This weblog tells the story of my software development and anything related to computer security.

Malware Playground

by Kamil Alta | Sunday, November 29, 2009 | comments (0)


Around 3 months ago I started developing a sandbox tool that makes it easy to analyse any malware sample and generate at least basic information from it. I named it Malware Playground because it 'plays' with almost any Windows program inside it. It sounds funny, like a kid playing with a knife while wearing a shield. The program itself was developed in Microsoft Visual Basic 6 and works together with more than 20 other programs.



At this moment the program includes all the features required for malware analysis. Here are some of them:
+ Save the report in text and HTML format.
+ Analysis can be started at your own choice; for example, you can dump process memory instead of running all of the functions (Registry, Dump, Handle, String, Port, Files and Folders, AV alias and so on).
+ Works on the Windows platform (in VMware or Virtual PC).
+ Works together with Sandboxie.
+ Drag and drop, with a warning before analysis starts.



Malware Playground is still in development and some advanced features are still in progress. Here is the list of features currently in development:
+ Network activities.
+ Process activities.
+ Smart suggestion and recommendation technologies.
+ More AV alias detection.
+ Security risk level parameter.
+ An official website for useful information and services.
+ Integration with a web interface that allows users to upload their malware samples.
+ Save all known threat objects into a database.
+ Map the origin location of each malware sample and visualise it on a global map.

While this tool is still in progress I am unable to provide a fully compiled program for testing, but you can leave a comment and suggest more features.

Extract AutoIt Script

by Kamil Alta | Thursday, September 25, 2008 | comments (0)

This is a fairly old technique for extracting an AutoIt script from a compiled EXE file, especially malware. You can follow this tutorial in my video uploaded to YouTube.

Extract AutoIt Script Video Tutorial



This extraction method actually depends on the AutoIt version. Currently the tutorial shows how to extract the script from an EXE built with AutoIt version 3.2.2.0. Other versions will be available soon.

AT4RE FastScanner

by Kamil Alta | Thursday, September 22, 2005 | comments (0)

AT4RE FastScanner is a packer, PE info, compiler and cryptor detector with plug-in capabilities. This tool works like other packer detectors and gives users an alternative.





An example showing a PE file being analysed, with all basic information displayed.


The PE sections, with all available offsets.


The disassembler is another advantage, letting the user analyse the file and find useful instructions.


AT4RE FastScanner can be downloaded from:
Here

PROTECTiON iD

by Kamil Alta | Wednesday, September 21, 2005 | comments (0)

Another small tool with great features. When I downloaded the latest version the interface had changed, which is a little confusing for users new to it, but again this great tool comes with special features.



Features

- detection of every major PC ISO Game / App protection
- sector scanning CDs / DVDs for Copy Protections
- covers more than 430 (different!) protections including exe protectors, .net protectors, packers, dongles, licenses & installers
- files / folders can simply be drag & dropped into pid (link files will be resolved too)
- strong scanning routines allowing it to detect multiple protections in one file
- easy scanning via shell context menu
- useful misc tools included
- coded 100% in Win32 assembly language
- fully 32bit & 64bit compliant
- working on every Windows OS from Win9x to Windows Vista
- no additional files are required (like VB Runtimes, MSVC dlls or ASPI drivers)


PROTECTION ID can be downloaded from:
Here

ExeInfo PE

by Kamil Alta | Tuesday, September 21, 2004 | comments (0)

ExeInfo PE shares some features with PEiD but adds extra functions that make it easier and faster to use, such as the following.





The main interface is very similar to PEiD but with some great extra functionality.


With the Rip button all resources can be extracted at once and saved into the current directory.


From the Tools menu the user can get a lot of information from inside PE files, such as registry keys, the OEP, saving the resource section, an XOR permutator (to easily reverse any obfuscated string such as ROT13) and many more.


The File menu offers multiple options for acting on the analysed file. WYSIWYG.


EXEInfo PE can be downloaded from:
http://www.exeinfo.xwp.pl

PEiD - PE Identifier

by Kamil Alta | Tuesday, September 21, 2004 | comments (0)

This small tool has big features for those who want to extract information from PE files.



PEiD has its own special features:
1. It has a superb GUI and the interface is really intuitive and simple.
2. Detection rates are amongst the best given by any other identifier.
3. Special scanning modes for *advanced* detections of modified and unknown files.
4. Shell integration, Command line support, Always on top and Drag'n'Drop capabilities.
5. Multiple file and directory scanning with recursion.
6. Task viewer and controller.
7. Plugin Interface with plugins like Generic OEP Finder and Krypto ANALyzer.
8. Extra scanning techniques used for even better detections.
9. Heuristic Scanning options.
10. New PE details, Imports, Exports and TLS viewers.
11. New built in quick disassembler.
12. New built in hex viewer.
13. External signature interface which can be updated by the user.

Well, I have used it for a long time and it is a great and fast tool for getting PE information without needing to install anything.

PEiD can be downloaded from here:
http://www.peid.info
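What PEiD's entry-point signature scan and the section/offset view of the AT4RE FastScanner post boil down to, as an added Python example (not PEiD's or FastScanner's code): parse the PE headers, list the sections with their raw offsets, map the entry point RVA to a file offset and compare the bytes there against wildcard signatures. The signature strings, the simplified signature format and the sample PE image are all constructed for this example, not entries from PEiD's userdb.

```python
import struct

# Constructed byte signatures ("??" = wildcard); illustrative stand-ins, not PEiD userdb entries.
SIGNATURES = {"UPX entry stub (pushad; mov esi,imm; lea edi,[esi+imm])": "60 BE ?? ?? ?? ?? 8D BE",
              "Frame-pointer prologue (push ebp; mov ebp,esp)": "55 8B EC"}

def parse_pe(data):
    """Return (AddressOfEntryPoint RVA, section table) read from the PE headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)   # COFF: NumberOfSections, SizeOfOptionalHeader
    opt = e_lfanew + 24                                                  # optional header follows the COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return entry_rva, sections

def rva_to_offset(rva, sections):
    """Map an RVA to (file offset, section name); the offset is None where the section has no raw data."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            delta = rva - s["va"]
            return (s["raw_ptr"] + delta if delta < s["raw_size"] else None), s["name"]
    return None, None

def match_signature(data, offset, sig):
    toks = sig.split()
    return offset + len(toks) <= len(data) and all(t == "??" or data[offset + i] == int(t, 16) for i, t in enumerate(toks))

def identify(data):
    """PEiD-style report: section table, entry point location and the signatures matching at the entry point."""
    entry_rva, sections = parse_pe(data)
    offset, sec_name = rva_to_offset(entry_rva, sections)
    hits = [n for n, s in SIGNATURES.items() if offset is not None and match_signature(data, offset, s)]
    return {"entry_rva": entry_rva, "entry_section": sec_name, "entry_offset": offset, "matches": hits, "sections": sections}

def build_sample_pe():
    """Constructed PE32 image shaped like a UPX-packed file: UPX0 has no raw data, the entry stub sits in UPX1."""
    opt = struct.pack("<HBBIIIIII", 0x10B, 2, 25, 0x200, 0, 0x5000, 0x6010, 0x6000, 0x6000).ljust(224, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    sec = lambda n, vs, va, rs, rp: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0xE0000080)
    hdr = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt
           + sec(b"UPX0", 0x5000, 0x1000, 0, 0x400) + sec(b"UPX1", 0x1000, 0x6000, 0x200, 0x400))
    body = bytearray(0x200)
    body[0x10:0x1C] = bytes.fromhex("60 BE 00 60 40 00 8D BE 00 A0 FF FF")   # stub bytes placed at RVA 0x6010
    return hdr.ljust(0x400, b"\0") + bytes(body)
```

Running `identify(build_sample_pe())` reports the entry point at RVA 0x6010 in UPX1 (file offset 0x410) with the UPX stub signature matched, while `rva_to_offset(0x1100, sections)` returns no file offset for UPX0: that section is empty on disk and only filled at runtime, which is why the OllyDump and LordPE posts below need a memory dump to reach the original code.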

Explorer Suite

by Kamil Alta | Sunday, September 19, 2004 | comments (0)

This is one of the most advanced freeware tool sets for reverse code engineering. Created by Daniel Pistelli, it is a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64: special field descriptions and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. It is the first PE editor with support for .NET internal structures, and its resource editor (Windows Vista icons supported) is capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

- Explorer Suite (Multi-Platform Version, Recommended)
- Explorer Suite (x86 Version)
- CFF Explorer (x86 Version, stand-alone, Zip Archive)

- CFF Explorer Extensions Repository 





CFF Explorer was designed to make PE editing as easy as possible without losing sight of the portable executable's internal structure. The application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface.



Features:

  • Process Viewer
  • Windows Viewer
  • PE and Memory Dumper
  • Full support for PE32/64
  • Special fields description and modification (.NET supported)
  • PE Utilities
  • PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
  • View and modification of .NET internal structures
  • Resource Editor (full support for Windows Vista icons)
  • Support in the Resource Editor for .NET resources (dumpable as well)
  • Hex Editor
  • Import Adder
  • PE integrity checks
  • Extension support
  • Visual Studio Extensions Wizard
  • Powerful scripting language
  • Dependency Walker
  • Quick Disassembler (x86, x64, MSIL)
  • Name Unmangler
  • Extension support
  • File Scanner
  • Directory Scanner
  • Deep Scan method
  • Recursive Scan method
  • Multiple results
  • Report generation
  • Signatures Manager
  • Signatures Updater
  • Signatures Collisions Checker
  • Signatures Retriever

TrID - File Identifier

by Kamil Alta | Sunday, September 19, 2004 | comments (0)

TrID is a utility designed to identify file types from their binary signatures. While similar utilities have hard-coded rules, TrID has none. Instead, it is extensible and can be trained to recognise new formats in a fast and automatic way.
TrID has many uses: identifying what kind of file was sent to you via e-mail, aiding forensic analysis, supporting file recovery, etc.
TrID uses a database of definitions which describe recurring patterns for the supported file types. As this is updated very frequently, it is made available as a separate package. Just download both TrID and this archive and unpack them in the same folder.

The database of definitions is constantly expanding; the more definitions are available, the more accurate the analysis of an unknown file can be. You can help! Use the program both to recognise unknown file types and to develop new definitions that can be added to the library. See the TrIDScan page for information about how you can help. Just run the TrIDScan module against a number of files of a given type; the program will do the rest.
Because TrID uses an expandable database it will never be out of date. As new file types become available you can run the scan module against them and help keep the program up to date. Other people around the world will be doing the same, making the database a dynamic and living thing. If you have special file formats that only you use, you can also add them to your local database, making their identification easier.
To get you started, the current library of definitions is up to 3833 file types and growing fast.
TrID is simple to use. Just run TrID and point it at the file to be analysed. The file will be read and compared with the definitions in the database. Results are presented in order of highest probability.




For more information and download click here.
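The train-then-score loop the TrID text describes (derive a definition from sample files of a known type, then rank an unknown file's matches by probability), as an added Python example that is not TrID's or TrIDScan's code. The definition format (byte runs at fixed offsets), the scoring (one point per matched byte, a definition dropped if any run fails) and the PNG-like and GIF-like training samples are simplified assumptions constructed here, not TrID's real XML definitions or point system.

```python
import struct

PNG_MAGIC = bytes.fromhex("89504E470D0A1A0A0000000D49484452")   # PNG signature + IHDR length/type, fixed in every PNG

def png_file(w, h, tail):   # constructed PNG-like header: signature, IHDR, width, height, depth/colour/etc, then tail
    return PNG_MAGIC + struct.pack(">II", w, h) + b"\x08\x06\x00\x00\x00" + tail

def gif_file(w, h, tail):   # constructed GIF-like header: "GIF89a", LE width/height, packed flags, bg, aspect, tail
    return b"GIF89a" + struct.pack("<HH", w, h) + b"\xf7\x00\x00" + tail

# Constructed training sets: three files of each format with varying dimensions and varying tails.
PNG_SAMPLES = [png_file(w, h, bytes(range(i * 7, i * 7 + 20))) for i, (w, h) in enumerate([(16, 16), (1024, 768), (2, 2)])]
GIF_SAMPLES = [gif_file(w, h, bytes(range(i, i + 20))) for i, (w, h) in enumerate([(10, 20), (300, 200), (1, 1)])]

def learn_definition(name, samples, min_run=2):
    """TrIDScan-style training: keep the byte runs that are identical at the same offset in every sample."""
    n = min(len(s) for s in samples)
    patterns, start = [], None
    for i in range(n + 1):
        same = i < n and all(s[i] == samples[0][i] for s in samples)
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_run:
                patterns.append((start, samples[0][start:i]))
            start = None
    return {"name": name, "patterns": patterns}

def score(data, definition):
    """Points = bytes matched; a definition is discarded entirely if any of its runs fails to match."""
    points = 0
    for offset, pattern in definition["patterns"]:
        if data[offset:offset + len(pattern)] != pattern:
            return 0
        points += len(pattern)
    return points

def identify(data, definitions):
    """Rank matching definitions by their share of total points, the way TrID prints percentages."""
    scored = [(score(data, d), d["name"]) for d in definitions]
    total = sum(p for p, _ in scored)
    return sorted(((n, round(100.0 * p / total, 1)) for p, n in scored if p), key=lambda r: -r[1])

DEFINITIONS = [
    learn_definition("PNG image (learned)", PNG_SAMPLES),
    learn_definition("GIF image (learned)", GIF_SAMPLES),
    {"name": "PNG (signature only)", "patterns": [(0, PNG_MAGIC[:8])]},   # hand-written, deliberately broader
]
```

`identify(png_file(640, 480, b"\xaa" * 20), DEFINITIONS)` ranks the learned PNG definition (25 points) above the signature-only one (8 points), 75.8% to 24.2%; a 320x480 GIF scores nothing because every GIF training sample had a height below 256, so the constant high byte was learned as part of the definition, which is exactly why the TrIDScan page asks for many samples per type.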

OllyDump for OllyDebugger

by Kamil Alta | Sunday, September 19, 2004 | comments (0)

OllyDump is one of the advanced memory dumping tools. It is easy to use as an OllyDbg plugin. Once the process is being debugged at runtime it will automatically search for the PE sections. But this tool does not automatically give you the OEP of a compressed PE file; you still have to find the OEP offset manually and write it into the OllyDump window. The picture below shows how the OllyDump plugin dumps a UPX packed file.



Just add the OEP you found to the Modify box and hit the Dump button to save the dumped file. You can edit the listed sections for your own purposes. This way you can easily dump a PE file without needing to highlight all the debugged code and choose 'Follow in Dump > Selection', which sometimes does not produce an accurate result.

You can find OllyDump here or here.

LordPE Deluxe

by Kamil Alta | Sunday, September 19, 2004 | comments (0)


LordPE Deluxe has for a long time been one of the greatest tools for dumping processes from memory. It was developed by yoda. Here is what this tool can do:

+ Dump a process from memory and save it as a file.
+ Dump a process module.
+ Get basic information about the PE header.
+ Rebuild any PE file (realign, wipe relocations, rebuild the import table, etc.).



The author's website could be reached at http://y0da.cjb.net, but I guess it no longer exists. You can try to get it from here.



