VMCloak 0.2: Windows 7 Support

A couple of months ago I released the first version of
VMCloak, now it’s time for version 0.2. VMCloak is a tool for
automatically creating and configuring Virtual Machines for
Cuckoo Sandbox.

What’s new?

In this version of VMCloak we introduce the long-awaited Windows 7
support. This means VMCloak can now automatically create and configure
Windows 7 virtual machines for Cuckoo Sandbox.

Usage

Those who have used VMCloak in the past will see that creating Windows 7
virtual machines is now just as easy as creating Windows XP virtual machines.
Creating a Windows 7 virtual machine goes as follows:

# Install the latest vmcloak.
sudo pip install vmcloak --upgrade

# Mount the Windows 7 Installer ISO.
sudo mkdir -p /mnt/win7
sudo mount -o loop,ro win7.iso /mnt/win7

# Ensure VirtualBox' hostonly adapter is up.
vmcloak-vboxnet0

# Create a 64-bit Windows 7 VM with the name win7vm.
# This will take about 15 to 20 minutes.
vmcloak -r --win7x64 win7vm

Besides a couple of internal changes, the only thing that changed for Windows
XP support is that you'll now have to specify --winxp when creating a
Windows XP virtual machine, for example:

vmcloak -r --winxp winxp0 --serial-key AAAAA..EEEEE

32-bit vs 64-bit

With Windows 7 in mind, it makes sense that VMCloak now supports both 32-bit
and 64-bit Windows 7 installations. In practice this means that VMCloak will
install the 64-bit version of the .NET framework, the 64-bit version of the
Microsoft C Runtime, and so on, instead of their 32-bit counterparts.
For this to work, however, you'll have to tell VMCloak that the 64-bit
libraries should be used instead of the 32-bit ones. This can be done either
by passing the --x64 flag to vmcloak alongside --win7, or by using the
combined --win7x64 flag, which is shorthand for --win7 --x64.

(The upcoming version of Cuckoo Sandbox, version 1.3, will support
64-bit analysis!)

VMCloak Birds

Those who want to deploy multiple virtual machines in a relatively short
time window while using as few resources as possible might like
VMCloak's bird feature.
VirtualBox supports immutable disks: disks that are created once and then
never changed again; any writes on top of an immutable disk go to a separate,
per-VM differencing disk. VMCloak uses this to create a bird image, a fully
installed and configured Windows installation on an immutable disk. Creating
a Virtual Machine ready to be used by Cuckoo Sandbox out of this bird image
then consists of a couple of steps:

  • Create a new Virtual Machine.
  • Attach the immutable bird image.
  • Boot into Windows.
  • Configure a unique static IP address for this VM.
  • Run Cuckoo and take a snapshot of the VM.

Naturally all these steps are handled by vmcloak-clone.

Bird images are crucial when running a Cuckoo Sandbox instance with more
than a handful of VMs on one machine. Whereas creating a new VM with Windows 7
installed, such as a bird image, takes about 15 minutes and almost
10 GB of disk space, creating a clone of a bird image takes less than a minute
and less than 1 GB per clone.
Note that you'll still need the bird image after cloning: each clone's
differencing disk only holds the changes made on top of it. (Basically,
instead of installing Windows 7 10 times for 10 VMs, the bird image allows you
to install Windows 7 once and then re-use this installation.)

Following is a quick guide to setting up 10 VMs using a VMCloak bird. Running
these commands should take up to half an hour to finish – just enough to go
for lunch.

# Create the 64-bit Windows 7 Bird.
vmcloak -r --win7x64 --bird win7bird

# Create 10 VMs.
for i in {0..9}; do
    vmcloak-clone -r --bird win7bird win7_$i
done
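The commands in the Usage section and the bird loop above run with no checks, so a missing ISO mount or a typo in a VM name only shows up a quarter of an hour later. The following script wraps the same procedure with the preflight checks and post-build verification a practitioner would want. It is an added example written for this page, not code from VMCloak or its author: it assumes vmcloak, vmcloak-clone, vmcloak-vboxnet0 and VBoxManage are on PATH, uses only the vmcloak flags shown in the post (-r, --win7x64, --bird), assumes the ISO is mounted at /mnt/win7 as in the post, and assumes the bird ends up registered as a VirtualBox VM under the name given to --bird. The parsers for `VBoxManage list hostonlyifs` and `VBoxManage list vms` follow VirtualBox's documented output format and are tested below on constructed sample output.

```shell
#!/bin/sh
# Added example (not part of VMCloak): build one Windows 7 x64 bird and
# COUNT clones for Cuckoo, with the checks the bare commands lack.
# Assumes vmcloak, vmcloak-clone, vmcloak-vboxnet0 and VBoxManage on PATH
# and only the vmcloak flags shown in the post (-r, --win7x64, --bird).
set -eu

BIRD="${BIRD:-win7bird}"              # name of the immutable bird VM
COUNT="${COUNT:-10}"                  # number of clones to create
PREFIX="${PREFIX:-win7_}"             # clones are named win7_0 .. win7_9
ISO_MOUNT="${ISO_MOUNT:-/mnt/win7}"   # where the Windows 7 ISO is mounted

# Print the IPv4 address of host-only interface $1, given the output of
# "VBoxManage list hostonlyifs" on stdin (one "Name:" / "IPAddress:" record
# block per interface). Prints nothing if the interface is absent.
hostonly_ip() {
    awk -v want="$1" '$1 == "Name:" { cur = $2 }
                      $1 == "IPAddress:" && cur == want { print $2 }'
}

# Turn "VBoxManage list vms" output, one  "name" {uuid}  per line, into
# bare VM names, one per line.
vbox_vm_names() {
    sed -n 's/^"\(.*\)" {[0-9a-fA-F-]*}$/\1/p'
}

# Return 0 if VM $1 is present in the "VBoxManage list vms" output on stdin.
vm_in_list() {
    vbox_vm_names | grep -qxF -- "$1"
}

# Print $1 clone names with prefix $2: win7_0, win7_1, ...
clone_names() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%s%d\n' "$2" "$i"
        i=$((i + 1))
    done
}

# Fail early instead of 15 minutes into the bird install.
preflight() {
    for tool in vmcloak vmcloak-clone vmcloak-vboxnet0 VBoxManage; do
        command -v "$tool" >/dev/null 2>&1 ||
            { echo "missing tool: $tool" >&2; return 1; }
    done
    # Windows 7 install media carries sources/install.wim; if it is not
    # there the ISO is not mounted (assumes the mount point from the post).
    [ -f "$ISO_MOUNT/sources/install.wim" ] ||
        { echo "no Windows 7 install media under $ISO_MOUNT" >&2; return 1; }
}

main() {
    preflight
    vmcloak-vboxnet0
    ip=$(VBoxManage list hostonlyifs | hostonly_ip vboxnet0)
    [ -n "$ip" ] || { echo "vboxnet0 has no IPv4 address" >&2; exit 1; }
    echo "host-only adapter vboxnet0 is up at $ip"

    before=$(VBoxManage list vms)
    # Assumption: the bird is registered as a VM named $BIRD, so an
    # existing one can be reused instead of reinstalled.
    if printf '%s\n' "$before" | vm_in_list "$BIRD"; then
        echo "reusing existing bird $BIRD"
    else
        vmcloak -r --win7x64 --bird "$BIRD"      # ~15-20 minutes, ~10 GB
    fi

    for name in $(clone_names "$COUNT" "$PREFIX"); do
        if printf '%s\n' "$before" | vm_in_list "$name"; then
            echo "skipping $name: already registered"
            continue
        fi
        vmcloak-clone -r --bird "$BIRD" "$name"   # < 1 minute, < 1 GB each
    done

    # Verify every clone is registered before handing the list to Cuckoo.
    after=$(VBoxManage list vms)
    for name in $(clone_names "$COUNT" "$PREFIX"); do
        printf '%s\n' "$after" | vm_in_list "$name" ||
            { echo "VM $name is missing after build" >&2; exit 1; }
    done
}

# Only act when invoked as "sh build-birds.sh build"; otherwise just define
# the functions so the script can be sourced or its parsers tested.
if [ "${1:-}" = "build" ]; then
    main
fi
```

Run it as `COUNT=10 sh build-birds.sh build`. The parsers take their input on stdin rather than calling VBoxManage themselves, which is what makes them testable without a VirtualBox install and lets the same functions be reused by a Cuckoo-side health check that compares `VBoxManage list vms` against the machines listed in virtualbox.conf.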

What’s next?

As always further cloaking the VMs is on the roadmap. If anyone has tricks &
tips on known detection vectors that would be useful for VMCloak, please do
let me know. E.g., registry keys containing known values specific to
virtualization software, etc.

Other than that, I’ve been working hard on 64-bit analysis for Cuckoo Sandbox
for a while now, so there’s that ;) And a bunch of other new and upcoming
features in Cuckoo.

Contact

For any questions or suggestions, please feel free to
reach out to me.
