merge master into flare-vm-2.0

Nhan Huynh · Nhan Huynh · commit adbbab763b3b · 2018-10-29T11:12:45.000-05:00
diff --git a/flarevm_malware.ps1 b/flarevm_malware.ps1
@@ -0,0 +1,291 @@
+# FLARE VM - Malware Analysis Edition
+
+Write-Host "  ______ _               _____  ______   __      ____  __ "
+Write-Host " |  ____| |        /\   |  __ \|  ____|  \ \    / /  \/  |"
+Write-Host " | |__  | |       /  \  | |__) | |__ _____\ \  / /| \  / |"
+Write-Host " |  __| | |      / /\ \ |  _  /|  __|______\ \/ / | |\/| |"
+Write-Host " | |    | |____ / ____ \| | \ \| |____      \  /  | |  | |"
+Write-Host " |_|    |______/_/    \_\_|  \_\______|      \/   |_|  |_|"
+Write-Host "      M A L W A R E   A N A L Y S I S   E D I T I O N     "
+Write-Host "                                                          "
+Write-Host "                         Version  1.0                     "
+Write-Host "  ________________________________________________________"
+Write-Host "                         Developed by                     "
+Write-Host "                      Peter Kacherginsky                  "
+Write-Host "       FLARE (FireEye Labs Advanced Reverse Engineering)  "
+Write-Host "  _______________________________________________________ "
+Write-Host "                                                          "
+Write-Host "This download configuration script is provided to assist cyber security analysts"
+Write-Host "in creating handy and versatile toolboxes for malware analysis environments. It"
+Write-Host "provides a convenient interface for them to obtain a useful set of analysis"
+Write-Host "tools directly from their original sources. Installation and use of this script"
+Write-Host "is subject to the Apache 2.0 License."
+Write-Host " "
+Write-Host "You as a user of this script must review, accept and comply with the license"
+Write-Host "terms of each downloaded/installed package listed below. By proceeding with the"
+Write-Host "installation, you are accepting the license terms of each package, and"
+Write-Host "acknowledging that your use of each package will be subject to its respective"
+Write-Host "license terms."
+Write-Host ""
+Write-Host "List of package licenses:"
+Write-Host ""
+Write-Host "http://www.ollydbg.de/download.htm, http://www.ollydbg.de/download.htm,"
+Write-Host "https://github.com/x64dbg/x64dbg/blob/development/LICENSE,"
+Write-Host "http://go.microsoft.com/fwlink/?LinkID=251960,"
+Write-Host "https://www.hex-rays.com/products/ida/support/download_freeware.shtml,"
+Write-Host "https://docs.binary.ninja/about/license/#demo-license,"
+Write-Host "https://github.com/icsharpcode/ILSpy/blob/master/doc/license.txt,"
+Write-Host "https://github.com/0xd4d/dnSpy/blob/master/dnSpy/dnSpy/LicenseInfo/GPLv3.txt,"
+Write-Host "https://www.jetbrains.com/decompiler/download/license.html,"
+Write-Host "https://github.com/0xd4d/de4dot/blob/master/LICENSE.de4dot.txt,"
+Write-Host "http://www.oracle.com/technetwork/java/javase/terms/license/index.html,"
+Write-Host "https://github.com/java-decompiler/jd-gui/blob/master/LICENSE,"
+Write-Host "https://www.vb-decompiler.org/license.htm, http://kpnc.org/idr32/en/,"
+Write-Host "https://www.free-decompiler.com/flash/license/,"
+Write-Host "https://www.mcafee.com/hk/downloads/free-tools/fileinsight.aspx,"
+Write-Host "https://mh-nexus.de/en/hxd/license.php,"
+Write-Host "https://www.sweetscape.com/010editor/manual/License.htm,"
+Write-Host "http://www.ntcore.com/exsuite.php, http://wjradburn.com/software/,"
+Write-Host "http://ntinfo.biz, https://www.sublimetext.com,"
+Write-Host "https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/LICENSE,"
+Write-Host "http://vimdoc.sourceforge.net/htmldoc/uganda.html,"
+Write-Host "http://www.gnu.org/licenses/gpl-2.0.html,"
+Write-Host "https://raw.githubusercontent.com/ferventcoder/checksum/master/LICENSE,"
+Write-Host "http://www.7-zip.org/license.txt,"
+Write-Host "http://www.chiark.greenend.org.uk/~sgtatham/putty/licence.html,"
+Write-Host "http://www.gnu.org/copyleft/gpl.html,"
+Write-Host "https://cdn.rawgit.com/iggi131/packages/master/RawCap/license.txt,"
+Write-Host "https://www.gnu.org/copyleft/gpl.html,"
+Write-Host "http://upx.sourceforge.net/upx-license.html,"
+Write-Host "http://technet.microsoft.com/en-us/sysinternals/bb469936,"
+Write-Host "http://www.rohitab.com/apimonitor,"
+Write-Host "http://whiteboard.nektra.com/spystudio/spystudio_license,"
+Write-Host "http://www.slavasoft.com/hashcalc/license-agreement.htm,"
+Write-Host "http://www.gnu.org/licenses/gpl-2.0.html,"
+Write-Host "http://www.techworld.com/download/portable-applications/microsoft-offvis-11-3214034/,"
+Write-Host "http://exeinfo.atwebpages.com,"
+Write-Host "https://www.python.org/download/releases/2.7/license/,"
+Write-Host "https://www.microsoft.com/en-us/download/details.aspx?id=44266,"
+Write-Host "https://raw.githubusercontent.com/IntelliTect/Licenses/master/WindowsManagementFramework.txt,"
+Write-Host "http://msdn.microsoft.com/en-US/cc300389.aspx,"
+Write-Host "https://raw.githubusercontent.com/chocolatey/choco/master/LICENSE"
+Write-Host "https://blog.didierstevens.com/programs/xorsearch/"
+Write-Host "http://sandsprite.com/iDef/MAP/"
+Write-Host "http://sandsprite.com/iDef/SysAnalyzer/"
+Write-Host "http://virustotal.github.io/yara/"
+Write-Host "http://www.novirusthanks.org/products/kernel-mode-driver-loader/"
+Write-Host "http://www.woodmann.com/collaborative/tools/index.php/LordPE"
+Write-Host "https://github.com/gchq/CyberChef"
+Write-Host "http://sandsprite.com/CodeStuff/scdbg_manual/MANUAL_EN.html"
+Write-Host "http://retdec.com"
+Write-Host "http://www.cygwin.com/"
+Write-Host "https://portswigger.net/burp"
+Write-Host "https://bytecodeviewer.com/"
+
+###############################################################################
+# Configure system
+###############################################################################
+
+# Boxstarter options
+$Boxstarter.RebootOk=$true # Allow reboots?
+$Boxstarter.NoPassword=$false # Is this a machine with no login password?
+$Boxstarter.AutoLogin=$true # Save my password securely and auto-login after a reboot
+
+# Basic setup
+Update-ExecutionPolicy Unrestricted
+Disable-MicrosoftUpdate
+Set-WindowsExplorerOptions -EnableShowProtectedOSFiles -EnableShowFileExtensions -EnableShowHiddenFilesFoldersDrives
+Set-TaskbarOptions -Size Small
+Disable-BingSearch
+
+###############################################################################
+# Install Chocolatey packages
+###############################################################################
+
+# Configure FLARE chocolatey feed
+$flare = "https://www.myget.org/F/flare/api/v2"
+
+$cache = "$env:userprofile\AppData\Local\ChocoCache"
+New-Item -Path $cache -ItemType directory -Force
+
+# Make a FLARE desktop folder
+$startPath = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FLARE"
+
+if( -not (Test-Path -path $startPath) ) { New-Item -Path $startPath -ItemType directory }
+
+$desktopShortcut = Join-Path ${Env:USERPROFILE} "Desktop\FLARE.lnk"
+
+Install-ChocolateyShortcut -shortcutFilePath $desktopShortcut -targetPath $startPath
+
+###############################################################################
+# Install packages
+
+# Set up Chocolatey
+cmd.exe /c choco sources add -n=flare -s "https://www.myget.org/F/flare/api/v2" --priority 1
+cmd.exe /c choco feature enable -n allowGlobalConfirmation
+cmd.exe /c choco feature enable -n allowEmptyChecksums
+
+cinst cmdermini.flare -s $flare     --cacheLocation $cache #
+
+# Packages requiring reboot
+cinst powershell                    --cacheLocation $cache
+cinst dotnet4.7.2                   --cacheLocation $cache
+
+# Visual C++ Redistributable Packages
+cinst vcredist2005 --cacheLocation $cache
+cinst vcredist2008 --cacheLocation $cache
+cinst vcredist2010 --cacheLocation $cache
+cinst vcredist2012 --cacheLocation $cache
+cinst vcredist2013 --cacheLocation $cache
+cinst vcredist2015 --cacheLocation $cache
+
+
+# Debuggers
+cinst ollydbg -s $flare             --cacheLocation $cache    # OllyDbg 1.10
+cinst ollydbg.ollydump    -s $flare --cacheLocation $cache # OllyDump plugin
+cinst ollydbg.ollydumpex  -s $flare --cacheLocation $cache # OllyDumpEx plugin
+
+cinst ollydbg2 -s $flare            --cacheLocation $cache # OllyDbg 2.0
+cinst ollydbg2.ollydumpex -s $flare --cacheLocation $cache # OllyDumpEx plugin
+
+cinst x64dbg -s $flare              --cacheLocation $cache # x64dbg
+cinst x64dbg.py -s $flare           --cacheLocation $cache # Python Scripting Engine for x64dbg
+cinst windbg -s $flare              --cacheLocation $cache # WinDbg x86, x64, .NET
+cinst windbg.kenstheme    -s $flare --cacheLocation $cache # Ken's WinDbg theme
+cinst windbg.ollydumpex   -s $flare --cacheLocation $cache # OllyDumpEx plugin
+cinst windbg.pykd         -s $flare --cacheLocation $cache
+cinst scdbg               -s $flare --cacheLocation $cache
+cinst retdec              -s $flare --cacheLocation $cache
+# Disassemblers
+if(Get-OSArchitectureWidth -Compare 64) {
+    # IDA 7.0 is only 64bit
+    cinst idafree70 -s $flare   --cacheLocation $cache # IDA Free 7.0
+}
+cinst idafree       -s $flare   --cacheLocation $cache # IDA Free
+cinst binaryninja   -s $flare   --cacheLocation $cache # Binary Ninja Demo
+cinst radare2.flare -s $flare   --cacheLocation $cache # Radare2 framework
+cinst cutter.flare  -s $flare   --cacheLocation $cache # Cutter is a GUI for radare2
+
+# .NET
+cinst ilspy.flare   -s $flare   --cacheLocation $cache # ILSpy
+cinst dnspy.flare   -s $flare   --cacheLocation $cache # dnSpy
+cinst dotpeek.flare -s $flare   --cacheLocation $cache # dotPeek
+cinst de4dot        -s $flare   --cacheLocation $cache # de4dot
+
+# Java
+cinst javaruntime               --cacheLocation $cache # JRE
+cinst jd-gui        -s $flare   --cacheLocation $cache # JD-GUI
+cinst bytecode-viewer.flare -s $flare --cacheLocation $cache # ByteCodeViewer
+cinst dex2jar                   --cacheLocation $cache # dex2jar
+
+# VB
+cinst vbdecompiler  -s $flare   --cacheLocation $cache # VB Decompiler Lite
+
+# Delphi
+cinst idr.small     -s $flare   --cacheLocation $cache # IDR (small edition)
+
+# Flash
+cinst ffdec         -s $flare   --cacheLocation $cache # FFDec
+
+# Hex Editors
+cinst fileinsight   -s $flare   --cacheLocation $cache # FileInsight
+cinst hxd.flare     -s $flare   --cacheLocation $cache # HxD
+cinst 010editor     -s $flare   --cacheLocation $cache # 010 Editor
+
+# Web
+cinst burp.free.flare -s $flare   --cacheLocation $cache
+
+# PE
+cinst peid          -s $flare   --cacheLocation $cache # PEiD
+cinst explorersuite -s $flare   --cacheLocation $cache # CFF Explorer
+cinst peview        -s $flare   --cacheLocation $cache # PEview
+cinst die           -s $flare   --cacheLocation $cache # DIE
+cinst pestudio      -s $flare   --cacheLocation $cache # PEStudio
+cinst resourcehacker.flare -s $flare --cacheLocation $cache # Resource Hacker
+
+# Text Editors
+cinst sublimetext3  -s $flare   --cacheLocation $cache # Sublime Text 3
+cinst notepadplusplus           --cacheLocation $cache
+
+# Utilities
+cinst unxutils                      --cacheLocation $cache # Unix Utils
+cinst checksum                      --cacheLocation $cache # Hash Calculator
+cinst 7zip.install                  --cacheLocation $cache # 7-Zip
+cinst putty                         --cacheLocation $cache # Putty
+cinst wireshark.flare     -s $flare --cacheLocation $cache # WireShark
+cinst winpcap                       --cacheLocation $cache
+cinst rawcap                        --cacheLocation $cache                      # RawCap
+cinst wget                          --cacheLocation $cache # Wget
+cinst upx                           --cacheLocation $cache # UPX
+cinst processhacker.flare -s $flare --cacheLocation $cache # Process Hacker
+cinst sysinternals.flare  -s $flare --cacheLocation $cache # Sysinternals wrapper
+cinst apimonitor          -s $flare --cacheLocation $cache # API Monitor
+cinst spystudio.flare     -s $flare --cacheLocation $cache # SpyStudio
+cinst hashcalc            -s $flare --cacheLocation $cache # HashCalc
+cinst regshot             -s $flare --cacheLocation $cache # RegShot
+cinst exeinfope           -s $flare --cacheLocation $cache # ExeInfo PE
+cinst hashmyfiles                   --cacheLocation $cache # HashMyFiles
+cinst ncat                -s $flare --cacheLocation $cache # Ncat
+cinst shellcode_launcher  -s $flare --cacheLocation $cache # shellcode_launcher
+cinst xorsearch  -s $flare          --cacheLocation $cache
+cinst xorstrings -s $flare          --cacheLocation $cache
+cinst yara.flare -s $flare          --cacheLocation $cache
+cinst kmdloader.flare -s $flare     --cacheLocation $cache
+cinst lordpe.flare -s $flare       --cacheLocation $cache
+cinst cyberchef.flare -s $flare     --cacheLocation $cache
+cinst py2exedecompiler -s $flare    --cacheLocation $cache
+cinst cygwin.flare  -s $flare    --cacheLocation $cache
+
+# Malcode Analyst Pack
+cinst MAP -s $flare --cacheLocation $cache
+cinst SysAnalyzer -s $flare --cacheLocation $cache
+
+# Practical Malware Analysis Labs
+cinst pmalabs -s $flare --cacheLocation $cache
+
+# Office
+cinst offvis              -s $flare --cacheLocation $cache # OffVis
+cinst officemalscanner    -s $flare --cacheLocation $cache # OfficeMalScanner
+
+# PDF
+cinst pdfid             -s $flare --cacheLocation $cache
+cinst pdfparser         -s $flare --cacheLocation $cache
+cinst pdfstreamdumper   -s $flare --cacheLocation $cache
+
+# Android
+cinst apktool             -s $flare --cacheLocation $cache # ApkTool
+
+# Python
+cinst python3
+cinst python2 --package-parameters '/InstallDir:"C:\Program Files\Python27"' --cacheLocation $cache # Python 2.7 - Using private version
+cinst python -s $flare --version 2.7.14 --cacheLocation $cache
+choco pin add -n=python --version 2.7.14
+
+cinst vcpython27    --cacheLocation $cache        # Microsoft Visual C++ Compiler for Python 2.7
+
+# PyKD requires installation of 32-bit Python in 64-bit systems in order to function properly
+if(Get-OSArchitectureWidth -Compare 64) {
+    cinst python2.nopath -s $flare --x86 --package-parameters '/InstallDir:"C:\Program Files (x86)\Python27"' --cacheLocation $cache
+}
+
+# Python Modules
+cinst hexdump          -source python --cacheLocation $cache
+cinst pefile           -source python --cacheLocation $cache
+cinst winappdbg        -source python --cacheLocation $cache
+cinst pycrypto         -source python --cacheLocation $cache # Cryptographic modules for Python
+cinst cryptography     -source python --cacheLocation $cache # Cryptography for humans
+cinst https://github.com/williballenthin/vivisect/zipball/master     -source python --cacheLocation $cache # Vivisect
+cinst capstone-windows -source python --cacheLocation $cache
+cinst unicorn          -source python --cacheLocation $cache
+
+# Python Tools
+cinst oletools -source python --cacheLocation $cache # Python tools to analyze OLE and MS Office files
+cinst fakenet-ng.python -s $flare --cacheLocation $cache # FakeNet-NG
+cinst floss.python -s $flare      --cacheLocation $cache # FLOSS
+cinst https://github.com/fireeye/flare-qdb/zipball/master            -source python --cacheLocation $cache # FLARE-QDB
+
+# clean up the cache directory
+Remove-Item $cache -Recurse
+
+# Install flarevm last to avoid cleaning up temporary resource used by flarevm
+cinst flarevm -s $flare             --cacheLocation $cache # FLARE VM specific configurations
