Automated Creation and Export of Customized FLARE-VM Builds

virtualbox/README.md

@@ -93,46 +93,46 @@ FLARE-VM.20240808.dynamic 8: Disabled Null
 ![Notification](../Images/vbox-adapter-check_notification.png)
 
 
-## Export snapshots
-
-[`vbox-export-snapshots.py`](vbox-export-snapshots.py) export one or more snapshots in the same VirtualBox VM as .ova, changing the network to a single Host-Only interface.
-It also generates a file with the SHA256 hash of the exported `.ova`.
-This script is useful to export several versions of FLARE-VM after its installation consistently and with the internet disabled by default (desired for malware analysis).
-For example, you may want to export a VM with the default FLARE-VM configuration and another installing in addition the packages `visualstudio.vm` and `pdbs.pdbresym.vm`.
-These packages are useful for malware analysis but are not included in the default configuration because of the consequent increase in size.
-The scripts receives the path of the JSON configuration file as argument.
-See configuration example files in the [`configs`](configs/) directory.
+## Export snapshot
+
+[`vbox-export-snapshot.py`](vbox-export-snapshot.py) exports a VirtualBox snapshot as an Open Virtual Appliance (OVA) file.
+The script configures the exported VM with a single Host-Only network interface, and the resulting OVA file is named after the snapshot.
+A separate file containing the SHA256 hash of the OVA is also generated for verification.
+The script accepts an optional description for the OVA and the name of the export directory within the user's home directory (`$HOME`) where the OVA and SHA256 hash file will be saved.
+If no export directory is provided, the default directory name is `EXPORTED VMS`.
 
 ### Example
 
 ```
-$ ./vbox-export-snapshots.py configs/export_win10_flare-vm.json
-
-Exporting snapshots from "FLARE-VM.testing" {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d}
-Export directory: "/home/anamg/EXPORTED VMS"
+$ ./vbox-export-snapshots.py "FLARE-VM.testing" "FLARE-VM" --description "Windows 10 VM with FLARE-VM default configuration"
 
-VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} state: running. Shutting down VM...
+Exporting snapshot "FLARE-VM" from "FLARE-VM.testing" {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d}...
 VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} ✨ restored snapshot "FLARE-VM"
 VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} state: saved. Starting VM...
 VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} state: running. Shutting down VM...
 VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} ⚙️  network set to single hostonly adapter
 VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} 🔄 power cycling before export... (it will take some time, go for an 🍦!)
 VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} state: poweroff. Starting VM...
 VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} state: running. Shutting down VM...
-VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} 🚧 exporting "FLARE-VM.20250129.dynamic"... (it will take some time, go for an 🍦!)
-VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} ✅ EXPORTED "/home/anamg/EXPORTED VMS/FLARE-VM.20250129.dynamic.ova"
-VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} ✅ GENERATED "/home/anamg/EXPORTED VMS/FLARE-VM.20250129.dynamic.ova.sha256": 73c3de4175449987ef6047f6e0bea91c1036a8599b43113b3f990104ab294a47
-
-VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} ❌ ERROR exporting "FLARE-VM.full":Command 'VBoxManage snapshot {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} restore FLARE-VM.full' failed: Could not find a snapshot named 'FLARE-VM.full'
-
-Done! 🙃
+VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} 🚧 exporting ... (it will take some time, go for an 🍦!)
+VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} ✅ EXPORTED "/home/anamg/None/FLARE-VM.ova"
+VM {2bc66f50-9ecb-4b10-a4dd-0cc329bc383d} ✅ GENERATED "/home/anamg/None/FLARE-VM.ova.sha256": 987eed68038ce7c5072e7dc219ba82d11745267d8ab2ea7f76158877c13e3aa9
 ```
 
 ## Build FLARE-VM
 
-[`vbox-build-flare-vm.py`](vbox-build-flare-vm.py) restores a `BUILD-READY` snapshot, copies files required for the installation (like the IDA Pro installer and the FLARE-VM configuration file) and starts the FLARE-VM installation.
+[`vbox-build-flare-vm.py`](vbox-build-flare-vm.py) automates the creation and export of customized FLARE-VM virtual machines (VMs).
+The script begins by restoring a pre-existing `BUILD-READY` snapshot of a clean Windows installation.
+The script then copies the required installation files (such as the IDA Pro installer, FLARE-VM configuration, and legal notices) into the guest VM.
+After installing FLARE-VM, a `base` snapshot is taken.
+This snapshot serves as the foundation for generating subsequent snapshots and exporting OVA images, all based on the configuration provided in a YAML file.
+This configuration file specifies the VM name, the exported VM name, and details for each snapshot.
+Individual snapshot configurations can include custom commands to be executed within the guest, legal notices to be applied, and file/folder exclusions for the automated cleanup process.
+See configuration example files in the [`configs`](configs/) directory.
+
 The `BUILD-READY` snapshot is expected to be an empty Windows installation that satisfies the FLARE-VM installation requirements and has UAC disabled
 To disable UAC execute in a cmd console with admin rights and restart the VM for the change to take effect:
 ```
 %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
 ```
+

virtualbox/configs/win10_flare-vm.yaml

@@ -0,0 +1,27 @@
+VM_NAME: FLARE-VM.testing
+EXPORTED_VM_NAME: FLARE-VM.Win10
+SNAPSHOTS:
+- extension: ".dynamic"
+  description: "Windows 10 VM with FLARE-VM default configuration + idapro.vm + microsoft-office.vm"
+  cmd: "choco install idapro.vm microsoft-office.vm"
+  legal_notice: "legal_notice_win10.txt"
+- extension: ".full.dynamic"
+  description: "Windows 10 VM with FLARE-VM default configuration + idapro.vm + microsoft-office.vm + pdbs.pdbresym.vm + visualstudio.vm"
+  cmd: "choco install idapro.vm microsoft-office.vm pdbs.pdbresym.vm visualstudio.vm --execution-timeout 10000"
+  legal_notice: "legal_notice_win10.txt"
+- extension: ".EDU"
+  description: "Windows 10 VM with FLARE-VM default configuration + FLARE-EDU materials"
+  cmd: |
+    # Unzip EDU labs
+    VM-Unzip-Recursively;
+    # Install Office 2016. the installation takes 30 minutes
+    $desktop = "C:\Users\flare\Desktop";
+    $path = "$desktop\en_office_professional_plus_2016_x86_x64_dvd_6962141.iso";
+    $drive = (Mount-DiskImage -ImagePath $path | Get-Volume).DriveLetter;
+    Set-Location "$drive`:\";
+    .\setup.exe;
+    Start-Sleep 1800;
+    Dismount-DiskImage -ImagePath $path;
+  legal_notice: "legal_notice_edu.txt"
+  protected_folders: "'ATMA', 'MACC', 'MAF', 'MDA'"
+  protected_files: "'Labs.zip', 'MICROSOFT Windows 10 License Terms.txt', 'MICROSOFT Office 2016 License Terms.txt'"