Prologue from the Girl


The Holiday break is over and we are now on with mighty joint!  Sigh, no one makes movies like Mel Brooks.

Anyway, in deference to my wife and daughter who just weren’t ready for the social stress of me presenting female at the family gathering, I spent 6 miserable days in Atlanta as “the reluctant drag king.”  I will NEVER do that again.  I have come way too far.  It’s hard on them I know, but the reality is that we have all resolved to stay together through this.  We all have a lot of adjusting to do.  That being said, they are the greatest just for trying to make this work and I love them with all of my heart.  My boys too.

On the lighter side, our CIO and HR department sent me flowers about a week after I started transitioning in the workplace.  It really was amazing.

We have gone to see The Force Awakens twice since my last post.  Yay!!! Rey is cool.  I think I’m in love with Daisy Ridley, in a movie star kind of way.  I think she put Finn in the friend zone at the end, so there may be hope. Ha ha. . . I’m pretty sure she’s straight.  Not to mention I’m married and I like having a head on my shoulders.


Moving on to our topic at hand: installing Windows on our system for reverse engineering.

Installing Windows on our Virtual Box Setup

A couple of items of note.  When we create this Windows virtual machine we need to start the process using NAT networking.  This is important for a few reasons.  First and foremost, we need to activate Windows.  Secondly, we have some tools that we need to download and install.  Patching the system isn’t my primary concern, as we will generally be running it “off-line” anyway.  The scope of these tutorials is to focus on malicious binary analysis.  Web based exploits like cross-site scripting (XSS) and JavaScript obfuscation will wait for a later date.

Go ahead and create a new virtual machine in VirtualBox.  I call mine REM Windows 8.  I chose Windows 8 (64-bit).  We’ll assume that you are using Windows 8 64-bit for the purposes of this tutorial.  The same essential approach applies to Windows 10 as well in terms of machine setup.  Obviously, you would choose Windows 10 in that case.

[Screenshot: windows-8-vm-create-1]

I have a copy of the Windows 8.1 Pro ISO, as I purchased it from Microsoft.  If you haven’t had a chance to create a Windows 8.1 ISO, you’ll need to do so from a Microsoft Windows machine.  If you don’t have one, go to a friend’s house.  You can use the Windows media creation tool located at the following address to create your ISO.

http://windows.microsoft.com/en-us/windows-8/create-reset-refresh-media

Go ahead and give the VM 2 GB of RAM.  You shouldn’t need much more than that to do effective reverse engineering.  If you do, you can always increase it later.  If you don’t have much RAM in your reversing workstation, then there will be performance degradation, as the host system will swap your VM’s memory to disk in order to accommodate larger RAM settings.

[Screenshot: windows-8-vm-create-2.png]

For the hard disk, choose Create virtual hard disk now.  Don’t worry about where it says 25.00 GB; we’ll be setting the hard disk size later.

[Screenshot: windows-8-vm-create-3.png]

I choose the VDI format for the disk.  This is the native image format for VirtualBox.  I typically choose it here so that any future VirtualBox releases with new disk features remain compatible.  You can choose VMDK if you want a VMware-compatible disk, but I don’t see any value in that in this instance.  If you want to move the VM, you can export it to an OVA.

[Screenshot: windows-8-vm-create-4]

I typically choose dynamically allocated for the disk.  This incurs a minor performance hit during processing, but allows us to create the disk quickly, and for our purposes the performance hit is negligible.

[Screenshot: windows-8-vm-create-5]

Finally, I am going to select 100 GB in this instance for the disk size.  Mind you, VirtualBox will only allocate space as it is actually used, because we selected dynamic allocation.

[Screenshot: windows-8-vm-create-6]

And click Create.

Now, before we start up the VM, we need to open the settings and make two changes.

  • Change the networking to NAT.
  • Attach the Windows 8 ISO to the virtual machine so it boots and installs Windows 8.

[Screenshot: windows-8-vm-create-7]
[Screenshot: windows-8-vm-create-8]
[Screenshot: windows-8-vm-create-9]

Installing Windows 7/8/10

I will NOT go through the details of the Windows installation for two reasons.  One, this is a vanilla installation; it shouldn’t require rocket science.  Two, if you can’t handle a basic Windows installation inside of VirtualBox, then these guides probably aren’t for you.  We’re going to get into advanced topics in these guides like assembly, code obfuscation, and data/code encryption.  You really need to have a solid background in computing to do this.  I recommend some background in forensics, or at least some training.

I use the local username REM for the Windows username, by the way.

Make sure you have your activation key handy, that you are in NAT networking mode, and that you activate the system.  This last point is vitally important, as we only want to do this once.  Once Windows is installed, we’re going to download the tools listed below.

Reversing Software

Java 1.7
http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html#jdk-7u80-oth-JPR

ExeInfo PE
http://sourceforge.net/projects/exeinfope/files/

Capture Bat
https://www.honeynet.org/node/315

OllyDbg (get both versions 1 and 2)
http://www.ollydbg.de/

Scylla
https://tuts4you.com/download.php?view.3503

CFF Explorer
http://www.ntcore.com/exsuite.php

RegShot
http://sourceforge.net/projects/regshot/

Fiddler
http://www.telerik.com/fiddler

Bintext
http://www.mcafee.com/us/downloads/free-tools/bintext.aspx

Process Hacker
http://processhacker.sourceforge.net/

SSView
http://www.mitec.cz/ssv.html

Process Monitor
https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

PE Studio
https://www.winitor.com/

ProcDot
http://www.procdot.com/

Mandiant Redline
https://www.fireeye.com/services/freeware/redline.html

HashTab
http://implbits.com/products/hashtab/

SetDLLCharacteristics
http://blog.didierstevens.com/2010/10/17/setdllcharacteristics/

ActivePython
http://www.activestate.com/activepython

IDA Pro Freeware
https://www.hex-rays.com/products/ida/support/download_freeware.shtml

Firefox
https://www.mozilla.org/en-US/firefox/new/

Wireshark
http://www.wireshark.org/

Update:  I missed a few dependencies.

GraphViz
http://graphviz.org

WinDump
http://winpcap.org/windump


Once we’ve activated the system and downloaded the tools above, go ahead and install the VirtualBox Additions per the VirtualBox instructions.

Now, set the networking to Internal Network and use the name “intnet” for the network name.

[Screenshot: windows-8-vm-create-10]

Once you’ve done that, go ahead and create your clean snapshot.

[Screenshot: windows-8-vm-create-11]
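The whole build above, scripted with VBoxManage (VirtualBox’s own command line tool) as an added example that is not part of the original post.  The VM name, ISO path and VDI path are assumptions you can override through environment variables; the two phases mirror the post: NAT for activation and downloads, then the “intnet” internal network and the clean snapshot.

```shell
#!/bin/sh
# Added example, not from the original post: builds the REM VM with VBoxManage.
# VM name, ISO path and VDI path are assumptions; override via the environment.
#   sh rem-vm.sh create    # before the Windows install (NAT networking)
#   sh rem-vm.sh isolate   # after activation, tool downloads and Guest Additions
VM_NAME="${VM_NAME:-REM Windows 8}"
ISO="${ISO:-$HOME/iso/Windows8.1Pro.iso}"                 # assumed ISO location
VDI="${VDI:-$HOME/VirtualBox VMs/$VM_NAME/$VM_NAME.vdi}"   # default VM folder
DRY_RUN="${DRY_RUN:-}"   # set to any value to print the commands instead of running

# Map the Windows version to VirtualBox's 64-bit OS type identifier.
vm_ostype() {
  case "$1" in
    7)  echo Windows7_64 ;;
    8)  echo Windows81_64 ;;
    10) echo Windows10_64 ;;
    *)  echo "unsupported Windows version: $1" >&2; return 1 ;;
  esac
}

# VBoxManage takes RAM and disk sizes in MB; the post uses 2 GB RAM, 100 GB disk.
gb_to_mb() { echo $(( $1 * 1024 )); }
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Step 1: create the VM on NAT so Windows can activate and the tools can be fetched.
create_vm() {
  run VBoxManage createvm --name "$VM_NAME" --ostype "$(vm_ostype 8)" --register
  run VBoxManage modifyvm "$VM_NAME" --memory "$(gb_to_mb 2)" --nic1 nat
  # Dynamically allocated VDI (variant Standard): grows on demand, up to 100 GB.
  # createmedium needs VirtualBox 5.1+; older releases call it createhd.
  run VBoxManage createmedium disk --filename "$VDI" --size "$(gb_to_mb 100)" \
      --format VDI --variant Standard
  run VBoxManage storagectl "$VM_NAME" --name SATA --add sata --controller IntelAhci
  run VBoxManage storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 \
      --type hdd --medium "$VDI"
  # Attach the install ISO so the first boot runs Windows setup.
  run VBoxManage storageattach "$VM_NAME" --storagectl SATA --port 1 --device 0 \
      --type dvddrive --medium "$ISO"
}

# Step 2: move the NIC to the internal network "intnet" so the guest can no
# longer reach the internet, then take the clean baseline snapshot.
isolate_and_snapshot() {
  run VBoxManage modifyvm "$VM_NAME" --nic1 intnet --intnet1 intnet
  run VBoxManage snapshot "$VM_NAME" take clean --description "clean REM baseline"
}

case "${1:-}" in
  create)  create_vm ;;
  isolate) isolate_and_snapshot ;;
esac
```

Run it with DRY_RUN=1 first to see the exact VBoxManage commands before anything is created.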

Aaaaaaand. . . .you’re done.  Next time, we’ll look at some basic behavioral analysis techniques.


One thought on “Danielle Eve’s Guide to Malware Reverse Engineering Day 3: Installing Windows for REM”