Coffeeri / malvm

Malvm is a tool to create modified Windows 10/7 virtual machines in which malware is not able to detect its virtual environment. Those VMs can be used to analyze malware.

Icon by Freepik

malvm

Build non-detectable virtual machines for malware analysis.

We currently only support Linux!

The tool malvm is used to create sanitized virtual environments, so that malware is not able to determine whether it is running in a virtual environment or not. Create and integrate your own analysis images:

  • Build: OS images with Packer and deploy them with Vagrant, all centrally controlled by malvm.
  • Configure: Set your settings such as logging and the default VM configuration. Predefine your environment in malvm_config.yaml and build + deploy it with malvm up.
  • Integrate: Add your own characteristic fixes and let malvm run them inside your VM.
  • Extendable: The entire project is built in a very modular way; you can integrate your own hypervisor, view and (sub-)controller.

Getting Started

Table of Content

  1. Prerequisite
  2. Installation
  3. Quick start: Create your first VM
  4. Quick start: Check and Fix your VM-Environment
  5. Implementation of characteristics
  6. Configuration file

Prerequisite

Please make sure that the following dependencies are installed:

  1. Make sure your host runs a Linux OS.
  2. Python3
  3. git
  4. Vagrant
  5. Packer (malvm v0.0.1 tested with packer 1.5.6; malvm v0.0.2 tested with packer 1.6.5)
  6. VirtualBox

Install malvm

Please make sure that you have installed all packages in Prerequisite.

with pip

You need to create a personal access token.

Scope needed: read_api


pip install --extra-index-url https://YOUR_ACCESS_TOKEN_NAME:YOUR_ACCESS_TOKEN@gitlab.com/api/v4/projects/18734431/packages/pypi/simple malvm

with git clone and manual installation

1. Clone the repository and open a shell in the folder.

git clone git@gitlab.com:shk_fkie/analysevm.git
cd analysevm

2. Install package

2.1 Install package (Normal User)

python setup.py install

2.2 Install package (Developer)

source bootstrap.sh

First VM

In the following we are going to create a Windows 10 VM called "malwareVM". We use two commands, which can also be chained together.

malvm box build windows_10
malvm box start malwareVM windows_10

First, malvm box build windows_10 builds the Windows 10 image for Vagrant. Next, malvm box start malwareVM windows_10 spins up a virtual machine instance of the previously created image.

Both commands can be chained into a single command:

malvm box build windows_10 start malwareVM windows_10

Checks and Fixes

Malvm analyses its environment. It includes characteristics, each of which reveals that the system is running in a VM environment.

Those characteristics can be checked with:

malvm check

To fix the characteristics that failed the check, simply run:

malvm fix

Characteristics

malvm uses different characteristics, each having its own check and fix method. All characteristic definitions live in src/malvm/characteristics/. All modules in this package are loaded dynamically.

Each module defines a characteristic and consists of a class which inherits from the Characteristic class in src/malvm/characteristics/abstract_characteristic.py.

Each characteristic module can have multiple sub-characteristics. In the example of FilesCharacteristic, each file would be its own sub-characteristic.
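The check/fix pattern described above, as an added illustrative example written for this README; it is not malvm's own code, and the CheckResult type, the run_all helper, the method signatures and the sample file name are assumptions:

```python
import tempfile
from abc import ABC, abstractmethod
from dataclasses import dataclass
from pathlib import Path
from typing import List, Tuple

@dataclass
class CheckResult:
    name: str      # "<CHARACTERISTIC>:<sub-characteristic>"
    passed: bool   # True when nothing VM-revealing was found

class Characteristic(ABC):
    """Each module contributes one subclass with a check() and a fix() method."""
    slug = "BASE"
    @abstractmethod
    def check(self) -> List[CheckResult]: ...
    @abstractmethod
    def fix(self) -> List[CheckResult]: ...

class FilesCharacteristic(Characteristic):
    """One sub-characteristic per file: a listed file must not exist in the guest."""
    slug = "FILES"
    def __init__(self, paths: List[Path]):
        self.paths = paths

    def check(self) -> List[CheckResult]:
        return [CheckResult(f"{self.slug}:{p.name}", not p.exists()) for p in self.paths]

    def fix(self) -> List[CheckResult]:
        for p in self.paths:
            if p.is_file():
                p.unlink()  # remove the tell-tale file, then re-check
        return self.check()

def run_all(chars: List[Characteristic], apply_fix: bool = False) -> List[CheckResult]:
    """What `malvm check` / `malvm fix` would do over the dynamically loaded characteristics."""
    results: List[CheckResult] = []
    for c in chars:
        results.extend(c.fix() if apply_fix else c.check())
    return results

def demo() -> Tuple[List[bool], List[bool]]:
    """Constructed sample: a leftover marker file in a temp dir stands in for a VM artefact."""
    with tempfile.TemporaryDirectory() as d:
        marker = Path(d) / "vm_marker.txt"  # placeholder name, not a real artefact path
        marker.write_text("constructed sample")
        chars = [FilesCharacteristic([marker, Path(d) / "absent.txt"])]
        before = [r.passed for r in run_all(chars)]
        after = [r.passed for r in run_all(chars, apply_fix=True)]
    return before, after
```

Dynamic loading of the modules in the package is left out here; with this layout the loaded classes can be enumerated via Characteristic.__subclasses__().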

Configuration file

The config file is usually located at ~/.local/share/malvm/malvm_config.yaml. You are able to configure syslog, the logging path and base images/virtual machines. A virtual machine named default has to exist at all times; it is used for malvm box start ... After configuring malvm_config.yaml you can build the defined base images/VMs via the command malvm up.

Note:

  • disk_size needs a size prefix such as GB
  • memory does not need a prefix, it is MB by default

Example

logging:
  syslog_address: /dev/log
  rotating_file_path: ~/.local/share/malvm/logs/malvm.log
base_images:
  malvm-win-10:
    template: windows_10
    username: max
    password: 123456
    computer_name: Computer
    language_code: de-De
virtual_machines:
  default:
    base_image: malvm-win-10
    disk_size: 120GB
    memory: 2048
    choco_applications: [ ]
    pip_applications: [ ]
  fkieVM:
    base_image: malvm-win-10
    disk_size: 120GB
    memory: 4096
    choco_applications: [adobereader, firefox, 7zip.install]
    pip_applications: [requests]
