DeltaTango11
Contributor
Contributor

Running X86 Windows in VMWare Fusion in Macbook Pro M1

Hi Guys,

How can I run x86 windows (7 or 10) in my Macbook Pro M1 with the VMWare Fusion. I use my windows VMs for the malware analysis purpose and since almost all malware are targeted for x86 system, the sandbox VM should be x86. Any help would be appreciated.

 

Thanks!

0 Kudos
8 Replies
scott28tt
VMware Employee
VMware Employee

You can’t. (EDIT: Using only VMware software)

There is a Tech Preview version of Fusion for M1 Macs, but it doesn’t offer emulation.

Windows for ARM is not supported, never mind Windows for x86.

See here for details: https://communities.vmware.com/t5/Fusion-for-Apple-Silicon-Tech/ct-p/3022

Oh, and you should expect a moderator to move your thread to the area for the Tech Preview too, now that I have reported it, since you’re not asking anything about a vSphere security advisory.


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
0 Kudos
Technogeezer
Virtuoso
Virtuoso

Well, I wouldn’t say you can’t.

You definitely can not virtualize and run an x86 operating system on either the Tech Preview or Parallels running on an Apple Silicon (M1) Mac.  If you want to do that, you will have to look at something that emulates an Intel architecture processor such as QEMU or it’s more friendly derivative UTM. Just don’t expect the performance or features to be on a par with either physical Hardware or commercial virtualization solutions. Might be OK for what you want, though. 

0 Kudos
dlhotka
Champion
Champion

With the half-implemented options, you're going to have issues.  It won't be a like-for-like environment, won't have things like vmware tools, and won't be anywhere near performant, stable, or even a full x86 implementation as you probably need for those uses cases.  You really do need an intel machine.

0 Kudos
Technogeezer
Virtuoso
Virtuoso

Take @dlhotka 's comment seriously. If you need to get serious work done with an Intel operating system, use an Intel CPU.

As a project, I'm in the middle of trying to get Windows 10 x64 up and running on UTM on an M1 Mac.

Yes it installs (not as easily as I'd like, but it does install). Yes it runs. I can change the screen resolution. I can access a folder on my host Mac from Windows.

But wow, It's slow as molasses. It does not run anywhere close to native M1 chip performance. Period. I did not starve UTM VMs or the Mac host for CPU or memory. It's not disk bound either.

And it's indeed a science project.  I've tried every suggested emulation tuning trick posted on the web, and yes I've installed all the QEMU drivers and SPICE tools. That improved the speed, but not to where I consider it usable.

My ancient 12-year old 2 core Dell Core i7 laptop running Windows 10 eats the emulated Windows 10 x64 on the M1 for lunch. 

File this whole experiment under "yes, you can do it, but really, should you if you're serious"?  I think I can safely say that x86 emulation on ARM will leave you sorely disappointed. 

As a side note, this exercise highlights why nobody should expect x86 emulation to be built into virtualization products so that you can continue to run those x86_64 operating systems.  It simply doesn't perform.

 

0 Kudos
Romain_Petges
Contributor
Contributor

Maybe you could try if the built-in x64 emulation in Windows 11 ARM works with your malware analysis.

0 Kudos
Mikero
Community Manager
Community Manager

I don't get this use case... 

If you're doing malware analysis, and you're not on the same architecture as the exploit or analysis tools, how can you guarantee their accuracy?

Let's say I write an exploit that takes advantage of a known memory location of an app or service and can escalate privilege or something. 

Doesn't the address of that memory pointer change when the chipset is emulated?

Wouldn't you just get false-results? Or at the very least, results that you couldn't 100% trust?

And if you're not getting 100% trustworthy results, what's the point of the test at all?

-
Michael Roy - PM/PMM: Fusion & Workstation
0 Kudos
Technogeezer
Virtuoso
Virtuoso

Flaws in the operating system that grant elevated privileges are one thing. Flaws that are  banking on exploiting an architectural flaw are another. And unless the emulation is accurate to the micro architecture level (thinking things like Spectre here) you may not get what you would in a physical CPU. 

0 Kudos
dlhotka
Champion
Champion

Exactly my thoughts in the earlier post.  Malware analysis is one of those things needs to be as close to real as possible.  A lot of the really sophisticated malware even detects that it's running in a VM and alters its behavior...and that's on native hardware, let alone emulated.

Maybe for a one off with relatively unsophisticated malware it'd work, but for real/corporate/enterprise level analysis, the double hop really isn't going to work out practically.  Just like while you can pour the fake butter from a movie theater into a diesel engine and drive, even if your exhaust smells like popcorn, doesn't mean it's actually popping kernels, let alone good for the car (is that enough mixed metaphors?).

And all that sets aside the horrible performance and stability issues, the faked-out device drivers, and the licensing issues.

 

0 Kudos