FLARE VM is the first of its kind freely available and open sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers. Inspired by open-source Linux-based security distributions like Kali Linux, FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation, web assessment, exploitation, vulnerability assessment applications, and many others.

FLARE VM comes in two flavors – Malware Analysis and Penetration Testing editions. Each edition targets a specific task. For example, FLARE VM – Malware Analysis Edition is optimized for and contains tools specifically for reverse engineering malware. The tools included with FLARE VM distribution were either developed or carefully selected by the members of the FLARE (FireEye Labs Advanced Reverse Engineering) Team who have been reverse engineering malware, analyzing exploits and vulnerabilities, and teaching malware analysis classes for over a decade.

The security distribution works as an easily deployable package that you can install on an existing Windows installation. FLARE VM brings a familiar, easy to manage package management system to quickly deploy and customize the platform to suite your specific needs. After the initial installation, you can easily add, remove and update packages in the FLARE VM package repository.

The project will be released at Blackhat Arsenal on Wednesday, July 26th.

Installation

Create and configure a new Windows 7 or newer Virtual Machine. To install FLARE VM on an existing Windows VM, you need to run an installation script. The installation script is a Boxstarter script which is used to deploy FLARE VM configurations and a collection of chocolatey packages. The easiest way to run the script is to use Boxstarter’s web installer as follows:

On the newly created VM, open the following URL in Internet Explorer (other browsers are not going to work): http://boxstarter.org/package/url?[FLAREVM_SCRIPT] Where FLAREVM_SCRIPT is a path or URL to the respective FLARE VM script. For example to install the malware analysis edition: http://boxstarter.org/package/url?https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1 or if you have downloaded and copied the installation script to the local C drive: http://boxstarter.org/package/url?C:\flarevm_malware.ps1 Copy install.bat and flarevm_malware.ps1 on the newly created VM and execute install.bat .

Installing a new package

FLARE VM uses the chocolatey public and custom FLARE package repositories. It is easy to install a new package. For example, enter the following command as Administrator to deploy x64dbg on your system:

cinst x64dbg

Staying up to date

Type the following command to update all of the packages to the most recent version:

cup all

Malware Analysis with FLARE VM

Please see a blog at https://www.fireeye.com/blog/threat-research.html for an example malware analysis session using FLARE VM.

Installed Tools

Debuggers

OllyDbg + OllyDump + OllyDumpEx

OllyDbg2 + OllyDumpEx

x64dbg

WinDbg

Disassemblers ====

IDA Free

Binary Ninja Demo

Java ====

JD-GUI

Visual Basic ====

VBDecompiler

Flash ====

FFDec

.NET ====

ILSpy

DNSpy

DotPeek

De4dot

Office ====

Offvis

Hex Editors ====

FileInsight

HxD

010 Editor

PE ====

PEiD

ExplorerSuite (CFF Explorer)

PEview

DIE

Text Editors ====

SublimeText3

Notepad++

Vim

Utilities ====

MD5

7zip

Putty

Wireshark

RawCap

Wget

UPX

Sysinternals Suite

API Monitor

SpyStudio

Checksum

Unxutils

Python, Modules, Tools ====

Python 2.7

Hexdump

PEFile

Winappdbg

FakeNet-NG

Vivisect

FLOSS

FLARE_QDB

PyCrypto

Cryptography

Other ====

VC Redistributable Modules (2008, 2010, 2012, 2013)

For more information and assistance with setup read up Fireeye’s blog post