malware_training_vol1/exercises/setup
hasherezade 88c7aeb37f
Update install_apps.bat
2021-03-24 15:01:22 +01:00
img Added the lab setup for exercises 2021-03-22 21:29:28 +01:00
README.md [setup] Install x64dbg as standalone (not via Chocolatey) 2021-03-24 15:00:39 +01:00
install_apps.bat Update install_apps.bat 2021-03-24 15:01:22 +01:00
install_choco.bat Added the lab setup for exercises 2021-03-22 21:29:28 +01:00

README.md

Table of contents

Prepare the VM

To download

  1. Download and install Virtual Box from here
  2. Download Windows 10 test machine from here - version for Virtual Box

Setting up the VM

  1. Unpack the MSEdge.Win10.VirtualBox.zip. You will find there MSEdge - Win10.ova. It is a Virtual Box Appliance.
  2. Run the Virtual Box and import the appliance:

Wait for it to import...

  3. A few options should be edited before the first run

3.1. Display Settings:

  • Increase the default Video Memory (move the slider to the green area)

  • Change the Graphics Controller to VBoxSVGA

3.2. Add Optical Drive (Empty)

3.3. Add a shared folder

  • named training_shared
  • mapped to a Mount point Z
  • set to Auto-mount

  4. Run the Virtual Machine for the first time

Log into the system. The password is Passw0rd!.

  5. Install the Guest Additions.

Reboot the machine after installation:

  6. Resize the disk

We will be installing a lot of tools that are going to consume space, and the disk given by default with this appliance is not sufficient. We need to resize it (to 80 GB).

  • Ensure that at this step your VM doesn't have any snapshots. If it has, they must be deleted before you can continue.

  • Shut down the VM

  • Resize the disk to 80GB:

    • Option 1) from command line

Go to the directory where your Virtual Disk is located (in MSEdge - Win10). Type the command (assuming that MSEdge - Win10-disk001.vdi is the disk of our VM):

VBoxManage modifyhd "MSEdge - Win10-disk001.vdi" --resize 81920


  • Option 2) from GUI:

File -> Virtual Media Manager

Select the disk related to our VM. Set the slider to 80 GB. Click Apply.


After it is done, we need to resize the partition that is accessible to the VM.

  • Start the VM
  • From the menu, search "partitions"

  • Click "Extend Volume"

Go through and accept the default settings. The accessible partition should expand to fill all the space:
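The "Extend Volume" step above, done from an elevated PowerShell inside the VM instead of the Disk Management wizard (an added example, not part of the original README). It assumes the system partition is C: and that the unallocated space left by the VBoxManage resize lies directly after it.

```powershell
# Added example (not from the original README): extend C: into the
# unallocated space created by the VBoxManage resize. Run elevated in the VM.
$drive = 'C'
$part  = Get-Partition -DriveLetter $drive
$sizes = Get-PartitionSupportedSize -DriveLetter $drive

# Sizes are in bytes. SizeMax is the largest size the partition can grow to
# using the unallocated space that directly follows it; if another partition
# (e.g. a recovery partition) sits in between, SizeMax stays at the current size.
if ($part.Size -ge $sizes.SizeMax) {
    Write-Host ("Partition {0}: no contiguous free space to extend into ({1:N1} GB)" -f $drive, ($part.Size / 1GB))
} else {
    Resize-Partition -DriveLetter $drive -Size $sizes.SizeMax
    $part = Get-Partition -DriveLetter $drive
    Write-Host ("Partition {0} extended to {1:N1} GB" -f $drive, ($part.Size / 1GB))
}
```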

  7. Make a snapshot in the "Fresh" state.

After reboot, log into the VM again. Make a snapshot.

Improve the performance

VM changes

  • Remote display: Enable Server: Off
  • System -> Motherboard -> Increase Base Memory (choose the limit according to capabilities of your physical machine)
  • Display -> Screen -> Increase Video Memory (choose the limit according to capabilities of your physical machine)

System changes

Windows 10 is pretty bulky and resource-demanding. So, you may want to improve the performance of your VM by making some additional changes.

  1. Uninstall redundant apps:
  • Microsoft News
  • Microsoft Silverlight
  • Skype
  • Feedback Hub
  2. Use minimalistic UI

Open Advanced system settings -> System Properties. On the Advanced tab under Performance, click Settings.... On the tab Visual effects choose Adjust for best performance.

  3. Disable redundant startup apps.

Open Task Manager, then on the tab Startup disable everything except the Virtual Box addons.

  4. Changes in Windows Settings:
  • Background apps (important to disable):

    • Let apps run in the background: Off
  • General: Off (everything)

    • Let app use advertising ID to make ads [...]: Off
    • Let websites provide locally relevant content[...]: Off
    • Let Windows track app launches: Off
  • Diagnostics & feedback:

    • Set to "Basic"
    • Tailored experiences: Off
    • Improve inking and typing: Off
  • Inking and typing: Off

  • Call history:

    • Allow apps to access your call history: Off
  • Microphone:

    • Allow apps to access your microphone: Off
  • Camera:

    • Allow apps to access your camera: Off

Turn off Windows Defender

Disable Defender Firewall

  1. Search "defender"

  2. Disable firewall for both Public and Private networks:

Disable Defender Antivirus

  1. Search "virus & threat protection"
  2. Choose "Manage settings"
  3. Turn off: Real-time protection, Cloud-delivered protection, Automatic sample submissions

Via local group policy

  1. Search "gpedit.msc"
  2. In window "Local Group Policy Editor":
  • Select: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus

  • Edit: Turn off Windows Defender Antivirus -> select: Enabled -> click OK
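The firewall, antivirus and local-policy changes above as one elevated PowerShell script, with a status check at the end (an added example, not part of the original README). It assumes Tamper Protection was already switched off in the "Virus & threat protection" settings; while it is on, the Set-MpPreference changes below are not applied.

```powershell
# Added example (not from the original README): the Defender changes from the
# GUI steps above, applied from an elevated PowerShell in the lab VM.
# Assumption: Tamper Protection is already off (Virus & threat protection -> Manage settings).

# Defender Firewall: off for the Private and Public profiles.
Set-NetFirewallProfile -Profile Private,Public -Enabled False

# Defender Antivirus: the three toggles under "Manage settings".
Set-MpPreference -DisableRealtimeMonitoring $true       # Real-time protection
Set-MpPreference -MAPSReporting Disabled                 # Cloud-delivered protection
Set-MpPreference -SubmitSamplesConsent NeverSend         # Automatic sample submission

# Local policy equivalent of "Turn off Windows Defender Antivirus -> Enabled".
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name DisableAntiSpyware -Value 1 -Type DWord

# Check the result: Enabled should be False for both profiles, and
# RealTimeProtectionEnabled False (AntivirusEnabled changes after a reboot).
Get-NetFirewallProfile -Profile Private,Public | Select-Object Name, Enabled
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, AntivirusEnabled, IsTamperProtected
```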

Install Visual Studio and programming utilities

To download

Setting up the Visual Studio

  1. Run the installer (vs_community__<version>.exe)
  2. Select:
  • .NET desktop development
  • Desktop development with C++

From Individual components select the last version of the Windows 10 SDK (Win10SDK_10.0.19041)

Add SDK

From Individual components (under the category Compilers, build tools, and runtimes) select the last version of the C++ x64/x86 Spectre-mitigated libs (MSVC v142 - VS 2019 C++ x64/x86 Spectre-mitigated libs (v14.26))

From Individual components: select all available versions of Python (Python 2: 32 and 64 bit, and Python3: 32 and 64 bit).

  3. After that, go through the default steps and let it install:

Setting up the Windows Driver Kit

  1. Run the WDK setup downloaded from the given link. Go through the default installation steps:

  2. You will be asked if you want to install the extension for Visual Studio. Select it and install:

Setting up the Windows Debugger (WinDbg)

  1. Run the Windows SDK setup downloaded from the given link

Select Windows Debugging Tools, and follow the default steps to install the WinDbg.

Add symbols

Once WinDbg is installed, we should add Symbols. In order to do this, we just need to add an environment variable, to which WinDbg will automatically refer:

_NT_SYMBOL_PATH

… and fill it with the link from where it can download symbols.

https://msdl.microsoft.com/download/symbols

Full variable content may look like this (downloaded symbols will be stored in C:\Symbols):

SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols

Edit environment variables and set it.

Enable Local Kernel Debugging.

During our training we will be viewing some system internals under WinDbg. In order to do so, we need to have Local Kernel Debugging enabled. First, make sure that you followed the previous section about adding symbols. Then, follow the instructions:

  • Run commandline as Administrator.
bcdedit /debug on

  • Reboot the machine.

  • Run WinDbg (x64) as Administrator. File -> Kernel Debug. Select the tab Local. A window with Local Kernel Debugger (lkd) will appear.

(If the command prompt is not showing up, from the main menu choose: Debug -> Break).

Among the displayed strings you should see your symbols path mentioned:

Symbol search path is: SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols

Run a sample command to check if everything works fine:

dt nt!_EPROCESS
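The symbol-path and bcdedit steps from the two sections above, done from an elevated PowerShell with a check that both took effect before you reboot (an added example, not part of the original README). The symbol store location C:\Symbols is the one used above.

```powershell
# Added example (not from the original README): set _NT_SYMBOL_PATH at machine
# level, turn on kernel debugging, and verify both before rebooting. Run elevated.
$symPath = 'SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols'
New-Item -ItemType Directory -Path 'C:\Symbols' -Force | Out-Null

# 'Machine' scope, so WinDbg finds the variable no matter which user starts it.
[Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $symPath, 'Machine')

# Same as "bcdedit /debug on" typed at an administrator prompt; takes effect on reboot.
bcdedit /debug on | Out-Null

# Check: the current boot entry should now list "debug  Yes".
$entry   = bcdedit /enum '{current}'
$debugOn = [bool]($entry | Select-String -Pattern '^\s*debug\s+Yes' -Quiet)
$envOk   = [Environment]::GetEnvironmentVariable('_NT_SYMBOL_PATH', 'Machine') -eq $symPath

if ($debugOn -and $envOk) {
    Write-Host 'Symbol path set and kernel debugging enabled. Reboot, then WinDbg -> File -> Kernel Debug -> Local.'
} else {
    Write-Warning "debug flag set: $debugOn, symbol path set: $envOk (was this run from an elevated prompt?)"
}
```

After the reboot, the lkd prompt's "Symbol search path is:" line should show the same string as $symPath, and dt nt!_EPROCESS should resolve the structure from the downloaded symbols.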

Install Reverse Engineering Utilities

  • Install Chocolatey: download the script install_choco.bat and run it as Administrator. Reboot the machine after the installation.
  • Install the applications via Chocolatey. Download the script install_apps.bat and run it as Administrator.

Additionally, you need to install the following applications (not via Chocolatey):

Post-installation configuration

x64dbg

Make sure that the normal user has full access to the directory where the debugger was installed. Otherwise you will not be able to save your analysis DB as a normal user.
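A check for the permission problem described above, with the fix applied when the Users group lacks full control (an added example, not part of the original README). The install path is a placeholder; replace it with the directory where x64dbg was unpacked. Run from an elevated PowerShell.

```powershell
# Added example (not from the original README): verify that BUILTIN\Users has
# Full control on the x64dbg directory, and grant it if not. Run elevated.
$x64dbgDir = 'C:\Tools\x64dbg'   # placeholder: set to your actual x64dbg install directory
$full = [System.Security.AccessControl.FileSystemRights]::FullControl

$acl = Get-Acl -Path $x64dbgDir
$hasFull = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $full) -eq $full)
}

if ($hasFull) {
    Write-Host "OK: Users already have Full control on $x64dbgDir"
} else {
    # (OI)(CI) make the grant inherit to files and subfolders, so the db\ folder
    # where x64dbg stores the analysis databases becomes writable as well.
    icacls $x64dbgDir /grant 'Users:(OI)(CI)F' /T | Out-Null
    Write-Host "Granted Full control on $x64dbgDir to Users"
}
```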

Save the VM state

After having all the tools installed, don't forget to make a snapshot. Create a new snapshot named: "Fresh with tools".