
[Analysis Tools] Malicious Document Analysis Tools (Malware Analysis Tools)

by 잡다한 처리, 2010. 7. 22.

This post introduces tools that are necessary, or at least convenient, for analyzing malicious files.

This non-comprehensive list of tools covers some of the ones that I use most often. I also included some that may be used as additional resources to make certain tasks easier.


Ariad - “Ariad started as a tool to prevent inserted USB sticks from executing code.”

http://blog.didierstevens.com/programs/ariad/



XueTr - Chinese Anti-Rootkit tool

http://xuetr.com/download/XueTr.zip


BinText - "A small, very fast and powerful text extractor that will be of particular interest to programmers. It can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text and Resource strings, providing useful information for each item in the optional "advanced" view mode"

http://www.foundstone.com/us/resources/proddesc/bintext.htm


Capture-BAT - "Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available."

https://www.honeynet.org/node/315


DLLInject - “DLLInject is a simple command-line utility for loading a DLL into a target process's address space, by using the CreateRemoteThread API to execute LoadLibraryA.”

http://research.eeye.com/html/tools/RT20060801-6.html


Fiddler - “Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet.”

http://www.fiddler2.com


FileAlyzer - “FileAlyzer allows a basic analysis of files (showing file properties and file contents in hex dump form) and is able to interpret common file contents like resources structures (like text, graphics, HTML, media and PE).”

http://www.safer-networking.org/en/filealyzer/index.html


F-Secure BlackLight - "F-Secure BlackLight is a tool that detects files, folders and processes hidden from the user and other programs. BlackLight is also able to remove hidden malware by renaming them."

ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe


GMER - http://www.gmer.net/


Helios - "Helios is an advanced malware detection system that has been designed to detect, remove and inoculate against modern rootkits. What makes it different from conventional antivirus / antispyware products is that it does not rely on a database of known signatures."

http://helios.miel-labs.com/


HijackThis - "Scan your computer to find settings changed by spyware, malware or other unwanted programs. Trend Micro HijackThis generates an in-depth report to enable you to analyze and fix your infected computer"

http://free.antivirus.com/hijackthis/


IceSword - "IceSword has a Windows Explorer-like interface but displays hidden processes and resources that Windows Explorer would never show."

http://www.antirootkit.com/software/IceSword.htm


JSUnpack - "The main difference is that it is a completely passive JavaScript decoder to perform Intrusion Detection, by processing network traffic (either an interface or pcap file), rather than URLs."

http://jsunpack.jeek.org/jsunpack-n.tgz


LordPE - "LordPE is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit,..."

http://www.woodmann.com/collaborative/tools/images/Bin_LordPE_2007-10-21_1.48_LordPE_1.41_Deluxe_b.zip


Malcode Analyst Pack - "The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis. "

http://labs.idefense.com/software/download/?downloadID=8


Malzilla - "Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for use in exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of webpages and all the HTTP headers. It gives you various decoders to try and deobfuscate javascript as well."

http://malzilla.sourceforge.net/



McAfee FileInsight - "FileInsight is a handy integrated tool environment for web site and file analysis. Hex editing, syntax highlighting, and it comes with several built-in decoders, built-in calculator, a disassembler, JavaScript scripting support, a Python-based plugin system and many more."

http://download.nai.com/products/mcafee-avert/fileinsight.zip


McAfee Rootkit Detective - "McAfee Rootkit Detective Beta is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system."

http://vil.nai.com/vil/stinger/rkstinger.aspx


McAfee Stinger - "Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations."

http://vil.nai.com/vil/stinger/


MS Sysinternals Tools - Especially Process Explorer, TCPView and Strings.

http://technet.microsoft.com/en-us/sysinternals/default.aspx


Ollydbg - "OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable."

http://www.ollydbg.de/


OllyDbg Plugins - http://www.openrce.org/downloads/browse/OllyDbg_Plugins


PEiD - "PEiD detects most common packers, cryptors and compilers for PE files. "

http://www.peid.info/


PEInfo - "PEInfo is a program for a detailed analysis of the 32-bit EXE, DLL, OCX, BPL files and other produced according to Portable Executable File Format specification."

http://www.pazera-software.com/products/peinfo/


ProcessHacker - “Process Hacker is a feature-packed tool for manipulating processes and services on your computer.”

http://processhacker.sourceforge.net/


Regshot - "Regshot is an open-source(GPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product."

http://sourceforge.net/projects/regshot/


RootkitRevealer - "RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit."

http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx


Rootkit UnHooker - http://www.antirootkit.com/software/RootKit-Unhooker.htm


SpiderMonkey - "SpiderMonkey is the code-name for the Mozilla's C implementation of JavaScript."

http://www.mozilla.org/js/spidermonkey/


SpiderMonkey - DidierStevens Version - "My SpiderMonkey is a modified version of Mozilla’s C implementation of JavaScript, with some extra functions to help with malware analysis."

http://blog.didierstevens.com/programs/spidermonkey/


SysAnalyzer - "SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. "

http://labs.idefense.com/software/download/?downloadID=15


User Mode Process Dumper - "The User Mode Process Dumper (userdump) dumps any running Win32 process's memory image (including system processes such as csrss.exe, winlogon.exe, services.exe, etc.) on the fly, without attaching a debugger or terminating target processes."

http://download.microsoft.com/download/8/c/d/8cde0b73-d917-4130-9027-b3fa5b37467c/UserModeProcessDumper8_1_2929_5.exe


WinApiOverride32 - "WinAPIOverride32 is an advanced API monitoring software. You can monitor and/or override any function of a process. This can be done for API functions or executable internal functions."

http://jacquelin.potier.free.fr/winapioverride32/