
administrators

  • RE: Disassemble .Net Binaries

    Sorry for the delay: busy week last week.

    You should download dnSpy or ILSpy. dnSpy is nicer and it also has a debugger which allows you not only to decompile C#/.NET code, but it even allows you to edit it, rebuild it, place breakpoints and run, etc… If it’s obfuscated, get de4dot and drag the file onto de4dot first, then use dnSpy after.

    Have fun… Much easier than native code :)

    posted in Code/Disassembly Analysis
  • RE: How to Analysis Dll file.

    @rohit_secres said in How to Analysis Dll file.:

    Hi all,
    I need your help. Can you please tell me how to analyse DLL files, because a DLL is not a directly executable file? How can we check DLLs to analyse them and find their behaviour?
    Thanks.

    For this, you can use several options.

    A DLL file, as you may know, contains code functions; it just doesn’t have a “main” function which the OS loader can load directly. However, another program can load the DLL file, and there is one supplied with Windows called rundll32.exe. If you run rundll32.exe at the command line and pass it the DLL file, followed by a comma, followed by either a function name or an ordinal number, then rundll32.exe will execute the function specified.

    You can also analyze DLL files with IDA Pro, x64Dbg, and OllyDbg. OllyDbg has its own DLL loader but if you want, you could always load rundll32.exe in another debugger and simply pass to it the argument to load the DLL that you want… Then, you can tell the debugger to “break on module load” and keep pressing Continue until the dll you want is loaded, then step through the code that way.

    There are a few other caveats to note with DLL files: Earlier I said DLL files don’t have a “main” like exes. This isn’t really true. DLLs actually do have a main and it’s called DllMain. DllMain is run whenever the DLL is loaded into a program so it is important to note that a DLL file can execute code which is outside of the function being imported to another exe by placing it in DllMain or jumping to it from DllMain.

    Another thing, you will note that when you use rundll32.exe, you don’t really have nice options to pass multiple arguments to a function. For example, the function CreateProcess() takes more than 1 argument and if you wanted to run it so that it actually works, you’d have to supply all of those args. You cannot do that with rundll32 unfortunately. The OllyDbg DLL loader has better support for more arguments than rundll32.exe does.

    posted in Tools and Techniques Discussions
  • RE: .msi file Analysis

    @Rohit_SecRes

    You should be able to find it by extracting it as @Struppigel said and then using various tools. I’m not sure what you are using as you didn’t state it, but what I would probably do is extract it and then run it with ProcMon and Microsoft Network Monitor or Wireshark on, then find some of the malicious activity and look at the process tree in ProcMon using Ctrl+T. One thing you need to determine is whether the actual msi process is carrying out malicious behavior, or if it is spawning a child process and/or dropping a file to disk which is carrying out malicious behavior…

    Another tool you can use is Process Hacker. When you find the payload in memory, suspend it, then look at details by double-clicking it in memory in Process Hacker 2 and dump it to disk. You can also take that info (strings, memory locations) and search for it inside of the exe on disk (either the one you extracted or the dumped file) using other tools like IDA Pro, a hex editor, PE-Bear, etc…

    When I am cross-analyzing files like this, the first thing I do is open the file up in CFF Explorer, go to the PE header -> optional header -> DllCharacteristics and I disable ASLR and NX so that way the memory addresses of the mapped memory can be used to search using static tools like IDA Pro.

    This should allow you to further analyze it.

    posted in Dynamic Analysis
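An added example, not code from either post above nor from any of the tools they name: a small pure-Python PE walker that does two of the chores those posts describe by hand. list_exports() reads a DLL's export table so you know what to put after the comma on a rundll32 command line (an export with no name is reachable only by ordinal, written as #N), and clear_dll_characteristics() clears DYNAMIC_BASE and NX_COMPAT in OptionalHeader.DllCharacteristics, the CFF Explorer edit from the .msi post. Field offsets follow the PE/COFF spec; the sample DLL image is constructed inline from raw header fields and is not a real binary. rundll32 calls whatever entry you name as `void CALLBACK f(HWND, HINSTANCE, LPSTR cmdline, int nCmdShow)`, which is why only one string ever reaches the function and CreateProcess-style argument lists cannot be passed.

```python
"""Minimal PE walker: list a DLL's exports for rundll32 and clear ASLR/NX flags.
The sample image built by build_sample_dll() is constructed, not a real DLL."""
import struct

IMAGE_FILE_DLL = 0x2000                            # FileHeader.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP/NX


def _headers(data):
    """Return (optional header offset, magic, section count, optional header size, characteristics)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = e_lfanew + 4   # IMAGE_FILE_HEADER: NumberOfSections +2, SizeOfOptionalHeader +16, Characteristics +18
    nsec, size_opt, chars = struct.unpack_from("<H12xHH", data, fh + 2)
    opt = fh + 20
    return opt, struct.unpack_from("<H", data, opt)[0], nsec, size_opt, chars


def _sections(data, table_off, count):
    """(VirtualAddress, span, PointerToRawData) per 40-byte IMAGE_SECTION_HEADER."""
    secs = []
    for i in range(count):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, table_off + i * 40 + 8)
        secs.append((va, max(vsize, rawsize), rawptr))
    return secs


def _rva_to_off(secs, rva):
    for va, span, rawptr in secs:
        if va <= rva < va + span:
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} maps to no section")


def list_exports(data):
    """Return [(ordinal, name_or_None)] from the export directory (data directory 0)."""
    opt, magic, nsec, size_opt, chars = _headers(data)
    if not chars & IMAGE_FILE_DLL:
        raise ValueError("IMAGE_FILE_DLL not set: this is an EXE, not a DLL")
    dd = opt + (96 if magic == 0x10B else 112)     # data directory start, PE32 vs PE32+
    exp_rva = struct.unpack_from("<I", data, dd)[0]
    if exp_rva == 0:
        return []
    secs = _sections(data, opt + size_opt, nsec)
    ed = _rva_to_off(secs, exp_rva)
    _name, base, nfunc, nnames, afunc, anames, aords = struct.unpack_from("<7I", data, ed + 12)
    funcs = struct.unpack_from(f"<{nfunc}I", data, _rva_to_off(secs, afunc))
    names = struct.unpack_from(f"<{nnames}I", data, _rva_to_off(secs, anames))
    ords = struct.unpack_from(f"<{nnames}H", data, _rva_to_off(secs, aords))
    by_index = {}
    for name_rva, idx in zip(names, ords):
        o = _rva_to_off(secs, name_rva)
        by_index[idx] = data[o:data.index(b"\0", o)].decode("ascii")
    # Zero slots in AddressOfFunctions are unused; exports with no name are callable only by ordinal.
    return [(base + i, by_index.get(i)) for i, rva in enumerate(funcs) if rva]


def rundll32_commands(dll_path, exports):
    """One rundll32 line per export; ordinals are spelled '#N'. Only one LPSTR argument reaches the entry."""
    return [f"rundll32.exe {dll_path},{name or '#%d' % ordinal}" for ordinal, name in exports]


def dll_characteristics(data):
    opt = _headers(data)[0]
    return struct.unpack_from("<H", data, opt + 70)[0]     # same offset in PE32 and PE32+


def clear_dll_characteristics(data, bits=IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT):
    """Return a patched copy. User-mode loads do not validate OptionalHeader.CheckSum, so it is left alone."""
    out = bytearray(data)
    opt = _headers(out)[0]
    struct.pack_into("<H", out, opt + 70, dll_characteristics(out) & ~bits & 0xFFFF)
    return out


def build_sample_dll():
    """Constructed PE32 DLL with one .edata section exporting Run (#1), a nameless #2 and Install (#3)."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    fh = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)      # i386, 1 section, EXE|32BIT|DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<H", opt, 70, 0x0140)                          # DYNAMIC_BASE | NX_COMPAT
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, 0x1000, 0x57)                   # export directory RVA / size
    sect = struct.pack("<8sIIII", b".edata", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    edata = bytearray(0x200)                                         # raw data at 0x200, RVA 0x1000
    struct.pack_into("<IIHH7I", edata, 0, 0, 0, 0, 0, 0x1040, 1, 3, 2, 0x1028, 0x1034, 0x103C)
    struct.pack_into("<3I", edata, 0x28, 0x1100, 0x1110, 0x1120)     # AddressOfFunctions (fake code RVAs)
    struct.pack_into("<2I", edata, 0x34, 0x104B, 0x1053)             # AddressOfNames, sorted: Install, Run
    struct.pack_into("<2H", edata, 0x3C, 2, 0)                       # AddressOfNameOrdinals (indexes)
    edata[0x40:0x57] = b"sample.dll\0Install\0Run\0"
    img = bytes(dos) + b"PE\0\0" + fh + bytes(opt) + sect
    return img.ljust(0x200, b"\0") + bytes(edata)


if __name__ == "__main__":
    dll = build_sample_dll()
    for line in rundll32_commands(r"C:\samples\sample.dll", list_exports(dll)):
        print(line)
    print(f"DllCharacteristics {dll_characteristics(dll):#06x} -> "
          f"{dll_characteristics(clear_dll_characteristics(dll)):#06x}")
```

Run it as a script to see the three rundll32 lines and the flag change; on a real sample read the file with open(path, "rb").read() and write the patched bytearray back under a new name. Clearing DYNAMIC_BASE only removes the loader's request for a random base: if the preferred ImageBase is already occupied in the target process the image is still relocated, so compare the module base in the debugger against ImageBase before trusting addresses from IDA.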
  • RE: .msi file Analysis

    What’s the behavior of the file? Does it operate as a proper msi file does with an install of malicious payload? Have you examined in HxD or 010 Editor? Can you post us some screenshots?

    posted in Dynamic Analysis
  • RE: Introduce yourself!

    @struppigel I was so happy when I saw you on here. Welcome!!!

    posted in Off-Topic Lounge
  • RE: pestudio - Windows Executable file static analysis

    Hey @marc-ochsenmeier . Thank you for posting about PE Studio! It has been my foundational PE parsing tool at work for a long time! Indeed, it is a great tool for initial assessment.

    posted in Windows
  • RE: Introduce yourself!

    @z3r0sum hey, welcome to Malware Analysis Forums. I hope you connect with other members here since there are not many reversers near you. Feel free to ask anything or share resources here!

    posted in Off-Topic Lounge
  • CATALOG - ALL TOOLS

    In-Memory Process Scanning

    PE-Sieve

    Category: Executable Utility
    Status: Open Source
    Usage: Detecting and locating in-memory attacks by malware such as process injection and process hollowing.
    Link: https://github.com/hasherezade/pe-sieve
    Author: hasherezade
    Contact: https://twitter.com/hasherezade

    FridaExtract

    Category: Executable Python Script
    Status: Open Source
    Usage: Automatically extracts and re-constructs PE files which have been injected into running processes via RunPE/Process injection. Useful for pulling an injected file to disk for analysis.
    Link: https://github.com/OALabs/frida-extract
    Author: OALabs (Sergei and Sean)
    Contact: oalabs.openanalysis.net/

    Detector - Anti-Analysis

    Makin

    Category: Executable Utility
    Status: Open Source
    Usage: Finding anti-analysis, anti-debug, and anti-VM functionality in specific malware files.
    Link: https://github.com/secrary/makin
    Author: Lasha Khasaia
    Contact: https://twitter.com/_qaz_qaz

    Recently updated RE: https://twitter.com/_qaz_qaz/status/982182758654009344

    Paranoid Fish (pafish)

    Category: Executable Utility
    Status: Open Source
    Usage: VM hardening - Will attempt to detect your VM and notify you if it does, similar to actual malware.
    Link: https://github.com/a0rtega/pafish
    Author: Alberto Ortega
    Contact: http://aortega.badtrace.com/

    Al-Khaser

    Category: Executable Utility
    Status: Open Source
    Usage: VM hardening - will test your analysis VM/environment with common anti-analysis tests used by malware
    Link: https://github.com/LordNoteworthy/al-khaser
    Author: LordNoteworthy
    Contact: https://twitter.com/LordNoteworthy

    PafishMacro

    Category: Microsoft Word Document Macro
    Status: Open Source
    Usage: VM hardening - Will perform checks that pafish (listed above) performs, but with a Word Document macro interface and a few other small changes.
    Link: https://github.com/joesecurity/pafishmacro
    Author: Joe Security
    Contact: https://twitter.com/joe4security

    Malware Analysis Environments/Sandboxes

    JoeSandbox A1

    Category: Physical analysis appliance sandbox
    Status: Closed Source
    Usage: Instrumentation sandbox to collect static and dynamic information on malware
    Link: https://www.joesecurity.org/joe-sandbox-appliance
    Contact: https://twitter.com/joe4security

    Malicious Shellcode

    BlobRunner

    Category: Executable Utility
    Status: Open Source
    Usage: Serves as a “base process” to shellcode that you hand it. Sets up a runtime environment and then transfers execution to the shellcode specified by YOU.
    Link: https://github.com/OALabs/BlobRunner
    Author: OALabs
    Contact: oalabs.openanalysis.net/

    shellcode2exe

    Category: Executable Python Script
    Status: Open Source
    Usage: Given some shellcode as input, it creates a fully functional executable for Windows, Mac, or Linux as output. Good for shellcode isolation and execution.
    Link: https://github.com/MarioVilas/shellcode_tools/blob/master/shellcode2exe.py
    Author: Mario Vilas
    Contact: https://twitter.com/Mario_Vilas

    Portable Executable Repair

    Portex Analyzer

    Category: Java Executable
    Status: Open Source
    Usage: Graphical depiction of file entropy, basic repair of PE headers, basic parsing and analysis of PE headers geared toward malware analysis
    Link: https://github.com/katjahahn/PortEx
    Author: Karsten Hahn
    Contact: https://twitter.com/struppigel

    posted in MAF Tool Repository (Tool Vendors Welcome)
  • WARNING if you use VirtualBox for analysis

    Hey all,

    Just wanted to let you know that in the newer version of Oracle VirtualBox, 5.2.8r121009, Oracle moved the position of the Delete Snapshot button. As an analyst, I often restore snapshots and typically I do it by right-clicking on the snapshot in my list of snapshots and clicking the first option, which used to be “Restore Snapshot.” They’ve now put the Delete Snapshot option in that spot, so if you are just flying through it fast or have muscle memory, you may accidentally delete your snapshot! Luckily I didn’t, but that is a very poor design choice!!

    On a side note, check this talk out:

    https://www.youtube.com/watch?v=fFaWE3jt7qU&t=496s

    Enjoy. Happy hunting.

    posted in General Malware Discussion
  • RE: PE-Bear Updated with bug fixes

    Yeah hasherezade is really good, highly skilled, and focused. She’s a great role model :)

    posted in Static Analysis
