obfuscated-loop/wsb-malware-analysis
wsb-malware-analysis

Windows Sandbox (WSB) starter project for malware analysis: automatically provisions a ready-to-use Windows Sandbox environment, including analysis tools, a preconfigured .wsb file, and helper scripts/samples.

Change the MemoryInMB entry in analysis.wsb to a value your system can handle: the default is 8 GB of RAM, sized for a 16 GB host machine.

Quick start

  1. Ensure Windows Sandbox is enabled.
  2. Use the preconfigured .wsb file from this repo.
  3. Start the Sandbox and let the installer provision tools automatically (this takes 10 mins or more, depending on internet connection and system speed).

What it installs

The installer uses winget to install the following tools:

| Category | Tool | Winget id |
| --- | --- | --- |
| Utilities | Everything | voidtools.Everything |
| Compression / archives | 7-Zip | 7zip.7zip |
| System / process tooling | Sysinternals Suite | Microsoft.Sysinternals.Suite |
| Reverse engineering | x64dbg | x64dbg.x64dbg |
| Reverse engineering | rizin | Rizin.Rizin |
| .NET reverse engineering | dnSpyEx | dnSpyEx.dnSpyEx |
| Browser | Helium | ImputNet.Helium |
| Editor / IDE | Zed | ZedIndustries.Zed |
| Network analysis | Wireshark | WiresharkFoundation.Wireshark |
| Launcher | Flow Launcher | Flow-Launcher.Flow-Launcher |

Taskbar pinning (after installs)

After installation, the script pins these binaries to the taskbar when they exist at their expected locations:

  • Helium (chrome.exe)
  • dnSpyEx (dnSpy.exe)
  • Sysinternals (ProcMon64.exe, procexp64.exe, tcpview64.exe, Autoruns64.exe)
  • x64dbg (x64dbg.exe)
  • Wireshark (Wireshark.exe)

Project layout

  • *.wsb (preconfigured Windows Sandbox file)
  • scripts/
  • samples/
    • A placeholder folder for malware samples

The installer also references: C:\Users\WDAGUtilityAccount\AppData\Local\... and expects Windows Sandbox’s default account profile path.

How the installer functions

The installer is a PowerShell script that:

  1. Creates a simple always-on-top UI

    • Uses WinForms to show a single “console-style” status window.
  2. Installs dependencies via winget

    • Defines a list of WinGetPackages.
    • Iterates each package:
      • Updates the UI text: Installing: <pkg>
      • Runs:
        • winget install <id> --silent --force --accept-source-agreements --disable-interactivity --source winget
  3. Computes install paths inside the Sandbox profile

    • Sets:
      • $AppDataLocal = "C:\Users\WDAGUtilityAccount\AppData\Local\"
    • Builds expected binary paths under:
      • $AppDataLocal\imput\Helium\...
      • $AppDataLocal\Microsoft\WinGet\Packages\...
    • Because winget may place package contents under a versioned folder tail, the script captures:
      • $WinGetPackageTail = "_Microsoft.Winget.Source_8wekyb3d8bbwe"
    • It uses that tail to form paths to Sysinternals + dnSpyEx + x64dbg executables.
  4. Removes pinned Edge from the taskbar

    • Deletes:
      • HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
    • (This is an aggressive reset of the taskbar band settings.)
  5. Restores the classic context menu and restarts Explorer

    • Restores legacy context menu behavior by writing a registry value:
      • HKCU\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 (default value)
    • Restarts Explorer:
      • Stop-Process -processname explorer
      • sleep 3
  6. Pins selected tools to the taskbar

  7. Launches Flow Launcher and Helium

  8. Closes the UI and shows a completion toast
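The following is an added example, not the repository's own install-deps.ps1, showing how steps 2, 3 and 6 above fit together with the checks a practitioner would want before trusting a freshly provisioned sandbox: the winget loop records each package's exit code instead of silently continuing, and a binary is only reported as pinnable once it has actually been found under the expected package folder. Package ids, the WDAGUtilityAccount profile path and the WinGetPackageTail value are taken from this README; the log file location and the recursive lookup under each package folder are assumptions.

```powershell
# Added example (not the repository's install-deps.ps1): winget install loop
# plus path resolution for the binaries the README pins to the taskbar.
$ErrorActionPreference = 'Stop'

# Package ids as listed in the README table.
$WinGetPackages = @(
    'voidtools.Everything', '7zip.7zip', 'Microsoft.Sysinternals.Suite',
    'x64dbg.x64dbg', 'Rizin.Rizin', 'dnSpyEx.dnSpyEx', 'ImputNet.Helium',
    'ZedIndustries.Zed', 'WiresharkFoundation.Wireshark', 'Flow-Launcher.Flow-Launcher'
)

$AppDataLocal      = 'C:\Users\WDAGUtilityAccount\AppData\Local'
$WinGetPackageTail = '_Microsoft.Winget.Source_8wekyb3d8bbwe'
$PackagesRoot      = Join-Path $AppDataLocal 'Microsoft\WinGet\Packages'
$LogFile           = Join-Path $AppDataLocal 'install-deps.log'   # assumed location

function Install-Package {
    param([string]$Id)
    # winget sets a non-zero exit code when an install fails; record it so a
    # missing tool is visible before any analysis starts.
    & winget install $Id --silent --force --accept-source-agreements `
        --disable-interactivity --source winget 2>&1 | Out-File -Append $LogFile
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "winget install $Id failed with exit code $LASTEXITCODE"
        return $false
    }
    return $true
}

function Resolve-PackageBinary {
    param([string]$Id, [string]$Exe)
    # Expected layout: <PackagesRoot>\<Id><Tail>\...\<Exe>. Searching below the
    # package folder (assumption) tolerates a versioned subfolder in between.
    $folder = Join-Path $PackagesRoot ($Id + $WinGetPackageTail)
    if (-not (Test-Path $folder)) { return $null }
    Get-ChildItem -Path $folder -Filter $Exe -Recurse -File |
        Select-Object -First 1 -ExpandProperty FullName
}

$failed = @()
foreach ($pkg in $WinGetPackages) {
    Write-Host "Installing: $pkg"
    if (-not (Install-Package $pkg)) { $failed += $pkg }
}

# Binaries the README pins, as (package id, executable) pairs.
$Pins = @(
    @{ Id = 'Microsoft.Sysinternals.Suite'; Exe = 'ProcMon64.exe' },
    @{ Id = 'Microsoft.Sysinternals.Suite'; Exe = 'procexp64.exe' },
    @{ Id = 'Microsoft.Sysinternals.Suite'; Exe = 'tcpview64.exe' },
    @{ Id = 'Microsoft.Sysinternals.Suite'; Exe = 'Autoruns64.exe' },
    @{ Id = 'dnSpyEx.dnSpyEx';              Exe = 'dnSpy.exe' },
    @{ Id = 'x64dbg.x64dbg';                Exe = 'x64dbg.exe' }
)

# Only binaries that really exist are handed on to the pinning step.
$pinnable = @()
foreach ($pin in $Pins) {
    $path = Resolve-PackageBinary $pin.Id $pin.Exe
    if ($path) { $pinnable += $path }
    else { Write-Warning "Not found, skipping pin: $($pin.Id) / $($pin.Exe)" }
}

if ($failed.Count) { Write-Warning ("Failed packages: " + ($failed -join ', ')) }
Write-Host "Resolved for pinning:"
$pinnable | ForEach-Object { Write-Host "  $_" }
```

The list in `$pinnable` is what you would pass to the pinning helper of your choice; the helper's own invocation is left out because its interface is not described here. If a package ends up under a different tail than the README assumes, the warning names the exact id and executable to go looking for.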

Notes

  • Please respect the license of https://github.com/Freenitial/Pin-Taskbar and do not use their tool for commercial use; you can use my work for commercial use but you will need to remove all traces of their project.
  • The installer relies on specific install-path conventions (especially for winget packages inside the sandbox profile). If package layouts differ, you may need to adjust the $WinGetPackageTail and binary paths in install-deps.ps1.
  • The .wsb file is configured to integrate your scripts/ and samples/ directories into the Sandbox session.
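As an added example that is not the repository's analysis.wsb, the script below writes a Windows Sandbox configuration of the kind described in these notes: MemoryInMB is the entry the README tells you to adjust, and scripts/ and samples/ are mapped into the session. Both folders are mapped read-only so that nothing run inside the sandbox can alter the host copies. The folder names and the WDAGUtilityAccount profile path come from this README; the host path, the installer file name install-deps.ps1 as the logon command target, the vGPU setting and the Networking parameter are assumptions you set for your own setup.

```powershell
# Added example (not the repository's analysis.wsb): generates a .wsb file
# with the memory setting and folder mappings the README describes.
param(
    [string]$RepoRoot   = (Get-Location).Path,
    [int]   $MemoryInMB = 8192,          # README default; lower this on a smaller host
    [ValidateSet('Default', 'Disable')]
    [string]$Networking = 'Default',     # installer needs the network for winget;
                                         # 'Disable' for a session that must stay offline
    [string]$OutFile    = 'analysis.wsb'
)

$scripts = Join-Path $RepoRoot 'scripts'
$samples = Join-Path $RepoRoot 'samples'
foreach ($d in @($scripts, $samples)) {
    if (-not (Test-Path $d -PathType Container)) { throw "Missing folder: $d" }
}

# ReadOnly=true on both mappings: the sandbox cannot write back to the host.
$wsb = @"
<Configuration>
  <vGPU>Disable</vGPU>
  <Networking>$Networking</Networking>
  <MemoryInMB>$MemoryInMB</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$scripts</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\scripts</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>$samples</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\samples</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell.exe -ExecutionPolicy Bypass -File C:\Users\WDAGUtilityAccount\Desktop\scripts\install-deps.ps1</Command>
  </LogonCommand>
</Configuration>
"@

# Parse before writing: Windows Sandbox rejects a malformed .wsb with little
# explanation, so catch XML mistakes here.
[xml]$parsed = $wsb
if (@($parsed.Configuration.MappedFolders.MappedFolder).Count -ne 2) {
    throw 'Unexpected number of mapped folders'
}
Set-Content -Path (Join-Path $RepoRoot $OutFile) -Value $wsb -Encoding UTF8
Write-Host "Wrote $OutFile with MemoryInMB=$MemoryInMB, Networking=$Networking"
```

Run it from the repository root (for example `.\New-AnalysisWsb.ps1 -MemoryInMB 4096`, the script name being your own choice) and double-click the resulting file. Keep Networking at Default for the first start so winget can fetch the tools; a read-only samples mapping is the one setting worth insisting on, since it is what keeps a detonated sample from touching the host's copy.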