Windows Sandbox (WSB) starter project for malware analysis: automatically provisions a ready-to-use Windows Sandbox environment, including analysis tools, a preconfigured .wsb file, and helper scripts/samples.
- Change the MemoryInMB entry in analysis.wsb to something your system can handle; it is 8 GB of RAM by default, designed for a 16 GB machine.
- Ensure Windows Sandbox is enabled.
- Add/remove any program you want from applications/applications.dat by using its corresponding WinGet package ID; you can search for a program here: https://winget.ragerworks.com/
- Use the preconfigured .wsb file from this repo.
- Start the Sandbox and let the install complete (this can take 10+ minutes).
Pro tip: use the download-applications.ps1 script to download the WinGet installers locally on your host machine. This can speed up installations in the Windows Sandbox environment by quite a bit, as the programs have already been downloaded and will not need to be hash verified.
The installer uses winget to install the following tools:
| Category | Tool | Winget id |
|---|---|---|
| Utilities | Everything | voidtools.Everything |
| Compression / archives | 7-Zip | 7zip.7zip |
| System / process tooling | Sysinternals Suite | Microsoft.Sysinternals.Suite |
| Reverse engineering | x64dbg | x64dbg.x64dbg |
| Reverse engineering | rizin | Rizin.Rizin |
| .NET reverse engineering | dnSpyEx | dnSpyEx.dnSpyEx |
| Browser | LibreWolf | LibreWolf.LibreWolf |
| Editor / IDE | Zed | ZedIndustries.Zed |
| Network analysis | Wireshark | WiresharkFoundation.Wireshark |
| Launcher | Flow Launcher | Flow-Launcher.Flow-Launcher |
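An added example of the unattended install loop the table above implies (this is not the repo's install-deps.ps1; it assumes applications.dat holds one WinGet package ID per line, with `#` comment lines allowed). The `--exact` flag matters for an analysis box: without it, winget falls back to a fuzzy match and could install a different package with a similar name.

```powershell
# Added example, not the project's own script. Installs every WinGet package ID listed
# in applications/applications.dat and reports the IDs that failed.
param(
    [string]$ManifestPath = (Join-Path $PSScriptRoot 'applications\applications.dat'),
    [string]$LogPath      = (Join-Path $env:TEMP 'winget-install.log')
)

if (-not (Test-Path -LiteralPath $ManifestPath)) {
    throw "Package list not found: $ManifestPath"
}

# One ID per line; skip blanks, comments and duplicates.
$ids = Get-Content -LiteralPath $ManifestPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Select-Object -Unique

$failed = @()
foreach ($id in $ids) {
    Write-Host "Installing $id ..."
    # --exact: match the ID exactly rather than fuzzily.
    # --silent / --disable-interactivity: no installer UI or prompts in an unattended run.
    # --accept-*: required for winget to proceed without a human clicking through agreements.
    $output = winget install --id $id --exact --silent --disable-interactivity `
        --accept-package-agreements --accept-source-agreements 2>&1
    $output | Add-Content -LiteralPath $LogPath

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "winget install failed for $id (exit code $LASTEXITCODE); see $LogPath"
        $failed += $id
    }
}

if ($failed.Count -gt 0) {
    Write-Warning ("Failed packages: " + ($failed -join ', '))
    exit 1
}
Write-Host "All $($ids.Count) packages installed."
```

Run it from the repo root inside the Sandbox session. Keeping the log in the guest is fine because the whole session is discarded on close; copy it out via a writable mapped folder only if you need it on the host.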
After installation, the script pins these binaries to the taskbar when they exist at their expected locations:
- LibreWolf (librewolf.exe)
- dnSpyEx (dnSpy.exe)
- Sysinternals (ProcMon64.exe, procexp64.exe, tcpview64.exe, Autoruns64.exe)
- x64dbg (x64dbg.exe)
- Wireshark (Wireshark.exe)
- applications/applications.dat - A list of WinGet package IDs to install into the sandbox
- samples/ - A placeholder folder for malware samples
- scripts/ - Install scripts (preinstall.ps1, helpers.ps1, install-winget.ps1, install-deps.ps1)
- scripts/Pin-Taskbar/ - Function helper, included as a submodule of https://github.com/Freenitial/Pin-Taskbar
- analysis.wsb - A preconfigured Windows Sandbox file
- download-applications.ps1 - Optional helper script to run on the host machine; it downloads the manifest and installer files for each program in applications.dat
- Please respect the license of https://github.com/Freenitial/Pin-Taskbar and do not use their tool for commercial use; you can use my work for commercial use but you will need to remove all traces of their project.
- The .wsb file is configured to integrate your applications/, samples/ and scripts/ directories into the Sandbox session.
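An added example that ties the MemoryInMB advice and the folder mapping together. It is not the repo's analysis.wsb; it generates an equivalent .wsb file on the host, sizing MemoryInMB from the host's physical RAM instead of hard-coding 8192, and mapping applications/, samples/ and scripts/ read-only so nothing running in the guest can write back to those host directories. The guest-side paths (the WDAGUtilityAccount desktop), the logon command that launches preinstall.ps1, and the 4096 MB floor are assumptions, not values taken from the repo.

```powershell
# Added example, not the repo's analysis.wsb or any of its scripts.
# Writes a Windows Sandbox .wsb for this repo layout (applications/, samples/, scripts/).
function New-AnalysisWsb {
    param(
        [Parameter(Mandatory)] [string] $RepoRoot,
        [string] $OutputPath = (Join-Path $RepoRoot 'analysis-generated.wsb'),
        # Share of host RAM handed to the guest; 0.5 on a 16 GB host gives 8192 MB.
        [ValidateRange(0.1, 0.9)] [double] $MemoryFraction = 0.5,
        # Assumed floor below which the analysis tools become impractical to run.
        [int] $MinimumMB = 4096
    )

    $RepoRoot  = (Resolve-Path -LiteralPath $RepoRoot).Path
    $hostBytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
    $memoryMB  = [int][math]::Floor(($hostBytes / 1MB) * $MemoryFraction)
    if ($memoryMB -lt $MinimumMB) {
        throw "Host has $([int]($hostBytes / 1MB)) MB; $MemoryFraction of it is below the $MinimumMB MB floor."
    }

    # Default sandbox user's desktop (assumed); each repo folder lands there by name.
    $guestDesktop = 'C:\Users\WDAGUtilityAccount\Desktop'

    # ReadOnly=true: the guest can read samples, scripts and cached installers, but a
    # misbehaving sample cannot alter or delete them on the host.
    $mapped = foreach ($name in 'applications', 'samples', 'scripts') {
        $hostPath = Join-Path $RepoRoot $name
        if (-not (Test-Path -LiteralPath $hostPath -PathType Container)) {
            throw "Missing folder: $hostPath"
        }
        $h = [System.Security.SecurityElement]::Escape($hostPath)
        $g = [System.Security.SecurityElement]::Escape((Join-Path $guestDesktop $name))
        "    <MappedFolder>`n      <HostFolder>$h</HostFolder>`n      <SandboxFolder>$g</SandboxFolder>`n      <ReadOnly>true</ReadOnly>`n    </MappedFolder>"
    }

    # Assumed entry point: the repo's preinstall.ps1 from the mapped scripts/ folder.
    $logon = [System.Security.SecurityElement]::Escape(
        "powershell.exe -ExecutionPolicy Bypass -File $guestDesktop\scripts\preinstall.ps1")

    # Networking stays Default because winget needs to reach its source during install.
    # Clipboard and printer redirection are off so the guest has fewer channels back to the host.
    $xml = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Default</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MemoryInMB>$memoryMB</MemoryInMB>
  <MappedFolders>
$($mapped -join "`n")
  </MappedFolders>
  <LogonCommand>
    <Command>$logon</Command>
  </LogonCommand>
</Configuration>
"@

    Set-Content -LiteralPath $OutputPath -Value $xml -Encoding UTF8
    return $OutputPath
}

# Usage: New-AnalysisWsb -RepoRoot 'C:\src\wsb-starter' -MemoryFraction 0.25
```

Double-click the generated file to start the session. If you later want to detonate a sample with no network at all, change `<Networking>` to `Disable` after the tool install has completed, since the winget step above depends on connectivity.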