Virtual Machines Setup Notes
Various notes on desktop and mobile virtualization
Last updated
Was this helpful?
Various notes on desktop and mobile virtualization
Last updated
Was this helpful?
For sophisticated malware sample, or mission critical reverse engineering tasks where target sample has advanced anti-VM capabilities or virtualization-based evasions (like an Hypervisor Ransomware) a Type 1 Hypervisor is suggested such as QEMU KVM, VMWare vSphere, Microsoft Hyper-V or Proxmox and nested virtualization enabled.
For scenarios that involve Reverse Engineering internet-based samples (Malware Analysis or Commercial Reverse Engineering) is needed to setup Remnux ( or any linux distro ) as default gateway in order to inspect every network package emitted.
REMNux:
NAT network
Internal Network
Windows:
Internal Network
Internal Network name must be the same in both machines
With this configuration Windows machine won't be able to access any asset outside the internal network.
In order to make REMNux forward network packages we must set the following option:
And also for IPv6 protocol
Host-Only shouldn't be used in the Windows machine because it will be possible to communicate with the host directly, instead we need to setup an internal network so Windows gets completely isolated.
REMNux first interface will be able to setup outband connections, but the second interface will handle the traffic coming from the Windows VM and redirect them to the NAT network, so we can enforce iptables rules that block unwanted connections.
Configure the ip address in the Remnux VM, to /etc/netplan/01-netcfg.yaml
Use iptables to forward network packages from internal network interface to NAT interface:
And do it the same for IPv6, note that IPv6 does not uses NAT so we need only to forward outgoing and incoming traffic without masquerading the IP address.
Internal network as internal_interface and NAT network as external_interface
If you want to redirect traffic to a mitm proxy or another packet inspector:
Iptables can also redirect udp protocol, update accordingly to your requirements.
If you want to change the destination host, as if you were using inetsim or fakenet and the connection is made without DNS resolution (direct IP address connection), use the action -j DNAT, with the --to-destination host:port , this will change the IP destination and port of the outgoing packet, so your server will be contacted.
VMWare sets up virtual machines with disabled promiscuous mode, edit the .vmx file of the VM and add the following lines per each n etwork interface
You can persist the iptables rules by saving them:
Then in the Windows Virtual Machine set up the default gateway and the default DNS server:
Later iptables could be configured to redirect the HTTP/HTTPs traffic to any MITM proxy.
Wireshark, Tshark and TCPdump can be used to inspect traffic flow going through internal network interface:
When using tshark or wireshark you can use "not http and not dns", so you can filter out http and dns requests, leaving all other TCP and UDP packets.
GenericCloud image .qcow2 for QEMU:
GenericCloud images for CentOS don't have a root password setup so we need libguestfs-tools package for adding it
Start virtual machine from virtual disk image and setup a virtual network emulating a E1000 chipset, then forward port from guest 22 to host 2222, setup the monitor to standard input output console so we can manage snapshots and use the QEMU serial terminal.
If using -nographic setup the guest serial terminal will attach to current tty session, so is needed to redirect monitor terminal to telnet port.
All CentOS (EOL) releases need to be updated to use vault mirrrolists from centos
This scenario implies that you want to setup your custom virtual machines images that aren't in the cloud image marketplace (i.e Amazon Marketplace) and leverage cloud resources for that.
I strongly suggest to avoid this option if your budget is limited since i got charged up to 1k usd per month while using a top-notch setup like this. Avoid keeping the instances up and running if not needed, disks can be expensive tho.
Amazon does not support nested virtualization so you will need to allocate a bare-metal instance, which also does not support GPUs. 🤷♂️
For MacOS virtualization Amazon has M1 chips and MacOS Amazon Machine Images (haven't tried it)
Some series support nested virtualization and some few of them has also GPU. D-series (v3, v4, including both standard and storage-optimized variants), E-series (v3, v4, including both standard and memory-optimized variants), F-series (v2, focusing on a balance of CPU and memory), the FX-series (specialized for high compute performance), and the M-series (optimized for memory and CPU performance)
You will need to setup a Windows Server 2022 VM image, since neither Windows 10 or 11 can run Hyper-V.
I suggest picking up a disk that has 12,000 max. uncached IO/s since nested virtual machines are likely to go slow with less that 6,000 IO/s
As mentioned before macOS can be virtualized in AWS, but if you're looking to explore and use experimental features or trying to virtualize iOS outside the xcode iphone simulator keep going
There's work going on in fully virtualized iBoot chain, some useful links to get started:
Corellium offers the Corellium Solo product that charges 3/usd per hour for virtualization instances of iOS (the unique solution in the market)
More or less depends on the final end and what you're trying to achieve, but the best and stealthier approach is using a physical device, yes, that's out of the scope of this article, and yes, sometimes you're going to need root privileges in the physical device, and since rooting in android is a cat-mouse game against protectors, packers and antiVM solutions the best approach is using a clean physical device, in order to achieve root-level execution you'll need to
a) Deploy a kernel exploit if the kernel of your device is vulnerable to one
b) Dump the NAND memory, modify it, and flash it back.
The second solution is preferable as it is an universal solution but hardware technical skills are needed and invest some pennies on tools.
Setups that does not need root can be done using commercial emulators if you're in Windows for example Bluestacks.
On Mac M1 the only decent alternative to Android Virtual Device is Genymotion which does not support rootless environment.
In Linux, Android Emulator that has Google Play option are instances without root by default.
For downloading APK files directly from Google Play you need to setup your account (some applications are geo-based, for those you will need to setup a VPN in the host machine, some emulators support toggling locale settings so google play will initiate with the targeted country.
Patching the manifest file for the apk to accept user-level CA certificates can be done for HTTPs interception. Android accepts certificates encoded in base64.
Depending on the setup, some emulators has option for setting up a proxy, android system-wide proxy can be used also if host is reachable from the emulated device, some apps might not be proxy-aware so a workaround is using an application that configures a VPN service to HTTPs proxy like SuperProxy, if the host OS isn't reachable from the emulator you can use adb reverse command for exposing a local port from the OS into the localhost of the emulator device.
All Android Emulator instances without Google Play by default are rooted.
Android x86_64 and x86 images can be used with VirtualBox, use VBoxVGA and disable 3D acceleration in order to use the GUI, if not you'll boot directly to cli-mode.
QEMU can be used for emulating ARM but for performance reasons I highly discourage from doing it, use a Mac with Apple Chip or use Android 11 and later android versions with ARM Translation Tools enabled, some apk files aren't shipped with x86 native binaries/libraries for various reasons but ARM translation tools will interpret the ARM opcodes into x86 opcodes (which comes with performance limitations).
Bluestacks 4 supports root-mode, you need to modify the Bluestacks.conf file to enable the root-access globally or per instance.
AVD can be modified to accept mounting /system directory in read-write mode. Also Bluestacks by tweaking the XML descriptor for the VDI files, accesing the VDI files is possible also in the host system. Almost everything can be tweaked with the system directory mounted, including root CA, so you can add your custom CA and it will be trusted by default.
SSL pinning mechanism vary between applications, also Firebase libraries enforce security checks when trying to reach some endpoints , but that's out of scope in this article.
Start fakedns in RENMux. You will need to use an alternative version of the default one shipped with REMnux: this version supports a lot more features including round-robin and DNS-text request commonly used in Cobalt Strike or Sliver implants, it also supports rebinding, when a query does not matches the regular expression stated in the config file it just acts as a proxy and returns the IP address resolved by the gateway's nameserver.
You probably need to practice your soldering skills a little bit before doing this. For dumping NAND memory you can follow up with the next guide: For writing back
