Set up Windows 10 tools for RE / forensics
  1. Download Tools
  2. Install winget-cli
  3. Install Visual C++ for Python 2.7
  4. Update drivers (using Driver Easy)
  5. Enable running .ps1 scripts in an Administrator PowerShell: Set-ExecutionPolicy Unrestricted;
  6. Install IDA
  7. Install tools (using zEssentialTools.ps1)
  8. Edit the PATH environment variable so the Python 3 path comes before the Python 2 path
  9. Setup Python IDA
  10. Set up IDA plugins and capa-rules (rules author: herrcore)
  11. Setup x64dbg Plugin
  12. Setup procdot
  13. Setup cuckoo init

Additional setting:

  • Setup vim .vimrc
  • Set Everything to start with the system and set up a shortcut to toggle it
  • Add C:\tools\DidierStevensSuite to env
function installBoxStarter()
{
<#
.SYNOPSIS
Install BoxStarter on the current system
.DESCRIPTION
Install BoxStarter on the current system. Returns $true or $false to indicate success or failure. On
fresh windows 7 systems, some root certificates are not installed and updated properly. Therefore,
this function also temporarily trusts all certificates before installing BoxStarter.
.OUTPUTS
$true once Get-Boxstarter has run, $false when both attempts failed. The first catch block below
uses Write-Output, so on an old .NET Framework the output stream can carry that message ahead of
the boolean; callers should test the result for truthiness rather than compare it to $true.
.NOTES
Both attempts fetch https://boxstarter.org/bootstrapper.ps1 and hand it to Invoke-Expression, so
whatever that endpoint serves runs with this session's privileges. The second attempt switches
certificate validation off for the whole session (TrustAllCertsPolicy accepts every certificate),
so that download has no protection against an interposed TLS endpoint. A fixed, reviewed copy of
the bootstrapper is the safer choice anywhere other than a throw-away analysis VM.
#>
# See: https://chocolatey.org/docs/installation#completely-offline-install
# Attempt to set highest encryption available for SecurityProtocol.
# PowerShell will not set this by default (until maybe .NET 4.6.x). This
# will typically produce a message for PowerShell v2 (just an info message though)
try {
# Set TLS 1.2 (3072), then TLS 1.1 (768), then TLS 1.0 (192), finally SSL 3.0 (48)
# Use integers because the enumeration values for TLS 1.2 and TLS 1.1 won't
# exist in .NET 4.0, even though they are addressable if .NET 4.5+ is
# installed (.NET 4.5 is an in-place upgrade).
# Note the mask still allows TLS 1.0 and SSL 3.0 as fallbacks, not only TLS 1.2.
[System.Net.ServicePointManager]::SecurityProtocol = 3072 -bor 768 -bor 192 -bor 48
} catch {
# Write-Output (not Write-Host): this text lands on the function's output stream, see .OUTPUTS.
Write-Output 'Unable to set PowerShell to use TLS 1.2 and TLS 1.1 due to old .NET Framework installed. If you see underlying connection closed or trust errors, you may need to upgrade to .NET Framework 4.5+ and PowerShell v3+.'
}
# Try to install BoxStarter as is first, then fall back to be over trusting only if this step fails.
try {
if ($PSVersionTable -And $PSVersionTable.PSVersion.Major -ge 5) {
# PowerShell 5+: download the bootstrapper, evaluate it, then call Get-Boxstarter (presumably defined by it).
. { iwr -useb https://boxstarter.org/bootstrapper.ps1 } | iex; Get-Boxstarter -Force
} else {
# Older PowerShell: same flow through WebClient.DownloadString.
iex ((New-Object System.Net.WebClient).DownloadString('https://boxstarter.org/bootstrapper.ps1')); Get-Boxstarter -Force
}
return $true
} catch {
Write-Host "Failed to install boxstarter. Trying again."
}
# https://stackoverflow.com/questions/11696944/powershell-v3-invoke-webrequest-https-error
# Allows current PowerShell session to trust all certificates
# Also a good find: https://www.briantist.com/errors/could-not-establish-trust-relationship-for-the-ssltls-secure-channel/
try {
# CheckValidationResult returns true unconditionally: no chain, name or expiry check at all.
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
}
}
"@
} catch {
# If the type is missing, New-Object below throws and the second attempt ends in its catch ($false).
Write-Host "Failed to add new type"
}
try {
# Become overly trusting
$prevCertPolicy = [System.Net.ServicePointManager]::CertificatePolicy
# From here until the restore below every server certificate presented to this process is accepted.
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
# Download and install boxstarter
if ($PSVersionTable -And $PSVersionTable.PSVersion.Major -ge 5) {
. { iwr -useb https://boxstarter.org/bootstrapper.ps1 } | iex; Get-Boxstarter -Force
} else {
iex ((New-Object System.Net.WebClient).DownloadString('https://boxstarter.org/bootstrapper.ps1')); Get-Boxstarter -Force
}
# Restore previous trust settings for this PowerShell session
# Note: SSL certs trusted from installing BoxStarter above will be trusted for the remaining PS session
# The restore is skipped when the download or Get-Boxstarter throws, so a failure leaves the session trusting everything.
[System.Net.ServicePointManager]::CertificatePolicy = $prevCertPolicy
return $true
} catch {
Write-Host "Failed to install boxstarter a second time."
return $false
}
}
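function installPortableTools {
<#
.SYNOPSIS
Download a zip archive and extract it into a target directory.
.DESCRIPTION
Downloads $Url into the C:\Tools staging directory (the archive file is named after the last
path segment of the URL), extracts it into $ExtractPath and deletes the archive afterwards.
Both directories are created when missing. Extraction uses Expand-Archive, which returns only
after the archive has been fully written; the earlier Shell.Application CopyHere call returns
before extraction finishes, so the Remove-Item that followed it could delete the archive while
it was still being read.
.PARAMETER ExtractPath
Directory the archive content is extracted into.
.PARAMETER Url
URL of the zip archive. Only TLS protects the download; nothing pins the content to a hash,
so pin one here for sources that do not publish signed releases.
.NOTES
Requires Expand-Archive (PowerShell 5.0+), which is present on the Windows 10 targets this
script is written for.
#>
param ([string]$ExtractPath, [string]$Url)
$StagingDir = "C:\Tools\"
# Create the staging and extraction directories; New-Item also creates missing parents.
# Out-Null keeps the DirectoryInfo objects off the function's output stream.
foreach ($dir in @($StagingDir, $ExtractPath)) {
    if( -Not (Test-Path -LiteralPath $dir) )
    {
        New-Item -ItemType directory -Path $dir | Out-Null
    }
}
$DownloadZipFile = Join-Path $StagingDir $(Split-Path -Path $Url -Leaf)
try {
    (New-Object Net.WebClient).Downloadfile($Url, $DownloadZipFile)
    #Invoke-WebRequest $Url -OutFile $DownloadZipFile
    # Synchronous extraction; -Force overwrites files left by an earlier run.
    Expand-Archive -LiteralPath $DownloadZipFile -DestinationPath $ExtractPath -Force
}
finally {
    # Drop the archive on every path (including an extraction error) so a retry starts clean.
    if (Test-Path -LiteralPath $DownloadZipFile) {
        Remove-Item -LiteralPath $DownloadZipFile
    }
}
}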
# Absolute path of the current user's Desktop folder; CreateShortcutDesktop writes its .lnk files here.
$DesktopPath = [System.Environment]::GetFolderPath([System.Environment+SpecialFolder]::Desktop)
function GenShortcut {
<#
.SYNOPSIS
Write a Windows .lnk shortcut that points at a target file.
.PARAMETER TargetFile
Path stored in the shortcut's TargetPath property.
.PARAMETER ShortcutFile
Full path of the .lnk file to create; written through the WScript.Shell COM object.
#>
param ([string]$TargetFile, [string]$ShortcutFile)
$wsh = New-Object -ComObject "WScript.Shell"
$link = $wsh.CreateShortcut($ShortcutFile)
$link.TargetPath = $TargetFile
# Nothing is written to disk until Save() is called.
$link.Save()
}
function CreateShortcutDesktop {
<#
.SYNOPSIS
Create a Desktop shortcut for an installed tool, if it is not already there.
.DESCRIPTION
Builds "<ShortcutName>.lnk" under $DesktopPath and calls GenShortcut for it. Nothing happens
when that shortcut already exists or when $TargetFile is absent, so the script can be re-run
and tools that were not installed are skipped silently.
.PARAMETER TargetFile
Path of the executable (or document) the shortcut should open.
.PARAMETER ShortcutName
Display name of the shortcut, without the .lnk extension.
#>
param ([string]$TargetFile, [string]$ShortcutName)
$linkPath = Join-Path $DesktopPath "$($ShortcutName).lnk"
# Guard clauses: keep existing shortcuts untouched and never point at a missing target.
if (Test-Path -Path $linkPath) { return }
if (-Not (Test-Path -Path $TargetFile)) { return }
GenShortcut $TargetFile $linkPath
}
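Write-Host "[+] Installing Boxstarter"
# installBoxStarter emits $true/$false on its output stream; on an old .NET Framework a
# Write-Output message may precede the boolean, in which case $rc is an array that -Not
# still evaluates as truthy, so the success path is unaffected.
$rc = installBoxStarter
if ( -Not $rc ) {
Write-Host "[ERR] Failed to install BoxStarter`n" -ForegroundColor Red
Read-Host "`tPress ANY key to continue..."
# Exit non-zero so a wrapper (scheduled task, parent script) sees the failure; a bare `exit` returned 0.
exit 1
}
# Reload PATH and friends so the cmdlets Boxstarter just installed resolve in this session.
refreshenv
Write-Host "[v] Boxstarter installed"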
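# Boxstarter options
$Boxstarter.RebootOk = $true # Allow reboots?
$Boxstarter.NoPassword = $false # Is this a machine with no login password?
$Boxstarter.AutoLogin = $true # Save my password securely and auto-login after a reboot
# Feeds Boxstarter resolves packages from; the FLARE/fireeye MyGet feed is listed before chocolatey.org.
Set-BoxstarterConfig -NugetSources "https://www.myget.org/F/fireeye/api/v2;https://chocolatey.org/api/v2"
Write-Host "[v] Boxstarter setup done"
# Basic setup
# Unrestricted: any local or downloaded .ps1 runs without a signature (needed for the tooling scripts below).
Update-ExecutionPolicy Unrestricted
Set-WindowsExplorerOptions -EnableShowProtectedOSFiles -EnableShowFileExtensions -EnableShowHiddenFilesFoldersDrives
Disable-BingSearch
# Winget install essential tools
winget install -e --id=7zip.7zip
winget install -e --id=vim.vim
winget install -e --id=Notepad++.Notepad++
winget install -e --id=Git.Git
winget install -e --id=WerWolv.ImHex
winget install -e --id=OpenJS.NodeJS.LTS
winget install -e --id=Microsoft.VisualStudioCode --scope machine
winget install -e --id=Mozilla.Firefox.ESR
#winget install -e --id=Microsoft.OpenJDK.11
# Pick up the new PATH entries (node, git, ...) before npm is used.
refreshenv
npm install --global yarn
# Set up Chocolatey
choco feature enable -n allowGlobalConfirmation
# allowEmptyChecksums lets packages that ship without a download checksum install, i.e. those
# downloads are not integrity-checked (presumably needed by some of the feeds below — confirm).
# Worth reviewing the installed set (choco list -lo) once the machine is built.
choco feature enable -n allowEmptyChecksums
choco install -y choco-cleaner
choco install -y vcredist-all
choco install -y python3 --version=3.7.9
#choco install -y 7zip notepadplusplus vim git imhex nodejs-lts
#choco install -y vscode
#choco install -y FirefoxESR
choco install -y sysinternals
choco install -y hxd fzf cmder
choco install -y checksum
choco install -y dnspyex
# --ignore-checksums disables download verification for this package only.
choco install -y PeStudio --ignore-checksums
choco install -y pebear die
choco install -y apimonitor processhacker
choco install -y wireshark Graphviz
choco install -y x64dbg.portable
choco install -y windows-sdk-10-version-1903-windbg
$fireeyeFeed = "https://www.myget.org/F/fireeye/api/v2"
# Direct invocation replaces iex "choco sources add ... $fireeyeFeed ...": the arguments are the
# same, and nothing needs to be re-parsed as PowerShell code (the winget calls above already
# pass -name=value arguments this way).
choco sources add -n=fireeye -s $fireeyeFeed --priority 1
refreshenv
choco install -y common.fireeye
#choco install -y cyberchef.flare
choco install -y exeinfope.flare lordpe.flare explorersuite.flare peid.flare resourcehacker.flare
choco install -y ImpRec.fireeye
choco install -y windump.fireeye procdot.fireeye
choco install -y bytecode-viewer.flare dex2jar.flare jd-gui.flare
choco install -y DotNetToJScript.fireeye
choco install -y py2exedecompiler.flare
choco install -y flare-qdb.python.flare
#choco install -y spystudio.flare dnsd.flare
choco install -y fakenet-ng.python.flare
choco install -y scdbg.flare
choco install -y metasploit.flare ncat.flare nmap.flare
# Remove the cached package downloads Chocolatey keeps under its lib directory.
choco-cleaner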
# vim-plug: fetch plug.vim and write it into the user's vim autoload directory (ni = New-Item; -Force overwrites).
iwr -useb https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim |`
ni $HOME/vimfiles/autoload/plug.vim -Force
# Python 2 via the py launcher: upgrade pip and setuptools first, then the Python 2-only tooling.
py -2 -m pip install --no-cache-dir -U pip
py -2 -m pip install --no-cache-dir -U setuptools
py -2 -m pip install --no-cache-dir vivisect
py -2 -m pip install --no-cache-dir cuckoo==2.0.5
# Python 3 (3.7.9 from choco above): same pattern, then the analysis libraries.
py -3 -m pip install --no-cache-dir -U pip
py -3 -m pip install --no-cache-dir -U setuptools
py -3 -m pip install --no-cache-dir wheel requests six flare-capa keystone-engine pyqt5 pyqt5-tools pycryptodome oletools yara
py -3 -m pip cache purge
# Portable zip tools: downloaded into C:\Tools and extracted in place (see installPortableTools).
# These downloads and the pip installs rely on TLS alone; none of them is pinned to a hash.
installPortableTools -ExtractPath "C:\Tools\" -Url "https://github.com/crypto2011/IDR/archive/refs/tags/27_01_2019.zip"
installPortableTools -ExtractPath "C:\Tools\xpeviewer" -Url "https://github.com/horsicq/XPEViewer/releases/download/0.04/xpeviewer_win64_portable_0.04.zip"
installPortableTools -ExtractPath "C:\Tools\" -Url "https://didierstevens.com/files/software/DidierStevensSuite.zip"
installPortableTools -ExtractPath "C:\Tools\CyberChef" -Url "https://gchq.github.io/CyberChef/CyberChef_v9.46.0.zip"
# Stegsolve is a bare jar, so it is fetched directly rather than through installPortableTools.
if( -Not (Test-Path -Path "C:/Tools/Stegsolve") )
{
New-Item -ItemType directory -Path "C:/Tools/Stegsolve/"
}
# Plain http and no checksum: the jar is not integrity-protected in transit; compare it against a
# known-good copy before running it.
(New-Object Net.WebClient).Downloadfile("http://www.caesum.com/handbook/Stegsolve.jar", "C:/Tools/Stegsolve/Stegsolve.jar")
# capa rules, branch v3 (presumably the branch matching the flare-capa installed above — confirm).
git clone --single-branch -b v3 https://github.com/mandiant/capa-rules.git "C:\Tools\capa-rules"
refreshenv
########################################
# Desktop shortcuts for the installed tools, as (target, shortcut name) pairs in the order they
# are created. CreateShortcutDesktop skips a pair whose target is absent, so entries for tools
# whose packages are commented out above (SpyStudio, DNSD) are simply ignored.
$sysinternalsPath = "C:\ProgramData\chocolatey\lib\sysinternals\tools"
$desktopShortcuts = @(
    @("$($sysinternalsPath)\procexp64.exe", "procexp"),
    @("$($sysinternalsPath)\Procmon64.exe", "Procmon"),
    @("$($sysinternalsPath)\Autoruns64.exe", "Autoruns"),
    @("C:\ProgramData\chocolatey\lib\apimonitor\tools\API Monitor (rohitab.com)\apimonitor-x64.exe", "apimonitor x64"),
    @("C:\ProgramData\chocolatey\lib\spystudio\tools\SpyStudio.exe", "SpyStudio"),
    @("C:\Program Files\Wireshark\Wireshark.exe", "Wireshark"),
    @("C:\Tools\procdot\win64\procdot.exe", "procdot"),
    @("C:\Tools\CyberChef\CyberChef_v9.46.0.html", "CyberChef"),
    @("C:\Tools\Stegsolve\Stegsolve.jar", "Stegsolve"),
    @("C:\ProgramData\chocolatey\lib\dnsd.flare\tools\DNSD.exe", "DNSD"),
    @("C:\ProgramData\chocolatey\lib\dnspyex\tools\dnSpy.exe", "dnSpy"),
    @("C:\ProgramData\chocolatey\lib\exeinfope.flare\tools\ExeinfoPe\exeinfope.exe", "exeinfope"),
    @("C:\ProgramData\chocolatey\lib\jd-gui.flare\tools\jd-gui-windows-1.6.6\jd-gui.exe", "JD-GUI"),
    @("C:\ProgramData\chocolatey\lib\PeStudio\tools\pestudio\pestudio.exe", "PeStudio"),
    @("C:\ProgramData\chocolatey\lib\lordpe.flare\tools\LordPE.EXE", "lordpe"),
    @("C:\ProgramData\chocolatey\lib\pebear\tools\PE-bear.exe", "PE-bear"),
    @("C:\ProgramData\chocolatey\lib\peid.flare\tools\PEiD.exe", "PEiD"),
    @("C:\ProgramData\chocolatey\lib\py2exedecompiler.flare\tools\Py2ExeDecompiler.exe", "Py2ExeDecompiler"),
    @("C:\ProgramData\chocolatey\lib\resourcehacker.flare\tools\ResourceHacker.exe", "ResourceHacker"),
    @("C:\Program Files\NTCore\Explorer Suite\CFF Explorer.exe", "CFF Explorer"),
    @("C:\ProgramData\chocolatey\lib\die\tools\die.exe", "Detect It Easy"),
    @("C:\Tools\ImpRec\ImpREC 1.7e\ImportREC.exe", "ImportREC"),
    @("C:\Tools\IDR-27_01_2019\Idr.exe", "IDR"),
    @("C:\Tools\xpeviewer\xpeviewer.exe", "xpeviewer"),
    @("C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe", "windbg.x86"),
    @("C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe", "windbg.x64"),
    @("C:\ProgramData\chocolatey\bin\x96dbg.exe", "x96dbg"),
    @("C:\Program Files\HxD\HxD.exe", "HxD"),
    @("C:\Program Files\ImHex\imhex.exe", "ImHex"),
    @("C:\Tools\Bytecode-Viewer\Bytecode-Viewer.jar", "Bytecode-Viewer"),
    @("C:\Program Files\Hex-Rays IDA Pro 7.7\ida.exe", "IDA.x86"),
    @("C:\Program Files\Hex-Rays IDA Pro 7.7\ida64.exe", "IDA.x64")
)
foreach ($pair in $desktopShortcuts) {
    CreateShortcutDesktop $pair[0] $pair[1]
}