Getting to Know Malware IX - Malware Cookbook + Tools


Hey, here we go with the ninth installment of Getting to Know Malware, this time with a contribution to our knowledge: the chance to read the excellent book Malware Analyst's Cookbook, which comes with practical advice the authors have laid out for understanding and fighting malware. Worth pointing out: this book is not, so to speak, an exhaustive treatment of every malware analysis technique, but it does offer very practical tools and approaches, as well as everything related to commands and tools; you will draw your own summary or takeaways from it. This is a book I read on my Kindle whenever I have some time or get bored with what I am doing. My aspiration is to end up working as a malware analyst, since this world fascinates me.



To learn more about the book you can visit its official page, www.malwarecookbook.com, where the tools were released on Google Code (Source Malware Cookbook), and of course there is also the
PDF Malware Cookbook direct download.

A list of the tools, extracted from the official page.

torwget.py: Multi-platform TOR-enabled URL
wwwhoney.tgz: CGI scripts to accept submissions from nepenthes and dionaea honeypots
clamav_to_yara.py: Convert ClamAV antivirus signatures to YARA rules
peid_to_yara.py: Convert PEiD packer signatures to YARA rules
av_multiscan.py: Script to implement your own antivirus multi-scanner
pescanner.py: Detect malicious PE file attributes
ssdeep_procs.py: Detect self-mutating code on live Windows systems using ssdeep
avsubmit.py: Command-line interface to VirusTotal, ThreatExpert, Jotti, and NoVirusThanks
dbmgr.py: Malware artifacts database manager
artifactscanner.py: Application to scan live Windows systems for artifacts (files, Registry keys, mutexes) left by malware
mapper.py: Create static PNG images of IP addresses plotted on a map using GeoIP
googlegeoip.py: Create dynamic/interactive geographical maps of IP addresses using Google charts
sc_distorm.py: Script to produce disassemblies (via DiStorm) of shellcode and optionally apply an XOR mask
vmauto.py: Python class for automating malware execution in VirtualBox and VMware guests
mybox.py: Sample automation script for VirtualBox based on vmauto.py
myvmware.py: Sample automation script for VMware based on vmauto.py
analysis.py: Python class for building sandboxes with support for analyzing network traffic, packet captures, and memory
RegFsNotify.exe: Tool to detect changes to the Registry and file system in real time (from user mode without API hooks)
HandleDiff.exe: Tool to detect changes to the handle tables of all processes on a system (useful to analyze the side-effects of code injecting malware)
Preservation.zip: Kernel driver for monitoring notification routines, preventing processes from terminating, preventing files from being deleted, and preventing other drivers from loading
cmd.exe: Custom command shell (cmd.exe) for logging malware activity and backdoor activity
tsk-xview.exe: Cross-view based rootkit detection tool based on The Sleuth Kit API and Microsoft’s Offline Registry API
HTMLInjection Detector.exe: Detect HTML injection attacks on banking and financial websites
routes.pl: RegRipper plug-in for printing a computer’s routing table
pendingdelete.pl: RegRipper plug-in for printing files that are pending deletion
disallowrun.pl: RegRipper plug-in for printing processes that malware prevents from running
shellexecutehooks.pl: RegRipper plug-in for printing ShellExecute hooks (a method of DLL injection)
dumpcerts.pl: Parse::Win32Registry module to extract and examine cryptography certificates stored in Registry hives
somethingelse.pl: Parse::Win32Registry module for finding hidden binary data in the Registry
scloader.exe: Executable wrapper for launching shell code in a debugger
scd.py: Immunity Debugger PyCommand for finding shellcode in arbitrary binary files
findhooks.py: Immunity Debugger PyCommand for finding Inline-style user mode API hooks
pymon.py: WinAppDbg plug-in for monitoring API calls, alerting on suspicious flags/parameters and producing an HTML report
xortools.py: Python library for encoding/decoding XOR, including brute force methods and automated YARA signature generation
trickimprec.py: Immunity Debugger PyCommand for assistance when rebuilding import tables with Import REconstructor
kraken.py: Immunity Debugger PyCommand for cracking Kraken’s Domain Generation Algorithm (DGA)
sbstrings.py: Immunity Debugger PyCommand for decrypting Silent Banker strings
rundll32ex.exe: Extended version of rundll32.exe that allows you to run DLLs in other processes, call exported functions, and pass parameters
install_svc.bat: Batch script for installing a service DLL (for dynamic analysis of the DLL)
install_svc.py: Python script for installing a service DLL and supplying optional arguments to the service
dll2exe.py: Python script for converting a DLL into a standalone executable
DriverEntryFinder: Kernel driver to find the correct address in kernel memory to set breakpoints for catching new drivers as they load
windbg_to_ida.py: Python script to convert WinDbg output into data that can be imported into IDA
WinDbgNotify.txt: WinDbg script for identifying malicious notification routines
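To make the "XOR brute force" and "automated YARA signature generation" items from the list above concrete, here is an added example of the underlying analyst technique: decoding a blob with every single-byte XOR key, keeping only keys whose output contains a plaintext string one expects to find in a Windows payload, and emitting a YARA rule that uses YARA's own `xor` string modifier to catch the same marker under any key. This is illustrative code written for this post, not the book's xortools.py, and the encoded sample and marker list are constructed here.

```python
"""Single-byte XOR brute force with a known-plaintext check, plus a YARA rule
that matches the same marker under any single-byte XOR key.

Added example illustrating the technique behind the Cookbook's xortools.py;
it is not the book's code and does not reproduce that script's API.
"""

from typing import List, Tuple

# Strings an analyst commonly expects in a decoded Windows payload or
# configuration blob (constructed list; extend it for your own cases).
KNOWN_MARKERS = (
    b"This program cannot be run in DOS mode",
    b"kernel32.dll",
    b"http://",
    b"https://",
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (0-255)."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes(b ^ key for b in data)


def brute_force_xor(data: bytes, markers=KNOWN_MARKERS) -> List[Tuple[int, bytes, bytes]]:
    """Try all 256 keys; return (key, marker, decoded) for each key whose
    decoding contains one of the expected markers.  Key 0 is tried too, so
    input that is already plaintext is reported instead of silently skipped."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(data, key)
        for marker in markers:
            if marker in decoded:
                hits.append((key, marker, decoded))
                break
    return hits


def yara_rule_for_marker(marker: bytes, rule_name: str = "xor_encoded_marker") -> str:
    """Emit a YARA rule using the 'xor' string modifier with a key range, so
    YARA itself tries every non-zero single-byte key while scanning."""
    text = marker.decode("ascii")
    return (
        f"rule {rule_name}\n"
        "{\n"
        "    strings:\n"
        f'        $s = "{text}" xor(0x01-0xff)\n'
        "    condition:\n"
        "        $s\n"
        "}\n"
    )


# Constructed sample: a DOS-stub string encoded with key 0x5A, standing in
# for an XOR-obfuscated blob carved out of a malware sample.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"MZ\x90\x00 This program cannot be run in DOS mode.\r\n"
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def recover_sample_keys() -> List[int]:
    """Return every key under which SAMPLE_ENCODED decodes to a known marker."""
    return [key for key, _, _ in brute_force_xor(SAMPLE_ENCODED)]


if __name__ == "__main__":
    for key, marker, decoded in brute_force_xor(SAMPLE_ENCODED):
        print(f"key=0x{key:02x} matched marker {marker!r}")
        print(decoded)
    print(yara_rule_for_marker(b"This program cannot be run in DOS mode"))
```

Running the script recovers key 0x5A from the constructed sample and prints a rule that can be dropped into a YARA ruleset; because the `xor` modifier does the key enumeration at scan time, one rule covers all 255 non-zero keys without generating 255 separate strings.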

I hope you like it, and let's keep digging deeper into this little world of malware.

Regards,
Snifer

4 comments

  1. Nice post, friend, I'm keeping the book, thanks

  2. Very good list of scripts and programs, thanks for the contribution (:

  3. You're welcome, both of you; the pleasure is mine to be able to share!

    Regards,
    Snifer

  4. A professor told me that if you have a dream and want to make it real, you have to give it shape.
    If you want to be a malware analyst, give it shape :)
