NokiMo
oalabs
oalabs

patreon


Reverse Engineering Lab Setup

If you are just getting started with reverse engineering this the place to start. In this tutorial we provide an overview the current setup that we currently run, this is also the same setup used in all of our live streams and tutorials.

About FlareVM

If you have been with us for a while you may remember that we used to recommend FlareVM. It's still a great idea, and if you want to use their full suite of tools you can follow their install guide here FLARE-VM. However, after a few years of troubleshooting buggy installs (mostly NOT the fault of the installer) we realized that we actually only use about 5 tools out of the 100 installed.

About MacOS Mx ARM Hosts

If you have a Mac host that is running an ARM Mx series CPU you will need to take a few points into consideration. First, we highly recommend that you use ARM Windows 11 as your VM guest, and that you use the VMWare Fusion hypervisor. This setup has given us the least amount of issues, and for your static analysis VM the difference will be mostly unnoticeable. However, for dynamic analysis, specifically debugging Intel x64 malware, there are some gotchas. We will be discussion this in more detail soon but for now you can refer to our most recent (and still relevant) explainer M1 Mac Malware Analysis VM Setup with Windows 11, and our older (slightly out of date) tutorial Apple M1 Mac Malware Analysis Lab (Windows 11).

Hypervisor Setup

We recommend using VMWare, it is what we use locally, but it is a commercial product that costs a bit so if you want to put in the effort (QEMU) or deal with the bugs (VBOX) there are alternatives.

We do use QEMU in production and if you ware interested in putting in a bit of effort up front we can highly recommend this install tutorial from c3rb3ru5,  Kernel Virtual Machine (KVM) TLS Decryption Tips and Favourite Tools.

⚠️ UPDATE:  Since Broadcom purchased VMWare they have made it very difficult to download the product, however the non-pro versions are now FREE! You can use the following links to find the VMWare products on the Broadcom site -- you must be logged in with a (free) Broadcom account first!

Fusion

https://support.broadcom.com/group/ecx/productdetails?productName=VMware%20Fusion

Workstation (Windows)

https://support.broadcom.com/group/ecx/productdetails?productName=VMware%20Workstation%20Pro

Windows OS Setup

Windows media can be downloaded from the following sources. We recommend Windows 10 as disabling Defender is simpler and the OS is better understood but personally we use both.

Disable Windows Defender

Since you will be storing and running malware on your VMs we strongly recommend disabling Windows Defender. We used to include guides on disabling defender that quickly became out of date as new patches were released. Currently the best way to find a guide is to just google with the Windows version and service pack that you have installed. Be warned, later builds of Windows 10 are tricky and Windows 11 is even worse! The following are some references that may be of assistance.

Disable Windows Updates

We recommend disabling windows updates on your VMs as this will ensure a stable repeatable environment, and it will prevent the update traffic and processes from cluttering up your dynamic analysis results. Much like Defender updates have become increasingly tricky to disable, googling with the Windows version and service pack is likely to yield the best results. The following are some references that may be of assistance.

Tools

The following list provides links for the tools we discuss in the tutorial. If any of the links are broken please reach out to use on Discord.

Services

The following malware analysis services are highly recommended.

Reverse Engineering Lab Setup

Comments

We are starring engines here, great and organized video. Love them.

Pronoun

I used it for a proyect, its the same as dnspy, but it has a debugger*, and more robust features. I love dnsspy. You only have 3 files and you ready to go, and not install a 300mb package.

Pronoun

Yeh sadly I can't update the videos things keep changing for ARM/VMWare lol

OALABS

Quick tip, as of this may VMware Workstation/Fusion Pro are available for free (for personal use).

Rétro-ingénieur Maliciel

Whatever works for you, personally I just drag and drop from the host, but you can also just revert your snapshot and use the internet as you mentioned.

OALABS

Just wondering, if dynamic analysis VM having no shared drives, no Internet so how you uploading malware samples there? Drag and drop is ok from static to dynamic? What I'm doing now is on clean dynamic VM connect Internet, download samples and shut down Internet back.

REdoslaw

Never used it, pretty much the only .NET analysis tool I use now is dnspy. Keep in mind the tutorial is just the baseline, different languages, files etc. sometimes require custom tooling, but in general dnspy is probably all you need

OALABS

Hello. What about .NET decompiler from JetBrains - dotPeek?

REdoslaw

both if possible thanks

OALABS

I can forward you the email if you like or DM a screenshot. Which would you prefer?

Raymond Forbes

Patreon support is asking for a copy of the email, or a screenshot of it, would you be able to dm me one?

OALABS

The reason why there is no post on this is because we are currently investigating, it's not so straight forward. I can give you some info but it may be incorrect so you can't really rely on it. Basically if you have an ARM Mac you should (need to) run ARM Windows. The tutorials I linked are all still correct, and everything works completely fine for static analysis, but as you noted debugging does have some issues. There reason is the windows ARM JIT... so ARM windows uses a translation layer much like WOW64 to run intel apps... the thing is they have on the fly JITing that will just randomly translate to arm in the middle of your code then back again And they have a JIT cache that will run the JIT for stuff it already knows about Explains a lot https://www.ffri.jp/assets/files/research/research_papers/Koh_Nakagawa_Appearances_are_deceiving_English.pdf but this is no good if you are debugging x86! You will lose control when it runs an ARM JIT. In practice this mostly works fine for 32bit because this actually runs under WOW64 and so the JITing happens on a lower level, but when you are debugging intel X64 code you will randomly lose control. Like I said it's a work in progress and I think this should be solvable but for now that's what is going on. When I have more answers I will make a proper post. Also if you are wondering "should I buy an Mx Mac" I personally have been using one for all my travel for the past 2 years and it's totally fine, but I do have an intel box a home just in case...

OALABS

What the heck! Vimeo is our video hosting platform but it shouldn't be exposed at all. Thanks for the quick info I'll open a bug.

OALABS

Thanks for the video. I've read a lot of people have issues running debuggers on M1s. I was going to buy a M Mac but worried the debuggers won't work. Do these work OK for 32/64 bit application? I saw you said there were some gotchas coming soon but can I get a summary please?

Andrew Miles

Link in the email was for this: vimeo[.]com/930792849 but if you clicked it, it brings you here

Andrew Miles

Oh no! Could you PM the link that was sent? I will forward it to Patreon and open a bug. Glad you enjoyed the tutorial! : ))

OALABS

This was so good! Thank you for making this. The link in the email does not work, btw. The link to Vimeo.

Raymond Forbes


Related Creators