


beenu
July 24th, 2009, 05:32
My first topic. I developed a malware analyser which performs a better and deeper analysis on a Linux distro than on Windows.

Code:
#!/usr/bin/python
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# Greetz to all Darkc0de, AI, ICW Members
#Shoutz to r45c4l,j4ckh4x0r,silic0n,smith,baltazar,d3hydr8,lowlz,Eberly,Sumit,zerocode,dalsim,7
#The application can be used to perform the initial malware analysis phase.
#Download the PE module, else the application won't work: http://code.google.com/p/pefile/
#Some of the deeper analysis can only be performed on Linux, so I would prefer to perform the analysis on a Linux OS.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU General Public License for more details.

#You should have received a copy of the GNU General Public License
#along with this program. If not, see <http://www.gnu.org/licenses/>.

import os
import re
import string
import subprocess
import sys

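def checkconfig():
    """Abort with a download hint when the optional ``pefile`` package is missing.

    ``pefile`` / ``peutils`` are third-party (http://code.google.com/p/pefile/).
    They are imported here only as an availability probe: the import is local
    to this function, so the names are NOT left in module scope for the other
    functions, which must import what they need themselves.

    Raises:
        SystemExit(1) when the import fails.  The original exited with 0,
        which made the failure invisible to shell callers.
    """
    try:
        import pefile, peutils  # noqa: F401 -- availability probe only
    except ImportError:
        print("\n[!] PE Module Missing.")
        print("\n[!] Download PE Module from [ http://code.google.com/p/pefile/ ]")
        sys.exit(1)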


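# Say Hello

# Choose the terminal-clear command for the host OS.  Python 2 reports
# 'linux2' and Python 3 just 'linux', so the Linux test is a prefix match.
# The original compared sys.platform[0:5] (five characters) with the six-
# character string 'ms-dos', which could never be true; use startswith().
if sys.platform.startswith('linux') or sys.platform == 'darwin':
    SysCls = 'clear'
elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform.startswith('ms-dos'):
    SysCls = 'cls'
else:
    SysCls = 'unknown'

# Only clear the screen when the platform was recognised; the original passed
# the literal string 'unknown' to os.system() on every other OS.  SysCls is a
# fixed constant, never user input, so os.system() has no injection surface here.
if SysCls != 'unknown':
    os.system(SysCls)

print("\n|---------------------------------------------------------------|")
print("| beenudel1986[@]gmail[dot]com |")
print("| Malware Analyzer(Static) 1.3 |")
print("| 06/2009 analyse_malware.py |")
print("| Do Visit www.BeenuArora.com |")
print("|---------------------------------------------------------------|\n")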


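# Regexes (applied with re.search to each raw line of the sample) whose
# presence hints at process, file, registry, network or anti-debug activity.
# A hit is only a string occurrence in a static scan: it proves nothing about
# what the sample actually executes, and packed or obfuscated samples will
# show few or none of them.
INTERESTING_CALLS = [
    "CreateMutex", "CopyFile", "CreateFile.*WRITE",
    "NtCreateFile",  # original had "NtasdfCreateFile", which matches nothing
    "call shell32", "advapi32.RegOpenKey",
    "KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons",
    "advapi32.RegCreate", "advapi32.RegSet", "http://", "Socket", "FindResource", "LockResource",
    "ShellExecute", "GetThreadContext",
    # original entry "# Read/WriteProcessMemory" was a pasted comment and could never match
    "ReadProcessMemory", "WriteProcessMemory",
    # dotted-quad IPv4 literal at the start of a line (each octet 0-255); raw
    # string so the \d escapes reach the regex engine untouched
    r"^([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])",
    "OutputDebugString", "GetEnvironmentStrings", "LoadLibraryA", "WSASocketA", "GetProcAddress",
    "FindWindow", "CreateProcess", "DuplicateTokenEx", "ImpersonateNamedPipeClient", "RevertToSelf", "signal",
    "IsDebuggerPresent",
]
# DLL names searched for in the raw bytes when objdump is not available.
INTERESTING_CALLS_DLLS = ["KERNEL32.DLL", "advapi32.dll", "comctl32.dll", "gdi32.dll", "ole32.dll", "oleaut32.dll", "user32.dll", "wsock32.dll", "ntdll.dll"]
# Tool names that, embedded in a sample, suggest it shells out to them.
INTERESTING_SYS_CALLS = ["ping.exe", "telnet.exe"]
# Registry hive prefixes plus the autorun file name (the original spelled it
# "autorum.inf", which could never match).  A hit is reported as "Adding a
# Key at Hive", which over-states what a plain string occurrence shows.
REGISTRY_CALLS = ["HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE", "autorun.inf"]
# IRC protocol verbs and bot vocabulary.  Short tokens such as "Port", "MODE",
# "INFO" or "VERSION" are common in benign binaries, so treat hits as a weak signal.
ONLINE_WORK = ["IRC", "Joined channel", "Port", "BOT", "Login", "flood", "ddos", "NICK", "ECHO", "PRIVMSG", "ADMIN", "AWAY", "CONNECT", "KICK", "LIST", "MODE", "MOTD", "PING", "PONG", "QUIT", "SERVLIST", "SERVICE", "NAMES", "JOIN", "INVITE", "INFO", "TRACE", "USERHOST", "WHO", "WHOIS", "VERSION"]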

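# Command-line handling.  A usage error exits 2 and a missing sample exits 1;
# the original used 0 for both, which hid failures from shell callers.
# --help keeps exiting 0.
if len(sys.argv) < 2:
    print("\n Usage: ./analyse_malware.py <MALWARE FILENAME>\n")
    print("\t\t Example: ./analyse_malware.py malware.exe\n")
    print("\tFor Help: ./analyse_malware.py --help\n")
    sys.exit(2)

if '--help' in sys.argv:
    print(" To Perform Complete Analysis: Usage: ./analyse_malware.py [Malware FIle]\n ")
    print(" To Generate ASCII Dump: Usage: ./analyse_malware.py [Malware File] --Ascii\n")
    print(" To View Dlls Loaded: Usage: ./analyse_malware.py [Malware File] --Dll\n")
    # script name corrected (the original help text said "analyse_mwlare.py")
    print(" To View the PE Areas: Usage: ./analyse_malware.py [Malware File] --Header\n")
    print("\n\t Example: ./analyse_malware.py malware.exe --Dll\n")
    sys.exit(0)

# Path of the sample under analysis.  It is user-controlled (hostile filenames
# are normal for samples), so it must never be interpolated into a shell
# command string -- pass it to external tools as a separate argv element.
malware = sys.argv[1]

# Read the sample once as raw bytes.  'rb' (not 'r') matters on Windows, where
# text mode would translate line endings and stop at a 0x1A byte; the 'with'
# block closes the handle the original left open.  On Python 2 the lines are
# str objects, which the str regexes in this file expect; under Python 3 they
# would be bytes and the patterns would have to be bytes too.
try:
    with open(malware, 'rb') as sample:
        hosts = sample.readlines()
except IOError:
    print(" \n\n[!]Malware Missing .Exiting.\n")
    sys.exit(1)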

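def start_analysis_system_calls(lines=None, patterns=None):
    """Print each INTERESTING_CALLS pattern found in the sample, once each.

    Args:
        lines: iterable of raw lines to scan; defaults to the module-level
            ``hosts`` (the sample's contents read at startup).
        patterns: regexes to look for; defaults to INTERESTING_CALLS.

    Returns:
        list of the patterns that matched, in the order first seen.  The
        original returned None; callers may ignore the value.

    A match is only a string occurrence in the raw bytes; it does not show
    that the sample ever calls the API.
    """
    if lines is None:
        lines = hosts
    if patterns is None:
        patterns = INTERESTING_CALLS
    # Compile once per pattern instead of once per (line, pattern) pair.
    compiled = [(calls, re.compile(calls)) for calls in patterns]
    performed = []
    seen = set()
    for line in lines:
        for calls, pattern in compiled:
            if calls not in seen and pattern.search(line):
                print("%s %s" % ("[+] Found an Interesting call to: ", calls))
                seen.add(calls)
                performed.append(calls)
    return performed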


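def start_analysis_registry(lines=None, patterns=None):
    """Print every line of the sample that mentions a registry hive or autorun.inf.

    Unlike start_analysis_system_calls this reports every matching line (not
    just the first hit per pattern) so the full key path is visible.

    Args:
        lines: iterable of raw lines to scan; defaults to module-level ``hosts``.
        patterns: regexes to look for; defaults to REGISTRY_CALLS.

    Returns:
        list of (pattern, line) tuples that were printed, in scan order.  The
        original returned None; callers may ignore the value.  The "Adding a
        Key" wording is inherited from the original; a string hit alone does
        not prove the sample writes that hive.
    """
    if lines is None:
        lines = hosts
    if patterns is None:
        patterns = REGISTRY_CALLS
    compiled = [(calls, re.compile(calls)) for calls in patterns]
    hits = []
    for line in lines:
        for calls, pattern in compiled:
            if pattern.search(line):
                print("%s %s" % ("[+] Malware is Adding a Key at Hive: ", calls))
                print(line)
                hits.append((calls, line))
    return hits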
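def calls_to_dlls(lines=None, target=None, patterns=None):
    """Report the DLLs the sample imports.

    On Linux/macOS ``objdump -x`` is run on *target* (default: module-level
    ``malware``) and its output is filtered for lines containing "DLL".  The
    original built ``"objdump -x " + malware + " | grep DLL >result"`` and
    handed it to os.system(): the sample's filename went straight into a
    shell command line, and a fixed-name scratch file was written to and then
    rm'd from the working directory.  objdump is now invoked with an argv list
    (no shell) and filtered in Python, so nothing touches disk.  objdump's
    stderr is left on the terminal as before.  On other platforms the raw
    lines (default ``hosts``) are searched for *patterns* (default
    INTERESTING_CALLS_DLLS).  The Linux test is a prefix match so Python 3's
    'linux' is accepted alongside Python 2's 'linux2'.

    Returns:
        list of the strings printed as findings (objdump lines or DLL names);
        empty when nothing was found or objdump is unavailable.
    """
    found = []
    if sys.platform.startswith('linux') or sys.platform == 'darwin':
        if target is None:
            target = malware
        print("\n Since Host OS is Linux. Peforming Deeper Analysis\n")
        try:
            proc = subprocess.Popen(["objdump", "-x", target], stdout=subprocess.PIPE)
            output = proc.communicate()[0]
        except OSError:  # objdump not installed / not on PATH
            print("\n[!] objdump not found; skipping the DLL listing.")
            return found
        if not isinstance(output, str):  # bytes under Python 3
            output = output.decode("latin-1")
        print("\n [+] Dlls Loaded are:\n")
        for line in output.splitlines():
            if "DLL" in line:
                print(line)
                found.append(line)
    else:
        if lines is None:
            lines = hosts
        if patterns is None:
            patterns = INTERESTING_CALLS_DLLS
        for line in lines:
            for calls in patterns:
                if re.search(calls, line):
                    print("%s %s" % ("\n[+] Loaded Dll: ", calls))
                    found.append(calls)
    return found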
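def find_import_table(target=None):
    """Print the "import table" lines of ``objdump -x`` for *target*.

    Args:
        target: path to inspect; defaults to the module-level ``malware``.

    objdump is run with an argv list (no shell) and filtered in Python,
    replacing the original ``os.system("objdump -x " + malware +
    ' | grep "import table" >impresult')``, which interpolated the
    user-supplied path into a shell command and used a fixed scratch file
    in the working directory.  objdump's stderr still goes to the terminal.

    Returns:
        list of matching lines; [] when nothing matched or objdump is missing.
    """
    if target is None:
        target = malware
    try:
        proc = subprocess.Popen(["objdump", "-x", target], stdout=subprocess.PIPE)
        output = proc.communicate()[0]
    except OSError:  # objdump not installed / not on PATH
        print("\n[!] objdump not found; skipping the import table.")
        return []
    if not isinstance(output, str):  # bytes under Python 3
        output = output.decode("latin-1")
    matches = [line for line in output.splitlines() if "import table" in line]
    for line in matches:
        print(line)
    return matches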

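def start_address(target=None):
    """Print the "start address" line(s) of ``objdump -x`` for *target*.

    Args:
        target: path to inspect; defaults to the module-level ``malware``.

    objdump is run with an argv list (no shell) and filtered in Python,
    replacing the original ``os.system("objdump -x " + malware +
    ' | grep "start address" >startresult')`` that put the user-supplied
    path on a shell command line and used a fixed scratch file.

    Returns:
        list of matching lines; [] when nothing matched or objdump is missing.
    """
    if target is None:
        target = malware
    try:
        proc = subprocess.Popen(["objdump", "-x", target], stdout=subprocess.PIPE)
        output = proc.communicate()[0]
    except OSError:  # objdump not installed / not on PATH
        print("\n[!] objdump not found; skipping the start address.")
        return []
    if not isinstance(output, str):  # bytes under Python 3
        output = output.decode("latin-1")
    matches = [line for line in output.splitlines() if "start address" in line]
    for line in matches:
        print(line)
    return matches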

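def header_info(target=None):
    """Print the section headers (``objdump -h``) of *target*.

    Args:
        target: path to inspect; defaults to the module-level ``malware``.

    objdump is run with an argv list and its stdout captured in Python,
    replacing ``os.system("objdump -h " + malware + " >header")`` which put
    the user-supplied path on a shell command line and wrote a fixed-name
    scratch file into the working directory.

    Returns:
        list of output lines (all of them, unfiltered); [] if objdump is
        missing or produced no output.
    """
    if target is None:
        target = malware
    try:
        proc = subprocess.Popen(["objdump", "-h", target], stdout=subprocess.PIPE)
        output = proc.communicate()[0]
    except OSError:  # objdump not installed / not on PATH
        print("\n[!] objdump not found; skipping the section headers.")
        return []
    if not isinstance(output, str):  # bytes under Python 3
        output = output.decode("latin-1")
    headresult = output.splitlines()
    for line in headresult:
        print(line)
    return headresult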

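def generate_dump(target=None):
    """Print the full section contents dump (``objdump -s``) of *target*.

    NOTE: a second ``def generate_dump`` further down this file rebinds the
    name before apps_start() runs, so this version is dead code unless that
    later definition is removed; it is kept so the file's layout is unchanged.

    Args:
        target: path to dump; defaults to the module-level ``malware``.

    objdump is invoked with an argv list rather than the original
    ``os.system("objdump -s " + malware + " >ascii_dump")``, so the sample's
    path never reaches a shell and no scratch file is left behind.

    Returns:
        list of output lines; [] if objdump is missing.
    """
    if target is None:
        target = malware
    try:
        proc = subprocess.Popen(["objdump", "-s", target], stdout=subprocess.PIPE)
        output = proc.communicate()[0]
    except OSError:  # objdump not installed / not on PATH
        print("\n[!] objdump not found; no dump produced.")
        return []
    if not isinstance(output, str):  # bytes under Python 3
        output = output.decode("latin-1")
    headresult = output.splitlines()
    for line in headresult:
        print(line)
    return headresult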

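def calls_to_syscommand(lines=None, patterns=None):
    """Print each line hit for the tool names in INTERESTING_SYS_CALLS.

    Args:
        lines: iterable of raw lines to scan; defaults to module-level ``hosts``.
        patterns: regexes to look for; defaults to INTERESTING_SYS_CALLS.

    Returns:
        list of the patterns matched, one entry per matching line (the
        original returned None; callers may ignore the value).

    The "Part of DDOS Network" line is the original author's heuristic and is
    printed for every hit; an embedded "ping.exe" string only suggests the
    sample shells out to that tool.
    """
    if lines is None:
        lines = hosts
    if patterns is None:
        patterns = INTERESTING_SYS_CALLS
    compiled = [(calls, re.compile(calls)) for calls in patterns]
    found = []
    for line in lines:
        for calls, pattern in compiled:
            if pattern.search(line):
                print("%s %s" % ("\n[+] Call Made: ", calls))
                print("\n\n[!] It Can be Part of DDOS Network.\n")
                found.append(calls)
    return found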

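def start_analysis_online(lines=None, patterns=None):
    """Print each ONLINE_WORK (IRC / bot vocabulary) token found, once each.

    Args:
        lines: iterable of raw lines to scan; defaults to module-level ``hosts``.
        patterns: regexes to look for; defaults to ONLINE_WORK.

    Returns:
        list of the tokens that matched, in order first seen.  The original
        returned None; callers may ignore the value.

    Many of these tokens ("Port", "MODE", "INFO", "VERSION") occur in benign
    binaries too, so the "Seems to be IRC BOT" line is a weak indicator on
    its own.
    """
    if lines is None:
        lines = hosts
    if patterns is None:
        patterns = ONLINE_WORK
    compiled = [(calls, re.compile(calls)) for calls in patterns]
    performed = []
    seen = set()
    for line in lines:
        for calls, pattern in compiled:
            if calls not in seen and pattern.search(line):
                print("%s %s" % ("[+] Malware Seems to be IRC BOT: Verified By String :", calls))
                seen.add(calls)
                performed.append(calls)
    return performed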
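def getSignatureForPe(pe, signature_path=None):
    """Match *pe* (a ``pefile.PE`` object) against a peutils signature database.

    Args:
        pe: parsed PE object to match.
        signature_path: path of the signature database; when None the
            module-level ``PE_SIGNATURE_PATH`` is used.  That constant is not
            defined anywhere in this file, so the default silently did nothing
            in the original (the NameError was eaten by a bare ``except``).

    Returns:
        the result of ``SignatureDatabase.match_all``, or None when no
        database path is available, peutils is not installed, or matching
        fails.  Each of those cases now prints why instead of staying silent.
    """
    if signature_path is None:
        try:
            signature_path = PE_SIGNATURE_PATH
        except NameError:
            print("\n[!] PE_SIGNATURE_PATH is not set; skipping the signature match.")
            return None
    try:
        import peutils  # third-party, shipped with pefile; imported lazily
    except ImportError:
        print("\n[!] peutils is not installed; skipping the signature match.")
        return None
    try:
        signatures = peutils.SignatureDatabase(signature_path)
        return signatures.match_all(pe)
    except Exception as exc:  # best-effort: a bad database must not abort the run
        print("\n[!] Signature match failed: %s" % exc)
        return None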

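def get_pe_signature(target=None):
    """Parse *target* with pefile, run the signature match and print ``dump_info()``.

    Args:
        target: path of the PE file; defaults to the module-level ``malware``.

    Returns:
        the ``dump_info()`` text, or None when pefile is missing or the file
        could not be parsed.

    The original never worked: ``pefile`` was only imported inside
    checkconfig(), so the name was unbound here and the resulting NameError was
    swallowed by a bare ``except`` that printed the "download pefile" hint for
    every error.  The import is now local to this function and parse errors are
    reported separately from a missing package.
    """
    if target is None:
        target = malware
    try:
        import pefile  # third-party: http://code.google.com/p/pefile/
    except ImportError:
        print("\n\n[!] Download PE Package from google code.\n")
        print("\n[!]Exiting.\n")
        return None
    try:
        pe = pefile.PE(target)
    except (IOError, pefile.PEFormatError) as exc:
        print("\n[!] pefile could not parse %s: %s" % (target, exc))
        return None
    signatureInfo = getSignatureForPe(pe)
    if signatureInfo:
        # The original computed this and then discarded it.
        print("\n[+] Signature match: %s" % (signatureInfo,))
    peInfo = pe.dump_info()
    print(peInfo)
    return peInfo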


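def generate_dump(target=None):
    """Write ``objdump -s`` of *target* to ``ascii_dump_<basename>.txt``, echo it, and exit.

    This definition rebinds the name of the earlier generate_dump() above
    (Python keeps the last ``def``), so this is the one apps_start()/checkargs()
    actually call.

    Args:
        target: path to dump; defaults to the module-level ``malware``.

    Changes from the original:
    - objdump runs via an argv list with stdout redirected in Python instead of
      ``os.system("objdump -s " + malware + " > " + filename)``, so the
      sample's path never reaches a shell;
    - the output name uses os.path.basename(target): with a path such as
      ``dir/x.exe`` the original tried to create ``ascii_dump_dir/x.exe.txt``;
    - raw_input falls back to input() on Python 3, where raw_input no longer
      exists (and input() no longer evaluates its text).
    The trailing sys.exit(0) is kept, so this function never returns.
    """
    if target is None:
        target = malware
    filename = "ascii_dump_" + os.path.basename(target) + ".txt"
    dump = open(filename, 'wb')
    try:
        try:
            proc = subprocess.Popen(["objdump", "-s", target], stdout=dump)
            proc.wait()
        except OSError:  # objdump not installed / not on PATH
            print("\n[!] objdump not found; no dump written.")
            sys.exit(1)
    finally:
        dump.close()
    with open(filename, 'r') as dump:
        headresult = dump.readlines()
    for line in headresult:
        print(line)
    print("\n Check " + filename + " for the ASCII dump output")
    try:
        pause = raw_input
    except NameError:  # Python 3
        pause = input
    pause("\n Press <Enter> to Exit.\n")
    sys.exit(0)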



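def checkPE(target=None):
    """Exit unless *target* starts with the DOS "MZ" magic; otherwise print its size.

    Args:
        target: path to check; defaults to the module-level ``malware``.

    Only the two-byte DOS header magic is checked, not the "PE\\0\\0" signature
    at e_lfanew, so a plain DOS executable also passes and the "Valid PE file"
    message is optimistic.  open() in a ``with`` block replaces the
    Python-2-only file() call; the comparison uses a bytes literal so it also
    holds under Python 3; the size uses integer division (as Python 2's ``/``
    did) and the same 1000-byte "KB".

    Raises:
        SystemExit(1) when the magic does not match (the original exited 0).
    """
    if target is None:
        target = malware
    print("\n Analysing if PE file...\n")
    with open(target, "rb") as check:
        buff = check.read(2)
    if buff != b"MZ":
        print("[!] Not a Valid PE File. Exiting.!\n")
        sys.exit(1)
    print("\n[+] Valid PE file.")
    print("%s %s %s" % ("\n[+] Malware File Size :", os.path.getsize(target) // 1000, "KB"))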

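def checkargs(args=None):
    """Dispatch the optional --ascii / --dll / --header flags (case-insensitive).

    Args:
        args: argument list to inspect; defaults to sys.argv.

    The flags need objdump and are only honoured on Linux/macOS; elsewhere a
    message is printed and the process exits 0.  On a hit, checkPE() is re-run
    (apps_start() already ran it once, so the check prints twice -- inherited
    from the original) and the matching report function is called, then the
    process exits 0.  The function therefore only returns when no known flag
    was present.  The Linux test is a prefix match so Python 3's 'linux' is
    accepted alongside Python 2's 'linux2'.
    """
    if args is None:
        args = sys.argv
    deeper_ok = sys.platform.startswith('linux') or sys.platform == 'darwin'
    for arg in args:
        flag = arg.lower()
        if flag not in ("--ascii", "--dll", "--header"):
            continue
        if not deeper_ok:
            print("\n This Analysis is Applicable on Linux OS only")
            sys.exit(0)
        checkPE()
        if flag == "--ascii":
            generate_dump()
        elif flag == "--dll":
            calls_to_dlls()
        else:
            header_info()
        sys.exit(0)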


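def apps_start():
    """Run the full static-analysis pipeline on the sample named on the command line.

    Order: dependency check, DOS-magic check, optional single-report flags
    (which exit), then the string scans and reports.  The objdump-based
    reports run only on Linux/macOS; the Linux test is a prefix match so
    Python 3's 'linux' is accepted alongside Python 2's 'linux2'.  Everything
    is printed; nothing is returned.

    NOTE(review): the original's indentation was lost in the paste; it is
    assumed that only the three objdump steps were inside the platform check
    (calls_to_dlls() does its own platform branching, so it is left outside).
    """
    checkconfig()
    checkPE()
    checkargs()
    print("\n[!] Displaying Interesting System Calls Made.\n")
    start_analysis_system_calls()
    if sys.platform.startswith('linux') or sys.platform == 'darwin':
        print("\n[+] Displaying Address of Import Table\n")
        find_import_table()
        print("\n[+] Displaying the Start Address\n")
        start_address()
        print("\n[+] Displaying the Header Sections and File Format")
        header_info()
    print("\n[!] Displaying Registry Hives Edited.\n")
    start_analysis_registry()
    print("\n\n[!] Displaying A Little Online Behaviour.\n")
    start_analysis_online()
    print("\n\n[!] Displaying the Loaded DLLs.\n")
    calls_to_dlls()
    print("\n\n[!] Commands Inside the Malware.\n")
    calls_to_syscommand()
    print("\n\n[!] Displaying the Headers of the Malware.\n")
    get_pe_signature()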

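# Only run the pipeline when executed as a script, so importing the module
# (e.g. to reuse the scanners) does not start an analysis.  The argument
# parsing and sample read above still happen at import time.
if __name__ == "__main__":
    apps_start()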

__Genius__
December 10th, 2009, 14:30
could you put a version with full comments ?