Guest Configuration for Windows

This page details how to configure a Windows guest so that it records well with REVEN.

Guest system requirements

REVEN supports guests running Windows from version 7 to 10, both 32-bit and 64-bit editions, up to the latest releases.

For details on which features are limited to specific Windows versions or editions, see the "More details about version support" section at the end of this page.

Enabling the OSSI feature

For OS-Specific Information (OSSI) to work on recorded scenarios, you must manually disable certain OS features in the guest. The instructions below explain how.

Disabling the KPTI protections

KPTI (Kernel Page-Table Isolation) was introduced by the Meltdown patches. When it is enabled, OSSI is available only for ring 0 or admin processes, so it must be disabled in the guest. Note that this also turns off the Meltdown and Spectre v2 mitigations for that guest; this is acceptable only because the guest is a dedicated, isolated analysis VM and should never be done on a machine you rely on.

You can disable KPTI in either of two ways:

  1. During the Configure the guest step of the VM Import Wizard:
    1. In the Project Manager, click on Insert Windows 10 lightener CDROM.
    2. In the VM, open a file explorer to the CD-ROM drive.
    3. Right-click on the file disable-kpti.bat and select Run as administrator.
    4. Wait for the VM to reboot.
  2. Outside the VM Import Wizard, you can apply the change manually. Microsoft support documents the following commands, to be run from an Administrator command prompt (the value 3 disables both the Spectre v2 and Meltdown mitigations; the change takes effect at the next boot):
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    shutdown -r
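As an added example (not part of the REVEN documentation), the following PowerShell applies the same registry override from an elevated console and shows the values before and after, so you can confirm the change is in place before rebooting. The key path and value names are the ones Microsoft documents; the SpeculationControl module mentioned in the trailing comment is Microsoft's optional verification module and is only an assumption about what you have installed.

```powershell
# Added example (not from the REVEN documentation): apply and verify the
# FeatureSettingsOverride registry values that disable KPTI (KVA shadow).
# Run from an elevated PowerShell console; a reboot is required afterwards.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationOverride {
    # Returns the two values as an object; missing values show up as $null.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureSettingsOverride     = $props.FeatureSettingsOverride
        FeatureSettingsOverrideMask = $props.FeatureSettingsOverrideMask
    }
}

function Disable-KptiMitigation {
    # Both values must be written: the mask tells the kernel which bits of
    # the override are meaningful. 3 = Spectre v2 (bit 0) + Meltdown (bit 1).
    Set-ItemProperty -Path $key -Name FeatureSettingsOverride     -Type DWord -Value 3
    Set-ItemProperty -Path $key -Name FeatureSettingsOverrideMask -Type DWord -Value 3
}

'Before:'
Get-MitigationOverride
Disable-KptiMitigation
'After (effective at next boot):'
Get-MitigationOverride

# Reboot the guest to apply:  Restart-Computer
#
# Optional check after the reboot, using Microsoft's SpeculationControl module
# (assumed installed: Install-Module SpeculationControl):
#   Get-SpeculationControlSettings
# KVAShadowWindowsSupportEnabled should now report False.
```

If "After" still shows $null for either value, the console was not elevated and the write silently failed; the verification step after the reboot is what proves the guest actually booted without KPTI.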
    

Disabling the CompactOS Windows 10 option

On Windows 10, the CompactOS feature lets the operating system run from compressed system files to reduce its disk footprint. However, this feature is not compatible with the Prepare stage of the REVEN workflow, which the OSSI features require.

Therefore, you must disable CompactOS. To do so, run the following command from an elevated (Administrator) command prompt:

> Compact.exe /CompactOS:never
Uncompressing OS binaries /
Completed uncompressing OS binaries.

15483 files within 11064 directories were uncompressed.

Note that you can check the status of that feature with Compact.exe /CompactOS:query and, if your use case requires it and you understand the consequences for the Prepare stage, reactivate it with Compact.exe /CompactOS:always.

Optimizing the guest for analysis

In order to optimize scenario recording and replay performance, it is strongly recommended to remove system features that are not useful to your scenarios. We call this operation lightening the snapshot.

A default installation of Windows 10 is quite busy, which makes the experience poorer than it needs to be: any background or superfluous task or program that runs on the VM while recording a scenario hurts both the recording experience (the VM runs slower than it needs to) and the scenario size and replay time (REVEN will analyze the unnecessary code execution).

The following two sub-sections will detail two different approaches you can take:

  • Either use the provided powershell script - this option is recommended by default,
  • Or use the NTLite template - this option can be even more effective, and is recommended if you have an NTLite license.

Note that you can also simply deactivate things manually yourself - look at what the script does for inspiration.

Using the provided Powershell script

This script is available from the Downloads page of the Project Manager.

IMPORTANT: This script is provided to REVEN's users as-is, without any guarantee, as a convenience tool. It must therefore be considered for what it is: an example. It is strongly recommended to back up any VM before running the script on it. Also, the script may require modifications to fit your specific configuration. For example, non-English VMs may require some translation in the script, such as administrator to administrateur in a French VM.

IMPORTANT: By default, running this script will disable the network. See below for how to reactivate it.

Before using the script, apply the following configuration:

  • Disable Windows Defender and optionally the firewall:
    • As an Administrator, launch gpedit.msc.
    • Navigate to "Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Turn off Windows Defender" and select the Enabled radio button.
    • Navigate to "Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security" and set the firewall to Off.
    • On Windows 10 1903 and later, Tamper Protection (Windows Security > Virus & threat protection settings) may cause the Defender policy to be ignored; turn it off first, then apply the policy and confirm with Get-MpComputerStatus that real-time protection is reported as disabled after a reboot.

On Windows 10, in an Administrator PowerShell console, you can:

  • Get help about the script's capabilities and usage:

    > Get-Help .\windows10_lightener.ps1

  • Run the script to disable a maximum of services:

    > Set-ExecutionPolicy Unrestricted
    (confirm)
    > .\windows10_lightener.ps1 -All

    Manually disable the following services as well:

    • Print Spooler
    • DPS (Diagnostic Policy Service)
    • Themes
    • Workstation (SMB client)

    IMPORTANT: In order to re-enable networking afterwards, reactivate the following services:

    • Windows Event Log
    • Network Connections
    • Network List Service

    IMPORTANT: The anti-virus disabling done by this script does not persist across a VM reboot, which is why we recommend disabling it via group policy as described above. Alternatively, the script may be executed after each reboot to disable the AV services again:

    > Set-ExecutionPolicy Unrestricted
    (confirm)
    > .\windows10_lightener.ps1 -DisableAV

  • Run the script to disable basic services only:

    > Set-ExecutionPolicy Unrestricted
    (confirm)
    > .\windows10_lightener.ps1 -Basic

Note that Set-ExecutionPolicy Unrestricted changes the machine-wide policy of the guest; add -Scope Process if you prefer to relax it only for the current console. The script must be invoked with a path prefix (.\) because PowerShell does not run scripts from the current directory by bare name.
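As an added example (this is not the REVEN lightener script, which you should read for the full list of what it changes), the following PowerShell disables the extra services listed above, saves their previous startup types to a JSON file so the change can be reverted, and re-enables the networking services when you need the network back. The service short names are assumptions mapped from the display names above (Spooler, DPS, Themes, LanmanWorkstation, EventLog, Netman, netprofm); run it from an elevated console.

```powershell
# Added example (not the REVEN lightener script): disable the extra services
# listed in the documentation, with a saved state file to undo the change.
# Service short names are assumptions mapped from the display names above.
$extraServices = @(
    'Spooler',            # Print Spooler
    'DPS',                # Diagnostic Policy Service
    'Themes',
    'LanmanWorkstation'   # Workstation (SMB client)
)
# Services the documentation says to reactivate when networking is needed.
$networkServices = @('EventLog', 'Netman', 'netprofm')

$backup = Join-Path $env:USERPROFILE 'lightener-services.json'

function Save-ServiceState([string[]]$Names, [string]$Path) {
    # Record name, startup type and status so Restore-ServiceState can undo.
    Get-Service -Name $Names -ErrorAction SilentlyContinue |
        Select-Object Name, StartType, Status |
        ConvertTo-Json | Set-Content -Path $Path
    Write-Host "saved service state to $Path"
}

function Disable-Services([string[]]$Names) {
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "$n not found, skipping"; continue }
        # -Force also stops dependent services (LanmanWorkstation has some).
        Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
        Set-Service -Name $n -StartupType Disabled
        Write-Host "disabled $n"
    }
}

function Enable-Services([string[]]$Names, [string]$StartupType = 'Automatic') {
    foreach ($n in $Names) {
        Set-Service -Name $n -StartupType $StartupType
        Start-Service -Name $n -ErrorAction SilentlyContinue
        Write-Host "enabled $n"
    }
}

function Restore-ServiceState([string]$Path) {
    # Put every saved service back to the startup type it had before.
    foreach ($s in (Get-Content -Path $Path | ConvertFrom-Json)) {
        Set-Service -Name $s.Name -StartupType $s.StartType
        Write-Host "restored $($s.Name) to $($s.StartType)"
    }
}

Save-ServiceState ($extraServices + $networkServices) $backup
Disable-Services $extraServices

# Later, when the scenario needs the network:
#   Enable-Services $networkServices
# To undo everything this script changed:
#   Restore-ServiceState $backup
```

Keep the state file outside the snapshot you hand to REVEN if you do not want it recorded; and remember that disabling the Windows Event Log also removes the guest's own audit trail, which is fine for a throwaway analysis VM but is exactly what you would not do on a production host.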
    

Using the provided NTLite template

NTLite is a tool that eases the process of customizing Windows. It can be used either on a running system, such as a VM, or on an installation ISO. The provided template is meant to be applied to a live, running system.
You will need at least an NTLite Home license to modify your VM.

Please follow the instructions below during the "Configuration of the windows guest" step of the "VM setup" wizard:

  1. Install NTLite on the VM. You can transfer the NTLite setup file through the "file CDROM" feature.
  2. Activate your NTLite license on this VM.
  3. Load the current Windows installation into NTLite.
  4. Load the provided template by inserting the "Windows 10 lightener CDROM".
  5. Apply the changes required by the template. A few reboots may be required to fully apply all the modifications.
  6. You are done when all the changes have a green bullet in the "Apply" section of NTLite.

NOTE: Installing NTLite on the VM may require an active internet connection. Please refer to NTLite's documentation for more information about how to install NTLite.

Maximizing the symbol coverage

For Microsoft Windows systems, OSSI can be derived from binaries and from Program Database (PDB) symbol files.

REVEN will automatically download PDBs, provided that:

  • the binaries executed in your scenarios are in the prepared file system (see More about preparing snapshots);
  • it has access to a PDB source (by default REVEN knows about Microsoft's PDB servers and a few others).

This automatic download occurs during Replay, or, if "Enable live PDB download" is checked in the scenario's analysis page, during analysis. The latter option is not recommended, as it freezes the GUI during each new PDB download.

Final touches

Finally, here are a few recommendations to make the overall experience smoother:

  • Install all .NET & MSVC runtimes: you will need them.
  • Force .NET precompilation with commands such as %windir%\microsoft.net\framework64\v4.0.30319\ngen.exe update /force; otherwise it may consume CPU time when you least want it to (see Microsoft's support about that issue).
  • Set up autologon (use Sysinternals Autologon): this makes creating live snapshots smoother, as you don't have to log in every time. The Sysinternals tool stores the password as an LSA secret rather than in clear text in the Winlogon registry key, which is preferable even in a throwaway VM.
  • Install all the software you may want:
    • Process explorer / hacker
    • Your favorite web browser
    • Etc.
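As an added example (not from the page), the following PowerShell generalizes the ngen tip above to every installed 4.x CLR, 32-bit and 64-bit, and then drains the ngen queue so that no deferred compilation is left to run in the background during a recording. It assumes the standard framework locations under %windir%\Microsoft.NET and must be run from an elevated console.

```powershell
# Added example (not from the REVEN documentation): run ngen for both the
# 32-bit (Framework) and 64-bit (Framework64) 4.x CLRs, then execute any
# queued compilation work so nothing is left for the background service.
$ngens = Get-ChildItem -Path "$env:windir\Microsoft.NET\Framework*\v4.0.30319\ngen.exe" `
                       -ErrorAction SilentlyContinue

if (-not $ngens) {
    Write-Warning 'no 4.x ngen.exe found; is the .NET Framework 4.x installed?'
}

foreach ($ngen in $ngens) {
    Write-Host "== $($ngen.FullName)"
    # Recompile all native images for installed assemblies, unconditionally.
    & $ngen.FullName update /force
    # Run whatever ngen had deferred to its low-priority queue right now.
    & $ngen.FullName executeQueuedItems
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ngen returned exit code $LASTEXITCODE for $($ngen.FullName)"
    }
}

# Sanity check: the queue should be empty afterwards.
foreach ($ngen in $ngens) {
    & $ngen.FullName queue status
}
```

Expect this to take several minutes on a fresh install; run it once, before you take the snapshot you will record from, rather than every boot.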

More details about version support

We support and test REVEN against new Windows 10 major updates when they are released; however, if you have problems with a specific version, please contact support.

We occasionally test against Insider Preview builds in a best-effort fashion.

Please note that we consider Windows 10 64-bit a priority; as a result, some features do not support older Windows versions or 32-bit editions. Here is a summary of those features:

Feature                                   Perimeter
Automatic binary recording                Windows 10 64-bit
(excl. ASM-stub recording)
Snapshot lightening                       Windows 10 64-bit & 32-bit
                                          (not mandatory on Windows 7)
PCAP network activity reconstruction      Windows 10 64-bit