• Stars
    star
    1,028
  • Rank 44,809 (Top 0.9 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created over 8 years ago
  • Updated over 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Builds malware analysis Windows VMs so that you don't have to.

Malboxes

Requirements

Minimum specs for the build machine

  • At least 5 GB of RAM

  • VT-X extensions strongly recommended

Fedora

dnf install ruby-devel gcc-c++ zlib-devel
vagrant plugin install winrm winrm-fs

Debian

apt install vagrant git python3-pip

Ubuntu

apt install git python3-pip

ArchLinux

pacman -Sy vagrant packer python-pip git

Installation

Linux/Unix

  • Install git and packer using your distribution’s packaging tool (packer is sometimes called packer-io)

  • Install vagrant from their website : https://www.vagrantup.com/downloads.html (Installing from some distributions' packaging tools have caused issues).

  • pip install malboxes:

    sudo pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes

Windows

Note
Starting with Windows 10 Hyper-V is always running below the operating system. Since VT-X needs to be operated exclusively by only one Hypervisor this causes VirtualBox (and malboxes) to fail. To disable Hyper-V and allow VirtualBox to run, issue the following command in an administrative command prompt then reboot: bcdedit /set hypervisorlaunchtype off

Using Chocolatey

The following steps assume that you have Chocolatey installed. Otherwise, follow the manual installation procedure.

  • Install dependencies:

    choco install python vagrant packer git virtualbox
  • Refresh the console

    refreshenv
  • Install malboxes:

    pip3 install setuptools
    pip3 install -U git+https://github.com/GoSecure/malboxes.git#egg=malboxes

Manually

  • Install VirtualBox, Vagrant and git

  • Install Packer, drop the packer binary in a folder in your user’s PATH like C:\Windows\System32\

  • Install Python 3 (make sure to add Python to your environment variables)

  • Open a console (Windows-Key + cmd)

    pip3 install setuptools
    pip3 install -U git+https://github.com/GoSecure/malboxes.git#egg=malboxes

To deploy on AWS (optional)

Run this command after normal installation:

vagrant plugin install vagrant-aws
Note
The AWS feature has only been tested on Linux for the moment and EC2 does not support 32-bit desktop version of Windows 10.

Usage

Box creation

This creates your base box that is imported in Vagrant. Afterwards you can re-use the same box several times per sample analysis.

Run:

malboxes build <template>

You can also list all supported templates with:

malboxes list

This will build a Vagrant box ready for malware investigation you can now include it in a Vagrantfile afterwards.

For example:

malboxes build win10_x64_analyst

The configuration section contains further information about what can be configured with malboxes.

Per analysis instances

malboxes spin win10_x64_analyst <name>

This will create a Vagrantfile prepared to use for malware analysis. Move it into a directory of your choice and issue:

vagrant up

By default the local directory will be shared in the VM on the Desktop. This can be changed by commenting the relevant part of the Vagrantfile.

For example:

malboxes spin win7_x86_analyst 20160519.cryptolocker.xyz

To deploy on AWS (optional)

Malboxes can upload and interact with a VM on the Amazon Web serivces. To do so, follow these steps:

  1. Malboxes will need a S3 bucket on AWS to upload the VM before converting it to an AMI (Amazon Machine Image). If you don’t have one, create one now.

  2. Your instance also requires a security group with at least a rule allowing inbound connections for WinRM (Type: WinRM-HTTP, Protocol: TCP, Port Range: 5985, Source: host’s public IP).

  3. Next, you need a vmimport service role configured. Follow the section named VM Import Service Role of this guide. These steps must be performed with an account that has iam:CreateRole and iam:PutRolePolicy permissions.

  4. If the default config is used, change the hypervisor to aws and fill the mandatory options related. Otherwise, be sure to add all the options about AWS to your custom config.

  5. Finally, you can follow the same steps described in the Box creation and the Per analysis instances sections to launch your instance!

Note
The AMI import can take a very long time (about an hour), however you can verify the status of the task by doing this. At the moment, only one AMI can be build per template.

AMI import status

Install awscli using pip:

pip install awscli

Configure awscli with:

aws configure

Then run:

aws ec2 describe-import-image-tasks

RDP

To connect to an instance on the cloud using RDP, run this command at the same location of your Vagrantfile:

vagrant rdp -- /cert-ignore

For this to work, the instance will require a security group allowing RDP inbound connections (Type: RDP, Protocol: TCP, Port Range: 3389, Source: host’s public IP).

Note
You can safely ignore the following error because rsync is not yet implemented: No host IP was given to the Vagrant core NFS helper. This is an internal error that should be reported as a bug.

Stopping an Instance

To stop an instance on the cloud, run this command at the same location of your Vagrantfile:

vagrant halt

Configuration

Malboxes' configuration is located in a directory that follows usual operating system conventions:

  • Linux/Unix: ~/.config/malboxes/

  • Mac OS X: ~/Library/Application Support/malboxes/

  • Win 7+: C:\Users\<username>\AppData\Local\malboxes\malboxes\

The file is named config.js and is copied from an example file on first run. The example configuration is documented.

ESXi / vSphere support

Malboxes uses virtualbox as a back-end by default but since version 0.3.0 support for ESXi / vSphere has been added. Notes about the steps required for ESXi / vSphere support are available. Since everyone’s setup is a little bit different do not hesitate to open an issue if you encounter a problem or improve our documentation via a pull request.

Profiles

We are exploring with the concept of profiles which are stored separately than the configuration and can be used to create files, alter the registry or install additional packages. See profile-example.js for an example configuration. This new capacity is experimental and subject to change as we experiment with it.

AWS security groups

Currently, Malboxes does not support the automatic creation of the security groups, so you’ll have to use the AWS console to create yours. However, using the library Boto3 there should be a way to implement this.

More information

Videos

Introduction video

0

Presentations

malboxes was presented at NorthSec 2016 in a talk titled Applying DevOps Principles for Better Malware Analysis given by Olivier Bilodeau and Hugo Genesse

License

Code is licensed under the GPLv3+, see LICENSE for details. Documentation and presentation material is licensed under the Creative Commons Attribution-ShareAlike 4.0, see docs/LICENSE for details.

Credits

After I had the idea for an improved malware analyst workflow based on what I’ve been using for development on Linux servers (Vagrant) I quickly Googled if someone was already doing something in that regard.

I found the packer-malware repo on github by Mark Andrew Dwyer. Malboxes was boostrapped thanks to his work which helped me especially around the areas of Autounattend.xml files.

More Repositories

1

pyrdp

RDP monster-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact
Python
1,483
star
2

dtd-finder

List DTDs and generate XXE payloads using those local DTDs.
Kotlin
601
star
3

WSuspicious

WSuspicious - A tool to abuse insecure WSUS connections for privilege escalations
C#
338
star
4

php7-opcache-override

Security-related PHP7 OPcache abuse tools and demo
Python
306
star
5

pywsus

Standalone implementation of a part of the WSUS spec. Built for offensive security purposes.
Python
286
star
6

csp-auditor

Burp and ZAP plugin to analyse Content-Security-Policy headers or generate template CSP configuration from crawling a Website
Java
135
star
7

DLLPasswordFilterImplant

DLL Password Filter Implant with Exfiltration Capabilities
C
133
star
8

template-injection-workshop

Workshop on Template Injection (6 exercises) covering Twig, Jinja2, Tornado, Velocity and Freemaker engines.
CSS
118
star
9

xxe-workshop

Workshop given at Hack in Paris 2019
JavaScript
118
star
10

ldap-scanner

Checks for signature requirements over LDAP
Python
92
star
11

frida-xamarin-unpin

A Frida script to bypass Xamarin certificate pinning implementations
C#
65
star
12

advanced-binary-analysis

Materials for the Binary Analysis Workshop presented at NorthSec 2020
HTML
63
star
13

break-fast-serial

A proof of concept that demonstrates asynchronous scanning for Java deserialization bugs
Python
54
star
14

security-cheat-sheet

Minimalist cheat sheet for developpers to write secure code
HTML
54
star
15

xfsc

eXtensions for Financial Services (XFS) proof of concept client to explore and issue commands directly to the devices that support the protocol. Force ATMs to dispense cash if you have code execution on them.
C
53
star
16

gophish-cli

Gophish Python cli to perform huge phishing campaigns
Python
40
star
17

linkedin-osint

A simple proof of concept that demonstrate how emails can easily be tie to LinkedIn profile
Python
36
star
18

presentations

Material from presentations done by GoSecure researchers
HTML
32
star
19

burp-ntlm-challenge-decoder

Burp extension to decode NTLM SSP headers and extract domain/host information
Kotlin
32
star
20

request-smuggling-workshop

Python
22
star
21

Cisco2Checkpoint

Tool that assists in migrating firewall rules from Cisco to Checkpoint. Will optimize rules for you (rationalization, reuse merging, etc.).
Python
21
star
22

unicode-pentester-cheatsheet

An easy to navigate list of unicode characters that have risky transformations 💥
HTML
20
star
23

zap-autodecode-view

ZAP plugin demonstrating custom view for WebSocket messages.
Kotlin
13
star
24

goinsecure-deserialization

Accompanying material needed for the workshop
Java
11
star
25

LansweeperPasswordRecovery

Lansweeper Password Recovery Tool
C#
11
star
26

malware-ioc

Indicators of Compromise (IOCs) for malware we have researched
YARA
10
star
27

44con-code-review-workshop

References, tools and sample payloads
10
star
28

hackfest-deserialization-workshop

8
star
29

jenkins-fsb

Jenkins instance with preconfigured jobs to analyze Java binaries using Find Security Bugs.
Shell
6
star
30

orange-code-widget

🍊 Widget for Orange to visualize code sample
Python
6
star
31

request-smuggling-nsec-demo

PHP
5
star
32

burp-fuzzy-encoding-generator

Quickly test various encoding for a given value in Burp Intruder
Kotlin
5
star
33

malware_investigation_template

Because .idb files should be version controlled.
Shell
4
star
34

fq-pyrdp

fq format for parsing PyRDP replays
Go
4
star
35

owasp-workshop-zap

Atelier pratique sur le développement d'extension ZAP / Workshop on ZAP extension development
HTML
4
star
36

caplets

Fork of caplets with RDP proxy caplet
JavaScript
3
star
37

confoo-xss-bypass-demos

Demonstration for the presentation Modern XSS
3
star
38

java-hostname-verification-poc

Java
2
star
39

missing-security-controls

HTML
1
star
40

notebooks

Cybersecurity Research Jupyter Notebooks for the Community
Jupyter Notebook
1
star
41

gosecure.github.io

HTML
1
star