Sandbox within vmware workstation, is it possible? - virtual-machine

What I want to be able to do is that, run a vmware machine on workstation, windows xp or 7 for instance. But all the changes I make while I am running the machine e.g. create a file, install something etc, I don't want them to be written to the system/image. Instead it should act like even the image itself is sandboxed, and when I shut down the machine, the image stays the same.
Now, I know about the snapshots functionality, but I basically want to save the time that is expended while reverting an image, on every power down session. Instead it should be such that the changes aren't written to the image/system in the first place (and instead are done in something like memory or a temporary location etc), and thus there is no need to revert when the system is powered off.
Now, is this possible to achieve with just vmware workstation itself? if not than is it possible with some third party tool or something of the sort? if yes then specifically which tool? or if this is possible utilizing any other concepts, say ramdisks etc or anything at all really?
Any help at all is really appreciated!

If I understand your you correctly, defining the VM's disks as nonpersistant should help.

Related

How do small teams do secure backups of source code?

First of all, I don't mean version control such as git.
I do use git locally but, I'm trying to determine the best way to do back-ups of source code (as well as other app assets) in case of hardware failure or such.
I was thinking I could set up a script to tar my project folders, and encrypt them with gpg. I would then save the encrypted tar to external hard drives and to 1 or more off-site locations using a service such as amazon drive or dropbox.
Currently, I'm a sole developer so my thinking was that this method should be okay. But I wanted to get some input to make sure I'm doing this the best/most reliable way possible.
If there is a better approach to this that may be more applicable to small teams, then please let me know, as I'm more than happy to do the extra work implementing the approach.
There are much of ways of doing that.
But, if you always work local and you need a simple way of doing that, you may take a look at run scripts if some specific usb device is plugged in.
Meaning that a simple backup script with tar would run if you plug in your specific backup hdd.
Take a look at udev rules in linux.
udev is a generic device manager running as a daemon on a Linux system and listening (via a netlink socket) to uevents the kernel sends out if a new device is initialized or a device is removed from the system. The udev package comes with an extensive set of rules that match against exported values of the event and properties of the discovered device. A matching rule will possibly name and create a device node and run configured programs to set up and configure the device.
Take a look at these posts:
https://unix.stackexchange.com/questions/65891/how-to-execute-a-shellscript-when-i-plug-in-a-usb-device
&
https://askubuntu.com/questions/401390/running-a-script-on-connecting-usb-device
If you plan to go further, to extend the team or even to keep your code for a while in other words, if you want to be professional, I would go with a scalable and reliable tool designed for this: use a real backup and restore tool and don't use scripts. A lot of people, small (and even not so small) companies are doing it and they end up in trouble: maintenance, scalabolity, update, and so on.
There are plenty of backup & restore tools for different purposes and/or platforms, prices and so on. https://en.wikipedia.org/wiki/List_of_backup_software would be a good start :)
Cheers
Werlan

Running Malware In VirtualBox

For a project I am working on I want to collect data of malware in a virtualbox for 30 seconds and then revert the VirtualBox back to its original state and repeat this process 500 times for 500 different malware links that I have in a txt file. Before I revert to the normal VirtualBox state, I want to collect data from a program that is monitoring that malware. What is the best way to do this?
Edit: I'd also like to point out that I have code to read the opcodes that are being used by the application. All I would like to do is automate this process for the virtualbox.
I am not aware of such a feature in virtualbox or vmware but you can always use third party tools to compare the state of the different parts (like registry) before and after the execution of malwares.
I heard Ashampoo unistaller is a great tool to do the job but personally never tested it before.
Another option is to use sanboxes like sandboxie or cuckoo sandbox to capture the changes.
Another option is to use online sandboxes like hybrid-analysis which is perfect for what you want to do.
Just keep in mind that most malwares use anti-VM techniques to prevent execution in VMs so you probably will not be able to capture all the features of the malwares.
Hope it helps.

Using Cuckoo sandbox platform for dynamically analyzing multiple file samples

I'm trying to run more than one sample at the same time in a single guest VM, for efficiency reasons, something that will be even more efficient than the distributed cuckoo solution, or using a few guest VMs.
For example, to submit a few URLs, so they will be opened in a few tabs(in IE or FF) in Cuckoo, so I won't need to run a clean VM for each URL.
Then, if any malicious activity is detected in any of the URLs, I'll find the malicious URL, and will make a deeper inspection of its activity using all other cuckoo plugins and modules, etc.
Can you think of a way to make it using cuckoo? or any workaround?
My use-case is that I have A LOT of samples, but only very few are malicious, so to run a VM for every one of them would be a waste of resources.
Cuckoo monitors malwares activity in system, record them and create report in a language like JSON. if you try several suspicious links probably malware in one VM, you cant track which part of JSON report (features) belong to which link (possibility malware). I believe you need to run different suspicious links/files in different VM. you can run few VM at the same time though.

How do you create a multiboot SCCM task sequence USB Stick?

I need to dual boot 2 different task sequences (Win7 images) for different Pc types which require different drivers, we have 2 images one for staff and student which can be added to a particular task sequence.
I need to create a portable solution for cloning without the network using 2 different SCCM (System Center Configuration Manager) task sequences. At the moment I go through the usual steps of creating a boot media via the Configuration manager, but there seems to be know way to create a script that changes the task media on the fly so you can select which OS image.
I was looking at a possible solution using YUMI (a Usb boot tool) but each bootable image requires an ISO. The task sequence image is around 8GIG.
We use SCCM 2007. (Still awaiting for a budget to upgrade to 2012 :) )
It sounds like you want to boot two different .WIM images.
Out of the box, I haven't found any tool from MS that will allow this. I have gotten around this discrepancy by renaming the .WIM I want to use to BOOT.WIM in the \SOURCES directory.
That is the name of the .WIM that gets used by all the default settings. You have to rename the file before you attempt to boot from the USB device, but it doesn't take long and could be scripted without much effort.
Theoretically, it should be possible to configure the BCD on the USB device (\EFI\MICROSOFT\BOOT\BCD or BOOT\BCD, depending on how the computer is configured to boot) so that you could choose which .WIM to use at boot time without the need to do any messy renaming. I haven't gotten this to work yet (mostly due to lack of time/urgency), but I did write down what I had done so far. I found some useful information about booting to .WIM's from windowsitpro.com.

Run application from documents instead of program files

I'm working on creating a self updating application and one issue I'm running into on Vista and Windows 7 is needing to have admin privileges in order to update the client. I've run into issues with clients that have their users running under restricted permissions and they would have to have IT log onto every machine that needed to update the client since the users were not able to.
A possible work around I'm considering is to have the launcher application installed into Program Files as normal, and having the real application that it updates installed in the users documents somewhere, so that they could update and run new versions without IT becoming involved.
I'm wondering what potential gotchas I'm missing here or what I should be aware of before heading down this path. I'm aware that click-once does something very similar, and I'd be using it, except I need the ability to do silent updates, without any user interaction.
This is how it is supposed to be. The last thing most IT departments want is a user randomly updating a piece of software. This could have all sorts of unintentional side effects such as incompatibility with the older version's files, new and possibly insecure functionality, etc. This is why IT departments disable Windows Update and do their updates manually in a controlled fashion.
If the users want an updated version of the software they should be requesting it from their IT department. Those computers and infrastructure don't belong to them, they're simply borrowing time on them from the company they work for so they can do their job.
Is there an issue with having only one installation of your program? Is it particularly large, for example?
Do you require admin privileges to run your program?
If not, odds are you don't need the Program Files folder.
I suggest you forgo installing to Program Files entirely and just install your program into the user's folder system at <userfolder>\AppData\ProgramName.
If you happen to be using .NET, look into the ClickOnce deployment mechanism. It's got a great self-updating feature that'd probably make your life a lot easier.
Edit: Just saw your last sentence. ClickOnce can force the user to update.
A couple of things:
If you decide to move your app to some place in documents, make sure that your application writes data transparently to where your program is installed, e.g. if there are hard coded paths anywhere in the code that are pointing to bad places. Perhaps this is not an issue for you, but might be something to keep in mind.
We solved this in pretty much the same way when we decided to implement a "live update" feature. But instead we installed a service which is running with administrator rights. This service in turn can run installers once the program needs to be updated. With this type of solution you don't even have to move your applicaton out of program files.
Cheers !
Edit:
Another neat thing with having a service running as administrator. Is that you could create a named pipe communication with it and have it do things for you, like you wouldn't be able to do as a normal user.
A loader stub is a good way to go. The only gotcha is when you have to update the loader; the same initial problem applies (though that should be pretty infrequent).
One problem that I can think of off the top of my head is that you're stepping outside the entire idea of keeping things more "secure." Since your executable exists in a location that should be completely accessible to a non-administrator, it's possible that something else could slam your exe thus subverting security.
You can probably leverage AppLocker. It may only be for Win7 though I'm not running Vista any more. ;)