Earlier this year I wanted to get into malware analysis, I prefer learning things hands on so I asked one of my professors to recommend resources that were suitable, he told me to check out Practical Malware Analysis by Andrew Honig & Michael Sikorski.
Personally I had a lot of fun with this book, while the book is quite old, I believe the information covered (within the scope of this blog) are foundational and provide a good stepping stone into one’s malware journey.
The book is quite interesting and did deliver in the sense of being practical, however while going through the book I sometimes had a bit of trouble setting up the labs right and finding the right resources, so I’m writing this blog with a step by step instruction on setting up the labs for upto Chapter 3 in the book.
During malware analysis it is a given that one must use a VM, here I will be using VMware Workstation to handle the machines.
Setting Up VMs
We use 2 virtual machines here, a Windows XP VM and a Debian VM. First lets go over configuring VMware, you can install it here, you’ll need to create an account before installation. After the setup is done you should see a screen similar to this,
Now download the Windows XP VM, Microsoft no longer supports an official download for this but I looked around a little and found someone hosting it on Github, After downloading the .ova file, you can just select the
Open a Virtual Machine option and open the ova file, you now have a working Windows XP VM. This is where the malware will be analysed.
For the Windows VM select
Edit virtual machine settings under
Network Adapter and set it to
Host-Only, most malware requires networking capabilities so this is done to make sure the malware cannot attack your actual network.
The Debian VM will be used to simulate a network for basic dynamic analysis, the .vmdk file can be found here I would suggest picking the 64 bit Desktop version.
To create the Debian VM, select
Create a New Virtual Machine, For the Operating System select
I will install the operating system later, for the operating system type select
Debian 10.x, the remaining options are upto you, you may leave the default settings.
After that is done select
Edit virtual machine settings for the Debian VM, under
Hard Disk, then at the very bottom select the
Add option, adding a new Hard Disk, select the recommended Disk Type, when it prompts to select a disk, use an existing disk and browse to the downloaded Debian .vmdk file, save this as the new Hard Disk.
You can now boot up the VM , the username and password for this VM are both
Setting Up Labs
Now with the VMs in place lets get our labs, you can downloaded the binaries here, however don’t unzip it yet. Being a book for beginners quite a few of these binaries are old and therefore are automatically removed if detected on newer computers. You cannot download it directly to the Windows VM due to the network settings.
What you should do this use a USB to transfer files between the VM & main computer, this is how I installed most of the required tools as well. Unzipping the files in the Windows VM should leave all the labs intact for you to play with.
Finally the tools, most of these are quite easy to find online and their purposes are explained throughout the book. I’ve compiled a zipped version of the tools required for chapters 0-3 , of the files here
INETSIM is to used on the Debian VM, the others should be installed on Windows VM. Download the tools here.
You’re all ready for Practical Malware Analysis, this guide should set you up and (hopefully) you won’t have to scavenge the Internet to download things, I hope you have as much as fun as I did with this book!