Guest Configuration for Windows
This page will detail how to properly configure a Windows guest for recording with REVEN.
- Guest system requirements
- Enabling the OSSI feature
- Optimizing the guest for analysis
- Maximizing the symbol coverage
- Final touches
- More details about version support
Guest system requirements
REVEN supports guests running Windows from version 7 to 10, both 32-bit and 64-bit editions, up to the latest releases.
For more details, see the section below
Enabling the OSSI feature
In order to ensure the OS-Specific Information (OSSI) work on recorded scenario, you must disable certain OS features manually. Below are instructions on how to do so.
Disabling the KPTI protections
KPTI (Kernel Page-Table Isolation) protections were introduced with the meltdown patches. If they are enabled, OSSI will be available only on ring 0 or admin processes, so you must disable them.
Therefore, you must disable KPTI protections. You can either:
- During the
Configure the guest
step of the VM Import Wizard:- In the Project Manager, click on
Insert Windows 10 lightener CDROM
. - In the VM, open a file explorer to the CD-ROM drive.
- Right-click on the file
disable-kpti.bat
and selectRun as administrator
. - Wait for the VM to reboot.
- In the Project Manager, click on
- Outside the VM Import Wizard, you can run this manually. Microsoft's support provides the following steps to do so, to run in an Administrator shell:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f shutdown -r
Disabling the CompactOS Windows 10 option
On Windows 10, the CompactOS feature lets you run the operating system
from compressed files to maintain a small footprint. However, this feature
is not compatible with the Prepare
stage of the REVEN workflow, which is
required by the OSSI features.
Therefore, you must disable CompactOS. To do so, issue the following command as the Administrator user:
> Compact.exe /CompactOS:never
Uncompressing OS binaries /
Completed uncompressing OS binaries.
15483 files within 11064 directories were uncompressed.
Note you can check the status of that feature with Compact.exe /CompactOS:query
, and if necessary for your particular use-case and if you know what you are doing, reactivate it with Compact.exe /CompactOS:always
.
Optimizing the guest for analysis
In order to optimize scenario recording and replay performance, it is strongly recommended to remove system features that are not useful to your scenarios. We call this operation ligthening the snaphost.
Indeed, a default installation of Windows 10 is quite busy by default, and makes the experience poorer than it needs to be: any background or superfluous task or program that runs on the VM while recording a scenario will negatively impact both the recording experience (the VM runs slower than it needs to) and scenario size and replay time (REVEN will analyze unnecessary code execution).
The following two sub-sections will detail two different approaches you can take:
- Either use the provided powershell script - this option is recommended by default,
- Or use the NTLite template - this option can be even more effective, and is recommended if you have an NTLite license.
Note that you can also simply deactivate things manually yourself - look at what the script does for inspiration.
Using the provided Powershell script
This script is available from the Downloads page of the Project Manager.
IMPORTANT: This script is provided to REVEN's users as-is,
without any guarantee, as a convenient tool. Therefore, it must be
considered for what it is - an example. It is strongly recommended to backup
any VM before running the script on it. Besides, the script may require
modifications to fit your specific configurations. For example, non-English VMs
may require some translation in the script, such as administrator
to
administrateur
in a French VM.
IMPORTANT: By default, running this script will disable the network. See below for how to reactivate it.
Before using the script, apply the following configuration:
- Disable Windows Defender and optionally the firewall:
- As an Administrator, launch
gpedit.msc
. - Navigate to "Local Computer Policy\Computer Configuration\Administrative
Templates\Windows Components\Windows Defender\Turn off Windows Defender" and
set the
Enabled
radio button. - Navigate to "Local Computer Policy\Computer Configuration\Windows
Settings\Security Settings\Windows Firewall with Advanced Security" and
set it to
Off
.
- As an Administrator, launch
On Windows 10, in an administrator Powershell console, you can:
-
Get help about the script's capabilities and usage:
> Get-Help windows10_lightener.ps1
-
Run the script to disable a maximum of services:
> Set-ExecutionPolicy Unrestricted (confirm) > windows10_lightener.ps1 -All
Manually disable the following services:
-
Print spooler
-
DPS
-
Themes
-
Workstation (SMB protocol) IMPORTANT: In order to enable networking, reactivate the following services:
-
Windows Event Log
-
Network Connections
-
Network List Service IMPORTANT: Anti-virus disabling as done by this script is not persistent after a VM reboot, which is is why we recommended disabling it via groups policies above. Alternatively, the script may be executed after each reboot to disable the AV services again:
> Set-ExecutionPolicy Unrestricted (confirm) > windows10_lightener.ps1 -DisableAV
-
-
Run the script to disable basic services only:
> Set-ExecutionPolicy Unrestricted (confirm) > windows10_lightener.ps1 -Basic
Using the provided NTLite template
NTLite is a tool easing the process of customizing
Windows. It can be used on either a running system, such as a VM, or on an
installation ISO. The way the provided template is supposed to be used is on a
live, running system.
You will need at least a NtLite Home license to modify your VM.
Please follow the instructions below during the "Configuration of the windows guest" step of the "VM setup" wizard:
- Install NTLite on the VM. You can transfer the NTLite setup file through the "file CDROM" feature.
- Activate your NTLite license on this VM.
- Load the current Windows installation into NTLite.
- Load the provided template by inserting the "Windows 10 lightener CDROM".
- Apply the changes required by the template. A few reboots may be required to fully apply all the modifications.
- You will be done when all the changes will have a green bullet in the "Apply" section of NTLite.
NOTE: Installing NTLite on the VM may require an active internet connection. Please refer to NTLite's documentation for more information about how to install NTLite.
Maximizing the symbol coverage
For Microsoft Windows systems, OSSI can be derived from binaries and Program Data Base files, also known as PDBs.
REVEN will automatically download PDBs, provided:
- the binaries executed in your scenarios are in the prepared file system (see More about preparing snapshots)
- It has access to a PDB source (by default REVEN knows about microsoft's PDB servers and a few others)
This automatic download will either occur during Replay or if Enable live PDB download
in the scenario's analysis page is checked
(although the latter option is not recommended as it will freeze the GUI during each new PDB download)
Final touches
Finally, here are a few recommendations to make the overall experience smoother:
- Install all .NET & MSVC runtimes: you will need them.
- Force .NET precompilation with commands such as
%windir%\microsoft.net\framework64\v4.0.30319\ngen.exe update /force
- otherwise it may consume CPU time when you least want it to (see Microsft's support about that issue) - Setup autologon (use Autologon) - this makes creating live snapshots smoother, as you don't have to login everytime.
- Install all the software you may want:
- Process explorer / hacker
- Your favorite web browser
- Etc.
More details about version support
We support and test REVEN against new Windows 10 major updates when they get released, however if you have problems against a specific version, please contact the support.
We occasionally test against Insider Preview builds in a best-effort fashion.
Please note that we consider Windows 10 64-bit a priority, and as a result there are features that do not support older Windows versions or 32-bit editions. Here is a summary of those features:
Feature | Perimeter |
---|---|
Automatic binary recording (excl. ASM-stub recording) | Windows 10 64-bit |
Snapshot ligthening | Windows 10 64-bit & 32-bit (Not mandatory on Windows 7) |
PCAP network activity reconstruction | Windows 10 64-bit |