Government Security
Network Security Resources

Using Vmware

5 replies to this topic

#1 Little_Dice (Staff Sergeant, Members, 284 posts)

Posted 31 July 2007 - 12:45 PM

I know a lot of people on here use VMware to test these files. I was just wondering how you do it. Do you have to get a Windows XP ISO and then run VMware with all your tools like Filemon and Regmon?

#2 zorin- (Sergeant First Class, Sergeant Major, 541 posts)

Posted 31 July 2007 - 01:28 PM

In VMware you can choose whether to boot from an installation CD or locate an .ISO image on your actual computer. I have an XP disk and install it from there, straight to the hard disk (to which you can allocate space). You also need to set up a network connection if you're planning on monitoring what the files you are testing do. The safest option is to use bridged networking and then put the virtual machine on the DMZ of your network; some malware can be pretty nasty and will try to spread across not just the Internet, but also your home network (if you have one).

The tools you use are up to you. If you want to monitor connections, use a program like IceSword/tcpdump. You can use all kinds of network monitoring tools to see what the machine is doing. Use some registry tools and take a snapshot of the system so you can look afterwards at exactly what has been changed: files created, files changed in any way, shape or form. This should give you a good idea of what is happening. I would take a snapshot of the system before running malicious files so you can revert it back after you have completed the testing. Use Sandboxie to monitor changes (hxxp://www.sandboxie.com); I hear that it is very useful, but I have only used it once or twice myself so will not say what I think of it. The tools you mention are good; have a collection of them ready. You can get down and dirty with the files by using disassemblers and debuggers. Good modern Trojans and such can detect when they are being run in a virtual machine and can then choose what they should use as a payload: some self-terminate and others could launch a malicious payload, and seeing as there is an exploit out for VMware (see the Exploit Research & Development forum) it could be quite devastating. Be careful when doing this; start with sample files and see what they are doing. You have to realize that the system you are running Trojans on could be participating in a botnet, and therefore could be responsible for part of a DDoS attack. Your ISP could get annoyed at you for this and contact you. This hardly ever happens, but it's a possibility, and a possibility worth thinking about.

#3 davesgrave (Private, Members, 1 post)

Posted 23 October 2009 - 06:27 PM

Hey, can you help? I am unable to connect to the internet on my VM OS, Win XP SP2.

#4 sabrodiesel2000 (Corporal, Members, 161 posts)

Posted 24 October 2009 - 12:25 AM

davesgrave: did you configure your virtual machine to run in bridged mode for Ethernet?

#5 Juno (Specialist, Sergeant Major, 142 posts)

Posted 08 December 2009 - 02:43 AM

To the OP:

A technique that I have found useful for testing these sorts of files (as you will probably go through one image rather quickly) is to first create a WinXP VMware image in its own folder, without any trojans/malware on it. Install Java, Adobe Reader, and all those miscellaneous apps you find useful, as well as any security updates you want to install (or not, depending on your testing scenario).

Then, once you're done installing everything you need to, close VMware, copy the entire folder containing the .vmdk and .vmx files to another location, and rename it 'Master Copy' or something similar. Now, whenever you need to test out a file, you can just make a folder copy of your master and run the copied version of the OS (if VMware prompts you about the image having changed, just select "I copied it").

It really helps to not have to reinstall an OS for each file you want to test, and it helps to ensure forensic integrity, knowing that whatever file changes or damage are done won't affect the master copy (and thus any subsequent images you may make later).

You probably already know this, but all you need is the free VMware Player. You can create your own images for free at:
http://www.easyvmx.c...w-easyvmx.shtml
Hope this helps.

Cheers,

-J
Hacking The Everyday - My blog blabberings about life, computer security, and everything in-between.

#6 infiltrator (Staff Sergeant, Sergeant Major, 421 posts)

Posted 30 April 2010 - 05:48 PM

Hi Zorin,

In this post of yours, you mentioned taking snapshots of the system in order to determine whether any change or alteration has been made to the system.
I was just wondering what tool you are using to accomplish that? Is it the sandbox?

Thank you.
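The "snapshot before, compare after" approach zorin- describes, and that infiltrator asks about, can be done without a dedicated tool by hashing every file in the guest before and after the sample runs and diffing the two baselines. The script below is an added example written for this thread, not a tool anyone in it posted; it builds a small constructed directory tree standing in for a guest disk (paths, file names and the simulated changes are all made up) and reports what was added, removed and modified.

```python
"""Baseline-and-diff of a directory tree: the manual 'snapshot' approach
from the thread. Added example, not a tool from the forum. Run it inside
the guest before/after detonation, or on the host against a mounted or
copied guest image; the demo below uses a constructed sample tree instead."""
import hashlib
import os
import tempfile


def take_baseline(root):
    """Map relative path -> SHA-256 of contents for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            baseline[os.path.relpath(full, root)] = h.hexdigest()
    return baseline


def diff_baselines(before, after):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, removed, modified


def demo():
    """Constructed guest tree, then simulated post-run changes (not a real sample)."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "WINDOWS", "system32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "boot.ini"), "w") as f:
            f.write("[boot loader]\n")
        before = take_baseline(root)
        # Simulated changes: hosts file edited, a file dropped, a file deleted.
        with open(os.path.join(sys32, "hosts"), "a") as f:
            f.write("127.0.0.1 update.example.invalid\n")
        with open(os.path.join(root, "WINDOWS", "dropped_sample.dll"), "wb") as f:
            f.write(b"\x00")
        os.remove(os.path.join(root, "boot.ini"))
        after = take_baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    for label, paths in zip(("added", "removed", "modified"), demo()):
        print(f"{label}: {paths}")
```

A content hash catches in-place modifications that a size-or-timestamp comparison misses (timestamps are trivially reset), which is why the baseline stores a digest rather than metadata.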