Tag: analysis

Malware, Malware Analysis

Extract patterns of interest from suspicious files

Balbuzard is a package of malware analysis tools in Python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc.). It can also crack malware obfuscation such as XOR, ROL, etc. by brute-forcing and checking for those patterns. Balbuzard tools: balbuzard is a tool to extract patterns …

Penetration Testing

Data Exfiltration – Evasion – Social Engineering

Cloakify Toolset * Data Exfiltration In Plain Sight * Evade DLP/MLS Devices * Social Engineering of Analysts * Evade AV Detection * Text-based steganography using lists. Python scripts to cloak / uncloak payloads using list-based ciphers (text-based steganography). Allows you to transfer data across a secure network's perimeter without triggering alerts, defeating data whitelisting controls, …

Malware Analysis

Analyze Microsoft Office OLE2 files

libolecf is a library to access the OLE 2 Compound File (OLECF) format. The OLE 2 Compound File format is used to store certain versions of Microsoft Office files, thumbs.db and other file formats. Source code: download from GitHub. git clone https://github.com/libyal/libolecf Note: the git repository holds the development version of …

Malware Analysis

Malware Memory Footprint Analysis

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images. VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis. VolDiff can also …

Debugging, Forensics

Debug processes using ptrace and python

python-ptrace is a debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python. Features * High-level Python object API: PtraceDebugger and PtraceProcess * Able to control multiple processes: catch fork events on Linux * Read/write bytes to arbitrary address: takes care of memory alignment and splits bytes to …

Disassembler, Reverse Engineering

Fast Disassembler-Decomposer Library

diStorm is a lightweight, easy-to-use and fast disassembler/decomposer library for x86/AMD64. A decomposer means that you get a binary structure that describes an instruction rather than a textual representation. Features * Access to CPU flags that were affected by the instruction. * Basic flow control analysis support. * AVX and FMA instruction set support. * Complete …

Security

Protocol Analysis-Decoder Framework

ChopShop is a MITRE-developed framework to aid analysts in the creation and execution of pynids-based decoders and detectors of APT tradecraft. Note that ChopShop is still in perpetual beta and depends on libnids/pynids for the majority of its underlying functionality. Documentation for ChopShop can be found on ReadTheDocs. Pynids: pynids is a …

Forensics, Malware Analysis

Automater – IP URL and MD5 OSINT Analysis

Automater is a URL/Domain, IP address, and MD5 hash OSINT tool aimed at making the analysis process easier for intrusion analysts. Given a target (URL, IP, or hash) or a file full of targets, Automater will return relevant results from sources like the following: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault, and VirusTotal. Options …

Honeypot, Malware Analysis

Glastopf – Web Application Honeypot

Glastopf is a honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: reply with the response the attacker expects when exploiting the web application. This tool is designed to capture information on the latest web application attacks using a scalable and easy-to-deploy …

Disassembling, Reverse Engineering

Windows Disassembler for 64-bit & 32-bit Programs

PEBrowse64 Professional (v6.3) is a 64-bit executable and requires the .NET Framework. It will display both Win32 and Win64 executables: native, managed and mixed. PEBrowse Professional (v10.1.4) is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies. With the PEBrowse disassembler, one can open and examine any executable without the need to …