Modified version of the flare-vm installer to add a few additional installations
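###########################################
#
# FLARE VM Installation Script
#
# To execute this script:
# 1) Open powershell window as administrator
# 2) Allow script execution by running command "Set-ExecutionPolicy Unrestricted"
# 3) Execute the script by running ".\install.ps1"
#
# What this script does:
# - Downloads the Boxstarter bootstrapper and executes it (iex), then runs
#   the Boxstarter package hosted in this gist (pinned to one revision).
# - Optionally collects the current user's credential so Boxstarter can
#   auto-login across the reboots the package triggers.
#
# Review notes:
# - The bootstrapper is executed verbatim, so transport integrity is the only
#   protection: it is fetched over HTTPS with TLS 1.2 forced (the original
#   fetched it over plain HTTP, which allows on-path replacement).
# - The package URL is pinned to a specific gist revision hash so a later
#   edit of the gist cannot silently change what is installed.
#
###########################################
Write-Host " ______ _ _____ ______ __ ____ __ "
Write-Host " | ____| | /\ | __ \| ____| \ \ / / \/ |"
Write-Host " | |__ | | / \ | |__) | |__ _____\ \ / /| \ / |"
Write-Host " | __| | | / /\ \ | _ /| __|______\ \/ / | |\/| |"
Write-Host " | | | |____ / ____ \| | \ \| |____ \ / | | | |"
Write-Host " |_| |______/_/ \_\_| \_\______| \/ |_| |_|"
Write-Host " I N S T A L L A T I O N "
Write-Host " ________________________________________________________"
Write-Host " Developed by "
Write-Host " Peter Kacherginsky "
Write-Host " FLARE (FireEye Labs Advanced Reverse Engineering) "
Write-Host " _______________________________________________________ "
Write-Host " "

# Boxstarter package to install; pinned to one gist revision (see header).
$packageUrl = "https://gist.githubusercontent.com/gabemarshall/cec452231db177f551599cd75df6268a/raw/53f1dba52a2fd67479a2eaa5c9642cedb11f8e8b/flarevm_malware.ps1"

# Older Windows PowerShell defaults to SSL3/TLS1.0 for WebClient; force TLS 1.2
# so the bootstrapper download below is not negotiated down.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent() )
if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
  Write-Host "[ * ] Installing Boxstarter"
  # The downloaded script is executed as-is; fetch it over HTTPS only.
  iex ((New-Object System.Net.WebClient).DownloadString('https://boxstarter.org/bootstrapper.ps1')); get-boxstarter -Force

  # Get user credentials for autologin during reboots
  Write-Host "[ * ] Getting user credentials ..."
  # Allow Get-Credential to prompt on the console instead of a GUI dialog.
  Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds" -Name "ConsolePrompting" -Value $True
  $cred=Get-Credential $env:username
  if ($cred) {
    Install-BoxstarterPackage -PackageName $packageUrl -Credential $cred
  } else {
    # No credential: Boxstarter cannot auto-login after reboots, so the
    # installation will pause at each logon until the user signs in.
    Install-BoxstarterPackage -PackageName $packageUrl
  }
} else {
  Write-Host "[ERR] Please run this script as administrator"
  Read-Host " Press ANY key to continue..."
}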
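# FLARE VM - Malware Analysis Edition
#
# Boxstarter package script: configures the system, registers the FLARE
# chocolatey feed and installs the analysis tool set below. It is executed
# by Install-BoxstarterPackage from install.ps1 and may reboot the machine
# several times (RebootOk is enabled).
#
# Review notes:
# - allowEmptyChecksums is enabled globally, which disables chocolatey's
#   download integrity check for every package that ships without one.
# - Two Python tools are installed from unpinned GitHub "master" zipballs;
#   what gets installed depends on the repository state at run time.
Write-Host " ______ _ _____ ______ __ ____ __ "
Write-Host " | ____| | /\ | __ \| ____| \ \ / / \/ |"
Write-Host " | |__ | | / \ | |__) | |__ _____\ \ / /| \ / |"
Write-Host " | __| | | / /\ \ | _ /| __|______\ \/ / | |\/| |"
Write-Host " | | | |____ / ____ \| | \ \| |____ \ / | | | |"
Write-Host " |_| |______/_/ \_\_| \_\______| \/ |_| |_|"
Write-Host " M A L W A R E A N A L Y S I S E D I T I O N "
Write-Host " "
Write-Host " Version 1.0 "
Write-Host " ________________________________________________________"
Write-Host " Developed by "
Write-Host " Peter Kacherginsky "
Write-Host " FLARE (FireEye Labs Advanced Reverse Engineering) "
Write-Host " _______________________________________________________ "
Write-Host " "
Write-Host "This download configuration script is provided to assist cyber security analysts"
Write-Host "in creating handy and versatile toolboxes for malware analysis environments. It"
Write-Host "provides a convenient interface for them to obtain a useful set of analysis"
Write-Host "tools directly from their original sources. Installation and use of this script"
Write-Host "is subject to the Apache 2.0 License."
Write-Host " "
Write-Host "You as a user of this script must review, accept and comply with the license"
Write-Host "terms of each downloaded/installed package listed below. By proceeding with the"
Write-Host "installation, you are accepting the license terms of each package, and"
Write-Host "acknowledging that your use of each package will be subject to its respective"
Write-Host "license terms."
Write-Host ""
Write-Host "List of package licenses:"
Write-Host ""
Write-Host "http://www.ollydbg.de/download.htm, http://www.ollydbg.de/download.htm,"
Write-Host "https://github.com/x64dbg/x64dbg/blob/development/LICENSE,"
Write-Host "http://go.microsoft.com/fwlink/?LinkID=251960,"
Write-Host "https://www.hex-rays.com/products/ida/support/download_freeware.shtml,"
Write-Host "https://docs.binary.ninja/about/license/#demo-license,"
Write-Host "https://github.com/icsharpcode/ILSpy/blob/master/doc/license.txt,"
Write-Host "https://github.com/0xd4d/dnSpy/blob/master/dnSpy/dnSpy/LicenseInfo/GPLv3.txt,"
Write-Host "https://www.jetbrains.com/decompiler/download/license.html,"
Write-Host "https://github.com/0xd4d/de4dot/blob/master/LICENSE.de4dot.txt,"
Write-Host "http://www.oracle.com/technetwork/java/javase/terms/license/index.html,"
Write-Host "https://github.com/java-decompiler/jd-gui/blob/master/LICENSE,"
Write-Host "https://www.vb-decompiler.org/license.htm, http://kpnc.org/idr32/en/,"
Write-Host "https://www.free-decompiler.com/flash/license/,"
Write-Host "https://www.mcafee.com/hk/downloads/free-tools/fileinsight.aspx,"
Write-Host "https://mh-nexus.de/en/hxd/license.php,"
Write-Host "https://www.sweetscape.com/010editor/manual/License.htm,"
Write-Host "http://www.ntcore.com/exsuite.php, http://wjradburn.com/software/,"
Write-Host "http://ntinfo.biz, https://www.sublimetext.com,"
Write-Host "https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/LICENSE,"
Write-Host "http://vimdoc.sourceforge.net/htmldoc/uganda.html,"
Write-Host "http://www.gnu.org/licenses/gpl-2.0.html,"
Write-Host "https://raw.githubusercontent.com/ferventcoder/checksum/master/LICENSE,"
Write-Host "http://www.7-zip.org/license.txt,"
Write-Host "http://www.chiark.greenend.org.uk/~sgtatham/putty/licence.html,"
Write-Host "http://www.gnu.org/copyleft/gpl.html,"
Write-Host "https://cdn.rawgit.com/iggi131/packages/master/RawCap/license.txt,"
Write-Host "https://www.gnu.org/copyleft/gpl.html,"
Write-Host "http://upx.sourceforge.net/upx-license.html,"
Write-Host "http://technet.microsoft.com/en-us/sysinternals/bb469936,"
Write-Host "http://www.rohitab.com/apimonitor,"
Write-Host "http://whiteboard.nektra.com/spystudio/spystudio_license,"
Write-Host "http://www.slavasoft.com/hashcalc/license-agreement.htm,"
Write-Host "http://www.gnu.org/licenses/gpl-2.0.html,"
Write-Host "http://www.techworld.com/download/portable-applications/microsoft-offvis-11-3214034/,"
Write-Host "http://exeinfo.atwebpages.com,"
Write-Host "https://www.python.org/download/releases/2.7/license/,"
Write-Host "https://www.microsoft.com/en-us/download/details.aspx?id=44266,"
Write-Host "https://raw.githubusercontent.com/IntelliTect/Licenses/master/WindowsManagementFramework.txt,"
Write-Host "http://msdn.microsoft.com/en-US/cc300389.aspx,"
Write-Host "https://raw.githubusercontent.com/chocolatey/choco/master/LICENSE"
Write-Host "https://blog.didierstevens.com/programs/xorsearch/"
Write-Host "http://sandsprite.com/iDef/MAP/"
Write-Host "http://sandsprite.com/iDef/SysAnalyzer/"
Write-Host "http://virustotal.github.io/yara/"
Write-Host "http://www.novirusthanks.org/products/kernel-mode-driver-loader/"
Write-Host "http://www.woodmann.com/collaborative/tools/index.php/LordPE"
Write-Host "https://github.com/gchq/CyberChef"
Write-Host "http://sandsprite.com/CodeStuff/scdbg_manual/MANUAL_EN.html"
Write-Host "http://retdec.com"
Write-Host "http://www.cygwin.com/"
Write-Host "https://portswigger.net/burp"
Write-Host "https://bytecodeviewer.com/"

###############################################################################
# Configure system
###############################################################################

# Boxstarter options
$Boxstarter.RebootOk=$true # Allow reboots?
$Boxstarter.NoPassword=$false # Is this a machine with no login password?
$Boxstarter.AutoLogin=$true # Save my password securely and auto-login after a reboot

# Basic setup
Update-ExecutionPolicy Unrestricted
Disable-MicrosoftUpdate
Set-WindowsExplorerOptions -EnableShowProtectedOSFiles -EnableShowFileExtensions -EnableShowHiddenFilesFoldersDrives
Set-TaskbarOptions -Size Small
Disable-BingSearch

###############################################################################
# Install Chocolatey packages
###############################################################################

# Configure FLARE chocolatey feed
$flare = "https://www.myget.org/F/flare/api/v2"
# Download cache shared by every cinst below; removed at the end of the script.
$cache = "$env:userprofile\AppData\Local\ChocoCache"
New-Item -Path $cache -ItemType directory -Force

# Make a FLARE desktop folder
$startPath = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FLARE"
if( -not (Test-Path -path $startPath) ) { New-Item -Path $startPath -ItemType directory }
$desktopShortcut = Join-Path ${Env:USERPROFILE} "Desktop\FLARE.lnk"
Install-ChocolateyShortcut -shortcutFilePath $desktopShortcut -targetPath $startPath

###############################################################################
# Install packages

# Set up Chocolatey
# Register the FLARE feed once, reusing $flare so the source URL is defined in
# a single place.
cmd.exe /c choco sources add -n=flare -s $flare --priority 1
cmd.exe /c choco feature enable -n allowGlobalConfirmation
# NOTE(review): this turns off checksum verification for packages that do not
# declare one, for the whole machine and not only for this run. Some FLARE feed
# packages appear to rely on it; keep in mind that those installs are not
# integrity-checked.
cmd.exe /c choco feature enable -n allowEmptyChecksums

cinst cmdermini.flare -s $flare --cacheLocation $cache
cinst vim
cinst ruby
cinst googlechrome
cinst nodejs.install

# Packages requiring reboot
cinst powershell --cacheLocation $cache
cinst dotnet4.7.2 --cacheLocation $cache

# Visual C++ Redistributable Packages
cinst vcredist2005 --cacheLocation $cache
cinst vcredist2008 --cacheLocation $cache
cinst vcredist2010 --cacheLocation $cache
cinst vcredist2012 --cacheLocation $cache
cinst vcredist2013 --cacheLocation $cache
cinst vcredist2015 --cacheLocation $cache

# Debuggers
cinst ollydbg -s $flare --cacheLocation $cache # OllyDbg 1.10
cinst ollydbg.ollydump -s $flare --cacheLocation $cache # OllyDump plugin
cinst ollydbg.ollydumpex -s $flare --cacheLocation $cache # OllyDumpEx plugin
cinst ollydbg2 -s $flare --cacheLocation $cache # OllyDbg 2.0
cinst ollydbg2.ollydumpex -s $flare --cacheLocation $cache # OllyDumpEx plugin
cinst x64dbg -s $flare --cacheLocation $cache # x64dbg
cinst x64dbg.py -s $flare --cacheLocation $cache # Python Scripting Engine for x64dbg
cinst windbg -s $flare --cacheLocation $cache # WinDbg x86, x64, .NET
cinst windbg.kenstheme -s $flare --cacheLocation $cache # Ken's WinDbg theme
cinst windbg.ollydumpex -s $flare --cacheLocation $cache # OllyDumpEx plugin
cinst windbg.pykd -s $flare --cacheLocation $cache
cinst scdbg -s $flare --cacheLocation $cache
cinst retdec -s $flare --cacheLocation $cache

# Disassemblers
if(Get-OSArchitectureWidth -Compare 64) {
  # IDA 7.0 is only 64bit
  cinst idafree70 -s $flare --cacheLocation $cache # IDA Free 7.0
}
cinst idafree -s $flare --cacheLocation $cache # IDA Free
cinst binaryninja -s $flare --cacheLocation $cache # Binary Ninja Demo
cinst radare2.flare -s $flare --cacheLocation $cache # Radare2 framework
cinst cutter.flare -s $flare --cacheLocation $cache # Cutter is a GUI for radare2

# .NET
cinst ilspy.flare -s $flare --cacheLocation $cache # ILSpy
cinst dnspy.flare -s $flare --cacheLocation $cache # dnSpy
cinst dotpeek.flare -s $flare --cacheLocation $cache # dotPeek
cinst de4dot -s $flare --cacheLocation $cache # de4dot

# Java
cinst javaruntime --cacheLocation $cache # JRE
cinst jd-gui -s $flare --cacheLocation $cache # JD-GUI
cinst bytecode-viewer.flare -s $flare --cacheLocation $cache # ByteCodeViewer
cinst dex2jar --cacheLocation $cache # dex2jar

# VB
cinst vbdecompiler -s $flare --cacheLocation $cache # VB Decompiler Lite

# Delphi
cinst idr.small -s $flare --cacheLocation $cache # IDR (small edition)

# Flash
cinst ffdec -s $flare --cacheLocation $cache # FFDec

# Hex Editors
cinst fileinsight -s $flare --cacheLocation $cache # FileInsight
cinst hxd.flare -s $flare --cacheLocation $cache # HxD
cinst 010editor -s $flare --cacheLocation $cache # 010 Editor

# Web
cinst burp.free.flare -s $flare --cacheLocation $cache

# PE
cinst peid -s $flare --cacheLocation $cache # PEiD
cinst explorersuite -s $flare --cacheLocation $cache # CFF Explorer
cinst peview -s $flare --cacheLocation $cache # PEview
cinst die -s $flare --cacheLocation $cache # DIE
cinst pestudio -s $flare --cacheLocation $cache # PEStudio
cinst resourcehacker.flare -s $flare --cacheLocation $cache # Resource Hacker

# Text Editors
cinst sublimetext3 -s $flare --cacheLocation $cache # Sublime Text 3
cinst notepadplusplus --cacheLocation $cache

# Utilities
cinst unxutils --cacheLocation $cache # Unix Utils
cinst checksum --cacheLocation $cache # Hash Calculator
cinst 7zip.install --cacheLocation $cache # 7-Zip
cinst putty --cacheLocation $cache # Putty
cinst wireshark.flare -s $flare --cacheLocation $cache # WireShark
cinst winpcap --cacheLocation $cache
cinst rawcap --cacheLocation $cache # RawCap
cinst wget --cacheLocation $cache # Wget
cinst upx --cacheLocation $cache # UPX
cinst processhacker.flare -s $flare --cacheLocation $cache # Process Hacker
cinst sysinternals.flare -s $flare --cacheLocation $cache # Sysinternals wrapper
cinst apimonitor -s $flare --cacheLocation $cache # API Monitor
cinst spystudio.flare -s $flare --cacheLocation $cache # SpyStudio
cinst hashcalc -s $flare --cacheLocation $cache # HashCalc
cinst regshot -s $flare --cacheLocation $cache # RegShot
cinst exeinfope -s $flare --cacheLocation $cache # ExeInfo PE
cinst hashmyfiles --cacheLocation $cache # HashMyFiles
cinst ncat -s $flare --cacheLocation $cache # Ncat
cinst shellcode_launcher -s $flare --cacheLocation $cache # shellcode_launcher
cinst xorsearch -s $flare --cacheLocation $cache
cinst xorstrings -s $flare --cacheLocation $cache
cinst yara.flare -s $flare --cacheLocation $cache
cinst kmdloader.flare -s $flare --cacheLocation $cache
cinst lordpe.flare -s $flare --cacheLocation $cache
cinst cyberchef.flare -s $flare --cacheLocation $cache
cinst py2exedecompiler -s $flare --cacheLocation $cache
cinst cygwin.flare -s $flare --cacheLocation $cache

# Malcode Analyst Pack
cinst MAP -s $flare --cacheLocation $cache
cinst SysAnalyzer -s $flare --cacheLocation $cache

# Practical Malware Analysis Labs
cinst pmalabs -s $flare --cacheLocation $cache

# Office
cinst offvis -s $flare --cacheLocation $cache # OffVis
cinst officemalscanner -s $flare --cacheLocation $cache # OfficeMalScanner
cinst pdfid -s $flare --cacheLocation $cache
cinst pdfparser -s $flare --cacheLocation $cache
cinst pdfstreamdumper -s $flare --cacheLocation $cache

# Android
cinst apktool -s $flare --cacheLocation $cache # ApkTool

# Python
cinst python3
cinst python2 --package-parameters '/InstallDir:"C:\Program Files\Python27"' --cacheLocation $cache # Python 2.7 - Using private version
cinst python -s $flare --version 2.7.14 --cacheLocation $cache
# Pin so a later "choco upgrade all" does not move Python off 2.7.14.
choco pin add -n=python --version 2.7.14
cinst vcpython27 --cacheLocation $cache # Microsoft Visual C++ Compiler for Python 2.7

# PyKD requires installation of 32-bit Python in 64-bit systems in order to function properly
if(Get-OSArchitectureWidth -Compare 64) {
  cinst python2.nopath -s $flare --x86 --package-parameters '/InstallDir:"C:\Program Files (x86)\Python27"' --cacheLocation $cache
}

# Python Modules
cinst hexdump -source python --cacheLocation $cache
cinst pefile -source python --cacheLocation $cache
cinst winappdbg -source python --cacheLocation $cache
cinst pycrypto -source python --cacheLocation $cache # Cryptographic modules for Python
cinst cryptography -source python --cacheLocation $cache # Cryptography for humans
# NOTE(review): unpinned "master" zipball; content is whatever the repository
# holds at install time and is not checksum-verified. Pin a tag/commit when
# reproducible builds matter.
cinst https://github.com/williballenthin/vivisect/zipball/master -source python --cacheLocation $cache # Vivisect
cinst capstone-windows -source python --cacheLocation $cache
cinst unicorn -source python --cacheLocation $cache

# Python Tools
cinst oletools -source python --cacheLocation $cache # Python tools to analyze OLE and MS Office files
cinst fakenet-ng.python -s $flare --cacheLocation $cache # FakeNet-NG
cinst floss.python -s $flare --cacheLocation $cache # FLOSS
# NOTE(review): unpinned "master" zipball, same caveat as vivisect above.
cinst https://github.com/fireeye/flare-qdb/zipball/master -source python --cacheLocation $cache # FLARE-QDB

# clean up the cache directory
Remove-Item $cache -Recurse

# Install flarevm last to avoid cleaning up temporary resource used by flarevm
# NOTE(review): $cache has just been removed; this relies on chocolatey
# recreating the cache location on demand — confirm if the final install fails.
cinst flarevm -s $flare --cacheLocation $cache # FLARE VM specific configurations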