Summary #
Continuing on where we left off, this next blog post will cover how to successfully emulate macOS using the UTM virtualisation platform.
I really wanted to include this software that was introduced to me by a fellow reverse engineer and good friend of mine. It’s a bit of a special platform because it uses QEMU to enable you to virtualise legacy x86 operating systems such as Windows XP, Windows 2003 and so on. There are a few bugs at present that exist within this program that make it harder to network your machines (and at times you’re unable to at all, despite the functionality being there to do so). But, the work the devs are doing to build out this virtualisation platform is amazing - and they don’t charge much to get a full copy of the product either ($9.99 USD when I last checked). I’ve included the link to the App store in the tool list below, but for now, let’s walk through how to set up a legacy operating system successfully on an ARM based computer!
But first, let’s start with the basics - creating a macOS VM.
Creating a macOS VM - UTM #
Quite an easy process compared to our Windows journey via VMWare.
- Download a macOS `.ipsw` file from the Apple developer trove (it will require an account). Choose whatever operating system you desire (macOS 12 and above). I personally went for Sonoma, the latest release at the time of writing this.
- Once downloaded, open UTM and select `File > New`, selecting virtualise as your option (you can also download from the UTM gallery, but this catalog doesn’t currently include macOS).
- Select macOS 12+. It will prompt you to download a recovery IPSW, which we already have from step one.
- Drop the file into the window, and it will automatically move to the next step of the installation process.
- Select your memory (I just went with the default).
- Select the size of your HDD (I again went with the default).
- Name your virtual machine (something like mac malware analysis) and tick `open vm settings` before proceeding.
- (Optional but helpful) With the VM settings open you can add a shared path to interface with your host machine.
- Now proceed through the standard macOS set up process by turning on your newly created machine (this might take a while). I’d also skip the input of your AppleID as we did with Windows.
- Congratulations, you now have a working macOS VM!
Installing tools #
There are a few more configuration steps that we should go through prior to calling this one complete. I generally like to set up brew and ghidra for my macOS.
- Brew can be downloaded from here. Simply copy the handy dandy string below into your terminal and relax as it installs.

```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
```

Pay attention to the output of brew once it has successfully installed. You’ll need to add some things into your path. The commands should look similar to the ones below. Note that there will be an identical requirement when you install ghidra, gradle, and openjdk.

```bash
# replace "User" with your own account name
(echo; echo 'eval "$(/opt/homebrew/bin/brew shellenv)"') >> /Users/User/.zprofile
eval "$(/opt/homebrew/bin/brew shellenv)"
```
- Next is ghidra. This can be installed using your newly installed brew! Simply type the following commands, paying close attention to the versions specified, else ghidra might not work.

```bash
brew install ghidra gradle@7 openjdk@17
brew install python3

# add the following lines to your ~/.zshrc
eval "$(brew shellenv)"
export PATH="/opt/homebrew/opt/openjdk@17/bin/":$PATH
export PATH="/opt/homebrew/opt/gradle@7/bin/":$PATH
export GHIDRA_INSTALL_DIR="/opt/homebrew/Caskroom/ghidra/11.0-20231222/ghidra_11.0_PUBLIC"

# then in the terminal
source ~/.zshrc
cd "${GHIDRA_INSTALL_DIR}/support"
# rebuilding the native binaries locally stops gatekeeper from denying you access
# to the decompiler and other important bits of ghidra
./buildNatives
```
- Once complete, we need to download Ghidrathon and make a minor adjustment to the gradle file that is created when unzipped. Many thanks to @cyberkaida for the awesome tip in one of their fantastic streams on Twitch and for the commit on Ghidra.

```bash
cd /ghidra_scripts/
git clone https://github.com/mandiant/Ghidrathon.git
# cd into the ghidrathon dir
cd Ghidrathon
pip3 install --upgrade pip
# change the python variable in Ghidrathon's build.gradle to python3, otherwise the build will fail
vim build.gradle
# search for the string python and change the value as below
#   ...
#   else {
#       pythonBin = "python3" // this is "python" by default
#   }
# write and quit the file, then build the extension
gradle
# your build should have been successful
# the extension zip is written to dist/ (Ghidrathon-3.0.2 at the time of writing)
# move that file into your ghidra_scripts folder
```
macOS has removed python2 from the OS, so you only have python3 available.
Completing the above steps allows you to install extensions such as Ghidrathon into Ghidra. Because you have changed the python dependency to python3, when you enable this and deselect the old python2 interface, you’ll be good to go immediately (instead of internally raging as to why it isn’t working).
- Open Ghidra using `ghidraRun` to verify that the installation was successful. (I would also open a random binary in Ghidra to test that gatekeeper is no longer blocking aspects of Ghidra.)
- On the new project page, select `File > Install Extensions` and select Ghidrathon. Note that if you have created a non-standard ghidra scripts folder, you will have to search for the extension using the green plus button.
- Restart Ghidra when prompted.
- Next, open your new project and load a binary.
- Select `File > Configure > Configure Core` and select `Ghidrathon Plugin`. Then scroll down in the list and find `Python Plugin`. Turn this off, as we are now using python3.
- Finally, navigate to `Windows > Ghidrathon` and pop the new console down the bottom in place of the old python2 module. Remember to save your layout (`File > Save Layout`) so that every time you open Ghidra, you don’t need to redo your preferred layout.
For now, this is the bare-bones basics we require to perform analysis on macOS malware. Small celebrations here until we move onto installing legacy systems via UTM.
It’s normally at this point that I will clone this VM and title it `MacOS Malware - Clean`, and additionally disconnect the live machine from the internet. You can always leverage your shared drive to transfer malware (or turn the internet back on to facilitate this, just remember to turn it back off!).
Note that instead of cloning the VM you can also make it into a template that you can continually deploy. Just follow the steps available in the UTM documentation!
Using UTM for legacy operating systems #
As mentioned above, UTM does support virtualisation for x86 systems.
UTM - Windows #
The following section requires UTM to be installed on your MacBook. Note that UTM is a paid program available on the App store. If you don’t have the budget or feel comfortable spending the money, use this section to evaluate whether this program would be beneficial to your malware analysis environment.
- Select `File > New > Emulate`.
- Select your UTM template for the downloaded Windows ISO file.
- Once completed, double click on the UTM template and it will set up a Windows VM for you.
- From the turned off VM screen, scroll down to the CD/DVD option and select your downloaded iso, `en_windows_7_ultimate_with_sp1_x64_dvd_u_677332.iso` (or something similar).
- Launch your VM and navigate through the Windows 7 installation process. Note that you will be prompted to enter a product key; if you don’t have one, press the skip button.
- (Optional) Install FlareVM on this machine as per the instructions in the previous series post. Note that you will have to turn off your VM and adjust the HDD size for your Windows box to ensure you have enough room to install Flare successfully.
Congratulations! You are now emulating a legacy x86_64 Windows machine on your ARM processor. How cool is that!?
UTM - REMnux Linux #
This *nix distro is perhaps my favourite in existence. However, it currently isn’t available for ARM :(. UTM provides us with the capability to use all functions within this distro on an ARM based processor, which is pretty neat.
This one is a bit of an interesting case. I generally use the base operating system from UTM gallery to enable this install and then follow the instructions on the REMnux website for the more manual process of setting this VM up (so in short, it can take a little while longer to prep).
Resource | Description |
---|---|
Ubuntu Image | Ubuntu 20.04.3 desktop image download for REMnux installation |
REMnux Installation Instructions | Instructions for install of REMnux onto Ubuntu 20.04 |
Note that the emulated devices will not perform as quickly as your virtualised ones, due to the translation layer QEMU adds to enable x86_64 emulation.
- Just like Windows, select `File > New > Emulate`.
- Select your downloaded Ubuntu 20.04 ISO and select next.
- Continue through the VM setup process as is tradition. I left most of mine on defaults, bar the name of the machine.
- Now to install Ubuntu. Progress through the installation process and don’t stress if the VM is taking a bit more time to boot, I promise you it is. You can use whatever username and password combination you’d like; REMnux recommends the following:
  - Full Name: REMnux User
  - username: remnux
  - password: malware

Note: when the installation has completed, eject the ISO media by selecting the disk drive on the top right-hand corner of the UTM VM screen and clicking eject ubuntu iso, otherwise you’ll eternally be in a boot loop for the installer.

- Once completed, continue with the REMnux installation guide:
```bash
# open a terminal
wget https://REMnux.org/remnux-cli
# validate the SHA-256 hash; the published value is
# 88cd35b7807fc66ee8b51ee08d0d2518b2329c471b034ee3201e004c655be8d6
sha256sum remnux-cli
# set up REMnux
mv remnux-cli remnux
chmod +x remnux
sudo mv remnux /usr/local/bin
# install dependencies
sudo apt update
sudo apt install -y gnupg curl
# run installer
sudo /usr/local/bin/remnux install
# reboot the system
sudo reboot
```
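Eyeballing the `sha256sum` output against the published value is easy to get wrong, and the installer is about to run as root. The function below, an added example that is not part of the REMnux guide or the original post, compares the digest of the downloaded file with the expected value and refuses to continue on a mismatch, so it can gate the `chmod +x` step; it works with `sha256sum` (Ubuntu/REMnux) or `shasum` (macOS).

```bash
#!/bin/sh
# Added example (not from the original post or REMnux): verify a download's
# SHA-256 against the published digest before making it executable.

sha256_of() {
    # Print only the hex digest of the file given as $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_sha256() {
    # $1 = path to the file, $2 = expected digest (64 hex chars, any case).
    # Returns 0 on match, 1 on mismatch, 2 on a usage error.
    vs_file="$1"
    vs_expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    case "$vs_expected" in
        *[!0-9a-f]*|"")
            echo "verify_sha256: expected digest must be hex" >&2; return 2 ;;
    esac
    if [ "${#vs_expected}" -ne 64 ]; then
        echo "verify_sha256: expected digest must be 64 hex chars" >&2; return 2
    fi
    if [ ! -f "$vs_file" ]; then
        echo "verify_sha256: no such file: $vs_file" >&2; return 2
    fi
    vs_actual="$(sha256_of "$vs_file")"
    if [ "$vs_actual" = "$vs_expected" ]; then
        echo "OK   $vs_file"
        return 0
    fi
    echo "FAIL $vs_file" >&2
    echo "  expected: $vs_expected" >&2
    echo "  actual:   $vs_actual" >&2
    return 1
}

# Usage against the remnux-cli download described above (digest from the guide):
#   verify_sha256 remnux-cli \
#     88cd35b7807fc66ee8b51ee08d0d2518b2329c471b034ee3201e004c655be8d6 \
#     && chmod +x remnux-cli
```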
It might take a while to install REMnux, so now is the optimal time to have a coffee, tea, or go for a walk.
Congratulations! You now have a fully fledged REMnux install! You can proceed through the inetsim guide from the previous post in this series, but bear in mind that at the time of writing this article, networking is still slightly borked… so it might not work as planned.
Just like your macOS and Windows VMs, now is a really good time to template or clone this VM, switch off the internet and sigh with relief at all your hard work.
VMWare Fusion vs UTM #
The use cases to install these programs are fundamentally different from each other. The following table attempts to highlight the positives and negatives associated with each program.
Program | Positives | Negatives |
---|---|---|
VMWare Fusion | Available for free. Allows you to take snapshots of your VMs. Networking between machines is fluid and easy. Easy to install ARM based operating systems. | No support for legacy x86 operating systems. No support for virtualising macOS. |
UTM | Allows virtualisation of x86 platforms. Allows virtualisation of macOS. | Paid program available via the App Store. No snapshot functions for VMs (but this is coming very soon). Networking is currently tedious to set up and sometimes does not work between systems. |
To get around the current lack of snapshots, I clone a clean image of my UTM VMs that have been configured with the basic malware analysis tools I require. It’s a bit annoying, yes, but I honestly have so much time and faith in this product and the developers. I really think as the Apple Virtualisation Framework continues to improve and more people move over to ARM based processors, this program will become a real gem in the RE community.
References #
Resource | Description |
---|---|
UTM Documentation | Official documentation for UTM as released by the developers. Quite comprehensive, although some aspects are a little light on details (such as enabling sharing and copy/paste). |
UTM | Link to the official UTM application download on the app store. |
Ubuntu Image | Ubuntu 20.04.6 server image download for REMnux installation |
REMnux Installation Instructions | Instructions for install of REMnux onto Ubuntu 20.04 |
Windows 7 ISO | Link to a Windows ultimate iso for installation onto VM |
Ghidrathon | Link to the Ghidrathon repo |