

Malware Analyser

Post by beenu »

My first topic. I have developed a static malware analyser; it does a deeper analysis on a Linux distro (where it can shell out to objdump) than on Windows.


#!/usr/bin/python
################################################################ 
#       .___             __          _______       .___        # 
#     __| _/____ _______|  | __ ____ \   _  \    __| _/____    # 
#    / __ |\__  \\_  __ \  |/ // ___\/  /_\  \  / __ |/ __ \   # 
#   / /_/ | / __ \|  | \/    <\  \___\  \_/   \/ /_/ \  ___/   # 
#   \____ |(______/__|  |__|_ \\_____>\_____  /\_____|\____\   # 
#        \/                  \/             \/                 # 
#                   ___________   ______  _  __                # 
#                 _/ ___\_  __ \_/ __ \ \/ \/ /                # 
#                 \  \___|  | \/\  ___/\     /                 # 
#                  \___  >__|    \___  >\/\_/                  # 
#      est.2007        \/            \/   forum.darkc0de.com   # 
################################################################ 
# Greetz to all Darkc0de, AI, ICW Members
#Shoutz to r45c4l,j4ckh4x0r,silic0n,smith,baltazar,d3hydr8,lowlz,Eberly,Sumit,zerocode,dalsim,7
#The application can be used for the initial (static) malware analysis phase.
#Download the PE module, otherwise the application won't work: http://code.google.com/p/pefile/
#Some of the deeper analysis (import table, start address, section headers, ASCII dump) shells out to objdump and therefore only runs on Linux/macOS, so running it on a Linux host is preferred.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
#  the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.

#You should have received a copy of the GNU General Public License
#along with this program.  If not, see <http://www.gnu.org/licenses/>.

import os
import re
import string
import struct
import subprocess
import sys

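def checkconfig():
    """Verify that the third-party `pefile` package (with `peutils`) is importable.

    The modules are bound at module scope (`global`) so that get_pe_signature()
    and getSignatureForPe() can use them later; the original function-local
    import left `pefile`/`peutils` undefined everywhere outside this function.

    Exits with status 1 (not 0) when the dependency is missing, so a wrapper
    script can tell failure from success.
    """
    global pefile, peutils
    try:
        import pefile
        import peutils
    except ImportError:
        print("\n[!] PE Module Missing.")
        print("\n[!] Download PE Module from [ http://code.google.com/p/pefile/ ]")
        sys.exit(1)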


# Say Hello

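# Clear the terminal before printing the banner.
# sys.platform is 'linux2'/'linux3' on Python 2 and plain 'linux' on
# Python 3.3+, so match the prefix instead of exact values.
if sys.platform.startswith('linux') or sys.platform == 'darwin':
    SysCls = 'clear'
elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform[0:5] == 'ms-dos':
    SysCls = 'cls'
else:
    SysCls = 'unknown'

# Only run a command we actually recognise: the original handed the literal
# string 'unknown' to the shell on unrecognised platforms.
if SysCls != 'unknown':
    os.system(SysCls)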

print "\n|---------------------------------------------------------------|"
print "| beenudel1986[@]gmail[dot]com                                  |"
print "| Malware Analyzer(Static) 1.3                                  |"
print "|   06/2009      analyse_malware.py                             |"
print "|   Do Visit     www.BeenuArora.com                             |"
print "|---------------------------------------------------------------|\n"


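# Indicator tables.  Every entry is a regular expression tried with
# re.search (case-sensitive) against each line of the raw sample.  They are
# crude string hints, not proof of behaviour: almost any Win32 program imports
# CreateFile/LoadLibraryA/GetProcAddress, and a packed or encrypted sample
# exposes none of these strings until unpacked.
INTERESTING_CALLS = [
    "CreateMutex", "CopyFile", "CreateFile.*WRITE",
    # "NtasdfCreateFile" looks like a typo (NtCreateFile?) and will not match anything
    # real; kept as-is pending confirmation from the author.
    "NtasdfCreateFile",
    "call shell32", "advapi32.RegOpenKey",
    "KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons",
    "advapi32.RegCreate", "advapi32.RegSet", "http://", "Socket", "FindResource", "LockResource", "ShellExecute", "GetThreadContext",
    # The original single entry "# Read/WriteProcessMemory" could never match;
    # split into the two real API names.
    "ReadProcessMemory", "WriteProcessMemory",
    # Dotted-quad IPv4 address.  Raw string: "\d" inside a plain literal is an
    # invalid escape on Python 3.12+.  The "^" anchor means it only fires when
    # the address happens to start a '\n'-delimited chunk of the binary.
    r"^([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])",
    "OutputDebugString", "GetEnvironmentStrings", "LoadLibraryA", "WSASocketA", "GetProcAddress",
    "FindWindow", "CreateProcess", "DuplicateTokenEx", "ImpersonateNamedPipeClient", "RevertToSelf", "signal",
    "IsDebuggerPresent",
]
# DLL names used on non-Unix hosts (where objdump is unavailable).  The "."
# is a regex wildcard here, so "KERNEL32.DLL" also matches "KERNEL32xDLL".
INTERESTING_CALLS_DLLS = ["KERNEL32.DLL", "advapi32.dll", "comctl32.dll", "gdi32.dll", "ole32.dll", "oleaut32.dll", "user32.dll", "wsock32.dll", "ntdll.dll"]
# External tools a sample may launch.
INTERESTING_SYS_CALLS = ["ping.exe", "telnet.exe"]
# Registry hive names plus the autorun file name.  "autorum.inf" in the
# original was a typo that could never match.
REGISTRY_CALLS = ["HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE", "autorun.inf"]
# IRC protocol words used to guess at bot behaviour.  Several ("Port",
# "Login", "INFO", "MODE", "WHO", "LIST") occur in plenty of benign
# binaries, so expect false positives from this table.
ONLINE_WORK = ["IRC", "Joined channel", "Port", "BOT", "Login", "flood", "ddos", "NICK", "ECHO", "PRIVMSG", "ADMIN", "AWAY", "CONNECT", "KICK", "LIST", "MODE", "MOTD", "PING", "PONG", "QUIT", "SERVLIST", "SERVICE", "NAMES", "JOIN", "INVITE", "INFO", "TRACE", "USERHOST", "WHO", "WHOIS", "VERSION"]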

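# Usage / help handling.  Runs at import time (the script is not wrapped in
# a main guard).  A wrong invocation now exits with status 1; the original
# exited 0, which wrappers could not distinguish from a successful run.
if len(sys.argv) < 2:
    print("\n Usage: ./analyse_malware.py <MALWARE FILENAME>\n")
    print("\t\t Example: ./analyse_malware.py malware.exe\n")
    print("\tFor Help: ./analyse_malware.py --help\n")
    sys.exit(1)

# argv[0] is the script itself, so only the real arguments are inspected.
if '--help' in sys.argv[1:]:
    print("   To Perform Complete Analysis: Usage: ./analyse_malware.py [Malware File]\n ")
    print("   To Generate ASCII Dump: Usage: ./analyse_malware.py [Malware File] --Ascii\n")
    print("   To View Dlls Loaded: Usage: ./analyse_malware.py [Malware File] --Dll\n")
    print("   To View the PE Areas: Usage: ./analyse_malware.py [Malware File] --Header\n")
    print("\n\t   Example: ./analyse_malware.py malware.exe --Dll\n")
    sys.exit(0)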
	


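# Path of the sample under analysis: the first positional argument.
# This value is later handed to objdump; it is attacker-influenced data
# (whoever named the sample) and must never be interpolated into a shell
# command string.
malware = sys.argv[1]

# Read the whole sample as raw bytes, split at '\n'.  Binary mode matters on
# Windows (a supported host), where text mode would translate line endings
# and can stop reading at a 0x1A byte.  The file is closed by the `with`;
# the original left the handle open.  On Python 2 the elements are `str`,
# which is what the regex scans below expect; on Python 3 they would be
# `bytes`.
try:
    with open(malware, 'rb') as sample:
        hosts = sample.readlines()
except IOError:
    print(" \n\n[!]Malware Missing .Exiting.\n")
    sys.exit(1)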

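def start_analysis_system_calls(lines=None, patterns=None):
    """Report which INTERESTING_CALLS patterns occur in the sample.

    Args:
        lines: iterable of lines to scan; defaults to the module-level
            `hosts` (the sample read at start-up).
        patterns: regexes tried with re.search; defaults to INTERESTING_CALLS.

    Returns:
        The matched patterns in first-seen order, each reported once.
        Printing is kept as a side effect for the CLI; the original returned
        None, so callers may ignore the value.
    """
    if lines is None:
        lines = hosts
    if patterns is None:
        patterns = INTERESTING_CALLS
    # Compile once: the same handful of patterns is applied to every line.
    compiled = [(pat, re.compile(pat)) for pat in patterns]
    performed = []
    seen = set()
    for line in lines:
        for name, regex in compiled:
            if name not in seen and regex.search(line):
                print("[+] Found an Interesting call to:  %s" % name)
                seen.add(name)
                performed.append(name)
    return performed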
	

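def start_analysis_registry(lines=None, patterns=None):
    """Report lines of the sample that mention a REGISTRY_CALLS pattern.

    A hit only shows the hive name is present as a string; it does not prove
    the sample writes a key (the printed wording is inherited from the CLI).
    The matching line is reduced to printable ASCII before it is echoed, so
    raw bytes from an untrusted sample (e.g. terminal escape sequences) are
    never written straight to the analyst's console.

    Args:
        lines: lines to scan (default: module-level `hosts`).
        patterns: regexes to try (default: REGISTRY_CALLS).

    Returns:
        list of (pattern, original_line) tuples for every match, in scan order.
    """
    if lines is None:
        lines = hosts
    if patterns is None:
        patterns = REGISTRY_CALLS
    nonprintable = re.compile(r'[^\x20-\x7e]')
    hits = []
    for line in lines:
        for hive in patterns:
            if re.search(hive, line):
                print("[+] Malware is Adding a Key at Hive:  %s" % hive)
                print(nonprintable.sub('.', line.rstrip('\r\n')))
                hits.append((hive, line))
    return hits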
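def calls_to_dlls(path=None, lines=None, patterns=None):
    """List DLLs referenced by the sample.

    On Linux/macOS the list comes from `objdump -x`, keeping the lines that
    contain "DLL" (the original piped through `grep DLL`).  objdump is started
    through subprocess with an argument list, never via a shell string: the
    sample's file name is attacker-influenced data, and the original
    `os.system("objdump -x " + malware + ...)` let a crafted name execute
    commands on the analyst's machine.  Output is read from a pipe, so no
    fixed-name "result" file is written to (and removed from) the working
    directory any more.  On other hosts the sample's lines are scanned for the
    INTERESTING_CALLS_DLLS regexes instead.

    Args:
        path: file handed to objdump (default: module-level `malware`).
        lines: lines to scan on non-Unix hosts (default: module-level `hosts`).
        patterns: DLL regexes for that scan (default: INTERESTING_CALLS_DLLS).

    Returns:
        list of the DLL lines / DLL names printed; [] when objdump is
        unavailable or prints nothing.
    """
    if path is None:
        path = malware
    if sys.platform.startswith('linux') or sys.platform == 'darwin':
        print("\n Since Host OS is Linux. Peforming Deeper Analysis\n")
        try:
            proc = subprocess.Popen(['objdump', '-x', path], stdout=subprocess.PIPE)
            output = proc.communicate()[0]
        except OSError as err:
            print("\n[!] Could not run objdump (%s). Install binutils.\n" % err)
            return []
        if not isinstance(output, str):  # Python 3 returns bytes
            output = output.decode('utf-8', 'replace')
        found = [entry for entry in output.splitlines() if 'DLL' in entry]
        print("\n   [+] Dlls Loaded are:\n")
        for entry in found:
            print(entry)
        return found
    if lines is None:
        lines = hosts
    if patterns is None:
        patterns = INTERESTING_CALLS_DLLS
    found = []
    for line in lines:
        for dll in patterns:
            if re.search(dll, line):
                print("\n[+] Loaded Dll:  %s" % dll)
                found.append(dll)
    return found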
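def find_import_table(path=None):
    """Print the "import table" lines of `objdump -x` output for the sample.

    objdump is invoked through subprocess with an argument list so the
    (untrusted) sample name cannot inject shell commands, and its output is
    read from a pipe rather than a fixed-name "impresult" file in the working
    directory.  Mirrors the original `grep "import table"` filter.

    Args:
        path: file to inspect (default: module-level `malware`).

    Returns:
        The matching lines; [] when objdump is missing or prints none.
    """
    if path is None:
        path = malware
    try:
        output = subprocess.Popen(['objdump', '-x', path], stdout=subprocess.PIPE).communicate()[0]
    except OSError as err:
        print("\n[!] Could not run objdump (%s). Install binutils.\n" % err)
        return []
    if not isinstance(output, str):  # Python 3 returns bytes
        output = output.decode('utf-8', 'replace')
    matches = [entry for entry in output.splitlines() if 'import table' in entry]
    for entry in matches:
        print(entry)
    return matches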

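def start_address(path=None):
    """Print the "start address" line(s) of `objdump -x` output for the sample.

    Uses subprocess with an argument list instead of the original shell
    string, so a sample name containing shell metacharacters cannot run
    commands, and reads from a pipe instead of a "startresult" temp file.

    Args:
        path: file to inspect (default: module-level `malware`).

    Returns:
        The matching lines; [] when objdump is missing or prints none.
    """
    if path is None:
        path = malware
    try:
        output = subprocess.Popen(['objdump', '-x', path], stdout=subprocess.PIPE).communicate()[0]
    except OSError as err:
        print("\n[!] Could not run objdump (%s). Install binutils.\n" % err)
        return []
    if not isinstance(output, str):  # Python 3 returns bytes
        output = output.decode('utf-8', 'replace')
    matches = [entry for entry in output.splitlines() if 'start address' in entry]
    for entry in matches:
        print(entry)
    return matches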

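def header_info(path=None):
    """Print the section headers of the sample (`objdump -h`).

    objdump is started with an argument list through subprocess: the original
    built "objdump -h <name> >header" as a shell string, so a sample whose
    name contained shell metacharacters could execute commands on the
    analyst's machine, and it left a fixed-name "header" file in the working
    directory between runs.

    Args:
        path: file to inspect (default: module-level `malware`).

    Returns:
        The lines objdump printed; [] when objdump is unavailable.
    """
    if path is None:
        path = malware
    try:
        output = subprocess.Popen(['objdump', '-h', path], stdout=subprocess.PIPE).communicate()[0]
    except OSError as err:
        print("\n[!] Could not run objdump (%s). Install binutils.\n" % err)
        return []
    if not isinstance(output, str):  # Python 3 returns bytes
        output = output.decode('utf-8', 'replace')
    lines = output.splitlines()
    for line in lines:
        print(line)
    return lines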

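def generate_dump(path=None):
    """Print the full section dump of the sample (`objdump -s`).

    NOTE: a second `generate_dump` is defined further down in this file and,
    being defined later, shadows this one: this version is never the one
    called.  It is kept so the file keeps its layout, but it should be
    removed.  Like the other objdump helpers it uses subprocess with an
    argument list (no shell string built from the untrusted sample name) and
    no "ascii_dump" temp file.

    Args:
        path: file to dump (default: module-level `malware`).

    Returns:
        The lines objdump printed; [] when objdump is unavailable.
    """
    if path is None:
        path = malware
    try:
        output = subprocess.Popen(['objdump', '-s', path], stdout=subprocess.PIPE).communicate()[0]
    except OSError as err:
        print("\n[!] Could not run objdump (%s). Install binutils.\n" % err)
        return []
    if not isinstance(output, str):  # Python 3 returns bytes
        output = output.decode('utf-8', 'replace')
    lines = output.splitlines()
    for line in lines:
        print(line)
    return lines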

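def calls_to_syscommand(lines=None, patterns=None):
    """Report references to the INTERESTING_SYS_CALLS tool names (ping.exe, telnet.exe).

    Each pattern is reported once (the original repeated the message for every
    matching line).  A string match is only a weak hint: the original printed
    "It Can be Part of DDOS Network" for any hit, which overstates what the
    evidence shows, so the verdict is now worded as something to verify.

    Args:
        lines: lines to scan (default: module-level `hosts`).
        patterns: regexes to try (default: INTERESTING_SYS_CALLS).

    Returns:
        The matched patterns in first-seen order.
    """
    if lines is None:
        lines = hosts
    if patterns is None:
        patterns = INTERESTING_SYS_CALLS
    found = []
    for line in lines:
        for tool in patterns:
            if tool not in found and re.search(tool, line):
                print("\n[+] Call Made:  %s" % tool)
                print("\n\n[!] Possible network tooling (flood/scan capability); verify manually.\n")
                found.append(tool)
    return found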
				
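def start_analysis_online(lines=None, patterns=None):
    """Report ONLINE_WORK (IRC protocol) words found in the sample, each once.

    The default table contains generic words ("Port", "Login", "INFO",
    "MODE", "WHO"), so a single hit is weak evidence of an IRC bot; several
    protocol commands together (NICK, JOIN, PRIVMSG, ...) are more telling.

    Args:
        lines: lines to scan (default: module-level `hosts`).
        patterns: regexes to try (default: ONLINE_WORK).

    Returns:
        The matched patterns in first-seen order.
    """
    if lines is None:
        lines = hosts
    if patterns is None:
        patterns = ONLINE_WORK
    compiled = [(word, re.compile(word)) for word in patterns]
    performed = []
    seen = set()
    for line in lines:
        for word, regex in compiled:
            if word not in seen and regex.search(line):
                print("[+] Malware Seems to be IRC BOT: Verified By String : %s" % word)
                seen.add(word)
                performed.append(word)
    return performed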
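def getSignatureForPe(pe, sig_path=None):
    """Match `pe` against a PEiD-style signature database via peutils.

    Args:
        pe: a pefile.PE instance.
        sig_path: path of the signature database file.  Defaults to the
            module-level PE_SIGNATURE_PATH if the script defines one.  The
            original file never defined that name, so the lookup always raised
            NameError and the bare `except` silently hid it.

    Returns:
        peutils' match_all() result, or None when no database is configured
        or it cannot be loaded (the reason is printed instead of swallowed).
    """
    if sig_path is None:
        sig_path = globals().get('PE_SIGNATURE_PATH')
    if not sig_path:
        print("\n[!] No signature database configured (PE_SIGNATURE_PATH); skipping packer check.")
        return None
    try:
        import peutils
        signatures = peutils.SignatureDatabase(sig_path)
        return signatures.match_all(pe)
    except ImportError:
        print("\n[!] peutils (part of pefile) is not installed; skipping packer check.")
    except Exception as err:  # unreadable/malformed database, or a parse error inside peutils
        print("\n[!] Could not match signatures from %s: %s" % (sig_path, err))
    return None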

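def get_pe_signature(path=None):
    """Parse the sample with pefile and print its dump_info() (plus any signature match).

    The original bound `pefile` only inside checkconfig(), so this function
    always hit NameError and the bare `except` reported it as a missing
    package; it also computed the signature match and never printed it.
    Failures are now distinguished: a missing package, and a file pefile
    cannot parse (corrupt, truncated or not a PE).

    Args:
        path: file to parse (default: module-level `malware`).

    Returns:
        The dump_info() text, or None when pefile is unavailable or parsing fails.
    """
    if path is None:
        path = malware
    try:
        import pefile
    except ImportError:
        print("\n\n[!] Download PE Package from google code.\n")
        print("\n[!]Exiting.\n")
        return None
    try:
        pe = pefile.PE(path)
    except (pefile.PEFormatError, IOError, OSError) as err:
        print("\n[!] pefile could not parse the sample: %s\n" % err)
        return None
    signature_info = getSignatureForPe(pe)
    if signature_info:
        print("\n[+] Signature match: %s" % (signature_info,))
    pe_info = pe.dump_info()
    print(pe_info)
    return pe_info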


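def generate_dump(path=None):
    """Write the `objdump -s` section dump of the sample to a file, print it and exit.

    The dump goes to ascii_dump_<basename>.txt in the current directory.  The
    original built the name from the full path ("ascii_dump_/tmp/x.exe.txt"),
    which cannot be created when the sample lives in another directory, and
    built the objdump command by string concatenation, so a sample name with
    shell metacharacters could run commands; subprocess with an argument list
    avoids that.  As before, the process exits with status 0 after the user
    presses <Enter>.

    Args:
        path: file to dump (default: module-level `malware`).
    """
    if path is None:
        path = malware
    filename = "ascii_dump_" + os.path.basename(path) + ".txt"
    try:
        output = subprocess.Popen(['objdump', '-s', path], stdout=subprocess.PIPE).communicate()[0]
    except OSError as err:
        print("\n[!] Could not run objdump (%s). Install binutils.\n" % err)
        sys.exit(1)
    with open(filename, 'wb') as dump:
        dump.write(output)
    if not isinstance(output, str):  # Python 3 returns bytes
        output = output.decode('utf-8', 'replace')
    for line in output.splitlines():
        print(line)
    print("\n Check " + filename + " for the ASCII dump output")
    try:
        prompt = raw_input  # Python 2
    except NameError:
        prompt = input      # Python 3
    prompt("\n Press <Enter> to Exit.\n")
    sys.exit(0)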



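def checkPE(path=None):
    """Check that the sample starts with the 'MZ' DOS header and report its size.

    'MZ' alone only proves a DOS stub.  The PE signature ("PE\\0\\0") at the
    offset stored in e_lfanew (little-endian dword at 0x3C) is checked too;
    when it is absent a warning is printed but the sample is still accepted so
    the string scans can run.  Exits with status 1 (the original exited 0)
    when the magic is missing.

    Args:
        path: file to test (default: module-level `malware`).

    Returns:
        True when a PE signature was found at e_lfanew, False when only the
        MZ header is present.

    Raises:
        SystemExit(1) when the file does not begin with 'MZ'.
    """
    print("\n Analysing if PE file...\n")
    if path is None:
        path = malware
    with open(path, "rb") as handle:
        head = handle.read(0x40)
        pe_sig = b""
        if len(head) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            # Seeking past EOF is harmless: read() then returns b"".
            handle.seek(e_lfanew)
            pe_sig = handle.read(4)
    if head[:2] != b"MZ":
        print("[!] Not a Valid PE File. Exiting.!\n")
        sys.exit(1)
    has_pe = (pe_sig == b"PE\0\0")
    if has_pe:
        print("\n[+] Valid PE file.")
    else:
        print("\n[!] MZ header present but no PE signature at e_lfanew (DOS executable, or truncated/corrupt file).")
    # 1024-byte KB with one decimal; the original's integer /1000 reported 0 KB for small samples.
    print("\n[+] Malware File Size : %.1f KB" % (os.path.getsize(path) / 1024.0))
    return has_pe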

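def checkargs():
    """Handle the single-purpose flags --ascii, --dll and --header (case-insensitive).

    Each flag runs checkPE() and then one analysis, then exits; all three need
    objdump and are therefore refused on non-Unix hosts.  Returns None without
    exiting when no flag is given, so apps_start() continues with the full
    scan.  The platform test matches any 'linux*' value: Python 2 on 3.x
    kernels reported 'linux3' and Python 3.3+ reports 'linux', both of which
    the original exact comparisons rejected.
    """
    actions = {
        "--ascii": generate_dump,
        "--dll": calls_to_dlls,
        "--header": header_info,
    }
    unix_host = sys.platform.startswith('linux') or sys.platform == 'darwin'
    for arg in sys.argv[1:]:
        action = actions.get(arg.lower())
        if action is None:
            continue
        if not unix_host:
            print("\n This Analysis is Applicable on Linux OS only")
            sys.exit(0)
        checkPE()
        action()
        sys.exit(0)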
		

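def apps_start():
    """Entry point: run the full static scan of the module-level `malware` sample.

    Order: dependency check, MZ header check, single-flag dispatch (which
    exits if a flag was given), then the string scans.  The objdump-based
    stages (import table, start address, section headers) run only on
    Unix-like hosts, matched by prefix so 'linux', 'linux2' and 'linux3' all
    qualify.  When a flag is present checkPE() runs a second time inside
    checkargs(), as in the original.
    """
    checkconfig()
    checkPE()
    checkargs()
    print("\n[!] Displaying Interesting System Calls Made.\n")
    start_analysis_system_calls()
    if sys.platform.startswith('linux') or sys.platform == 'darwin':
        print("\n[+] Displaying Address of Import Table\n")
        find_import_table()
        print("\n[+] Displaying the Start Address\n")
        start_address()
        print("\n[+] Displaying the Header Sections and File Format")
        header_info()
    print("\n[!] Displaying Registry Hives Edited.\n")
    start_analysis_registry()
    print("\n\n[!] Displaying A Little Online Behaviour.\n")
    start_analysis_online()
    print("\n\n[!] Displaying the Loaded DLLs.\n")
    calls_to_dlls()
    print("\n\n[!] Commands Inside the Malware.\n")
    calls_to_syscommand()
    print("\n\n[!] Displaying the Headers of the Malware.\n")
    get_pe_signature()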

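# Run only when executed as a script, so the analysis functions can be
# imported by other tooling without immediately starting a scan.
if __name__ == "__main__":
    apps_start()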

Post by __Genius__ »

Could you post a version with full comments?