Tools & Utilities
I have developed these tools and utilities so that they are of help during our malware analysis process. Some of them are even useful for general users, as they protect against and solve the problems posed by various kinds of malware. I will upload these tools and utilities for the general public as and when I develop them. However, I would request you all to report any kind of bugs that might exist in these applications. Please feel free to drop an email at rajdeep@malwareinfo.org. Keeping in mind the fact that I am not a hardcore programmer, rather programming is just my hobby, please bring to my notice any bug that you may find while using these applications. I will try my level best to rectify them and keep these applications bug free.
Advance Malware Identification & Removal (AMIR)
System Requirement: Windows 2000/XP/2003 (not tested in Windows Vista)
View AMIR Architecture
AMIR is an application that will help you quickly identify any unwanted process (except rootkits) running in your system, and it gives you the option to remove them easily. Once AMIR runs on the system, it highlights (with color) the possible suspect programs and also gives you a lot of other relevant information about each process. It shows you the PE details, actual memory dumps of the running process and the various resources used by the binary. It even has a heuristic scanner that can sniff out malicious code in .vbs, .inf and .bat files. AMIR can also re-enable Regedit, Task Manager and Folder Options when they have been locked by malware activity. Armed with numerous state-of-the-art options, it becomes very easy to detect any kind of malware (except rootkits) running on the system.
MalwareInfo Scanner (880 KB)
Published: July 31, 2009
Aka: MI-Scanner
File size: 796 KB (815,104 bytes)
Installation: Simply extract all the files from the zip and use MI-Scanner.exe.
Description:
This is an anti-malware scanner application. I have tried to create a scanner that scans for malware on the basis of custom signatures. This comes in handy when we have analyzed a binary, concluded that it is malware, and want to eradicate it from the rest of the systems in the network (without having to remove it manually from each and every system).
--> NOTE -
-----------------------------------------------------------------
I am looking for people who can work further on upgrading this project.
Legal Copyright (C) 2008 - 2010 @ MalwareInfo.Org
-----------------------------------------------------------------
PEDetails DLL (173 KB)
Published: September 24, 2009
Aka: PE Enumeration DLL
File size: 173 KB (176,184 bytes)
Installation: Simply extract and use PEDetails.dll in your application by adding a reference to it.
Description:
The listing below shows the information the DLL enumerates for a binary (here, USB Protect.exe):
--> Credits -
-----------------------------------------------------------------
PEDetails - PE File Enumeration & Hashing
Legal Copyright (C) 2008 - 2009
-----------------------------------------------------------------
Developed By: Rajdeep Chakraborty
Email: rajdeep@malwareinfo.org
Website: www.malwareinfo.org
-----------------------------------------------------------------
--> String Hash - [test string "Rajdeep"]
MD5: 03D29CE63FA051D849BAFEB7DF4EF18A
SHA1: B1C8E5E98969868031AE2BDA6A621CC1839AA05B
--> Hash Information -
CRC32: 34E6E257
MD5: F7583B5285EE9AD794BEB019D84EE3B5
SHA1: 897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
--> File Information -
File Name: USB Protect.exe
File Size: 1.23MB (1,294,336 bytes)
Created On: Wednesday, August 26, 2009 2:57:15 AM
Modified On: Tuesday, June 23, 2009 7:01:02 AM
Last Access: Saturday, January 09, 2010 5:40:31 PM
Company: MalwareInfo.Org
Copyright: Copyright (C) 2008 - 2009
Trademarks: MalwareInfo.Org
Description: MalwareInfo.Org - USB Protect
Comments: MalwareInfo.Org - USB Protect
Internal Name: USB Protect
File Type: Application
File Version: 1.00
Product Version: 1.00
--> PE Information -
Characteristics: 0x10F
Machine: Intel 386 (0x014C)
OptionalHeader.Magic: 0x10B
NumberOfSections: 3
NumberOfSymbols: 0
Signature: PE
SizeOfOptionalHeader: 224 (32 Bit System)
TimeDateStamp: 6/23/2009 1:31:01 AM
--> Optional Header -
OptionalHeader.AddressOfEntryPoint: 0x224C
OptionalHeader.BaseOfCode: 0x00001000
OptionalHeader.BaseOfData: 0x00017000
OptionalHeader.MajorLinkerVersion: 6
OptionalHeader.MinorLinkerVersion: 0
OptionalHeader.SizeOfCode: 88.0KB (90,112 bytes)
OptionalHeader.SizeOfInitializedData: 1.15MB (1,204,224 bytes)
OptionalHeader.SizeOfUninitializedData: 0 bytes
--> NT Header -
NTHEADER.CheckSum: 0x14B75D
NTHEADER.DllCharacteristics: 0
NTHEADER.FileAlignment: 0x00001000
NTHEADER.ImageBase: 0x00400000
NTHEADER.LoaderFlags: 0
NTHEADER.MajorImageVersion: 1
NTHEADER.MajorOperatingSystemVersion: 4
NTHEADER.MajorSubsystemVersion: 4
NTHEADER.MinorImageVersion: 0
NTHEADER.MinorOperatingSystemVersion: 0
NTHEADER.MinorSubsystemVersion = retNTHeader.MinorSubsystemVersion
NTHEADER.NumberOfRvaAndSizes: 16
NTHEADER.SectionAlignment: 4096
NTHEADER.SizeOfHeaders: 4.00KB (4,096 bytes)
NTHEADER.SizeOfHeapCommit: 4.00KB (4,096 bytes)
NTHEADER.SizeOfHeapReserve: 1.00MB (1,048,576 bytes)
NTHEADER.SizeOfImage: 1.26MB (1,318,912 bytes)
NTHEADER.SizeOfStackCommit: 4.00KB (4,096 bytes)
NTHEADER.SizeOfStackReserve: 1.00MB (1,048,576 bytes)
NTHEADER.Subsystem: 2
Much more...
Command Line Enumeration Tool (160 KB)
Published: March 02, 2009
Aka: Enumerate (Enum)
File size: 160 KB
Installation: Simply extract Enum.exe and run it from the command prompt.
Description:
Shown below are some examples from Enum:
Usage: Enum [:process][:enumproc][:kill=<pid>][:portproc][:filter][:showall]
[:details=<file>*][:peinfo=<file>*][:clearlog]
:process -> Show all running PROCESSES
:enumproc -> Show path of running PROCESSES
:kill=<pid> -> Kill a PROCESS with PID
:portproc -> Show all running PROCESSES and associated ports
:filter -> Show 'Non-Microsoft' SYSTEM files
:showall -> Show all SYSTEM files
:details=<file> -> Shows the details of a binary
:peinfo=<file> -> Shows the PE details of a binary
:clearlog -> Clear contents of Enum Log file
* <file> -> PE FIle (.exe, .dll, .ocx, .sys, .drv, .cpl, .scr)
For more details about PE FIles refer to the below link:
http://en.wikipedia.org/wiki/Portable_Executable
ENUM 1.0.103 - Command Line Enumeration Tool
Copyright (C) 2008 - 2009 Rajdeep Chakraborty
MalwareInfo.Org - www.malwareinfo.org
C:\>enum :details=C:\WINDOWS\system32\notepad.exe
File Name : notepad.exe
File Size : 67.5KB (69,120 bytes)
File MD5 : 5E28284F9B5F9097640D58A73D38AD4C
Company : Microsoft Corporation
Description: Notepad
Copyright : Microsoft Corporation. All rights reserved.
Version : 5.1.2600.5512..
Sub Type :
Created : Wednesday, August 04, 2004 12:56:56 AM
Modified : Monday, April 14, 2008 5:42:30 AM
Accessed : Monday, March 02, 2009 12:09:32 AM
Attrib.. : A
C:\>enum :portproc
Port to process enumeration
Lists only processes assigned to ports
TCP-[Port: 25]-[PID: 1768]-inetinfo.exe-Microsoft Corporation
TCP-[Port: 80]-[PID: 1768]-inetinfo.exe-Microsoft Corporation
UDP-[Port: 123]-[PID: 0]-SYSTEM-Microsoft Corporation
TCP-[Port: 135]-[PID: 1552]-svchost.exe-Microsoft Corporation
UDP-[Port: 161]-[PID: 0]-SYSTEM-Microsoft Corporation
TCP-[Port: 443]-[PID: 1768]-inetinfo.exe-Microsoft Corporation
UDP-[Port: 500]-[PID: 0]-SYSTEM-Microsoft Corporation
TCP-[Port: 990]-[PID: 2876]-rapimgr.exe-Microsoft Corporation
Personal Malware DataBase (1.07 MB)
Published: February 18, 2009
Aka: Personal Malware DataBase
File size: 1.07 MB (1,078 KB)
Installation: Simply extract all and run Personal Malware Database.exe. Personal Malware Database also comes with an automatic malware binary downloader, analyzer and mailer module.
Personal Malware DataBase Folder Structure: (figure)
Description:
Personal Malware Database helps you automatically download undetected malware binaries from the internet, scan them and generate reports on the fly. It stores the analysis reports in the 'Downloads' folder. It also creates a 'Zip' folder inside the 'Downloads' folder, where it creates .zip files containing the malware binary and the reports. Once all the malware links listed in the 'Download.Links' file have been scanned and the files downloaded and analyzed, you can select the 'Mail...' button to send these undetected malware samples to most of the major AV vendors. Personal Malware Database, as the name suggests, also comes with a searchable DB (MS Access) that keeps track of all the files submitted and analyzed. A detailed manual will be published later.
This application is useful, but may appear amateurish and a little buggy; still, it is a must for people who are seriously submitting and analyzing malware. I will try to keep this application updated as well. Please send me your feedback about this application at Rajdeep at MalwareInfo.Org.
Warning:
--------------------------
If you want to learn about malware analysis methodologies, it is recommended that you create a small infrastructure as described in the Malware Analysis How To article:
http://www.malwareinfo.org/files/MalwareAnalysisHow2.pdf
Then you can try out various things while keeping your important data and systems secure.
I WOULD NOT RECOMMEND PMD TO BE USED BY ANY NOVICE USERS. IT'S LIKE INVITING THE MALWARE TO YOUR SYSTEM, AND UNLESS YOU ARE FAMILIAR WITH MALWARE ANALYSIS ACTIVITIES, DO NOT USE PMD. PLEASE BE VERY CAREFUL WHILE DEALING WITH MALWARE. THESE ARE LIVE SAMPLES, AND IF THE ANTIVIRUS YOU ARE USING DOESN'T DETECT THEM, THEN YOU ARE OPEN TO GETTING INFECTED. DEAL WITH MALWARE ONLY WHEN YOU KNOW IT INSIDE AND OUT.
ALSO, DO NOT USE PMD IN YOUR CORPORATE ENVIRONMENT. PMD SHOULD BE USED IN STAND-ALONE, PROPERLY CONFIGURED VM SANDBOXES, NOT ON NETWORKED SYSTEMS OR PERSONAL SYSTEMS.
Join the www.malwareanalysis.org forum, where you can post your queries and also get resources that will help you.
--------------------------
USB Protect 1.0.0 (1.22 MB)
Published: January 23, 2009
Aka: USB Protect
File size: 1.22 MB (1,282,048 bytes)
Installation: Simply extract and run USB Protect.exe
Description:
USB Protect runs in the background and monitors DBT_DEVICEARRIVAL events. When it receives a DBT_DEVICEARRIVAL event, it checks whether the device is REMOVABLE media such as a USB drive. If so, it determines the drive letter and checks for the existence of Autorun.inf and the malware binary that is launched through it. On a positive detection, it deactivates both the malware binary and the Autorun.inf file, and it gives a voice confirmation when an Autorun.inf file is detected on the USB drive. Deactivation means renaming: the malware binary gets a .blocked extension and Autorun.inf a .usb extension, so nothing is deleted or lost. It then creates a blank, harmless autorun file so that the Open With window does not appear when the USB drive is clicked.

USB Protect will save log files in C:\USBProtectLog with names like
USBProtectLog_23012009_163525.log
Shortcut keys:
CTRL + NUM 1 --> Shows application window
CTRL + NUM 2 --> Shows About Me window
Sample log file entries will look like:
1/23/2009 4:46:15 PM: WM_DEVICECHANGE 537
1/23/2009 4:46:15 PM: wParam = DBT_DEVICEARRIVAL
<---- detects device insertions
1/23/2009 4:46:15 PM: Device Type: DBT_DEVTYP_DEVICEINTERFACE
1/23/2009 4:46:15 PM: Device Name: STORAGE
<---- detects if storage is USB Removable drive
1/23/2009 4:46:15 PM: Vendor\Product ID: REMOVABLEMEDIA
1/23/2009 4:46:15 PM: Device Unique ID: 7&14A32F0A&0&RM
1/23/2009 4:46:15 PM: Device CLSID: {53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}
1/23/2009 4:46:15 PM: Drive Letter: I
<---- detects drive letter
1/23/2009 4:46:15 PM: Renamed To: I:\USBProtect_23012009_164615.usb
1/23/2009 4:46:15 PM: Autorun Detected In Drive I
1/23/2009 4:46:15 PM: Autorun Path: I:\USBProtect_23012009_164615.usb
<---- renames autorun.inf
1/23/2009 4:46:15 PM: Autorun Content: <----
displays the autorun.inf text
[AutoRun]
> open=Malware.exe
<---- shows the malware binary
shell\open=Malware
> shell\open\Command=Malware.exe
shell\explore=Malware
> shell\explore\Command="Malware.exe"
1/23/2009 4:46:16 PM: Binary Renamed To: I:\Malware.blocked
<---- deactivates malware binary
Unknown Malware Remover (376 KB)
Published: July 30, 2008
Aka: Unknown Malware Remover
File size: 376 KB (385,055 bytes)
Prerequisite: XMD5.dll (provided along with the utility inside UMR.Zip)
Installation: Simply extract and run MalwareInfo-UMRSignature (MalwareInfo-UMRSignature.exe)
Description:
Unknown Malware Remover, or UMR for short, is a tool for malware researchers and advanced users to get rid of malware that is not detected by the installed AV software.
USB Activity Monitor (236 KB)
Published: June 28, 2008
Aka: USBMalwareStopper
Version: 1.0.0
Copyright: MalwareInfo.Org
File size: 236 KB (241,664 bytes)
Prerequisite: .NET Framework 2.0
Installation: Simply extract and run USBActivityMonitor (USBActivityMonitor.exe)
Description:
USBActivityMonitor (aka USBMalwareStopper) is an application that runs in the background and monitors all drives (fixed and removable) to detect the creation of autorun.inf files. In recent times there has been an increase in malware that spreads via USB pen drives. I am sure every one of us has been troubled by these absolutely nasty pieces of malware that cause various unwanted activities on our computers. Given the frequency with which newer variants come out, on numerous occasions they go undetected by the antivirus software running on your computer. The AV vendors are finding it quite difficult to add the signatures of these variants to their daily virus definition updates. As a result, the menace and threat posed by these ever-increasing variants are quite significant.

USBActivityMonitor quietly monitors the activities of USB pen drives from the time they are plugged in until the time they are unplugged. USBActivityMonitor will not just protect your computer from this malware, but also makes sure that others don't get infected by your USB pen drive: if it finds malware on your USB pen drive, it renders it inactive.
However, there are various USB utilities, viz. data backup tools and file encryption tools, that also run automatically from the USB pen drive when it is plugged into the system. To make USBActivityMonitor smarter, I have provided a feature by which you can generate the MD5 hash of these useful tools present on your USB pen drive and place them in the exclusion list. When an autorun.inf calls the corresponding file, USBActivityMonitor checks whether the MD5 of the called app is present in its exclusion list. If it is, USBActivityMonitor skips that file, making sure that legitimate files are not reported as false positives.
I hope you will like USBActivityMonitor; please feel free to let me know your experience with it. Also, please let me know if there are any bugs in the application.
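As an added illustration of the behaviour the USB Protect and USBActivityMonitor descriptions above lay out (this is example code written for this page, not code from the MalwareInfo.Org tools), the Python script below parses an autorun.inf, renames the binaries it launches to .blocked and the autorun.inf itself to .usb, writes a blank autorun.inf in its place, and skips any binary whose MD5 is on an exclusion list. The autorun.inf content is constructed from the log sample on this page plus a hypothetical shellexecute=Backup.exe line, with Backup.exe standing in for a whitelisted USB utility; it runs against a throw-away temporary directory, not a real drive.

```python
import hashlib
import re
import tempfile
from datetime import datetime
from pathlib import Path

# autorun.inf launch keys, capturing the program name (quoted or first token). The log on
# this page shows open= and shell\...\Command=; shellexecute= is the other standard key.
LAUNCH_KEY = re.compile(
    r'^(?:open|shellexecute|shell\\[^\\=\s]+\\command)\s*=\s*(?:"([^"]+)"|(\S+))', re.I)
# Constructed sample: the autorun.inf logged on this page plus one hypothetical backup tool.
SAMPLE_AUTORUN = ('[AutoRun]\nopen=Malware.exe\nshell\\open=Malware\n'
                  'shell\\open\\Command=Malware.exe\nshell\\explore=Malware\n'
                  'shell\\explore\\Command="Malware.exe"\nshellexecute=Backup.exe\n')

def referenced_binaries(text):
    """Drive-relative names an autorun.inf would launch; quotes and arguments handled."""
    matches = (LAUNCH_KEY.match(line.strip()) for line in text.splitlines())
    return {m.group(1) or m.group(2) for m in matches if m}

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest().upper()

def neutralise_drive(drive, exclusions=frozenset(), now=None):
    """Rename autorun.inf to .usb and each launched binary (unless MD5-excluded) to .blocked."""
    drive = Path(drive).resolve()
    inf = drive / 'autorun.inf'
    if not inf.is_file():
        return []
    actions = []
    for name in sorted(referenced_binaries(inf.read_text(errors='replace'))):
        target = (drive / name.replace('\\', '/')).resolve()
        # Stay on the drive: a crafted ..\ path must not make us rename files elsewhere.
        if drive not in target.parents or not target.is_file() or md5_of(target) in exclusions:
            continue
        actions.append((name, target.rename(target.with_suffix('.blocked')).name))
    renamed = drive / (now or datetime.now()).strftime('USBProtect_%d%m%Y_%H%M%S.usb')
    inf.rename(renamed)
    actions.append(('autorun.inf', renamed.name))
    inf.write_text('[AutoRun]\n')  # harmless placeholder so Explorer does not offer "Open With"
    return actions

def demo():  # throw-away 'drive' built from the constructed sample, then neutralised
    drive = Path(tempfile.mkdtemp())
    (drive / 'autorun.inf').write_text(SAMPLE_AUTORUN)
    (drive / 'Malware.exe').write_bytes(b'MZ constructed malware stand-in')
    (drive / 'Backup.exe').write_bytes(b'MZ constructed backup tool stand-in')
    excluded = {md5_of(drive / 'Backup.exe')}  # the user's whitelisted USB utility
    actions = neutralise_drive(drive, excluded, now=datetime(2009, 1, 23, 16, 46, 15))
    return actions, sorted(p.name for p in drive.iterdir())
```

Running demo() renames Malware.exe and the autorun.inf while leaving the whitelisted Backup.exe untouched, and the rename list it returns mirrors the "Renamed To" lines of the USB Protect log above.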
Malware Activity Watcher (212 KB)
Published: June 29, 2008
Aka: MalwareActivityWatcher
Version: 1.0.0.0
Copyright: MalwareInfo.Org
File size: 212 KB (217,088 bytes)
Prerequisite: .NET Framework 2.0
Installation: Simply extract and run MalwareActivityWatcher (MalwareActivityWatcher.exe)
Description:
MalwareActivityWatcher is an application that helps us track the activities of malware when it creates certain types of files on our Windows installation drive. It monitors the file system for activity involving file types such as "exe", "chm", "dll", "com", "cmd", "vbs", "pif", "hta", "sys", "bat" and "tmp". These file types are mainly used by malware to drop or initiate payloads.

You can also export the log
from MalwareActivityWatcher for later analysis.