If you’d like to start experimenting with malware analysis in your own lab, here’s how to download and set up a free Windows virtual machine:
Step 1: Install Virtualization Software
While i wanted to learn up reverse engineering, I started hunting up for blogs, I wish to share the links which i came across with respect to categorization. Reverse engineering may refer to any. User #3375374 's Windbg and IDA PRO Cheat Sheet. Commands available in Windbg. Nice cheat sheet. A white background version would be more printer friendly. The Python section is a bit less useful than the others, and might be better used for something else. Calling conventions? IDA Pro Shortcuts: IDA Pro is the big name in disassemblers (and also decompilers). 1.8.2 IDA Pro tutorials. 1.1 Introduction The hardest part of learning x86 assembly in 2013 is finding good tutorials. As the popularity of low level languages decreases the incitement to create fresh up to date tutorials is limited.
Install virtualization software that you feel comfortable configuring and troubleshooting. VirtualBox and Hyper-V are good free options. If you want to set up a headless server for your lab, you’ll probably like VMware vSphere Hypervisor (formerly called ESXi), which is also free.
If using VMware Workstation, you’ll need the commercial version: Workstation Pro for Windows and Linux or Fusion Pro for macOS. The free versions don’t support snapshots. You’ll want snapshots when examining malware, so you can revert the VM’s state to start a new investigation or backtrack an analysis step. VMware provides a free 30-day trial.
Step 2: Get a Windows Virtual Machine
If you don’t have a licensed version of Windows for your virtual machine, you can download a free Windows 10 VM from Microsoft. Go to the Microsoft Edge page for downloading virtual machines. Select “MSEdge on Win 10 (x64)” and pick the virtualization platform that matches the one you have:
If using macOS, you might be unable to extract the zip file’s contents unless you download a file extractor such as The Unarchiver.
After downloading and extracting the archive, follow the steps appropriate for your virtualization software to start the VM. For example, for VMware you’d extract the files into a dedicated folder, then launch the file named “MSEdge – Win10.vmx”.
The Windows OS in this VM expires after 90 days. Microsoft recommends “setting a snapshot when you first install the virtual machine which you can roll back to later.”
The password Microsoft assigned to this virtual machine is “Passw0rd!” You won’t need it for starting the VM, which will automatically log you in, but you might need to supply it when configuring the OS or installing software.
Step 3: Update the VM and Install Malware Analysis Tools
When you first boot the VM, it will be able to connect to the internet, assuming your physical host has internet access. You can use this connection to update the OS to the latest patch level and install malware analysis tools.
Next, install malware analysis tools. Here are some of my favorite free Windows tools for examining malicious software in a lab:
- Behavioral analysis: Process Monitor, ProcDOT, Process Hacker, Wireshark
- Code analysis: PeStudio, IDA Freeware, x64dbg, Scylla
You can also automatically install lots of free malware analysis tools using the FLARE VM distribution:
If you wish, install in the VM utilities such as VirtualBox Guest Additions and VMware Tools, which come with your virtualization software. They will make it convenient to share clipboard contents and files between your physical host and the VM. However, their presence slightly increases the chances that malware might detect the virtualized environment or manage to escape.
If you won’t be using the file sharing methods supported by your virtualization software, decide how you’ll transfer files in and out of the VM. Accessing a USB key from within the VM is a reasonable option. Another one is SFTP: You can enable the SSH server built into Windows, then access it from your physical host or from another VM using an SFTP client, such as WinSCP.
Step 4: Isolate the Analysis VM and Disable Windows Defender AV
Shut down your VM.
Consider disabling shared folders for the virtual machine, to make it harder for malware to escape. For example, to do that in VMware Workstation Pro, go to VM > Settings… > Options > Shared Folders and click Disabled.
Change the network settings for the VM so it doesn’t have any network access. For instance, in VMware Workstation Pro you could put it into Host-Only mode by going to VM > Settings… > Hardware > Network Adapter and selecting Host-Only:
Ida Pro Cheat Sheet Printable
A host-only network makes it possible for the VM to communicate with the virtual adapter of your physical host. For better isolation, consider defining a dedicated virtual network just for your virtual machine, then configure the VM to use that custom network. If you do this, then you won’t be able to use SFTP to transfer files between the VM and your physical host.
Start your VM, now that it’s no longer connected to the physical network.
Disable Windows Defender Antivirus inside the virtual machine, so the AV doesn’t interfere with your malware analysis efforts. Use Group Policy to do this to avoid Windows periodically re-enabling AV. Optionally, use Group Policy to disable Windows Updates.
Once the VM is configured the way you like it, take a snapshot.
Be careful to avoid infecting the wrong system when analyzing malware and to minimize the chances that your specimen will escape. Strongly consider dedicating a physical host to such research; don’t use this system for other tasks and don’t connect it to a production network.
Download Ida Pro
Step 5: Analyze Some Malware
You’re ready to analyze some malware! I created lots of free resources for people looking to start learning malware analysis, in addition to the Reverse-Engineering Malware course I teach at SANS Institute:
Ida Pro Cheat Sheet 2020
Happy learning!