DissectingMalwa.re Lab VMs

This repository contains my download/setup script for the Windows virtual machines I use for Malware Analysis and Software Reverse Engineering. If you are looking for a Linux VM you should check out Remnux or Tsurugi.

Features

  • The purpose of the script is to download tools, not install them. This leaves the choice of what and where to install it to the user.
  • No BoxStarter/Chocolatey trouble!
  • Separate Static Code Analysis and Dynamic Analysis VMs. YMMV but this is the approach I prefer!
  • Option to skip tools that are not licensed for professional use
  • Apply system modifications like: disable ASLR, fix Explorer file/folder views
  • Download hypervisor-hiding scripts that match your setup
  • Preload debugging symbols for offline use (more on this in the Installation section below)

The tool lists will be updated on a monthly basis!

Screenshots

Static Code Analysis VM

Dynamic Analysis VM

Requirements

  • A host machine capable of running both VMs at the same time would be optimal
  • 4-8GB+ of RAM and 64GB+ storage per VM
  • A hypervisor of your choice
  • Windows ISOs (Win 7 SP1, Win 8.1 or Win 10) and matching license keys

Installation

  1. Set up a fresh Windows VM with the hypervisor you trust or download a modern.ie VM (note that this script is meant to run on x64 VMs). I'm using Windows 7 Ultimate x64 for my VMs, but I also have a secondary debugging VM running Windows 10 Pro to stay up-to-date ;-)

A few tips for fresh Windows 7 installs:

  • You might need to install KB3138612 to be able to run Windows Update
  • Please install .NET 4.8 and afterwards WMF 5.1 before running the PowerShell script
  • If you want to do yourself a favour: install a proper browser right away. Browsing with the old IE is a pain and this install script will open a few Microsoft pages where you will have to click 'Download' :D

  2. I'd recommend creating a snapshot or exporting an .ova/.ovf file of the clean VM.

  3. Open a PowerShell prompt as an Administrator and run Set-ExecutionPolicy Unrestricted to allow PowerShell scripts to be run on the system without interference.

  4. Download/clone this repository and run vm_setup.ps1 with PowerShell (an elevated prompt is necessary for setting Registry keys).

Arguments: .\vm_setup.ps1 -argument

  • -nonCommercial $False - skip tools that don't allow commercial use in their licensing terms
  • -symbols $True - this is a post-installation step, so make sure to install the "Build Tools for Visual Studio" first. If you just need the most common symbols, let it run for a few minutes (< 5-10min) and cancel with Ctrl+C. Going through all the symbols for files present in System32 will take a long time and fill up your drive.

  5. Once the script has successfully exited you can close the PowerShell window and install the downloaded software. By default the files will be saved to a subdirectory called downloads in the same directory as the vm_setup.ps1 script you executed.

  6. Open a new command prompt (Run as Administrator!) and upgrade pip first with py.exe -m pip install --upgrade pip. Once that is done you can install the Python tools via py.exe -m pip install -r python-packages.txt

  7. Once again take a snapshot/backup of the state of the VM with all the tools installed.

FAQ

Why not FLARE-VM etc.?

As I mentioned above, I am not a big fan of the Boxstarter/Chocolatey install mechanism. Furthermore, I prefer to download the tools directly from the developer where possible and to choose e.g. the installation path myself. Lastly, I like to separate my Static Code Analysis VM from my Dynamic Analysis VM for a couple of reasons: less clutter, faster snapshot restore times, working in parallel, preventing license key theft and so on...

Nevertheless other VM setup scripts might work better for you, so choose whatever floats your boat and (mis)trust your tools!

Here are some great alternatives to my script:

Customization

Again, there might be one or two tools missing or superfluous for your workflow. Should this be the case you can simply add/remove them to/from the .json files after cloning the repository to your machine. Feel free to contribute useful tools (see below)!

The tool lists are JSON files whose entries have the following structure: {"name": "7Zip", "url": "https://www.7-zip.org/a/7z1900-x64.exe", "nonCommercial": true, "manual": false},

  • name = Name of the tool
  • url = Download URL
  • nonCommercial = Professional use allowed? Yes -> true, No -> false
  • manual = Requires manual download
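As an added example (not the repository's own vm_setup.ps1), the PowerShell snippet below reads a list in this structure, applies the -nonCommercial rule described in the Installation section, reports "manual" entries instead of fetching them, and records a SHA-256 of every file it downloads so the state of the downloads folder can be checked later. The file name tools.json, the fallback sample entries and the example.invalid URLs are constructed for this example.

```powershell
# Added example (not the repository's vm_setup.ps1): read a tool list in the
# README's JSON structure, apply the -nonCommercial filter, skip "manual"
# entries, and record a SHA-256 for each file fetched.
param(
    [string]$ToolList = ".\tools.json",   # assumed file name
    [bool]$NonCommercial = $true,         # same meaning as the vm_setup.ps1 argument
    [string]$OutDir = ".\downloads"
)

# Constructed sample entries, used when $ToolList does not exist.
$sampleJson = @'
[
  {"name": "7Zip", "url": "https://www.7-zip.org/a/7z1900-x64.exe", "nonCommercial": true, "manual": false},
  {"name": "ProOnlyTool", "url": "https://example.invalid/pro.zip", "nonCommercial": false, "manual": false},
  {"name": "ManualTool", "url": "https://example.invalid/manual", "nonCommercial": true, "manual": true}
]
'@

function Select-Tools {
    param([object[]]$Tools, [bool]$NonCommercial)
    # nonCommercial=false means professional use is not allowed. When the
    # operator passes -nonCommercial $False (a commercial setting), drop those.
    if ($NonCommercial) { return $Tools }
    return @($Tools | Where-Object { $_.nonCommercial -eq $true })
}

$tools = $sampleJson | ConvertFrom-Json
if (Test-Path $ToolList) { $tools = Get-Content $ToolList -Raw | ConvertFrom-Json }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
# Windows 7 + WMF 5.1 defaults to old TLS versions; most download sites need TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

foreach ($t in (Select-Tools -Tools $tools -NonCommercial $NonCommercial)) {
    if ($t.manual) {
        # The script only downloads; manual entries need a browser visit.
        Write-Host "[manual] $($t.name): open $($t.url) and download by hand"
        continue
    }
    # Derive the file name from the URL path; fall back to the tool name.
    $name = [System.IO.Path]::GetFileName(([uri]($t.url)).AbsolutePath)
    if (-not $name) { $name = "$($t.name).bin" }
    $file = Join-Path $OutDir $name
    try {
        Invoke-WebRequest -Uri $t.url -OutFile $file -UseBasicParsing
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        Write-Host "[ok] $($t.name) -> $file SHA256=$hash"
    } catch {
        Write-Warning "[fail] $($t.name): $($_.Exception.Message)"
    }
}
```

Running it with -NonCommercial $false drops ProOnlyTool before any request is made, and the unresolvable example.invalid host exercises the failure branch without touching the other downloads.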

Tips & Tricks

This section will be expanded should there be any issues while installing or running one of the tools.

  • BinaryNinja is not officially supported on Windows 7 and will produce a graphics driver error when run in VBox/VMware. You can fix this by disabling 3D acceleration. Here is the official documentation.

Tools and Licensing

In the section below you can find a list of all tools available for download via the script.

Warning: Please check the Licenses/Terms and Conditions of the tools before you download any of them! It is the responsibility of the user to read, accept and comply with the terms set by the respective developers.

There are a few commercial tools that do have Trial/Demo versions, but I chose not to include them in this download script. I'll install Microsoft Office, Cerbero Suite, Binary Ninja, VB-Decompiler Pro etc. manually.

Static Code Analysis

Tool License
010editor Link
7Zip Link
Amazon Corretto JDK11 Link
apktool Link
AutoIT Extractor Link
Autopsy Link
BiffView Link
Bindiff Link
Cryptotester n/a (Copyright Demonslay335)
Cutter Link
de4dot-cex Link
DependencyWalker Link
Detect it easy Link
dnspyEx Link
dotPeek Link
Everything Link
exiftool Link
fileinsight Link
fileinsight-plugins Link
FLARE capa Link
FLARE FLOSS Link
Ghidra Link
Git for Windows Link
Golang Link
Hashcalc Link
IDA Free Link
IDR Link
ILSpy Link
ImHex Link
innoextract Link
IrfanView Link
IrfanView Plugins Link
jadx Link
jd-gui Link
lifer Link
LINQPad Link
Manalyze Link
NASM Link
oledump.py Link
PDFStreamDumper Link
PEBear Link
PEid Link
PEStudio Link
PortEx Analyzer Link
ProcDot Link
ProcessHacker Link
protectionID Link
PyInstaller Extractor Link
Python3 Link
qpdf Link
Recaf Link
Reflexil Link
Relyze Desktop Link
ResourceHacker Link
retdec Link
SSView Link
UniExtract2 Link
UPX Link
VBdec Link
Volatility Link
WinSCP Link
xorsearch Link
Yara Link

Dynamic Analysis

Tool License
010editor Link
7Zip Link
API-Monitor Link
CheatEngine Link
DbgChild Link
ErrorLookup Link
Everything Link
Fake Sandbox Artifacts Link
FileTest Link
HxD Link
LordPE Link
NetworkMiner Link
NoVMP Link
ODbgScriptv2 Link
OllyDbg Link
OllyDumpEx Link
OllySubScript Link
PEBear Link
PESieve Link
ProcessHacker Link
PSDecode Link
Python3 Link
Registry Explorer Link
Regshot Link
scdbg Link
Telerik Fiddler Classic Link
ThreadTear Link
VBoxCloak Link
VMwareCloak Link
WinSCP Link
Wireshark Link
x64dbg Link
xAnalyzer Link

Python Tools

Tool License
hexdump Link
malduck Link
msoffcrypto-tool Link
olefile Link
oletools Link
pefile Link
pycryptodome Link
requests Link
uncompyle6 Link
XLMMacroDeobfuscator Link
xortool Link
yara-python Link

Microsoft Utilities

Tool License
Build Tools for Visual Studio 2019 Link
Sysinternals Link
Visual C++ Redistributable 2013 Link
Visual C++ Redistributable 2015,2017,2019 Link
Visual Studio Code Link
Windows 10 SDK Link

Contributing

If you have any suggestions for awesome tools that are missing on these lists and that everyone would profit from or you spot an error somewhere: feel free to open an Issue or send a Pull Request. Same goes for outdated links to packages! Thank you :)

A few guidelines:

  • Directly link to the original download site provided by the developer whenever possible
  • Remember to insert the tool and license link into the Readme
  • Please stick to the static/dynamic compartmentalization
  • Please make sure that Python Tools run on Python3 and are (somewhat) actively maintained
  • Be excellent to each other in Issues/PRs