Usr6

Malware Analyst's Cookbook



Here is a list of the recipes:

Anonymizing Your Activities

  • Anonymous Web Browsing with Tor
  • Wrapping Wget and Network Clients with Torsocks
  • Multi-platform Tor-enabled Downloader in Python
  • Forwarding Traffic Through Open Proxies
  • Using SSH Tunnels to Proxy Connections
  • Privacy-enhanced Web Browsing with Privoxy
  • Anonymous Surfing with Anonymouse.org
  • Internet Access Through Cellular Networks
  • Using VPNs with Anonymizer Universal

Honeypots

  • Collecting Malware Samples with Nepenthes
  • Real-time Attack Monitoring with IRC Logging
  • Accepting Nepenthes Submissions over HTTP in Python
  • Collecting Malware Samples with Dionaea
  • Accepting Dionaea Submissions over HTTP in Python
  • Real-time Event Notification and Binary Sharing with XMPP
  • Analyzing and Replaying Attacks Logged by Dionaea
  • Passive Identification of Remote Systems with p0f
  • Graphing Dionaea Attack Patterns with SQLite3 and Gnuplot

Malware Classification

  • Examining Existing ClamAV Signatures
  • Creating a Custom ClamAV Database
  • Converting ClamAV Signatures to YARA
  • Identifying Packers with YARA and PEiD
  • Detecting Malware Capabilities with YARA
  • File Type Identification and Hashing in Python
  • Writing a Multiple-AV Scanner in Python
  • Detecting Malicious PE Files in Python
  • Finding Similar Malware with ssdeep
  • Detecting Self-modifying Code with ssdeep
  • Comparing Binaries with IDA and BinDiff

Sandboxes and Multi-AV Scanners

  • Scanning Files with VirusTotal
  • Scanning Files with Jotti
  • Scanning Files with NoVirusThanks
  • Database-enabled Multi-AV Uploader in Python
  • Analyzing Malware with ThreatExpert
  • Analyzing Malware with CWSandbox
  • Analyzing Malware with Anubis
  • Writing AutoIT Scripts for Joebox
  • Defeating Path-dependent Malware with Joebox
  • Defeating Process-dependent DLLs with Joebox
  • Setting an Active HTTP Proxy with Joebox
  • Scanning for Artifacts with Sandbox Results

Domains and IP Addresses

  • Researching Domains with WHOIS
  • Resolving DNS Hostnames
  • Obtaining IP WHOIS Records
  • Querying Passive DNS with BFK
  • Checking DNS Records with Robtex
  • Performing a Reverse IP Search with DomainTools
  • Initiating Zone Transfers with dig
  • Brute-forcing Subdomains with dnsmap
  • Mapping IP Addresses to ASNs via Shadowserver
  • Checking IP Reputation with RBLs
  • Detecting Fast Flux with Passive DNS and TTLs
  • Tracking Fast Flux Domains with Tracker
  • Static Maps with Maxmind, Matplotlib and pygeoip
  • Interactive Maps with Google Charts API

Malicious Documents and URLs

  • Analyzing JavaScript with Spidermonkey
  • Automatically Decoding JavaScript with Jsunpack
  • Optimizing Jsunpack-n Decodings for Speed and Completeness
  • Triggering Exploits by Emulating Browser DOM Elements
  • Extracting JavaScript from PDF Files with pdf.py
  • Triggering Exploits by Faking PDF Software Versions
  • Leveraging Didier Stevens's PDF Tools
  • Determining which Vulnerabilities a PDF File Exploits
  • Disassembling Shellcode with DiStorm
  • Emulating Shellcode with Libemu
  • Analyzing Microsoft Office Files with OfficeMalScanner
  • Debugging Office Shellcode with DisView and MalHost-Setup
  • Extracting HTTP Files from Packet Captures with Jsunpack
  • Graphing URL Relationships with Jsunpack

Malware Labs

  • Routing TCP/IP Connections in Your Lab
  • Capturing and Analyzing Network Traffic
  • Simulating the Internet with INetSim
  • Manipulating HTTP/HTTPS with Burp Proxy
  • Using Joe Stewart's Truman
  • Preserving Physical Systems with Deep Freeze
  • Cloning and Imaging Disks with FOG
  • Automating FOG Tasks with the MySQL Database

Automation

  • Automated Malware Analysis with VirtualBox
  • Working with VirtualBox Disk and Memory Images
  • Automated Malware Analysis with VMware
  • Capturing Packets with TShark via Python
  • Collecting Network Logs with INetSim via Python
  • Analyzing Memory Files with Volatility
  • Putting All the Sandbox Pieces Together
  • Automated Analysis with Zero Wine and QEMU
  • Automated Analysis with Sandboxie and Buster

Dynamic Analysis

  • Logging API Calls with Process Monitor
  • Change Detection with Regshot
  • Receiving File System Change Notifications
  • Receiving Registry Change Notifications
  • Handle Table Diffing
  • Exploring Code Injection with HandleDiff
  • Watching Bankpatch.C Disable Windows File Protection
  • Building an API Monitor with Microsoft Detours
  • Following Child Processes with your API Monitor
  • Capturing Process, Thread, and Image Load Events
  • Preventing Processes from Terminating
  • Preventing Malware from Deleting Files
  • Preventing Drivers from Loading
  • Using the Data Preservation Module
  • Creating a Custom Command Shell with ReactOS

Malware Forensics

  • Discovering Alternate Data Streams with TSK
  • Detecting Hidden Files and Directories with TSK
  • Finding Hidden Registry Data with Microsoft's Offline API
  • Bypassing Poison Ivy's Locked Files
  • Bypassing Conficker's File System ACL Restrictions
  • Scanning for Rootkits with GMER
  • Detecting HTML Injection by Inspecting IE's DOM
  • Registry Forensics with RegRipper Plug-ins
  • Detecting Rogue Installed PKI Certificates
  • Examining Malware that Leaks Data into the Registry

Debugging Malware

  • Opening and Attaching to Processes
  • Configuring a JIT Debugger for Shellcode Analysis
  • Getting Familiar with the Debugger GUI
  • Exploring Process Memory and Resources
  • Controlling Program Execution
  • Setting and Catching Breakpoints
  • Using Conditional Log Breakpoints
  • Debugging with Python Scripts and PyCommands
  • Detecting Shellcode in Binary Files
  • Investigating Silentbanker's API Hooks
  • Manipulating Process Memory with WinAppDbg Tools
  • Designing a Python API Monitor with WinAppDbg

De-Obfuscation

  • Reversing XOR Algorithms in Python
  • Detecting XOR Encoded Data with yaratize
  • Decoding Base64 with Special Alphabets
  • Isolating Encrypted Data in Packet Captures
  • Finding Crypto with SnD Reverser Tool, FindCrypt, and Kanal
  • Porting OpenSSL Symbols with Zynamics BinDiff
  • Decrypting Data in Python with PyCrypto
  • Finding OEP in Packed Malware
  • Dumping Process Memory with LordPE
  • Rebuilding Import Tables with ImpREC
  • Cracking Domain Generation Algorithms
  • Decoding Strings with x86emu and Python

Working with DLLs

  • Enumerating DLL Exports
  • Executing DLLs with rundll32.exe
  • Bypassing Host Process Restrictions
  • Calling DLL Exports Remotely with rundll32ex
  • Debugging DLLs with LOADDLL.EXE
  • Catching Breakpoints on DLL Entry Points
  • Executing DLLs as a Windows Service
  • Converting DLLs to Standalone Executables

Kernel Debugging

  • Local Debugging with LiveKd
  • Enabling the Kernel's Debug Boot Switch
  • Debug a VMware Workstation Guest (on Windows)
  • Debug a Parallels Guest (on Mac OS X)
  • Introduction to WinDbg Commands and Controls
  • Exploring Processes and Process Contexts
  • Exploring Kernel Memory
  • Catching Breakpoints on Driver Load
  • Unpacking Drivers to OEP
  • Dumping and Rebuilding Kernel Drivers
  • Detecting Rootkits with WinDbg Scripts
  • Kernel Debugging with IDA Pro

Memory Forensics with Volatility

  • Dumping Memory with MoonSols Windows Memory Toolkit
  • Remote, Read-only Memory Acquisition with F-Response
  • Accessing Virtual Machine Memory Files
  • Volatility in a Nutshell
  • Investigating Processes in Memory Dumps
  • Detecting DKOM Attacks with psscan
  • Exploring csrss.exe's Alternate Process Listings
  • Recognizing Process Context Tricks

Memory Forensics: Code Injection & Extraction

  • Hunting Suspicious Loaded DLLs
  • Detecting Unlinked DLLs with ldr_modules
  • Exploring Virtual Address Descriptors (VAD)
  • Translating Page Protections
  • Finding Artifacts in Process Memory
  • Identifying Injected Code with Malfind and YARA
  • Rebuilding Executable Images from Memory
  • Scanning for Imported Functions with impscan
  • Dumping Suspicious Kernel Modules

Memory Forensics: Rootkits

  • Detecting IAT hooks
  • Detecting EAT hooks
  • Detecting Inline API hooks
  • Detecting Interrupt Descriptor Table (IDT) Hooks
  • Detecting Driver IRP Hooks
  • Detecting SSDT Hooks
  • Automating Damn Near Everything with ssdt_ex
  • Finding Rootkits with Detached Kernel Threads
  • Identifying System-wide Notification Routines
  • Locating Rogue Service Processes with svcscan
  • Scanning for Mutex Objects with mutantscan

Memory Forensics: Network and Registry

  • Exploring Socket and Connection Objects
  • Analyzing the Network Artifacts Left by Zeus
  • Detecting Attempts to Hide TCP/IP Activity
  • Detecting Raw Sockets and Promiscuous NICs
  • Analyzing Registry Artifacts with Memory Registry Tools
  • Sorting Keys by Last Written Timestamp
  • Using Volatility with RegRipper

Hotfile.com: One click file hosting: Mal-Analist.rar

Edited by Usr6
