DissectingMalwa.re Lab VMs
This repository contains my download/setup script for the Windows virtual machines I use for Malware Analysis and Software Reverse Engineering. If you are looking for a Linux VM you should check out Remnux or Tsurugi.
Table of Contents
- Features
- Screenshots
- Requirements
- Installation
- FAQ
- Customization
- Tips & Tricks
- Tools and Licensing
- Contributing
Features
- The purpose of the script is to download tools, not install them. This leaves the choice of what and where to install it to the user.
- No BoxStarter/Chocolatey trouble!
- Separate Static Code Analysis and Dynamic Analysis VMs. YMMV but this is the approach I prefer!
- Option to skip tools that are not licensed for professional use
- Apply system modifications like: disable ASLR, fix Explorer file/folder views
- Download hypervisor-hiding scripts that match your setup
- Preload debugging symbols for offline use (more on this in the Installation section below)
The tool lists will be updated on a monthly basis!
Screenshots
Static Code Analysis VM
Dynamic Analysis VM
Requirements
- A host machine capable of running both VMs at the same time would be optimal
- 4-8GB+ of RAM and 64GB+ storage per VM
- A hypervisor of your choice
- Windows ISOs (Win 7 SP1, Win 8.1 or Win 10) and matching license keys
Installation
1. Set up a fresh Windows VM with the hypervisor you trust or download a modern.ie VM (note that this script is meant to run on x64 VMs). I'm using Windows 7 Ultimate x64 for my VMs, but I also have a secondary debugging VM running Windows 10 Pro to stay up-to-date ;-)

   A few tips for fresh Windows 7 installs:
   - You might need to install KB3138612 to be able to run Windows Update
   - Please install .NET 4.8 and afterwards WMF 5.1 before running the PowerShell script
   - If you want to do yourself a favour: install a proper browser right away. Browsing with the old IE is a pain and this install script will open a few Microsoft pages where you will have to click 'Download' :D
2. I'd recommend creating a snapshot or exporting an .ova/.ovf file of the clean VM.
3. Open a PowerShell prompt as an Administrator and run `Set-ExecutionPolicy Unrestricted` to allow PowerShell scripts to be run on the system without interference.
4. Download/clone this repository and run `vm_setup.ps1` with PowerShell (an elevated prompt is necessary for setting registry keys).

   Arguments: `.\vm_setup.ps1 -argument`
   - `-nonCommercial $False` - skip tools that don't allow commercial use in their licensing terms
   - `-symbols $True` - this is a post-installation step, make sure to install the "Build Tools for Visual Studio" first. If you just need the most common symbols let it run for a few minutes (< 5-10min) and cancel with Ctrl+C. Going through all the symbols for files present in System32 will take a long time and fill up your drive.
5. Once the script has exited successfully you can close the PowerShell window and install the downloaded software. By default the files will be saved to a subdirectory called `downloads` in the same directory as the `vm_setup.ps1` script you executed.
6. Open a new command prompt (Run as Administrator!) and try to upgrade pip first: `py.exe -m pip install --upgrade pip`. Once that is done you can install the Python tools via `py.exe -m pip install -r python-packages.txt`
7. Once again take a snapshot/backup of the state of the VM with all the tools installed.
FAQ
Why not FLARE-VM etc.?
As I mentioned above, I am not a big fan of the Boxstarter/Chocolatey install mechanism. Furthermore I prefer to download the tools directly from the developer if possible and choose e.g. the installation path myself. Lastly I like to separate my Static Code Analysis VM from my Dynamic Analysis VM for a couple of reasons: less clutter, faster snapshot restore times, parallel working, to prevent license key theft and so on...
Nevertheless other VM setup scripts might work better for you, so choose whatever floats your boat and (mis)trust your tools!
Here are some great alternatives to my script:
Customization
Again, there might be one or two tools missing or superfluous for your workflow. Should this be the case you can simply add them to or remove them from the .json files after cloning the repository to your machine. Feel free to contribute useful tools (see below)!
The tool lists are JSON files with the following structure:

```json
{"name": "7Zip", "url": "https://www.7-zip.org/a/7z1900-x64.exe", "nonCommercial": true, "manual": false},
```

- `name` = Name of the tool
- `url` = Download URL
- `nonCommercial` = Professional use allowed? Yes -> true, No -> false
- `manual` = Requires manual download
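As an added illustration (this is example code, not the repository's own `vm_setup.ps1`), the following PowerShell script reads a tool list in the structure above, applies the `-nonCommercial` filter with the semantics described in the Installation section, skips entries flagged `manual`, downloads the remaining tools into a `downloads` subdirectory next to the script and records a SHA256 manifest of what was fetched. The file name `tools.json`, the `-DryRun` switch and the manifest file name are assumptions made for this example.

```powershell
# Example script (not the project's vm_setup.ps1): fetch tools listed in a JSON
# file of the structure shown above into .\downloads and record their hashes.
# Assumed names: tools.json, -DryRun, manifest.sha256.
[CmdletBinding()]
param(
    [string]$ToolList = (Join-Path $PSScriptRoot 'tools.json'),
    # Mirrors the README's -nonCommercial switch: $False skips tools whose
    # "nonCommercial" field is false (professional use not allowed).
    [bool]$nonCommercial = $True,
    # List what would be fetched without touching the network.
    [switch]$DryRun
)

$downloadDir = Join-Path $PSScriptRoot 'downloads'
$manifest    = Join-Path $downloadDir 'manifest.sha256'
New-Item -ItemType Directory -Path $downloadDir -Force | Out-Null

# PowerShell 5.1 on Windows 7 negotiates TLS 1.0 by default; most download
# hosts only accept TLS 1.2 nowadays.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$tools = Get-Content -Raw -Path $ToolList | ConvertFrom-Json

foreach ($tool in $tools) {
    # "manual": true entries sit behind login pages or EULA clicks and cannot be
    # fetched unattended; print the URL so the user can grab them by hand.
    if ($tool.manual) {
        Write-Host ("[manual] {0,-25} {1}" -f $tool.name, $tool.url) -ForegroundColor Yellow
        continue
    }
    if (-not $nonCommercial -and -not $tool.nonCommercial) {
        Write-Host ("[skip]   {0,-25} not licensed for professional use" -f $tool.name) -ForegroundColor DarkGray
        continue
    }
    try {
        $uri = [Uri]$tool.url
    } catch {
        Write-Warning ("{0}: invalid URL '{1}'" -f $tool.name, $tool.url)
        continue
    }
    # A plain-http URL in the list is a mistake worth surfacing rather than
    # silently fetching an installer over an unauthenticated channel.
    if ($uri.Scheme -ne 'https') {
        Write-Warning ("{0}: refusing non-HTTPS URL {1}" -f $tool.name, $tool.url)
        continue
    }
    # Derive the file name from the URL path, falling back to the tool name.
    $fileName = [IO.Path]::GetFileName($uri.AbsolutePath)
    if ([string]::IsNullOrWhiteSpace($fileName)) { $fileName = $tool.name }
    $dest = Join-Path $downloadDir $fileName

    if ($DryRun) {
        Write-Host ("[dry]    {0,-25} -> {1}" -f $tool.name, $dest)
        continue
    }
    try {
        # -UseBasicParsing avoids the Internet Explorer dependency of the
        # default HTML parser, which matters on a freshly installed Windows 7.
        Invoke-WebRequest -Uri $uri -OutFile $dest -UseBasicParsing -ErrorAction Stop
        $hash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
        ("{0}  {1}" -f $hash, $fileName) | Add-Content -Path $manifest
        Write-Host ("[ok]     {0,-25} {1}..." -f $tool.name, $hash.Substring(0, 16))
    } catch {
        Write-Warning ("{0}: download failed: {1}" -f $tool.name, $_.Exception.Message)
    }
}
```

Save it as a `.ps1` file next to `tools.json` and run it from an elevated PowerShell prompt; `-DryRun` prints the planned downloads without fetching anything. The manifest only records what was downloaded on this run so that a later download of the same list can be compared against it; it does not replace checking the vendor's own signatures or published hashes.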
Tips & Tricks
This section will be expanded should there be any issues while installing or running one of the tools.
- BinaryNinja is not officially supported on Windows 7 and will produce a graphics driver error when run in VBox/VMware. You can fix this by disabling 3D acceleration. Here is the official Documentation.
Tools and Licensing
In the collapsible section below you can find a list of all tools available to download via the script.
Warning: Please check the Licenses/Terms and Conditions of the tools before you download any of them! It is the responsibility of the user to read, accept and comply with the terms set by the respective developers.
There are a few commercial tools that do have Trial/Demo versions, but I chose not to include them in this download script. I'll install Microsoft Office, Cerbero Suite, Binary Ninja, VB-Decompiler Pro etc. manually.
Static Code Analysis
Tool | License |
---|---|
010editor | Link |
7Zip | Link |
Amazon Corretto JDK11 | Link |
apktool | Link |
AutoIT Extractor | Link |
Autopsy | Link |
BiffView | Link |
Bindiff | Link |
Cryptotester | n/a (Copyright Demonslay335) |
Cutter | Link |
de4dot-cex | Link |
DependencyWalker | Link |
Detect it easy | Link |
dnspyEx | Link |
dotPeek | Link |
Everything | Link |
exiftool | Link |
fileinsight | Link |
fileinsight-plugins | Link |
FLARE capa | Link |
FLARE FLOSS | Link |
Ghidra | Link |
Git for Windows | Link |
Golang | Link |
Hashcalc | Link |
IDA Free | Link |
IDR | Link |
ILSpy | Link |
ImHex | Link |
innoextract | Link |
IrfanView | Link |
IrfanView Plugins | Link |
jadx | Link |
jd-gui | Link |
lifer | Link |
LINQPad | Link |
Manalyze | Link |
NASM | Link |
oledump.py | Link |
PDFStreamDumper | Link |
PEBear | Link |
PEid | Link |
PEStudio | Link |
PortEx Analyzer | Link |
ProcDot | Link |
ProcessHacker | Link |
protectionID | Link |
PyInstaller Extractor | Link |
Python3 | Link |
qpdf | Link |
Recaf | Link |
Reflexil | Link |
Relyze Desktop | Link |
ResourceHacker | Link |
retdec | Link |
SSView | Link |
UniExtract2 | Link |
UPX | Link |
VBdec | Link |
Volatility | Link |
WinSCP | Link |
xorsearch | Link |
Yara | Link |
Dynamic Analysis
Tool | License |
---|---|
010editor | Link |
7Zip | Link |
API-Monitor | Link |
CheatEngine | Link |
DbgChild | Link |
ErrorLookup | Link |
Everything | Link |
Fake Sandbox Artifacts | Link |
FileTest | Link |
HxD | Link |
LordPE | Link |
NetworkMiner | Link |
NoVMP | Link |
ODbgScriptv2 | Link |
OllyDbg | Link |
OllyDumpEx | Link |
OllySubScript | Link |
PEBear | Link |
PESieve | Link |
ProcessHacker | Link |
PSDecode | Link |
Python3 | Link |
Registry Explorer | Link |
Regshot | Link |
scdbg | Link |
Telerik Fiddler Classic | Link |
ThreadTear | Link |
VBoxCloak | Link |
VMwareCloak | Link |
WinSCP | Link |
Wireshark | Link |
x64dbg | Link |
xAnalyzer | Link |
Python Tools
Tool | License |
---|---|
hexdump | Link |
malduck | Link |
msoffcrypto-tool | Link |
olefile | Link |
oletools | Link |
pefile | Link |
pycryptodome | Link |
requests | Link |
uncompyle6 | Link |
XLMMacroDeobfuscator | Link |
xortool | Link |
yara-python | Link |
Microsoft Utilities
Tool | License |
---|---|
Build Tools for Visual Studio 2019 | Link |
Sysinternals | Link |
Visual C++ Redistributable 2013 | Link |
Visual C++ Redistributable 2015,2017,2019 | Link |
Visual Studio Code | Link |
Windows 10 SDK | Link |
Contributing
If you have any suggestions for awesome tools that are missing on these lists and that everyone would profit from or you spot an error somewhere: feel free to open an Issue or send a Pull Request. Same goes for outdated links to packages! Thank you :)
A few guidelines:
- Directly link to the original download site provided by the developer whenever possible
- Remember to insert the tool and license link into the Readme
- Please stick to the static/dynamic compartmentalization
- Please make sure that Python Tools run on Python3 and are (somewhat) actively maintained
- Be excellent to each other in Issues/PRs