Saving the Virtual Machine¶
Now you should be ready to save the virtual machine to a snapshot state.
Before doing this make sure you rebooted it softly and that it’s currently running, with CAPE’s agent running and with Windows fully booted.
Now you can proceed saving the machine. The way to do it obviously depends on the virtualization software you decided to use.
If you follow all the below steps properly, your virtual machine should be ready to be used by CAPE.
You can check here how to simple create virtual machine with virt-manager
- Create virtual machine with virt-manager aka GUI client
- `Advanced KVM preparation for malware analysis`_
If decided to adopt KVM, you must first of all be sure to use a disk format for your virtual machines which supports snapshots. By default libvirt tools create RAW virtual disks, and since we need snapshots you’ll either have to use QCOW2 or LVM. For the scope of this guide we adopt QCOW2, which is easier to setup than LVM.
The easiest way to create such a virtual disk correctly is using the tools
provided by the libvirt suite. You can either use
virsh if you prefer
command-line interfaces or
virt-manager for a nice GUI.
You should be able to directly create it in QCOW2 format, but in case you have
a RAW disk you can convert it like this:
$ cd /your/disk/image/path $ qemu-img convert -O qcow2 your_disk.raw your_disk.qcow2
Now you have to edit your VM definition as follows:
$ virsh edit "<Name of VM>"
Find the disk section, it looks like this:
<disk type='file' device='disk'> <driver name='qemu' type='raw'/> <source file='/your/disk/image/path/your_disk.raw'/> <target dev='hda' bus='ide'/> <address type='drive' controller='0' bus='0' unit='0'/> </disk>
And change “type” to qcow2 and “source file” to your qcow2 disk image, like this:
<disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source file='/your/disk/image/path/your_disk.qcow2'/> <target dev='hda' bus='ide'/> <address type='drive' controller='0' bus='0' unit='0'/> </disk>
KVM by default will pass through a feature flag, viewable in ECX as the 31st bit after executing the CPUID instruction with EAX set to 1. Some malware will use this unprivileged instruction to detect its execution in a VM. One way to avoid this is to modify your VM definition as follows: find the following line:
Change it to:
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
Then within the domain element, add the following:
<qemu:commandline> <qemu:arg value='-cpu'/> <qemu:arg value='host,-hypervisor'/> </qemu:commandline>
Instead of using “host”, you can also choose a number of other CPU models from the list displayed with the “qemu-system-i386 -cpu help” command (SandyBridge, Haswell, etc).
Now test your virtual machine, if everything works prepare it for snapshotting while running CAPE’s agent. This means the virtual machine needs to be running while you are taking the snapshot. Then you can shut it down. You can finally take a snapshot with the following command:
$ virsh snapshot-create "<Name of VM>" $ virsh snapshot-create-as --domain "<Name of VM>" --name "<Name of snapshot>"
Having multiple snapshots can cause errors.
ERROR: No snapshot found for virtual machine VM-Name
VM snapshots can be managed using the following commands.
$ virsh snapshot-list “VM-Name”
$ virsh snapshot-delete “VM-Name” 1234567890
If you are going for VirtualBox you can take the snapshot from the graphical user interface or from the command line:
$ VBoxManage snapshot "<Name of VM>" take "<Name of snapshot>" --pause
After the snapshot creation is completed, you can power off the machine and restore it:
$ VBoxManage controlvm "<Name of VM>" poweroff $ VBoxManage snapshot "<Name of VM>" restorecurrent
If you decided to adopt VMware Workstation, you can take the snapshot from the graphical user interface or from the command line:
$ vmrun snapshot "/your/disk/image/path/wmware_image_name.vmx" your_snapshot_name
Where your_snapshot_name is the name you choose for the snapshot. After that power off the machine from the GUI or from the command line:
$ vmrun stop "/your/disk/image/path/wmware_image_name.vmx" hard
If you decided to adopt XenServer, the XenServer machinery supports starting virtual machines from either disk or a memory snapshot. Creating and reverting memory snapshots require that the Xen guest tools be installed in the virtual machine. The recommended method of booting XenServer virtual machines is through memory snapshots because they can greatly reduce the boot time of virtual machines during analysis. If, however, the option of installing the guest tools is not available, the virtual machine can be configured to have its disks reset on boot. Resetting the disk ensures that malware samples cannot permanently modify the virtual machine.
The Xen guest tools can be installed from the XenCenter application that ships with XenServer. Once installed, restart the virtual machine and ensure that the CAPE agent is running.
Snapshots can be taken through the XenCenter application and the command line interface on the control domain (Dom0). When creating the snapshot from XenCenter, ensure that the “Snapshot disk and memory” is checked. Once created, right-click on the snapshot and note the snapshot UUID.
To snapshot from the command line interface, run the following command:
$ xe vm-checkpoint vm="vm_uuid_or_name" new-name-label="Snapshot Name/Description"
The snapshot UUID is printed to the screen once the command completes.
Regardless of how the snapshot was created, save the UUID in the virtual machine’s configuration section. Once the snapshot has been created, you can shutdown the virtual machine.
Booting from Disk¶
If you can’t install the Xen guest tools or if you don’t need to use memory snapshots, you will need to ensure that the virtual machine’s disks are reset on boot and that the CAPE agent is set to run at boot time.
Running the agent at boot time can be configured in Windows by adding a startup item for the agent.
The following commands must be run while the virtual machine is powered off.
To set the virtual machine’s disks to reset on boot, you’ll first need to list all the attached disks for the virtual machine. To list all attached disks, run the following command:
$ xe vm-disk-list vm="vm_name_or_uuid"
Ignoring all CD-ROM and read-only disks, run the following command for each remaining disk to change it’s behavior to reset on boot:
$ xe vdi-param-set uuid="vdi_uuid" on-boot=reset
After the disk is set to reset on boot, no permanent changes can be made to the virtual machine’s disk. Modifications that occur while a virtual machine is running will not persist past shutdown.