Merge pull request #2415 from cccs-mog/patch-4

Update cloning.rst

analyzer/windows/modules/auxiliary/disguise.py

@@ -30,7 +30,6 @@
 from lib.common.rand import random_integer, random_string
 
 log = logging.getLogger(__name__)
-PERSISTENT_ROUTE_GATEWAY = "192.168.1.1"
 si = subprocess.STARTUPINFO()
 si.dwFlags |= subprocess.STARTF_USESHOWWINDOW
 
@@ -243,18 +242,18 @@ def randomizeUUID(self):
             # Replace the UUID with the new UUID
             SetValueEx(key, "MachineGuid", 0, REG_SZ, createdUUID)
 
-    def add_persistent_route(self):
+    def add_persistent_route(self, gateway: str):
         self.run_as_system(
-            ["C:\\Windows\\System32\\ROUTE.exe", "-p", "add", "0.0.0.0", "mask", "0.0.0.0", PERSISTENT_ROUTE_GATEWAY]
+            ["C:\\Windows\\System32\\ROUTE.exe", "-p", "add", "0.0.0.0", "mask", "0.0.0.0", gateway]
         )
         self.run_as_system(
-            ["C:\\Windows\\System32\\ROUTE.exe", "-p", "change", "0.0.0.0", "mask", "0.0.0.0", PERSISTENT_ROUTE_GATEWAY]
+            ["C:\\Windows\\System32\\ROUTE.exe", "-p", "change", "0.0.0.0", "mask", "0.0.0.0", gateway]
         )
 
     def start(self):
         if self.config.windows_static_route:
             log.info(f"Config for route is: {str(self.config.windows_static_route)}")
-            self.add_persistent_route()
+            self.add_persistent_route(self.config.windows_static_route_gateway)
         self.change_productid()
         self.set_office_mrus()
         self.ramnit()

conf/default/auxiliary.conf.default

@@ -22,6 +22,9 @@ browser = yes
 curtain = no
 digisig = yes
 disguise = yes
+# This is only useful in case you use KVM's dnsmasq. You need to set windows_static_route_gateway. Disguise must be enabled
+windows_static_route = no
+windows_static_route_gateway = 192.168.1.1
 evtx = no
 human_windows = yes
 human_linux = no
@@ -38,8 +41,6 @@ permissions = no
 pre_script = no
 during_script = no
 filecollector = yes
-# This is only useful in case you use KVM's dnsmasq. You need to change your range inside of analyzer/windows/modules/auxiliary/disguise.py. Disguise must be enabled
-windows_static_route = no
 tracee_linux = no
 sslkeylogfile = no
 # Requires setting up browser extension, check extra/browser_extension
@@ -80,6 +81,6 @@ enabled = no
 
 [Mitmdump]
 # Enable or disable the use of mitmdump (mitmproxy) to get dump.har [yes/no].
-# This module requires installed mitmproxy see install_mitmproxy 
+# This module requires installed mitmproxy see install_mitmproxy
 # (https://github.com/kevoreilly/CAPEv2/blob/master/installer/cape2.sh#L1320)
 enabled = no

docs/book/src/installation/guest/cloning.rst

@@ -14,3 +14,7 @@ There is a `Python command-line utility`_ available that can automate this proce
 The new virtual machine will also contain all of the settings of the original one,
 which is not good. Now you need to proceed by repeating the steps explained in
 :doc:`network`, :doc:`agent`, and :doc:`saving` for this new machine.
+
+One alternative to manually make the clones unique is to enable the disguise auxiliary module, windows_static_route and windows_static_route_gateway in conf/auxiliary.conf.
+The auxiliary option is applicable to dnsmasq user which can't set the default gateway there because of the usage of an isolated routing in kvm.
+One could run it once and snapshot to apply the modification or running the auxiliary module at every analysis.

tests/test_analysis_manager.py

@@ -353,6 +353,7 @@ def test_build_options(
             "upload_max_size": 100000000,
             "usage": False,
             "windows_static_route": False,
+            "windows_static_route_gateway": "192.168.1.1",
         }
 
     def test_build_options_pe(
@@ -414,6 +415,7 @@ def test_build_options_pe(
             "upload_max_size": 100000000,
             "usage": False,
             "windows_static_route": False,
+            "windows_static_route_gateway": "192.168.1.1",
         }
 
     def test_category_checks(