MNOTES.md

File metadata and controls

81 lines (61 loc) · 3.97 KB

MALWARE ANALYSIS TOOLS

Basic Static Analysis Tools:

  • md5deep - calculates the MD5 hash of a file
  • VirusTotal - upload the .exe, or look it up by its MD5 hash
  • strings - prints the printable ASCII and Unicode strings found in the raw .exe
  • PEiD | Exeinfo PE - detects which packer, if any, was used on the .exe
  • upx - unpacks an .exe that was packed with UPX
  • Dependency Walker - explores the functions an .exe or .dll imports from dynamically linked libraries
  • PEview | PE Explorer - browse the PE file format structures of an .exe
  • PEBrowse Professional - lets you look at the raw bytes of each section and shows the parsed PE data
  • Resource Hacker - shows all the resources embedded in an .exe
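As an added example (not part of these notes), a small Python equivalent of the md5deep and strings steps above: it hashes the raw bytes and pulls out runs of printable ASCII and of UTF-16LE text (the "Unicode" strings the tool reports) from a constructed blob that imitates a few PE fragments; the blob, the hostname and the registry path in it are made up for the demo.

```python
"""Added example: a tiny md5deep + strings equivalent for basic static analysis."""
import hashlib
import re
import sys

MIN_LEN = 4  # default minimum string length, as in the strings tool

# Constructed sample imitating fragments of a PE file; not a real binary.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                          # DOS header magic
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 16
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"     # UTF-16LE (Unicode) strings
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"                                      # binary noise
    + b"http://c2.example.invalid/beacon\x00"              # plain ASCII string
    + b"ab\x00"                                            # shorter than MIN_LEN, ignored
)


def file_hashes(data: bytes) -> dict:
    """MD5 (what md5deep prints) plus SHA-256 of the raw bytes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of at least min_len printable ASCII bytes (0x20-0x7e)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def unicode_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of at least min_len UTF-16LE units of printable ASCII (byte then NUL)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def analyze(data: bytes) -> dict:
    """Combine the basic static checks into one report."""
    return {"hashes": file_hashes(data), "ascii": ascii_strings(data),
            "unicode": unicode_strings(data)}


if __name__ == "__main__":
    # Pass a file path to analyze a real sample; otherwise the constructed blob is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in analyze(blob).items():
        print(key, value)
```

Note that the UTF-16 strings (the loaded DLL name and the Run key used for persistence) are invisible to a plain ASCII scan, which is why strings-style tools check both encodings.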

Basic Dynamic Analysis Tools:

  • Sandboxes - a security mechanism for running untrusted programs in a safe environment

    • Norman SandBox
    • GFI Sandbox (formerly CWSandbox)
    • Anubis
    • Joe Sandbox
    • ThreatExpert
    • BitBlaze
    • Comodo Instant Malware Analysis
  • rundll32.exe - provides a container for running a DLL

    Syntax:

    C:\> rundll32.exe DLLname, Export arguments

    Example 1:

    C:\> rundll32.exe rip.dll, Install

    Example 2: (using the export's ordinal number)

    C:\> rundll32.exe xyzzy.dll, #5

    Example 3: (installing a service from a DLL, then starting the service)

    C:\> rundll32.exe ipr32x.dll, InstallService ServiceName
    C:\> net start ServiceName

    Note:

    When you install a service using rundll32, it creates a new subkey under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key with the name of the service you specified.

  • Process Monitor / procmon - monitors registry, file system, network, process and thread activity, with advanced filtering by Windows API, process, thread, operation, include/exclude rules, etc. (a capture can later be saved and loaded into ProcDOT to see the changes visually)

  • Process Explorer / procexp - a far more capable version of Windows Task Manager that shows each process's threads, handles, strings on disk and in memory, loaded DLLs, established or listening TCP/IP connections, and its disk, network, memory and CPU activity

  • Regshot - takes two registry snapshots, before and after executing an .exe or .dll, and compares them

  • ApateDNS - shows the DNS requests made by an .exe by listening on UDP port 53 and spoofing the DNS responses

  • Netcat / nc - used for inbound and outbound connections: port scanning, listening for or connecting to servers, tunneling, proxying, port forwarding, etc.

    Example: (listen for connections on port 80)

    C:\> nc -l -p 80

  • Wireshark - packet capture tool that intercepts and logs network traffic; provides visualization and in-depth analysis of individual packets and packet streams; used to analyze internal networks, view network usage, debug application issues, reverse-engineer network protocols, reveal sensitive information sent in cleartext, etc.

  • INetSim - software suite used for simulating common Internet services to identify network behavior of unknown malware samples


Advanced Static Analysis Tools:


EXTRAS:

  • BinText - extracts text from any file; finds plain ASCII text, Unicode (double-byte ANSI) text and resource strings
  • PE-bear - inspects the PE file structure; views and modifies metadata, analyzes packed and obfuscated files, detects hidden data and code, extracts embedded resources and configuration settings, and offers a scriptable interface for automation and integration with other tools
  • FakeNet-NG - intercepts and redirects all or selected network traffic while simulating legitimate network services