Thread: Malware Analyser

  1. #1
    beenu
    Guest

    Malware Analyser

    My First Topic. Had developed a malware analyser which performs a good and deeper analysis on Distro compared to win.

    Code:
    #!/usr/bin/env python3
    ################################################################ 
    #       .___             __          _______       .___        # 
    #     __| _/____ _______|  | __ ____ \   _  \    __| _/____    # 
    #    / __ |\__  \\_  __ \  |/ // ___\/  /_\  \  / __ |/ __ \   # 
    #   / /_/ | / __ \|  | \/    <\  \___\  \_/   \/ /_/ \  ___/   # 
    #   \____ |(______/__|  |__|_ \\_____>\_____  /\_____|\____\   # 
    #        \/                  \/             \/                 # 
    #                   ___________   ______  _  __                # 
    #                 _/ ___\_  __ \_/ __ \ \/ \/ /                # 
    #                 \  \___|  | \/\  ___/\     /                 # 
    #                  \___  >__|    \___  >\/\_/                  # 
    #      est.2007        \/            \/   forum.darkc0de.com   # 
    ################################################################ 
    # Greetz to all Darkc0de, AI, ICW Members
    # Shoutz to r45c4l,j4ckh4x0r,silic0n,smith,baltazar,d3hydr8,lowlz,Eberly,Sumit,zerocode,dalsim,7
    # The application can be used to perform the initial malware analysis phase.
    # Download the PE module, else the application won't work: http://code.google.com/p/pefile/
    # Some of the deeper analysis can only be performed on a Linux OS, so I would prefer to perform the analysis on Linux.
    # This program is free software: you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation, either version 3 of the License, or
    # (at your option) any later version.

    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.

    # You should have received a copy of the GNU General Public License
    # along with this program.  If not, see <http://www.gnu.org/licenses/>.

    import os
    import re
    import subprocess
    import sys

    # pefile/peutils are optional at import time; checkconfig() reports when they are missing
    try:
        import pefile
        import peutils
    except ImportError:
        pefile = peutils = None

    # PEiD-style packer signature database read by peutils (placeholder path: point it at your own copy)
    PE_SIGNATURE_PATH = "UserDB.TXT"

    # The objdump-based "deeper analysis" is only attempted on Linux/macOS hosts
    IS_UNIX = sys.platform.startswith(("linux", "darwin"))


    def checkconfig():
        if pefile is None or peutils is None:
            print("\n[!] PE Module Missing.")
            print("\n[!] Download PE Module from [ http://code.google.com/p/pefile/ ]")
            sys.exit(0)


    # Say Hello

    if IS_UNIX:
        os.system("clear")
    elif sys.platform == "win32":
        os.system("cls")

    print("\n|---------------------------------------------------------------|")
    print("| beenudel1986[@]gmail[dot]com                                  |")
    print("| Malware Analyzer(Static) 1.3                                  |")
    print("|   06/2009      analyse_malware.py                             |")
    print("|   Do Visit     www.BeenuArora.com                             |")
    print("|---------------------------------------------------------------|\n")


    # Regexes applied to every line of the raw file (encoded to bytes before matching)
    INTERESTING_CALLS = ["CreateMutex", "CopyFile", "CreateFile.*WRITE", "NtCreateFile", "call shell32", "advapi32.RegOpenKey",
        "KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons",
        "advapi32.RegCreate", "advapi32.RegSet", "http://", "Socket", "FindResource", "LockResource", "ShellExecute", "GetThreadContext",
        "ReadProcessMemory", "WriteProcessMemory",
        r"([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])",
        "OutputDebugString", "GetEnvironmentStrings", "LoadLibraryA", "WSASocketA", "GetProcAddress",
        "FindWindow", "CreateProcess", "DuplicateTokenEx", "ImpersonateNamedPipeClient", "RevertToSelf", "signal",
        "IsDebuggerPresent"
        ]
    INTERESTING_CALLS_DLLS = ["KERNEL32.DLL", "advapi32.dll", "comctl32.dll", "gdi32.dll", "ole32.dll", "oleaut32.dll", "user32.dll", "wsock32.dll", "ntdll.dll"]
    INTERESTING_SYS_CALLS = ["ping.exe", "telnet.exe"]
    REGISTRY_CALLS = ["HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE", "autorun.inf"]
    ONLINE_WORK = ["IRC", "Joined channel", "Port", "BOT", "Login", "flood", "ddos", "NICK", "ECHO", "PRIVMSG", "ADMIN", "AWAY", "CONNECT", "KICK", "LIST", "MODE", "MOTD", "PING", "PONG", "QUIT", "SERVLIST", "SERVICE", "NAMES", "JOIN", "INVITE", "INFO", "TRACE", "USERHOST", "WHO", "WHOIS", "VERSION"]


    def matches(pattern, line):
        """Match a str regex against one bytes line of the sample (the file is read in binary mode)."""
        return re.search(pattern.encode(), line) is not None


    if len(sys.argv) < 2:
        print("\n Usage: ./analyse_malware.py <MALWARE FILENAME>\n")
        print("\t\t Example: ./analyse_malware.py malware.exe\n")
        print("\tFor Help: ./analyse_malware.py --help\n")
        sys.exit(0)

    for arg in sys.argv:
        if arg == "--help":
            print("   To Perform Complete Analysis: Usage: ./analyse_malware.py [Malware File]\n ")
            print("   To Generate ASCII Dump: Usage: ./analyse_malware.py [Malware File] --Ascii\n")
            print("   To View Dlls Loaded: Usage: ./analyse_malware.py [Malware File] --Dll\n")
            print("   To View the PE Areas: Usage: ./analyse_malware.py [Malware File] --Header\n")
            print("\n\t   Example: ./analyse_malware.py malware.exe --Dll\n")
            sys.exit(0)


    malware = sys.argv[1]

    try:
        with open(malware, "rb") as fh:          # binary mode: an executable is not a text file
            data = fh.read()
    except IOError:
        print(" \n\n[!]Malware Missing .Exiting.\n")
        sys.exit(0)

    lines = data.splitlines()


    def objdump(*flags):
        """Run objdump on the sample without a shell (no temp files, no filename injection)."""
        try:
            result = subprocess.run(["objdump", *flags, malware], capture_output=True, text=True, errors="replace")
        except FileNotFoundError:
            print("\n[!] objdump not found; install binutils for the deeper analysis.")
            return []
        return result.stdout.splitlines()


    def start_analysis_system_calls():
        performed = []
        for line in lines:
            for calls in INTERESTING_CALLS:
                if matches(calls, line) and calls not in performed:
                    print("[+] Found an Interesting call to: ", calls)
                    performed.append(calls)


    def start_analysis_registry():
        for line in lines:
            for calls in REGISTRY_CALLS:
                if matches(calls, line):
                    print("[+] Malware is Adding a Key at Hive: ", calls)
                    print(line.decode("ascii", "replace"))


    def calls_to_dlls():
        if IS_UNIX:
            print("\n Since Host OS is Linux. Performing Deeper Analysis\n")
            print("\n   [+] Dlls Loaded are:\n")
            for line in objdump("-x"):
                if "DLL" in line:
                    print(line)
        else:
            for line in lines:
                for calls in INTERESTING_CALLS_DLLS:
                    if matches(calls, line):
                        print("\n[+] Loaded Dll: ", calls)


    def find_import_table():
        for line in objdump("-x"):
            if "import table" in line:
                print(line)


    def start_address():
        for line in objdump("-x"):
            if "start address" in line:
                print(line)


    def header_info():
        for line in objdump("-h"):
            print(line)


    def calls_to_syscommand():
        for line in lines:
            for calls in INTERESTING_SYS_CALLS:
                if matches(calls, line):
                    print("\n[+] Call Made: ", calls)
                    print("\n\n[!] It Can be Part of DDOS Network.\n")


    def start_analysis_online():
        performed = []
        for line in lines:
            for calls in ONLINE_WORK:
                if matches(calls, line) and calls not in performed:
                    print("[+] Malware Seems to be IRC BOT: Verified By String :", calls)
                    performed.append(calls)


    def getSignatureForPe(pe):
        try:
            signatures = peutils.SignatureDatabase(PE_SIGNATURE_PATH)
            return signatures.match_all(pe)
        except (IOError, OSError):
            return None                          # no signature database at PE_SIGNATURE_PATH


    def get_pe_signature():
        try:
            pe = pefile.PE(malware)
        except pefile.PEFormatError as err:
            print("\n\n[!] pefile could not parse the sample: ", err)
            return
        signatureInfo = getSignatureForPe(pe)
        if signatureInfo:
            print("\n[+] Packer/compiler signatures: ", signatureInfo)
        print(pe.dump_info())


    def generate_dump():
        filename = "ascii_dump_" + os.path.basename(malware) + ".txt"
        dump = objdump("-s")
        with open(filename, "w") as out:
            out.write("\n".join(dump) + "\n")
        for line in dump:
            print(line)
        print("\n Check " + filename + " for the ASCII dump output")
        input("\n Press <Enter> to Exit.\n")
        sys.exit(0)


    def checkPE():
        # Only the DOS "MZ" stub is checked here; pefile does the full header parse later on
        print("\n Analysing if PE file...\n")
        with open(malware, "rb") as check:
            buff = check.read(2)
        if buff == b"MZ":
            print("\n[+] Valid PE file.")
            print("\n[+] Malware File Size :", os.path.getsize(malware) // 1000, "KB")
        else:
            print("[!] Not a Valid PE File. Exiting.!\n")
            sys.exit(0)


    def checkargs():
        # Single-purpose switches; checkPE() has already run from apps_start()
        actions = {"--ascii": generate_dump, "--dll": calls_to_dlls, "--header": header_info}
        for arg in sys.argv[2:]:
            action = actions.get(arg.lower())
            if action is None:
                continue
            if not IS_UNIX:
                print("\n This Analysis is Applicable on Linux OS only")
                sys.exit(0)
            action()
            sys.exit(0)


    def apps_start():
        checkconfig()
        checkPE()
        checkargs()
        print("\n[!] Displaying Interesting System Calls Made.\n")
        start_analysis_system_calls()
        if IS_UNIX:
            print("\n[+] Displaying Address of Import Table\n")
            find_import_table()
            print("\n[+] Displaying the Start Address\n")
            start_address()
            print("\n[+] Displaying the Header Sections and File Format")
            header_info()
        print("\n[!] Displaying Registry Hives Edited.\n")
        start_analysis_registry()
        print("\n\n[!] Displaying A Little Online Behaviour.\n")
        start_analysis_online()
        print("\n\n[!] Displaying the Loaded DLLs.\n")
        calls_to_dlls()
        print("\n\n[!] Commands Inside the Malware.\n")
        calls_to_syscommand()
        print("\n\n[!] Displaying the Headers of the Malware.\n")
        get_pe_signature()


    apps_start()
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    __Genius__
    Guest
    Could you put a version with full comments?
