How to Build a Research Lab for Reverse Engineering — 4 Ways

Malware analysis is an important part of a security researcher’s job. However, working with malicious samples is dangerous. You need a dedicated tool to record your activity and a safe environment to prevent unintentional damage.

However, manual lab setup and configuration has proven to be a tedious and time-consuming process.

In this article, we look at four ways to create a reverse engineering lab, discuss how to save time and improve detection rates using cloud services, and provide a recommended list of tools for a comprehensive setup. indicate.

What is Malware Analysis Lab?

Essentially, a malware analysis lab provides a safe, isolated space to inspect malware.

Setups range from simple virtual machines using VirtualBox to more complex networks of interconnected machines and real network hardware.

However, for this article, we are looking at building a lab tuned for static analysis, so we need a safe environment where we can run disassemblers, edit binary files, and debug.

There are several ways to create it.

1 — virtualization

Perhaps the easiest way to create a safe, isolated environment is with a virtual machine.

A popular option is Oracle’s open source software, Virtual Box. If you’re using Linux, use the following command to install: sudo apt install virtualboxAnother popular choice is VMWare. This is a commercial program, but it has a free tier.

Setup is easy — download and install the software, create a virtual machine, make sure there is no network access or shared folders with the host, then boot with the .ISO file of your operating system of choice. .

However, this approach has some drawbacks. You should establish custom detection rules to identify suspicious or malicious entities, independently research new technologies, maintain configurations, and use available tools to determine logging policies. This increased focus on maintenance and configuration undermines the time spent on analysis.

Strong Points

• Available for free or at a low price
• Easy to set up
• Provides an isolated environment when properly configured

Cons

• performance takes a hit
• Limited scalability where the CPU is the bottleneck
• Malware can escape to the host
• Requires manual configuration of detection rules

2 — dedicated hardware

If you have an old laptop lying around, or have the means to acquire or build a PC, this is definitely an option. No need to break the bank. 11th to 13th generation Intel processors make even affordable machines more than a viable option.

The main advantage of choosing a physical computer is that you can be sure that the machine is completely isolated from all devices and networks, thus improving performance and security.

Strong Points:

• Best performing option
• Fully isolated environment
• Infinitely Customizable

Cons:

• High-end hardware is expensive
• Requires software and hardware maintenance
• Must be configured to work

3 — Cloud Lab

Creating a malware lab in the cloud isn’t as difficult as it sounds. It’s also free! All you need is an AWS or equivalent cloud service provider account and a machine to connect to it. Setup may be a little more complicated than with a local virtual machine, but there are many tutorials available to guide you.

If you use AWS, find Kali on the marketplace to set up a Kali Linux virtual machine. To use the GUI, create a VNC server and use a tool such as VNC Viewer to connect to the lab.

One drawback of this approach is that it’s free until it’s free. Exceeding the free tier boundaries can quickly inflate your cloud bill.

In some cases, cloud providers restrict malware execution, posing legal risks. Additionally, cloud his machines require support and strain IT operations. Although suitable for novice independent researchers, this approach presents drawbacks in an enterprise setting. Importantly, it lacks the ability to counter his VM detection of malware and bypass anti-evasion tactics.

Strong Points:

• Scalability
• No hardware maintenance
• Isolate from network for added security

Cons:

• Potential legal risk.
• difficult to set up
• Must be configured to work
• Latency kills work
• Advanced setup is expensive
• Susceptible to anti-Avastin technology

4 — Sandbox as a Service

One of the great benefits of cloud-based sandbox services is their built-in resilience to VM discovery. This makes it less likely that a malware sample will know it’s inside a virtual machine and stop running. This is a feature that requires manual configuration in other sandboxes.

Such services also draw on their vast malware and threat intelligence databases to create detection rules by experts. As a result, the software can enrich the analysis with methodologies and IOCs, producing a more comprehensive output compared to raw data from cloud or on-premises VMs.

Additionally, a cloud-based sandbox service streamlines environment configuration. For example, instead of creating separate snapshots on the VM, ANY.RUN cloud service An easy-to-use menu makes it easy to set up your environment every time you start a lab.

Strong Points

• save time
• ease of use
• Secure and completely isolated from the network
• Hardening against VM detection
• Simple configuration of execution environment

Cons

• Not optimized to work with toolset
• Certain solutions on the market may be delayed
• Virtual machine instances are time limited

Using an online interactive sandbox such as ANY.RUN instead of a lab is more convenient and faster. Useful for automating parts of static analysis, such as malware configuration extraction.

If you want to try ANY.RUN for yourself, we have a special promotion going on right now for Hacker News readers.

Types of software for reverse engineering

Here are some important tools to help reverse engineer malware:

• Disassembler. A disassembler is a must-have for reverse engineering. Being able to translate machine language into human-readable assembly his code gives us insight into how malware works. IDA Pro, Ghidra, and Binary Ninja are all popular disassemblers. To run Ghidra on Linux, first install the JDK and download Ghidra itself to your machine. No installation required. Just run the following command inside the Ghidra directory: chmod +x ghirdRun and ./ghirdaRun.

• Decompiler. A decompiler is similar to a disassembler in that it can transform machine code into source code. It helps you understand the architecture of malware and understand its specific functions and modules. Common decompilers include IDA Pro, Ghidra, and Hex-Rays.

• Debugger. Debuggers help programmers find and troubleshoot errors by going through code line by line, setting breakpoints, and observing how malware works. Some of the most commonly used debuggers are OllyDbg, x64dbg, and WinDbg. x64dbg is currently one of the most popular options. Free download from x64dbg.com.

• HEX editor. The Hex editor can help you scrutinize binary files, understand how files are arranged, find specific values, and manipulate files to see how the virus reacts. Common hex editors include HxD and Hex Workshop.

• Network analysis tool. Certain malware requires an online connection in order to work. A network analysis program like Wireshark can help identify and examine the traffic sent and received by the malware.

Important Malware Analysis Tool

It’s up to the analyst to decide which software to install, but in our opinion the list of must-have tools looks like this:

• Easy detection. to determine the file type
• process hackerHelps monitor system resources, debug software, and detect malware
• process monitorA monitoring tool for Windows that displays real-time file system, registry, and process/thread activity
• wire shark. for analyzing network activity
• x64dbg and guide. Required for both static and dynamic analysis.

Oh, and if you want to get pre-configured labs, you can use a dedicated distribution kit like Remnux. Remnux comes with most of these programs already installed.

There is also a FLARE VM. This is a collection of software installation scripts for Windows-based systems that make it easy to set up and maintain a reverse engineering environment on a virtual machine.

summary

We’ve covered four different ways to create an analytical lab. use virtualization, build dedicated machines, deploy cloud labs, sandbox as a service.

Each of these approaches has its own advantages and disadvantages, and the correct choice depends on what you are trying to achieve and the resources available.

Thankfully, most of these options are completely free.