Analyzing malware in VM - Best practices

If you have ever used or deployed Windows images on VMs and tried to use them for malware research, I'm sure you hit a big hurdle once you went past 30 days of use, especially if you made no snapshot.
By default, Windows limits legitimate use of its images to 10 + 30 days; after that it tries to force you to buy a license by springing inconvenient surprises on you:
changing your background, multiple unannounced reboots throughout the day and sudden shutdowns of your machine.

To get around that, you can invoke slmgr.exe and rearm the expiration date 3 times, for an additional 90 days of use.
I found myself having exhausted those 3 shots, and looked for other means to prolong my VM.

Microsoft limits the number of rearms to 3.
Note: If you install a service pack the count will increase by 1.
With this registry key, you can do it 8 times.

Grab a fresh copy of a Windows version of your choice from here:
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms
Note: The password to your VM is "Passw0rd!"

After installation, change the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\SkipRearm

Let's check the license status:

Querying the key with the reg query command and then changing it to 0x1 ensures that the license information is deleted and you can rearm again and again. To my knowledge, the system will remain in its grace period, but I'll come back to this post once I have tested this thoroughly.

You can read up on SkipRearm key here:

TechNet SkipRearm:
https://technet.microsoft.com/en-us/library/cc722350(v=ws.10).aspx

UnAttended Sysprep:
https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-security-spp-skiprearm

Best practices for image building:
https://blogs.technet.microsoft.com/askcore/2011/05/11/sysprep-skiprearm-and-image-build-best-practices



==================
Drafts:
Lenny Zeltser sandbox cheat sheet
http://unprotect.tdgt.org/images/2/23/Sandbox-Cheatsheet-1.1.pdf


snapshot
network segmentation, host-only
no patches
Word / PDF reader apps
2 processors
no VM guest tools
FakeNet

Change the default MAC address. Default first 3 bytes (OUI) of VMware MAC addresses:
00:0C:29
00:1C:14
00:50:56
00:05:69


Change or remove the following registry keys:
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\"Identifier";"VMWARE"
HKLM\SOFTWARE\VMware, Inc.\VMware Tools
HKLM\HARDWARE\Description\System\"SystemBiosVersion";"VMWARE"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\"DriverDesc";"Vmware SCSI Controller"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\"ProviderName";"VMware, Inc."



Check the name of, or remove, the following processes:
VMwareService.exe
Vmwaretray.exe
TPAutoConnSvc.exe
Vmtoolsd.exe
Vmwareuser.exe

Check the names of the default paths or files:
system32\drivers\vmmouse.sys
system32\drivers\vmhgfs.sys
Program Files\VMware

Malware can detect a sandbox in different ways. Normal user activity should be reproduced to avoid detection.
Reproduce or change the following elements to avoid detection:
Mouse movement
Office recent files
Screen resolution
Wallpaper
Memory size
Hard drive size
Installed software
Hostname
USB drive
Printer
Number of processor


Sandboxes can be used for automatic analysis, but also for manual analysis.
Rename the following analysis tools (NB: all of these analysis tools can be detected by malware through their original process names):
Wireshark.exe
Ollydbg.exe
ProcessHacker.exe
TCPview.exe
Autoruns.exe/Autorunsc.exe
filemon.exe
ProcMon.exe
regmon.exe
procexp.exe
HookExplorer.exe
SysInspector.exe
PETools.exe
DumpPcap.exe

sandbox building
choose a Windows VM image from modern.io or
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
32-bit vs 64-bit
slmgr -rearm, slmgr -dlv, slmgr -ato
snapshot and export the sandbox so you can import it later
VM cloning
disable Defender and the firewall
turn off Windows Update
shared folders
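To tie the notes above together, here is an added audit script (not part of the original post) that you can run inside the analysis VM as Administrator: it reports the remaining rearm count, the grace period and the SkipRearm value, and then flags which of the VMware artifacts listed above (registry values, guest-tool processes, driver files and MAC OUIs) are still visible. Only standard Windows cmdlets, CIM classes and registry paths are used; the list of artifacts is the one from this page.

```powershell
# Added example: audit an analysis VM for license state and VMware artifacts.
# Run as Administrator inside the guest. Read-only: nothing is changed.
$findings = @()

# 1. Licensing: rearms left, grace period (minutes) and the SkipRearm value
$svc  = Get-CimInstance -ClassName SoftwareLicensingService
$prod = Get-CimInstance -ClassName SoftwareLicensingProduct |
    Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' }
$spp  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
$skip = (Get-ItemProperty -Path $spp -Name SkipRearm -ErrorAction SilentlyContinue).SkipRearm
"Rearms left: $($svc.RemainingWindowsReArmCount)  Grace minutes: $($prod.GracePeriodRemaining)  SkipRearm: $skip"

# 2. Registry values that name the hypervisor (from the list above)
$regChecks = @{
    'HKLM:\HARDWARE\DESCRIPTION\System' = 'SystemBiosVersion'
    'HKLM:\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0' = 'Identifier'
    'HKLM:\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000' = 'ProviderName'
}
foreach ($key in $regChecks.Keys) {
    $name  = $regChecks[$key]
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).($name)
    if ("$value" -match 'vmware') { $findings += "Registry $key\$name = $value" }
}
if (Test-Path 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools') { $findings += 'VMware Tools registry key present' }

# 3. Guest-tool processes that are currently running
$procNames = 'VMwareService', 'Vmwaretray', 'TPAutoConnSvc', 'Vmtoolsd', 'Vmwareuser'
Get-Process -Name $procNames -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Process running: $($_.Name).exe" }

# 4. Driver files and the default install directory
$paths = "$env:SystemRoot\System32\drivers\vmmouse.sys",
         "$env:SystemRoot\System32\drivers\vmhgfs.sys",
         "$env:ProgramFiles\VMware"
foreach ($p in $paths) { if (Test-Path $p) { $findings += "Path exists: $p" } }

# 5. Network adapters whose MAC address starts with a VMware OUI
$ouis = '00:0C:29', '00:1C:14', '00:50:56', '00:05:69'
Get-NetAdapter | ForEach-Object {
    $oui = ($_.MacAddress -replace '-', ':').Substring(0, 8).ToUpper()
    if ($ouis -contains $oui) { $findings += "Adapter '$($_.Name)' has VMware OUI $oui" }
}

if ($findings) { $findings | ForEach-Object { "[!] $_" } } else { '[+] No VMware artifacts found' }
```

Run it again after each change to the image and before taking the snapshot you intend to keep, so the exported sandbox is the one that passed the audit.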
