 2007 command below only installs office. It’s possible to add –vm-visible if there is an issue during the install for troubleshooting. It’s very handy.
vmcloak-install example_image office2007 office2007.isopath=/mnt/office2007.iso office2007.serialkey=SERIALKEY
I like to automate repetitive tasks, so a couple of the installers remove popups and disable things like System Restore. The command below executes those as well as installing chrome and firefox. If you’re so inclined, committing dependencies you custom built back to the vmcloak repo is always welcome.
vmcloak-install test removetooltips windows_cleanup chrome firefox_41
Now that out disk image is created and our apps installed, we still have some manual work to do. We can open the image and set homepages, open apps for the first time and make our VM look like it has users.
vmcloak-modify –vm-visible example_image
Once our image is ready, shut it down and proceed to the VM creation step.
Vmcloak-snapshot creates clones from the disk image and saves a snapshot as vmcloak. Once this step is done, the disk image is immutable. This method allows for one big disk image and multiple vms that use that image and only store changes. The main benefit is less disk space used. A side benefit is that creating VMs is faster, because the install is only performed once. When mass producing VMs, this is a HUGE timesaver. If you have a Cuckoo farm, you want to minimize the time spent configuring VMs. The command below creates a single VM with some hardware and network configuration.
vmcloak-snapshot example_image example_image_80 192.168.56.80 –resolution 1024×768 –cpus 2 –ramsize 2048
Once you have this process down manually, it’s trivial to script it for automation. We’ve taken the process of creating hundreds of VMs from days to hours. Not only is the amount of time needed to create VMs reduced, but with scripting, we can kick off a build and walk away. Using tags, we can customize our VMs and tag them to create a variety of VMs with different apps, languages and operating systems.