From dfb413ee0a96a5bcd997008ff9faeee6310e38d5 Mon Sep 17 00:00:00 2001
From: Olivier Bilodeau
Date: Thu, 15 Aug 2019 15:22:42 -0400
Subject: [PATCH 1/8] Added new malware analysis packages to the default config
---
 malboxes/config-example.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/malboxes/config-example.js b/malboxes/config-example.js
index 9757720..ce5ec01 100644
--- a/malboxes/config-example.js
+++ b/malboxes/config-example.js
@@ -56,7 +56,7 @@
 // Chocolatey packages to install on the VM
 // TODO re-add dependencywalker and regshot once upstream choco package provides a checksum
 // TODO: Re-add processhacker when its fixed for win7_64
- "choco_packages": "sysinternals windbg 7zip putty wireshark winpcap",
+ "choco_packages": "ghidra x64dbg.portable dnspy ollydbg sysinternals windbg 7zip putty wireshark winpcap",
 // Setting the IDA Path will copy the IDA remote debugging tools into the guest
 //"ida_path": "/path/to/your/ida",
From 53831077eb01e6d5cc4bdcc5b0f5dafc7a37a1f6 Mon Sep 17 00:00:00 2001
From: Olivier Bilodeau
Date: Thu, 22 Aug 2019 15:23:21 -0400
Subject: [PATCH 2/8] fix for .Net reboot required (pulled by dnspy)
---
 malboxes/templates/snippets/provision_powershell.json | 3 ++-
 malboxes/templates/snippets/provision_powershell_win7.json | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/malboxes/templates/snippets/provision_powershell.json b/malboxes/templates/snippets/provision_powershell.json
index c1d0106..fb7e61b 100644
--- a/malboxes/templates/snippets/provision_powershell.json
+++ b/malboxes/templates/snippets/provision_powershell.json
@@ -17,6 +17,7 @@
 "inline": [
 "choco install {{ choco_packages }} -y"
 ],
- "valid_exit_codes": [ 0, 404 ]
+ {# 404 is broken download, 3010 is a .Net reboot required #}
+ "valid_exit_codes": [ 0, 404, 3010 ]
 }
 {% endif %}
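Review bot: Nothing in the comment block records whether the `ghidra`, `x64dbg.portable`, `dnspy` and `ollydbg` packages added to `choco_packages` verify a checksum on the installer they fetch, which is the bar the TODO two lines above applies before dependencywalker and regshot may return to the list. Since the templates run `choco install {{ choco_packages }} -y` unattended inside the analysis image, an unchecksummed download is a supply-chain weak point for the whole toolchain. Suggest confirming each package's install script passes `checksum`/`checksum64` (or ships the binary in the package) and recording that decision, e.g. `// Every package below verifies its download checksum; only add packages that do (see TODOs above).`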
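Review bot: Whitelisting 3010 in `valid_exit_codes` lets the provisioner report success while Windows is in a reboot-pending state, so whatever step follows runs against a .NET Framework install that has not completed (the commit message ties 3010 to the .NET pulled in by dnspy). A `windows-restart` provisioner placed right after this step would make the accepted 3010 safe; otherwise the new comment should state that the reboot is intentionally deferred and why. The 404 entry, now documented as "broken download", also means a tool can be silently missing from the image; consider appending `"choco list --local-only"` to `inline` so the build log shows what actually installed. The provisioner object this hunk edits starts before the hunk.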
diff --git a/malboxes/templates/snippets/provision_powershell_win7.json b/malboxes/templates/snippets/provision_powershell_win7.json
index dcdc747..908f0c3 100644
--- a/malboxes/templates/snippets/provision_powershell_win7.json
+++ b/malboxes/templates/snippets/provision_powershell_win7.json
@@ -37,6 +37,7 @@
 "choco install npcap --package-parameters '/winpcap_mode=yes' -y",
 "choco install {{ choco_packages }} -y"
 ],
- "valid_exit_codes": [ 0, 404 ]
+ {# 404 is broken download, 3010 is a .Net reboot required #}
+ "valid_exit_codes": [ 0, 404, 3010 ]
 }
 {% endif %}
From 448781b382db7f081e18ea2386e2c99f4f94be17 Mon Sep 17 00:00:00 2001
From: Olivier Bilodeau
Date: Thu, 22 Aug 2019 15:26:17 -0400
Subject: [PATCH 3/8] manual ghidra install w/ explicit deps
---
 malboxes/config-example.js | 2 +-
 malboxes/scripts/windows/malware_analysis.ps1 | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/malboxes/config-example.js b/malboxes/config-example.js
index ce5ec01..4daf679 100644
--- a/malboxes/config-example.js
+++ b/malboxes/config-example.js
@@ -56,7 +56,7 @@
 // Chocolatey packages to install on the VM
 // TODO re-add dependencywalker and regshot once upstream choco package provides a checksum
 // TODO: Re-add processhacker when its fixed for win7_64
- "choco_packages": "ghidra x64dbg.portable dnspy ollydbg sysinternals windbg 7zip putty wireshark winpcap",
+ "choco_packages": "x64dbg.portable dnspy ollydbg sysinternals windbg 7zip putty wireshark winpcap",
 // Setting the IDA Path will copy the IDA remote debugging tools into the guest
 //"ida_path": "/path/to/your/ida",
diff --git a/malboxes/scripts/windows/malware_analysis.ps1 b/malboxes/scripts/windows/malware_analysis.ps1
index 4bcaa1d..01c71ba 100644
--- a/malboxes/scripts/windows/malware_analysis.ps1
+++ b/malboxes/scripts/windows/malware_analysis.ps1
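Review bot: Accepting 3010 in `valid_exit_codes` means the Windows 7 provisioner finishes as successful with a reboot still pending, so any later provisioner step runs before the .NET install that produced 3010 has actually completed. A `windows-restart` provisioner after this step is needed for the new exit code to be safe, or the comment should say explicitly that the pending reboot is handled by a later step. The enclosing provisioner object begins outside the hunk.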
@@ -6,3 +6,7 @@ netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
 # IDA Remote Debugging
 netsh advfirewall firewall add rule name="IDA Remote Debugging" dir=in action=allow protocol=TCP localport=23946
+
+# Manual ghidra install (upstream broken until https://github.com/AnthonyMastrean/chocolateypackages/pull/356)
+cinst openjdk11 -y
+cinst ghidra --ignore-dependencies -y
From ba1471971f38f3a8aa06aad076a3651fe7dc01c2 Mon Sep 17 00:00:00 2001
From: Olivier Bilodeau
Date: Fri, 23 Aug 2019 16:23:45 -0400
Subject: [PATCH 4/8] New Tools: Detect It Easy (die) and HxD
---
 malboxes/config-example.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/malboxes/config-example.js b/malboxes/config-example.js
index 4daf679..b3b02cf 100644
--- a/malboxes/config-example.js
+++ b/malboxes/config-example.js
@@ -56,7 +56,7 @@
 // Chocolatey packages to install on the VM
 // TODO re-add dependencywalker and regshot once upstream choco package provides a checksum
 // TODO: Re-add processhacker when its fixed for win7_64
- "choco_packages": "x64dbg.portable dnspy ollydbg sysinternals windbg 7zip putty wireshark winpcap",
+ "choco_packages": "x64dbg.portable dnspy ollydbg sysinternals hxd windbg die 7zip putty wireshark winpcap",
 // Setting the IDA Path will copy the IDA remote debugging tools into the guest
 //"ida_path": "/path/to/your/ida",
From ed0f38d726a7b2cd798b29d4965217d0d1711535 Mon Sep 17 00:00:00 2001
From: Olivier Bilodeau
Date: Mon, 26 Aug 2019 14:08:39 -0400
Subject: [PATCH 5/8] New tool: PE-Sieve
---
 malboxes/config-example.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/malboxes/config-example.js b/malboxes/config-example.js
index b3b02cf..4f12afa 100644
--- a/malboxes/config-example.js
+++ b/malboxes/config-example.js
@@ -56,7 +56,7 @@
 // Chocolatey packages to install on the VM
 // TODO re-add dependencywalker and regshot once upstream choco package provides a checksum
 // TODO: Re-add processhacker when its fixed for win7_64
- "choco_packages": "x64dbg.portable dnspy ollydbg sysinternals hxd windbg die 7zip putty wireshark winpcap",
+ "choco_packages": "x64dbg.portable dnspy ollydbg sysinternals hxd windbg die pesieve 7zip putty wireshark winpcap",
 // Setting the IDA Path will copy the IDA remote debugging tools into the guest
 //"ida_path": "/path/to/your/ida",
From a0649c8dee861c9a18a6a1545dd3103df75a302a Mon Sep 17 00:00:00 2001
From: Olivier Bilodeau
Date: Mon, 26 Aug 2019 14:19:10 -0400
Subject: [PATCH 6/8] Dropped Ghidra work-around due to upstream fix
See https://github.com/AnthonyMastrean/chocolateypackages/pull/356
---
 malboxes/config-example.js | 2 +-
 malboxes/scripts/windows/malware_analysis.ps1 | 4 ----
 2 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/malboxes/config-example.js b/malboxes/config-example.js
index 4f12afa..7ae7554 100644
--- a/malboxes/config-example.js
+++ b/malboxes/config-example.js
@@ -56,7 +56,7 @@
 // Chocolatey packages to install on the VM
 // TODO re-add dependencywalker and regshot once upstream choco package provides a checksum
 // TODO: Re-add processhacker when its fixed for win7_64
- "choco_packages": "x64dbg.portable dnspy ollydbg sysinternals hxd windbg die pesieve 7zip putty wireshark winpcap",
+ "choco_packages": "ghidra x64dbg.portable dnspy ollydbg sysinternals hxd windbg die pesieve 7zip putty wireshark winpcap",
 // Setting the IDA Path will copy the IDA remote debugging tools into the guest
 //"ida_path": "/path/to/your/ida",
diff --git a/malboxes/scripts/windows/malware_analysis.ps1 b/malboxes/scripts/windows/malware_analysis.ps1
index 01c71ba..4bcaa1d 100644
--- a/malboxes/scripts/windows/malware_analysis.ps1
+++ b/malboxes/scripts/windows/malware_analysis.ps1
@@ -6,7 +6,3 @@ netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
 # IDA Remote Debugging
 netsh advfirewall firewall add rule name="IDA Remote Debugging" dir=in action=allow protocol=TCP localport=23946
-
-# Manual ghidra install (upstream broken until https://github.com/AnthonyMastrean/chocolateypackages/pull/356)
-cinst openjdk11 -y
-cinst ghidra --ignore-dependencies -y
From d43ae0e17b490b6382b7fc4824f368e5f22e5b6e Mon Sep 17 00:00:00 2001
From: Olivier Bilodeau
Date: Mon, 26 Aug 2019 14:31:33 -0400
Subject: [PATCH 7/8] New Tool: PE-Bear
---
 malboxes/config-example.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/malboxes/config-example.js b/malboxes/config-example.js
index 7ae7554..d48ce0e 100644
--- a/malboxes/config-example.js
+++ b/malboxes/config-example.js
@@ -56,7 +56,7 @@
 // Chocolatey packages to install on the VM
 // TODO re-add dependencywalker and regshot once upstream choco package provides a checksum
 // TODO: Re-add processhacker when its fixed for win7_64
- "choco_packages": "ghidra x64dbg.portable dnspy ollydbg sysinternals hxd windbg die pesieve 7zip putty wireshark winpcap",
+ "choco_packages": "ghidra x64dbg.portable dnspy ollydbg sysinternals hxd windbg die pesieve pebear 7zip putty wireshark winpcap",
 // Setting the IDA Path will copy the IDA remote debugging tools into the guest
 //"ida_path": "/path/to/your/ida",
From acdf21cb069b340c16737abe8aff26e241a86021 Mon Sep 17 00:00:00 2001
From: Olivier Bilodeau
Date: Mon, 26 Aug 2019 14:31:52 -0400
Subject: [PATCH 8/8] Updated CHANGELOG
---
 CHANGELOG.adoc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
index 7b27515..1c77daa 100644
--- a/CHANGELOG.adoc
+++ b/CHANGELOG.adoc
@@ -8,6 +8,9 @@ For a detailed view of what has changed, refer to the {uri-repo}/commits/master[
 ==
+Enhancements::
+* New tools: Ghidra, x64dbg, ollydbg, dnSpy, Detect It Easy (die), HxD, PE-Sieve, PE-Bear ({uri-issue}9[#9], {uri-issue}125[#125])
+
 Bug fixes::
 * Removed APM from default chocolatey packages ({uri-issue}119[#119])
 * Disabled malware protection, cloud and automatic sample submission on Windows 10 ({uri-issue}120[#120])