MalwareLab_VM Setup

This repository contains my download/setup script for the Windows virtual machines I use for Malware Analysis and Software Reverse Engineering. If you are looking for a Linux VM you should check out Remnux or Tsurugi.

• Features
• Screenshots
• Requirements
• Installation
• FAQ
• Customization
• Tips & Tricks
• Tools and Licensing
• Contributing

• The purpose of the script is to download tools, not install them. This leaves the choice of what and where to install it to the user.
• No BoxStarter/Chocolatey trouble!
• Separate Static Code Analysis and Dynamic Analysis VMs. YMMV but this is the approach I prefer!
• Option to skip tools that are not licensed for professional use
• Apply system modifications like: disable ASLR, fix Explorer file/folder views
• Download hypervisor-hiding scripts that match your setup
• Preload debugging symbols for offline use (more on this in the Installation section below)

The tool lists will be updated on a monthly basis!

• A host machine capable of running both VMs at the same time would be optimal
• 4-8GB+ of RAM and 64GB+ storage per VM
• A hypervisor of your choice
• Windows ISOs (Win 7 SP1, Win 8.1 or Win 10) and matching license keys

1. Setup a fresh Windows VM with the Hypervisor you trust or download a modern.ie VM (note that this script is meant to run on x64 VMs). I'm using Windows 7 Ultimate x64 for my VMs, but I also have a secondary debugging VM running Windows 10 Pro to stay up-to-date ;-)

A few tips for fresh Windows 7 Installs:

• You might need to install KB3138612 to be able to run Windows Update
• Please install .NET 4.8 and afterwards WMF 5.1 before running the Powershell script
• If you want to do yourself a favour: Install a proper Browser right away. Browsing with the old IE is a pain and this install script will open a few Microsoft pages where you will have to click 'Download' :D

2. I'd recommend to create a snapshot or export an .ova/.ovf file of the clean VM.

3. Open a Powershell prompt as an Administrator and run Set-ExecutionPolicy Unrestricted to allow for Powershell scripts to be run on the system without interference.

4. Download/clone this repository and run vm_setup.ps1 with PowerShell (an elevated prompt is necessary for setting Registry Keys)

Arguments: .vm_setup.ps1 -argument

• -nonCommercial $False - skip tools that don't allow commercial use in their licensing terms
• -symbols $True - this is a post-installation step, make sure to install the "Build Tools for Visual Studio" first. If you just need the most common symbols let it run for a few minutes (< 5-10min) and cancel with Ctrl+C. Going through all the symbols for files present in System32 will take a long time and fill up your drive.

5. Once the script successfully exited you can close the Powershell window and install the downloaded software. By default the files will be saved to a subdirectory called downloads in the same directory as the vm_setup.ps1 script you executed.

6. Open a new command prompt (Run as Administrator!) and try to upgrade pip first py.exe -m pip install --upgrade pip. Once that is done you can install the Python tools via py.exe -m pip install -r python-packages.txt

7. Once again take a snapshot/backup of the state of the VM with all the tools installed.

As I mentioned below I am not a big fan of the Boxstarter/Chocolatey install mechanism. Furthermore I prefer to download the tools directly from the developer if possible and choose the e.g. installation path myself. Lastly I like to separate my Static Code Analysis VM from my Dynamic Analysis VM for a couple of reasons: less clutter, faster snapshot restore times, parallel working, to prevent license key theft and so on...

Nevertheless other VM setup scripts might work better for you, so choose whatever floats your boat and (mis)trust your tools!

Here are some great alternatives to my script:

• Fireeye FLARE-VM
• SentinelLabs RevCore Tools

Again, there might be one or two tools missing or superfluous for your workflow. Should this be the case you can simply add/remove them to/from the .json files after cloning the repository to your machine. Feel free to contribute useful tools (see below)!

The tool lists are json files with the following structure: {"name": "7Zip", "url": "https://www.7-zip.org/a/7z1900-x64.exe", "nonCommercial": true, "manual": false},

• name = Name of the tool
• url = Download URL
• nonCommercial = Professional use allowed? Yes -> true, No -> false
• manual = Requires manual download

This section will be expanded should there be any Issues while installing or running one of the tools.

In the collapsible section below you can find a list of all tools available to download via the script.

Warning: Please check the Licenses/Terms and Conditions of the tools before you download any of them! It is the responsiblilty of the user to read, accept and comply with the terms set by the respective developers.

There are a few commercial tools that do have Trial/Demo versions, but I chose not to include them in this download script. I'll install Microsoft Office, Cerbero Suite, Binary Ninja, VB-Decompiler Pro etc. manually.

If you have any suggestions for awesome tools that are missing on these lists and that everyone would profit from or you spot an error somewhere: feel free to open an Issue or send a Pull Request. Same goes for outdated links to packages! Thank you :)

• Directly link to the original download site provided by the developer whenever possible
• Remember to insert the tool and license link into the Readme
• Please stick to the static/dynamic compartmentalization
• Please make sure that Python Tools run on Python3 and are (somewhat) actively maintained
• Be excellent to each other in Issues/PRs