PMA 41: Windows 10 or 11 with Analysis Tools (20 pts)

What you need

• A computer with VMware or some other hypervisor product installed

Purpose

The steps below this box explain how to build your own machine, which will take some time.

Installing a Hypervisor Install VMware, VirtualBox, or some other virtualization software on your machine. I recommend the VMware Products.

The Fast Way Windows 11 This is a VMware VM. It has a TPM, encrypted with a password of P@ssw0rd If you have an Intel or AMD processor, download this file:       Win11_For_Malware_2025.zip      Size: 19,359,789,868 bytes (19.36 GB)      SHA-1: aebe2c55a08884e354ceeae03ac6d0b264645d09 If you have an ARM processor, download this file:       Win11ARM_w_Tools.zip      Size: 24,169,167,885 bytes (24.18 GB on disk)      SHA-1: 2dad78b1679efb62d7d40e9f53f16beff61b3131 It is a complete VMware virtual machine. Unzip it into a folder. In VMware, click File, Open and navigate to the .VMX file in that folder. Log in with these credentials: Username: student Password: P@ssw0rd In case anyone needs it, here's the previous trial version of Win 11 I made a few years ago. I don't recommend using it anymore. Win11_NoTPM.vmwarevm.zip Windows 10 License Expired On Sept 21, 2021, the license on this machine expired. To activate it for another 90 days, open an Administrator Command Prompt and execute this command: slmgr /rearm Then restart your machine. VMware Users Download this file: Win10_w_Tools_061721a.7z      Size: 17.46 GB (17,455,336,852 bytes)      SHA256(Win10_w_Tools_061721a.7z)= bbc4df40f9d334180987c892122851f7d3b7d17471d2aa05d888bc34733ab006 If you are on Windows, you can unzip that file with 7-Zip. If you are on a Mac, use The Unarchiver. Import the OVF it contains into VMware. In VMware Workstation Player, use File, Open. Troubleshooting In Aug, 2022 I did this process and the mouse did not work properly in the virtual machine. The solution was to remove VMware tools and install this old version instead. Download this ZIP file on your host system. Unzip it. Connect the ISO included in it to your virtual machine as a virtual CD ando install it. VirtualBox Users Download this file: Win10_w_Tools061721.ova      Size: 16 GB (17,668,780,032 bytes)      SHA256(Win10_w_Tools061721.ova)= f0db89dfb633ac86f14e19991e365635959d4bdeb579269feb53086dbf58f7e8 Import it into VirtualBox. Logging In Log in with these credentials: Username: IEUser Password: Passw0rd! Fixing Python Open an Administrator Command prompt and execute these commands: cd c:\Windows mklink /H python.exe c:\python27\python.exe The hard disk on this virtual machine has already been expanded to 100 GB, and Windows Defender and SmartScreen have been disabled in Local Group Policy.

Flag PMA 41.1: C: Subfolder (20 pts) Make sure Immunity Debugger is installed on your Windows virtual machine. Open File Explorer. In the left pane, expand the C: drive. The flag is covered by a green box in the image below.

Making your Own Machine

Mac M1, M2, or M3 Users If you are using a Mac M1, M2, or M3 machine, you cannot use the process below because you have the newer ARM processor. Follow these instructions instead.

Downloading a Windows 10 VM

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

In the "Virtual Machines" list, select "MSEdge on Win10...", as shown below.

In the Choose a VM platform" list, choose your virtualization software, as shown below.

Download the file. Unzip it and launch it in your virtualization software. For VMware, use File, Import, and customize the virtual machine so it has an 80 GB hard disk.

Log in with these credentials:

• Username: IEUser
• Password: Passw0rd!

You may need to install VMware Tools (or the comparable software) manually.

Downloading a Windows 10 or 11 ISO

If you are installing Windows 11, you may find these pages useful:

• How to Bypass Windows 11's TPM, CPU and RAM Requirements
• How to bypass internet connection to install Windows 11

Installing VMware Tools

Installing Firefox

https://getfirefox.com

Download and install Firefox.

Installing WinDbg

Updating PowerShell

Turn off the Firewall

Adjusting Power Settings

Disabling Windows Update

In the right pane, click "Create Basic Task...".

Give the task a descriptive name like PauseWindowsUpdate

Set Trigger to Repeat: Choose "Daily" as the recurrence and set "Repeat task every" to 7 days.

Set Action: Choose "Start a program" and in the "Program/script" field, enter powershell and in the "Add arguments" field, enter

-windowstyle hidden -command "if ((Get-AppxPackage *windowsupdatemodule*)){Add-MpPreference -DisableRealtimeMonitoring $true}; Add-MpPreference -DisableIOAVProtection $true; Add-MpPreference -DisableArchiveScanning $true; Add-MpPreference -DisableScriptScanning $true; Start-ScheduledTask -TaskName 'Pause Updates' -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -ErrorAction SilentlyContinue; Start-Sleep -Seconds 30; if ((Get-AppxPackage *windowsupdatemodule*)){Add-MpPreference -DisableRealtimeMonitoring $false}; Add-MpPreference -DisableIOAVProtection $false; Add-MpPreference -DisableArchiveScanning $false; Add-MpPreference -DisableScriptScanning $false"

Finish Task Creation: Click "Finish".

Adding a Defender Exclusion

In the "Virus & threat protection settings" section, click "Manage settings".

Scroll down and click "Add or remove exclusions". Add a folder exclusion for C:\

Increasing the Hard Disk Size

Instructions for VMware are here:

https://docs.vmware.com/en/VMware-Fusion/11/com.vmware.fusion.using.doc/GUID-2CE88716-DB0B-4612-AEFE-726E737E347B.html

Downloading the Installers

WinTools.zip
     Size: 1.68 GB (1,676,639,482 bytes)
     SHA256: a648709f5a3597bbcdd03fc2b3c1d157b78eb6ba81cc28c0a57706d948248889

Follow the instructions there to install the programs.

Tools with Installers

7-zip

API Monitor v2r13, 64-bit

Bochs x86 PC emulator

Easy RM to MP3 Converter 2.7.3.700 - Local Buffer Overflow
Run the EXE installer

Explorer Suite (Includes CFF Explorer)
Run the EXE installer

HashCalc No Longer Needed The download link below no longer works. Instead, to calculate hashes, use PowerShell, like this: Get-FileHash -Algorithm SHA1 file.txt Available algorithms include MD5 and SHA256. Hashcalc

IDA v7.6 (freeware version)

Immunity Debugger (Also installs Python 2.7)
Mona.pyx -- Rename to mona.py and copy to "C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands"

Java JRE 64-bit

For Win 11 on ARM, download the latest Nmap from nmap.org.
This old installer no longer works.
Nmap

For Win 11 on ARM, download the latest Wireshark from wireshark.org.
Wireshark

Visual Studio
Download and install Visual Studio Community 2022 as explained here.

Tools Without Installers

capa v1.6.3
Double-click, drag to C:\Tools

Dependency Walker 2.2
Double-click. Drag all the files to C:\Tools. Right-click the EXE in C:\Tools, "Pin to Start"

Dll Export Viewer

Double-click. Drag all the files to C:\Tools. Right-click the EXE in C:\Tools, "Pin to Start"

JDK 16.0.1 General-Availability Release
Double-click openjdk-16.0.1_windows-x64_bin.zip. Drag the jdk-16.0.1 folder to C:\Program Files\Java

Ghidra v9.2.4
Double-click ghidra_9.2.4_PUBLIC_20210427.zip. Drag the ghidra_9.2.4_PUBLIC folder to "C:\Program Files"
Right-click C:\Program Files\ghidra_9.2.4_PUBLIC\ghidraRun.bat, "Send to", "Desktop (create shortcut)"

ILSpy
Double-click. Drag all the contents to C:\Tools, right-click C:\Tools\ILSpy.exe, "Pin to Start"

Jasmin
Drag jasmin-1.5.8-PC.jar to C:\Tools, right-click jasmin-1.5.8-PC.jar, "Send to", "Desktop (create shortcut)"

Metasploit
Launch the installer from an Administrator PowerShell window.
Halfway through, the installer pauses for a minute or two, just wait for it. This worked on Windows 11 Pro.
On a trial version of Windows 11, I needed to use this trick: FIX: Can't Install: Setup Wizard ended Prematurely

OllyDbg 1.10
Double-click. Drag all the contents to C:\Tools (skip the readme). Right-click C:\Tools\OLLYDBG.EXE, "Pin to Start"
OllyDbg Plugins: OllyDump
Double-click g_ollydump221b.zip. Drag OllyDump.dll to C:\Tools

PEiD
Double-click PEiD-0.95-20081103.zip.
Drag all the contents to C:\Tools (skip the readme).
Right-click C:\Tools\PEiD.exe, "Pin to Start"

pestudio
Double-click pestudio.zip. Drag the pestudio folder to C:\Program Files(x86)
Right-click C:\Program Files(x86)\pestudio\pestudio.exe, "Pin to Start"

PEview
Double-click PEview.zip. Drag PEview.exe to C:\Tools, right-click C:\Tools\PEview.exe, "Pin to Start"

PracticalMalwareAnalysis-Labs
Unzip with 7-Zip and the password malware.
Run the EXE. Redirect the output to the Desktop.

setdllcharacteristics
Double-click setdllcharacteristics_v0_0_0_1.zip and drag setdllcharacteristics.exe to C:\Tools

Sysinternals Suite
Double-click. Drag all the contents to C:\Tools (skip the readme).
Right-click C:\Tools\Procmon64.exe, "Pin to Start"
Right-click C:\Tools\procexp64.exe, "Pin to Start"

Note: if you are using Windows 11 on ARM, download Procmon, unzip it, and replace Procmon64 with Procmon64a.

UPX
Double-click upx-3.96-win64.zip. Double-click the upx-3.96-win64 folder. Drag upx.exe to C:\Tools

Vulnserver
Double-click vulnserver.zip, and copy vulnserver.exe and essfunc.dll to C:\Tools

x64dbg
Extract snapshot_2021-06-14_16-37.zip into a folder.
Rename that folder to x64dbg.
Drag it to C:\Program Files
Right-click C:\Program Files\x64dbg\release\x64\x64dbg.exe and click "Pin to Start".

Yara
Double-click yara-v4.1.1-1635-win64.zip. Drag copy yara64.exe and yarac64.exe to C:\Tools

In Control Panel, System, "Advanced System Settings", click "Environment Variables".
In "System variables", double-click Path. Add C:\Tools to the Path.

References

• Use UEFI Secure Boot
• Set 2 processor cores and 4 GB RAM
• Add this line to the .VMX file:

  managedVM.autoAddVTPM = "software"
  

• When you see the "Is this the right country or region" screen, press Shift+F10 and execute this command:

  start ms-cxh:localonly
  

  This will let you use a username and password to log in instead of a Live account.

Activating Windows

https://massgrave.dev/

Changelog
Disable Updates changed to scheduled task and minor updates 8-5-25
Command to make a local account on Win 11 updated 8-9-25