Skip to content

Malware Analysis Tools

links: MAI MOC - Index

Process inspection

Process Hacker

  • Add column Verification status & Verified signer
  • Inspect Memory
    • Open process \(\rightarrow\) Memory
  • Inspect DLL:
    • Open process \(\rightarrow\) Modules
    • Add column Verification & Verified signer
    • Identifier: Unverified DLL
  • Inspect dump file:
    • right click on process \(\rightarrow\) create dump file
    • run Yara on dump
  • Inspect memory region
    • right click on Memory Address \(\rightarrow\) Save...
    • use strings

Process Explorer

Inspect processes (like Process Hacker)

  • start with procexp

Process Monitor

  • Create filter PID is xxxx

VMMap

Inspect virtual memory map of process

  • Start and select process

Hollows hunter

Detect inline or IAT hooks

  • creates a directory with results in the path of execution
  • /iat
    • *.iat_hooks.txt: describes the hook
  • /hooks
    • *.tag files describes the hook \(\rightarrow\) tag file per DLL
# generic run
hollows_hunter /hooks /iat

# identify IAT hooks only
hollows_hunter /iat 3 /log

# identify inline hooks only
hollows_hunter /hooks /log

# scan all processes and dump suspicious memory locations
hollows_hunter /shellc /dir .\hhout
hollows_hunter /pid <pid> /dir .\hhout

IDA

Disassemble

  • Start: Open IDA \(\rightarrow\) Debugger \(\rightarrow\) Attach \(\rightarrow\) Open PID
  • Tipps
    • double click to address opens location
    • use "space" to switch view

Autoruns

Detect persistence

  • Tipps
    • Refresh after malware infection!
    • Hide all signed Microsoft entries: Options \(\rightarrow\) Hide Microsoft Entries

Yara

Checks code sequences & strings

yara *.yar <binary>

yara -w -g -r *.yar <binary>/<directory>

Yarad

Yarad (Yara-directory) is a small helper program which facilitates the use of yara rules contained in a repository. Given a mode (list or scan), a directory and a file to scan, it will run yara on the file using each ruleset inside the directory (non-recursive) ending with .yar

Example:

# For scan mode
.\yarad.ps1 -Mode scan -Directory "C:\rules\dir" -ScanFile malware.exe

# For list mode
.\yarad.ps1 -Mode list -Directory "C:\rules\dir" -ScanFile dump.bin

param (
    [Parameter(Mandatory=$true)]
    [string]$Mode,

    [Parameter(Mandatory=$true)]
    [string]$Directory,

    [string]$ScanFile,

    [string]$ScanDirectory
)

function Show-Usage {
    Write-Output "Usage: .\yarad.ps1 -Mode <mode> -Directory <directory> -ScanFile <scan_file> [-ScanDirectory <scan_directory>]"
    Write-Output "Modes:"
    Write-Output "  scan       - Run yara on each .yar file in the directory"
    Write-Output "  list       - List all .yar files in the directory"
    Write-Output "  rscan      - Run yara recursively on each .yar file in the directory and subdirectories"
}

if (-not $PSCmdlet.MyInvocation.BoundParameters.ContainsKey('Mode') -or
    -not $PSCmdlet.MyInvocation.BoundParameters.ContainsKey('Directory')) {
    Show-Usage
    exit 1
}

if (-not ($PSCmdlet.MyInvocation.BoundParameters.ContainsKey('ScanFile') -or
         $PSCmdlet.MyInvocation.BoundParameters.ContainsKey('ScanDirectory'))) {
    Write-Output "Error: Either ScanFile or ScanDirectory must be specified."
    Show-Usage
    exit 1
}

if (-not (Test-Path -Path $Directory -PathType Container)) {
    Write-Output "Error: $Directory is not a directory."
    exit 1
}

if ($PSCmdlet.MyInvocation.BoundParameters.ContainsKey('ScanFile') -and
    -not (Test-Path -Path $ScanFile -PathType Leaf)) {
    Write-Output "Error: $ScanFile does not exist."
    exit 1
}

if ($PSCmdlet.MyInvocation.BoundParameters.ContainsKey('ScanDirectory') -and
    -not (Test-Path -Path $ScanDirectory -PathType Container)) {
    Write-Output "Error: $ScanDirectory is not a directory."
    exit 1
}

function Scan-Files {
    $results = @()
    Get-ChildItem -Path $Directory -Filter *.yar | ForEach-Object {
        Write-Host "Processing $($_.FullName)"
        $result = & yara -w -g $_.FullName $ScanFile
        $results += $result
    }
    $results
}

function List-Files {
    Get-ChildItem -Path $Directory -Filter *.yar | ForEach-Object {
        Write-Output $_.FullName
    }
}

function Recursive-Scan-Files {
    $results = @()
    Get-ChildItem -Path $Directory -Filter *.yar -Recurse | ForEach-Object {
        Write-Host "Processing $($_.FullName)"
        $result = & yara -r -w -g $_.FullName $ScanDirectory
        $results += $result
    }
    $results
}

switch ($Mode) {
    "scan" {
        $scanResults = Scan-Files
        Write-Output $scanResults
    }
    "list" {
        List-Files
    }
    "rscan" {
        $rscanResults = Recursive-Scan-Files
        Write-Output $rscanResults
    }
    default {
        Write-Output "Invalid mode: $Mode"
        Show-Usage
        exit 1
    }
}

strings

  • use strings on CMD/Powershell
strings <filename>

apimonitor

  • start correct version (e.g. 32bit/x86 version for some malware samples)
  • select .exe
  • select API (e.g. FileOpen, FileWrite, WriteRegistryKey, ...)
  • kernel32
  • virtualalloc, writememory, createremotethread

sigcheck

Check signature of a binary

sigcheck <filename>

# check directory
cd AppData\Roaming
sigcheck -s -e .\

Packing

CFF Explorer

  • Select .exe
  • Inspect File Info
    • Indication for packaging: UPX
    • No match found probably ok

PEiD

  • Select .exe
  • Click on the double arrow
  • Click on the double points to calculate entropy etc.
  • Indicator for packaging: high entropy

peid.png

pestudio

  • open .exe
  • select sections \(\rightarrow\) this takes some time!
  • Indication for packaging:
    • UPX0
      • section is executable
      • raw-size is 0 but virtual-size is x bytes
    • UPX1
      • entrypoint is here, section is executable
      • High entropy \(\rightarrow\) likely packed
    • raw-size is 0 but virtual-size is higher
    • the raw addresses are offsets relative to the beginning of the PE file
    • the virtual addresses are RVAs (relative virtual addresses)

pestudio.png

links: MAI MOC - Index