July 26th, 2017



  • projectsFLARE-VM

    Download Not Available
    Size Not Available
    DateJuly 26th, 2017
      ______ _               _____  ______   __      ____  __ 
     |  ____| |        /\   |  __ \|  ____|  \ \    / /  \/  |
     | |__  | |       /  \  | |__) | |__ _____\ \  / /| \  / |
     |  __| | |      / /\ \ |  _  /|  __|______\ \/ / | |\/| |
     | |    | |____ / ____ \| | \ \| |____      \  /  | |  | |
     |_|    |______/_/    \_\_|  \_\______|      \/   |_|  |_|
                             Developed by                     
                          Peter Kacherginsky                  
           FLARE (FireEye Labs Advanced Reverse Engineering)  

    Welcome to FLARE VM - a fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.

    Please see https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html for a blog on installing and using the FLARE VM.

    Legal Notice

    This download configuration script is provided to assist cyber security analysts
    in creating handy and versatile toolboxes for malware analysis environments. It
    provides a convenient interface for them to obtain a useful set of analysis
    tools directly from their original sources. Installation and use of this script
    is subject to the Apache 2.0 License.

    You as a user of this script must review, accept and comply with the license terms of each downloaded/installed package listed below. By proceeding with the installation, you are accepting the license terms of each package, and acknowledging that your use of each package will be subject to its respective license terms.

    List of package licenses:

    http://www.ollydbg.de/download.htm, http://www.ollydbg.de/download.htm, https://github.com/x64dbg/x64dbg/blob/development/LICENSE, http://go.microsoft.com/fwlink/?LinkID=251960, https://www.hex-rays.com/products/ida/support/download_freeware.shtml, https://docs.binary.ninja/about/license/#demo-license, https://github.com/icsharpcode/ILSpy/blob/master/doc/license.txt, https://github.com/0xd4d/dnSpy/blob/master/dnSpy/dnSpy/LicenseInfo/GPLv3.txt, https://www.jetbrains.com/decompiler/download/license.html, https://github.com/0xd4d/de4dot/blob/master/LICENSE.de4dot.txt, http://www.oracle.com/technetwork/java/javase/terms/license/index.html, https://github.com/java-decompiler/jd-gui/blob/master/LICENSE, https://www.vb-decompiler.org/license.htm, http://kpnc.org/idr32/en/, https://www.free-decompiler.com/flash/license/, https://www.mcafee.com/hk/downloads/free-tools/fileinsight.aspx, https://mh-nexus.de/en/hxd/license.php, https://www.sweetscape.com/010editor/manual/License.htm, http://www.ntcore.com/exsuite.php, http://wjradburn.com/software/, http://ntinfo.biz, https://www.sublimetext.com, https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/LICENSE, http://vimdoc.sourceforge.net/htmldoc/uganda.html, http://www.gnu.org/licenses/gpl-2.0.html, https://raw.githubusercontent.com/ferventcoder/checksum/master/LICENSE, http://www.7-zip.org/license.txt, http://www.chiark.greenend.org.uk/~sgtatham/putty/licence.html, http://www.gnu.org/copyleft/gpl.html, https://cdn.rawgit.com/iggi131/packages/master/RawCap/license.txt, https://www.gnu.org/copyleft/gpl.html, http://upx.sourceforge.net/upx-license.html, http://technet.microsoft.com/en-us/sysinternals/bb469936, http://www.rohitab.com/apimonitor, http://whiteboard.nektra.com/spystudio/spystudio_license, http://www.slavasoft.com/hashcalc/license-agreement.htm, http://www.gnu.org/licenses/gpl-2.0.html, http://www.techworld.com/download/portable-applications/microsoft-offvis-11-3214034/, http://exeinfo.atwebpages.com, https://www.python.org/download/releases/2.7/license/, https://www.microsoft.com/en-us/download/details.aspx?id=44266, https://raw.githubusercontent.com/IntelliTect/Licenses/master/WindowsManagementFramework.txt, http://msdn.microsoft.com/en-US/cc300389.aspx, https://raw.githubusercontent.com/chocolatey/choco/master/LICENSE, http://svn.code.sf.net/p/processhacker/code/2.x/trunk/LICENSE.txt

    Installation (Install Script)

    Create and configure a new Windows 7 or newer Virtual Machine. To install FLARE VM on an existing Windows VM, download and copy install.ps1 on your analysis machine. On the analysis machine open PowerShell as an Administrator and enable script execution by running the following command:

    Set-ExecutionPolicy Unrestricted

    Finally, execute the installer script as follows:


    The script will set up the Boxstarter environment and proceed to download and install the FLARE VM environment. You will be prompted for the Administrator password in order to automate host restarts during installation.

    Installation (Manually)

    First, install boxstarter. All commands are expected to be executed with Administrator privileges.

    If you are using PowerShell V2:

    Set-ExecutionPolicy Unrestricted iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1')); get-boxstarter -Force

    And PowerShell V3 or newest:

    Set-ExecutionPolicy Unrestricted . { iwr -useb http://boxstarter.org/bootstrapper.ps1 } | iex; get-boxstarter -Force

    Next, you can deploy FLARE VM environment as follows

    Install-BoxstarterPackage -PackageName https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1

    NOTE: The old installation method using the webinstaller link is now deprecated.

    Installing a new package

    FLARE VM uses the chocolatey public and custom FLARE package repositories. It is easy to install a new package. For example, enter the following command as Administrator to deploy x64dbg on your system:

    cinst x64dbg

    Staying up to date

    Type the following command to update all of the packages to the most recent version:

    cup all

    Malware Analysis with FLARE VM

    Please see a blog at https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html for an example malware analysis session using FLARE VM.

    Installed Tools


    • OllyDbg + OllyDump + OllyDumpEx
    • OllyDbg2 + OllyDumpEx
    • x64dbg
    • WinDbg


    • IDA Free
    • Binary Ninja Demo


    • JD-GUI
    • dex2jar

    Visual Basic

    • VBDecompiler


    • FFDec


    • ILSpy
    • DNSpy
    • DotPeek
    • De4dot


    • Offvis

    Hex Editors

    • FileInsight
    • HxD
    • 010 Editor


    • PEiD
    • ExplorerSuite (CFF Explorer)
    • PEview
    • DIE
    • PeStudio

    Text Editors

    • SublimeText3
    • Notepad++
    • Vim


    • MD5
    • 7zip
    • Putty
    • Wireshark
    • RawCap
    • Wget
    • UPX
    • Process Hacker
    • Sysinternals Suite
    • API Monitor
    • SpyStudio
    • Checksum
    • Unxutils

    Python, Modules, Tools

    • Python 2.7
    • Hexdump
    • PEFile
    • Winappdbg
    • FakeNet-NG
    • Vivisect
    • FLOSS
    • PyCrypto
    • Cryptography


    • VC Redistributable Modules (2008, 2010, 2012, 2013, 2015)



    Download fakenet1.3.zip
    Size 6.8 MB
    DateAugust 3rd, 2016

    FakeNet-NG is a next generation dynamic network analysis tool for malware analysts and penetration testers. It is open source and designed for the latest versions of Windows (and Linux, for certain modes of operation). FakeNet-NG is based on the excellent Fakenet tool developed by Andrew Honig and Michael Sikorski.

    The tool allows you to intercept and redirect all or specific network traffic while simulating legitimate network services. Using FakeNet-NG, malware analysts can quickly identify malware's functionality and capture network signatures. Penetration testers and bug hunters will find FakeNet-NG's configurable interception engine and modular framework highly useful when testing application's specific functionality and prototyping PoCs. Read more.

    heap overflows for humans - 102 - exercise solution

    Heap Overflows For Humans is a series of articles by Steven Seeley that explore heap exploitation on Windows. In this article I will go over the exact reasoning and exploitation steps for an exercise created by Steven in the second article of the series. Read more.

    ida sploiter

    Download idasploiter-1.0.zip
    Size 25.4 KB
    DateSeptember 14th, 2014

    IDA Sploiter is a plugin for Hex-Ray's IDA Pro disassembler designed to enhance IDA's capabilities as an exploit development and vulnerability research tool. Some of the plugin's features include a powerful ROP gadgets search engine, semantic gadget analysis and filtering, interactive ROP chain builder, stack pivot analysis, writable function pointer search, cyclic memory pattern generation and offset analysis, detection of bad characters and memory holes, and many others. Read more.

    ida patcher

    Download idapatcher-1.2.zip
    Size 6.0 KB
    DateSeptember 13th, 2014

    IDA Patcher is a plugin for Hex-Ray's IDA Pro disassembler designed to enhance IDA's ability to patch binary files and memory. The plugin is useful for tasks related to malware analysis, exploit development as well as bug patching. IDA Patcher blends into the standard IDA user interface through the addition of a subview and several menu items. Read more.


    All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.