Game Vulnerability Researcher | Anti-Cheat Enthusiast
Here are some of my favorite projects I've worked on
Have you ever wanted to create a malware analysis lab? Maybe you want to work on malware development, reverse engineering, or just want to run malware to see what it does to a machine without harming your own?
Keep reading, and we'll walk through downloading the .ISO files for your VMs, downloading FlareVM for Windows, and how to setup your network, so that your VMs can only internally communicate with one another.
This walkthrough was designed to rely heavily upon commands instead of setting up a network through a specific virtualization software such as VMware or VirtualBox to avoid confusion on setting up a lab environment.
Please hover over any words highlighted in purple to get a description of what they mean!
I am going to skip over installing VMWare or Virtual Box as it is a very self explanitory process.
As well, any screenshots and descriptions will be from within the context of Virtual Box. Similar setups can be found in VMWare but exact wording may vary.
For our Windows 10 lab, we will be initializing a Windows 10 environment, installing Flare-VM, and setup our network configurations
The first thing we'll want to do is install an ISO file. This file will contain a copy of the Windows 10 installation media and will allow for our VM to install Windows through this file.
You can download the file from here: Create Windows 10 Installaton Media (ISO)
You can find the instructions to download the ISO file within the "Using the tool to create installation media..." drop down section.
Within VirtualBox, in the top left corner, you can click on Machine > New. This will open up a Create Virtual Machine prompt.
While these option will vary from user to user, a base setup you can later change is as follows:
You can set as high of a Hard Disk size as you'd like. As long as Pre-allocate full size isn't checked, the amount of storage that is taken up by your VDI will expand as is needed until the limit you set is reached.
As well I suggest at minimum 100 GB of storage. As you need room to install Windows on the VM as well as an additional 60 GB to install Flare-VM, due to the amount of tools it installs.
After finishing these configurations, you can launch the VM and go through the Windows setup process. I personally suggest keeping a simple username and password as well as turning off any unneeded settings (Such as privacy tracking, cortana, additional keyboards, etc...)
Flare-VM is a collection of software installation scripts for Windows systems that allows you to setup and maintain a reverse engineering environment on a virtual machine.
You can find out more about Flare-VM along with installation instructions from their GitHub repository: Mandiant/Flare-VM
There are a few things that are super important that you have setup, but can be a bit tricky due to security features implemented by Microsoft.
I will list out things you need to verify are setup prior to installation and what helped me with getting these changes to stick.
Pre-Installation Steps
This is a simple check. Just verify within your VM's properties that your network adapter is set to NAT and your host machine is connected to the internet.
Disabling Windows Defender can be very finicky. Obviously Microsoft has a lot of defenses in place to stop you from disabling it's built-in Anti-Malware. I will list out what worked for me below.
I HIGHLY suggest following this article posted by Windows OSHub on permanently disabling Microsoft Defender. It is the only thing that has worked for me as per Windows 10 22H2:
How to Permanently Disable Microsoft Defender Antivirus on Windows 11 and 10
As well disable the listed group policies ("Turn off Microsoft Defender Antivirus" and "Turn off real-time protection") then run GPUpdate /force and restart your machine one last time. Then proceed to the installation step.
As mentioned above, you'll want to navigate to the Flare-VM github page and run the listed PowerShell commands in order to download and execute the script properly.
As a heads up, you'll want to make sure that your VM/Host Machine will be kept on for anywhere from an hour to several hours... There is a lot of content to download, some blog posts speaking on Flare-VM have stated it can take up to 12 hours. From my personal experience, it takes around 2-4 hours.
Almost finished with our Windows VM. I'm sure at this point it'll feel like a super long process, especially with the Flare-VM download, but you're so close!
It's advised to go ahead and take a snapshot of your VM post Flare-VM download just incase you need to go back to this point. After you take the screenshot go ahead and shut down your machine and navigate to the network settings within the VM's properties.
From here, we're just going to swap adapter one from NAT to Internal Network, and set the new field that appears Name to malware-net
There are a few things that we need to check and setup. You can change the IP address and network setup if you'd prefer!
In order to set a static IP address, I personall prefer to utilize PowerShell just because it's easier to write out one long command then go through a bunch of GUI pages. Below you can find the command I use:
$if="Ethernet"; New-NetIPAddress -InterfaceAlias $if -IPAddress 192.168.100.10 -PrefixLength 24 -DefaultGateway 192.168.100.1 -AddressFamily IPv4; Set-DnsClientServerAddress -InterfaceAlias $if -ServerAddresses 192.168.100.1
An issue I ran into while setting up my lab was once my Linux VM was setup. I was able to ping Windows > Linux but I couldn't ping from Linux > Windows. After looking into several things, I found that the issue was that within Windows Defender Firewall > Advanced Settings > Inbound Rules. You are looking for File and Printer Sharing (Echo Request - ICMPv4-In), there should be two, one for the Private profile and one for the Domain Profile. You'll want to make sure both of these are enabled!
After these steps, your Windows VM should be setup successfully!
Fortunately the setup for the Linux doesn't take nearly as long but from my experience is a bit more compliacted to setup the network configurations.
For this instance, I am trying out Remnux. I usually use Kali Linux, and may switch to it in the future, but I wanted to try playing around with something new.
Remnux provides us with a great page on their installation process. Please follow the instructions listed there to download and import the machine into your virtualization software of choice.
Install the Remnux Distro
What's cool about importing remnux this way (Through an OVA file) instead of an ISO file. Is that instead of going through an installation process, once imported, you have a fully setup Linux VM!
All we have left to do on it, is finish setting up the network configurations and you will have successfully built a Malware Analysis Environment
Similar to our Windows installation, go ahead and shut down your Linux VM. Then navigate to the Network section within the VM's properties.
This time we'll have two adapters. One will allow us to communicate with the internet and the other will be responsbile for communicating within our internal network.
Go ahead and make sure that Adapter 1 is set to NAT and that Adapter 2 is set to Internal Network with the Name being malware-net
Now all that's left is to run some commands to finish configuring our Network settings and we'll be finished!
Disclaimer: This process took me a lot of troubleshooting to setup successfully as it was my first time. I fully reinstalled the remnux machine and ran these commands again to verify it would work successfully on my installation. If you run into any issues, please google around the errors you're getting to find potential solutions!
Please run the follow commands in order:
// You should see enp0s3 and enp0s8 or something similar to that name convention within the devices listed. If you don't make sure you setup the VM adapters correctly.
sudo touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf
sudo nmcli connection add type ethernet ifname enp0s8 con-name malware-net ipv4.addresses 192.168.100.1/24 ipv4.method manual
sudo nmcli connection modify malware-net ipv4.never-default yes ipv6.method ignore
sudo nmcli connection modify malware-net ipv4.never-default yes ipv6.method ignore
sudo nmcli connection modify malware-net connection.autoconnect yes
sudo nmcli connection modify malware-net ipv4.never-default yes
sudo nmcli connection up malware-net
// If any of those commands show an error around an "device is strictly unmanaged", use the follow command. If not, skip this command.
sudo nano /etc/NetworkManager/NetworkManager.conf
// Within here you'll want to change the [ifupdown] value from false to true
[ifupdown] [ifupdown]
managed=false -> managed=true // Then press ctrl+s -> ctrl+x
// Resume from these commands
sudo systemctl restart NetworkManager
sudo nmcli device set enp0s3 managed yes
sudo nmcli connection add type ethernet ifname enp0s3 con-name "NAT Connection" autoconnect yes
sudo nmcli connection up "NAT Connection"
After you run those commands, your internal network should be setup! You can now ping your Windows VM (192.168.100.10) as well as other online sources such as Googles DNS Primary Server (8.8.8.8)
That was a lot of steps, and given the time to download Flare-VM may have taken a while, but I hope everything worked and was installed for you successfully!
I had never setup a virtual internal network prior to setting up this lab, so while it may have been frustrating to troubleshoot. I am happy that I was able to learn how IP Route tables and manually setting IPs work, especially in Linux.
I hope you were able to learn something as well and were successfully able to setup your malware analysis lab if you were following along!
I'm excited to start experimenting with malware development as well as malware analysis in the future! I continue to learn more and more around scripting and analysis of malware. I am excited to document that learning journey and hopefully inspire or teach other people in the community about what I've learned.
Please take care, take some time to learn something new, and happy game hacking!
NitoTech