onigiri - remote malware triage script
Check my blog about the purpose.
Install Python
- You need both Python x86 (for Volatility) and Python x64 (for the F-Response COM DLLs) if the installed F-Response binaries are 64-bit
- Set the x86 Python path in g_x86_python_path or specify the -p option
Install the following Python packages
Install Volatility Framework and openioc_scan
Volatility Installation
- Set the vol.py and plugins paths in g_vol_path and g_vol_plugins_path, or specify the -o and -l options
- openioc_scan
Download FTK Imager CLI version
FTK Imager CLI version
- Set the path in g_ftk_path or specify the -t option
Open TCP ports
- examiner: tcp/5681
- victim: tcp/3260-3261 (Consultant), tcp/445 (Consultant+Covert, Enterprise)
Configure F-Response
- Set the examiner IP/username/password for iSCSI authentication and enable PhysicalMemory/FlexdiskAPI
- Save fresponse.ini from F-Response Consultant Connector (Consultant and Consultant+Covert only)
- Run F-Response License Manager Monitor on the examiner machine, then start it
- Run the F-Response agent program on the victim machine, then start it using the GUI tools (Consultant and Consultant+Covert only)
- Run this script and check the result
- Type -h for help
- Specify the folder path containing fresponse.ini (Consultant and Consultant+Covert only). fresponse.ini should be generated by Consultant Connector, not by the Enterprise Management Console
- Specify the credentials of a domain admin or the local built-in Administrator account (Enterprise only)
Trouble Shooting
COM Errors
If you get any errors about win32com, try the following:
- Check the architecture of the COM DLL (e.g., FCCCTRLx64.dll, FEMCCTRLx64.dll). You need x64 Python and win32com for an x64 DLL.
- Check the COM API CLSIDs in the registry (e.g., search for FCCCTRL or FEMCCTRL). If they are not found, register the COM DLLs with the regsvr32 command. You need the x86 regsvr32 (under C:\Windows\SysWOW64) if your COM DLL is the 32-bit version.
regsvr32 "C:\Program Files\F-Response\FEMCCTRLx64.dll"
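The first check above (DLL bitness versus Python bitness) is easy to get wrong by eye, because the file name suffix is only a convention. The following script is an added example, not part of onigiri or of F-Response: it reads the Machine field of a DLL's PE/COFF header and compares it with the bitness of the interpreter that is running it. The DLL path on the command line and the `_fake_pe` stub used for self-testing are assumptions/constructed data; the only real values are the IMAGE_FILE_MACHINE constants from the PE specification.

```python
import struct
import sys

# IMAGE_FILE_MACHINE values from the PE/COFF specification
MACHINE_I386 = 0x014C
MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {MACHINE_I386: "x86", MACHINE_AMD64: "x64"}


def pe_machine(data):
    """Return the architecture ('x86' or 'x64') encoded in a PE file's COFF header.

    Raises ValueError for data that is not a PE image or has an unknown machine type.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    # e_lfanew at offset 0x3C points at the 'PE\0\0' signature
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # The COFF file header follows the signature; Machine is its first 2-byte field
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    if machine not in MACHINE_NAMES:
        raise ValueError("unknown machine type 0x%04x" % machine)
    return MACHINE_NAMES[machine]


def python_arch():
    """Architecture of the running interpreter, in the same x86/x64 vocabulary."""
    return "x64" if sys.maxsize > 2 ** 32 else "x86"


def dll_matches_python(data, interpreter_arch=None):
    """True when an in-process COM DLL with this header can be loaded by this Python."""
    arch = interpreter_arch or python_arch()
    return pe_machine(data) == arch


def check_dll(path, interpreter_arch=None):
    """Read a DLL from disk and report (dll_arch, matches_interpreter)."""
    with open(path, "rb") as fh:
        data = fh.read(4096)  # the headers we need sit in the first few KB
    return pe_machine(data), dll_matches_python(data, interpreter_arch)


def _fake_pe(machine):
    """Construct a minimal PE header stub (constructed test data, not a real DLL)."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)     # e_lfanew -> right after the DOS header
    header += b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18  # 20-byte COFF header
    return bytes(header)


if __name__ == "__main__":
    # Example path (assumption): r"C:\Program Files\F-Response\FEMCCTRLx64.dll"
    for path in sys.argv[1:]:
        arch, ok = check_dll(path)
        print("%s: %s DLL, %s %s Python" % (
            path, arch, "matches" if ok else "does NOT match", python_arch()))
```

Run it with each Python you have installed (x86 and x64); the DLL must match the interpreter that will call it through win32com, which for onigiri is the x64 one when the F-Response binaries are 64-bit.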
Memory Acquisition Failure of Win8.1 x64 machines
I found that physical memory acquisition through F-Response didn't work under some conditions:
- The target OS is Win8.1 x64
- The RAM size is large (e.g., 8GB or 16GB)
Specifically, process data structures (_EPROCESS) become null. I sent the report to F-Response and I'm waiting for the reply.
If you have the commercial version of DumpIt, you can use it in combination with PsExec for secure memory acquisition (specify the -a option and others).
Exception when getting "Targets"
Unless you start the GUI application (Consultant Connector or Enterprise Management Console), you may encounter the following exception.
Traceback (most recent call last):
File "onigiri.py", line 476, in <module>
File "onigiri.py", line 463, in main
fres.acquire(args.ram, file_cats, args.scan, args.alternative)
File "onigiri.py", line 260, in acquire
self.acquire_ram(computer, alternative)
File "onigiri.py", line 53, in acquire_ram
targets = victim.Targets
File "C:\Python27_x64\lib\site-packages\win32com\client\dynamic.py", line 511, in __getattr__
ret = self._oleobj_.Invoke(retEntry.dispid,0,invoke_type,1)
pywintypes.com_error: (-2147352567, 'Exception occurred.', (0, u'FEMCCTRL.Machine.1', u'iSCSI failed with a non-standard error, please contact support and provide the HRESULT code indicated.', None, 0, -268500930), None)
Please run the GUI app before using onigiri.
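The error text above asks you to report "the HRESULT code indicated", but pywintypes.com_error exposes the codes as signed Python integers (-2147352567 and -268500930), which is not the form support teams expect. The following is an added example, not part of onigiri: it unpacks the com_error argument tuple in the shape shown in the traceback, renders both codes as unsigned hex, and wraps the `victim.Targets` access so the generic COM failure becomes a message pointing at the GUI prerequisite. The `FakeVictim` class and `PAGE_ARGS` reproduce the traceback's values so the code runs without F-Response installed; on Windows the real exception type is `pywintypes.com_error`, which is caught here by duck typing on its four-element `args`.

```python
from collections import namedtuple

ComErrorInfo = namedtuple("ComErrorInfo", "hresult source description scode")


def to_hresult(value):
    """Render a signed 32-bit COM status code as the unsigned hex form used in bug reports."""
    return "0x%08X" % (value & 0xFFFFFFFF)


def explain_com_error(args):
    """Decode the args tuple of a pywintypes.com_error: (hresult, text, excepinfo, argerr)."""
    hresult, _text, excepinfo, _argerr = args
    source = description = scode_hex = None
    if excepinfo:
        # EXCEPINFO layout: (wCode, source, description, helpFile, helpContext, scode)
        _wcode, source, description, _helpfile, _helpctx, scode = excepinfo
        scode_hex = to_hresult(scode) if scode is not None else None
    return ComErrorInfo(to_hresult(hresult), source, description, scode_hex)


def targets_or_message(victim):
    """Return (targets, None) on success, or (None, actionable message) on a COM failure."""
    try:
        return victim.Targets, None
    except Exception as exc:  # pywintypes.com_error on Windows; shape-checked below
        if len(exc.args) != 4:
            raise
        info = explain_com_error(exc.args)
        message = (
            "F-Response COM call failed: HRESULT %s, scode %s from %s: %s "
            "Start the F-Response GUI (Consultant Connector or Enterprise Management "
            "Console) before running onigiri, and quote the scode if contacting support."
            % (info.hresult, info.scode, info.source, info.description))
        return None, message


# Constructed reproduction of the traceback's exception arguments (values from the README)
PAGE_ARGS = (
    -2147352567,
    "Exception occurred.",
    (0, "FEMCCTRL.Machine.1",
     "iSCSI failed with a non-standard error, please contact support and provide "
     "the HRESULT code indicated.",
     None, 0, -268500930),
    None,
)


class FakeVictim(object):
    """Stand-in for the F-Response COM machine object (constructed for this example)."""

    @property
    def Targets(self):
        raise Exception(*PAGE_ARGS)


if __name__ == "__main__":
    targets, message = targets_or_message(FakeVictim())
    print(message if targets is None else targets)
```

The outer code (-2147352567) is DISP_E_EXCEPTION, 0x80020009, which only says "the COM server raised an exception"; the useful value is the scode inside EXCEPINFO, which for the traceback above renders as 0xEFFF003E.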
What's "Onigiri"?
Onigiri is a Japanese soul food, made with plain rice, wrapped in nori (seaweed), sometimes filled with pickled ume (umeboshi), kombu, tarako, or any other salty or sour ingredient as a natural preservative. Onigiri makes rice portable and easy to eat as well as preserving it. I named this tool after its convenience, inspired by Noriben.