FLARE VM is the first of its kind freely available and open sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers. Inspired by open-source Linux-based security distributions like Kali Linux, FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation, web assessment, exploitation, vulnerability assessment applications, and many others.
FLARE VM comes in two flavors – Malware Analysis and Penetration Testing editions. Each edition targets a specific task. For example, FLARE VM – Malware Analysis Edition is optimized for and contains tools specifically for reverse engineering malware. The tools included with FLARE VM distribution were either developed or carefully selected by the members of the FLARE (FireEye Labs Advanced Reverse Engineering) Team who have been reverse engineering malware, analyzing exploits and vulnerabilities, and teaching malware analysis classes for over a decade.
The security distribution works as an easily deployable package that you can install on an existing Windows installation. FLARE VM brings a familiar, easy to manage package management system to quickly deploy and customize the platform to suite your specific needs. After the initial installation, you can easily add, remove and update packages in the FLARE VM package repository.
The project will be released at Blackhat Arsenal on Wednesday, July 26th.
Installation
Create and configure a new Windows 7 or newer Virtual Machine. To install FLARE VM on an existing Windows VM, you need to run an installation script. The installation script is a Boxstarter script which is used to deploy FLARE VM configurations and a collection of chocolatey packages. The easiest way to run the script is to use Boxstarter’s web installer as follows:
- On the newly created VM, open the following URL in Internet Explorer (other browsers are not going to work):
http://boxstarter.org/package/url?[FLAREVM_SCRIPT]
Where
FLAREVM_SCRIPT
is a path or URL to the respective FLARE VM script. For example to install the malware analysis edition:http://boxstarter.org/package/url?https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1
or if you have downloaded and copied the installation script to the local C drive:
http://boxstarter.org/package/url?C:flarevm_malware.ps1
- Copy
install.bat
andflarevm_malware.ps1
on the newly created VM and executeinstall.bat
.
Installing a new package
FLARE VM uses the chocolatey public and custom FLARE package repositories. It is easy to install a new package. For example, enter the following command as Administrator to deploy x64dbg on your system:
cinst x64dbg
Staying up to date
Type the following command to update all of the packages to the most recent version:
cup all
Malware Analysis with FLARE VM
Please see a blog at https://www.fireeye.com/blog/threat-research.html for an example malware analysis session using FLARE VM.
Installed Tools
Debuggers
- OllyDbg + OllyDump + OllyDumpEx
- OllyDbg2 + OllyDumpEx
- x64dbg
- WinDbg
Disassemblers ====
- IDA Free
- Binary Ninja Demo
Java ====
- JD-GUI
Visual Basic ====
- VBDecompiler
Flash ====
- FFDec
.NET ====
- ILSpy
- DNSpy
- DotPeek
- De4dot
Office ====
- Offvis
Hex Editors ====
- FileInsight
- HxD
- 010 Editor
PE ====
- PEiD
- ExplorerSuite (CFF Explorer)
- PEview
- DIE
Text Editors ====
- SublimeText3
- Notepad++
- Vim
Utilities ====
- MD5
- 7zip
- Putty
- Wireshark
- RawCap
- Wget
- UPX
- Sysinternals Suite
- API Monitor
- SpyStudio
- Checksum
- Unxutils
Python, Modules, Tools ====
- Python 2.7
- Hexdump
- PEFile
- Winappdbg
- FakeNet-NG
- Vivisect
- FLOSS
- FLARE_QDB
- PyCrypto
- Cryptography
Other ====
- VC Redistributable Modules (2008, 2010, 2012, 2013)
For more information and assistance with setup read up Fireeye’s blog post