Hey there, here we go with the ninth installment of Conociendo sobre Malware, this time with a contribution to our knowledge: reading this excellent book, Malware Analyst's Cookbook, which comes with practical advice the authors have laid out for understanding and fighting malware. Worth noting is that this book does not contain a tedious, so to speak, rundown of every malware analysis technique, but it does have quite practical tools and approaches, as well as everything related to commands and tools; you will draw your own summary or takeaways from this book. It is a book that I read on my Kindle when I have time or am bored with my own stuff; my aspiration is to end up working as a malware analyst, since I am really passionate about this world.
To learn more about the book, you can visit its official page, www.malwarecookbook.com, where the tools were released on Google Code (Source Malware Cookbook), and of course there is also the
Malware CookBook PDF direct download.
A list of the tools, taken from the official page.
* wwwhoney.tgz: CGI scripts to accept submissions from nepenthes and dionaea honeypots
* clamav_to_yara.py: Convert ClamAV antivirus signatures to YARA rules
* peid_to_yara.py: Convert PEiD packer signatures to YARA rules
* av_multiscan.py: Script to implement your own antivirus multi-scanner
* pescanner.py: Detect malicious PE file attributes
* ssdeep_procs.py: Detect self-mutating code on live Windows systems using ssdeep
* avsubmit.py: Command-line interface to VirusTotal, ThreatExpert, Jotti, and NoVirusThanks
* dbmgr.py: Malware artifacts database manager
* artifactscanner.py: Application to scan live Windows systems for artifacts (files, Registry keys, mutexes) left by malware
* mapper.py: Create static PNG images of IP addresses plotted on a map using GeoIP
* googlegeoip.py: Create dynamic/interactive geographical maps of IP addresses using Google charts
* sc_distorm.py: Script to produce disassemblies (via DiStorm) of shellcode and optionally apply an XOR mask
* vmauto.py: Python class for automating malware execution in VirtualBox and VMware guests
* mybox.py: Sample automation script for VirtualBox based on vmauto.py
* myvmware.py: Sample automation script for VMware based on vmauto.py
* analysis.py: Python class for building sandboxes with support for analyzing network traffic, packet captures, and memory
* RegFsNotify.exe: Tool to detect changes to the Registry and file system in real time (from user mode without API hooks)
* HandleDiff.exe: Tool to detect changes to the handle tables of all processes on a system (useful to analyze the side-effects of code injecting malware)
* Preservation.zip: Kernel driver for monitoring notification routines, preventing processes from terminating, preventing files from being deleted, and preventing other drivers from loading
* cmd.exe: Custom command shell (cmd.exe) for logging malware activity and backdoor activity
* tsk-xview.exe: Cross-view based rootkit detection tool based on The Sleuth Kit API and Microsoft’s Offline Registry API
* HTMLInjection Detector.exe: Detect HTML injection attacks on banking and financial websites
* routes.pl: RegRipper plug-in for printing a computer’s routing table
* pendingdelete.pl: RegRipper plug-in for printing files that are pending deletion
* disallowrun.pl: RegRipper plug-in for printing processes that malware prevents from running
* shellexecutehooks.pl: RegRipper plug-in for printing ShellExecute hooks (a method of DLL injection)
* dumpcerts.pl: Parse::Win32Registry module to extract and examine cryptography certificates stored in Registry hives
* somethingelse.pl: Parse::Win32Registry module for finding hidden binary data in the Registry
* scloader.exe: Executable wrapper for launching shell code in a debugger
* scd.py: Immunity Debugger PyCommand for finding shellcode in arbitrary binary files
* findhooks.py: Immunity Debugger PyCommand for finding Inline-style user mode API hooks
* pymon.py: WinAppDbg plug-in for monitoring API calls, alerting on suspicious flags/parameters and producing an HTML report
* xortools.py: Python library for encoding/decoding XOR, including brute force methods and automated YARA signature generation
* trickimprec.py: Immunity Debugger PyCommand for assistance when rebuilding import tables with Import REconstructor
* kraken.py: Immunity Debugger PyCommand for cracking Kraken’s Domain Generation Algorithm (DGA)
* sbstrings.py: Immunity Debugger PyCommand for decrypting Silent Banker strings
* rundll32ex.exe: Extended version of rundll32.exe that allows you to run DLLs in other processes, call exported functions, and pass parameters
* install_svc.bat: Batch script for installing a service DLL (for dynamic analysis of the DLL)
* install_svc.py: Python script for installing a service DLL and supplying optional arguments to the service
* dll2exe.py: Python script for converting a DLL into a standalone executable
* DriverEntryFinder: Kernel driver to find the correct address in kernel memory to set breakpoints for catching new drivers as they load
* windbg_to_ida.py: Python script to convert WinDbg output into data that can be imported into IDA
* WinDbgNotify.txt: WinDbg script for identifying malicious notification routines
I hope you like it, and let's keep digging deeper into this little world of malware.
Regards,
Snifer
Nice post, friend, I'm keeping the book, thanks
Very good list of scripts and programs, thanks for the contribution (:
You're welcome, both of you, the pleasure is mine to be able to share!
Regards,
Snifer
A teacher told me that if you have a dream and want to make it real, you have to give it shape.
If you want to be a malware analyst, give it shape :)