This is a follow-up post showing all of the steps I took to get this tool going in VMware and in its default QEMU. The post illustrates a Windows configuration, but the same steps will work on Linux for the most part.
The first step is to download ZeroWine. You can download it here. It comes as a prebuilt QEMU disk image.
The next step is to download QEMU for Windows. You can download it here.
Once you have downloaded and extracted both files, you will need to try to run the virtual machine. (If you don't want to run this in QEMU at all, skip the next paragraph.)
A QEMU virtual machine is started from a batch file. QEMU is somewhat like Dynamips, for those of you who are familiar with that type of virtual machine usage. We will need to create a batch file that calls qemu.exe; the exact contents will vary from computer to computer. My batch file has the following line to run the virtual machine, which should start ZeroWine under QEMU:
qemu.exe -L . -m 128 -hda C:\zerowine_vm\hda.img -redir tcp:8000:10.2.0.15:8000
I wanted to use VMware, so what I did was convert the image file to the .vmdk format and use it with VMware. Luckily we already have the tool we need to do this: qemu-img.exe can convert .img files to .vmdk. The command we use to do this is:
qemu-img.exe convert c:\zerowine_vm\hda.img -O vmdk c:\zerowine_vm\zerowine.vmdk
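Both steps above (launching the image under QEMU with a port redirect, and converting the image with qemu-img) can be wrapped in a small script. The following is an added example for the Linux case, not part of the original post or of the ZeroWine project. It assumes qemu-img and qemu-system-i386 are on the PATH, keeps the guest address 10.2.0.15 and memory size from the post, and uses the newer hostfwd syntax in place of -redir (which later QEMU releases removed); it binds the forwarded port to 127.0.0.1 so the ZeroWine web interface is only reachable from the host itself.

```shell
#!/bin/sh
# Added helper script (hypothetical, not from the ZeroWine project).
# It converts the ZeroWine raw disk image to VMDK for VMware and builds a
# QEMU command line that forwards the web interface to the host loopback only.

# Convert a raw .img to .vmdk with qemu-img. Refuses to run when the source
# image is missing and never overwrites an existing target file.
zw_convert_image() {
    src="$1"
    dst="$2"
    [ -f "$src" ] || { echo "source image not found: $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "target already exists: $dst" >&2; return 2; }
    command -v qemu-img >/dev/null 2>&1 || { echo "qemu-img not on PATH" >&2; return 3; }
    qemu-img convert -O vmdk "$src" "$dst"
}

# Print (do not run) the QEMU command line for the image.
# Arguments: image path, host port (default 8000), guest IP (default
# 10.2.0.15 as in the post), guest port (default 8000).
# hostfwd replaces the legacy -redir option; binding to 127.0.0.1 keeps the
# sandbox UI off every other interface. The e1000 NIC is an assumption that
# suits the image's Linux 2.6 kernel.
zw_qemu_cmd() {
    img="$1"
    hostport="${2:-8000}"
    guestip="${3:-10.2.0.15}"
    guestport="${4:-8000}"
    [ -f "$img" ] || { echo "disk image not found: $img" >&2; return 1; }
    case "$hostport" in
        ''|*[!0-9]*) echo "bad host port: $hostport" >&2; return 1 ;;
    esac
    printf '%s' "qemu-system-i386 -m 128 -hda \"$img\"" \
        " -netdev user,id=n0,hostfwd=tcp:127.0.0.1:${hostport}-${guestip}:${guestport}" \
        " -device e1000,netdev=n0"
}

# Example usage (only runs when ZW_RUN=1 so the file can be sourced safely):
#   ZW_RUN=1 sh zerowine.sh /path/to/hda.img /path/to/zerowine.vmdk
if [ "${ZW_RUN:-0}" = "1" ]; then
    zw_convert_image "$1" "$2" || exit $?
    echo "To launch under QEMU instead, run:"
    zw_qemu_cmd "$1"
    echo
fi
```

printf concatenates its three arguments into one line, so the printed command can be pasted straight into a shell; the -redir line in the post stays valid only on the old QEMU build that ships with the Windows package.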
After a few minutes a .vmdk file should appear in the directory you specified. Now it's time to create a new virtual machine and attach the zerowine.vmdk file we just created.
To start, open VMware Workstation and choose File > New > Virtual Machine. Choose Next, then Custom, then Next twice. Then choose Linux and Other Linux 2.6.x kernel.
Click Next until you reach the networking section and choose NAT networking there. Click Next twice more to reach the Select a Disk section. Choose "use existing" and point it at the .vmdk file we created earlier. After this, finish the virtual machine wizard and boot it up.
OK, so now we have a booting image of ZeroWine. We have a few steps left. The first step is to change the keyboard map; then we need to change a file so that eth0 comes up correctly. To do this, log in as root with the password zerowine. Then type
walk through this wizard and change your keyboard map to pc us standard, then use the following command
Then delete all lines in this file. This lets you reclaim your eth0; otherwise, if you had opened this file in QEMU previously, eth0 might not show up in ifconfig.
Then in the VMware window choose Edit > Virtual Network Settings. Choose the NAT tab, then the Edit button, then the Port Forwarding button and finally the Add button. Enter a host port of 8000, the IP address of the virtual machine, and a guest port of 8000. If you don't know the IP address of the virtual machine, run ifconfig eth0 inside it; this will show you the virtual machine's IP address.
Finally, enter 127.0.0.1:8000 in a browser and you will get the ZeroWine web interface. It should look like the following.
That's it: we have a cool incident response and malware analysis tool working in VMware. The reports aren't bad, and it does unpacking as well. I hope newer versions expand on the functionality of this tool.