Sunday, August 19, 2012

Quick and Dirty Python Malware Static Analysis script



I'm still having fun going through the Practical Malware Analysis book, but I started getting tired of all of the various tools that are presented in this book and in others (Malware Analyst's Cookbook and Gray Hat Python). So I decided to use Python scripts to automate the process of analyzing malware, starting with the pefile module that I covered in my previous writeup.

I then added a call to the strings command in my script to make sure I could also read the string information from the same Python script, and I located a great PowerPoint presentation, "Win32 Static Analysis in Python" by Ero Carrera of Sabre Security GmbH (http://www.recon.cx/en/f/lightning-ecarrera-win32-static-analysis-in-python.pdf). That presentation provides pretty much all of the code for the other portions of the script:
#Section Inspection
#Inspecting the Headers
#Imports

I have yet to see the H(data) entropy function work; I am curious about its functionality and will test it on other malware samples. (Stay tuned.)

Now that I have a great start for analyzing malware statically in a 32-bit environment, I will continue refining this script to make the output prettier and to filter out some of the garbage.

To Do:
  • Submit the file to VirusTotal or other online scanners (the code is in the Malware Analyst's Cookbook)
  • Hash the file and update my db with the values
  • Filter out garbage data whenever possible
  • Work with the various debuggers, including Immunity Debugger, and try to script most of the actions required to analyse malware in the same way
  • Start working with the debuggers



Working version of my script


###########################################################################


import pefile
import math
import os
import sys

# Use the path given on the command line, otherwise fall back to the lab sample.
if len(sys.argv) > 1:
    path = sys.argv[1]
else:
    path = 'C:/admin/Practical Malware Analysis Labs/BinaryCollection/Chapter_3L/Lab03-01.exe'
pe = pefile.PE(path)


def H(data):
    """Shannon entropy of a string of bytes, in bits per byte (0 to 8).
    Values close to 8 point at compressed or encrypted (packed) data."""
    if not data:
        return 0

    entropy = 0
    for x in range(256):
        p_x = float(data.count(chr(x)))/len(data)
        if p_x > 0:
            entropy += - p_x*math.log(p_x,2)

    return entropy

#Section Inspection #############################################################

#This will print strings to the screen - the strings must be in your windows path
#os.system() only returns the exit status; the strings output goes straight to the console

try:
    status = os.system("strings " + "\"" + path + "\"")
except OSError:
    print "Unable to run strings"

#################################################################################

print "\n"
print "This will print the Section inspection information"
print "\n"
for section in pe.sections:
    print (section.Name,
           hex(section.VirtualAddress),
           hex(section.Misc_VirtualSize),
           section.SizeOfRawData)

#Inspecting the Headers
###############################################################################

print "\n"
print "This will print the Headers in the file"
print "imageBase -->", hex(pe.OPTIONAL_HEADER.ImageBase)
print "AddressOfEntryPoint -->",  hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
print "NumberofSections -->",  hex(pe.FILE_HEADER.NumberOfSections)
print "\n"
################################################### Section Data File

#Entropy of each section. pefile sections have no plain .data attribute
#(that is why the except branch always fired); section.get_data() returns
#the raw bytes. pefile's own section.get_entropy() gives the same number
#and is handy for cross-checking H.
for section in pe.sections:

    try:
        print section.Name
        print H(section.get_data())
    except Exception:
        print ("No Section Data File")

# Imports
###############################################################

print "\n"
print "This will print the import of the file"
print "\n"

#A sample with no import directory at all would raise AttributeError here
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    for entry in pe.DIRECTORY_ENTRY_IMPORT:
        print entry.dll
        for imp in entry.imports:
            print '\t' , hex(imp.address), imp.name
else:
    print "No import directory"

############################################################################
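The H(data) function in the script is a Shannon entropy calculation, which is the usual quick packing check: a section whose bytes are spread almost uniformly over all 256 values (close to 8 bits per byte) is most likely compressed or encrypted, while a section full of zeros sits near 0. As an added example (my own illustration, not code from the original post or from Ero Carrera's slides), here is the same measurement written for Python 3 bytes objects, with a small triage labeller around it. The section names, the constructed section contents and the 7.0/1.0 thresholds are assumptions for illustration; the byte strings stand in for what pefile's section.get_data() would return.

```python
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy of a bytes object in bits per byte (0.0 .. 8.0).

    In Python 3 iterating bytes yields ints, so Counter gives the byte
    histogram directly (no chr(x).count() loop as in the Python 2 script)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_section(name, data, packed_threshold=7.0, empty_threshold=1.0):
    """Label one section from its entropy.

    Heuristic thresholds are an assumption for this example: near 8 bits/byte
    usually means compressed or encrypted content (a packed section), near 0
    means padding or zero-filled data."""
    h = shannon_entropy(data)
    if h >= packed_threshold:
        label = "likely packed/encrypted"
    elif h <= empty_threshold:
        label = "mostly padding/zeros"
    else:
        label = "plain code/data"
    return {"name": name, "size": len(data), "entropy": round(h, 3), "label": label}


def triage_sections(sections):
    """sections: iterable of (name, raw_bytes) pairs -> list of triage rows."""
    return [classify_section(name, data) for name, data in sections]


# Constructed sample "sections" (not from a real binary):
_rng = random.Random(1)  # fixed seed so the run is reproducible
SAMPLE_SECTIONS = [
    (".text", b"push ebp; mov ebp, esp; " * 64),            # repetitive code-like text
    (".rdata", b"\x00" * 512),                               # zero padding
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),  # random, like packed data
]

if __name__ == "__main__":
    for row in triage_sections(SAMPLE_SECTIONS):
        print(row)
```

Entropy alone is a hint, not proof: a large embedded resource (an image, a compressed payload) also scores high, so the per-section number is best read together with the section names, raw sizes and the import list printed by the script above.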


Sunday, August 12, 2012

Building a Practical Malware Analysis Environment using (Snort, SPLUNK, Python, Eclipse, md5deep, Dependency Walker, PeFile, UPX, WireShark, Nessus and VirtualBox)


This is my documentation space for future reference(s) in my current Malware Analysis adventure using the "Practical Malware Analysis" (The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig) book that I picked up at BlackHat this year.

The book's downloads can be located at the following -


There is an unencrypted file version and you can also download the encrypted files at the following location -



I will also post all supported files used in this project in my DropBox folder for future references.

Please note: there is heavy reference to using https://www.virustotal.com/ to scan all malware-ridden executables.

As part of this malware analysis project, I will also implement Snort and SPLUNK on the host machine in order to monitor the various logs coming from the VirtualBox PC on my network. The traffic should hold some very valuable information and lessons learned; please see my blog post concerning Splunk on Ubuntu.

http://ubuntumongol.blogspot.com/2012/07/installing-and-using-splunk-on-ubuntu.html

Here are my notes concerning Snort and installing it on my Ubuntu box with a VirtualBox interface.




sudo apt-get install snort

sudo snort -v -i vboxnet0 -c /etc/snort/snort.conf -l /var/log/snort/


This was a slight pain to start on my Ubuntu system, since I am using Firestarter to manage my firewall logs and I had to ensure that my wlan interface allowed internet sharing in order for my host box to communicate with my VirtualBox implementation.


Please see screenshot below for VirtualBox settings -





This is my FireStarter Setting to allow for network connectivity between my host system and virtualbox testing station.




Here is a quick reference on how to set up a quick dashboard in Splunk to monitor my /var/log/snort/ logs

  1. The first step is to ensure that you have included the snort logs in the data repository -


  2. The next step is to click on Files & Directories and ensure that it contains the correct file location; if you are using the *nix download, then /var/log should be set by default.







  • Fingerprint the Malware using MD5 hashes -

Need to install md5deep

http://md5deep.sourceforge.net/
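Fingerprinting with md5deep is the first step of the book's workflow, and the to-do list in my later script post has "hash the file and update my db". As an added example (my own code, not md5deep's and not from the book), here is that step in Python 3: hash a file in chunks, keep the MD5 so it lines up with md5deep output, add SHA-256 because MD5 is known to be collision-prone and a single MD5 is a weak identifier on its own, and store the result in an sqlite database so a repeat submission of a known sample is recognised instead of re-inserted. The sqlite schema, the table name and the fake sample content are assumptions for illustration; the file name is borrowed from the book's lab set.

```python
import hashlib
import io
import os
import sqlite3
import tempfile


def hash_stream(fobj, chunk_size=65536):
    """Return (md5, sha256) hex digests of a binary stream, read in chunks
    so a large sample never has to be loaded into memory at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    """Same digests for an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def open_db(db_path):
    """Create the samples table if needed. sha256 is the primary key;
    md5 is kept alongside for cross-checking against md5deep listings."""
    conn = sqlite3.connect(db_path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS samples ("
        "sha256 TEXT PRIMARY KEY, md5 TEXT NOT NULL, "
        "filename TEXT NOT NULL, size INTEGER NOT NULL)"
    )
    return conn


def record_sample(conn, path):
    """Hash a file and insert it. Returns (sha256, is_new); a sample whose
    sha256 is already known is reported as not new and left untouched."""
    md5, sha256 = hash_file(path)
    if conn.execute("SELECT 1 FROM samples WHERE sha256 = ?", (sha256,)).fetchone():
        return sha256, False
    conn.execute(
        "INSERT INTO samples VALUES (?, ?, ?, ?)",
        (sha256, md5, os.path.basename(path), os.path.getsize(path)),
    )
    conn.commit()
    return sha256, True


def demo():
    """Constructed walk-through: a fake 'executable' written to a temp dir and
    recorded twice. Returns (first_is_new, second_is_new, row_count, sha256)."""
    with tempfile.TemporaryDirectory() as tmp:
        # File name borrowed from the book's labs; the content is made up.
        sample = os.path.join(tmp, "Lab01-01.exe")
        with open(sample, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"not a real executable, constructed for this example\n")
        conn = open_db(os.path.join(tmp, "samples.db"))
        sha_a, first_new = record_sample(conn, sample)
        sha_b, second_new = record_sample(conn, sample)
        count = conn.execute("SELECT COUNT(*) FROM samples").fetchone()[0]
        conn.close()
        assert sha_a == sha_b
        return first_new, second_new, count, sha_a


if __name__ == "__main__":
    print(demo())
```

Hashing before anything else also gives you the value to look up on VirusTotal, and a stable key to file the later strings, section and import output against.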

Download strings and place it on my XP system and utilize this to read any text in any executable.

http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx
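The Sysinternals strings tool (and the os.system("strings ...") call in my script) prints every run of printable characters; what makes the output useful is that it also finds UTF-16 (wide) strings, which Windows binaries use heavily, and that you then sort the hits into things worth chasing (URLs, paths, DLL names). As an added example (my own code, not Sysinternals' and not from the original post), here is a small Python 3 equivalent that extracts both ASCII and UTF-16LE runs of at least four characters and tags them with a few indicator patterns. The sample byte blob, the tag names and the regular expressions are constructed for illustration.

```python
import re


def extract_strings(data, min_len=4):
    """Return [(offset, kind, text)] for printable ASCII and UTF-16LE runs of
    at least min_len characters, sorted by file offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE: each printable ASCII char is followed by a NUL byte.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    results = []
    for m in ascii_re.finditer(data):
        results.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        results.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    results.sort()
    return results


# Indicator tags, checked in order; the first match wins (assumed categories).
INDICATOR_PATTERNS = [
    ("url", re.compile(r"^(?:https?|ftp)://", re.I)),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("path", re.compile(r"^[A-Za-z]:\\")),
    ("dll", re.compile(r"\.dll$", re.I)),
]


def tag_string(text):
    for tag, pattern in INDICATOR_PATTERNS:
        if pattern.search(text):
            return tag
    return "other"


def summarize(data, min_len=4):
    """Group the extracted strings by tag, keeping file order within a tag."""
    groups = {}
    for _, _, text in extract_strings(data, min_len):
        groups.setdefault(tag_string(text), []).append(text)
    return groups


# Constructed sample blob (not a real PE): a stub header, two ASCII strings,
# a URL, a UTF-16LE path, and some noise that must not be reported.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"kernel32.dll\x00"
    + b"CreateFileA\x00"
    + b"http://example.invalid/update.php" + b"\x00\x00"
    + "C:\\Windows\\System32\\svchost.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02ab\x03"
)

if __name__ == "__main__":
    for offset, kind, text in extract_strings(SAMPLE):
        print("0x%04x %-5s %-5s %s" % (offset, kind, tag_string(text), text))
```

Note the double NUL after the URL in the sample: with only a single NUL, the wide-string pattern would latch onto the last ASCII character and report "pC:\Windows\...", which is exactly the kind of one-character-off artifact you see in real strings output and should learn to recognise rather than trust.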

Install Dependency Walker
"Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules." http://www.dependencywalker.com/

- Download PEiD to detect packed files (there is also a pefile Python script that will parse PEiD's signature databases) and install it on my XP system.

I started looking for a compatible Windows PEiD on the internet without any luck, so I decided to deviate from the book's examples and utilize Python in the Windows environment, since most of my favorite code is written in Python. - See Step 7

Install Python on Windows

I will install Python 2.5 only because I also work with the Gray Hat Python book and will utilize this environment image for all of those fun activities.

http://www.python.org/ftp/python/2.5/python-2.5.msi


Install Eclipse with Python on Windows -

http://www.rose-hulman.edu/Class/csse/resources/Eclipse/eclipse-python-configuration.htm


Installing pefile for Python so that I can write my own scripts to work with portable executables.


pefile
pefile is a Python module to read and work with PE (Portable Executable) files


http://code.google.com/p/pefile/downloads/detail?name=pefile-1.2.10-118.zip&can=2&q=

I created a quick python script to read all of the PE information for the books examples,

Code - pefile_dump.py
------------------------------------------------------
import pefile
import sys

pe = pefile.PE (sys.argv[1])
print pe.dump_info()
-------------------------------------------------------

Usage

python pefile_dump.py Lab01-01.exe


I did find a really great and functional Windows GUI tool that will perform the same function but with XML reporting capabilities, so it will save some serious programming time


http://www.winitor.com/


Download UPX for packed files

http://upx.sourceforge.net/



Download Wireshark and install on Client and Host System

http://www.wireshark.org/download.html

Download Nessus and install on the Host and Client System

http://www.nessus.org/products/nessus/select-your-operating-system


The last step is to take a snapshot and back up your VirtualBox image so you can revert to a clean operating system state when playing with malware.