
Docker container for quickly analyzing Linux malware


Linux Malware Analysis Container

Follow @lauriewired

Description

Quickly build a lightweight Docker container to bundle tools for dynamic Linux malware analysis.

When dynamically analyzing malware, it is important to properly isolate the analysis environment from the host machine. To do this, you need to have a dedicated machine for your malware analysis. This container is designed to be run from within your malware analysis machine to bundle and pre-install common Reverse Engineering tools. It also provides an easy mechanism to quickly reset container state for samples requiring repetitive analysis.

Important! Only run this from within a secure malware analysis environment! Many Docker container escapes exist in the wild.

Example Use-Cases

  • Case 1: Resetting directories for ransomware analysis without having to fully revert the entire host upon each execution of the malware
  • Case 2: Bundling Reverse Engineering tools to share between malware analysis machines that might be lacking dependencies


Usage

Running

Simply run the bash script to build and start the Docker container. Pass any files you would like copied to the container as command line arguments:

linux_malware_analysis_container.sh MY_FILE_1 MY_FILE_2

This will build and start the Docker container and copy the target files into the container at /home/app. Once built, it opens an interactive shell where you can begin your analysis process. The container is based on Ubuntu, meaning that the interactive shell will accept standard Linux commands and be able to dynamically run ELF binaries. The following list contains suggested commands for common Reverse Engineering tasks. These tools come pre-installed in the container along with many more:

  • strace
  • strings
  • gdb
  • objdump
  • file

Removing

Once you have completed your analysis, enter exit as the command. This will automatically kill and remove the container.
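An added example, not the project's own linux_malware_analysis_container.sh, of the build, copy, analyze, remove loop described under Usage and of the cheap state reset in use-case 1. The image tag, container name, Dockerfile contents and the hardening flags (no network, no capabilities, no new privileges, PID limit) are assumptions; the project's real script may differ. Samples are baked into an image layer, so each `docker run` starts from pristine copies, and `--rm` makes `exit` kill and remove the container.

```shell
#!/bin/sh
# Added example, not the project's own linux_malware_analysis_container.sh.
# It reproduces the workflow the README describes (build, copy samples to
# /home/app, interactive shell, container removed on exit). The image tag,
# the Dockerfile contents and the hardening flags are assumptions.
set -eu

IMAGE_NAME="${IMAGE_NAME:-linux-malware-analysis}"    # assumed image tag
CONTAINER_NAME="${CONTAINER_NAME:-malware-analysis}"  # assumed container name

# Dockerfile that pre-installs the tools the README lists (strings and
# objdump ship in binutils) and bakes the staged samples into /home/app.
analysis_dockerfile() {
    cat <<'EOF'
FROM ubuntu:22.04
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        strace binutils gdb file \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /home/app
COPY samples/ /home/app/
CMD ["/bin/bash"]
EOF
}

# Copy the sample files named on the command line into the build context.
# Because the copies become an image layer, every `docker run` starts from
# pristine samples: this is the cheap state reset of use-case 1.
# Prints the number of files staged; fails on a missing file.
stage_files() {
    stage_dir="$1"; shift
    mkdir -p "$stage_dir"
    staged=0
    for sample in "$@"; do
        if [ ! -f "$sample" ]; then
            echo "not a regular file: $sample" >&2
            return 1
        fi
        cp -- "$sample" "$stage_dir/"
        staged=$((staged + 1))
    done
    echo "$staged"
}

# One flag per line. --rm gives the README's "exit kills and removes the
# container". The rest are assumed hardening, not from the project: no
# network, no capabilities, no privilege gain through setuid binaries, and
# a PID cap against fork bombs. strace/gdb on processes you launch inside
# the container still work without CAP_SYS_PTRACE; relax these flags only
# if the sample's behaviour genuinely requires it.
run_flags() {
    printf '%s\n' --rm -it --name "$CONTAINER_NAME" \
        --network none --cap-drop ALL \
        --security-opt no-new-privileges --pids-limit 256
}

# Build a fresh image around the samples and open the analysis shell.
run_analysis() {
    ctx=$(mktemp -d)
    analysis_dockerfile > "$ctx/Dockerfile"
    stage_files "$ctx/samples" "$@" >/dev/null
    docker build -t "$IMAGE_NAME" "$ctx"
    rm -rf "$ctx"
    # Flags carry no whitespace, so the unquoted expansion is intentional.
    docker run $(run_flags) "$IMAGE_NAME"
}

if [ "$#" -gt 0 ]; then
    run_analysis "$@"
else
    echo "usage: $0 SAMPLE_FILE..." >&2
fi
```

Invoke it as `sh analyze.sh MY_FILE_1 MY_FILE_2` from inside the dedicated analysis machine; rebuilding the image after a destructive run is what restores the directory state without reverting the host.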