This page looks best with JavaScript enabled

Conociendo sobre Malware XI - Herramientas para An√°lisis de Malware I

 ·   ·   5 min read

Iniciamos una seguidilla de entradas referente a este mundo del analisis de malware esta oportunidad con herramientas dedicadas al An√°lisis de Malware, el autor del post FudMario.

Volatility Framework

Volatility es un Framework con un conjunto de herramientas desarrolladas enteramente en Python con licencia GNU. Este Framework esta pensado para extraer de una imagen de un disco los datos volátiles que estaban en memoria RAM. Estas técnicas de extracción están pensadas para que no dependan del sistema operativo del investigador, es decir podemos utilizar Windows y/o Linux.


Supported Plugin Commands:  
apihooks        Detect API hooks in process and kernel memory  
atoms           Print session and window station atom tables  
atomscan        Pool scanner for _RTL_ATOM_TABLE  
bioskbd         Reads the keyboard buffer from Real Mode memory  
callbacks       Print system-wide notification routines  
clipboard       Extract the contents of the windows clipboard  
cmdscan         Extract command history by scanning for _COMMAND_HISTORY  
connections     Print list of open connections [Windows XP and 2003 Only]  
connscan        Scan Physical memory for _TCPT_OBJECT objects (tcp connections)  
consoles        Extract command history by scanning for _CONSOLE_INFORMATION  
crashinfo       Dump crash-dump information  
deskscan        Poolscaner for tagDESKTOP (desktops)  
devicetree      Show device tree  
dlldump         Dump DLLs from a process address space  
dlllist         Print list of loaded dlls for each process  
driverirp       Driver IRP hook detection  
driverscan      Scan for driver objects _DRIVER_OBJECT  
dumpcerts       Dump RSA private and public SSL keys  
dumpfiles       Extract memory mapped and cached files  
envars          Display process environment variables  
eventhooks      Print details on windows event hooks  
evtlogs         Extract Windows Event Logs (XP/2003 only)  
filescan        Scan Physical memory for _FILE_OBJECT pool allocations  
gahti           Dump the USER handle type information  
gditimers       Print installed GDI timers and callbacks  
gdt             Display Global Descriptor Table  
getservicesids  Get the names of services in the Registry and return Calculated SID  
getsids         Print the SIDs owning each process  
handles         Print list of open handles for each process  
hashdump        Dumps passwords hashes (LM/NTLM) from memory  
hibinfo         Dump hibernation file information  
hivedump        Prints out a hive  
hivelist        Print list of registry hives.  
hivescan        Scan Physical memory for _CMHIVE objects (registry hives)  
hpakextract     Extract physical memory from an HPAK file  
hpakinfo        Info on an HPAK file  
idt             Display Interrupt Descriptor Table  
iehistory       Reconstruct Internet Explorer cache / history  
imagecopy       Copies a physical address space out as a raw DD image  
imageinfo       Identify information for the image  
impscan         Scan for calls to imported functions  
kdbgscan        Search for and dump potential KDBG values  
kpcrscan        Search for and dump potential KPCR values  
ldrmodules      Detect unlinked DLLs  
lsadump         Dump (decrypted) LSA secrets from the registry  
machoinfo       Dump Mach-O file format information  
malfind         Find hidden and injected code  
mbrparser       Scans for and parses potential Master Boot Records (MBRs)  
memdump         Dump the addressable memory for a process  
memmap          Print the memory map  
messagehooks    List desktop and thread window message hooks  
mftparser       Scans for and parses potential MFT entries  
moddump         Dump a kernel driver to an executable file sample  
modscan         Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects  
modules         Print list of loaded modules  
mutantscan      Scan for mutant objects _KMUTANT  
patcher         Patches memory based on page scans  
printkey        Print a registry key, and its subkeys and values  
privs           Display process privileges  
procexedump     Dump a process to an executable file sample  
procmemdump     Dump a process to an executable memory sample  
pslist          Print all running processes by following the EPROCESS lists  
psscan          Scan Physical memory for _EPROCESS pool allocations  
pstree          Print process list as a tree  
psxview         Find hidden processes with various process listings  
raw2dmp         Converts a physical memory sample to a windbg crash dump  
screenshot      Save a pseudo-screenshot based on GDI windows  
sessions        List details on _MM_SESSION_SPACE (user logon sessions)  
shellbags       Prints ShellBags info  
shimcache       Parses the Application Compatibility Shim Cache registry key  
sockets         Print list of open sockets  
sockscan        Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)  
ssdt            Display SSDT entries  
strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)  
svcscan         Scan for Windows services  
symlinkscan     Scan for symbolic link objects  
thrdscan        Scan physical memory for _ETHREAD objects  
threads         Investigate _ETHREAD and _KTHREADs  
timeliner       Creates a timeline from various artifacts in memory  
timers          Print kernel timers and associated module DPCs  
unloadedmodules Print list of unloaded modules  
userassist      Print userassist registry keys and information  
userhandles     Dump the USER handle tables  
vaddump         Dumps out the vad sections to a file  
vadinfo         Dump the VAD info  
vadtree         Walk the VAD tree and display in tree format  
vadwalk         Walk the VAD tree  
vboxinfo        Dump virtualbox information  
vmwareinfo      Dump VMware VMSS/VMSN information  
volshell        Shell in the memory image  
windows         Print Desktop Windows (verbose details)  
wintree         Print Z-Order Desktop Windows Tree  
wndscan         Pool scanner for tagWINDOWSTATION (window stations)  
yarascan        Scan process or kernel memory with Yara signatures  



Buster Sandbox Analyzer

BSA, herramienta dise√Īada para analizar cambios que ocurren en el sistema, basada en Sandboxie permitiendo ejecutar ficheros en un ambiente controlado.
Una de las Principales caracteristicas es que hace hook a la funcion NtQuerySystemInformation(ssdt Hook)

Compatible con la version 3.76 de Sandboxie, recientemente se fixeo la Injection DLL en la version 4.09.1 la cual causaba la incompatibilidad con BSA, aun no es al 100% Compatible,tambien requiere WinPCap.

Ejemplo de Reporte:**






PEframe es una herramienta OPEN SOURCE, ideal para el An√°lisis Est√°tico de Malware.


Código: [Seleccionar]

 peframe <opt> <file>


Código: [Seleccionar]

-h      --help          This help  
-a      --auto          Show Auto analysis  
-i      --info          PE file attributes  
        --hash          Hash MD5 & SHA1  
        --meta          Version info & metadata  
        --peid          PE Identifier Signature  
        --antivm        Anti Virtual Machine  
        --antidbg       Anti Debug | Disassembler  
        --sections      Section analyzer  
        --functions     Imported DLLs & API functions  
        --suspicious    Search for suspicious API & sections  
        --dump          Dumping all the information  
        --strings       Extract all the string  
        --file-url      Extract File Name and Url  
        --file-verbose  Discover potential file name  
        --hexdump       Reverse Hex dump  
        --import        List Entry Import instances  
        --export        List Entry Export instances  
        --resource      List Entry Resource instances  
        --debug         List Entry DebugData instances


 Autor: FudMario


Share on
Support the author with