The tool malvm is used to create sanitized virtual environments, so that malware is not able to determine whether it is running in a virtual environment or not. Create and integrate your own analysis images:
- Build: OS images with Packer and deploy them with Vagrant, all centrally controlled by malvm.
- Configure: Set your settings such as logging and the default VM configuration. Predefine your environment in malvm_config.yaml and build and deploy it with malvm up.
- Integrate: Add your own characteristic fixes and let malvm run them inside your VM.
- Extendable: The entire project is built in a very modular way; you can integrate your own hypervisor, view and (sub-)controller.
- Prerequisite
- Installation
- Quick start: Create your first VM
- Quick start: Check and Fix your VM-Environment
- Implementation of characteristics
- Configuration file
Please make sure that the following dependencies are installed:
- Make sure your host runs on a Linux OS.
- Python3
- git
- Vagrant
- Packer (malvm v0.0.1 tested with packer 1.5.6; malvm v0.0.2 tested with packer 1.6.5)
- VirtualBox
Please make sure that you have installed all packages listed under Prerequisite.
You need to create a personal access token with the read_api scope.
pip install --extra-index-url https://YOUR_ACCESS_TOKEN_NAME:YOUR_ACCESS_TOKEN@gitlab.com/api/v4/projects/18734431/packages/pypi/simple malvm
git clone git@gitlab.com:shk_fkie/analysevm.git
cd analysevm
2.1 Install package (Normal User)
python setup.py install
2.2 Install package (Developer)
source bootstrap.sh
In the following we are going to create a Windows 10 VM called "malwareVM". We use two commands, which can also be chained together.
malvm box build windows_10
malvm box start malwareVM windows_10
First, malvm box build windows_10 builds the Windows 10 image for Vagrant.
Next, malvm box start malwareVM windows_10 spins up a virtual machine instance of the previously created image.
Both commands can be chained into a single command:
malvm box build windows_10 start malwareVM windows_10
malvm analyses its environment. It includes characteristics which reveal that the environment is a VM.
Those characteristics can be checked with:
malvm check
To fix the characteristics that failed, simply run:
malvm fix
malvm uses different characteristics, each having its own check and fix method.
All characteristic definitions are in src/malvm/characteristics/.
All modules in this package are loaded dynamically.
Each module defines a characteristic and consists of a class which inherits from the Characteristic class in src/malvm/characteristics/abstract_characteristic.py.
Each characteristic module can have multiple sub-characteristics. In the example of FilesCharacteristic, each file would be its own sub-characteristic.
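As an added illustration of the check/fix pattern described above (this is not malvm's own code; the class, method and slug names are assumed), a minimal base class, a FilesCharacteristic-style module with one sub-characteristic per file, and a runner that exercises check, fix and check again over constructed marker files in a temporary directory:

```python
import tempfile
from abc import ABC, abstractmethod
from pathlib import Path
from typing import Dict, List, Tuple

class Characteristic(ABC):
    """Base class (assumed shape): a slug plus check() and fix(). check() maps
    each sub-characteristic slug to True (clean) or False (reveals the VM);
    fix() repairs what it can and returns a fresh check()."""
    slug = "base"
    @abstractmethod
    def check(self) -> Dict[str, bool]: ...
    @abstractmethod
    def fix(self) -> Dict[str, bool]: ...

class FilesCharacteristic(Characteristic):
    """One sub-characteristic per file whose presence would betray the VM."""
    slug = "files"
    def __init__(self, revealing_files: List[Path]) -> None:
        self.files = revealing_files

    def check(self) -> Dict[str, bool]:
        # sub-characteristic slug: "<module slug>-<file name>"
        return {f"{self.slug}-{p.name}": not p.exists() for p in self.files}

    def fix(self) -> Dict[str, bool]:
        for p in self.files:
            if p.exists():
                p.unlink()  # a real fix depends on the artifact in question
        return self.check()

def failed_slugs(characteristics: List[Characteristic]) -> List[str]:
    """What a `malvm check` run would report: every failing sub-characteristic."""
    return [slug for c in characteristics
            for slug, passed in c.check().items() if not passed]

def demo() -> Tuple[List[str], List[str]]:
    """check -> fix -> check over constructed marker files in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = [root / "marker_a.txt", root / "marker_b.txt", root / "absent.txt"]
        for p in files[:2]:
            p.write_text("constructed VM marker")  # constructed sample artifact
        chars: List[Characteristic] = [FilesCharacteristic(files)]
        before = failed_slugs(chars)
        for c in chars:
            c.fix()
        after = failed_slugs(chars)
    return before, after
```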
The config file is usually located at ~/.local/share/malvm/malvm_config.yaml.
You are able to configure syslog, the logging path and base images / virtual machines.
A default virtual machine has to exist at all times; it is used by malvm box start.
After configuring malvm_config.yaml you are able to build the defined base images / VMs via the command malvm up.
Note:
- disk_size needs a unit such as GB
- memory does not need a unit, it is in MB by default
Example malvm_config.yaml:
logging:
  syslog_address: /dev/log
  rotating_file_path: ~/.local/share/malvm/logs/malvm.log
base_images:
  malvm-win-10:
    template: windows_10
    username: max
    password: 123456
    computer_name: Computer
    language_code: de-De
virtual_machines:
  default:
    base_image: malvm-win-10
    disk_size: 120GB
    memory: 2048
    choco_applications: [ ]
    pip_applications: [ ]
  fkieVM:
    base_image: malvm-win-10
    disk_size: 120GB
    memory: 4096
    choco_applications: [adobereader, firefox, 7zip.install]
    pip_applications: [requests]