Last changed: 11.07.2019
Basic binary analysis
echo c68e c6a7 d0af c68e 56 c68e d0af | xxd -ps -r
hashsum checks
To check if a binary gets recognized as malware or if it is already known you query virustotal.com for the file or its hash.
md5sum <file>
sha1sum <file>
pehash <file>
To search for similar files you could use the fuzzy ssdeep
hash or the imphash
which hashes only the import address table of binaries.
virustotal.com offers the search modifiers
ssdeep:"<HASH> <SCORE>"
and imphash:<HASH>
.
ssdeep <file>
imphash.py
import pefile
pe = pefile.PE('evil.exe')
pe.get_imphash()
compare binary files
cmp -l <file1> <file2> | gawk '{printf "%08X %02X %02X\n", $1-1, strtonum(0$2), strtonum(0$3)}'
vbindiff <file1> <file2>
PE information (linux)
For some basic static analysis of a PE file linux offers some command line tools.
basic identification
file <file>
string search
strings <file>
strings -el <wide-char-file>
pestr <file>
show headers, sections, import & exports
readpe -h coff <file>
readpe -S <file>
readpe -i -e <file>
To resolve imports by ordinals you can use objdump or radare2. At this moment it seems as if radare2 does ignore the ordinal offset.
objdump -p <my_dll>
r2 -qc iE <my_dll> | grep ord=003 | cut -d " " -f 3,8
scan for suspicious artifacts
peframe <file>
disassemble selected instructions
pedis -e -i 10 <file>
pedis -s .text <file>
identify packer
pepack -d userdb.txt <file>
show security features
pesec <file>
extract ressources
for f in *exe; do echo "$f"; peres -s "$f"; done
peres -l <file>
peres -X <file>
The listing and the named extraction were patched into peres
in June 2018. So I
make sure to use a recent version from the
git repository.
ELF information (linux)
show headers, sections, symbols
readelf -h <file>
readelf -S <file>
readelf --dyn-syms <file>
show dynamically linked libraries
ldd <file>
disassemble selected instructions
objdump -dMintel <file> | grep \<main -A 30
PE information (windows)
PEiD
(identify packer)PEview
(show header)dependency walker
(show imports/exports)PEStudio
(scans for suspicious artifacts)
basic dynamic analysis (windows)
To run dynamic analysis of a PE file you could monitor its execution in a safe windows environment. To simulate an internet connection I use inetsim on another linux machine.
echo -n "Microsoft NCSI" > /var/lib/inetsim/http/fakefiles/sample.txt
For Windows 10 it should be
echo -n "Microsoft Connect Test" > /var/lib/inetsim/http/fakefiles/sample.txt
execute exported dll function
rundll32.exe <my_dll>,<function> [<parameter>]
This can be used to start the function in a debugger like x64dbg
. Then you
could create a dll breakpoint to stop when the dll is loaded.
service dlls
A function called ServiceMain
can indicate, that the dll shall run as a
service. Sometime a function to install the service is also present.
The function can be executed through rundll32.exe
. The name of the new service
can be found with regshot
or procmon.exe
.
sc qc <my_service>
net start <my_service>
procexp.exe (SysinternalsSuite)
Some very useful functions of the procexp.exe
are
- list process tree and see orphaned processes
- compare strings of image and of process memory
- find processes by dll name
- list dlls, handles and mutexes
- verify signed binaries
- suspend or kill processes
procmon.exe (SysinternalsSuite)
procmon.exe
can be used to capture and filter events. To quickly find system
modifications or process execution the following filters are useful.
ProcessName is my_process.exe
Operation is WriteFile
Operation is RegSetValue
Operation is Process Create
To gain a quick overview procmon.exe
offers a Process Tree (Ctrl+T
) or
activity summaries in its Tools
menue.
ProcDOT
ProcDOT
can import .csv
files from procmon.exe
and generate a graph with
the main activity of a specified process. Furthermore this graph can be replayed
sequentially according to the timestamps recorded by procmon.exe
.
regshot
To quickly see changes in the registry regshot can be used to create and compare snapshots of all registry values before and after the execution of the program.
basic dynamic analysis (linux)
To gain a first impression what a binary does you can monitor its system calls and library calls in a safe environment.
strace
Running a program through strace
will print all occuring system calls, their
parameters and the return values. The output can be filtered and written to a
text file.
strace -n 100 -fi <file>
strace -e trace=open,close,write -o output.txt <file>
strace -p <pid>
ltrace
When analysing a dynamically linked binary with ltrace
all library calls get
printed. System calls can get included in the output.
ltrace -S -f -i <file>
ltrace -l libc.so.6 -s 100 -o output.txt <file>
lsof
The program lsof
helps finding opened files, pipes and network connections. It
can combine filters with OR or AND.
lsof <file> +D <directory>
lsof -u <user> -c <command> -a
lsof -i4 -p <pid>
unpacking packed binaries with x64dbg
dump with scylla
- Check if OEP is correct
- Dump (-> creates new file)
fix IAT with scylla
- IAT Autosearch
- Get Imports
- Fix Dump (choose new file)
Signatures
Host and network based Indicators of Compromise can be turned into signatures to detect infected machines or malicious network traffic.
snort_example.rule
alert tcp any any -> any any (msg:"Snort example"; content:"|0d 0a|value\: evil|0d 0a|"; sid:12345; rev:1;)
test snort rules
To test these rules the config has to be modified to include the rule file.
Afterwards snort
can be run. If it runs on the same machine as the
communication participant checksum filtering should be disabled.
snort -i eth0 -c /etc/snort/snort.conf -A console -k none
yara_example.rule
rule yara_example {
meta:
quality = "high"
description = "evil string in pe file"
strings:
$s1 = "evil"
$s2 = "evil" wide
condition:
(1 of them) and (pe.characteristics & pe.EXECUTABLE_IMAGE)
}
test yara rules
yara -rwm yara_examle.rule <folder>
virustotal yara module
Virustotal
offers its own yara module for live hunting.