Malware Analysis Tools¶
Process inspection¶
Process Hacker¶
- Add column Verification status & Verified signer
- Inspect Memory
- Open process \(\rightarrow\) Memory
- Inspect DLL:
- Open process \(\rightarrow\) Modules
- Add column Verification & Verified signer
- Identifier: Unverified DLL
- Inspect dump file:
- right click on process \(\rightarrow\) create dump file
- run Yara on dump
- Inspect memory region
- right click on Memory Address \(\rightarrow\)
Save...
- use
strings
- right click on Memory Address \(\rightarrow\)
Process Explorer¶
Inspect processes (like Process Hacker)
- start with
procexp
Process Monitor¶
- Create filter
PID is xxxx
VMMap¶
Inspect virtual memory map of process
- Start and select process
Hollows hunter¶
Detect inline or IAT hooks
- creates a directory with results in the path of execution
/iat
*.iat_hooks.txt
: describes the hook
/hooks
*.tag
files describes the hook \(\rightarrow\) tag file per DLL
# generic run
hollows_hunter /hooks /iat
# identify IAT hooks only
hollows_hunter /iat 3 /log
# identify inline hooks only
hollows_hunter /hooks /log
# scan all processes and dump suspicious memory locations
hollows_hunter /shellc /dir .\hhout
hollows_hunter /pid <pid> /dir .\hhout
IDA¶
Disassemble
- Start: Open IDA \(\rightarrow\) Debugger \(\rightarrow\) Attach \(\rightarrow\) Open PID
- Tipps
- double click to address opens location
- use "space" to switch view
Autoruns¶
Detect persistence
- Tipps
- Refresh after malware infection!
- Hide all signed Microsoft entries: Options \(\rightarrow\) Hide Microsoft Entries
Yara¶
Checks code sequences & strings
yara *.yar <binary>
yara -w -g -r *.yar <binary>/<directory>
Yarad¶
Yarad (Yara-directory) is a small helper program which facilitates the use of yara rules contained in a repository. Given a mode (list or scan), a directory and a file to scan, it will run yara on the file using each ruleset inside the directory (non-recursive) ending with .yar
Example:
# For scan mode
.\yarad.ps1 -Mode scan -Directory "C:\rules\dir" -ScanFile malware.exe
# For list mode
.\yarad.ps1 -Mode list -Directory "C:\rules\dir" -ScanFile dump.bin
param (
[Parameter(Mandatory=$true)]
[string]$Mode,
[Parameter(Mandatory=$true)]
[string]$Directory,
[string]$ScanFile,
[string]$ScanDirectory
)
function Show-Usage {
Write-Output "Usage: .\yarad.ps1 -Mode <mode> -Directory <directory> -ScanFile <scan_file> [-ScanDirectory <scan_directory>]"
Write-Output "Modes:"
Write-Output " scan - Run yara on each .yar file in the directory"
Write-Output " list - List all .yar files in the directory"
Write-Output " rscan - Run yara recursively on each .yar file in the directory and subdirectories"
}
if (-not $PSCmdlet.MyInvocation.BoundParameters.ContainsKey('Mode') -or
-not $PSCmdlet.MyInvocation.BoundParameters.ContainsKey('Directory')) {
Show-Usage
exit 1
}
if (-not ($PSCmdlet.MyInvocation.BoundParameters.ContainsKey('ScanFile') -or
$PSCmdlet.MyInvocation.BoundParameters.ContainsKey('ScanDirectory'))) {
Write-Output "Error: Either ScanFile or ScanDirectory must be specified."
Show-Usage
exit 1
}
if (-not (Test-Path -Path $Directory -PathType Container)) {
Write-Output "Error: $Directory is not a directory."
exit 1
}
if ($PSCmdlet.MyInvocation.BoundParameters.ContainsKey('ScanFile') -and
-not (Test-Path -Path $ScanFile -PathType Leaf)) {
Write-Output "Error: $ScanFile does not exist."
exit 1
}
if ($PSCmdlet.MyInvocation.BoundParameters.ContainsKey('ScanDirectory') -and
-not (Test-Path -Path $ScanDirectory -PathType Container)) {
Write-Output "Error: $ScanDirectory is not a directory."
exit 1
}
function Scan-Files {
$results = @()
Get-ChildItem -Path $Directory -Filter *.yar | ForEach-Object {
Write-Host "Processing $($_.FullName)"
$result = & yara -w -g $_.FullName $ScanFile
$results += $result
}
$results
}
function List-Files {
Get-ChildItem -Path $Directory -Filter *.yar | ForEach-Object {
Write-Output $_.FullName
}
}
function Recursive-Scan-Files {
$results = @()
Get-ChildItem -Path $Directory -Filter *.yar -Recurse | ForEach-Object {
Write-Host "Processing $($_.FullName)"
$result = & yara -r -w -g $_.FullName $ScanDirectory
$results += $result
}
$results
}
switch ($Mode) {
"scan" {
$scanResults = Scan-Files
Write-Output $scanResults
}
"list" {
List-Files
}
"rscan" {
$rscanResults = Recursive-Scan-Files
Write-Output $rscanResults
}
default {
Write-Output "Invalid mode: $Mode"
Show-Usage
exit 1
}
}
strings¶
- use
strings
on CMD/Powershell
strings <filename>
apimonitor¶
- start correct version (e.g. 32bit/x86 version for some malware samples)
- select
.exe
- select API (e.g.
FileOpen
,FileWrite
,WriteRegistryKey
, ...) - kernel32
- virtualalloc, writememory, createremotethread
sigcheck¶
Check signature of a binary
sigcheck <filename>
# check directory
cd AppData\Roaming
sigcheck -s -e .\
Packing¶
CFF Explorer¶
- Select
.exe
- Inspect
File Info
- Indication for packaging: UPX
- No match found probably ok
PEiD¶
- Select
.exe
- Click on the double arrow
- Click on the double points to calculate entropy etc.
- Indicator for packaging: high entropy
pestudio¶
- open
.exe
- select
sections
\(\rightarrow\) this takes some time! - Indication for packaging:
- UPX0
- section is executable
raw-size
is 0 butvirtual-size
is x bytes
- UPX1
- entrypoint is here, section is executable
- High entropy \(\rightarrow\) likely packed
raw-size
is 0 butvirtual-size
is higher- the raw addresses are offsets relative to the beginning of the PE file
- the virtual addresses are RVAs (relative virtual addresses)
- UPX0