Introduction to Malware Analysis Tools
This article explains which tools are available to a reader who wants to analyze malware on their own. The first step is a rough classification. It is like going to the hospital when you are ill: you first have to decide which department to register with, and only that specialist can go on to diagnose which disease you have and how to treat it. The doctors correspond to the many different analysis tools. Mastering all of them takes time and expertise, but the aim of this article is for the reader to at least know how to "register with the right department", and from there gain a basic understanding of the kinds of malware and the methods used to analyze them.
Static File Analysis
What does "static" analysis mean? It is analysis performed before the suspicious file has been executed. If static analysis can identify malicious characteristics, the malware can be blocked before it does its damage (that is, before it runs). Static analysis is therefore the key to "predicting" whether a suspicious file is malware.
"Dynamic" analysis, by contrast, refers to observing the file's behavior while it is executing. Usually we set up an isolated virtual environment, run the malware in it, and watch what harmful things it does. Of course, malware has become smarter: it may detect that it is running in a virtual environment, or wait more than one day before starting its malicious activity, so much dynamic analysis fails to detect it.
Which tools are available for static analysis?
| Category | Tools |
|---|---|
| File attributes | pescanner, pestr, pyew, pedump, peframe, signsrch, readpe.py |
| Reverse engineering | bokken, vivbin, udcli, RATDecoders, radare2, yara, wxHexEditor |
| Decoding encoded files | xorsearch, unxor.py, Balbuzard, NoMoreXOR.py, brutexor.py, xortool |
| Examining memory state | Rekall, Volatility |
| Analyzing packed files | bytehist, packerid, upx |
| Extracting files of known formats | hachoir-subfile, bulk_extractor, scalpel, foremost |
| Scanning with known signatures | freshclam, clamscan |
| Malware sample analysis | mas, viper, maltrieve, Ragpicker |
| Hash analysis | nsrllookup, Automater, hash_id, ssdeep, totalhash, virustotal-search, vt |
| Defining malware signatures | yaraGenerator.py, autorule.py, IOCextractor.py, rule-editor |
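As an added illustration (not code from the original article, and not the code of any tool listed above), the following Python script performs a simple static triage of a file without running it: hashes for database lookups, printable strings, byte entropy as a packing indicator, a PE header check, and a brute-force search for a known plaintext under every single-byte XOR key, the approach xorsearch takes. The sample bytes, the XOR key 0xD3 and the hidden string are constructed for the example; they are not a real malware sample.

```python
"""Static triage of a suspicious file without executing it.

Added example: reimplements, in a few lines, checks that pescanner/pestr,
bytehist, xorsearch and the hash lookup tools perform on real samples.
"""
import hashlib
import math
import re
from collections import Counter

# Constructed sample "file" (not real malware): a DOS header whose e_lfanew
# points at a PE signature, followed by a blob that was XOR-encoded with a
# single byte key so that its strings are hidden from a plain strings dump.
XOR_KEY = 0xD3
PLAIN_PAYLOAD = b"http://example.invalid/update.bin  cmd.exe /c whoami"
SAMPLE = (
    b"MZ" + b"\x90" * 58                      # DOS header, e_lfanew field at 0x3C
    + (0x80).to_bytes(4, "little")            # e_lfanew = 0x80
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 22                            # padding up to offset 0x80
    + b"PE\x00\x00"                           # PE signature at 0x80
    + bytes(b ^ XOR_KEY for b in PLAIN_PAYLOAD)
)


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256, the values looked up with nsrllookup or VirusTotal."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII runs of at least min_len printable characters (what pestr/strings show)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values close to 8.0 suggest packing or encryption."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """True if the file has the 'MZ' DOS signature and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_search(data: bytes, needle: bytes) -> list:
    """Try all 256 single-byte XOR keys and return (key, offset) pairs under
    which the needle appears, the approach xorsearch takes with known plaintext
    such as 'http://' or 'cmd.exe'."""
    hits = []
    for key in range(256):
        offset = bytes(b ^ key for b in data).find(needle)
        if offset != -1:
            hits.append((key, offset))
    return hits


def triage(data: bytes) -> dict:
    """Collect the static indicators an analyst would record before running anything."""
    return {
        "hashes": file_hashes(data),
        "is_pe": is_pe(data),
        "entropy": round(shannon_entropy(data), 2),
        "strings": printable_strings(data),
        "xor_hits": xor_search(data, b"cmd.exe"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the plain strings dump shows only the DOS stub text, while the XOR search recovers the hidden command line under key 0xD3; that difference is why the decoding tools in the table sit next to the string and attribute tools.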
Network Malware Analysis Tools
| Category | Tools |
|---|---|
| Analyzing network packet contents | wireshark, ngrep, tcpick, tcpxtract, tcpflow, tcpdump |
| Analyzing HTTP traffic | burpsuite, mitmproxy, CapTipper, NetworkMiner |
| Setting up fake network services | fakedns, fakesmtp, inetsim |
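As an added example (not part of the original article and not the code of fakedns or inetsim), here is the core of what a fake DNS service does during dynamic analysis: it parses each A query the sample sends, records the requested name, and answers with a sinkhole address so the sample's traffic stays inside the isolated lab network instead of reaching the internet. The sinkhole address 10.0.0.1 and the local port 5353 are assumptions for a test setup; build_query constructs the test input.

```python
"""Minimal fake DNS responder (sinkhole), the idea behind the DNS service of
fakedns/inetsim: log every name a sample resolves and point it at a lab host.
Added example, not the tools' own code."""
import socket
import struct

SINKHOLE_IP = "10.0.0.1"   # assumption: the isolated analysis host that captures traffic
QTYPE_A = 1
SEEN_NAMES = []            # names the sample asked for: the indicators we want


def encode_name(name: str) -> bytes:
    """'a.b.c' -> DNS label sequence b'\\x01a\\x01b\\x01c\\x00'."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def build_query(name: str, tid: int, qtype: int = QTYPE_A) -> bytes:
    """Constructed test input: a standard recursive query for one name."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes):
    """Return (transaction id, name, qtype, raw question section) of a query,
    rejecting malformed input rather than guessing at it."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    tid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question type/class")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return tid, ".".join(labels), qtype, packet[12:pos + 4]


def build_response(tid: int, question: bytes, qtype: int, ip: str, ttl: int = 60) -> bytes:
    """Answer A queries with the sinkhole address; other types get an empty answer."""
    if qtype == QTYPE_A:
        # name = pointer to offset 12 (the question name), type A, class IN, ttl, rdlength 4
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + socket.inet_aton(ip)
        ancount = 1
    else:
        answer, ancount = b"", 0
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, ancount, 0, 0)  # QR, RD, RA set
    return header + question + answer


def respond(packet: bytes):
    """Parse one query, log the name, and return (name, response bytes)."""
    tid, name, qtype, question = parse_query(packet)
    SEEN_NAMES.append(name)
    return name, build_response(tid, question, qtype, SINKHOLE_IP)


if __name__ == "__main__":
    # Stand-alone use: point the sample's resolver at this host and port.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 5353))  # assumption: unprivileged port for a local test
    while True:
        data, addr = sock.recvfrom(512)
        try:
            name, reply = respond(data)
        except ValueError as exc:
            print(f"{addr[0]}: dropped malformed packet ({exc})")
            continue
        print(f"{addr[0]} resolved {name} -> {SINKHOLE_IP}")
        sock.sendto(reply, addr)
```

The list of resolved names is usually the most valuable output of such a service: it gives the domains to block or watch for, and it is collected before any real connection is made, which matters because the sample never leaves the lab.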
JavaScript / Web-Related Malware
Deobfuscate JavaScript with SpiderMonkey (js), d8, rhino-debugger and Firebug.
Define JavaScript objects for SpiderMonkey using /usr/share/remnux/objects.js.
Clean up JavaScript with js-beautify.
Retrieve web pages with wget and curl.
Examine malicious Flash files with swfdump, flare, RABCDAsm, xxxswf.py, extract_swf.
Analyze Java malware using idx_parser.py, cfr, jad, jd-gui, Javassist.
Inspect malicious websites and domains using thug, Automater, pdnstool.py, passive.py.
Document-Based Malware Analysis
Analyze suspicious Microsoft Office documents with officeparser.py, oletools, libolecf, oledump.py.
Examine PDFs using pdfid, pdfwalker, pdf-parser, pdfdecompress, pdfxray_lite, pyew, peepdf.
Extract JavaScript or SWFs from PDFs using pdfextract, pdf.py and swf_mastah.
Examine shellcode using shellcode2exe.py, sctest, dism-this, unicode2hex-escaped, m2elf, dism-this.py.
Investigate Linux Malware
Disassemble and debug binaries using bokken, vivbin, edb, gdb, udcli, radare2, objdump.
Examine the system during behavioral analysis with sysdig, unhide, strace, ltrace.
Examine memory snapshots using Rekall, Volatility.
Decode Android malware using Androwarn, AndroGuard.
Sandboxes
- Cuckoo Sandbox: Cuckoo Sandbox is open-source software for automating the analysis of suspicious files.
- DroidBox: DroidBox is developed to offer dynamic analysis of Android applications.
- Malwasm: Malwasm is a tool based on Cuckoo Sandbox designed to help perform step-by-step analysis, log all malware activities, and store them in a web-accessible database.
Mobile Malware Analysis Tools
- APKTool: A tool for reverse engineering third-party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it also makes it possible to debug smali code step by step.
- Dex2Jar: Designed to read the Android Dalvik Executable (.dex/.odex) format. It reads dex instructions into the dex-ir format and can convert them to ASM format. It can also be used to perform some basic deobfuscation.
- Smali: smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation.