Iniciamos una seguidilla de entradas referente a este mundo del analisis de malware esta oportunidad con herramientas dedicadas al Análisis de Malware, el autor del post FudMario.
Volatility Framework
Volatility es un Framework con un conjunto de herramientas desarrolladas enteramente en Python con licencia GNU. Este Framework esta pensado para extraer de una imagen de un disco los datos volátiles que estaban en memoria RAM. Estas técnicas de extracción están pensadas para que no dependan del sistema operativo del investigador, es decir podemos utilizar Windows y/o Linux.
Supported Plugin Commands:
apihooks Detect API hooks in process and kernel memory
atoms Print session and window station atom tables
atomscan Pool scanner for _RTL_ATOM_TABLE
bioskbd Reads the keyboard buffer from Real Mode memory
callbacks Print system-wide notification routines
clipboard Extract the contents of the windows clipboard
cmdscan Extract command history by scanning for _COMMAND_HISTORY
connections Print list of open connections [Windows XP and 2003 Only]
connscan Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo Dump crash-dump information
deskscan Poolscaner for tagDESKTOP (desktops)
devicetree Show device tree
dlldump Dump DLLs from a process address space
dlllist Print list of loaded dlls for each process
driverirp Driver IRP hook detection
driverscan Scan for driver objects _DRIVER_OBJECT
dumpcerts Dump RSA private and public SSL keys
dumpfiles Extract memory mapped and cached files
envars Display process environment variables
eventhooks Print details on windows event hooks
evtlogs Extract Windows Event Logs (XP/2003 only)
filescan Scan Physical memory for _FILE_OBJECT pool allocations
gahti Dump the USER handle type information
gditimers Print installed GDI timers and callbacks
gdt Display Global Descriptor Table
getservicesids Get the names of services in the Registry and return Calculated SID
getsids Print the SIDs owning each process
handles Print list of open handles for each process
hashdump Dumps passwords hashes (LM/NTLM) from memory
hibinfo Dump hibernation file information
hivedump Prints out a hive
hivelist Print list of registry hives.
hivescan Scan Physical memory for _CMHIVE objects (registry hives)
hpakextract Extract physical memory from an HPAK file
hpakinfo Info on an HPAK file
idt Display Interrupt Descriptor Table
iehistory Reconstruct Internet Explorer cache / history
imagecopy Copies a physical address space out as a raw DD image
imageinfo Identify information for the image
impscan Scan for calls to imported functions
kdbgscan Search for and dump potential KDBG values
kpcrscan Search for and dump potential KPCR values
ldrmodules Detect unlinked DLLs
lsadump Dump (decrypted) LSA secrets from the registry
machoinfo Dump Mach-O file format information
malfind Find hidden and injected code
mbrparser Scans for and parses potential Master Boot Records (MBRs)
memdump Dump the addressable memory for a process
memmap Print the memory map
messagehooks List desktop and thread window message hooks
mftparser Scans for and parses potential MFT entries
moddump Dump a kernel driver to an executable file sample
modscan Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules Print list of loaded modules
mutantscan Scan for mutant objects _KMUTANT
patcher Patches memory based on page scans
printkey Print a registry key, and its subkeys and values
privs Display process privileges
procexedump Dump a process to an executable file sample
procmemdump Dump a process to an executable memory sample
pslist Print all running processes by following the EPROCESS lists
psscan Scan Physical memory for _EPROCESS pool allocations
pstree Print process list as a tree
psxview Find hidden processes with various process listings
raw2dmp Converts a physical memory sample to a windbg crash dump
screenshot Save a pseudo-screenshot based on GDI windows
sessions List details on _MM_SESSION_SPACE (user logon sessions)
shellbags Prints ShellBags info
shimcache Parses the Application Compatibility Shim Cache registry key
sockets Print list of open sockets
sockscan Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt Display SSDT entries
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan Scan for Windows services
symlinkscan Scan for symbolic link objects
thrdscan Scan physical memory for _ETHREAD objects
threads Investigate _ETHREAD and _KTHREADs
timeliner Creates a timeline from various artifacts in memory
timers Print kernel timers and associated module DPCs
unloadedmodules Print list of unloaded modules
userassist Print userassist registry keys and information
userhandles Dump the USER handle tables
vaddump Dumps out the vad sections to a file
vadinfo Dump the VAD info
vadtree Walk the VAD tree and display in tree format
vadwalk Walk the VAD tree
vboxinfo Dump virtualbox information
vmwareinfo Dump VMware VMSS/VMSN information
volshell Shell in the memory image
windows Print Desktop Windows (verbose details)
wintree Print Z-Order Desktop Windows Tree
wndscan Pool scanner for tagWINDOWSTATION (window stations)
yarascan Scan process or kernel memory with Yara signatures
Descargas:
https://code.google.com/p/volatility/downloads/list
Web:
https://code.google.com/p/volatility/
Buster Sandbox Analyzer
BSA, herramienta diseñada para analizar cambios que ocurren en el sistema, basada en Sandboxie permitiendo ejecutar ficheros en un ambiente controlado.
Una de las Principales caracteristicas es que hace hook a la funcion NtQuerySystemInformation(ssdt Hook)
Compatible con la version 3.76 de Sandboxie, recientemente se fixeo la Injection DLL en la version 4.09.1 la cual causaba la incompatibilidad con BSA, aun no es al 100% Compatible,tambien requiere WinPCap.
**
Ejemplo de Reporte:**
**
Descargas:**
**BSA**
http://bsa.novirusthanks.org/downloads/bsa.rar
http://www.woodmann.com/virusbuster/bsa.rar
SANDBOXIE
http://www.sandboxie.com/index.php?AllVersions
WinPCap
Web:
PeFrame
PEframe es una herramienta OPEN SOURCE, ideal para el Análisis Estático de Malware.
USO:
Código: [Seleccionar]
peframe <opt> <file>
OPCIONES:
Código: [Seleccionar]
-h --help This help
-a --auto Show Auto analysis
-i --info PE file attributes
--hash Hash MD5 & SHA1
--meta Version info & metadata
--peid PE Identifier Signature
--antivm Anti Virtual Machine
--antidbg Anti Debug | Disassembler
--sections Section analyzer
--functions Imported DLLs & API functions
--suspicious Search for suspicious API & sections
--dump Dumping all the information
--strings Extract all the string
--file-url Extract File Name and Url
--file-verbose Discover potential file name
--hexdump Reverse Hex dump
--import List Entry Import instances
--export List Entry Export instances
--resource List Entry Resource instances
--debug List Entry DebugData instances
Web:
https://github.com/guelfoweb/peframe
Autor: FudMario
Regards,
Snifer
