This repository contains documentation and setup files for creating a malware analysis lab using VMware with both Kali Linux and Windows virtual machines. The lab is designed for analyzing malware in a controlled, isolated environment to understand its behavior, network activity, and overall impact.
This project aims to provide a detailed and structured setup guide for building a safe and functional malware analysis lab. By using VMware, Kali Linux, and Windows, you can perform both static and dynamic malware analysis, all within a secure environment.
Before beginning, ensure you have the following:
- VMware Workstation/Player: Download from the official VMware website.
- Kali Linux ISO: Available at Kali Linux Downloads.
- Windows ISO: Obtain from Microsoft's official site or use a pre-configured Windows virtual machine.
- A computer with sufficient resources (recommended 16 GB RAM, modern multi-core CPU, and SSD storage).
- At least 80 GB of available disk space for both virtual machines.
- Download VMware: Install VMware Workstation or Player from the official site.
- Create Virtual Machines:
  - Open VMware and create new virtual machines for both Kali Linux and Windows.
  - Use the downloaded ISO files for installation.
- VM Configuration:
  - Allocate at least 4 GB of RAM and 2 cores for each VM.
  - Configure the network settings to NAT or Host-only to isolate the VMs from your main network. Host-only keeps the VMs off the external network entirely; NAT still allows outbound connections through the host, so prefer Host-only whenever the sample must not reach the internet.
- Install Kali Linux: Follow the standard installation process with the ISO.
- Update and Upgrade: Run the following to ensure you have the latest updates:

  ```sh
  sudo apt update && sudo apt upgrade -y
  ```
Depending on the analysis you want to perform, you may need to install additional tools that are not pre-installed. Some examples of these tools include:
- Cuckoo Sandbox: Automated malware analysis system for sandboxing malware.
- Ghidra: Advanced reverse engineering tool for binary analysis.
See the Tools Used section for more information.
- Set up the Windows virtual machine using your ISO or VM file.
- Configure Windows for malware analysis:
  - Disable Windows Defender and real-time protection to allow safe execution of malware.
  - Install analysis tools such as Process Monitor and Process Explorer.
- Network Configuration:
  - Ensure Windows is isolated from your main network by configuring the VM to use NAT or Host-only mode.
See the Popular Tools for Windows section for additional tool recommendations.
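Both the Kali and the Windows configuration steps above rely on the VM network mode keeping samples off your main network. The following pre-flight check is an added example, not part of this repository: run inside the Kali VM, it reads the `ip route` table and reports the VM as exposed when a default route exists. It assumes the stock VMware Host-only configuration, which hands out no gateway, whereas NAT mode does; the route tables embedded below are constructed samples, not captured from a real machine.

```sh
#!/bin/sh
# Pre-flight isolation check for the analysis VM (added example).
# Assumption: a VMware Host-only network provides no default gateway, while
# NAT mode does, so a "default via ..." line means the VM can reach outside.

# Constructed `ip route` output for a Host-only VM: only the link route.
ROUTES_HOST_ONLY='192.168.56.0/24 dev eth0 proto kernel scope link src 192.168.56.101'

# Constructed `ip route` output for a NAT VM: a default route via the NAT gateway.
ROUTES_NAT='default via 192.168.233.2 dev eth0 proto dhcp metric 100
192.168.233.0/24 dev eth0 proto kernel scope link src 192.168.233.128'

# Succeed (exit 0) only when the route table on stdin has no default route.
has_no_default_route() {
    ! grep -q '^default '
}

# Print "isolated" or "exposed" for the route table on stdin.
isolation_status() {
    if has_no_default_route; then
        echo isolated
    else
        echo exposed
    fi
}

# Check the live system when `ip` is available (skipped on hosts without it).
check_live_system() {
    if command -v ip >/dev/null 2>&1; then
        ip route | isolation_status
    else
        echo "ip command not found; nothing checked"
    fi
}

# Demonstrate on the constructed tables, then on the running system.
printf 'Host-only sample: %s\n' "$(printf '%s\n' "$ROUTES_HOST_ONLY" | isolation_status)"
printf 'NAT sample:       %s\n' "$(printf '%s\n' "$ROUTES_NAT" | isolation_status)"
printf 'This machine:     %s\n' "$(check_live_system)"
```

Run it before detonating anything; if it prints `exposed`, switch the VM's adapter to Host-only and re-run until it prints `isolated`.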
Kali Linux is packed with tools for malware analysis. Here are some important tools you can highlight in your lab:
- Ghidra: Open-source reverse engineering tool.
- Radare2: Binary analysis framework.
- strace: Tool to trace system calls.
- lsof: List open files used by processes.
- netstat: Network statistics tool to monitor connections.
- tcpdump: Captures and analyzes network traffic.
- Wireshark: GUI network protocol analyzer.
- Volatility: Memory forensics framework.
- Cuckoo Sandbox: Automated malware analysis system.
- YARA: Tool for identifying and classifying malware.
For analyzing malware behavior in Windows, you can use the following tools:
- Process Monitor (ProcMon): Real-time file system, registry, and process/thread activity monitoring.
- Process Explorer: Provides detailed information about running processes.
- Wireshark: Network protocol analyzer for Windows.
- ApateDNS: Fakes DNS responses for malware.
- Fakenet-NG: Simulates internet services for malware.
- PEiD: Detects packers, cryptors, and compilers used in executable files.
- RegShot: Takes snapshots of your registry and detects differences.
- Launch the VMs: Start both Kali Linux and Windows VMs.
- Begin Analysis:
  - Use Kali Linux for reverse engineering and network monitoring.
  - Use Windows for dynamic malware execution and behavioral analysis.
- Network Monitoring: Use tools like Wireshark or tcpdump to capture network traffic and analyze any suspicious connections made by the malware.
- File/System Monitoring: On Windows, run tools like ProcMon to track file and system changes triggered by the malware.
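To give the network-monitoring step something concrete, here is an added example (not code from this repository) that post-processes the text output of `tcpdump -nn` captured on the Kali VM. It lists the DNS names the sample looked up, the unique TCP destinations it tried to open, and, as the useful alert in a Host-only lab, any destination outside the private address ranges. The capture lines embedded below are constructed, not from a real sample, and the function names are the example's own.

```sh
#!/bin/sh
# Summarise `tcpdump -nn` text output from the lab network (added example).
# Usage on a real capture: tcpdump -nn -r capture.pcap | dns_queries, etc.

# Constructed sample of `tcpdump -nn` output: one DNS lookup by the Windows VM,
# the resolver's answer, and three TCP SYNs (two to the resolved address).
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.56.101.49152 > 192.168.56.1.53: 4711+ A? c2-example.test. (34)
12:00:01.000500 IP 192.168.56.1.53 > 192.168.56.101.49152: 4711 1/0/0 A 203.0.113.10 (50)
12:00:01.001000 IP 192.168.56.101.49153 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000000 IP 192.168.56.101.49154 > 192.168.56.1.80: Flags [S], seq 2, win 64240, length 0
12:00:02.500000 IP 192.168.56.101.49155 > 203.0.113.10.443: Flags [S], seq 3, win 64240, length 0'

# Print each name queried in an A or AAAA request, without the trailing dot.
dns_queries() {
    awk '/ A\? | AAAA\? / {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(A|AAAA)\?$/) { sub(/\.$/, "", $(i+1)); print $(i+1) }
    }' | sort -u
}

# Print unique "ip:port" destinations of TCP SYNs, i.e. new outbound connections.
# Field 5 looks like "203.0.113.10.443:"; the last dotted component is the port.
tcp_destinations() {
    awk '/Flags \[S\],/ {
        dst = $5; sub(/:$/, "", dst)
        n = split(dst, p, ".")
        print p[1] "." p[2] "." p[3] "." p[4] ":" p[n]
    }' | sort -u
}

# Keep only destinations outside RFC 1918 and loopback space. In a Host-only
# lab nothing should leave the private subnet, so every line here needs a look.
non_private_destinations() {
    tcp_destinations | awk -F: '
        $1 ~ /^10\./                          { next }
        $1 ~ /^192\.168\./                    { next }
        $1 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./  { next }
        $1 ~ /^127\./                         { next }
        { print }'
}

# Run all three views over the constructed sample.
report() {
    echo "== DNS queries ==";          printf '%s\n' "$SAMPLE_CAPTURE" | dns_queries
    echo "== TCP destinations ==";     printf '%s\n' "$SAMPLE_CAPTURE" | tcp_destinations
    echo "== Non-private targets ==";  printf '%s\n' "$SAMPLE_CAPTURE" | non_private_destinations
}
report
```

Pair it with a packet capture started before the sample is launched (`tcpdump -nn -i <host-only interface> -w capture.pcap`); the non-private list is the quick answer to "did anything try to leave the lab?", and the DNS list gives you names to cross-check in Wireshark or against YARA/IOC rules.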
Contributions are welcome! If you have improvements or additional tools that can be useful for the lab, please fork this repository and submit a pull request.