PMA 41: Windows 10 or 11 with Analysis Tools (20 pts)

What you need


To set up a Windows 10 or 11 machine with a set of free forensic and malware analysis tools.

The steps below this box explain how to build your own machine, which will take some time.

Mac M1, M2, or M3 Users

If you are using a Mac M1, M2, or M3 machine, you cannot use the process below because you have the newer ARM processor.

Follow these instructions instead.

Here are the choices I recommend during the process:

  • Step 4: Choose Professional
  • Step 8: Choose UEFI
  • Step 9: Choose "Auto Generate Password". Accept the default of "Remember Password and store it in Mac's Keychain".
  • Step 11: Click "Customize Settings".
  • After step 13, change the hard disk size to 150 GB.
  • When first booting the machine, you need to click on the desktop and press Enter to boot from DVD.
  • At the "Activate Windows" screen, click "I don't have a product key".
  • Install "Windows 11 Pro".
  • Perform a Custom installation, not an Upgrade
  • At the "How would you like to set up this device?" screen, click "Set up for personal use"

Get VMware

If you are using a Windows machine, get VMware Player

If you're on MacOS, get VMware Fusion Player

The Fast Way

Windows 11

This is a VMware VM. It has no TPM or encryption.

     Size: 15,135,679,715 bytes (15.15 GB)
     SHA256: 452f47ce0e064cb0d1b067b08079e4c03cc2f4616adaf521f108ab3e314bfbbf

It is a complete VMware virtual machine. Unzip it into a folder.

In VMware, click File, Open and navigate to the .VMX file in that folder.

Log in with these credentials:

  • Username: student
  • Password: P@ssw0rd

Windows 10

License Expired

On Sept 21, 2021, the license on this machine expired.

To activate it for another 90 days,
open an Administrator Command Prompt
and execute this command:

slmgr /rearm
Then restart your machine.

VMware Users

Download this file: Win10_w_Tools_061721a.7z
     Size: 17.46 GB (17,455,336,852 bytes)
     SHA256(Win10_w_Tools_061721a.7z)= bbc4df40f9d334180987c892122851f7d3b7d17471d2aa05d888bc34733ab006

If you are on Windows, you can unzip that file with 7-Zip. If you are on a Mac, use The Unarchiver.

Import the OVF it contains into VMware.
In VMware Workstation Player, use File, Open.


In Aug, 2022 I did this process and the mouse did not work properly in the virtual machine. The solution was to remove VMware tools and install this old version instead.

Download this ZIP file on your host system. Unzip it. Connect the ISO included in it to your virtual machine as a virtual CD ando install it.

VirtualBox Users

Download this file: Win10_w_Tools061721.ova
     Size: 16 GB (17,668,780,032 bytes)
     SHA256(Win10_w_Tools061721.ova)= f0db89dfb633ac86f14e19991e365635959d4bdeb579269feb53086dbf58f7e8

Import it into VirtualBox.

Logging In

Log in with these credentials:
  • Username: IEUser
  • Password: Passw0rd!

Fixing Python

Open an Administrator Command prompt and execute these commands:
cd c:\Windows
mklink /H python.exe c:\python27\python.exe
The hard disk on this virtual machine has already been expanded to 100 GB,
and Windows Defender and SmartScreen have been disabled in Local Group Policy.

Flag PMA 41.1: C: Subfolder (20 pts)

Make sure Immunity Debugger is installed on your Windows virtual machine.

Open File Explorer. In the left pane, expand the C: drive.

The flag is covered by a green box in the image below.

Making your Own Machine

Downloading a Windows 10 VM

In a browser, go to

In the "Virtual Machines" list, select "MSEdge on Win10...", as shown below.

In the Choose a VM platform" list, choose your virtualization software, as shown below.

Download the file. Unzip it and launch it in your virtualization software. For VMware, use File, Import, and customize the virtual machine so it has an 80 GB hard disk.

Log in with these credentials:

Allow Windows to install any updates it wants to.

You may need to install VMware Tools (or the comparable software) manually.

Downloading a Windows 10 or 11 ISO

You can get them here.

If you are installing Windows 11, you may find these pages useful:

Installing Firefox and WinDbg Preview

In your Windows virtual machine, open Edge. Go to

Download and install Firefox.

Install WinDbg Preview
Get it from the Microsoft Store. Do this before disabling Windows Update.

Disabling Windows Update

Click Start. Type Services. Open Services. Scroll down, right-click "Windows Update" and click Properties.

Set the Startup type to Disabled. Click OK.

Adding a Defender Exclusion

Click Start. Type Virus. Open "Virus & threat protection."

In the "Virus & threat protection settings" section, click "Manage settings".

Scroll down and click "Add or remove exclusions". Add a folder exclusion for C:\

Increasing the Hard Disk Size

You need a 100 GB hard disk. If you didn't already increase the hard disk size, you can do it at any time.

Instructions for VMware are here:

Downloading the Installers

To make your own machine, on a Windows machine, download this archive:
     Size: 1.68 GB (1,676,639,482 bytes)
     SHA256: a648709f5a3597bbcdd03fc2b3c1d157b78eb6ba81cc28c0a57706d948248889
It contains all the installers detailed below.

Follow the instructions there to install the programs.

Tools with Installers

Run the installer with the default options.


API Monitor v2r13, 64-bit

Bochs x86 PC emulator

Easy RM to MP3 Converter - Local Buffer Overflow
Run the EXE installer

Explorer Suite (Includes CFF Explorer)
Run the EXE installer

HashCalc No Longer Needed

The download link below no longer works. Instead, to calculate hashes, use PowerShell, like this:
    Get-FileHash -Algorithm SHA1 file.txt
Available algorithms include MD5 and SHA256.



IDA v7.6 (freeware version)

Immunity Debugger (Also installs Python 2.7) -- Copy to "C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands"

Java JRE 64-bit



Visual Studio 2019
Double-click vs_community__1715534944.1623934081.exe.
Check "Desktop development with C++" and install the default selection of tools

Also install "Debugging Tools for Windows" and LiveKD as explained in this project. Don't "Set Up Local Kernel-Mode Debugging".

Tools Without Installers

Create a C:\Tools folder. Double-click Drag bintext.exe to C:\Tools. Right-click C:\Tools\bintext.exe, "Pin to Start"

capa v1.6.3
Double-click, drag to C:\Tools

Dependency Walker 2.2
Double-click. Drag all the files to C:\Tools. Right-click the EXE in C:\Tools, "Pin to Start"

Dll Export Viewer

Double-click. Drag all the files to C:\Tools. Right-click the EXE in C:\Tools, "Pin to Start"

JDK 16.0.1 General-Availability Release
Double-click Drag the jdk-16.0.1 folder to C:\Program Files\Java

Ghidra v9.2.4
Double-click Drag the ghidra_9.2.4_PUBLIC folder to "C:\Program Files"
Right-click C:\Program Files\ghidra_9.2.4_PUBLIC\ghidraRun.bat, "Send to", "Desktop (create shortcut)"

Double-click. Drag all the contents to C:\Tools, right-click C:\Tools\ILSpy.exe, "Pin to Start"

Drag jasmin-1.5.8-PC.jar to C:\Tools, right-click, "Send to", "Desktop (create shortcut)"

Launch the installer from an Administrator PowerShell window.
Halfway through, the installer pauses for a minute or two, just wait for it.
On Windows 11, I needed to use this trick: FIX: Can't Install: Setup Wizard ended Prematurely

OllyDbg 1.10
Double-click. Drag all the contents to C:\Tools (skip the readme). Right-click C:\Tools\OLLYDBG.EXE, "Pin to Start"
OllyDbg Plugins: OllyDump
Double-click Drag OllyDump.dll to C:\Tools

Drag all the contents to C:\Tools (skip the readme).
Right-click C:\Tools\PEiD.exe, "Pin to Start"

Double-click Drag the pestudio folder to C:\Program Files(x86)
Right-click C:\Program Files(x86)\pestudio\pestudio.exe, "Pin to Start"

Double-click Drag PEview.exe to C:\Tools, right-click C:\Tools\PEview.exe, "Pin to Start"

Unzip with 7-Zip and the password malware.
Run the EXE. Redirect the output to the Desktop.

Double-click and drag setdllcharacteristics.exe to C:\Tools

Sysinternals Suite
Double-click. Drag all the contents to C:\Tools (skip the readme).
Right-click C:\Tools\Procmon64.exe, "Pin to Start"
Right-click C:\Tools\procexp64.exe, "Pin to Start"

Double-click Double-click the upx-3.96-win64 folder. Drag upx.exe to C:\Tools

Double-click, and copy vulnserver.exe and essfunc.dll to C:\Tools

Extract into a folder.
Rename that folder to x64dbg.
Drag it to C:\Program Files
Right-click C:\Program Files\x64dbg\release\x64\x64dbg.exe and click "Pin to Start".

Double-click Drag copy yara64.exe and yarac64.exe to C:\Tools

In Control Panel, System, "Advanced System Settings", click "Environment Variables".
In "System variables", double-click Path. Add C:\Tools to the Path.


Export a VMWare Fusion virtual machine
7zz Command Line Commands
Installing Windows 11 as a guest OS on VMware Workstation Pro/Player and Fusion

WinDbg Preview download and Install without MS Store

Mac M1 instructions added and bintext changed to local download 1-25-24
Hashcalc deprecated and replace with PowerSheell 1-31-24
OllyDbg install recommended for flag 2-6-24
Immunity Debugger install for flag recommended 2-10-24