New Windows 10 versions

README.adoc

@@ -35,7 +35,7 @@ https://github.com/gosecure/malboxes
 == Requirements
 
 * Python 3.3+
-* packer: https://www.packer.io/docs/install/index.html
+* https://www.packer.io/docs/install/index.html[Packer]
 * vagrant: https://www.vagrantup.com/downloads.html
 * https://www.virtualbox.org/wiki/Downloads[VirtualBox] or an vSphere / ESXi server
 
@@ -132,15 +132,15 @@ include it in a Vagrantfile afterwards.
 
 For example:
 
-    malboxes build win10_64_analyst
+    malboxes build win10_x64_analyst
 
 <<_configuration,The configuration section>> contains further information about
 what can be configured with malboxes.
 
 
 === Per analysis instances
 
-    malboxes spin win10_64_analyst <name>
+    malboxes spin win10_x64_analyst <name>
 
 This will create a `Vagrantfile` prepared to use for malware analysis. Move it
 into a directory of your choice and issue:
@@ -152,7 +152,7 @@ can be changed by commenting the relevant part of the `Vagrantfile`.
 
 For example:
 
-    malboxes spin win7_32_analyst 20160519.cryptolocker.xyz
+    malboxes spin win7_x86_analyst 20160519.cryptolocker.xyz
 
 === To deploy on AWS (optional)
 

docs/windows-licenses.adoc

@@ -10,18 +10,53 @@ If you want to use a trial version make sure you have the following in your
 
     "trial": true
 
-=== Windows 10 32-bit
+=== Windows 10
+
+==== 1903 May 2019 Update (19H1)
+
+===== x64
+
+* filename: 18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso
+* sha1sum: 743FC483BB8BF1901C0534A0AE15208A5A72A3C5
+* download link: https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso
+
+===== x86
+
+* filename: 18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x86FRE_en-us.iso
+* sha1sum: d0373ab9d590ff3d512d9e91b7e3d458026ea1c6
+* download link: https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x86FRE_en-us.iso
+
+
+==== 1703 Creators Update (Redstone 2)
+
+===== x64
+
+* filename: 15063.0.170317-1834.RS2_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO
+* sha1sum: 6c60f91bf0ad7b20f469ab8f80863035c517f34f
+* download link: http://care.dlservice.microsoft.com/dl/download/B/8/B/B8B452EC-DD2D-4A8F-A88C-D2180C177624/15063.0.170317-1834.RS2_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO
+
+===== x86
+
+* filename: 15063.0.170317-1834.RS2_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO
+* sha1sum: 1aa6d3c4451e79e69e84118ec629ad99e2ad36e7
+* download link: http://care.dlservice.microsoft.com/dl/download/B/8/B/B8B452EC-DD2D-4A8F-A88C-D2180C177624/15063.0.170317-1834.RS2_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO
+
+
+==== 1607 Anniversary Update (Redstone 1)
+
+===== x86
 
 * filename: 14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO
 * sha1 checksum: 0b8e56772c71dc7bb73654c61e53998a997e1e4d
 * download link: http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO
 
-=== Windows 10 64-bit
+===== x64
 
 * filename: 14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO"
 * sha1 checksum: a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a
 * download link: http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO"
 
+
 === Windows 7 32-bit
 
 * filename: 7600.16385.090713-1255_x86fre_enterprise_en-us_EVAL_Eval_Enterprise-GRMCENEVAL_EN_DVD.iso

malboxes/installconfig/windows10/Autounattend.xml

@@ -49,7 +49,7 @@
                 <UILanguage>en-US</UILanguage>
                 <WillShowUI>Never</WillShowUI>
             </SetupUILanguage>
-            <InputLocale>{{ input_locale or 'en-US' }}</InputLocale>
+            <InputLocale>{{ input_locale or 'en-US' }}</InputLocale>
             <SystemLocale>en-US</SystemLocale>
             <UILanguage>en-US</UILanguage>
             <UILanguageFallback>en-US</UILanguageFallback>
@@ -62,13 +62,20 @@
         </component>
     </settings>
     <settings pass="oobeSystem">
-        {% if proxy %}
-        <component name="Microsoft-Windows-IE-ClientNetworkProtocolImplementation" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
-            <POLICYProxySettingsPerUser>0</POLICYProxySettingsPerUser>
-            <HKLMProxyEnable>true</HKLMProxyEnable>
-            <HKLMProxyServer>{{ proxy }}</HKLMProxyServer>
-        </component>
-        {% endif %}
+        <component name="Microsoft-Windows-International-Core" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+            <InputLocale>en-US</InputLocale>
+            <SystemLocale>en-US</SystemLocale>
+            <UILanguage>en-US</UILanguage>
+            <UILanguageFallback>en-US</UILanguageFallback>
+            <UserLocale>en-US</UserLocale>
+        </component>
+        {% if proxy %}
+        <component name="Microsoft-Windows-IE-ClientNetworkProtocolImplementation" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
+            <POLICYProxySettingsPerUser>0</POLICYProxySettingsPerUser>
+            <HKLMProxyEnable>true</HKLMProxyEnable>
+            <HKLMProxyServer>{{ proxy }}</HKLMProxyServer>
+        </component>
+        {% endif %}
         <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <AutoLogon>
                 <Password>

malboxes/installconfig/windows10_64/Autounattend.xml

@@ -49,7 +49,7 @@
                 <UILanguage>en-US</UILanguage>
                 <WillShowUI>Never</WillShowUI>
             </SetupUILanguage>
-            <InputLocale>{{ input_locale or 'en-US' }}</InputLocale>
+            <InputLocale>{{ input_locale or 'en-US' }}</InputLocale>
             <SystemLocale>en-US</SystemLocale>
             <UILanguage>en-US</UILanguage>
             <UILanguageFallback>en-US</UILanguageFallback>
@@ -62,13 +62,20 @@
         </component>
     </settings>
     <settings pass="oobeSystem">
-        {% if proxy %}
-        <component name="Microsoft-Windows-IE-ClientNetworkProtocolImplementation" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
-            <POLICYProxySettingsPerUser>0</POLICYProxySettingsPerUser>
-            <HKLMProxyEnable>true</HKLMProxyEnable>
-            <HKLMProxyServer>{{ proxy }}</HKLMProxyServer>
-        </component>
-        {% endif %}
+        <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+            <InputLocale>en-US</InputLocale>
+            <SystemLocale>en-US</SystemLocale>
+            <UILanguage>en-US</UILanguage>
+            <UILanguageFallback>en-US</UILanguageFallback>
+            <UserLocale>en-US</UserLocale>
+        </component>
+        {% if proxy %}
+        <component name="Microsoft-Windows-IE-ClientNetworkProtocolImplementation" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
+            <POLICYProxySettingsPerUser>0</POLICYProxySettingsPerUser>
+            <HKLMProxyEnable>true</HKLMProxyEnable>
+            <HKLMProxyServer>{{ proxy }}</HKLMProxyServer>
+        </component>
+        {% endif %}
         <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <AutoLogon>
                 <Password>

malboxes/malboxes.py

@@ -159,8 +159,17 @@ def prepare_packer_template(config, template_name):
 
     # write to temporary file
     f = create_cachefd('{}.json'.format(template_name))
-    packer_config = template.render(config) # pylint: disable=no-member
-    f.write(packer_config)
+
+    # load packer config as JSON
+    packer_config = json.loads(template.render(config)) # pylint: disable=no-member
+
+    # merge special _malboxes key into config and get rid of it
+    # packer doesn't like unknown keys yet we need to pass info from template to malboxes
+    if packer_config.get('_malboxes'):
+        config.update(packer_config['_malboxes'])
+        packer_config.pop('_malboxes')
+
+    json.dump(packer_config, f, indent=4)
     f.close()
 
     if DEBUG:
@@ -544,6 +553,11 @@ def spin(parser, args):
     print("Vagrantfile generated. You can move it in your analysis directory "
           "and issue a `vagrant up` to get started with your VM.")
 
+    if config.get("windows_defender", "false") == "false" \
+        and config.get("os") == "Windows10" and config.get("os_version") >= 1903:
+        _r = resource_stream(__name__, 'messages/defender-1903.txt')
+        print(_r.read().decode())
+
 
 def prepare_profile(template, config):
     """Converts the profile to a powershell script."""

malboxes/messages/defender-1903.txt

@@ -0,0 +1,7 @@
+
+Starting with Windows 10 May 2019 Update (version 1903) Windows Defender has a Tamper Protection enabled by default. This protection is meant to be unremovable without user intervention (if you know how let us know). If you need Defender disabled it is advised that you manually disable it and then run as Administrator the batch script provided in C:\Tools of the VM. This is only required once.
+
+Instructions to disable Windows Defender Tamper Protection:
+https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-windows-defender-antivirus.html
+
+Batch script to run as Administrator in the VM: C:\Tools\disable_defender.bat

malboxes/scripts/windows/disable_defender.bat

@@ -0,0 +1,53 @@
+@echo off
+rem A modified version of the disable defender script from: https://pastebin.com/kYCVzZPz
+
+@echo on
+rem ==========================================
+rem This section will Disable Windows Defender
+rem You can ignore error messages
+rem 1 - Disable Real-time protection
+reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
+
+rem 0 - Disable Logging
+reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
+reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
+
+rem Disable WD Tasks
+schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
+
+rem Disable WD systray icon
+reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
+reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
+
+rem Remove WD context menu
+reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
+reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
+reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
+
+rem Disable WD services
+reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
+reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
+reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
+reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
+reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
+
+rem Force success exit code
+exit /b 0
+rem ==========================================

malboxes/templates/snippets/provision_powershell.json → malboxes/templates/snippets/provision_win10_common.json

@@ -1,9 +1,19 @@
+{% if not windows_defender == "true" %}
+	{
+		"type": "windows-shell",
+		"script": "{{ dir }}/scripts/windows/disable_defender.bat"
+	},
+	{
+		"type": "file",
+		"source": "{{ dir }}/scripts/windows/disable_defender.bat",
+		"destination": "C:\\Tools\\disable_defender.bat"
+	},
+{% endif %}
 	{
 		"type": "powershell",
 		"scripts": [
 			"{{ dir }}/scripts/windows/allow-WinRM-public.ps1",
 			{% if not windows_updates == "true" %}"{{ dir }}/scripts/windows/disable_auto-updates.ps1",{% endif %}
-			{% if not windows_defender == "true" %}"{{ dir }}/scripts/windows/disable_defender.ps1",{% endif %}
 			{% if hypervisor == "virtualbox" %}
 				"{{ dir }}/scripts/windows/vmtools.ps1",
 			{% endif %}

malboxes/templates/snippets/provision_powershell_win7.json → malboxes/templates/snippets/provision_win7_common.json

@@ -1,9 +1,14 @@
 {# Needed a different provision script due to chocolatey / .Net 4.0 install issues on Windows 7 (gh#59) #}
+{% if not windows_defender == "true" %}
+	{
+		"type": "windows-shell",
+		"script": "{{ dir }}/scripts/windows/disable_defender.bat"
+	},
+{% endif %}
 	{
 		"type": "powershell",
 		"scripts": [
 			{% if not windows_updates == "true" %}"{{ dir }}/scripts/windows/disable_auto-updates.ps1",{% endif %}
-			{% if not windows_defender == "true" %}"{{ dir }}/scripts/windows/disable_defender.ps1",{% endif %}
 			{% if hypervisor == "virtualbox" %}
 				"{{ dir }}/scripts/windows/vmtools.ps1",
 			{% endif %}

malboxes/templates/win10_64_analyst.json → malboxes/templates/snippets/win10_x64_analyst.json

@@ -10,10 +10,10 @@
 		{% endif %}
 
 		"iso_urls": [
-			"file://{{ iso_path }}/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO",
-			"http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO"
+			"file://{{ iso_path }}/{{ iso_filename }}",
+			"{{ iso_url }}"
 		],
-		"iso_checksum": "a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a",
+		"iso_checksum": "{{ iso_checksum }}",
 		"iso_checksum_type": "sha1",
 
 		"floppy_files": [
@@ -30,7 +30,7 @@
 
 	"provisioners": [
 
-		{% include 'snippets/provision_powershell.json' %}
+		{% include 'snippets/provision_win10_common.json' %}
 
 		{% if tools_path %},
 			{% include 'snippets/tools.json' %}
@@ -45,4 +45,3 @@
 			{% endfor %}
 		{% endif %}
 	]
-}

malboxes/templates/win10_32_analyst.json → malboxes/templates/snippets/win10_x86_analyst.json

@@ -10,10 +10,10 @@
 		{% endif %}
 
 		"iso_urls": [
-			"file://{{ iso_path }}/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO",
-			"http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO"
+			"file://{{ iso_path }}/{{ iso_filename }}",
+			"{{ iso_url }}"
 		],
-		"iso_checksum": "0b8e56772c71dc7bb73654c61e53998a997e1e4d",
+		"iso_checksum": "{{ iso_checksum }}",
 		"iso_checksum_type": "sha1",
 
 		"floppy_files": [
@@ -28,7 +28,7 @@
 
 	"provisioners": [
 
-		{% include 'snippets/provision_powershell.json' %}
+		{% include 'snippets/provision_win10_common.json' %}
 
 		{% if tools_path %},
 			{% include 'snippets/tools.json' %}
@@ -42,4 +42,3 @@
 			{% endfor %}
 		{% endif %}
 	]
-}

malboxes/templates/win10_1607_x64_analyst.json

@@ -0,0 +1,6 @@
+{% set iso_filename = '14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO' %}
+{% set iso_url = 'http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO' %}
+{% set iso_checksum = 'a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a' %}
+{% include 'snippets/win10_x64_analyst.json' %}
+    , "_malboxes": {"os": "Windows10", "os_version": 1607}
+}

malboxes/templates/win10_1607_x86_analyst.json

@@ -0,0 +1,6 @@
+{% set iso_filename = '14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO' %}
+{% set iso_url = 'http://download.microsoft.com/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO' %}
+{% set iso_checksum = '0b8e56772c71dc7bb73654c61e53998a997e1e4d' %}
+{% include 'snippets/win10_x86_analyst.json' %}
+    , "_malboxes": {"os": "Windows10", "os_version": 1607}
+}

malboxes/templates/win10_1903_x64_analyst.json

@@ -0,0 +1,6 @@
+{% set iso_filename = '18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso' %}
+{% set iso_url = 'https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso' %}
+{% set iso_checksum = '743FC483BB8BF1901C0534A0AE15208A5A72A3C5' %}
+{% include 'snippets/win10_x64_analyst.json' %}
+    , "_malboxes": {"os": "Windows10", "os_version": 1903}
+}