Advertisements

FLARE VM – a fully customizable, Windows-based security distribution for malware analysis, incident response & penetration testing

FLARE VM is the first of its kind freely available and open sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers. Inspired by open-source Linux-based security distributions like Kali Linux, FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation, web assessment, exploitation, vulnerability assessment applications, and many others.

FLARE VM comes in two flavors – Malware Analysis and Penetration Testing editions. Each edition targets a specific task. For example, FLARE VM – Malware Analysis Edition is optimized for and contains tools specifically for reverse engineering malware. The tools included with FLARE VM distribution were either developed or carefully selected by the members of the FLARE (FireEye Labs Advanced Reverse Engineering) Team who have been reverse engineering malware, analyzing exploits and vulnerabilities, and teaching malware analysis classes for over a decade.

The security distribution works as an easily deployable package that you can install on an existing Windows installation. FLARE VM brings a familiar, easy to manage package management system to quickly deploy and customize the platform to suite your specific needs. After the initial installation, you can easily add, remove and update packages in the FLARE VM package repository.

The project will be released at Blackhat Arsenal on Wednesday, July 26th.

Installation

Create and configure a new Windows 7 or newer Virtual Machine. To install FLARE VM on an existing Windows VM, you need to run an installation script. The installation script is a Boxstarter script which is used to deploy FLARE VM configurations and a collection of chocolatey packages. The easiest way to run the script is to use Boxstarter’s web installer as follows:

  1. On the newly created VM, open the following URL in Internet Explorer (other browsers are not going to work):
    http://boxstarter.org/package/url?[FLAREVM_SCRIPT]
    

    Where FLAREVM_SCRIPT is a path or URL to the respective FLARE VM script. For example to install the malware analysis edition:

    http://boxstarter.org/package/url?https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1
    

    or if you have downloaded and copied the installation script to the local C drive:

    http://boxstarter.org/package/url?C:\flarevm_malware.ps1
    
  2. Copy install.bat and flarevm_malware.ps1 on the newly created VM and execute install.bat.

Installing a new package

FLARE VM uses the chocolatey public and custom FLARE package repositories. It is easy to install a new package. For example, enter the following command as Administrator to deploy x64dbg on your system:

cinst x64dbg

Staying up to date

Type the following command to update all of the packages to the most recent version:

cup all

Malware Analysis with FLARE VM

Please see a blog at https://www.fireeye.com/blog/threat-research.html for an example malware analysis session using FLARE VM.

Installed Tools

Debuggers

  • OllyDbg + OllyDump + OllyDumpEx
  • OllyDbg2 + OllyDumpEx
  • x64dbg
  • WinDbg

Disassemblers ====

  • IDA Free
  • Binary Ninja Demo

Java ====

  • JD-GUI

Visual Basic ====

  • VBDecompiler

Flash ====

  • FFDec

.NET ====

  • ILSpy
  • DNSpy
  • DotPeek
  • De4dot

Office ====

  • Offvis

Hex Editors ====

  • FileInsight
  • HxD
  • 010 Editor

PE ====

  • PEiD
  • ExplorerSuite (CFF Explorer)
  • PEview
  • DIE

Text Editors ====

  • SublimeText3
  • Notepad++
  • Vim

Utilities ====

  • MD5
  • 7zip
  • Putty
  • Wireshark
  • RawCap
  • Wget
  • UPX
  • Sysinternals Suite
  • API Monitor
  • SpyStudio
  • Checksum
  • Unxutils

Python, Modules, Tools ====

  • Python 2.7
  • Hexdump
  • PEFile
  • Winappdbg
  • FakeNet-NG
  • Vivisect
  • FLOSS
  • FLARE_QDB
  • PyCrypto
  • Cryptography

Other ====

  • VC Redistributable Modules (2008, 2010, 2012, 2013)

For more information and assistance with setup read up Fireeye’s blog post

Advertisements

One thought on “FLARE VM – a fully customizable, Windows-based security distribution for malware analysis, incident response & penetration testing

Leave a Reply

Your email address will not be published. Required fields are marked *

Advertisements
Advertisements
Advertisements
Advertisements
%d bloggers like this: