/flare-vm

Primary LanguagePowerShellApache License 2.0Apache-2.0

  ______ _               _____  ______   __      ____  __ 
 |  ____| |        /\   |  __ \|  ____|  \ \    / /  \/  |
 | |__  | |       /  \  | |__) | |__ _____\ \  / /| \  / |
 |  __| | |      / /\ \ |  _  /|  __|______\ \/ / | |\/| |
 | |    | |____ / ____ \| | \ \| |____      \  /  | |  | |
 |_|    |______/_/    \_\_|  \_\______|      \/   |_|  |_|
                    
  ________________________________________________________
                       Developed by                     
                   flarevm@fireeye.com
      FLARE (FireEye Labs Advanced Reverse Engineering)  
  ________________________________________________________ 

FLARE VM

Welcome to FLARE VM - a fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.

Please see https://www.fireeye.com/blog/threat-research/2018/11/flare-vm-update.html for a blog on installing FLARE VM.

v2.0 Update

Version 2.0 of FLARE VM has introduced breaking changes with previous versions. A fresh installation in a clean Virtual Machine is recommended.

Version 2.0 of FLARE VM now depends on the environment variable FLARE_START. If troubleshooting, please make sure this environment variable is set. Its default value is set to %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\FLARE.

Legal Notice

This download configuration script is provided to assist cyber security analysts
in creating handy and versatile toolboxes for malware analysis environments. It
provides a convenient interface for them to obtain a useful set of analysis
tools directly from their original sources. Installation and use of this script
is subject to the Apache 2.0 License.
 
You as a user of this script must review, accept and comply with the license
terms of each downloaded/installed package listed below. By proceeding with the
installation, you are accepting the license terms of each package, and
acknowledging that your use of each package will be subject to its respective
license terms.

List of package licenses:

http://exeinfo.atwebpages.com
http://go.microsoft.com/fwlink/?LinkID=251960
http://jd.benow.ca/
http://msdn.microsoft.com/en-US/cc300389.aspx
http://ntinfo.biz
https://www.sublimetext.com
http://opensource.org/licenses/MIT
http://progress-tools.x10.mx/dnsd.html
http://sandsprite.com/CodeStuff/scdbg_manual/MANUAL_EN.html
http://sandsprite.com/iDef/MAP/
http://sandsprite.com/iDef/SysAnalyzer/
http://sandsprite.com/tools.php?id=17
http://svn.code.sf.net/p/processhacker/code/2.x/trunk/LICENSE.txt
http://technet.microsoft.com/en-us/sysinternals/bb469936
http://upx.sourceforge.net/upx-license.html
http://vimdoc.sourceforge.net/htmldoc/uganda.html
http://whiteboard.nektra.com/spystudio/spystudio_license
http://wjradburn.com/software/
http://www.7-zip.org/license.txt
http://www.angusj.com/resourcehacker/
http://www.chiark.greenend.org.uk/~sgtatham/putty/licence.html
http://www.gnu.org/copyleft/gpl.html
http://www.gnu.org/licenses/gpl-2.0.html
http://www.novirusthanks.org/products/kernel-mode-driver-loader/
http://www.ntcore.com/exsuite.php
http://wjradburn.com/software/
http://www.ollydbg.de/download.htm
http://www.ollydbg.de/version2.html
http://www.oracle.com/technetwork/java/javase/terms/license/index.html
http://www.radare.org/r/license.html
http://www.rohitab.com/apimonitor
http://www.slavasoft.com/hashcalc/license-agreement.htm
http://www.techworld.com/download/portable-applications/microsoft-offvis-11-3214034/
https://blog.didierstevens.com/programs/pdf-tools/
https://blog.didierstevens.com/programs/xorsearch/
https://bytecodeviewer.com/
https://cdn.rawgit.com/iggi131/packages/master/RawCap/license.txt
https://docs.binary.ninja/about/license/#demo-license
https://docs.binary.ninja/about/license/index.html#demo-license
https://github.com/0xd4d/de4dot/blob/master/LICENSE.de4dot.txt
https://github.com/0xd4d/dnSpy
https://github.com/0xd4d/dnSpy/blob/master/dnSpy/dnSpy/LicenseInfo/GPLv3.txt
https://github.com/FarGroup/FarManager/blob/master/LICENSE
https://github.com/clinicallyinane/shellcode_launcher/
https://github.com/enkomio/RunDotNetDll/blob/master/LICENSE.TXT
https://github.com/fireeye/flare-fakenet-ng
https://github.com/fireeye/flare-floss
https://github.com/fireeye/flare-qdb
https://github.com/fireeye/flare-vm
https://github.com/icsharpcode/ILSpy/blob/master/README.txt
https://github.com/icsharpcode/ILSpy/blob/master/doc/license.txt
https://github.com/java-decompiler/jd-gui/blob/master/LICENSE
https://github.com/mikesiko/PracticalMalwareAnalysis-Labs
https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/LICENSE
https://github.com/radareorg/cutter
https://github.com/x64dbg/x64dbg/blob/development/LICENSE
https://github.com/x64dbg/x64dbgpy/blob/v25/LICENSE
https://hshrzd.wordpress.com/pe-bear/
https://github.com/hasherezade/hollows_hunter/blob/master/LICENSE
https://github.com/hasherezade/pe-sieve/blob/master/LICENSE
https://metasploit.com/
https://mh-nexus.de/en/hxd/license.php
https://nmap.org/ncat/
https://portswigger.net/burp
https://raw.githubusercontent.com/IntelliTect/Licenses/master/WindowsManagementFramework.txt
https://raw.githubusercontent.com/chocolatey/choco/master/LICENSE
https://raw.githubusercontent.com/ferventcoder/checksum/master/LICENSE
https://retdec.com/
https://svn.nmap.org/nmap/COPYING
https://www.7-zip.org/
https://www.free-decompiler.com/flash/license/
https://www.gnu.org/copyleft/gpl.html
https://www.hex-rays.com/products/ida/support/download_freeware.shtml
https://www.jetbrains.com/decompiler/download/license.html
https://www.kali.org/about-us/
https://www.mcafee.com/hk/downloads/free-tools/fileinsight.aspx
https://www.microsoft.com/en-us/download/details.aspx?id=44266
https://www.nirsoft.net/utils/hash_my_files.html
https://www.openssl.org/source/license.html
https://www.python.org/download/releases/2.7/license
https://docs.python.org/3/license.html
https://www.sweetscape.com/010editor/manual/License.htm
https://www.vb-decompiler.org/license.htm
http://kpnc.org/idr32/en/
https://www.vim.org/about.php
https://www.winitor.com
https://raw.githubusercontent.com/NationalSecurityAgency/ghidra/master/LICENSE
https://www.mzrst.com/
https://raw.githubusercontent.com/dscharrer/innoextract/master/LICENSE
http://innounp.sourceforge.net/
https://www.visualstudio.com/en-us/support/legal/mt644918
http://repo.or.cz/w/nasm.git/blob_plain/HEAD:/LICENSE
https://blog.didierstevens.com/programs/oledump-py/
https://lessmsi.activescott.com/
https://cert.at/downloads/software/bytehist_en.html
https://github.com/ReFirmLabs/binwalk
https://github.com/fireeye/SilkETW

Installation (Install Script)

Create and configure a new Windows 7 SP1 or newer Virtual Machine. To install FLARE VM on an existing Windows VM, download and copy install.ps1 on your analysis machine. On the analysis machine open PowerShell as an Administrator and enable script execution by running the following command:

Set-ExecutionPolicy Unrestricted

Finally, execute the installer script as follows:

.\install.ps1

The script will set up the Boxstarter environment and proceed to download and install the FLARE VM environment. You will be prompted for the Administrator password in order to automate host restarts during installation.

Installation (Manually)

First, install BoxStarter. All commands are expected to be executed with Administrator privileges.

If you are using PowerShell v2:

Set-ExecutionPolicy Unrestricted
iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1')); get-boxstarter -Force

And PowerShell v3 or newest:

Set-ExecutionPolicy Unrestricted
. { iwr -useb http://boxstarter.org/bootstrapper.ps1 } | iex; get-boxstarter -Force

Next, you can deploy FLARE VM environment as follows

Install-BoxstarterPackage -PackageName https://raw.githubusercontent.com/fireeye/flare-vm/master/install.ps1

NOTE: The old installation method using the webinstaller link is now deprecated.

Installing a new package

FLARE VM uses the chocolatey public and custom FLARE package repositories. It is easy to install a new package. For example, enter the following command as Administrator to deploy x64dbg on your system:

cinst x64dbg

Staying up to date

Type the following command to update all of the packages to the most recent version:

cup all

Malware Analysis with FLARE VM

For an example malware analysis session using FLARE VM, please see the blog at https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html.

The installation instructions referenced in the above blog post are outdated. For installation instructions, follow the steps outlined in the blog https://www.fireeye.com/blog/threat-research/2018/11/flare-vm-update.html.

Installed Tools

Android

  • dex2jar
  • apktool

Debuggers

  • flare-qdb
  • scdbg
  • OllyDbg + OllyDump + OllyDumpEx
  • OllyDbg2 + OllyDumpEx
  • x64dbg
  • WinDbg + OllyDumpex + pykd

Decompilers

  • RetDec

Delphi

  • Interactive Delphi Reconstructor (IDR)

Developer Tools

  • VC Build Tools
  • NASM

Disassemblers

  • Ghidra
  • IDA Free (5.0 & 7.0)
  • Binary Ninja Demo
  • radare2
  • Cutter

.NET

  • de4dot
  • Dot Net String Decoder (DNSD)
  • dnSpy
  • DotPeek
  • ILSpy
  • RunDotNetDll

Flash

  • FFDec

Forensic

  • Volatility

Hex Editors

  • FileInsight
  • HxD
  • 010 Editor

Java

  • JD-GUI
  • Bytecode-Viewer

Networking

  • FakeNet-NG
  • ncat
  • nmap
  • Wireshark

Office

  • Offvis
  • OfficeMalScanner
  • oledump.py

PDF

  • PDFiD
  • PDFParser
  • PDFStreamDumper

PE

  • PEiD
  • ExplorerSuite (CFF Explorer)
  • PEview
  • DIE
  • PeStudio
  • PEBear
  • ResourceHacker
  • LordPE
  • PPEE(puppy)

Pentest

  • MetaSploit
  • Windows binaries from Kali Linux

Text Editors

  • SublimeText3
  • Notepad++
  • Vim

Visual Basic

  • VBDecompiler

Web

  • BurpSuite Free Edition

Utilities

  • FLOSS
  • HashCalc
  • HashMyFiles
  • Checksum
  • 7-Zip
  • Far Manager
  • Putty
  • Wget
  • RawCap
  • UPX
  • RegShot
  • Process Hacker
  • Sysinternals Suite
  • API Monitor
  • SpyStudio
  • Shellcode Launcher
  • Cygwin
  • Unxutils
  • Malcode Analyst Pack (MAP)
  • XORSearch
  • XORStrings
  • Yara
  • CyberChef
  • KernelModeDriverLoader
  • Process Dump
  • Exe2Aut
  • Innounp
  • InnoExtract
  • UniExtract2
  • Hollows-Hunter
  • PE-sieve

Python, Modules, Tools

  • Py2ExeDecompiler
  • Python 2.7
    • hexdump
    • pefile
    • winappdbg
    • pycryptodome
    • vivisect
    • binwalk
    • capstone-windows
    • unicorn
    • oletools
    • olefile
    • unpy2exe
    • uncompyle6
    • pycrypto
    • pyftpdlib
    • pyasn1
    • pyOpenSSL
    • ldapdomaindump
    • pyreadline
    • flask
    • networkx
    • requests
  • Python 3
    • binwalk
    • unpy2exe
    • uncompyle6

Other

  • VC Redistributable Modules (2005, 2008, 2010, 2012, 2013, 2015, 2017)
  • .NET Framework versions 4.6.2 and 4.7.2
  • Practical Malware Analysis Labs
  • Google Chrome
  • Cmder Mini