Skip to content

Latest commit

 

History

History
194 lines (154 loc) · 12.3 KB

README.md

File metadata and controls

194 lines (154 loc) · 12.3 KB
                                                              .;,                  
                                                            .;oo'                  
                                                          .,ldo,                   
                                                         ,lddo;                    
                                                       'cdddo;                     
                                                     .codddd:.                     
                                                   .:odddodc.                      
                                                 .;oddddddl.                       
                                               .,ldddddddl'                        
                                             .,lddddddddo,                         
                     .;cccccccc;.          .'cdoddddddddolccccccc:.                
                      ,odddddodd:.       .coododddddddddddddddddo;                 
                       ,odddddddd:.    .:odddddddddddddddddddddd:.                 
                        ;odddddddo;  .;oddddddddddddddddddddddd:.                  
                         ;odddddddo; .,::::::::::::codddddddddc.                   
                         .:ddddddddo,              'lddddddddc.                    
                         .cdddddddddo'            .lddddddddl.                     
                        .ckxdddddddddl.          .cdddddddddl.                     
                       .:xkkxdddddddodl.        .:dddddddddxkl.                    
                       :xkkkkxdddddddddc.      .:dddddddddxxkkl.                   
                      ;xkkkkkxxdddddddddc.     ;dddddddddxkkkkkc.                  
                     ;xkkkkkkkxllddddddddc.   ;oddddddddxxkkkkxxc.                 
                    ,dkkkkkkkxc..ldddddddd:..,odddddddoldkkkkkkkx:.                
                   ,dkxkkkkkkl.  'ldddddddoolodddddddo,.;xkkkkkkkx:                
                  'dkkkkxkkkl.    'ododdddddddddddddo;   :xkkkkkxkx;               
                 'dkkkkkkkko.      ,odddddddddddoddo;     :xkkkkkkkx;              
                .okkkkkkxkd'        ,oddddddddddodd:.     .ckkkkkkkkx,             
               .okkkkkkkkd,          ;oddddddddddd:.       .lkkkxkkxkd,            
              .lkkkxkkkkx;            ;oddddddddd:.         .lkkxkkkkkd'           
             .lkkkkkkkkx;              ;odddddddc.           .okkkkkkkkd'          
            .lkkkkkkkkx:               .:odddodc.             .okkkkkkxko.         
           .ckkkkkkkkkc.                .:ddddc.               'dkxxxxxxko.        
           .;c::cc:c:,.                  .:llc.                 'loooooooo;        
           ________________________________________________________________        
                                       Developed by                                
                                   [email protected]                            
                                  FLARE Team at Mandiant                           
           ________________________________________________________________        

FLARE VM

Welcome to FLARE VM - a collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a virtual machine (VM). FLARE VM was designed to solve the problem of reverse engineering tool curation and relies on two main technologies: Chocolatey and Boxstarter. Chocolatey is a Windows-based Nuget package management system, where a "package" is essentially a ZIP file containing PowerShell installation scripts that download and configure a specific tool. Boxstarter leverages Chocolatey packages to automate the installation of software and create repeatable, scripted Windows environments.

Updates

Our latest updates make FLARE VM more open and maintainable to allow the community to easily add and update tools and make them quickly available to everyone. We've worked hard to open source the packages (see the VM-packages repo) which detail how to install and configure analysis tools. The FLARE VM project now uses automatic testing, updating, and releasing to make updated packages immediately installable. See this blog for more information regarding recent changes!

Good to Know Now

  • Windows 7 is no longer supported
  • FLARE VM has been tested on Windows 10 1809 x64 and 20H2
    • See mandiant#434 for options on downloaing a Windows VM image
  • Please do a fresh install instead of trying to update an older FLARE VM
  • The installer has a GUI and can also run in CLI-only mode
  • Contributing is encouraged!!

Installation

Note: FLARE VM should ONLY be installed on a virtual machine!

Installer GUI

The installer now features a GUI to enable easy customizations! You may customize:

  • Package selection
  • Environment variable paths

Installer GUI

Installer CLI

To run the installer in CLI-only mode, use the following combination of parameters:

.\install.ps1 -password Passw0rd! -noWait -noGui -noChecks

Get full usage information by running Get-Help .\install.ps1 -Detailed. Below are the CLI parameter descriptions.

PARAMETERS
    -password <String>
        Current user password to allow reboot resiliency via Boxstarter. The script prompts for the password if not provided.

    -noPassword [<SwitchParameter>]
        Switch parameter indicating a password is not needed for reboots.

    -customConfig <String>
        Path to a configuration XML file. May be a file path or URL.

    -noWait [<SwitchParameter>]
        Switch parameter to skip installation message before installation begins.

    -noGui [<SwitchParameter>]
        Switch parameter to skip customization GUI.

    -noReboots [<SwitchParameter>]
        Switch parameter to prevent reboots.

    -noChecks [<SwitchParameter>]
        Switch parameter to skip validation checks (not recommended).

Default FLARE VM Tools

The installer will download config.xml from the FLARE VM repository. This file contains the default list of packages FLARE VM will install. You may use your own list of default packages by specifying the CLI-argument -customConfig and providing either a local file path or URL to your config.xml file. For example:

.\install.ps1 -customConfig "https://raw.githubusercontent.com/mandiant/flare-vm/main/config.xml"

Post Installation

Previous versions of FLARE VM attempted to configure Windows settings post-installation with the goal of streamlining the system for malware analysis (e.g., disabling noisy services). This version of FLARE VM does not currently attempt to further configure Windows (e.g., removing bloatware). It is up to the user to manually configure their environment further.

Below are links for post-installation tweaks for Windows 10+.

We do encourage you to download and set your background to the FLARE VM logo!

FLARE VM

Contributing

Want to get started contributing? See the links below to learn how.

Installer

Tool Packages

Troubleshooting

If your installation fails, please attempt to identify the reason for the installation error by reading through the log files listed below on your system:

  • %VM_COMMON_DIR%\log.txt
  • %PROGRAMDATA%\chocolatey\logs\chocolatey.log
  • %LOCALAPPDATA%\Boxstarter\boxstarter.log

Installer Error

If the installation failed due to an issue in the installation script (e.g., install.ps1), file an issue here: https://github.com/mandiant/flare-vm/issues

Note: Rarely should install.ps1 be the reason for an installation failure. Most likely it is a specific package or set of packages that are failing (see below).

Package Error

Packages fail to install from time to time -- this is normal. The most common reasons are outlined below:

  1. Failure or timeout from Chocolatey or MyGet to download a .nupkg file
  2. Failure or timeout due to remote host when downloading a tool
  3. Intrusion Detection System (IDS) or AV product (e.g., Windows Defender) prevents a tool download or removes the tool from the system
  4. Host specific requirement issue
    1. Untested host
    2. Not enough disk space to install tools
  5. Tool fails to build due to dependencies
  6. Old tool URL (e.g., HTTP STATUS 404)
  7. Tool's SHA256 hash has changed from what is hardcoded in the package installation script

Reasons 1-4 are difficult for us to fix since we do not control them. If an issue related to reasons 1-4 is filed, it is unlikely we will be able to assist.

We can help with reasons 5-7 and welcome the community to contribute fixes as well! Please file GitHub issues related to package failures at: https://github.com/mandiant/VM-Packages/issues

Legal Notice

This download configuration script is provided to assist cyber security analysts in creating handy and versatile toolboxes for malware analysis environments. It provides a convenient interface for them to obtain a useful set of analysis tools directly from their original sources. Installation and use of this script is subject to the Apache 2.0 License. You as a user of this script must review, accept and comply with the license terms of each downloaded/installed package. By proceeding with the installation, you are accepting the license terms of each package, and acknowledging that your use of each package will be subject to its respective license terms.