You are viewing an archived version of the xaker.name forum. It contains threads from 2007 to 2012; most of the instructions and manuals are no longer current.

Malware Analyser 3.2

Thread in the section "Software vulnerability research, crackme", started by onthar, 23 Nov 2010.

  1. onthar

    onthar Forum team Admin

    Registered:
    8 Jan 2008
    Messages:
    0
    Likes:
    609
    Points:
    0

    A pleasant console utility for analysing files. Honestly, I haven't really used it in practice yet, but the file analysis report caught my interest with its restraint.
    Features of this wonder-utility-in-Python:
    • String-based analysis of possible registry actions, API calls, IRC commands, called DLLs and anti-debuggers.
    • Shows PE file headers in detail with all their sections, imports, exports, etc.
    • Can make an ASCII dump of the file.
    • For Windows it can generate a whole set of PE sections: DOS Header, DOS Stub, PE File Header, Image Optional Header, Section Table, Data Directories, Sections
    • Disassembles the program and looks for code typical of malware
    • Checks the file on VirusTotal by hash, i.e. the file itself is not uploaded.
    • Identifies the packer from the Database.txt database
    • Tracing helps find Anti-debugging Calls tricks, File system manipulation Calls, Rootkit Hooks, Keyboard Hooks, DEP Setting Change

    Download the trinket:
    http://code.google.com/p/malwareanalyzer/

    [+] Example of a generated report

    |---------------------------------------------------------------|
    | beenudel1986[@]gmail[dot]com |
    | Malware Analyzer(Static) 2.6.2 |
    | 06/2009 analyse_malware.py |
    | Do Visit www.BeenuArora.com |
    | Last Updated : 10-10-2010 |
    |---------------------------------------------------------------|


    Analysing if PE file...


    [+] Valid PE file.

    [+] Malware File Size : 48 KB

    Checking for Packer Signature....

    Identified packer :pECompact 2.0x Heuristic Mode -> Jeremy Collake

    [+] Computing Checksum for malware :out.exe
    [-]Checksum of malware :9ad58beb14ce7ac318c6a446f8b7f75a

    -------- Identifying Strings in the malware---------------
    !This program cannot be run in DOS mode.
    x4W
    xRich
    .text
    PEC2nO
    .rsrc
    *)9
    --OSo
    d-"K
    wOu
    K$0
    3ab

    -----------Performing signatures based scan---------------

    [+]Displaying Interesting System Calls Made.

    [-]Signatures not found.....

    [+]Displaying Registry Hives Edited.

    [-]Signatures not found.....


    [+]Displaying A Little Online Behaviour.

    [-]Signatures not found.....


    [+]Displaying the Loaded DLLs.

    [-]Signatures not found.....


    [+]Commands Inside the Malware.

    [-]Signatures not found.....


    [+]Sys Calls Made.

    [-]Signatures not found.....

    [+]Searching if malware is VM aware
    [-]Signatures not found.....

    ---------------------------------------------------------
    !This program cannot be run in DOS mode.
    x4W
    xRich
    .text
    PEC2nO
    .rsrc
    *)9
    --OSo
    d-"K
    wOu
    K$0
    3ab

    Malware loads following DLLs

    kernel32.dll
    [0x401f58L] push eax
    [0x401f5dL] push [fs:0x0]
    [0x401f5eL] mov [fs:0x0] esp
    [0x401f65L] xor eax eax
    [0x401f6cL] mov [ax] ecx
    [0x401f6eL] push eax
    [0x401f70L] inc ebp
    [0x401f71L] inc ebx
    [0x401f72L] outsd
    [0x401f73L] insd
    [0x401f74L] jo 0x401fd8L

    **This Test shall be performed when you are confirm that suspect is a malware**

    Anti Debugging traces identification

    [!] Found a call at: 0x447070 LoadLibraryA
    [!] Found a call at: 0x447074 GetProcAddress

    Malware File System Activity Traces

    No Filesystem traces :( . Try manually

    Malware System Hook Calls

    No System Hook Call traces found :( . Try manually

    Malware Keyboard Hook Calls

    No Keyboard Hook Call traces found :( . Try manually

    Malware Rootkit traces

    No Rootkit Hook traces found :( . Try manually

    DEP Setting Change trace

    [!] Found a DEP setting change trace: 0x447078 VirtualAlloc

    [+] Computing Checksum for malware :out.exe
    [-]Checksum of malware :9ad58beb14ce7ac318c6a446f8b7f75a
    [+] No malware detected

    ----------Parsing Warnings----------

    Suspicious flags set for section 0. Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set.This might indicate a packed executable.

    Suspicious flags set for section 1. Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set.This might indicate a packed executable.

    ----------DOS_HEADER----------

    [IMAGE_DOS_HEADER]
    e_magic: 0x5A4D
    e_cblp: 0x90
    e_cp: 0x3
    e_crlc: 0x0
    e_cparhdr: 0x4
    e_minalloc: 0x0
    e_maxalloc: 0xFFFF
    e_ss: 0x0
    e_sp: 0xB8
    e_csum: 0x0
    e_ip: 0x0
    e_cs: 0x0
    e_lfarlc: 0x40
    e_ovno: 0x0
    e_res:
    e_oemid: 0x0
    e_oeminfo: 0x0
    e_res2:
    e_lfanew: 0xB8

    ----------NT_HEADERS----------

    [IMAGE_NT_HEADERS]
    Signature: 0x4550

    ----------FILE_HEADER----------

    [IMAGE_FILE_HEADER]
    Machine: 0x14C
    NumberOfSections: 0x2
    TimeDateStamp: 0x4CEA4B61 [Mon Nov 22 10:52:17 2010 UTC]
    PointerToSymbolTable: 0x0
    NumberOfSymbols: 0x0
    SizeOfOptionalHeader: 0xE0
    Characteristics: 0x10F
    Flags: IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED

    ----------OPTIONAL_HEADER----------

    [IMAGE_OPTIONAL_HEADER]
    Magic: 0x10B
    MajorLinkerVersion: 0x6
    MinorLinkerVersion: 0x0
    SizeOfCode: 0x34000
    SizeOfInitializedData: 0x8000
    SizeOfUninitializedData: 0x0
    AddressOfEntryPoint: 0x1F58
    BaseOfCode: 0x1000
    BaseOfData: 0x35000
    ImageBase: 0x400000
    SectionAlignment: 0x1000
    FileAlignment: 0x200
    MajorOperatingSystemVersion: 0x4
    MinorOperatingSystemVersion: 0x0
    MajorImageVersion: 0xD
    MinorImageVersion: 0xCC
    MajorSubsystemVersion: 0x4
    MinorSubsystemVersion: 0x0
    Reserved1: 0x0
    SizeOfImage: 0x48000
    SizeOfHeaders: 0x200
    CheckSum: 0x1A1BA
    Subsystem: 0x2
    DllCharacteristics: 0x0
    SizeOfStackReserve: 0x100000
    SizeOfStackCommit: 0x1000
    SizeOfHeapReserve: 0x100000
    SizeOfHeapCommit: 0x1000
    LoaderFlags: 0x0
    NumberOfRvaAndSizes: 0x10
    DllCharacteristics:

    ----------PE Sections----------

    [IMAGE_SECTION_HEADER]
    Name: .text
    Misc: 0x45000
    Misc_PhysicalAddress: 0x45000
    Misc_VirtualSize: 0x45000
    VirtualAddress: 0x1000
    SizeOfRawData: 0x9A00
    PointerToRawData: 0x200
    PointerToRelocations: 0x32434550
    PointerToLinenumbers: 0x4F6E
    NumberOfRelocations: 0x0
    NumberOfLinenumbers: 0x0
    Characteristics: 0xE0000060
    Flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Entropy: 7.990957 (Min=0.0, Max=8.0)
    MD5 hash: 5880852c3820ded482e85ea419d0ffad
    SHA-1 hash: a78695b034d974ce75ec611d3def43a330deb864
    SHA-256 hash: f2fdfdbaeb122c71157f7d569df6aa6a6f981de17b61e269ace2f5634fa6e211
    SHA-512 hash: a6a07a607f9211939ee4dc9b8e799141a51731b6c70086afcf4d4444b1d62c3e0f80a61706362b6d318cb60189f9cae2d07602fcffe4acf6b651748508a7024c

    [IMAGE_SECTION_HEADER]
    Name: .rsrc
    Misc: 0x2000
    Misc_PhysicalAddress: 0x2000
    Misc_VirtualSize: 0x2000
    VirtualAddress: 0x46000
    SizeOfRawData: 0x2000
    PointerToRawData: 0x9C00
    PointerToRelocations: 0x0
    PointerToLinenumbers: 0x0
    NumberOfRelocations: 0x0
    NumberOfLinenumbers: 0x0
    Characteristics: 0xE0000020
    Flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Entropy: 5.942042 (Min=0.0, Max=8.0)
    MD5 hash: 2d54afa10bccfa2b9156aca2e4146701
    SHA-1 hash: fd4ea07a3b49039072aea9c1be77650724977ab4
    SHA-256 hash: ba03731c0c5aaaccecdf9eb3096c701d0a394921c6f00a8c05826e27bd885bc0
    SHA-512 hash: a0995047d010d1be57d621b1617c87da6e40cb91b36688cf5cde3096c0905278ceeaeaf1c32df8e3dbfaf1b0142ca71d473ee35879d3704b639953d728fe9738

    ----------Directories----------

    [IMAGE_DIRECTORY_ENTRY_EXPORT]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_IMPORT]
    VirtualAddress: 0x47084
    Size: 0x8F
    [IMAGE_DIRECTORY_ENTRY_RESOURCE]
    VirtualAddress: 0x46000
    Size: 0x1038
    [IMAGE_DIRECTORY_ENTRY_EXCEPTION]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_SECURITY]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_BASERELOC]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_DEBUG]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_COPYRIGHT]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_GLOBALPTR]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_TLS]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_IAT]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    VirtualAddress: 0x0
    Size: 0x0
    [IMAGE_DIRECTORY_ENTRY_RESERVED]
    VirtualAddress: 0x0
    Size: 0x0

    ----------Version Information----------

    [VS_VERSIONINFO]
    Length: 0x218
    ValueLength: 0x34
    Type: 0x0

    [VS_FIXEDFILEINFO]
    Signature: 0xFEEF04BD
    StrucVersion: 0x10000
    FileVersionMS: 0xD00CC
    FileVersionLS: 0x2CD
    ProductVersionMS: 0xD00CC
    ProductVersionLS: 0x2CD
    FileFlagsMask: 0x0
    FileFlags: 0x0
    FileOS: 0x4
    FileType: 0x1
    FileSubtype: 0x0
    FileDateMS: 0x0
    FileDateLS: 0x0

    [VarFileInfo]
    Length: 0x44
    ValueLength: 0x0
    Type: 0x0

    [StringFileInfo]
    Length: 0x178
    ValueLength: 0x0
    Type: 0x1

    [StringTable]
    Length: 0x154
    ValueLength: 0x0
    Type: 0x1
    LangID: 040904B0

    InternalName: WaDgc
    FileVersion: 13.204.0717
    CompanyName: Xr7lVU
    ProductName: NgHJU4
    ProductVersion: 13.204.0717
    OriginalFilename: WaDgc.exe

    ----------Imported symbols----------

    [IMAGE_IMPORT_DESCRIPTOR]
    OriginalFirstThunk: 0x47070
    Characteristics: 0x47070
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    ForwarderChain: 0xFFFFFFFF
    Name: 0x470AC
    FirstThunk: 0x47070

    kernel32.dll.LoadLibraryA Hint[0]
    kernel32.dll.GetProcAddress Hint[0]
    kernel32.dll.VirtualAlloc Hint[0]
    kernel32.dll.VirtualFree Hint[0]

    ----------Resource directory----------

    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x4
    Id: [0x3] (RT_ICON)
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x3
    OffsetToData: 0x80000030
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x0
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    Id: [0x1]
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x1
    OffsetToData: 0x80000048
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x0
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x0
    OffsetToData: 0x60
    [IMAGE_RESOURCE_DATA_ENTRY]
    OffsetToData: 0x46160
    Size: 0xCA8
    CodePage: 0x0
    Reserved: 0x0

    Id: [0xE] (RT_GROUP_ICON)
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0xE
    OffsetToData: 0x80000070
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    Id: [0x1]
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x1
    OffsetToData: 0x80000088
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x0
    OffsetToData: 0xA0
    [IMAGE_RESOURCE_DATA_ENTRY]
    OffsetToData: 0x46E08
    Size: 0x14
    CodePage: 0x4E4
    Reserved: 0x0

    Id: [0x10] (RT_VERSION)
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x10
    OffsetToData: 0x800000B0
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    Id: [0x1]
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x1
    OffsetToData: 0x800000C8
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x409
    OffsetToData: 0xE0
    [IMAGE_RESOURCE_DATA_ENTRY]
    OffsetToData: 0x46E20
    Size: 0x218
    CodePage: 0x4E4
    Reserved: 0x0

    Id: [0xB5] (-)
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0xB5
    OffsetToData: 0x800000F0
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x2
    Id: [0x3]
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x3
    OffsetToData: 0x80000110
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x43B
    OffsetToData: 0x128
    [IMAGE_RESOURCE_DATA_ENTRY]
    OffsetToData: 0x3F000
    Size: 0x56EF
    CodePage: 0x4E4
    Reserved: 0x0
    Id: [0x43]
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x43
    OffsetToData: 0x80000138
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x4
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x405
    OffsetToData: 0x150
    [IMAGE_RESOURCE_DATA_ENTRY]
    OffsetToData: 0x446F0
    Size: 0x10F
    CodePage: 0x4E4
    Reserved: 0x0

    1 person likes this.
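To make the report above easier to read, here is a small stand-alone Python script added for this page (it is not code from Malware Analyser or its author). It walks the DOS header, PE signature, file header and section table, computes per-section Shannon entropy, raises the same kind of warning the report shows when a section has both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE set, and dumps printable ASCII strings the way the "Identifying Strings" block does. The PE image it analyses is a constructed fixture produced by `build_sample_pe()` (two sections, no optional header), and the entropy threshold of 7.0 is an assumption chosen for illustration, not a value taken from the tool.

```python
import math
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

ENTROPY_ALERT = 7.0  # assumed threshold; packed/encrypted sections sit close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like the report's string dump."""
    found, run = [], bytearray()
    for b in data + b"\0":          # trailing NUL flushes the final run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table; one dict per section."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature
    (_machine, n_sections, _stamp, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size   # section table starts right after the optional header
    sections = []
    for i in range(n_sections):
        (name, _vsize, va, raw_size, raw_ptr,
         _, _, _, _, flags) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "index": i,
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "characteristics": flags,
            "entropy": shannon_entropy(raw),
        })
    return sections


def analyse(pe: bytes) -> dict:
    """Sections, W+X / high-entropy warnings and ASCII strings for one PE image."""
    sections = parse_sections(pe)
    warnings = []
    for s in sections:
        f = s["characteristics"]
        if f & IMAGE_SCN_MEM_WRITE and f & IMAGE_SCN_MEM_EXECUTE:
            warnings.append("Suspicious flags set for section %d. Both IMAGE_SCN_MEM_WRITE and "
                            "IMAGE_SCN_MEM_EXECUTE are set. This might indicate a packed executable."
                            % s["index"])
        if s["entropy"] > ENTROPY_ALERT:
            warnings.append("Section %d (%s) has entropy %.2f; contents are likely packed or encrypted."
                            % (s["index"], s["name"], s["entropy"]))
    return {"sections": sections, "warnings": warnings, "strings": ascii_strings(pe)}


def build_sample_pe() -> bytes:
    """Constructed fixture (not a real binary): minimal headers plus two sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> PE signature at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x10F)  # i386, 2 sections, no optional header
    text_raw = bytes(range(256))                                   # every byte value once -> entropy 8.0
    rdata_raw = b"!This program cannot be run in DOS mode.\0".ljust(64, b"\0")
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, len(text_raw), 0x100, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    rdata_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", 0x40, 0x2000, len(rdata_raw), 0x200, 0, 0, 0, 0,
                            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    image = bytearray(dos + b"PE\0\0" + file_hdr + text_hdr + rdata_hdr)
    image.extend(b"\0" * (0x100 - len(image)))                   # pad headers up to first raw-data offset
    image += text_raw                                              # .text raw data at 0x100
    image += rdata_raw                                             # .rdata raw data at 0x200
    return bytes(image)


if __name__ == "__main__":
    report = analyse(build_sample_pe())
    for s in report["sections"]:
        print("%-8s VA=0x%X flags=0x%08X entropy=%.3f"
              % (s["name"], s["virtual_address"], s["characteristics"], s["entropy"]))
    for w in report["warnings"]:
        print("[!]", w)
    print("strings:", report["strings"][:5])
```

On the constructed image the `.text` section triggers both warnings (W+X flags and entropy 8.0) while `.rdata` stays quiet; on the sample from the report, where both sections carry W+X and `.text` has entropy 7.99, the same two checks would fire, which is why the packer signature and the "Parsing Warnings" agree with each other.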
  2. onthar

    The program has been updated to version 2.9, and the project has moved from Google Code to SourceForge.
    Changelog:
    Code:
    Release notes : 30/11/2010 (2.7)
    	--Resloved the GUI issue raised on 10th October 2010
    	--Rosolved the code analysis function
    	--Added new trace features
    	--Resolved the packer exceptional issue
    	--Improved GUI functionality
    
    Release Notes : 22/01/2011 (2.8)
    
    --Added the CRC verification
    --Added the Timestamp verification
    --Added Entropy check
    --Added Hardware Breakpoint Trace
    
    Release Notes: 22/02/2011 (2.9)
    
    --Added Process Dumping Feature
    --Added Dynamic ANalysis ( File Creation)
    --Minor Bug Fixes
    New page: http://sourceforge.net/projects/malwareanalyser/
    Download: http://sourceforge.net/projects/malwareanalyser/files/
     
  3. onthar

    Malware Analyser has been updated to version 3.
    The console output has improved nicely.

    Other changes:
    The project has moved to a new address:
    http://malwareanalyser.blogspot.com/

    The utility itself can be downloaded via the link
     
    Last edited: 9 Jul 2011
  4. onthar

    A new version, Malware Analyser 3.1, has been released.
    In the new version:
    Code:
    --Added DLL analysis
    --Added the ability to scan directories and subdirectories

    Download: http://beenuarora.com/malware_analyser 3.1.zip
     
  5. onthar

    Malware Analyser 3.2 has been released
    Change list:
    --Added online scanning via ThreatExpert
    --All libraries are packed into a single file
    --Improved tracing techniques
    --Bug fixes

    Download
     
  6. onthar

    Malware Analyser 3.3

    --Added tracing signatures
    --Improved parsing
    --Bug fixes

    Download: http://beenuarora.com/malware_analyser%203.3.zip
     
