
Malware Analysis Tool Library

About the Author

Source & Credit: This article was provided to www.gbhackers.com by BALAJI N. All the content of this article belongs to the original author, BALAJI N. www.520waf.com won't take any credit.

0x00 Static Analysis

This step involves extracting and examining the binary's various components and inferring the static behaviour of the executable, for example API headers, referenced DLLs, PE sections and similar artifacts, without executing the sample.

Any deviation from the expected results is recorded in the findings of the static investigation and a conclusion is drawn accordingly. Static analysis is carried out without running the malware, whereas dynamic analysis is carried out by running the malware in a controlled environment.

  • Disassembly – Programs can be ported to new computer platforms by compiling the source code in a different environment.
  • File Fingerprinting – Network data loss prevention solutions use it to identify and track data across a network.
  • Virus Scanning – Virus scanning tools and instructions for malware and virus removal: remove malware, viruses, spyware and other threats (e.g. VirusTotal).
  • Analyzing memory artifacts – While examining memory artifacts such as a RAM dump, pagefile.sys or hiberfil.sys, the analyst can begin identifying rogue processes.
  • Packer Detection – Used to detect packers, cryptors, compilers, scramblers, joiners and installers.
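The static checks listed above (file fingerprinting, PE sections and packer detection) can be combined into a small triage script. The following is an added example, not code from the original article: it parses the PE section table with only the standard library, hashes the file, and uses per-section Shannon entropy as a packer heuristic. The 7.0 threshold and the `build_sample_pe` helper, which fabricates a minimal non-runnable PE as test input, are assumptions of this example.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; packed or encrypted sections sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe: bytes):
    """Walk MZ header -> PE signature -> COFF header -> section table, returning (name, raw bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)  # NumberOfSections, SizeOfOptionalHeader
    off = coff + 20 + opt_size  # section table starts right after the optional header
    sections = []
    for _ in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]))
        off += 40  # IMAGE_SECTION_HEADER is 40 bytes
    return sections

def triage(pe: bytes, packed_threshold: float = 7.0) -> dict:
    """File fingerprint plus a per-section entropy heuristic (the threshold is an assumption)."""
    report = {"md5": hashlib.md5(pe).hexdigest(), "sha256": hashlib.sha256(pe).hexdigest(), "sections": []}
    for name, data in parse_sections(pe):
        ent = round(shannon_entropy(data), 2)
        report["sections"].append({"name": name, "size": len(data), "entropy": ent, "high_entropy": ent > packed_threshold})
    report["likely_packed"] = any(s["high_entropy"] for s in report["sections"])
    return report

def build_sample_pe(sections) -> bytes:
    """Constructed, non-runnable PE image filling only the header fields the parser reads."""
    e_lfanew = 0x40
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)  # first section's data follows the table
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # i386, empty optional header
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIII", name, len(data), 0x1000, len(data), raw_ptr) + b"\0" * 16
        blobs += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + table + blobs
```

A high-entropy section with a name like UPX1 is a strong hint that the sample is packed and should be unpacked before any further static work.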

Static analysis tools:

0x01 Dynamic Analysis

Dynamic analysis is always the first approach used to discover a malware sample's functionality. For dynamic analysis, a virtual machine is created to serve as the place where the malware is analyzed. Beyond that, malware sandboxes, malware monitors and analyzers for the packets the malware generates are used to study it.

Important considerations for the virtual environment:

Isolating the environment so that the malware cannot escape is essential.
  • Only a single path (execution trace) is examined
  • The analysis environment is possibly not invisible
  • The analysis environment is possibly not comprehensive
  • Scalability issues
  • The setup should allow the analysis environment to be restored quickly
  • It might be detectable (x86 virtualization problems)

Dynamic analysis tools:

0x02 Memory Forensics

These are the volatile components found in physical memory. Volatile memory forensics yields valuable information about the running state of the system and provides the ability to link components to traditional forensic analysis (network, file system, registry).

  • Image the full range of system memory (no reliance on API calls).
  • Image a process’ entire address space to disk, including a process’ loaded DLLs, EXEs, heaps, and stacks.
  • Image a specified driver or all drivers loaded in memory to disk.
  • Hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256.)
  • Verify the digital signatures of the EXEs and DLLs (disk-based).
  • Output all strings in memory on a per-process basis.

Important tools:

  • WinDbg – Kernel debugger for Windows systems
  • Muninn – A script to automate portions of analysis using Volatility
  • DAMM – Differential Analysis of Malware in Memory, built on Volatility
  • FindAES – Find AES encryption keys in memory
  • Volatility – Advanced memory forensics framework

0x03 Malware Detection

Signature Based or Pattern Matching: A signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus.

Heuristic Analysis or Pro-Active Defense: Heuristic scanning is similar to signature scanning, except that instead of looking for specific signatures it looks for certain instructions or commands within a program that are not found in typical application programs.

Rule Based: The component of the heuristic engine that conducts the analysis (the analyzer) extracts certain rules from a file, and these rules are compared against a set of rules for malicious code.

Behavioral Blocking: The suspicious-behavior approach, by contrast, does not attempt to identify known viruses but instead monitors the behavior of all programs.

Weight-Based: A heuristic engine based on a weight-based system, which is a rather old-fashioned approach, rates each functionality it detects with a certain weight according to its degree of danger.

Sandbox: Allows the file to run in a controlled virtual system (or "sandbox") to see what it does.
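An added example (not from the original article) showing how the signature, rule-based and weight-based approaches above fit together: each rule is a YARA-style hex pattern with `??` wildcards and `[n-m]` jumps, every match contributes its weight, and the total is compared against a threshold. The rule set, the weights, the threshold and the sample buffers are hypothetical and constructed for illustration, not real signatures.

```python
import re

def compile_hex_pattern(pattern: str) -> re.Pattern:
    """Turn a YARA-style hex string such as '{ 6A ?? 68 [2-4] C3 }' into a bytes regex.
    Supports fixed bytes, '??' single-byte wildcards and '[n]' / '[n-m]' jumps."""
    parts = []
    for tok in pattern.strip().lstrip("{").rstrip("}").split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

# Hypothetical rule set constructed for this example: (name, hex pattern, danger weight).
# These illustrate the rule format only; they are not real signatures.
RULES = [
    ("mz_header", "{ 4D 5A }", 0),                        # every PE starts this way: informational
    ("self_locating_stub", "{ E8 00 00 00 00 5B }", 2),   # call $+5 / pop ebx, position-independent stub
    ("shell_string", "{ 63 6D 64 2E 65 78 65 }", 3),      # the string "cmd.exe"
    ("xor_decode_loop", "{ 80 34 ?? ?? [1-3] 75 }", 4),   # xor byte [mem], imm8 ... jnz: tiny decoder loop
]

def scan(data: bytes, rules=RULES, threshold: int = 5) -> dict:
    """Pattern matching with a weight-based verdict: the sum of matched rule weights
    is compared against a threshold (the threshold value is an assumption)."""
    hits = [(name, weight) for name, pat, weight in rules if compile_hex_pattern(pat).search(data)]
    score = sum(weight for _, weight in hits)
    return {"matches": [name for name, _ in hits], "score": score,
            "verdict": "suspicious" if score >= threshold else "clean"}

# Constructed sample buffers (not real files): one triggering several rules, one with only the header.
SAMPLE = (b"MZ" + b"\x90" * 16 + bytes.fromhex("E8000000005B") + b"\x00" * 8
          + b"cmd.exe\x00" + bytes.fromhex("80340A554175F8"))
BENIGN = b"MZ" + b"\x90" * 32 + b"Hello, world\x00"
```

Because the weights are summed, a single low-weight match (such as a string that also appears in legitimate software) never crosses the threshold on its own, which is how weight-based engines keep false positives down.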

Important tools:

  • YARA – Pattern matching tool for analysts.
  • Yara rules generator – Generate YARA rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
  • File Scanning Framework – Modular, recursive file scanning solution.
  • hashdeep – Compute digest hashes with a variety of algorithms.
  • Loki – Host-based scanner for IOCs.
  • Malfunction – Catalog and compare malware at a function level.
  • MASTIFF – Static analysis framework.

0x04 Web Domain Analysis

Domain analysis is the process by which a software engineer learns background information; here it means examining domain names and IP addresses. A domain analysis should simply include a brief summary of what you found, so that others can find this information for future reference.

Important tools:

  • SpamCop – IP-based spam block list.
  • SpamHaus – Block list based on domains and IPs.
  • Sucuri SiteCheck – Free website malware and security scanner.
  • TekDefense Automatic – OSINT tool for gathering information about URLs, IPs, or hashes.
  • URLQuery – Free URL scanner.
  • IPinfo – Gather information about an IP or domain by searching online resources.
  • Whois – DomainTools free online whois search.
  • mailchecker – Cross-language temporary email detection library.

0x05 Network Interaction Analysis

A comprehensive platform focused on network security monitoring is used for more general network traffic analysis. A passive network sniffer/packet capture tool detects operating systems, sessions, hostnames, open ports and so on without putting any traffic on the network.

Such a tool recognises IPv4/6, TCP, UDP, ICMPv4/6, IGMP and raw frames across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffers.

Important tools:

  • Tcpdump – Collect network traffic.
  • tcpick – Track and reassemble TCP streams from network traffic.
  • tcpxtract – Extract files from network traffic.
  • Wireshark – The network traffic analysis tool.
  • CapTipper – Malicious HTTP traffic explorer.
  • chopshop – Protocol analysis and decoding framework.
  • CloudShark – Web-based tool for packet analysis and malware traffic detection.

0x06 Debugging & Debuggers

A debugger is a very useful tool that provides low-level code analysis. Its most useful feature is the breakpoint: when a breakpoint is hit, the running program is stopped and control is handed to the debugger, allowing the environment to be analyzed at that moment. A debugger is a piece of software that uses CPU features designed specifically for this purpose. It offers a deeper view of how a program performs its task, lets the user control execution and gives access to the environment of the program being debugged. This is very helpful when analyzing malware, since it makes it possible to discover how the malware detects interference and to skip over junk instructions inserted for that specific purpose.

Important tools:

  • objdump – Part of GNU Binutils, for static analysis of Linux binaries.
  • OllyDbg – An assembly-level debugger for Windows executables.
  • FPort – Reports open TCP/IP and UDP ports on a live system and maps them to the owning application.
  • GDB – The GNU debugger.
  • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger – Debugger for malware analysis and more, with a Python API.

0x07 Analyzing Malicious URLs

Today, websites are exposed to many threats that exploit their vulnerabilities. A compromised site is used as a stepping stone and then serves the attacker's malicious purposes. For example, URL redirection mechanisms are widely used as a way to carry out covert web-based attacks. Redirection automatically replaces the destination being visited and is usually controlled by the web's HTTP protocol. Besides this conventional method, other methods that automatically fetch content from external sites, e.g. the iframe tag, have been used, particularly in web-based attacks.
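An added example (not from the original article) that scans a page for the redirect and remote-content mechanisms described above: meta refresh, iframes (flagging those sized or styled to be invisible) and JavaScript assignments to `location`. The sample HTML and its `.example` hostnames are constructed, and the size-based "hidden" heuristic is an assumption of this example.

```python
import re
from html.parser import HTMLParser

# Matches window.location = "...", document.location.href = '...', location = "..."
_JS_REDIRECT = re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)")

class RedirectScanner(HTMLParser):
    """Collects (indicator, target) pairs for redirect and remote-content constructs."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # buffer for the body of the <script> currently open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta_refresh", a.get("content", "")))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            self.findings.append(("hidden_iframe" if hidden else "iframe", a.get("src", "")))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            for m in _JS_REDIRECT.finditer("".join(self._script)):
                self.findings.append(("js_redirect", m.group(1)))
            self._script = None

def scan_html(html: str):
    """Return the list of findings for one HTML document."""
    p = RedirectScanner()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample page: one meta refresh, one hidden and one visible iframe, one JS redirect.
SAMPLE_HTML = """<html><head><meta http-equiv="refresh" content="0;url=http://landing.example/">
</head><body><p>Welcome</p>
<iframe src="http://hidden.example/x" width="0" height="0"></iframe>
<iframe src="http://video.example/embed" width="640" height="360"></iframe>
<script>var a = 1; window.location = "http://other.example/go";</script></body></html>"""
```

A hidden iframe or an immediate meta refresh on an otherwise ordinary page is the kind of injected content worth pulling into a tool like Malzilla for closer inspection.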

Important tools:

  • Firebug – Firefox extension for web development.
  • Java Decompiler – Decompile and inspect Java apps.
  • jsunpack-n – A JavaScript unpacker that emulates browser functionality.
  • Krakatau – Java decompiler, assembler, and disassembler.
  • Malzilla – Analyze malicious web pages.

0x08 Sandbox Techniques

A sandbox is a key security mechanism that isolates programs so that malicious or failing programs cannot damage or snoop on the rest of your PC. The software you use every day already runs important parts of its code in a sandbox. A sandbox is a tightly controlled environment that governs which programs can be executed. It restricts what a piece of code can do, giving it just the permissions it needs without additional permissions that could be abused.

Important tools:

  • firmware.re – Unpacks, scans and analyzes almost any firmware package.
  • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
  • IRMA – An asynchronous and customizable analysis platform for suspicious files.
  • Cuckoo Sandbox – Open source, self-hosted sandbox and automated analysis system.
  • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL.
  • PDF Examiner – Analyse suspicious PDF files.
  • ProcDot – A graphical malware analysis toolkit.
  • Recomposer – A helper script for safely uploading binaries to sandbox sites.
  • SandDroid – Automatic and complete Android application analysis system.

Original article: Most important considerations with Malware Analysis Cheats And Tools list
