diff --git a/TODO.adoc b/TODO.adoc index 97a504e..b4d0828 100644 --- a/TODO.adoc +++ b/TODO.adoc @@ -2,9 +2,7 @@ == Minimal malware analyst use case -* user/pass from config.js * vagrant: punch hole through NAT for IDA in firewall -* disable Windows Defender * vagrant no net, NAT * doc: vagrant update box + send on network (archiving) * doc: vagrant team workflow diff --git a/config-example.js b/config-example.js index ef76ade..3d0808a 100644 --- a/config-example.js +++ b/config-example.js @@ -19,16 +19,28 @@ //"trial": "false", //"product_key": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX", - // VM username and password - // TODO. It doesn't work now. - //"username": "vagrant", - //"password": "vagrant", + // VM settings + "username": "malboxes", + "password": "malboxes", + "computername": "dirty", + // disk size is in megabytes + "disk_size": "15360", + + // Windows Defender: true means enabled, false means disabled. Default is false. + //"windows_defender": "false", + // Windows Updates: true means enabled, false means disabled. Default is false. + //"windows_updates": "false", + + // Chocolatey packages to install on the VM + "choco_packages": "sysinternals dependencywalker windbg wireshark 7zip putty fiddler4 processhacker regshot apm", // Setting the IDA Path will copy the IDA remote debugging tools into the guest //"ida_path": "/path/to/your/ida", // Setting Tools Path will copy all the files under the given path into the guest. // Useful to copy proprietary or unpackaged tools. + // Note: packer's file provisonning is really slow, avoid having more than + // 100 megabytes in there. //"tools_path": "/path/to/your/tools", "_comment": "last line must finish without a comma for file to be valid json" diff --git a/docs/Autounattend-fixing.adoc b/docs/Autounattend-fixing.adoc index dadf2e3..79b6b34 100644 --- a/docs/Autounattend-fixing.adoc +++ b/docs/Autounattend-fixing.adoc 
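Review bot: The new comment above `tools_path` misspells "provisioning" (`provisonning`); suggest `// Note: packer's file provisioning is really slow, avoid having more than`. The new `username`/`password` block should also say where the values end up: they are rendered verbatim into the Autounattend.xml answer files (with `PlainText` set to true), into the packer `winrm_username`/`winrm_password` settings and into the generated Vagrantfiles, so they are lab-only credentials that must not contain characters special to XML, JSON or Ruby strings. A line such as `// Rendered unescaped into Autounattend.xml, the packer template and the Vagrantfile: lab-only credentials, avoid quotes, <, &, \ and # characters.` would prevent both surprises.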
@@ -23,6 +23,10 @@ installation of the OS: https://technet.microsoft.com/en-us/library/dd744547%28WS.10%29.aspx +== List of all settings + +https://msdn.microsoft.com/en-us/library/windows/hardware/dn958623(v=vs.85).aspx + == Installation is not automated and stalls at Windows variant selection The image specified in the Autounattended.xml doesn't match what's on the DVD @@ -50,9 +54,16 @@ Then put the Windows CD in. [...] +== Windows 10 Enterprise Evaluation Quirks + +* AIK is called ADK (Assesment and Deployment Kit) +* Catalog needs to be created which requires the install CD and some space +* From x64 you can't edit a x86 profile + == References * https://github.com/m-dwyer/packer-malware/issues/2 * ImageX doc: https://technet.microsoft.com/en-au/library/cc749447%28v=ws.10%29.aspx * Windows 7 AIK: http://www.microsoft.com/en-ca/download/details.aspx?id=5753 +* Windows 10 ADK: https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx * Windows Timezones: https://technet.microsoft.com/en-us/library/ff715394%28WS.10%29.aspx diff --git a/malboxes/installconfig/windows10/Autounattend.xml b/malboxes/installconfig/windows10/Autounattend.xml index b310a5b..9a15d69 100644 --- a/malboxes/installconfig/windows10/Autounattend.xml +++ b/malboxes/installconfig/windows10/Autounattend.xml @@ -27,7 +27,7 @@ true - vagrant + {{ username }} @@ -65,13 +65,13 @@ - vagrant + {{ password }} true</PlainText> </Password> <Enabled>true</Enabled> - <Username>vagrant</Username> + <Username>{{ username }}</Username> </AutoLogon> - <RegisteredOwner>vagrant</RegisteredOwner> + <RegisteredOwner>{{ username }}</RegisteredOwner> <OOBE> <HideEULAPage>true</HideEULAPage> <HideOnlineAccountScreens>true</HideOnlineAccountScreens> 
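Review bot: The `{{ username }}` and `{{ password }}` substitutions go into XML text nodes without escaping, so a value containing `<` or `&` yields an answer file Setup cannot parse, and an apostrophe in the username breaks the WQL filter `name=&apos;{{ username }}&apos;` in the wmic command of the next hunk. Jinja's `e` filter covers the XML part — `<Value>{{ password | e }}</Value>` and `<Username>{{ username | e }}</Username>` — while the apostrophe restriction on the username belongs in config-example.js. The same substitutions are made in the windows10_64, windows7 and windows_7x64 Autounattend.xml hunks, so one fix should be applied to all of them. I cannot see the environment that renders these files; the one in malboxes.py for the Vagrantfiles is created with defaults (no autoescape), so presumably this one is too — confirm.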
@@ -87,8 +87,8 @@ </SynchronousCommand> <SynchronousCommand wcm:action="add"> <Order>2</Order> - <CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;vagrant&apos;&quot; set PasswordExpires=FALSE</CommandLine> - <Description>Disable password expiration for user vagrant</Description> + <CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;{{ username }}&apos;&quot; set PasswordExpires=FALSE</CommandLine> + <Description>Disable password expiration for user {{ username }}</Description> <RequiresUserInput>true</RequiresUserInput> </SynchronousCommand> <SynchronousCommand wcm:action="add"> @@ -100,18 +100,18 @@ </FirstLogonCommands> <UserAccounts> <AdministratorPassword> - <Value>vagrant</Value> + <Value>{{ password }}</Value> <PlainText>true</PlainText> </AdministratorPassword> <LocalAccounts> <LocalAccount wcm:action="add"> <Password> - <Value>vagrant</Value> + <Value>{{ password }}</Value> <PlainText>true</PlainText> </Password> - <DisplayName>vagrant</DisplayName> + <DisplayName>{{ username }}</DisplayName> <Group>Administrators</Group> - <Name>vagrant</Name> + <Name>{{ username }}</Name> </LocalAccount> </LocalAccounts> </UserAccounts> 
@@ -119,9 +119,9 @@ </settings> <settings pass="specialize"> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <ComputerName>win10victim</ComputerName> - <RegisteredOwner>vagrant</RegisteredOwner> + <ComputerName>{{ computername }}</ComputerName> + <RegisteredOwner>{{ username }}</RegisteredOwner> </component> </settings> - <cpi:offlineImage cpi:source="wim:c:/users/zara/desktop/install.wim#Windows 10 Enterprise Evaluation" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> + <cpi:offlineImage cpi:source="wim:c:/users/vagrant/documents/malboxes/autounattend/win10_x86/install.wim#Windows 10 Enterprise Evaluation" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> </unattend> diff --git a/malboxes/installconfig/windows10_64/Autounattend.xml b/malboxes/installconfig/windows10_64/Autounattend.xml index 216be3f..b4186da 100644 --- a/malboxes/installconfig/windows10_64/Autounattend.xml +++ b/malboxes/installconfig/windows10_64/Autounattend.xml @@ -27,7 +27,7 @@ </DiskConfiguration> <UserData> <AcceptEula>true</AcceptEula> - <FullName>vagrant</FullName> + <FullName>{{ username }}</FullName> </UserData> <ImageInstall> <OSImage> 
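Review bot: `cpi:offlineImage cpi:source` now points at `c:/users/vagrant/documents/malboxes/autounattend/win10_x86/install.wim`, a path on one machine, in a file that is otherwise fully templated. As far as I know this attribute is WSIM catalog metadata that Setup ignores, so it is harmless at install time, but a comment saying so would stop the next reader from treating it as a required path: `<!-- WSIM catalog reference only; Windows Setup ignores cpi:offlineImage. -->`. The windows10_64 hunk makes the same change with `win10_x64/install.wim`.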
@@ -65,13 +65,13 @@ <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <AutoLogon> <Password> - <Value>vagrant</Value> + <Value>{{ password }}</Value> <PlainText>true</PlainText> </Password> <Enabled>true</Enabled> - <Username>vagrant</Username> + <Username>{{ username }}</Username> </AutoLogon> - <RegisteredOwner>vagrant</RegisteredOwner> + <RegisteredOwner>{{ username }}</RegisteredOwner> <OOBE> <HideEULAPage>true</HideEULAPage> <HideOnlineAccountScreens>true</HideOnlineAccountScreens> @@ -87,8 +87,8 @@ </SynchronousCommand> <SynchronousCommand wcm:action="add"> <Order>2</Order> - <CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;vagrant&apos;&quot; set PasswordExpires=FALSE</CommandLine> - <Description>Disable password expiration for user vagrant</Description> + <CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;{{ username }}&apos;&quot; set PasswordExpires=FALSE</CommandLine> + <Description>Disable password expiration for user {{ username }}</Description> <RequiresUserInput>true</RequiresUserInput> </SynchronousCommand> <SynchronousCommand wcm:action="add"> @@ -100,18 +100,18 @@ </FirstLogonCommands> <UserAccounts> <AdministratorPassword> - <Value>vagrant</Value> + <Value>{{ password }}</Value> <PlainText>true</PlainText> </AdministratorPassword> <LocalAccounts> <LocalAccount wcm:action="add"> <Password> - <Value>vagrant</Value> + <Value>{{ password }}</Value> <PlainText>true</PlainText> </Password> - <DisplayName>vagrant</DisplayName> + <DisplayName>{{ username }}</DisplayName> <Group>Administrators</Group> - <Name>vagrant</Name> + <Name>{{ username }}</Name> </LocalAccount> </LocalAccounts> </UserAccounts> 
@@ -119,9 +119,9 @@ </settings> <settings pass="specialize"> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <ComputerName>win10victim</ComputerName> - <RegisteredOwner>vagrant</RegisteredOwner> + <ComputerName>{{ computername }}</ComputerName> + <RegisteredOwner>{{ username }}</RegisteredOwner> </component> </settings> - <cpi:offlineImage cpi:source="wim:c:/users/zara/desktop/install.wim#Windows 10 Enterprise Evaluation" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> + <cpi:offlineImage cpi:source="wim:c:/users/vagrant/documents/malboxes/autounattend/win10_x64/install.wim#Windows 10 Enterprise Evaluation" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> </unattend> diff --git a/malboxes/installconfig/windows7/Autounattend.xml b/malboxes/installconfig/windows7/Autounattend.xml index a5af85b..fd0d4e6 100644 --- a/malboxes/installconfig/windows7/Autounattend.xml +++ b/malboxes/installconfig/windows7/Autounattend.xml @@ -51,8 +51,6 @@ <WillShowUI>OnError</WillShowUI> </ProductKey> <AcceptEula>true</AcceptEula> - <FullName>Vagrant Administrator</FullName> - <Organization>Vagrant Inc.</Organization> </UserData> </component> <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> 
@@ -76,11 +74,11 @@ <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <AutoLogon> <Password> - <Value>dgBhAGcAcgBhAG4AdABQAGEAcwBzAHcAbwByAGQA</Value> - <PlainText>false</PlainText> + <Value>{{ password }}</Value> + <PlainText>true</PlainText> </Password> <Enabled>true</Enabled> - <Username>vagrant</Username> + <Username>{{ username }}</Username> </AutoLogon> <FirstLogonCommands> <SynchronousCommand wcm:action="add"> @@ -91,8 +89,8 @@ </SynchronousCommand> <SynchronousCommand wcm:action="add"> <Order>2</Order> - <CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;vagrant&apos;&quot; set PasswordExpires=FALSE</CommandLine> - <Description>Disable password expiration for user vagrant</Description> + <CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;{{ username }}&apos;&quot; set PasswordExpires=FALSE</CommandLine> + <Description>Disable password expiration for user {{ username }}</Description> <RequiresUserInput>true</RequiresUserInput> </SynchronousCommand> <SynchronousCommand wcm:action="add"> 
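Review bot: The removed `<Value>` decodes (base64 of UTF-16LE) to `vagrantPassword`, and the one in the `@@ -110` hunk below to `vagrantAdministratorPassword`, i.e. the encoded form Windows expects with `PlainText` false: the password followed by the element-name suffix. Switching to `{{ password }}` with `PlainText` true is the straightforward way to template it and loses nothing that was secret, since the old form was reversible encoding rather than encryption. It does mean the rendered answer file handed to the installer contains the password literally, which the docs or config-example.js should state. If the encoded form is ever wanted back, the suffix rule has to be applied in the template rather than by hand, e.g. a small Jinja filter that appends `Password` or `AdministratorPassword` and base64-encodes the UTF-16LE bytes.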
@@ -110,29 +108,29 @@ </OOBE> <UserAccounts> <AdministratorPassword> - <Value>dgBhAGcAcgBhAG4AdABBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAFAAYQBzAHMAdwBvAHIAZAA=</Value> - <PlainText>false</PlainText> + <Value>{{ password }}</Value> + <PlainText>true</PlainText> </AdministratorPassword> <LocalAccounts> <LocalAccount wcm:action="add"> <Password> - <Value>dgBhAGcAcgBhAG4AdABQAGEAcwBzAHcAbwByAGQA</Value> - <PlainText>false</PlainText> + <Value>{{ password }}</Value> + <PlainText>true</PlainText> </Password> - <DisplayName>vagrant</DisplayName> + <DisplayName>{{ username }}</DisplayName> <Group>Administrators</Group> - <Name>vagrant</Name> + <Name>{{ username }}</Name> </LocalAccount> </LocalAccounts> </UserAccounts> - <RegisteredOwner>vagrant</RegisteredOwner> + <RegisteredOwner>{{ username }}</RegisteredOwner> <TimeZone>Eastern Standard Time</TimeZone> </component> </settings> <settings pass="specialize"> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <RegisteredOwner>vagrant</RegisteredOwner> - <ComputerName>win7dirty</ComputerName> + <RegisteredOwner>{{ username }}</RegisteredOwner> + <ComputerName>{{ computername }}</ComputerName> </component> </settings> <cpi:offlineImage cpi:source="wim:e:/sources/install.wim#Windows 7 PROFESSIONAL" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> diff --git a/malboxes/installconfig/windows_7x64/Autounattend.xml b/malboxes/installconfig/windows_7x64/Autounattend.xml index fb5a317..ae913ea 100644 --- a/malboxes/installconfig/windows_7x64/Autounattend.xml +++ b/malboxes/installconfig/windows_7x64/Autounattend.xml 
@@ -21,25 +21,25 @@ <AutoLogon> <Enabled>true</Enabled> <LogonCount>5</LogonCount> - <Username>Administrator</Username> + <Username>{{ username }}</Username> <Password> - <Value>cuckoo</Value> + <Value>{{ password }}</Value> <PlainText>true</PlainText> </Password> </AutoLogon> <UserAccounts> <AdministratorPassword> - <Value>cuckoo</Value> + <Value>{{ password }}</Value> <PlainText>true</PlainText> </AdministratorPassword> <LocalAccounts> <LocalAccount wcm:action="add"> <Password> - <Value>malboxes</Value> + <Value>{{ password }}</Value> <PlainText>true</PlainText> </Password> - <Name>malboxes</Name> - <DisplayName>malboxes</DisplayName> + <Name>{{ username }}</Name> + <DisplayName>{{ username }}</DisplayName> </LocalAccount> </LocalAccounts> </UserAccounts> @@ -67,9 +67,6 @@ <ComputerName>Malboxes</ComputerName> <ShowWindowsLive>false</ShowWindowsLive> </component> - <component name="Security-Malware-Windows-Defender" processorArchitecture="x64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <DisableAntiSpyware>true</DisableAntiSpyware> - </component> <component name="Networking-MPSSVC-Svc" processorArchitecture="x64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <DisableStatefulFTP>true</DisableStatefulFTP> <DisableStatefulPPTP>true</DisableStatefulPPTP> 
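Review bot: Removing the `Security-Malware-Windows-Defender` component with `DisableAntiSpyware` drops the install-time Defender disable for the Windows 7 x64 image; its replacement is the new `disable_defender.ps1`, headed "on Windows 10", which runs later during packer provisioning and only when `windows_defender` is not "true". Windows 7's Defender should honour the same `DisableAntiSpyware` policy value as far as I know, so the end state is probably equivalent, but Defender is now active during first boot and the earlier provisioners, and that timing change deserves a comment in the script: `# Also used by the Windows 7 profiles via provision_powershell.json; replaces the Security-Malware-Windows-Defender unattend component`. The first hunk also changes `AutoLogon` from `Administrator` to `{{ username }}` while `AdministratorPassword` receives the same `{{ password }}`, so the built-in Administrator and the analyst account now share one password; acceptable for a lab box, but worth stating in the docs.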
@@ -90,13 +87,6 @@ </SetupUILanguage> </component> <component name="Microsoft-Windows-Setup" processorArchitecture="x64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <Diagnostics> - <OptIn>false</OptIn> - </Diagnostics> - <DynamicUpdate> - <Enable>false</Enable> - <WillShowUI>OnError</WillShowUI> - </DynamicUpdate> <DiskConfiguration> <WillShowUI>OnError</WillShowUI> <Disk> @@ -140,7 +130,11 @@ <InstallFrom> <MetaData wcm:action="add"> <Key>/IMAGE/NAME</Key> + {% if trial != 'true' %} <Value>Windows 7 PROFESSIONAL</Value> + {% else %} + <Value>Windows 7 ENTERPRISE</Value> + {% endif %} </MetaData> </InstallFrom> <InstallTo> @@ -150,11 +144,13 @@ </OSImage> </ImageInstall> <UserData> - <AcceptEula>true</AcceptEula> <ProductKey> - <Key>33PXH-7Y6KF-2VJC9-XBBR8-HVTHH</Key> + {% if trial != 'true' %} + <Key>{{ product_key }}</Key> + {% endif %} <WillShowUI>OnError</WillShowUI> </ProductKey> + <AcceptEula>true</AcceptEula> </UserData> </component> <component name="Microsoft-Windows-TCPIP" processorArchitecture="x64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> diff --git a/malboxes/malboxes.py b/malboxes/malboxes.py index e66dc54..8234a12 100755 --- a/malboxes/malboxes.py +++ b/malboxes/malboxes.py 
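Review bot: `{% if trial != 'true' %}<Key>{{ product_key }}</Key>{% endif %}` renders `<Key></Key>` when `trial` is absent or "false" and `product_key` is unset — both are commented out in config-example.js — because a missing Jinja variable renders as an empty string unless the environment uses `StrictUndefined`. An empty key presumably stalls Setup at the product-key screen, which is hard to diagnose now that the builder runs with `headless` "true". Either fail early in `prepare_config` when `trial` is not "true" and `product_key` is missing, or create the environment with `Environment(undefined=StrictUndefined)` so the build stops at template time. The first hunk's removal of `Diagnostics`/`DynamicUpdate` presumably restores Setup's default dynamic-update behaviour, which needs network; if intended, a short note in the commit message would help.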
@@ -186,6 +186,20 @@ def prepare_packer_template(config, template_name): return f.name +def _prepare_vagrantfile(config, source, fd_dest): + """ + Creates Vagrantfile based on a template using the jinja2 engine. Used for + spin and also for the packer box Vagrantfile. Based on templates in + vagrantfiles/. + """ + filepath = resource_filename(__name__, "vagrantfiles/") + env = Environment(loader=FileSystemLoader(filepath)) + template = env.get_template(source) + + fd_dest.write(template.render(config)) # pylint: disable=no-member + fd_dest.close() + + def prepare_config(profile): """ Prepares Malboxes configuration and merge with Packer profile configuration @@ -353,6 +367,7 @@ def build(parser, args): print("Generating configuration files...") config, packer_tmpl = prepare_config(args.profile) prepare_autounattend(config) + _prepare_vagrantfile(config, "box_win.rb", create_cachefd('box_win.rb')) print("Configuration files are ready") if not args.skip_packer_build: @@ -392,24 +407,20 @@ def build(parser, args): def spin(parser, args): """ - Creates a Vagrantfile based on a template using the jinja2 engine + Creates a Vagrantfile meant for user-interaction in the current directory. """ - config, _ = prepare_config(args.profile) - - print("Creating a Vagrantfile") - filepath = resource_filename(__name__, "vagrantfiles/") - env = Environment(loader=FileSystemLoader(filepath)) - template = env.get_template("analyst_single.rb") - if os.path.isfile('Vagrantfile'): print("Vagrantfile already exists. Please move it away. Exiting...") sys.exit(5) + config, _ = prepare_config(args.profile) + config['profile'] = args.profile config['name'] = args.name + print("Creating a Vagrantfile") with open("Vagrantfile", 'w') as f: - f.write(template.render(config)) # pylint: disable=no-member + _prepare_vagrantfile(config, "analyst_single.rb", f) print("Vagrantfile generated. You can move it in your analysis directory " "and issue a `vagrant up` to get started with your VM.") 
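Review bot: `_prepare_vagrantfile` closes `fd_dest`, but in `spin` that handle is the `f` of a `with open("Vagrantfile", 'w') as f:` block, so it is closed twice; Python file objects tolerate this, but the helper now owns the lifetime of a handle it did not open, and `build` silently relies on that close to flush the cached `box_win.rb` before packer reads it. Cleaner is to leave closing to the caller: drop `fd_dest.close()` and write `with create_cachefd('box_win.rb') as fd:` / `_prepare_vagrantfile(config, "box_win.rb", fd)` in `build`, assuming `create_cachefd` returns an ordinary file object (not visible here). Whichever way it goes, the docstring should state the contract, e.g. `fd_dest is written to and closed by this function.` if the close stays. Note that the rendered templates now carry `config.winrm.password`, so both the cache file and the user's `Vagrantfile` contain the credentials in clear.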
diff --git a/malboxes/profiles/snippets/builder_virtualbox_windows.json b/malboxes/profiles/snippets/builder_virtualbox_windows.json index af38151..ad11a55 100644 --- a/malboxes/profiles/snippets/builder_virtualbox_windows.json +++ b/malboxes/profiles/snippets/builder_virtualbox_windows.json @@ -1,9 +1,10 @@ "type": "virtualbox-iso", "guest_additions_mode": "attach", - "headless": "false", + {# headless = true now due to issue #10. Will revisit later. #} + "headless": "true", "communicator": "winrm", - "winrm_username": "{{ '{{user `winrm_user`}}' }}", - "winrm_password": "{{ '{{user `winrm_pass`}}' }}", + "winrm_username": "{{ username }}", + "winrm_password": "{{ password }}", "winrm_timeout": "30m", "shutdown_command": "shutdown /s /f /t 10", "vboxmanage": [ @@ -11,5 +12,5 @@ ["modifyvm", "{{ '{{.Name}}' }}", "--cpus", "1"] ], "boot_wait": "10s", - "disk_size": "15360", + "disk_size": "{{ disk_size }}", "output_directory": "builds" diff --git a/malboxes/profiles/snippets/postprocessor_vagrant.json b/malboxes/profiles/snippets/postprocessor_vagrant.json index d174e6f..68f8749 100644 --- a/malboxes/profiles/snippets/postprocessor_vagrant.json +++ b/malboxes/profiles/snippets/postprocessor_vagrant.json @@ -1,5 +1,5 @@ "post-processors": [{ "type": "vagrant", "output": "boxes/{{ profile_name }}.box", - "vagrantfile_template": "{{ dir }}/vagrantfiles/box_win.rb" + "vagrantfile_template": "{{ cache_dir }}/box_win.rb" }] diff --git a/malboxes/profiles/snippets/provision_powershell.json b/malboxes/profiles/snippets/provision_powershell.json new file mode 100644 index 0000000..eb8b4d3 --- /dev/null +++ b/malboxes/profiles/snippets/provision_powershell.json 
@@ -0,0 +1,18 @@ + { + "type": "powershell", + "scripts": [ + {% if not windows_updates == "true" %}"{{ dir }}/scripts/windows/disable_auto-updates.ps1",{% endif %} + {% if not windows_defender == "true" %}"{{ dir }}/scripts/windows/disable_defender.ps1",{% endif %} + "{{ dir }}/scripts/windows/vmtools.ps1", + "{{ dir }}/scripts/windows/malware_analysis.ps1", + "{{ dir }}/scripts/windows/installtools.ps1" + ] + } +{% if choco_packages %}, + { + "type": "windows-shell", + "inline": [ + "choco install {{ choco_packages }} -y" + ] + } +{% endif %} diff --git a/malboxes/profiles/win10_32_analyst.json b/malboxes/profiles/win10_32_analyst.json index 53157e3..33763fc 100644 --- a/malboxes/profiles/win10_32_analyst.json +++ b/malboxes/profiles/win10_32_analyst.json @@ -1,10 +1,4 @@ { - "variables": { - "winrm_user": "vagrant", - "winrm_pass": "vagrant", - "name": "win10_32_analyst" - }, - "builders": [{ "guest_os_type": "Windows10", @@ -26,19 +20,16 @@ {% include 'snippets/postprocessor_vagrant.json' %}, - "provisioners": [{ - "type": "powershell", - "scripts": [ - "{{ dir }}/scripts/windows/vmtools.ps1", - "{{ dir }}/scripts/windows/malware_analysis.ps1", - "{{ dir }}/scripts/windows/installtools.ps1" - ] - } + "provisioners": [ + + {% include 'snippets/provision_powershell.json' %} + {% if tools_path %}, {% include 'snippets/tools.json' %} {% endif %} {% if ida_path %}, {% include 'snippets/ida_remote_32.json' %} {% endif %} + ] } diff --git a/malboxes/profiles/win10_64_analyst.json b/malboxes/profiles/win10_64_analyst.json index 6525d32..a8ee7eb 100644 --- a/malboxes/profiles/win10_64_analyst.json +++ b/malboxes/profiles/win10_64_analyst.json @@ -1,10 +1,4 @@ { - "variables": { - "winrm_user": "vagrant", - "winrm_pass": "vagrant", - "name": "win10_64_analyst" - }, - "builders": [{ "guest_os_type": "Windows10_64", {% include 'snippets/builder_virtualbox_windows.json' %}, 
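Review bot: `{% if not windows_updates == "true" %}` reads awkwardly; `{% if windows_updates != "true" %}` (and the same for `windows_defender`) says the same thing. Both conditions rely on an unset key rendering as a Jinja Undefined, which compares unequal to "true" and so enables the disable scripts; that matches the "Default is false" comments in config-example.js but is worth a one-line Jinja comment in the snippet, e.g. `{# unset windows_updates / windows_defender means "false": the disable scripts run #}`, since JSON has no comments of its own. The `windows-shell` provisioner running `choco install {{ choco_packages }} -y` depends on `installtools.ps1` having installed Chocolatey in the preceding powershell provisioner; a comment on that ordering would protect against a later reorder. The profile hunks below also delete the `variables` block including `name`; confirm nothing still references it through a `{{user `name`}}` packer expression.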
@@ -24,14 +18,10 @@ {% include 'snippets/postprocessor_vagrant.json' %}, - "provisioners": [{ - "type": "powershell", - "scripts": [ - "{{ dir }}/scripts/windows/vmtools.ps1", - "{{ dir }}/scripts/windows/malware_analysis.ps1", - "{{ dir }}/scripts/windows/installtools.ps1" - ] - } + "provisioners": [ + + {% include 'snippets/provision_powershell.json' %} + {% if tools_path %}, {% include 'snippets/tools.json' %} {% endif %} @@ -39,5 +29,6 @@ {% include 'snippets/ida_remote_64.json' %}, {% include 'snippets/ida_remote_32.json' %} {% endif %} + ] } diff --git a/malboxes/profiles/win7_32_analyst.json b/malboxes/profiles/win7_32_analyst.json index a9e2c5a..97133b5 100644 --- a/malboxes/profiles/win7_32_analyst.json +++ b/malboxes/profiles/win7_32_analyst.json @@ -1,10 +1,4 @@ { - "variables": { - "winrm_user": "vagrant", - "winrm_pass": "vagrant", - "name": "win7_32_analyst" - }, - "builders": [{ "guest_os_type": "Windows7", {% include 'snippets/builder_virtualbox_windows.json' %}, @@ -21,19 +15,16 @@ {% include 'snippets/postprocessor_vagrant.json' %}, - "provisioners": [{ - "type": "powershell", - "scripts": [ - "{{ dir }}/scripts/windows/vmtools.ps1", - "{{ dir }}/scripts/windows/malware_analysis.ps1", - "{{ dir }}/scripts/windows/installtools.ps1" - ] - } + "provisioners": [ + + {% include 'snippets/provision_powershell.json' %} + {% if tools_path %}, {% include 'snippets/tools.json' %} {% endif %} {% if ida_path %}, {% include 'snippets/ida_remote_32.json' %} {% endif %} + ] } diff --git a/malboxes/scripts/windows/disable_auto-updates.ps1 b/malboxes/scripts/windows/disable_auto-updates.ps1 new file mode 100644 index 0000000..9cf88a5 --- /dev/null +++ b/malboxes/scripts/windows/disable_auto-updates.ps1 
@@ -0,0 +1,32 @@ +# Disables Automatic Updates on Windows 10 +# Credit: https://4sysops.com/archives/disable-windows-10-update-in-the-registry-and-with-powershell/ + +# Setup +$WindowsUpdatePath = "HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\" +$AutoUpdatePath = "HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" +If(Test-Path -Path $WindowsUpdatePath) { + Remove-Item -Path $WindowsUpdatePath -Recurse +} +New-Item -Path $WindowsUpdatePath +New-Item -Path $AutoUpdatePath + +# Never check for updates +Set-ItemProperty -Path $AutoUpdatePath -Name NoAutoUpdate -Value 1 + +# Notify for download and notify for install +#Set-ItemProperty -Path $AutoUpdatePath -Name NoAutoUpdate -Value 0 +#Set-ItemProperty -Path $AutoUpdatePath -Name AUOptions -Value 2 +#Set-ItemProperty -Path $AutoUpdatePath -Name ScheduledInstallDay -Value 0 +#Set-ItemProperty -Path $AutoUpdatePath -Name ScheduledInstallTime -Value 3 + +# Auto download and notify for install +#Set-ItemProperty -Path $AutoUpdatePath -Name NoAutoUpdate -Value 0 +#Set-ItemProperty -Path $AutoUpdatePath -Name AUOptions -Value 3 +#Set-ItemProperty -Path $AutoUpdatePath -Name ScheduledInstallDay -Value 0 +#Set-ItemProperty -Path $AutoUpdatePath -Name ScheduledInstallTime -Value 3 + +# Auto download and schedule the install +#Set-ItemProperty -Path $AutoUpdatePath -Name NoAutoUpdate -Value 0 +#Set-ItemProperty -Path $AutoUpdatePath -Name AUOptions -Value 4 +#Set-ItemProperty -Path $AutoUpdatePath -Name ScheduledInstallDay -Value 0 +#Set-ItemProperty -Path $AutoUpdatePath -Name ScheduledInstallTime -Value 3 diff --git a/malboxes/scripts/windows/disable_defender.ps1 b/malboxes/scripts/windows/disable_defender.ps1 new file mode 100644 index 0000000..97570b3 --- /dev/null +++ b/malboxes/scripts/windows/disable_defender.ps1 
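Review bot: Nothing in the script stops on failure: `Remove-Item`, `New-Item` and `Set-ItemProperty` raise non-terminating errors by default, so if any of them fails the provisioner carries on with automatic updates still enabled. Suggest `$ErrorActionPreference = "Stop"` as the first statement, and `New-Item -Path $AutoUpdatePath -Force` so the call does not depend on the parent having just been created. `Remove-Item -Path $WindowsUpdatePath -Recurse` also wipes every other Windows Update policy under that key, which is fine for a fresh image but should be said in the comment. The header says Windows 10, yet provision_powershell.json, which includes this script, is used by the win7 profiles as well; `NoAutoUpdate` is the classic AU policy and should apply there too as far as I know, so `# Disables Automatic Updates (Windows 7 and 10 profiles)` would be accurate.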
@@ -0,0 +1,3 @@ +# Disable Windows Defender on Windows 10 +Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 +Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableRoutinelyTakingAction" -Value 1 diff --git a/malboxes/scripts/windows/installtools.ps1 b/malboxes/scripts/windows/installtools.ps1 index e7c7738..0ac483d 100644 --- a/malboxes/scripts/windows/installtools.ps1 +++ b/malboxes/scripts/windows/installtools.ps1 @@ -1,17 +1,5 @@ iex ((New-Object Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')) -cinst sysinternals -y -cinst dependencywalker -y -cinst windbg -y - # For some reason, AutoHotkey.portable wasn't working with WinPcap, so use the full installation cinst autohotkey -y $env:Path = "$($env:Path)C:\Program Files\AutoHotkey;" - -cinst wireshark -y -i -cinst 7zip -y -cinst putty -y -cinst fiddler -y -cinst processhacker -y -cinst regshot -y -cinst apm -y diff --git a/malboxes/vagrantfiles/box_win.rb b/malboxes/vagrantfiles/box_win.rb index e45e1e5..be60bd4 100644 --- a/malboxes/vagrantfiles/box_win.rb +++ b/malboxes/vagrantfiles/box_win.rb @@ -1,6 +1,8 @@ Vagrant.configure(2) do |config| config.vm.guest = :windows config.vm.communicator = :winrm + config.winrm.username = "{{ username }}" + config.winrm.password = "{{ password }}" # Giving plenty of times for updates config.vm.boot_timeout = 600
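Review bot: `Set-ItemProperty` fails when the target key does not exist, and `HKLM:\Software\Policies\Microsoft\Windows Defender` is not present on a fresh install as far as I know, so on a clean image both lines presumably error and Defender stays enabled while the analysis tools are installed. The sibling `disable_auto-updates.ps1` creates its keys first; mirror that with `New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Force | Out-Null` before the two `Set-ItemProperty` lines, and add `$ErrorActionPreference = "Stop"` so a failure aborts the build rather than being logged and ignored. The header should also mention that the Windows 7 profiles reach this script through provision_powershell.json.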
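Review bot: The removed `cinst wireshark -y -i` passed `-i` (Chocolatey's ignore-dependencies switch, if I read it right), while the consolidated `choco install {{ choco_packages }} -y` in provision_powershell.json installs the list without it, so Wireshark's dependencies are now pulled in; if skipping them was deliberate (the comment two lines up mentions WinPcap trouble), either keep a separate `choco install wireshark -y -i` here or note why the flag is no longer needed. `fiddler` also becomes `fiddler4` in the default list in config-example.js, which looks intentional but is mentioned nowhere. Visible in the context, not part of the change: `$env:Path = "$($env:Path)C:\Program Files\AutoHotkey;"` appends without a leading `;`, so unless the existing Path already ends in one the last entry and the AutoHotkey directory are glued together; `$env:Path = "$($env:Path);C:\Program Files\AutoHotkey"` is safe either way.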
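Review bot: `config.winrm.username = "{{ username }}"` and `config.winrm.password = "{{ password }}"` are interpolated into Ruby double-quoted strings, so a password containing `"`, `\` or `#{` produces a Vagrantfile that fails to load; single quotes (`config.winrm.password = '{{ password }}'`) narrow that to `'` and `\`, but the real fix is to document the allowed character set in config-example.js or validate it in `prepare_config`. This file is also the `vagrantfile_template` that postprocessor_vagrant.json embeds into the `.box`, and `build` now writes the rendered copy to the cache dir, so both artifacts carry the credentials in clear; the previous vagrant/vagrant defaults were equally public, but users who set a real password should be told. The `Vagrant.configure` block continues past the hunk.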