Conociendo sobre Malware XI - Herramientas para Análisis de Malware I

No Comments
Iniciamos una seguidilla de entradas referente a este mundo del analisis de malware esta oportunidad con herramientas dedicadas al Análisis de Malware, el autor del post FudMario.




Volatility Framework

Volatility es un Framework con un conjunto de herramientas desarrolladas enteramente en Python con licencia GNU. Este Framework esta pensado para extraer de una imagen de un disco los datos volátiles que estaban en memoria RAM. Estas técnicas de extracción están pensadas para que no dependan del sistema operativo del investigador, es decir podemos utilizar Windows y/o Linux.





Código:
Supported Plugin Commands:

apihooks        Detect API hooks in process and kernel memory
atoms           Print session and window station atom tables
atomscan        Pool scanner for _RTL_ATOM_TABLE
bioskbd         Reads the keyboard buffer from Real Mode memory
callbacks       Print system-wide notification routines
clipboard       Extract the contents of the windows clipboard
cmdscan         Extract command history by scanning for _COMMAND_HISTORY
connections     Print list of open connections [Windows XP and 2003 Only]
connscan        Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles        Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo       Dump crash-dump information
deskscan        Poolscaner for tagDESKTOP (desktops)
devicetree      Show device tree
dlldump         Dump DLLs from a process address space
dlllist         Print list of loaded dlls for each process
driverirp       Driver IRP hook detection
driverscan      Scan for driver objects _DRIVER_OBJECT
dumpcerts       Dump RSA private and public SSL keys
dumpfiles       Extract memory mapped and cached files
envars          Display process environment variables
eventhooks      Print details on windows event hooks
evtlogs         Extract Windows Event Logs (XP/2003 only)
filescan        Scan Physical memory for _FILE_OBJECT pool allocations
gahti           Dump the USER handle type information
gditimers       Print installed GDI timers and callbacks
gdt             Display Global Descriptor Table
getservicesids  Get the names of services in the Registry and return Calculated SID
getsids         Print the SIDs owning each process
handles         Print list of open handles for each process
hashdump        Dumps passwords hashes (LM/NTLM) from memory
hibinfo         Dump hibernation file information
hivedump        Prints out a hive
hivelist        Print list of registry hives.
hivescan        Scan Physical memory for _CMHIVE objects (registry hives)
hpakextract     Extract physical memory from an HPAK file
hpakinfo        Info on an HPAK file
idt             Display Interrupt Descriptor Table
iehistory       Reconstruct Internet Explorer cache / history
imagecopy       Copies a physical address space out as a raw DD image
imageinfo       Identify information for the image
impscan         Scan for calls to imported functions
kdbgscan        Search for and dump potential KDBG values
kpcrscan        Search for and dump potential KPCR values
ldrmodules      Detect unlinked DLLs
lsadump         Dump (decrypted) LSA secrets from the registry
machoinfo       Dump Mach-O file format information
malfind         Find hidden and injected code
mbrparser       Scans for and parses potential Master Boot Records (MBRs)
memdump         Dump the addressable memory for a process
memmap          Print the memory map
messagehooks    List desktop and thread window message hooks
mftparser       Scans for and parses potential MFT entries
moddump         Dump a kernel driver to an executable file sample
modscan         Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules         Print list of loaded modules
mutantscan      Scan for mutant objects _KMUTANT
patcher         Patches memory based on page scans
printkey        Print a registry key, and its subkeys and values
privs           Display process privileges
procexedump     Dump a process to an executable file sample
procmemdump     Dump a process to an executable memory sample
pslist          Print all running processes by following the EPROCESS lists
psscan          Scan Physical memory for _EPROCESS pool allocations
pstree          Print process list as a tree
psxview         Find hidden processes with various process listings
raw2dmp         Converts a physical memory sample to a windbg crash dump
screenshot      Save a pseudo-screenshot based on GDI windows
sessions        List details on _MM_SESSION_SPACE (user logon sessions)
shellbags       Prints ShellBags info
shimcache       Parses the Application Compatibility Shim Cache registry key
sockets         Print list of open sockets
sockscan        Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt            Display SSDT entries
strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan         Scan for Windows services
symlinkscan     Scan for symbolic link objects
thrdscan        Scan physical memory for _ETHREAD objects
threads         Investigate _ETHREAD and _KTHREADs
timeliner       Creates a timeline from various artifacts in memory
timers          Print kernel timers and associated module DPCs
unloadedmodules Print list of unloaded modules
userassist      Print userassist registry keys and information
userhandles     Dump the USER handle tables
vaddump         Dumps out the vad sections to a file
vadinfo         Dump the VAD info
vadtree         Walk the VAD tree and display in tree format
vadwalk         Walk the VAD tree
vboxinfo        Dump virtualbox information
vmwareinfo      Dump VMware VMSS/VMSN information
volshell        Shell in the memory image
windows         Print Desktop Windows (verbose details)
wintree         Print Z-Order Desktop Windows Tree
wndscan         Pool scanner for tagWINDOWSTATION (window stations)
yarascan        Scan process or kernel memory with Yara signatures

BSA, herramienta diseñada para analizar cambios que ocurren en el sistema, basada en Sandboxie permitiendo ejecutar ficheros en un ambiente controlado.
Una de las Principales caracteristicas es que hace hook a la funcion NtQuerySystemInformation(ssdt Hook)

Compatible con la version 3.76 de Sandboxie, recientemente se fixeo la Injection DLL en la version 4.09.1 la cual causaba la incompatibilidad con BSA, aun no es al 100% Compatible,tambien requiere WinPCap.




PeFrame


PEframe es una herramienta OPEN SOURCE, ideal para el Análisis Estático de Malware.




USO:
     
Código: [Seleccionar]
 peframe <opt> <file>

OPCIONES:

Código: [Seleccionar]
-h      --help          This help
-a      --auto          Show Auto analysis
-i      --info          PE file attributes
        --hash          Hash MD5 & SHA1
        --meta          Version info & metadata
        --peid          PE Identifier Signature
        --antivm        Anti Virtual Machine
        --antidbg       Anti Debug | Disassembler
        --sections      Section analyzer
        --functions     Imported DLLs & API functions
        --suspicious    Search for suspicious API & sections
        --dump          Dumping all the information
        --strings       Extract all the string
        --file-url      Extract File Name and Url
        --file-verbose  Discover potential file name
        --hexdump       Reverse Hex dump
        --import        List Entry Import instances
        --export        List Entry Export instances
        --resource      List Entry Resource instances
        --debug         List Entry DebugData instances


 Autor: FudMario

Regards,
Snifer

0 comentarios

Publicar un comentario en la entrada