qvm-create-windows-qube is a tool for quickly and conveniently installing fresh new Windows qubes with Qubes Windows Tools (QWT) drivers automatically. It officially supports Windows 7, 8.1 and 10 as well as Windows Server 2008 R2, 2012 R2, 2016 and 2019.
The project emphasizes correctness, security and treating Windows as an untrusted guest operating system throughout the entire process. It also features other goodies such as automatic installation of packages including Firefox, Office 365, Notepad++, Visual Studio and more using Chocolatey.
Installation
install.sh into Dom0 by running the following command in Dom0:
qvm-run -p --filter-escape-chars --no-color-output <qube_script_is_located_on> "cat '/home/user/Downloads/install.sh'" > install.sh
install.sh to ensure its integrity
chmod +x install.sh && ./install.sh
TemplateVM, which is fedora-XX by default
qvm-create-windows-qube.sh
A more streamlined and secure installation process with packaging will be shipping with Qubes R4.1.
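One way to support the integrity review of the copied install.sh before it is run in Dom0. This is an added example, not code from the qvm-create-windows-qube project; it assumes the script should be plain ASCII text, and the function names and the review_gate.sh file name are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the project): pre-review gate for a script that
# was copied into Dom0 from another qube.
# Assumption: the script is expected to be plain ASCII text.

# Count bytes that are not printable ASCII, tab or newline (ESC, CR, NUL,
# UTF-8 look-alikes). Such bytes can make the text shown by a terminal or
# editor differ from what the shell will execute.
count_unexpected_bytes() {
    n=$(LC_ALL=C tr -d '\11\12\40-\176' < "$1" | wc -c)
    echo $((n))
}

# Hex SHA-256 of the file, to compare by eye with the value computed on the
# same file in the source qube.
sha256_of() {
    sha256sum < "$1" | cut -d ' ' -f 1
}

# Returns 0 when the file is safe to open for review, 1 when unexpected bytes
# were found, 2 when the file cannot be read.
review_gate() {
    [ -f "$1" ] && [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    echo "sha256  $(sha256_of "$1")"
    bad=$(count_unexpected_bytes "$1")
    [ "$bad" -eq 0 ] && { echo "ok: printable ASCII only"; return 0; }
    echo "refusing: $bad unexpected byte(s) on these lines:" >&2
    tab=$(printf '\t')
    # cat -v renders control bytes as ^X / M-x so listing them is harmless.
    LC_ALL=C grep -a -n "[^ -~${tab}]" "$1" | cat -v >&2
    return 1
}

# Run as: sh review_gate.sh install.sh   (the file name is illustrative)
[ "$#" -eq 0 ] || review_gate "$1"
```

A clean result only means the file contains no hidden control or non-ASCII bytes; the script's logic still has to be read before it is executed.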
Usage
Usage: ./qvm-create-windows-qube.sh [options] -i -a
-h, --help
-c, --count Number of Windows qubes with given basename desired
-t, --template Make this qube a TemplateVM instead of a StandaloneVM
-n, --netvm NetVM for Windows to use
-s, --seamless Enable seamless mode persistently across reboots
-o, --optimize Optimize Windows by disabling unnecessary functionality for a qube
-y, --spyless Configure Windows telemetry settings to respect privacy
-w, --whonix Apply Whonix recommended settings for a Windows-Whonix-Workstation
-p, --packages Comma-separated list of packages to pre-install (see available packages at: https://chocolatey.org/packages)
-i, --iso Windows media to automatically install and setup
-a, --answer-file Settings for Windows installation
Downloading Windows ISO
The windows-media/isos/download-windows.sh script (in windows-mgmt) securely downloads the official Windows ISO to be used by qvm-create-windows-qube.
Creating Windows VM
./qvm-create-windows-qube.sh -n sys-firewall -oyp firefox,notepadplusplus,office365proplus -i win10x64.iso -a win10x64-pro.xml work-win10
./qvm-create-windows-qube.sh -n sys-firewall -oyp steam -i win10x64.iso -a win10x64-pro.xml game-console
./qvm-create-windows-qube.sh -n sys-firewall -oy -i win2019-eval.iso -a win2019-datacenter-eval.xml fs-win2019
./qvm-create-windows-qube.sh -n sys-firewall -oyp firefox,notepadplusplus,office365proplus -i win10x64-ltsc-eval.iso -a win10x64-ltsc-eval.xml work-win10
./qvm-create-windows-qube.sh -n sys-whonix -oyw -i win10x64-ltsc-eval.iso -a win10x64-ltsc-eval.xml anon-win10
./qvm-create-windows-qube.sh -n sys-firewall -soyp firefox,notepadplusplus,office365proplus -i win7x64-ultimate.iso -a win7x64-ultimate.xml work-win7
Security
qvm-create-windows-qube is “reasonably secure” as Qubes would have it.
windows-mgmt is air gapped
windows-mgmt qube
qvm-run; no variables
microsoft.com
transport security = encryption * authentication (This allows for the utmost authentication)
release4.1 branch and qubes-mgmt-salt-windows-mgmt
windows-mgmt