Tool Release: FLARE VM — The Windows Malware Analysis Distribution

As a reverse engineer on the FLARE Team, I rely on a customized Virtual Machine (VM) to perform malware analysis. The Virtual Machine is a Windows installation with numerous tweaks and tools to aid my analysis. Unfortunately, trying to maintain a custom VM like this is very laborious: tools frequently get out of date and it is hard to change or add new things. There is also a constant fear that if the VM gets corrupted, it would be super tedious to replicate all of the settings and tools that I’ve built up over the years.

To address this and many related challenges, I have developed a standardized (but easily customizable) Windows-based security distribution called FLARE VM. It is a freely available, open-source Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers. Inspired by open-source Linux-based security distributions like Kali Linux, REMnux and others, FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation, web assessment, exploitation, vulnerability assessment applications, and many others.

Check out my blog post discussing the release in detail here:

Also, stop by the Arsenal section of Black Hat to see a live demo of the Virtual Machine and a sample malware reverse engineering session:

You can download the latest version of the FLARE VM installation script at the following GitHub repo: