Using KVM and guestfish for dynamic malware analysis on Windows


After the news that FireEye was affected by the VENOM vulnerability it got me thinking that how hard can it be to do this in KVM. This article will give you a start on how to do sort of dynamic analysis, or at least get you going. I will probably update it later on when I do more.


This guide requires that you have already installed a CentOS 7.1 system with KVM support and a Windows XP machine installed. This machine is named “winxp” and will be used further down in the guide. The system has to be configured with IDE drives and qcow2 format. Make sure you have two disks, one disk called “windows_xp.qcow2” mounted at C: and one called “windows_xp_data.qcow2” mounted at E: on the machine. The size of the disks should be at least 80GB or so per disk. Other things like memory should be fine at 2GB.

Let’s kick off! Make sure you have a snapshot on the vm called “ready”. We will use this as default state before starting the machine. So to sum up.

1. Install a VM Windows XP guest with 2gb of ram and qcow2 disks so that we can use snapshots
2. Make sure it has two disks, one at C: at 80GB and one at E: at 80GB. These qcow2 images are saved in the folder /vm/
3. Create a snapshot called “ready” when you have installed it.
4. Done!

Let’s start!

Everything we configure from now on will be done on the KVM host. That is the mother machine running the guest machines (the Windows XP system is a guest)

1. Install the epel repo. You will need this for the packages.

2. Install some packages from epel. They are required to mount the NTFS volume offline

3. The is an issue on current (2015-06-08) CentOS 7.1 with winsupport. You have to manually download the rpm and install it using yum localinstall. This is used to be able to mount NTFS drives.
Read more here:
Download here

4. Create the folder /root/files/

5. That should be it. Test it with the script in the next step.

Before you run it you have to know what it does. As you cannot insert files on a live system without (potentially) damaging the filesystem we will make sure the guest is shut down first. We will use destroy since we do not want to wait for a graceful shutdown. After the machine is shut down, we mount the disk called “windows_xp_data.qcow2” which is our E: on the winxp system and then upload all files in the folder “/root/files” to E:\files\ on the Windows XP system.

6. The startup script on the vm host.

7. When the machine now has booted you should find the files on E:\files. What you can do now is to implement a python application running at startup on the Windows XP machine that looks in the folder and then uses something like a custom cfg file to perhaps first install a older version of adobe and then launch your pdf file in files. As you can manipulate the filesystem before you boot the machine you may be able remove some or all traces of QEMU or KVM to perhaps “dodge” the vm awareness in some malware.

Good luck!

Leave a Reply

Your email address will not be published. Required fields are marked *