You are viewing an archived version of the xaker.name forum. It contains threads from 2007 to 2012; most of the instructions and manuals are no longer current.

Malware Analyser 3.2


  1. A nice console utility for analysing files. In practice I haven't really used it much yet, but the file analysis report caught my interest with its restraint.
    Capabilities of this wonder-utility-in-Python:
    • String-based analysis of possible registry actions, API calls, IRC commands, loaded DLLs and anti-debugging tricks.
    • Displays PE file headers in detail, with all their sections, imports, exports, etc.
    • Can produce an ASCII dump of the file.
    • On Windows it can generate many PE sections: DOS Header, DOS Stub, PE File Header, Image Optional Header, Section Table, Data Directories, Sections
    • Disassembles the program and looks for code typical of malware
    • Checks the file on VirusTotal by hash, i.e. the file itself is not uploaded.
    • Identifies the packer from the Database.txt database
    • Tracing helps find Anti-debugging Call tricks, File system manipulation Calls, Rootkit Hooks, Keyboard Hooks, DEP Setting Change

    Download the little gadget:
    http://code.google.com/p/malwareanalyzer/

    Example of a generated report:

    |---------------------------------------------------------------|
    | beenudel1986[@]gmail[dot]com |
    | Malware Analyzer(Static) 2.6.2 |
    | 06/2009 analyse_malware.py |
    | Do Visit www.BeenuArora.com |
    | Last Updated : 10-10-2010 |
    |---------------------------------------------------------------|


    Analysing if PE file...


    [+] Valid PE file.

    [+] Malware File Size : 48 KB

    Checking for Packer Signature....

    Identified packer :pECompact 2.0x Heuristic Mode -> Jeremy Collake

    [+] Computing Checksum for malware :out.exe
    [-]Checksum of malware :9ad58beb14ce7ac318c6a446f8b7f75a

    -------- Identifying Strings in the malware---------------
    !This program cannot be run in DOS mode.
    x4W
    xRich
    .text
    PEC2nO
    .rsrc
    *)9
    --OSo
    d-"K
    wOu
    K$0
    3ab

    -----------Performing signatures based scan---------------

    [+]Displaying Interesting System Calls Made.

    [-]Signatures not found.....

    [+]Displaying Registry Hives Edited.

    [-]Signatures not found.....


    [+]Displaying A Little Online Behaviour.

    [-]Signatures not found.....


    [+]Displaying the Loaded DLLs.

    [-]Signatures not found.....


    [+]Commands Inside the Malware.

    [-]Signatures not found.....


    [+]Sys Calls Made.

    [-]Signatures not found.....

    [+]Searching if malware is VM aware
    [-]Signatures not found.....

    ---------------------------------------------------------
    !This program cannot be run in DOS mode.
    x4W
    xRich
    .text
    PEC2nO
    .rsrc
    *)9
    --OSo
    d-"K
    wOu
    K$0
    3ab

    Malware loads following DLLs

    kernel32.dll
    [0x401f58L] push eax
    [0x401f5dL] push [fs:0x0]
    [0x401f5eL] mov [fs:0x0] esp
    [0x401f65L] xor eax eax
    [0x401f6cL] mov [ax] ecx
    [0x401f6eL] push eax
    [0x401f70L] inc ebp
    [0x401f71L] inc ebx
    [0x401f72L] outsd
    [0x401f73L] insd
    [0x401f74L] jo 0x401fd8L

    **This Test shall be performed when you are confirm that suspect is a malware**

    Anti Debugging traces identification

    [!] Found a call at: 0x447070 LoadLibraryA
    [!] Found a call at: 0x447074 GetProcAddress

    Malware File System Activity Traces

    No Filesystem traces :( . Try manually

    Malware System Hook Calls

    No System Hook Call traces found :( . Try manually

    Malware Keyboard Hook Calls

    No Keyboard Hook Call traces found :( . Try manually

    Malware Rootkit traces

    No Rootkit Hook traces found :( . Try manually

    DEP Setting Change trace

    [!] Found a DEP setting change trace: 0x447078 VirtualAlloc

    [+] Computing Checksum for malware :out.exe
    [-]Checksum of malware :9ad58beb14ce7ac318c6a446f8b7f75a
    [+] No malware detected

    ----------Parsing Warnings----------

    Suspicious flags set for section 0. Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set.This might indicate a packed executable.

    Suspicious flags set for section 1. Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set.This might indicate a packed executable.

    ----------DOS_HEADER----------

    [IMAGE_DOS_HEADER]
    e_magic: 0x5A4D
    e_cblp: 0x90
    e_cp: 0x3
    e_crlc: 0x0
    e_cparhdr: 0x4
    e_minalloc: 0x0
    e_maxalloc: 0xFFFF
    e_ss: 0x0
    e_sp: 0xB8
    e_csum: 0x0
    e_ip: 0x0
    e_cs: 0x0
    e_lfarlc: 0x40
    e_ovno: 0x0
    e_res:
    e_oemid: 0x0
    e_oeminfo: 0x0
    e_res2:
    e_lfanew: 0xB8

    ----------NT_HEADERS----------

    [IMAGE_NT_HEADERS]
    Signature: 0x4550

    ----------FILE_HEADER----------

    [IMAGE_FILE_HEADER]
    Machine: 0x14C
    NumberOfSections: 0x2
    TimeDateStamp: 0x4CEA4B61 [Mon Nov 22 10:52:17 2010 UTC]
    PointerToSymbolTable: 0x0
    NumberOfSymbols: 0x0
    SizeOfOptionalHeader: 0xE0
    Characteristics: 0x10F
    Flags: IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED

    ----------OPTIONAL_HEADER----------

    [IMAGE_OPTIONAL_HEADER]
    Magic: 0x10B
    MajorLinkerVersion: 0x6
    MinorLinkerVersion: 0x0
    SizeOfCode: 0x34000
    SizeOfInitializedData: 0x8000
    SizeOfUninitializedData: 0x0
    AddressOfEntryPoint: 0x1F58
    BaseOfCode: 0x1000
    BaseOfData: 0x35000
    ImageBase: 0x400000
    SectionAlignment: 0x1000
    FileAlignment: 0x200
    MajorOperatingSystemVersion: 0x4
    MinorOperatingSystemVersion: 0x0
    MajorImageVersion: 0xD
    MinorImageVersion: 0xCC
    MajorSubsystemVersion: 0x4
    MinorSubsystemVersion: 0x0
    Reserved1: 0x0
    SizeOfImage: 0x48000
    SizeOfHeaders: 0x200
    CheckSum: 0x1A1BA
    Subsystem: 0x2
    DllCharacteristics: 0x0
    SizeOfStackReserve: 0x100000
    SizeOfStackCommit: 0x1000
    SizeOfHeapReserve: 0x100000
    SizeOfHeapCommit: 0x1000
    LoaderFlags: 0x0
    NumberOfRvaAndSizes: 0x10
    DllCharacteristics:

    ----------PE Sections----------

    [IMAGE_SECTION_HEADER]
    Name: .text
    Misc: 0x45000
    Misc_PhysicalAddress: 0x45000
    Misc_VirtualSize: 0x45000
    VirtualAddress: 0x1000
    SizeOfRawData: 0x9A00
    PointerToRawData: 0x200
    PointerToRelocations: 0x32434550
    PointerToLinenumbers: 0x4F6E
    NumberOfRelocations: 0x0
    NumberOfLinenumbers: 0x0
    Characteristics: 0xE0000060
    Flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Entropy: 7.990957 (Min=0.0, Max=8.0)
    MD5 hash: 5880852c3820ded482e85ea419d0ffad
    SHA-1 hash: a78695b034d974ce75ec611d3def43a330deb864
    SHA-256 hash: f2fdfdbaeb122c71157f7d569df6aa6a6f981de17b61e269ace2f5634fa6e211
    SHA-512 hash: a6a07a607f9211939ee4dc9b8e799141a51731b6c70086afcf4d4444b1d62c3e0f80a61706362b6d318cb60189f9cae2d07602fcffe4acf6b651748508a7024c

    [IMAGE_SECTION_HEADER]
    Name: .rsrc
    Misc: 0x2000
    Misc_PhysicalAddress: 0x2000
    Misc_VirtualSize: 0x2000
    VirtualAddress: 0x46000
    SizeOfRawData: 0x2000
    PointerToRawData: 0x9C00
    PointerToRelocations: 0x0
    PointerToLinenumbers: 0x0
    NumberOfRelocations: 0x0
    NumberOfLinenumbers: 0x0
    Characteristics: 0xE0000020
    Flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Entropy: 5.942042 (Min=0.0, Max=8.0)
    MD5 hash: 2d54afa10bccfa2b9156aca2e4146701
    SHA-1 hash: fd4ea07a3b49039072aea9c1be77650724977ab4
    SHA-256 hash: ba03731c0c5aaaccecdf9eb3096c701d0a394921c6f00a8c05826e27bd885bc0
    SHA-512 hash: a0995047d010d1be57d621b1617c87da6e40cb91b36688cf5cde3096c0905278ceeaeaf1c32df8e3dbfaf1b0142ca71d473ee35879d3704b639953d728fe9738

    ----------Directories----------

    [IMAGE_DIRECTORY_ENTRY_EXPORT]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_IMPORT]
    VirtualAddress: 0x47084
    Size: 0x8F
    [IMAGE_DIRECTORY_ENTRY_RESOURCE]
    VirtualAddress: 0x46000
    Size: 0x1038
    [IMAGE_DIRECTORY_ENTRY_EXCEPTION]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_SECURITY]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_BASERELOC]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_DEBUG]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_COPYRIGHT]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_GLOBALPTR]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_TLS]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_IAT]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_RESERVED]
    VirtualAddress: 0x0
    Size: 0x0

    ----------Version Information----------

    [VS_VERSIONINFO]
    Length: 0x218
    ValueLength: 0x34
    Type: 0x0

    [VS_FIXEDFILEINFO]
    Signature: 0xFEEF04BD
    StrucVersion: 0x10000
    FileVersionMS: 0xD00CC
    FileVersionLS: 0x2CD
    ProductVersionMS: 0xD00CC
    ProductVersionLS: 0x2CD
    FileFlagsMask: 0x0
    FileFlags: 0x0
    FileOS: 0x4
    FileType: 0x1
    FileSubtype: 0x0
    FileDateMS: 0x0
    FileDateLS: 0x0

    [VarFileInfo]
    Length: 0x44
    ValueLength: 0x0
    Type: 0x0

    [StringFileInfo]
    Length: 0x178
    ValueLength: 0x0
    Type: 0x1

    [StringTable]
    Length: 0x154
    ValueLength: 0x0
    Type: 0x1
    LangID: 040904B0

    InternalName: WaDgc
    FileVersion: 13.204.0717
    CompanyName: Xr7lVU
    ProductName: NgHJU4
    ProductVersion: 13.204.0717
    OriginalFilename: WaDgc.exe

    ----------Imported symbols----------

    [IMAGE_IMPORT_DESCRIPTOR]
    OriginalFirstThunk: 0x47070
    Characteristics: 0x47070
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    ForwarderChain: 0xFFFFFFFF
    Name: 0x470AC
    FirstThunk: 0x47070

    kernel32.dll.LoadLibraryA Hint[0]
    kernel32.dll.GetProcAddress Hint[0]
    kernel32.dll.VirtualAlloc Hint[0]
    kernel32.dll.VirtualFree Hint[0]

    ----------Resource directory----------

    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x4
    Id: [0x3] (RT_ICON)
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x3
    OffsetToData: 0x80000030
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x0
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    Id: [0x1]
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x1
    OffsetToData: 0x80000048
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x0
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x0
    OffsetToData: 0x60
    [IMAGE_RESOURCE_DATA_ENTRY]
    OffsetToData: 0x46160
    Size: 0xCA8
    CodePage: 0x0
    Reserved: 0x0

    Id: [0xE] (RT_GROUP_ICON)
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0xE
    OffsetToData: 0x80000070
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    Id: [0x1]
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x1
    OffsetToData: 0x80000088
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x0
    OffsetToData: 0xA0
    [IMAGE_RESOURCE_DATA_ENTRY]
    OffsetToData: 0x46E08
    Size: 0x14
    CodePage: 0x4E4
    Reserved: 0x0

    Id: [0x10] (RT_VERSION)
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x10
    OffsetToData: 0x800000B0
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    Id: [0x1]
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x1
    OffsetToData: 0x800000C8
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x409
    OffsetToData: 0xE0
    [IMAGE_RESOURCE_DATA_ENTRY]
    OffsetToData: 0x46E20
    Size: 0x218
    CodePage: 0x4E4
    Reserved: 0x0

    Id: [0xB5] (-)
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0xB5
    OffsetToData: 0x800000F0
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x2
    Id: [0x3]
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x3
    OffsetToData: 0x80000110
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x43B
    OffsetToData: 0x128
    [IMAGE_RESOURCE_DATA_ENTRY]
    OffsetToData: 0x3F000
    Size: 0x56EF
    CodePage: 0x4E4
    Reserved: 0x0
    Id: [0x43]
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x43
    OffsetToData: 0x80000138
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x405
    OffsetToData: 0x150
    [IMAGE_RESOURCE_DATA_ENTRY]
    OffsetToData: 0x446F0
    Size: 0x10F
    CodePage: 0x4E4
    Reserved: 0x0

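As an added example (not part of the original post and not Malware Analyser's own code), here is a pure-Python version of the checks the report above runs on the section table: it parses the DOS and NT headers with `struct`, hashes each section, computes its entropy and emits the same "Suspicious flags set for section N" warning when IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are both set. The PE image it analyses is constructed inline with header values borrowed from the report, so it runs without any sample file; `build_sample_pe`, `triage` and the blob names are this example's own.

```python
"""Static PE triage in plain Python (struct/hashlib only, no pefile):
section table, WRITE+EXECUTE warning, per-section entropy and hashes.
Added example, not Malware Analyser's own code; the PE image is constructed."""
import hashlib
import math
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0..8.0; values near 8 point at packed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table; one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + i * 40)
        raw = image[raw_ptr:raw_ptr + raw_size]      # SizeOfRawData bytes from PointerToRawData
        sections.append({
            "index": i,
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": va,
            "characteristics": chars,
            "entropy": shannon_entropy(raw),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha256": hashlib.sha256(raw).hexdigest(),
        })
    return sections


def parsing_warnings(sections: list) -> list:
    """The rule behind the report's 'Parsing Warnings', plus an entropy check on code sections."""
    out = []
    for s in sections:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            out.append(f"Suspicious flags set for section {s['index']}. Both "
                       "IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set.")
        if c & IMAGE_SCN_CNT_CODE and s["entropy"] > 7.0:
            out.append(f"High entropy in code section {s['index']} ({s['name']}): "
                       f"{s['entropy']:.3f}, typical of a packed executable.")
    return out


def build_sample_pe(sections: list) -> bytes:
    """Constructed 32-bit PE (not a real binary) from (name, data, characteristics) tuples."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200          # FileAlignment 0x200 as in the report
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x4CEA4B61, 0, 0, opt_size, 0x10F)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic, rest zeroed
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (headers_end + align - 1) & ~(align - 1)
    table, blobs, va, ptr = b"", b"", 0x1000, first_raw
    for name, data, chars in sections:
        size = (len(data) + align - 1) & ~(align - 1)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             size, ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(size, b"\0")
        ptr += size
        va += 0x1000
    return (dos + b"PE\0\0" + file_hdr + opt + table).ljust(first_raw, b"\0") + blobs


# Constructed section contents: pseudo-random bytes stand in for a packed .text,
# repeated ASCII stands in for plain resource data.
PACKED_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
PLAIN_BLOB = b"!This program cannot be run in DOS mode.\r\n" * 10
SAMPLE_PE = build_sample_pe([
    (b".text", PACKED_BLOB, 0xE0000060),   # WRITE|READ|EXECUTE|CODE|INITIALIZED_DATA, as in the report
    (b".rsrc", PLAIN_BLOB, 0x40000040),    # READ|INITIALIZED_DATA only
])


def triage(image: bytes) -> dict:
    """Report-style summary: section facts and the warnings derived from them."""
    sections = parse_sections(image)
    return {"sections": sections, "warnings": parsing_warnings(sections)}


if __name__ == "__main__":
    result = triage(SAMPLE_PE)
    for s in result["sections"]:
        print(f"{s['name']:8} chars=0x{s['characteristics']:08X} "
              f"entropy={s['entropy']:.6f} md5={s['md5']}")
    for w in result["warnings"]:
        print("[!]", w)
```

Run against a real file by replacing `SAMPLE_PE` with `open(path, "rb").read()`; the W+X warning alone is a weak signal (plenty of packers and some legitimate runtimes set it), which is why the report pairs it with section entropy and the packer signature lookup.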
  2.

    The program has been updated to version 2.9, and the project has moved from Google Code to SourceForge.
    Changelog:
    Code:
    Release notes : 30/11/2010 (2.7)
    	--Resloved the GUI issue raised on 10th October 2010
    	--Rosolved the code analysis function
    	--Added new trace features
    	--Resolved the packer exceptional issue
    	--Improved GUI functionality
    
    Release Notes : 22/01/2011 (2.8)
    
    --Added the CRC verification
    --Added the Timestamp verification
    --Added Entropy check
    --Added Hardware Breakpoint Trace
    
    Release Notes: 22/02/2011 (2.9)
    
    --Added Process Dumping Feature
    --Added Dynamic ANalysis ( File Creation)
    --Minor Bug Fixes
    New page: http://sourceforge.net/projects/malwareanalyser/
    Download: http://sourceforge.net/projects/malwareanalyser/files/
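The 2.8 notes above list CRC and timestamp verification; as an added example (not the project's code), this shows what those two checks amount to on a PE file: recompute IMAGE_OPTIONAL_HEADER.CheckSum with the loader's one's-complement scheme and compare it with the stored value, and sanity-check IMAGE_FILE_HEADER.TimeDateStamp against the current time. The headers-only PE it operates on is constructed inline (using the TimeDateStamp from the report in the first post); function names such as `verify_checksum` and `timestamp_verdict` are this example's own.

```python
"""PE CheckSum recomputation and TimeDateStamp sanity check.
Added example, not Malware Analyser's code; the header image is constructed inline."""
import struct
import time


def checksum_field_offset(image: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum:
    e_lfanew + 'PE\\0\\0' (4) + IMAGE_FILE_HEADER (20) + 64 bytes into the optional header."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    return e_lfanew + 4 + 20 + 64


def compute_pe_checksum(image: bytes) -> int:
    """Same scheme as the Windows imagehlp checksum: one's-complement sum of 32-bit
    words with end-around carry, folded to 16 bits, plus the file length. The
    CheckSum field itself is skipped so the stored value does not feed the sum."""
    skip = checksum_field_offset(image)
    padded = image + b"\0" * (-len(image) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        (dword,) = struct.unpack_from("<I", padded, off)
        total += dword
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(image)


def stored_checksum(image: bytes) -> int:
    """The CheckSum value the linker (or whoever touched the file last) wrote."""
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]


def with_checksum(image: bytes) -> bytes:
    """Return a copy with a correct CheckSum written in, as a linker would."""
    buf = bytearray(image)
    struct.pack_into("<I", buf, checksum_field_offset(image), compute_pe_checksum(image))
    return bytes(buf)


def verify_checksum(image: bytes) -> str:
    """'unset' (0 is common for user-mode binaries), 'ok', or 'mismatch'
    (the file was modified after linking, e.g. packed or patched)."""
    stored = stored_checksum(image)
    if stored == 0:
        return "unset"
    return "ok" if stored == compute_pe_checksum(image) else "mismatch"


def file_timestamp(image: bytes) -> int:
    """IMAGE_FILE_HEADER.TimeDateStamp: seconds since 1970, set by the linker."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    return struct.unpack_from("<I", image, e_lfanew + 4 + 4)[0]


def format_timestamp(ts: int) -> str:
    """Same rendering as the report: 'Mon Nov 22 10:52:17 2010 UTC'."""
    return time.strftime("%a %b %d %H:%M:%S %Y UTC", time.gmtime(ts))


def timestamp_verdict(ts: int, now: int) -> str:
    """Cheap plausibility check: 0 or 0xFFFFFFFF means stripped or forged,
    a date after 'now' means forged or a wrong build clock."""
    if ts in (0, 0xFFFFFFFF):
        return "invalid"
    if ts > now:
        return "future"
    return "plausible"


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed headers-only 32-bit PE (not a real program), 0x200 bytes, CheckSum left at 0."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0xE0, 0x10F)
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")
    return (dos + b"PE\0\0" + file_hdr + opt).ljust(0x200, b"\0")


REPORT_TIMESTAMP = 0x4CEA4B61                       # TimeDateStamp shown in the report above
SAMPLE_PE = with_checksum(build_minimal_pe(REPORT_TIMESTAMP))

if __name__ == "__main__":
    print("CheckSum: 0x%X (%s)" % (stored_checksum(SAMPLE_PE), verify_checksum(SAMPLE_PE)))
    ts = file_timestamp(SAMPLE_PE)
    print("TimeDateStamp: 0x%X [%s] %s" % (ts, format_timestamp(ts),
                                           timestamp_verdict(ts, int(time.time()))))
```

A checksum mismatch on its own proves only that the bytes changed after the linker ran; combined with a zeroed or future timestamp and high-entropy sections it is a reasonable hint that the file was packed or patched.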
     
  3.

    Malware Analyser has been updated to version three.
    The console output has improved nicely.


    Other changes:
    The project has moved to a new address:
    http://malwareanalyser.blogspot.com/

    The utility itself can be downloaded via the link
     
  4. A new version, Malware Analyser 3.1, is out
    In the new version:
    Code:
    --Added DLL analysis
    --Added the ability to scan directories and subdirectories
    

    Download: http://beenuarora.com/malware_analyser 3.1.zip
     
  5.

    Malware Analyser 3.2 is out
    List of changes:
    --Added online scanning on ThreatExpert
    --All libraries are packed into the file
    --Improved tracing techniques
    --Bug fixes

    Download
     
  6. Malware Analyser 3.3

    --Added tracing signatures
    --Improved parsing
    --Bug fixes

    Download: http://beenuarora.com/malware_analyser%203.3.zip