REQUIREMENTS
------------

PyBox requires:

- Windows XP
- Python 2.7

If malware samples are analyzed, it is recommended that PyBox be run in a virtual machine. PyBox analyzes a sample by executing it and observing it at run-time, so the analysis host is infected by every run. A virtual machine can be set back to a clean, uninfected state after each analysis run.

INSTALLATION
------------

1. Run the PyBox installer:

   The installer "PyBox-Setup.exe" copies all files required to run PyBox into a folder chosen by the user. The default installation folder is "C:\Program Files\PyBox". The installer checks whether Python 2.7 is installed; if it is not, the installer launches the installation of Python 2.7.2.

2. Configure hooks:

   Which behavior is observed, i.e. which API function calls are intercepted, is determined by the configuration file "hooks.cfg". To install the hook for an API function, set its "Intercept" value to 1. If the API function is supposed to return a customized value, additionally set "PreventReturn" to 1 and specify the value via "ReturnValue".

3. Configure PyBox:

   General settings are specified in the file "pybox.cfg":

   - "EXE_TARGET": path to the target executable
   - "LIB_PBMONITOR": path to the hook library
   - "CFG_HOOKS": path to the hooks configuration file from step 2
   - "LOG_FOLDER": output folder; the final reports are stored here after each analysis run

   All of these must be given as full (absolute) paths to the respective files or folders.

RUNNING PYBOX
-------------

PyBox is run from the command line, with the "pybox.cfg" configuration file passed as the argument. Example:

C:\> python PyBox.py "C:\Program Files\PyBox\pybox.cfg"

UNINSTALL PYBOX
---------------

The PyBox installation folder contains an uninstaller. To remove PyBox, run the file "unins000.exe" from that folder.
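A pre-flight check for steps 2 and 3 of the installation, as an added example that is not part of PyBox and not taken from its code: it verifies that every path in "pybox.cfg" is a full path pointing at something that exists (the README requires full paths, and a relative one silently depends on the directory python.exe was started from) and that every hook in "hooks.cfg" that sets "PreventReturn" to 1 also carries a "ReturnValue" and is actually intercepted. The file layout is an assumption: both files are taken to be INI-style files readable by ConfigParser, "pybox.cfg" is assumed to keep its keys in a [PyBox] section, and "hooks.cfg" is assumed to have one section per API function. The sample configuration it writes is constructed for this example. It runs on Python 2.7 (the version PyBox targets) as well as Python 3.

```python
"""Pre-flight check for pybox.cfg and hooks.cfg (added example, not PyBox code).

Assumed, not confirmed by the README: INI syntax, a [PyBox] section in
pybox.cfg, and one section per hooked API function in hooks.cfg."""
import os
import tempfile

try:
    import configparser                   # Python 3
except ImportError:
    import ConfigParser as configparser   # Python 2.7, which PyBox targets

PYBOX_SECTION = "PyBox"                   # assumed section name
# Keys named in the README, and whether each must name a file or a folder.
PYBOX_PATH_KEYS = {"EXE_TARGET": "file", "LIB_PBMONITOR": "file",
                   "CFG_HOOKS": "file", "LOG_FOLDER": "dir"}


def _load(path):
    cfg = configparser.RawConfigParser()  # no %-interpolation on paths
    if not cfg.read(path):
        raise IOError("cannot read %s" % path)
    return cfg


def check_pybox_cfg(path):
    """Return the problems found in pybox.cfg (an empty list means OK)."""
    cfg = _load(path)
    if not cfg.has_section(PYBOX_SECTION):
        return ["missing [%s] section" % PYBOX_SECTION]
    problems = []
    for key, kind in sorted(PYBOX_PATH_KEYS.items()):
        if not cfg.has_option(PYBOX_SECTION, key):
            problems.append("%s is not set" % key)
            continue
        value = cfg.get(PYBOX_SECTION, key).strip()
        # The README requires full paths; a relative path would be resolved
        # against whatever working directory PyBox.py was started from.
        if not os.path.isabs(value):
            problems.append("%s must be a full path, got %r" % (key, value))
        elif kind == "file" and not os.path.isfile(value):
            problems.append("%s does not exist: %s" % (key, value))
        elif kind == "dir" and not os.path.isdir(value):
            problems.append("%s is not an existing folder: %s" % (key, value))
    return problems


def check_hooks_cfg(path):
    """Return the problems found in hooks.cfg; one section per API function."""
    cfg = _load(path)
    problems = []
    for api in cfg.sections():
        def flag(name):  # a missing flag counts as 0
            return cfg.get(api, name).strip() if cfg.has_option(api, name) else "0"
        intercept, prevent = flag("Intercept"), flag("PreventReturn")
        for name, value in (("Intercept", intercept), ("PreventReturn", prevent)):
            if value not in ("0", "1"):
                problems.append("%s: %s must be 0 or 1, got %r" % (api, name, value))
        if prevent == "1":
            if not cfg.has_option(api, "ReturnValue"):
                problems.append("%s: PreventReturn=1 but no ReturnValue given" % api)
            if intercept != "1":
                problems.append("%s: PreventReturn=1 has no effect without Intercept=1" % api)
    return problems


def build_sample_configs(folder, broken=False):
    """Write a constructed pybox.cfg/hooks.cfg pair into `folder`; return their paths.

    With broken=True, LOG_FOLDER becomes a relative path and one hook asks
    for a custom return value without saying which (and is not intercepted)."""
    exe = os.path.join(folder, "sample.exe")       # constructed dummy target
    lib = os.path.join(folder, "PbMonitor.dll")    # constructed dummy hook library
    hooks = os.path.join(folder, "hooks.cfg")
    log_dir = os.path.join(folder, "logs")
    for dummy in (exe, lib):
        open(dummy, "wb").close()
    os.mkdir(log_dir)
    hook_lines = ["[CreateFileW]", "Intercept = 1", "",
                  "[IsDebuggerPresent]", "Intercept = 1",
                  "PreventReturn = 1", "ReturnValue = 0"]
    if broken:
        hook_lines += ["", "[ExitProcess]", "Intercept = 0", "PreventReturn = 1"]
    with open(hooks, "w") as f:
        f.write("\n".join(hook_lines) + "\n")
    pybox = os.path.join(folder, "pybox.cfg")
    with open(pybox, "w") as f:
        f.write("[%s]\nEXE_TARGET = %s\nLIB_PBMONITOR = %s\nCFG_HOOKS = %s\nLOG_FOLDER = %s\n"
                % (PYBOX_SECTION, exe, lib, hooks, "logs" if broken else log_dir))
    return pybox, hooks


def run_self_check():
    """Build both sample variants in temp folders and check them."""
    results = {}
    for label, broken in (("valid", False), ("broken", True)):
        pybox, hooks = build_sample_configs(tempfile.mkdtemp(prefix="pybox-cfg-"), broken)
        results[label] = (check_pybox_cfg(pybox), check_hooks_cfg(hooks))
    return results


if __name__ == "__main__":
    for label, (cfg_problems, hook_problems) in sorted(run_self_check().items()):
        print("%s: %s" % (label, (cfg_problems + hook_problems) or ["OK"]))
```

To use it against a real installation, call check_pybox_cfg() and check_hooks_cfg() on the files named in step 3 before launching PyBox.py; if the real files use a different section layout than assumed above, adjust PYBOX_SECTION and the per-function sections accordingly. The "valid" sample passes both checks; the "broken" sample reports the relative LOG_FOLDER and the ExitProcess hook that sets PreventReturn without a ReturnValue or an Intercept.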