View all files | ||||
Builds malware analysis Windows virtual machines so that you don’t have to.
Python 3.3+
VirtualBox or an vSphere / ESXi server
Install git and packer using your distribution’s packaging tool (packer is sometimes called packer-io)
Install vagrant from their website : https://www.vagrantup.com/downloads.html (Installing from some distributions' packaging tools have caused issues).
pip install malboxes:
|
Note
|
Starting with Windows 10 Hyper-V is always running below the operating system. Since VT-X needs to be operated exclusively by only one Hypervisor this causes VirtualBox (and malboxes) to fail. To disable Hyper-V and allow VirtualBox to run, issue the following command in an administrative command prompt then reboot: bcdedit /set hypervisorlaunchtype off |
The following steps assume that you have Chocolatey installed. Otherwise, follow the manual installation procedure.
Install dependencies:
Refresh the console
Install malboxes:
Install VirtualBox, Vagrant and git
Install Packer, drop the packer binary in a folder in your user’s PATH like C:\Windows\System32\
Install Python 3 (make sure to add Python to your environment variables)
Open a console (Windows-Key + cmd)
This creates your base box that is imported in Vagrant. Afterwards you can re-use the same box several times per sample analysis.
Run:
You can also list all supported templates with:
This will build a Vagrant box ready for malware investigation you can now include it in a Vagrantfile afterwards.
For example:
The configuration section contains further information about what can be configured with malboxes.
This will create a Vagrantfile prepared to use for malware analysis. Move it into a directory of your choice and issue:
By default the local directory will be shared in the VM on the Desktop. This can be changed by commenting the relevant part of the Vagrantfile.
For example:
Malboxes can upload and interact with a VM on the Amazon Web serivces. To do so, follow these steps:
Malboxes will need a S3 bucket on AWS to upload the VM before converting it to an AMI (Amazon Machine Image). If you don’t have one, create one now.
Your instance also requires a security group with at least a rule allowing inbound connections for WinRM (Type: WinRM-HTTP, Protocol: TCP, Port Range: 5985, Source: host’s public IP).
Next, you need a vmimport service role configured. Follow the section named VM Import Service Role of this guide. These steps must be performed with an account that has iam:CreateRole and iam:PutRolePolicy permissions.
If the default config is used, change the hypervisor to aws and fill the mandatory options related. Otherwise, be sure to add all the options about AWS to your custom config.
Finally, you can follow the same steps described in the Box creation and the Per analysis instances sections to launch your instance!
|
Note
|
The AMI import can take a very long time (about an hour), however you can verify the status of the task by doing this. At the moment, only one AMI can be build per template. |
Install awscli using pip:
Configure awscli with:
Then run:
To connect to an instance on the cloud using RDP, run this command at the same location of your Vagrantfile:
For this to work, the instance will require a security group allowing RDP inbound connections (Type: RDP, Protocol: TCP, Port Range: 3389, Source: host’s public IP).
|
Note
|
You can safely ignore the following error because rsync is not yet implemented: No host IP was given to the Vagrant core NFS helper. This is an internal error that should be reported as a bug. |
Malboxes' configuration is located in a directory that follows usual operating system conventions:
Linux/Unix: ~/.config/malboxes/
Mac OS X: ~/Library/Application Support/malboxes/
Win 7+: C:\Users\<username>\AppData\Local\malboxes\malboxes\
The file is named config.js and is copied from an example file on first run. The example configuration is documented.
Malboxes uses virtualbox as a back-end by default but since version 0.3.0 support for ESXi / vSphere has been added. Notes about the steps required for ESXi / vSphere support are available. Since everyone’s setup is a little bit different do not hesitate to open an issue if you encounter a problem or improve our documentation via a pull request.
We are exploring with the concept of profiles which are stored separately than the configuration and can be used to create files, alter the registry or install additional packages. See profile-example.js for an example configuration. This new capacity is experimental and subject to change as we experiment with it.
Currently, Malboxes does not support the automatic creation of the security groups, so you’ll have to use the AWS console to create yours. However, using the library Boto3 there should be a way to implement this.
malboxes was presented at NorthSec 2016 in a talk titled Applying DevOps Principles for Better Malware Analysis given by Olivier Bilodeau and Hugo Genesse
Code is licensed under the GPLv3+, see LICENSE for details. Documentation and presentation material is licensed under the Creative Commons Attribution-ShareAlike 4.0, see docs/LICENSE for details.
After I had the idea for an improved malware analyst workflow based on what I’ve been using for development on Linux servers (Vagrant) I quickly Googled if someone was already doing something in that regard.
I found the packer-malware repo on github by Mark Andrew Dwyer. Malboxes was boostrapped thanks to his work which helped me especially around the areas of Autounattend.xml files.