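#!/usr/bin/env bash
# Collect and hash the PE images carved from the processes that Volatility's
# malfind flagged as holding injected code, so the MD5s can be looked up
# elsewhere. For every PID in procexedump/malfind.injectedPE.list the script
# runs dlldump, vaddump and apihooks, hashes each dumped file that `file`
# recognises as something other than plain "data", and appends the hashes to
# per-plugin lists under evidence/.
#
# Fill in the four variables below before running:
#   FILE    - memory image file name, relative to $HOME/$CASE
#   PROFILE - Volatility 2 profile for that image (the original run used
#             Win7SP1x86)
#   HOME    - directory holding the case directories (the original run used
#             /cases). NOTE: this deliberately shadows the login $HOME for
#             the rest of the script and for every vol.py it launches.
#   CASE    - case identifier; $HOME/$CASE is the working tree
#
# Expected layout under $HOME/$CASE:
#   procexedump/malfind.injectedPE.list  one PID per line (input)
#   dlldump/<pid>/, vaddump/<pid>/        plugin output plus <pid>.list,
#                                         pe.file.list, md5.full.list and
#                                         md5.name.full.list
#   apihooks/<pid>/<pid>.list             apihooks output
#   evidence/md5.<plugin>.total.list      all hashes, one line per file
#   evidence/md5.<plugin>.list            the same, sorted and de-duplicated
set -euo pipefail

FILE=
PROFILE=
HOME=
CASE=

# Refuse to run half-configured: an empty variable would otherwise turn
# "$HOME/$CASE/..." into a path at the filesystem root.
: "${FILE:?FILE must name the memory image}"
: "${PROFILE:?PROFILE must name the Volatility profile}"
: "${HOME:?HOME must point at the directory holding the case}"
: "${CASE:?CASE must name the case directory}"

readonly CASE_DIR="$HOME/$CASE"
readonly IMAGE="$CASE_DIR/$FILE"
readonly PID_LIST="$CASE_DIR/procexedump/malfind.injectedPE.list"
readonly EVIDENCE_DIR="$CASE_DIR/evidence"

#######################################
# Print a diagnostic on stderr without stopping the batch.
# Arguments: message words
#######################################
warn() {
  printf 'warn: %s\n' "$*" >&2
}

#######################################
# Hash every *.<ext> file in the current directory that `file` does not
# classify as plain "data" (i.e. the dumps Volatility could not carve as a
# PE), appending to the same three per-PID lists the original script wrote.
# Arguments: $1 - extension of the dumped files (dll or dmp)
# Outputs:   pe.file.list, md5.full.list, md5.name.full.list in the cwd
#######################################
hash_pe_files() {
  local ext=$1
  local f
  for f in *."$ext"; do
    [[ -e "$f" ]] || continue   # no dumps were produced for this PID
    # -b prints only the description, so a filename containing "data"
    # cannot hide a real PE from the filter.
    if file -b -- "$f" | grep -q data; then
      continue
    fi
    printf '%s\n' "$f" >> pe.file.list
    md5sum -- "$f" | awk '{print $1}' >> md5.full.list
    md5sum -- "$f" >> md5.name.full.list
  done
}

#######################################
# Run one Volatility dump plugin for one PID into its own directory, then
# hash whatever it produced and add the hashes to the evidence list.
# Globals:   IMAGE, PROFILE, CASE_DIR, EVIDENCE_DIR (read)
# Arguments: $1 - plugin name (dlldump or vaddump)
#            $2 - extension the plugin writes (dll or dmp)
#            $3 - PID
#######################################
dump_and_hash() {
  local plugin=$1 ext=$2 pid=$3
  local out_dir="$CASE_DIR/$plugin/$pid"
  mkdir -p -- "$out_dir"
  # A plugin failure for one PID is logged, not fatal: the remaining PIDs
  # and whatever this run did manage to dump are still worth hashing.
  vol.py -f "$IMAGE" --profile="$PROFILE" "$plugin" -p "$pid" -D "$out_dir" \
    >> "$out_dir/$pid.list" || warn "$plugin failed for pid $pid"
  # Subshell keeps the cd local; the original cd'd inside the loop and
  # created every later PID directory nested under the previous one.
  (
    cd -- "$out_dir"
    hash_pe_files "$ext"
    if [[ -f md5.full.list ]]; then
      cat md5.full.list >> "$EVIDENCE_DIR/md5.$plugin.total.list"
    fi
  )
}

#######################################
# Record apihooks output for one PID under apihooks/<pid>/ (the original
# appended it to dlldump/<pid>/<pid>.list, which looks like a copy-paste slip
# since it had just cd'd into apihooks/).
# Globals:   IMAGE, PROFILE, CASE_DIR (read)
# Arguments: $1 - PID
#######################################
hooks_for_pid() {
  local pid=$1
  local out_dir="$CASE_DIR/apihooks/$pid"
  mkdir -p -- "$out_dir"
  vol.py -f "$IMAGE" --profile="$PROFILE" apihooks -p "$pid" \
    >> "$out_dir/$pid.list" || warn "apihooks failed for pid $pid"
}

main() {
  local pid plugin
  mkdir -p -- "$CASE_DIR/dlldump" "$CASE_DIR/vaddump" "$CASE_DIR/apihooks" \
    "$EVIDENCE_DIR"
  # One pass per PID instead of three passes over the list; the files
  # produced are the same.
  while IFS= read -r pid || [[ -n "$pid" ]]; do
    pid=${pid%$'\r'}   # tolerate a CRLF list
    [[ -n "$pid" ]] || continue
    # PIDs become directory names and vol.py arguments; anything else in
    # the list is a parsing artefact and is skipped rather than acted on.
    if [[ ! "$pid" =~ ^[0-9]+$ ]]; then
      warn "skipping non-numeric pid entry: $pid"
      continue
    fi
    dump_and_hash dlldump dll "$pid"
    dump_and_hash vaddump dmp "$pid"
    hooks_for_pid "$pid"
  done < "$PID_LIST"
  # De-duplicated hash lists for lookup. The original tried to execute the
  # total list as a command and wrote the result relative to whatever
  # directory the last loop iteration had left it in.
  for plugin in dlldump vaddump; do
    if [[ -f "$EVIDENCE_DIR/md5.$plugin.total.list" ]]; then
      sort -u -- "$EVIDENCE_DIR/md5.$plugin.total.list" \
        >> "$EVIDENCE_DIR/md5.$plugin.list"
    fi
  done
}

main "$@"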