Hyper-V Malware Analysis Part #2

I have been in the process of setting my Dell server up with Windows Server 2016. I had ESXi earlier, but with Windows Server I can add a wireless adapter. The router is upstairs and my room is downstairs, so a WiFi card is much better than running wiring.

In Hyper-V Manager, when you open the Virtual Switch Manager you can bind an interface card or WiFi adapter to your external network.

Once you select it and allow the management OS to share the adapter, the physical adapter will get an IP address, which allows communication between the VMs and the host.

I am in the process of setting up a lab for malware analysis. I have a VM set up with two virtual interfaces that acts as a router. It does NAT, but communication can still happen from the hosts to my internal home subnet. A firewall rule is set up to not allow any communication to my internal network except to my home router. This actually works well and blocks management OS communication.

Of course, I would much rather turn off any management OS sharing with that adapter, so I have unchecked the “Allow management OS to share this network adapter” check box.

What does this mean?

On my host it shows I am connected to my WiFi card, but with no internet connectivity and no IP address. My host now isn’t getting a DHCP lease from my home router. My guest VM does, since that adapter is shared with it and it is able to communicate with my WiFi router. I have just turned off the host’s ability to get an IP address.

Another way to think of this is as a passive passthrough, where the physical NIC or WiFi card now only allows communication with the guest VMs.

This is perfect for malware analysis, since my VMs won’t be communicating with the host (management OS). Of course they will still traverse to my home router, but that is where the firewall rules come in, to only allow access to my home router.
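The same switch configuration done from PowerShell, as an added example that is not from the original post: the adapter name and switch name are placeholders, and the cmdlets are the standard Hyper-V and NetAdapter ones, so you can confirm that the “Allow management OS” setting really is off rather than trusting the GUI check box.

```powershell
# Added example (not from the original post): create a Hyper-V external switch
# that is NOT shared with the management OS, then verify the host has no vNIC on it.
# Assumptions: $AdapterName and $SwitchName are placeholders for your own names.
$AdapterName = 'Wi-Fi'                # assumed: name as shown by Get-NetAdapter
$SwitchName  = 'MalwareLab-External'  # assumed: switch name used in the lab

$nic = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
if ($nic.Status -ne 'Up') { throw "Adapter '$AdapterName' is not up." }

if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    # -AllowManagementOS $false is the PowerShell equivalent of leaving the
    # "Allow management OS to share this network adapter" box unchecked.
    New-VMSwitch -Name $SwitchName -NetAdapterName $AdapterName -AllowManagementOS $false | Out-Null
} else {
    # Switch already exists (e.g. created in the GUI): make sure sharing is off.
    Set-VMSwitch -Name $SwitchName -AllowManagementOS $false
}

# Check 1: the switch itself reports AllowManagementOS = False.
Get-VMSwitch -Name $SwitchName | Select-Object Name, SwitchType, AllowManagementOS

# Check 2: no host-side (management OS) virtual NIC is attached to this switch.
$hostVnic = Get-VMNetworkAdapter -ManagementOS | Where-Object { $_.SwitchName -eq $SwitchName }
if ($hostVnic) {
    Write-Warning "Management OS still has a vNIC on '$SwitchName'"
} else {
    Write-Output "OK: host has no vNIC on '$SwitchName'"
}

# Check 3: the host no longer holds an IPv4 address on the physical adapter,
# which matches the "connected, but no internet and no IP" state described above.
$hostIp = Get-NetIPAddress -InterfaceAlias $AdapterName -AddressFamily IPv4 -ErrorAction SilentlyContinue
if ($hostIp) {
    Write-Warning "Host still has IPv4 on '$AdapterName': $($hostIp.IPAddress -join ', ')"
} else {
    Write-Output "OK: host has no IPv4 address on '$AdapterName'"
}
```

Run it in an elevated PowerShell session on the Hyper-V host; if Check 2 or Check 3 warns, the management OS is still sharing the adapter and the guests are not isolated from the host as intended.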
