Utilities
List of small utilities that may be run standalone to assist with static binary analysis or as modules supporting a broader program.
- ADD - Script for addition of byte values using commonly observed techniques in malware.
- APIHASH - Generate API hashes using previously observed techniques and store them in a database.
- APLIBDUMPER - Extracts, decompresses, and dumps embedded payloads compressed using aPLib to disk using the MD5 of the decompressed data as the filename.
- B64DUMP - Script to search, decode, and dump candidate Base64 data.
- BRUTE_XOR - Attempt to brute force an XOR key.
- BYTEFLIP - Script for flipping (swapping) each pair of byte values.
- COBALTSTRIKE_MALLEABLE_RESTORE - Restore section, module, and function names to stagers.
- COMGUIDTOYARA - Enumerate and convert a supplied list of IIDs for COM interfaces to binary Yara signatures.
- DOTNETDUMPER - Script that dumps information within content streams and resources of a .NET file.
- ENTROPYCALC - Script that calculates entropy based on a provided file.
- FINDAPIHASH - Script that works with data generated by apihash script. Searches supplied shellcode binary for any API hash matches and then dumps the results.
- GENRSA - Generate private and public certificates using RSA given key attribute values.
- GENSIG - Generate YARA signatures based on code using various generator schemes.
- GUID_RECOVERY - Fetch embedded .NET GUIDs.
- HASHES - Get various hashes on supplied filename.
- HIDDENCAB - Script that searches for hidden CAB files and restores them to disk.
- KILLASLR - Patches PE files to disable ASLR security feature.
- NEGATE - Script for negation of byte values.
- PECARVER - Checks for embedded PE files.
- PEPDB - Display PE debug information if present.
- PERESOURCES - Display embedded PE resources and optionally dump them to disk. Entries with '-' are unlabeled.
- PETIMESTAMP - Take a series of provided files and print the extracted PE timestamps, alongside other information like the filename and MD5.
- REVERSE_BYTES - Reverse data stream.
- ROTATE - Script for bitwise rotation of byte values.
- SSL_CERT - Script that can scan for, and retrieve, a list of SSL certificates hashes.
- SUB - Script for subtraction of byte values using commonly observed techniques in malware.
- SUPERSTRINGS - Module for enhanced strings enumeration. Aims to provide users with access to ascii, wide, and stack strings observed in a binary.
- VTINSPECT - Search and retrieve data from VirusTotal database using private API feature set.
- XOR - Apply commonly observed instances of xor encoding to a supplied buffer and return the result.
- XOR_PAIRWISE - Apply pairwise xor encoding to a supplied buffer and return the result.
Simple script for addition of byte values using commonly observed techniques in malware.
malutil-add -h
usage: malutil-add [-h] [-v] [-o OFFSET] [-s SIZE] [-c COUNT] [-sn] [-sk]
infile key
Process data stream and add each byte by the supplied key. Numeric values may
be provided as regular integers or hexadecimal with the '0x' prefix.
positional arguments:
infile Data stream to process. (stdin, denoted by a '-').
key Single or multibyte key value. May be supplied as an
integer or as a hex value with the '0x' prefix.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
-o OFFSET, --offset OFFSET
Starting point within the supplied buffer to begin
processing.
-s SIZE, --size SIZE The total number of bytes to process. Defaults to size
of supplied data.
-c COUNT, --count COUNT
Interval to increment key value on each byte
iteration. Range of 0x00 - 0xff.
-sn, --skip-nulls When processing the buffer, skip all null ('0x00')
bytes.
-sk, --skip-key Skip bytes that match the supplied key value.
This is a simple program that operates on binary data supplied as a file or from STDIN. Examples below draw from the following data.
hexdump -Cv 1.bin
00000000 00 00 00 00 00 23 17 18 22 cf 18 22 cf 10 cf 23 |.....#..".."...#|
00000010 14 22 23 51 51 51 51 51 |."#QQQQQ|
Apply single byte key and perform add operation on bytes...
cat 1.bin | malutil-add - 0x51 | hexdump -Cv
00000000 51 51 51 51 51 74 68 69 73 20 69 73 20 61 20 74 |QQQQQthis is a t|
00000010 65 73 74 a2 a2 a2 a2 a2 |est.....|
Apply single byte key and skip nulls...
cat 1.bin | malutil-add - 0x51 -sn | hexdump -Cv
00000000 00 00 00 00 00 74 68 69 73 20 69 73 20 61 20 74 |.....this is a t|
00000010 65 73 74 a2 a2 a2 a2 a2 |est.....|
Skip nulls and skip the key...
cat 1.bin | malutil-add - 0x51 -sn -sk | hexdump -Cv
00000000 00 00 00 00 00 74 68 69 73 20 69 73 20 61 20 74 |.....this is a t|
00000010 65 73 74 51 51 51 51 51 |estQQQQQ|
Specify the size and offset of the data to target...
cat 1.bin | malutil-add - 0x51 -sn -sk -s 14 -o 5 | hexdump -Cv
00000000 74 68 69 73 20 69 73 20 61 20 74 65 73 74 |this is a test|
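The transform behind the four runs above, written out as an added example (this is not malchive's own implementation). It reproduces the documented behaviour: the key is added modulo 256, only the window selected by the offset and size is emitted, `-sn` leaves null bytes alone and `-sk` leaves bytes equal to the key alone. How a multibyte key is split into bytes and how `--count` advances the key are assumptions made here, and the 24-byte sample buffer is the `1.bin` shown in the hexdump.

```python
import argparse
import sys


def parse_num(text):
    """Accept decimal or 0x-prefixed hexadecimal, as the tool's help describes."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def key_to_bytes(key):
    """Split an integer key into big-endian bytes: 0x51 -> [0x51], 0x5152 -> [0x51, 0x52].
    The byte order used for multibyte keys is an assumption of this example."""
    out = []
    while key:
        out.insert(0, key & 0xff)
        key >>= 8
    return out or [0]


def add_bytes(data, key, offset=0, size=None, count=0, skip_nulls=False, skip_key=False):
    """Add the key to each byte of data[offset:offset + size] modulo 256 and return only
    that window (the -o/-s output above contains nothing else). A multibyte key cycles
    through the window. `count` is added to the key byte after every processed byte
    (assumed to wrap at 0xff). `skip_nulls` leaves 0x00 bytes untouched; `skip_key`
    leaves bytes equal to the current key byte untouched."""
    if size is None:
        size = len(data) - offset
    window = data[offset:offset + size]
    keys = key_to_bytes(key)
    out = bytearray()
    for i, b in enumerate(window):
        slot = i % len(keys)
        k = keys[slot]
        if (skip_nulls and b == 0) or (skip_key and b == k):
            out.append(b)
        else:
            out.append((b + k) & 0xff)
        if count:
            keys[slot] = (k + count) & 0xff
    return bytes(out)


# The 24-byte buffer from the hexdump of 1.bin above.
SAMPLE = bytes.fromhex(
    "00 00 00 00 00 23 17 18 22 cf 18 22 cf 10 cf 23 "
    "14 22 23 51 51 51 51 51"
)


def main(argv=None):
    """Minimal command line mirroring malutil-add's options."""
    ap = argparse.ArgumentParser(description="Add a key to each byte of a data stream.")
    ap.add_argument("infile", help="file to process, or '-' for stdin")
    ap.add_argument("key", type=parse_num)
    ap.add_argument("-o", "--offset", type=parse_num, default=0)
    ap.add_argument("-s", "--size", type=parse_num, default=None)
    ap.add_argument("-c", "--count", type=parse_num, default=0)
    ap.add_argument("-sn", "--skip-nulls", action="store_true")
    ap.add_argument("-sk", "--skip-key", action="store_true")
    args = ap.parse_args(argv)
    if args.infile == "-":
        data = sys.stdin.buffer.read()
    else:
        with open(args.infile, "rb") as fh:
            data = fh.read()
    sys.stdout.buffer.write(add_bytes(data, args.key, args.offset, args.size, args.count,
                                      args.skip_nulls, args.skip_key))


if __name__ == "__main__":
    main()
```

`python add_example.py - 0x51 -sn -sk -s 14 -o 5 < 1.bin` prints `this is a test`, matching the last run above.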
Generate API hashes using previously observed techniques and store them in a database. Already included in this package is apihashes.db, which includes hashes generated using this script from advapi32.dll, IPHLPAPI.DLL, kernel32.dll, msvcrt.dll, ntdll.dll, urlmon.dll, user32.dll, wininet.dll, ws2_32.dll, and wtsapi32.dll.
malutil-apihash -h
usage: malutil-apihash [-h] [-v] [-db DATABASE_NAME] [FILE [FILE ...]]
Generate an sqlite database of API hashes using algorithms commonly observed
in shellcode. Input files must be valid Windows DLLs.
positional arguments:
FILE Full path to the DLL(s) to be processed.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
-db DATABASE_NAME, --database-name DATABASE_NAME
Name of database file to be generated. (default:
apihashes.db)
Simply point to a file or a directory containing DLLs for which you want to generate hashes.
The following hashing algorithms are currently supported:
- Standard add char and rotate 0xd
- Standard add char and rotate 0x7
- CRC32
- CRC32 with null appended
- JSHash
- Metasploit hashing
- Carberp hashing
In our example we have several Windows DLLs that have export functions commonly observed in shellcode.
$ ls
advapi32.dll IPHLPAPI.DLL kernel32.dll msvcrt.dll ntdll.dll urlmon.dll user32.dll wininet.dll ws2_32.dll wtsapi32.dll
Run the script and your database will be generated.
malutil-apihash.py -v *
INFO:__main__:Generating hashes for advapi32.dll...
INFO:__main__:Found 854 export entries...
INFO:__main__:Adding 5971 hashes to database...
INFO:__main__:Inserted 5971 new entries in 0:00:03.709112...
INFO:__main__:Generating hashes for IPHLPAPI.DLL...
INFO:__main__:Found 280 export entries...
INFO:__main__:Adding 1960 hashes to database...
INFO:__main__:Inserted 1960 new entries in 0:00:01.521276...
INFO:__main__:Generating hashes for kernel32.dll...
INFO:__main__:Found 1616 export entries...
INFO:__main__:Adding 11312 hashes to database...
INFO:__main__:Inserted 11312 new entries in 0:00:09.403407...
INFO:__main__:Generating hashes for msvcrt.dll...
INFO:__main__:Found 1396 export entries...
INFO:__main__:Adding 9772 hashes to database...
INFO:__main__:Inserted 9772 new entries in 0:00:04.269118...
INFO:__main__:Generating hashes for ntdll.dll...
INFO:__main__:Found 2291 export entries...
INFO:__main__:Adding 16030 hashes to database...
INFO:__main__:Inserted 16030 new entries in 0:00:09.483294...
INFO:__main__:Generating hashes for urlmon.dll...
INFO:__main__:Found 298 export entries...
INFO:__main__:Adding 882 hashes to database...
INFO:__main__:Inserted 882 new entries in 0:00:01.090976...
INFO:__main__:Generating hashes for user32.dll...
INFO:__main__:Found 846 export entries...
INFO:__main__:Adding 5810 hashes to database...
INFO:__main__:Inserted 5810 new entries in 0:00:03.074741...
INFO:__main__:Generating hashes for wininet.dll...
INFO:__main__:Found 325 export entries...
INFO:__main__:Adding 2079 hashes to database...
INFO:__main__:Inserted 2079 new entries in 0:00:01.697258...
INFO:__main__:Generating hashes for ws2_32.dll...
INFO:__main__:Found 195 export entries...
INFO:__main__:Adding 1365 hashes to database...
INFO:__main__:Inserted 1365 new entries in 0:00:01.212643...
INFO:__main__:Generating hashes for wtsapi32.dll...
INFO:__main__:Found 61 export entries...
INFO:__main__:Adding 427 hashes to database...
INFO:__main__:Inserted 427 new entries in 0:00:00.729703...
Complete! Hashes saved to apihashes.db
Extracts, decompresses, and dumps embedded payloads compressed using aPLib to disk, using the MD5 of the decompressed data as the filename.
malutil-aplibdumper -h
usage: malutil-aplibdumper [-h] [-v] [-t TARGET_DIRECTORY] [-s]
[FILE [FILE ...]]
Extracts, decompresses, and dumps embedded payloads compressed using aPLib to
disk using the MD5 of the decompressed data as the filename. This is done by
evaluating an embedded structure that preceeds aPLib compressed content.
positional arguments:
FILE Full path to the file(s) to be processed.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
-t TARGET_DIRECTORY, --target-directory TARGET_DIRECTORY
Target directory to write files. Defaults to executing
directory.
-s, --suppress-write Prevent results from being written to disk. Opting
instead for just a table view of the results.
The script processes each file and aggregates a list of embedded aPLib objects for extraction.
malutil-aplibdumper d78fd670770fca08fa6d24554ccab739.vt -s
INFO:__main__:Processing file d78fd670770fca08fa6d24554ccab739.vt...
INFO:__main__:Found 15 compressed files in d78fd670770fca08fa6d24554ccab739.vt...
+----------------------------------+--------+----------+------------+
| MD5 | Size | Offset | CRC32 |
+==================================+========+==========+============+
| 40d6431a7eecdaed02990fec49096e04 | 131072 | 0x2274a | 0x7fd22a9a |
+----------------------------------+--------+----------+------------+
| f74db931c2c2f33ce06f57e5944c8ba3 | 131072 | 0x30ac5 | 0x34a01fa3 |
+----------------------------------+--------+----------+------------+
| 845fbc1194238c35f7082b75c21d329f | 131072 | 0x3f563 | 0x42e2974d |
+----------------------------------+--------+----------+------------+
| 28b59f4fc7b4cd699ea1eb4b9ae18e6e | 131072 | 0x50e6f | 0xa5e4f60b |
+----------------------------------+--------+----------+------------+
| c383066f0d9f040e6bed7158a2b7fc33 | 131072 | 0x614d9 | 0xe3c352e8 |
+----------------------------------+--------+----------+------------+
| 0259fa6d53a423bf9d658cf98dc35d2e | 131072 | 0x6bdf2 | 0xf531b272 |
+----------------------------------+--------+----------+------------+
| c8c2cdd2a3e25b97ff2d2c84c3edb2e2 | 131072 | 0x7dbbc | 0x5090893 |
+----------------------------------+--------+----------+------------+
| 42742d94f43ccdcf00513279161d7fdf | 23552 | 0x8f339 | 0x8c4bc1f5 |
+----------------------------------+--------+----------+------------+
| 8a262a2ea39759384d750b6f89a03acb | 131072 | 0x1a0d4a | 0x2eceb63b |
+----------------------------------+--------+----------+------------+
| 664024889d8c48a83fbfec43bf77ea75 | 131072 | 0x1acdd1 | 0x31933fcd |
+----------------------------------+--------+----------+------------+
| 8a49d285f85440b33968b2a5ed61b75f | 131072 | 0x1b91db | 0xdf551218 |
+----------------------------------+--------+----------+------------+
| 632d2a2a0c332d3369a1a69de1139d78 | 29184 | 0x1c549c | 0x4b4b25b |
+----------------------------------+--------+----------+------------+
| d2d90aa771da806a7b28433a1ee698ad | 810 | 0x1c8f4d | 0x59fda1e5 |
+----------------------------------+--------+----------+------------+
| 4412cacc3a4b4ec53f38b621ba8eab0a | 16544 | 0x1c9290 | 0x88078fcd |
+----------------------------------+--------+----------+------------+
| b75025e850d47f2e7901867af7cf44d9 | 13995 | 0x1ccb20 | 0xcba12efe |
+----------------------------------+--------+----------+------------+
Simple module for flipping a pair of byte values, a technique commonly observed in malware.
malutil-byteflip -h
usage: malutil-byteflip [-h] [-v] [-o OFFSET] [-s SIZE] infile
Process data stream and swap each byte. Numeric values may be provided as
regular integers or hexadecimal with the '0x' prefix.
positional arguments:
infile Data stream to process. (stdin, denoted by a '-').
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
-o OFFSET, --offset OFFSET
Starting point within the supplied buffer to begin
processing.
-s SIZE, --size SIZE The total number of bytes to process. Defaults to size
of supplied data.
This is a simple program that operates on binary data supplied as a file or from STDIN. Examples below draw from the following data.
hexdump -Cv 1.bin
00000000 5a 4d 00 90 00 03 00 00 00 04 00 00 ff ff 00 00 |ZM..............|
00000010 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 |.........@......|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 |................|
00000040 1f 0e 0e ba b4 00 cd 09 b8 21 4c 01 21 cd 68 54 |.........!L.!.hT|
00000050 73 69 70 20 6f 72 72 67 6d 61 63 20 6e 61 6f 6e |sip orrgmac naon|
00000060 20 74 65 62 72 20 6e 75 69 20 20 6e 4f 44 20 53 | tebr nui nOD S|
00000070 6f 6d 65 64 0d 2e 0a 0d 00 24 00 00 00 00 00 00 |omed.....$......|
Simple flipping of values...
cat 1.bin | malutil-byteflip - | hexdump -Cv
00000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 |MZ..............|
00000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 |........@.......|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 |................|
00000040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00000050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00000060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00000070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
Specifying a specific size and offset...
cat 1.bin | malutil-byteflip - -o 0x4e -s 0x26 | hexdump -Cv
00000000 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e |This program can|
00000010 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f |not be run in DO|
00000020 53 20 6d 6f 64 65 |S mode|
Process a stream of binary data and search for Base64 candidates meeting specific length criteria. Decode and dump the candidates to disk.
malutil-b64dump -h
usage: malutil-b64dump [-h] [-v] [-s] [-t TARGET_DIRECTORY] [-m MODIFIER]
[FILE [FILE ...]]
Parse provided files and extract and decode candidate Base64 data streams.
positional arguments:
FILE Full path to the file(s) to be processed.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
-s, --suppress-write Prevent results from being written to disk. Opting
instead for just a table view of the results.
-t TARGET_DIRECTORY, --target-directory TARGET_DIRECTORY
Target directory to write files. Defaults to executing
directory.
-m MODIFIER, --modifier MODIFIER
Amount of Base64 characters encountered before a
string is recognized (default is 500).
malutil-b64dump olevba.out -s
+------------+--------+----------------------------------+
| Filename | Size | MD5 |
+============+========+==================================+
| olevba.out | 747520 | 44be97629c008dcbe23c56d7ce26cb37 |
+------------+--------+----------------------------------+
| olevba.out | 542040 | 0376a6998db5e59852da41c57f8b6ef6 |
+------------+--------+----------------------------------+
| olevba.out | 33980 | 443e453ef7c696fc46369a7c0f261531 |
+------------+--------+----------------------------------+
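The candidate search described above, as an added example rather than malchive's own code: a run of at least `modifier` Base64 alphabet characters is treated as a candidate, decoded with strict validation (retrying after trimming to a multiple of four characters, since a run often ends mid-quantum), and reported by size and MD5 the way the table does. The VBA-like text and the 600-byte payload embedded in it are constructed here; the function and variable names are this example's own.

```python
import base64
import binascii
import hashlib
import os
import re


def _decode(run):
    """Strict decode; on a bad tail, retry with the run cut to a multiple of 4 chars."""
    for candidate in (run, run[: len(run) // 4 * 4]):
        try:
            return base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue
    return None


def find_base64_candidates(blob, modifier=500):
    """Return (offset, decoded_bytes, md5) for every run of at least `modifier`
    Base64 characters (optionally '=' padded) that decodes cleanly."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % modifier)
    found = []
    for m in pattern.finditer(blob):
        decoded = _decode(m.group(0))
        if decoded is not None:
            found.append((m.start(), decoded, hashlib.md5(decoded).hexdigest()))
    return found


def dump_candidates(blob, target_dir=None, modifier=500):
    """Rows of (offset, size, md5) like the table above; with a target directory the
    decoded data is written to <md5> files (the -t option), otherwise nothing is
    written (the -s option)."""
    rows = []
    for offset, decoded, md5 in find_base64_candidates(blob, modifier):
        rows.append((offset, len(decoded), md5))
        if target_dir is not None:
            with open(os.path.join(target_dir, md5), "wb") as fh:
                fh.write(decoded)
    return rows


# Constructed stand-in for olevba.out: VBA-like text carrying one 600-byte payload
# (800 Base64 characters) and one short string that stays below the default modifier.
PAYLOAD = bytes(range(256)) * 2 + b"\x00" * 88
SAMPLE = (b"Dim buf As String\n"
          b"buf = \"" + base64.b64encode(PAYLOAD) + b"\"\n"
          b"short = \"" + base64.b64encode(b"too short to count") + b"\"\n")
```

`dump_candidates(open("olevba.out", "rb").read(), "out/")` would mirror a run without `-s`; the default modifier of 500 keeps ordinary identifiers and short strings out of the results.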
Process candidate and attempt to brute force an XOR key using hamming distance, coincidence index, and known plaintext. Prints results in table format. Key is computed based on the start of the offset specified.
usage: malutil-brute_xor [-h] [-o OFFSET] [-s SAMPLE_SIZE] [-v] [FILE ...]
Process candidate and attempt to brute force an XOR key using hamming distance,
coincidence index, and known plaintext. Prints results in table format. Key is
computed based on the start of the offset specified.
positional arguments:
FILE candidate file(s).
optional arguments:
-h, --help show this help message and exit
-o OFFSET, --offset OFFSET
Starting point within the supplied buffer to begin sampling
the data. Should represent a rough idea where the XOR'd
data starts. Defaults to start of file.
-s SAMPLE_SIZE, --sample-size SAMPLE_SIZE
The total number of bytes to sample for candidate key size.
This should comprise an area you know to be encrypted with
XOR. Defaults to 1024.
-v, --verbose Output additional information when processing (mostly for
debugging purposes).
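The three techniques the help text names, worked through as an added example (not malchive's implementation). Key size is ranked by index of coincidence (a Hamming-distance ranking is provided as the alternative), each column is then solved as single-byte XOR by scoring the output for English, or, when a known plaintext such as the DOS stub message is available, the key stream is read straight off the ciphertext. Because multiples of the true key size score just as well, recovered keys are reduced to their smallest period. The English paragraph, the key `key` and every function name here are constructed for the example; `-o`/`-s` correspond to slicing the input to `data[offset:offset + sample_size]` before calling these functions.

```python
from collections import Counter


def xor_with_key(data, key):
    """Repeating-key XOR (the same operation encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hamming_score(ct, k):
    """Mean normalised Hamming distance between consecutive k-byte blocks; the true
    key size and its multiples tend to give the lowest value."""
    blocks = [ct[i:i + k] for i in range(0, len(ct) - k + 1, k)]
    pairs = list(zip(blocks, blocks[1:]))
    bits = sum(bin(x ^ y).count("1") for a, b in pairs for x, y in zip(a, b))
    return bits / (len(pairs) * k)


def ioc_score(ct, k):
    """Mean index of coincidence of the k columns ct[i::k]. A column that is English
    under a single key byte sits near 0.066 or above; a mix of key bytes sits far lower."""
    total = 0.0
    for i in range(k):
        col = ct[i::k]
        n = len(col)
        total += sum(c * (c - 1) for c in Counter(col).values()) / (n * (n - 1))
    return total / k


def guess_key_size(ct, max_size=16, method="ioc"):
    """Best key size by index of coincidence (default) or Hamming distance."""
    sizes = range(1, max_size + 1)
    if method == "hamming":
        return min(sizes, key=lambda k: hamming_score(ct, k))
    return max(sizes, key=lambda k: ioc_score(ct, k))


def smallest_period(key):
    """b'keykey' -> b'key'; a key guessed at a multiple of its real size collapses."""
    for p in range(1, len(key) + 1):
        if len(key) % p == 0 and key == key[:p] * (len(key) // p):
            return key[:p]
    return key


# Letters weighted in rough English frequency order; spaces score highest and
# unprintable output is penalised hard.
LETTER_WEIGHT = dict(zip(b"etaoinshrdlcumwfgypbvkjxqz", range(26, 0, -1)))


def english_score(text):
    score = 0
    for b in text:
        if b == 0x20:
            score += 30
        elif 0x61 <= (b | 0x20) <= 0x7a:
            score += LETTER_WEIGHT[b | 0x20]
        elif b in (0x09, 0x0a, 0x0d) or 0x20 <= b < 0x7f:
            pass
        else:
            score -= 100
    return score


def recover_key_by_frequency(ct, k):
    """Solve each column as single-byte XOR: keep the byte whose output reads most like English."""
    key = bytes(max(range(256), key=lambda b: english_score(bytes(c ^ b for c in ct[i::k])))
                for i in range(k))
    return smallest_period(key)


def recover_key_by_crib(ct, crib, crib_offset, k):
    """Known plaintext: XOR the crib against the ciphertext where it is known to sit and
    map the resulting key stream onto the key period."""
    stream = bytes(c ^ p for c, p in zip(ct[crib_offset:], crib))
    if len(stream) < k:
        raise ValueError("crib must cover at least one full key period")
    key = bytearray(k)
    for j, b in enumerate(stream):
        key[(crib_offset + j) % k] = b
    return smallest_period(bytes(key))


# Constructed stand-in for the sampled region of a candidate file; the key is known
# here only so the example can check its own answer.
PLAINTEXT = (
    b"This program cannot be run in DOS mode. The loader reads the configuration block, "
    b"decodes each string with the same repeating key, and then resolves the imports it "
    b"needs before contacting the server. Analysts who recover the key can decode every "
    b"string in the sample at once, which makes the rest of the triage much faster. "
    b"Sample text like this paragraph stands in for the encrypted region of a real file "
    b"and is only here so the example can run without any external input at all."
)
KEY = b"key"
CIPHERTEXT = xor_with_key(PLAINTEXT, KEY)
```

On a real sample the crib is whatever you expect at a known offset (a PE header field, a URL prefix, the DOS stub text); the frequency method needs no such hint but wants a sample of a few hundred bytes of text-like plaintext to be reliable.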
Patch Cobalt Strike stager payloads.
usage: malutil-cobaltstrike_malleable_restore [-h] [-o] [-v] [FILE [FILE ...]]
Patch provided PE to restore section, module, and function names obfuscated by
Cobalt Strike malleable stager. Write new PE with '.patched' prefix.
positional arguments:
FILE Full path to the file(s) to be processed.
optional arguments:
-h, --help show this help message and exit
-o, --overwrite Patch existing file instead of creating a new one.
-v, --verbose Output additional information when processing (mostly for
debugging purposes).
malutil-cobaltstrike_malleable_restore tmp -o -v
INFO:malchive.utilities.cobaltstrike_malleable_restore:Processing tmp...
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Proceeding with x64 image...
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Proceeding with key value 0xce
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Recovered section at 0x1f8 : .text
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Recovered section at 0x220 : .rdata
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Found import section 0x220
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Recovered section at 0x248 : .data
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Recovered section at 0x270 : .pdata
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Recovered section at 0x298 : .reloc
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Recovered module at 0x399e6 : KERNEL32.dll
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Recovered function at 0x39632 : SystemTimeToTzSpecificLocalTime
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Recovered function at 0x39654 : FileTimeToSystemTime
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Recovered function at 0x3966c : ExpandEnvironmentStringsA
...
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Recovered function at 0x39c4a : InternetOpenA
DEBUG:malchive.utilities.cobaltstrike_malleable_restore:Recovered module at 0x39d28 : WS2_32.dll
Patched file written as tmp...
Enumerate and convert a supplied list of IIDs for COM interfaces to binary Yara signatures.
malutil-comguidtoyara -h
usage: malutil-comguidtoyara [-h] [-o OUTPUT_FILENAME] [-v] [FILE [FILE ...]]
Crawls windows registry to hunt for and convert IIDs for COM interfaces to
binary YARA signatures. The submitted hives must be from HKLM\SOFTWARE. You
can make copies of these files off an active Windows OS using the command 'reg
save HKLM\SOFTWARE hklm_sft.hiv' when running as administrator.
positional arguments:
FILE Full path to the registry hive to be processed.
optional arguments:
-h, --help show this help message and exit
-o OUTPUT_FILENAME, --output-filename OUTPUT_FILENAME
Filename to write YARA signatures to (default:
com_interface_ids.yara)
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
You will need DAT files retrieved from various Windows systems to use this script.
malutil-comguidtoyara /data/workarea/com_sigs/*.dat -o /data/yara/com_interface_ids.yara
INFO:__main__:Collecting IIDs from /data/workarea/com_sigs/win10_64_software.dat...
INFO:__main__:Collecting IIDs from /data/workarea/com_sigs/win7_64_software.dat...
INFO:__main__:Collecting IIDs from /data/workarea/com_sigs/xp_software.dat...
INFO:__main__:Processing 62594 results...
99% (62554 of 62594) |################################################################################################################################################# | Elapsed Time: 0:00:15 ETA: 0:00:00
INFO:__main__:Generating 12250 YARA signatures...
99% (12245 of 12250) |################################################################################################################################################# | Elapsed Time: 0:00:39 ETA: 0:00:00
INFO:__main__:Writing YARA rules to /data/yara/com_interface_ids.yara
INFO:__main__:Complete!
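The conversion step of this script, as an added example (not the project's code): a COM IID is stored in a binary as a GUID structure, with Data1, Data2 and Data3 little-endian and Data4 as written, so the YARA hex string is that 16-byte layout. Here the IID-to-name pairs are a constructed dictionary standing in for what the real script reads from `HKLM\SOFTWARE\Classes\Interface\{IID}` in the supplied hives; keying on the IID also removes the duplicates that multiple hives produce. The two IIDs used are the well-known IUnknown and IDispatch interfaces.

```python
import re
import uuid

# Constructed input; the real script collects these pairs from
# HKLM\SOFTWARE\Classes\Interface\{IID} in each hive it is given.
INTERFACES = {
    "{00000000-0000-0000-C000-000000000046}": "IUnknown",
    "{00020400-0000-0000-C000-000000000046}": "IDispatch",
}


def guid_to_yara_hex(iid):
    """Binary layout of a GUID inside a PE: Data1 (u32), Data2 and Data3 (u16) are
    little-endian, Data4 (8 bytes) is stored as written. uuid.bytes_le is exactly that."""
    return " ".join(f"{b:02x}" for b in uuid.UUID(iid).bytes_le)


def rule_identifier(name):
    """YARA identifiers allow only [A-Za-z0-9_] and must not start with a digit."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", name)
    if ident[0].isdigit():
        ident = "_" + ident
    return "com_iid_" + ident


def make_rule(iid, name):
    return (f"rule {rule_identifier(name)}\n{{\n"
            f"    meta:\n        iid = \"{iid}\"\n"
            f"    strings:\n        $iid = {{ {guid_to_yara_hex(iid)} }}\n"
            f"    condition:\n        $iid\n}}\n")


def generate_rules(interfaces):
    """One rule per unique IID, concatenated into a single .yara file body."""
    return "".join(make_rule(iid, name) for iid, name in interfaces.items())


def write_rules(interfaces, path="com_interface_ids.yara"):
    with open(path, "w") as fh:
        fh.write(generate_rules(interfaces))
```

A hit on one of these rules tells you which COM interface a binary references by IID, which is the kind of context the original script is meant to provide during static analysis.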
Script that dumps information within content streams of a .NET file.
malutil-dotnetdumper -h
usage: malutil-dotnetdumper [-h] [-v] [FILE [FILE ...]]
Dump netz resources and streams to file.
positional arguments:
FILE Full path to the file to be processed.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing.
Extracted data is written to the current working directory.
malutil-dotnetdumper ae34c120ea95fb3021e4bd8f7668bc52.vt
Writing ae34c120ea95fb3021e4bd8f7668bc52.vt.rsrc_bin_0 (457395)
Writing ae34c120ea95fb3021e4bd8f7668bc52.vt.stream_#~_bin_1 (28744)
Writing ae34c120ea95fb3021e4bd8f7668bc52.vt.stream_bCLR_bin_2 (0)
Writing ae34c120ea95fb3021e4bd8f7668bc52.vt.stream_#Strings_bin_3 (14616)
Writing ae34c120ea95fb3021e4bd8f7668bc52.vt.stream_#GUID_bin_4 (16)
Writing ae34c120ea95fb3021e4bd8f7668bc52.vt.stream_#Blob_bin_5 (15660)
Writing ae34c120ea95fb3021e4bd8f7668bc52.vt.stream_#US_bin_6 (352)
Take a series of provided files and print the entropy, alongside other information like the filename and MD5.
malutil-entropycalc -h
usage: malutil-entropycalc [-h] [-o OFFSET] [-s SIZE] [-v] [FILE [FILE ...]]
Take a series of provided files and print the entropy, alongside other
information like the filename and MD5.
positional arguments:
FILE Full path to the file to be processed.
optional arguments:
-h, --help show this help message and exit
-o OFFSET, --offset OFFSET
Starting point within the supplied buffer to begin
processing.
-s SIZE, --size SIZE The total number of bytes to process. Defaults to size
of supplied data.
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
Sometimes all you want to know is the entropy of a group of files. This script does that and gives you offset and size constraints to work with.
malutil-entropycalc 3fed8a6d4532240092fbaf35004f1361.vt -o 0x15520 -s 0xba8
+----------------------------------+-------------------------------------+-----------+
| MD5 | Filename | Entropy |
+==================================+=====================================+===========+
| d3bcf84ca699aa86233a73f684b50dd5 | 3fed8a6d4532240092fbaf35004f1361.vt | 7.71876 |
+----------------------------------+-------------------------------------+-----------+
Script that works with data generated by apihash.py script. Searches supplied shellcode binary for any API hash matches and then dumps the results. If the malchive package is installed, the pre-generated database will be used by default.
malutil-findapihash -h
usage: malutil-findapihash [-h] [-db DATABASE_NAME] [-v] FILE
Searches supplied shellcode binary for any API hash matches. Results are
displayed as a table denoting function and hash matches.
positional arguments:
FILE Binary file containing shellcode.
optional arguments:
-h, --help show this help message and exit
-db DATABASE_NAME, --database-name DATABASE_NAME
Name of the database to reference for hashes. Will
search the data directory located in the same path as
the executing script unless an alternate name is
provided (default: data/apihashes.db).
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
FindAPIHash checks every hashing algorithm stored in the database generated by the APIHash script. It is best used as a tool to aid in contextualizing shellcode.
malutil-findapihash sc.bin
+------------------+--------------+------------------+------------+-------------+
| Algorithm | Library | Function | Hash | Offset(s) |
+==================+==============+==================+============+=============+
| Standard ROR 0xd | kernel32.dll | CloseHandle | 0xffd97fb | 0x19 |
+------------------+--------------+------------------+------------+-------------+
| Standard ROR 0xd | kernel32.dll | ExitProcess | 0x73e2d87e | 0x35 |
+------------------+--------------+------------------+------------+-------------+
| Standard ROR 0xd | kernel32.dll | GetCommandLineA | 0x36ef7370 | 0x2d |
+------------------+--------------+------------------+------------+-------------+
| Standard ROR 0xd | kernel32.dll | GetFileSize | 0xdf7d9bad | 0x9 |
+------------------+--------------+------------------+------------+-------------+
| Standard ROR 0xd | kernel32.dll | GetModuleHandleA | 0xd3324904 | 0x39 |
+------------------+--------------+------------------+------------+-------------+
| Standard ROR 0xd | kernel32.dll | GetTempPathA | 0x5b8aca33 | 0x1d |
+------------------+--------------+------------------+------------+-------------+
| Standard ROR 0xd | kernel32.dll | GlobalAlloc | 0xc0397ec | 0x15 |
+------------------+--------------+------------------+------------+-------------+
| Standard ROR 0xd | kernel32.dll | GlobalFree | 0x7cb922f6 | 0x31 |
+------------------+--------------+------------------+------------+-------------+
| Standard ROR 0xd | kernel32.dll | ReadFile | 0x10fa6516 | 0x11 |
+------------------+--------------+------------------+------------+-------------+
| Standard ROR 0xd | kernel32.dll | SetFilePointer | 0x76da08ac | 0xd |
+------------------+--------------+------------------+------------+-------------+
| Standard ROR 0xd | kernel32.dll | WinExec | 0xe8afe98 | 0x29 |
+------------------+--------------+------------------+------------+-------------+
| Standard ROR 0xd | kernel32.dll | WriteFile | 0xe80a791f | 0x3d |
+------------------+--------------+------------------+------------+-------------+
| Standard ROR 0xd | kernel32.dll | _hwrite | 0xe9238ad9 | 0x25 |
+------------------+--------------+------------------+------------+-------------+
| Standard ROR 0xd | kernel32.dll | _lcreat | 0xe88a49ea | 0x21 |
+------------------+--------------+------------------+------------+-------------+
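An added example covering both the APIHash and FindAPIHash sections (this is not malchive's code): the "standard add char and rotate" hash for 0xd and 0x7 is implemented, hashes for a constructed export list are stored one row per (algorithm, library, function, hash) in an in-memory sqlite database, and a scanner reads a little-endian dword at every offset of a blob and reports the ones that match, in the same columns as the table above. The CRC32, JSHash, Metasploit and Carberp variants are not implemented here. The function names are taken from the table; the export list and the stand-in for `sc.bin` are constructed.

```python
import sqlite3
import struct


def ror32(value, bits):
    """32-bit rotate right."""
    value &= 0xffffffff
    return ((value >> bits) | (value << (32 - bits))) & 0xffffffff


def ror_add_hash(name, bits=13):
    """'Standard add char and rotate': rotate the running value right by `bits`, then
    add the next character. bits=13 is the ROR 0xd variant, bits=7 the ROR 0x7 variant."""
    h = 0
    for c in name.encode("ascii"):
        h = (ror32(h, bits) + c) & 0xffffffff
    return h


ALGORITHMS = {
    "Standard ROR 0xd": lambda name: ror_add_hash(name, 13),
    "Standard ROR 0x7": lambda name: ror_add_hash(name, 7),
}

# Constructed export list; malutil-apihash reads the export table of each DLL instead.
EXPORTS = {
    "kernel32.dll": ["CloseHandle", "ExitProcess", "GetTempPathA", "WinExec"],
}


def build_hash_db(exports, path=":memory:"):
    """One row per (algorithm, library, function, hash); pass a filename to persist it."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS hashes "
               "(algorithm TEXT, library TEXT, function TEXT, hash INTEGER)")
    rows = [(algo, lib, fn, fn_hash(fn))
            for lib, fns in exports.items()
            for fn in fns
            for algo, fn_hash in ALGORITHMS.items()]
    db.executemany("INSERT INTO hashes VALUES (?, ?, ?, ?)", rows)
    db.commit()
    return db


def find_api_hashes(db, blob):
    """Read a little-endian dword at every offset of the blob and report matches as
    (algorithm, library, function, hash, offset)."""
    known = {}
    for algo, lib, fn, h in db.execute("SELECT algorithm, library, function, hash FROM hashes"):
        known.setdefault(h, []).append((algo, lib, fn))
    hits = []
    for off in range(len(blob) - 3):
        dword = struct.unpack_from("<I", blob, off)[0]
        for algo, lib, fn in known.get(dword, ()):
            hits.append((algo, lib, fn, dword, off))
    return hits


# Constructed stand-in for sc.bin: two hashes pushed as immediates (0x68 = push imm32)
# between NOPs; the WinExec hash sits at offset 9, the ExitProcess hash at offset 17.
SHELLCODE = (b"\x90" * 8 + b"\x68" + struct.pack("<I", ror_add_hash("WinExec"))
             + b"\x90" * 3 + b"\x68" + struct.pack("<I", ror_add_hash("ExitProcess")))
```

`ror_add_hash("WinExec")` gives 0xe8afe98 and `ror_add_hash("ExitProcess")` gives 0x73e2d87e, the same values the table above reports for those two functions, which is a quick way to confirm which variant a shellcode sample uses before scanning it.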
Generate RSA keys given corresponding values. Numeric values may be provided as regular integers or hexadecimal with the '0x' prefix.
malutil-genrsa -h
usage: malutil-genrsa [-h] [-p FIRST_PRIME] [-q SECOND_PRIME]
[-e PUBLIC_EXPONENT] [-n PUBLIC_MODULUS] [-v]
Generate RSA keys given corresponding values. Numeric values may be provided
as regular integers or hexadecimal with the '0x' prefix.
optional arguments:
-h, --help show this help message and exit
-p FIRST_PRIME, --first-prime FIRST_PRIME
First prime value. Used along with 'Q' for private key
generation.
-q SECOND_PRIME, --second-prime SECOND_PRIME
Second prime value. Used along with 'P' for private
key generation.
-e PUBLIC_EXPONENT, --public-exponent PUBLIC_EXPONENT
Public exponent used for private and public key
generation. (Default: 0x010001)
-n PUBLIC_MODULUS, --public-modulus PUBLIC_MODULUS
Public modulus used when generating public keys.
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
Generating a private certificate using values for p and q along with the default public exponent.
malutil-genrsa.py -p [first prime factor] -q [second prime factor]
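What "generating the key from p, q and e" involves, as an added example that is not malchive's code: the primes are checked, `d` is computed as the inverse of `e` modulo (p-1)(q-1), the CRT values a PKCS#1 key carries are derived, and the result is serialised as a PEM `RSA PRIVATE KEY` with a small DER encoder so it can be fed to other tools. A public key from `-n` and `-e` alone is the trivial case. The textbook values p=61, q=53, e=17 are used to check the arithmetic; the function names are this example's own.

```python
import base64
import math


def parse_num(text):
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases: deterministic below about 3.3e24, a strong
    probabilistic check above that."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in small:
        return True
    if any(n % p == 0 for p in small):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_private_from_primes(p, q, e=0x010001):
    """Full private key including the CRT values (dp, dq, qinv) stored in PKCS#1 keys."""
    for name, value in (("p", p), ("q", q)):
        if not is_probable_prime(value):
            raise ValueError(f"{name} is not prime")
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo (p-1)(q-1)")
    d = pow(e, -1, phi)
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def rsa_public(n, e=0x010001):
    """Public key from the modulus alone (the -n option)."""
    return {"n": n, "e": e}


def crt_decrypt(key, c):
    """Textbook RSA via Garner's CRT recombination; disagreeing with pow(c, d, n)
    means the CRT parameters are wrong."""
    m1 = pow(c, key["dp"], key["p"])
    m2 = pow(c, key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_integer(v):
    """DER INTEGER: big-endian, with a leading 0x00 when the top bit is set."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def der_sequence(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def private_key_pem(key):
    """PKCS#1 RSAPrivateKey (version 0) wrapped as PEM."""
    fields = ("n", "e", "d", "p", "q", "dp", "dq", "qinv")
    der = der_sequence(der_integer(0), *(der_integer(key[f]) for f in fields))
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PRIVATE KEY-----\n")
```

With real-world primes recovered from a sample, `private_key_pem(rsa_private_from_primes(p, q))` yields a key that `openssl rsa -in key.pem -check` will validate, including the CRT consistency checks.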
Generate YARA signature for x86 architectures based on data passed. Numeric values may be provided as regular integers or hexadecimal with the '0x' prefix.
malutil-gensig -h
usage: malutil-gensig [-h] -f FILES [FILES ...]
[-s START_OFFSET [START_OFFSET ...]]
[-e END_OFFSET [END_OFFSET ...]]
[-g {strict,pic,mnem,bdiff}] [-m {16,32,64}]
[-r RULE_NAME] [-va] [--suppress-asm] [-w] [-v]
Generate YARA signature for x86 architectures based on data passed.
Numeric values may be provided as regular integers or hexadecimal
with the '0x' prefix.
You can optionally create a file .gensig.json in your home
directory with JSON data that can serve as a template for
rule 'meta'.
optional arguments:
-h, --help show this help message and exit
-f FILES [FILES ...], --files FILES [FILES ...]
Name of file(s) to process.
-s START_OFFSET [START_OFFSET ...], --start-offset START_OFFSET [START_OFFSET ...]
Starting point within the supplied buffer to begin processing. One or more offsets may
be provided, and are processed sequentially with respect the list of files. For virtual
address offsets, please see the --force-virtual-address flag.
-e END_OFFSET [END_OFFSET ...], --end-offset END_OFFSET [END_OFFSET ...]
End point to stop processing. Multiple offsets are processed in sequence with
the list of files. If this is not provided, it will default to the length of the data
minus the start offset.
-g {strict,pic,mnem,bdiff}, --generator {strict,pic,mnem,bdiff}
Choose how the signatures is generated from the supplied bytes. Defaults to 'strict'.
* Strict - Literal interpretation of bytes to generate signature.
* PIC - Position Independent Code (PIC) mode attempts to wildcard immediate and
memory type operands.
* Mnemonic (mnem) - Only show bytes that reflect the represented mnemonic instruction.
* Bindiff (bdiff) - Compute a diff on two binary streams and produce a YARA compliant regex.
-m {16,32,64}, --mode {16,32,64}
The hardware mode to use when creating the signature. Relevant in PIC and Mnemonic modes
(Default: 32-bit).
-r RULE_NAME, --rule-name RULE_NAME
The name of the rule you wish to create. Default is [generator]_code_[yara_string_md5]
-va, --force-virtual-address
Force interpretation of the provided offset to be the a virtual address.
--suppress-asm Suppress automatically generated assembly code.
-w, --write Write to disk using the rule name along with the .yara file extension.
-v, --verbose Output additional information when processing (mostly for debugging purposes).
Generate a single strict signature based on a sequence of bytes.
malutil-gensig -f block1.bin -g strict
Generate a single strict signature based on a sequence of bytes from a virtual address (must be a PE file).
malutil-gensig -f block1.bin -s 0x402bcd -e 0x402bda -va
Generate a single PIC signature based on a sequence of bytes.
malutil-gensig -f block1.bin -g pic
Generate multiple mnemonic only signatures based on a sequence of bytes from two files, and write them to disk.
malutil-gensig -f block1.bin block2.bin -g mnem -w
Generate multiple strict signatures using multiple offsets and suppressing the assembly code comments.
malutil-gensig -f block1.bin block2.bin -s 0x2 0x4 -e 0x12 0x14 --suppress-asm
Generating a bdiff signature from a code block inside a binary stream and writing it to disk.
malutil-gensig -f block1.bin block2.bin -g bdiff -r my_shellcode
Generating a bdiff signature from a code block inside a PE and writing it to disk.
malutil-gensig -f myfile.exe_ myfile2.exe_ -s 0x10001D64 0x100040D7 -e 0x10001D9C 0x10004112 -g bdiff -va -r bad_stuff -w
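The two generators that need no disassembler, `strict` and `bdiff`, as an added example (not malchive's code): the strict form is the literal hex of the selected block, and the bdiff form compares two blocks byte by byte and replaces every position that differs with the YARA `??` wildcard, so an immediate or address that changes between two builds drops out of the signature. Only equal-length blocks are handled here (the tool's regex output for unequal lengths is not reproduced), the `pic` and `mnem` modes are not covered, and the default rule name follows the `[generator]_code_[md5]` pattern from the help. The two 16-byte blocks stand in for `block1.bin` and `block2.bin` and are constructed.

```python
import hashlib


def extract_block(data, start=0, end=None):
    """-s/-e semantics: the end offset defaults to the length of the data."""
    return data[start:len(data) if end is None else end]


def strict_hex(block):
    """'strict' generator: the literal bytes."""
    return " ".join(f"{b:02x}" for b in block)


def trim_wildcards(hex_string):
    """Leading and trailing '??' make poor anchors for YARA's scanner, so drop them."""
    tokens = hex_string.split()
    while tokens and tokens[0] == "??":
        tokens.pop(0)
    while tokens and tokens[-1] == "??":
        tokens.pop()
    return " ".join(tokens)


def bdiff_hex(block_a, block_b):
    """'bdiff' generator for two equal-length blocks: differing bytes become '??'."""
    if len(block_a) != len(block_b):
        raise ValueError("bdiff needs two blocks of the same length")
    pattern = " ".join(f"{x:02x}" if x == y else "??" for x, y in zip(block_a, block_b))
    return trim_wildcards(pattern)


def make_rule(hex_string, generator, rule_name=None, meta=None):
    """Rule text; `meta` stands in for the ~/.gensig.json template mentioned in the help."""
    if rule_name is None:
        rule_name = f"{generator}_code_{hashlib.md5(hex_string.encode()).hexdigest()}"
    meta_lines = "".join(f"        {k} = \"{v}\"\n" for k, v in (meta or {}).items())
    return (f"rule {rule_name}\n{{\n"
            + (f"    meta:\n{meta_lines}" if meta_lines else "")
            + f"    strings:\n        $code = {{ {hex_string} }}\n"
            f"    condition:\n        $code\n}}\n")


def write_rule(rule_text, rule_name):
    """-w: write the rule as <rule_name>.yara."""
    with open(f"{rule_name}.yara", "w") as fh:
        fh.write(rule_text)


# Constructed stand-ins for block1.bin / block2.bin: the same prologue, with a
# different immediate pushed before the call.
BLOCK1 = bytes.fromhex("55 8b ec 83 ec 10 68 78 56 34 12 e8 00 00 00 00")
BLOCK2 = bytes.fromhex("55 8b ec 83 ec 10 68 12 34 56 78 e8 00 00 00 00")
```

`make_rule(bdiff_hex(BLOCK1, BLOCK2), "bdiff", rule_name="my_shellcode")` is the equivalent of the `-g bdiff -r my_shellcode` run above for these two blocks.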
usage: malutil-guid_recovery [-h] [-v] [FILE ...]
Fetch embedded .NET GUIDs within a binary stream, such as a process dump.
positional arguments:
FILE Full path to the file(s) to be processed.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly for
debugging purposes).
usage: malutil-hashes [-h] [-v] [FILE ...]
Get various hashes on supplied filename.
positional arguments:
FILE Full path to the file(s) to be processed.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly for
debugging purposes).
Script that detects embedded CAB files where the initial four-byte file magic has been removed.
malutil-hiddencab -h
usage: malutil-hiddencab [-h] [-t TARGET_DIRECTORY] [-s] [-v]
[FILE [FILE ...]]
Search for hidden CAB files inside binary.
positional arguments:
FILE Full path to the file to be processed.
optional arguments:
-h, --help show this help message and exit
-t TARGET_DIRECTORY, --target-directory TARGET_DIRECTORY
Target directory to write files. Defaults to executing
directory.
-s, --suppress-write Prevent results from being written to disk. Opting
instead for just a table view of the results.
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
Hidden CAB uses structural attributes unique to CAB files to locate embedded cabinets inside files that lack the normal CAB file magic.
malutil-hiddencab *vt -t cabs/
INFO:__main__:Found 1 hidden cab(s) in 18ac3b14300ecfeed4b64a844c16dccb06b0e3513d0954d6c6182f2ea14e4c92.vt...
INFO:__main__:Writing to directory: cabs/
+----------------------------------+--------+----------+
| MD5 | Size | Offset |
+==================================+========+==========+
| b156cd7d120c7b591fab7f52fb7c71a7 | 16540 | 28848 |
+----------------------------------+--------+----------+
INFO:__main__:Found 1 hidden cab(s) in 1fcda755e8fa23d27329e4bc0443a82e1c1e9a6c1691639db256a187365e4db1.vt...
INFO:__main__:Writing to directory: cabs/
+----------------------------------+--------+----------+
| MD5 | Size | Offset |
+==================================+========+==========+
| 3ccf434e4c0fdfff5a5be44674a57173 | 16574 | 28848 |
+----------------------------------+--------+----------+
INFO:__main__:Found 1 hidden cab(s) in ae9f158e4886cfdbfb4f1b3b25707d05f6fd873d0be9d8e7334a2c28741228ee.vt...
INFO:__main__:Writing to directory: cabs/
+----------------------------------+--------+----------+
| MD5 | Size | Offset |
+==================================+========+==========+
| d408c77ad3fc051105a4449daa0bfd57 | 16548 | 28848 |
+----------------------------------+--------+----------+
INFO:__main__:Found 1 hidden cab(s) in c0f8bb77284b96e07cab1c3fab8800b1bbd030720c74628c4ee5666694ef903d.vt...
INFO:__main__:Writing to directory: cabs/
+----------------------------------+--------+----------+
| MD5 | Size | Offset |
+==================================+========+==========+
| 0105ed9bc24474ac6eee342c41a97807 | 16611 | 28848 |
+----------------------------------+--------+----------+
INFO:__main__:Found 1 hidden cab(s) in c906250e0a4c457663e37119ebe1efa1e4b97eef1d975f383ac3243f9f09908c.vt...
INFO:__main__:Writing to directory: cabs/
+----------------------------------+--------+----------+
| MD5 | Size | Offset |
+==================================+========+==========+
| ed0516e0f1ffad501bbe8bda441aeef8 | 16576 | 28848 |
+----------------------------------+--------+----------+
The extracted files are restored CAB files...
file cabs/ed0516e0f1ffad501bbe8bda441aeef8
cabs/ed0516e0f1ffad501bbe8bda441aeef8: Microsoft Cabinet archive data, 16576 bytes, 1 file
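As an added example (not hiddencab's own code), the following scans a buffer for CFHEADER structures whose 'MSCF' magic is missing using only structural fields, restores the magic on each carved cabinet, and keys the results by MD5 as the tool names its output files. The specific heuristics are assumptions; the page does not enumerate hiddencab's. build_sample_cab constructs a minimal cabinet for testing.

```python
"""Added example (not hiddencab's own code): find CAB headers with the magic removed."""
import hashlib
import struct

CFHEADER = "<4sIIIIIBBHHHHH"          # signature .. iCabinet, 36 bytes
CFHEADER_SIZE = struct.calcsize(CFHEADER)
CFFOLDER_SIZE = 8
CFFILE_FIXED_SIZE = 16                 # plus a NUL-terminated file name
CFHDR_RESERVE_PRESENT = 0x0004


def looks_like_cfheader(data: bytes, off: int) -> int:
    """Return cbCabinet if a CAB header (magic ignored) starts at off, else 0.

    Assumed structural checks: the three reserved fields are zero, the format
    version is 1.3, at least one folder and one file exist, the CFFILE table
    starts right after the header and folder entries, and the stated size fits.
    """
    if off + CFHEADER_SIZE > len(data):
        return 0
    (_, res1, cb_cabinet, res2, coff_files, res3, ver_minor, ver_major,
     n_folders, n_files, flags, _, _) = struct.unpack_from(CFHEADER, data, off)
    if res1 or res2 or res3 or (ver_major, ver_minor) != (1, 3):
        return 0
    if n_folders == 0 or n_files == 0:
        return 0
    expected_files = CFHEADER_SIZE + CFFOLDER_SIZE * n_folders
    if flags & CFHDR_RESERVE_PRESENT:
        if coff_files < expected_files + 4:   # reserve fields push the table further out
            return 0
    elif coff_files != expected_files:
        return 0
    if coff_files + CFFILE_FIXED_SIZE * n_files > cb_cabinet or cb_cabinet > len(data) - off:
        return 0
    return cb_cabinet


def find_hidden_cabs(data: bytes) -> list:
    """Scan every offset and report CAB headers that lack the 'MSCF' magic."""
    hits, off = [], 0
    while off + CFHEADER_SIZE <= len(data):
        size = looks_like_cfheader(data, off)
        if size and data[off:off + 4] != b"MSCF":
            hits.append({"offset": off, "size": size})
            off += size                        # skip over the cabinet body
        else:
            off += 1
    return hits


def restore_cab(data: bytes, hit: dict) -> bytes:
    """Carve the cabinet and put the four-byte magic back."""
    off, size = hit["offset"], hit["size"]
    return b"MSCF" + data[off + 4:off + size]


def carve_all(data: bytes) -> dict:
    """Map the MD5 of each restored cabinet to its bytes (hiddencab names files by MD5)."""
    out = {}
    for hit in find_hidden_cabs(data):
        cab = restore_cab(data, hit)
        out[hashlib.md5(cab).hexdigest()] = cab
    return out


def build_sample_cab(name: bytes = b"a.txt", payload: bytes = b"hello") -> bytes:
    """Constructed minimal uncompressed cabinet: one folder, one file, one CFDATA block."""
    cffile = struct.pack("<IIHHHH", len(payload), 0, 0, 0, 0, 0x20) + name + b"\0"
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload
    coff_files = CFHEADER_SIZE + CFFOLDER_SIZE
    coff_data = coff_files + len(cffile)
    total = coff_data + len(cfdata)
    header = struct.pack(CFHEADER, b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, 1, 0, 0x1234, 0)
    cffolder = struct.pack("<IHH", coff_data, 1, 0)   # typeCompress 0 = uncompressed
    return header + cffolder + cffile + cfdata
```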
Script patches a single byte to disable ASLR. Makes debugging a PE while referencing IDA base addresses easier.
malutil-killaslr -h
usage: malutil-killaslr [-h] [-o] [-v] [FILE [FILE ...]]
Patch provided PE to disable ASLR. Write new PE with 'noaslr' prefix.
positional arguments:
FILE Full path to the file(s) to be processed.
optional arguments:
-h, --help show this help message and exit
-o, --overwrite Patch existing file instead of creating a new one.
-v, --verbose Output additional information when processing (mostly for
debugging purposes).
KillASLR re-bases Windows PE files with ASLR enabled to their original base address when loaded in memory (that is, it kills dynamic base protection). This makes it easier to debug a file in OllyDbg while doing static analysis with disassemblers like IDA.
malutil-killaslr wininet.dll
INFO:__main__:Patching wininet.dll...
INFO:__main__:Patched file written as wininet.dll.noaslr...
It will fail gracefully if the PE does not have ASLR enabled.
malutil-killaslr fffae1c5b8d78749d92816b126448bd314d032db6855f5aa8375225c05ddb4d3.vt
INFO:__main__:Patching fffae1c5b8d78749d92816b126448bd314d032db6855f5aa8375225c05ddb4d3.vt...
INFO:__main__:fffae1c5b8d78749d92816b126448bd314d032db6855f5aa8375225c05ddb4d3.vt was not found to have ASLR enabled...
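An added example (not killaslr's code) of the patch the tool performs: locate DllCharacteristics in the PE optional header, clear the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit, and decline to write anything when the flag is not set. build_minimal_pe constructs a header-only stub for testing; the file-level wrapper mirrors the '.noaslr' naming shown above.

```python
"""Added example (not killaslr's code): clear DYNAMIC_BASE in a PE optional header."""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
OPTIONAL_HEADER_MAGICS = (0x10B, 0x20B)          # PE32, PE32+


def dll_characteristics_offset(pe: bytes) -> int:
    """File offset of the 16-bit DllCharacteristics field.

    It sits 70 bytes into the optional header for both PE32 and PE32+.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    optional = e_lfanew + 4 + 20                  # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", pe, optional)[0]
    if magic not in OPTIONAL_HEADER_MAGICS:
        raise ValueError("unrecognised optional header magic 0x%x" % magic)
    return optional + 70


def has_aslr(pe: bytes) -> bool:
    off = dll_characteristics_offset(pe)
    return bool(struct.unpack_from("<H", pe, off)[0] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def kill_aslr(pe: bytes):
    """Return a patched copy with DYNAMIC_BASE cleared, or None when ASLR was not enabled.

    The flag lives in the low byte of DllCharacteristics, so exactly one byte
    changes. The optional-header CheckSum is left as is (assumed acceptable for
    a user-mode debugging target).
    """
    off = dll_characteristics_offset(pe)
    value = struct.unpack_from("<H", pe, off)[0]
    if not value & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        return None
    patched = bytearray(pe)
    struct.pack_into("<H", patched, off, value & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return bytes(patched)


def kill_aslr_file(path: str, overwrite: bool = False):
    """Write <path>.noaslr (or patch in place with overwrite); return the output path or None."""
    with open(path, "rb") as fh:
        pe = fh.read()
    patched = kill_aslr(pe)
    if patched is None:
        return None
    out_path = path if overwrite else path + ".noaslr"
    with open(out_path, "wb") as fh:
        fh.write(patched)
    return out_path


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE stub: enough for the functions above, not loadable."""
    e_lfanew = 0x40
    img = bytearray(e_lfanew + 4 + 20 + 240)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    optional = e_lfanew + 24
    struct.pack_into("<H", img, optional, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", img, optional + 70, dll_characteristics)
    return bytes(img)
```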
Simple script for negation of byte values, an obfuscation technique commonly observed in malware.
malutil-negate -h
usage: malutil-negate [-h] [-v] [-o OFFSET] [-s SIZE] [-sn] infile
Process data stream and negate each byte. Numeric values may be provided as
regular integers or hexadecimal with the '0x' prefix.
positional arguments:
infile Data stream to process. (stdin, denoted by a '-').
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
-o OFFSET, --offset OFFSET
Starting point within the supplied buffer to begin
processing.
-s SIZE, --size SIZE The total number of bytes to process. Defaults to size
of supplied data.
-sn, --skip-nulls When processing the buffer, skip all null ('0x00')
bytes.
This is a simple program that operates on binary data supplied as a file or from STDIN. Examples below draw from the following data.
hexdump -Cv 1.bin
00000000 00 00 00 00 00 8b 97 96 8c df 96 8c df 9e df 8b |................|
00000010 9a 8c 8b 00 00 00 00 00 |........|
Negation of all bytes in a sequence...
cat 1.bin | malutil-negate - | hexdump -Cv
00000000 ff ff ff ff ff 74 68 69 73 20 69 73 20 61 20 74 |.....this is a t|
00000010 65 73 74 ff ff ff ff ff |est.....|
Negate all bytes but skip the null values...
cat 1.bin | malutil-negate - -sn | hexdump -Cv
00000000 00 00 00 00 00 74 68 69 73 20 69 73 20 61 20 74 |.....this is a t|
00000010 65 73 74 00 00 00 00 00 |est.....|
Targeting the exact data of interest specifying size and offset...
cat 1.bin | malutil-negate - -sn -s 14 -o 5 | hexdump -Cv
00000000 74 68 69 73 20 69 73 20 61 20 74 65 73 74 |this is a test|
usage: malutil-pecarver [-h] [--include-start] [-v] [FILE ...]
Checks for embedded PE files within candidate. Writes result(s) to disk.
positional arguments:
FILE candidate file(s).
optional arguments:
-h, --help show this help message and exit
--include-start For PE files that themselves have embedded PEs, this option will
include the beginning PE file among the carved payloads.
-v, --verbose Output additional information when processing (mostly for
debugging purposes).
Take a series of provided files and print the extracted PE debug information if present.
malutil-pepdb -h
usage: malutil-pepdb [-h] [-v] [FILE [FILE ...]]
Take a series of provided files and print the extracted PDB info from them.
positional arguments:
FILE Full path to the file to be processed.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly for
debugging purposes).
In cases where you are interested in the PDB information of one or more files...
malutil-pepdb *
+-------------------------------------+---------------------+-------------+-------------+--------------------------------------+----------------------------------------+
| Filename | Debug Timestamp | Signature | Revisions | Path | GUID |
+=====================================+=====================+=============+=============+======================================+========================================+
| 35236b1abf8786a3d6a89dbc54ce5468.vt | 2019-05-15 05:06:38 | RSDS | 6 | C:\works\prjs\z3_clt\Rlsexe\clt.pdb | {4b963d6f-682f-4b45-9a96-a0c98854c7ab} |
+-------------------------------------+---------------------+-------------+-------------+--------------------------------------+----------------------------------------+
| f6878e198978770aef3d76caa77a55d7.vt | 2019-05-15 05:06:41 | RSDS | 13 | C:\works\prjs\z3_clt\Release\clt.pdb | {f8307e07-99ba-4168-a8a3-83769ccecf6c} |
+-------------------------------------+---------------------+-------------+-------------+--------------------------------------+----------------------------------------+
| 77c0ea080e51a04242b59033128bb442.vt | 2019-05-23 10:07:22 | RSDS | 9 | C:\works\prjs\z3_clt\Release\clt.pdb | {8c903bf2-d874-4208-9753-c56a5e71eedb} |
+-------------------------------------+---------------------+-------------+-------------+--------------------------------------+----------------------------------------+
Display embedded PE resources and optionally dump them to disk. Entries with '-' are unlabeled.
malutil-peresources -h
usage: malutil-peresources [-h] [-w] [-v] [FILE [FILE ...]]
Dump embedded resources to disk. Entries with '-' are unlabeled.
positional arguments:
FILE Full path to the file(s) to be processed.
optional arguments:
-h, --help show this help message and exit
-w, --write Write the file(s) to disk. Creates a directory with MD5 hash
and '_rsrc' prefix of the provided sample and extracts
payloads there.
-v, --verbose Output additional information when processing (mostly for
debugging purposes).
Sometimes all you want is just a way to show and dump embedded PE resources.
malutil-peresources *
INFO:__main__:Found 21 resources in 4bc743b0f4090cdd0c0fbcebfa996de9.vt...
+----------------------------------+-------------+---------------+--------+------+--------+
| MD5 | Directory | Type | Name | ID | Size |
+==================================+=============+===============+========+======+========+
| a11193b17c2413b106d2b1b629ef044d | TYPELIB | - | IIWW | - | 27176 |
+----------------------------------+-------------+---------------+--------+------+--------+
| 234370a0b4ed333a3405461a263f5a65 | TYPELIB | - | NNKK | - | 7680 |
+----------------------------------+-------------+---------------+--------+------+--------+
| 1fa3769a60d81d7c3d3fe1d93bf44ce4 | TYPELIB | - | PPQQ | - | 66329 |
+----------------------------------+-------------+---------------+--------+------+--------+
| 78b25709cde5e395cd47245f52b83c19 | - | RT_ICON | - | 1 | 1640 |
+----------------------------------+-------------+---------------+--------+------+--------+
| 26c932f21e8010cb50cac4fa4a63044e | - | RT_ICON | - | 2 | 744 |
+----------------------------------+-------------+---------------+--------+------+--------+
| 318b177c5855913ccb77d1055d85d908 | - | RT_ICON | - | 3 | 488 |
+----------------------------------+-------------+---------------+--------+------+--------+
| 3d9700a824ed745a68bcc67e0dad330d | - | RT_ICON | - | 4 | 424 |
+----------------------------------+-------------+---------------+--------+------+--------+
| 618a7ddd36d780ddbfb47a0467f0d853 | - | RT_ICON | - | 5 | 296 |
+----------------------------------+-------------+---------------+--------+------+--------+
| 58c6cb5027004cdb21f55f359aa65c31 | - | RT_ICON | - | 6 | 3752 |
+----------------------------------+-------------+---------------+--------+------+--------+
| e82286b7f617ce3f40554e7e65b987ad | - | RT_ICON | - | 7 | 2216 |
+----------------------------------+-------------+---------------+--------+------+--------+
| d4dd08dca36efb5212f73e39bd7bf79f | - | RT_ICON | - | 8 | 1736 |
+----------------------------------+-------------+---------------+--------+------+--------+
| 93b633b47cb7f53eeccd7209270b6e25 | - | RT_ICON | - | 9 | 1544 |
+----------------------------------+-------------+---------------+--------+------+--------+
| db8ceb39a9a8cec7c84ffaf54f988d7e | - | RT_ICON | - | 10 | 1384 |
+----------------------------------+-------------+---------------+--------+------+--------+
| cae986a63259da377f7eb60ce0b13aa3 | - | RT_ICON | - | 11 | 9640 |
+----------------------------------+-------------+---------------+--------+------+--------+
| fe16914a017893d418c043f9ac883584 | - | RT_ICON | - | 12 | 4264 |
+----------------------------------+-------------+---------------+--------+------+--------+
| cbe22525f5a671518788c5245282bc73 | - | RT_ICON | - | 13 | 2440 |
+----------------------------------+-------------+---------------+--------+------+--------+
| c9983e553c1fca28a8bfa55907ee5cab | - | RT_ICON | - | 14 | 1720 |
+----------------------------------+-------------+---------------+--------+------+--------+
| 861939c4086f263b97a5e272a76ac622 | - | RT_ICON | - | 15 | 1128 |
+----------------------------------+-------------+---------------+--------+------+--------+
| 2432af109978ed18470738c5c83b0979 | - | RT_DIALOG | - | 102 | 232 |
+----------------------------------+-------------+---------------+--------+------+--------+
| b5552771144189571a4666aa805b38d1 | - | RT_GROUP_ICON | - | 128 | 216 |
+----------------------------------+-------------+---------------+--------+------+--------+
| 36b32486358f11c136f215467ff13dc2 | - | RT_VERSION | - | 1 | 888 |
+----------------------------------+-------------+---------------+--------+------+--------+
Take a series of provided files and print the extracted PE timestamps, alongside other information like the filename and MD5.
malutil-petimestamp -h
usage: malutil-petimestamp [-h] [-v] [-b] [-x] [FILE [FILE ...]]
Take a series of provided files and print the extracted timestamps from each
PE; such as the compile, resource, load config, debug, and export timestamps.
positional arguments:
FILE Full path to the file to be processed.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly for
debugging purposes).
-b, --brief Just print the 'compile time' only and not the other
timestamp fields.
-x, --extended Also print timestamps from the 'import' and the 'delay load'
directory tables. Useful in limited cases since these
timestamps are created only when the image is bound.
Sometimes all you want to know is the compile times of a group of files sorted by date...
malutil-petimestamp *
+----------------------------------+-------------------------------------+---------------------+-------------------------+-------------------------+-----------------------+---------------------+
| MD5 | Filename | Compile Time | Resource Timestamp(s) | Load Config Timestamp | Debug Timestamp(s) | Export Timestamp |
+==================================+=====================================+=====================+=========================+=========================+=======================+=====================+
| 32239a1957d95987d4abfb124b28faaa | 32239a1957d95987d4abfb124b28faaa.vt | 1988-10-31 18:37:10 | | 1970-01-01 00:00:00 | 2010-11-20 10:58:29 | |
+----------------------------------+-------------------------------------+---------------------+-------------------------+-------------------------+-----------------------+---------------------+
| a2dce3332cf44be980348b787d4f0cda | a2dce3332cf44be980348b787d4f0cda.vt | 1999-02-07 23:08:38 | | 1970-01-01 00:00:00 | 2009-07-13 23:44:14 | 2009-07-13 23:44:14 |
+----------------------------------+-------------------------------------+---------------------+-------------------------+-------------------------+-----------------------+---------------------+
| 1c8b2d1033f776b5c7fbd506bb928245 | 1c8b2d1033f776b5c7fbd506bb928245.vt | 1999-05-31 04:44:33 | | 1970-01-01 00:00:00 | 2010-11-20 09:00:27 | |
| | | | | | 2010-11-20 09:00:27 | |
+----------------------------------+-------------------------------------+---------------------+-------------------------+-------------------------+-----------------------+---------------------+
| 36ab931ac848b21e639f1a5b337d3839 | 36ab931ac848b21e639f1a5b337d3839.vt | 2076-08-13 07:23:01 | | 2095-05-04 14:09:15 | | |
+----------------------------------+-------------------------------------+---------------------+-------------------------+-------------------------+-----------------------+---------------------+
usage: malutil-reverse_bytes [-h] [-v] infile
Reverse data stream and write to STDOUT. That's it.
positional arguments:
infile Data stream to process (stdin, denoted by a '-').
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly for
debugging purposes).
Simple module for bitwise rotation of byte values, a technique commonly observed in malware.
malutil-rotate -h
usage: malutil-rotate [-h] [-v] [-o OFFSET] [-s SIZE] [-r] infile count
Process data stream and rotate each byte. Numeric values may be provided as
regular integers or hexadecimal with the '0x' prefix.
positional arguments:
infile Data stream to process. (stdin, denoted by a '-').
count Number of times to perform rotation. Defaults to the
left.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
-o OFFSET, --offset OFFSET
Starting point within the supplied buffer to begin
processing.
-s SIZE, --size SIZE The total number of bytes to process. Defaults to size
of supplied data.
-r, --right Override default rotation direction, and instead
rotate bits to the right.
This is a simple script that operates on binary data supplied as a file or from STDIN. Examples below draw from the following data.
hexdump -Cv 1.bin
00000000 00 00 00 00 00 8e 0d 2d 6e 04 2d 6e 04 2c 04 8e |.......-n.-n.,..|
00000010 ac 6e 8e 00 00 00 00 00 |.n......|
Decode using three rotations to the left...
cat 1.bin | malutil-rotate - 3 | hexdump -Cv
00000000 00 00 00 00 00 74 68 69 73 20 69 73 20 61 20 74 |.....this is a t|
00000010 65 73 74 00 00 00 00 00 |est.....|
May be overridden to rotate to the right...
cat 1.bin | malutil-rotate - -r 5 | hexdump -Cv
00000000 00 00 00 00 00 74 68 69 73 20 69 73 20 61 20 74 |.....this is a t|
00000010 65 73 74 00 00 00 00 00 |est.....|
Offsets and size information may be provided as well to target specific data.
cat 1.bin | malutil-rotate - -r 5 -o 5 -s 14 | hexdump -Cv
00000000 74 68 69 73 20 69 73 20 61 20 74 65 73 74 |this is a test|
Script that simply retrieves hashes of SSL certificates captured using a range of IP, domain, and port combinations.
usage: malutil-ssl_cert [-h] [-i [IPADDRESS [IPADDRESS ...]]]
[-d [DOMAIN [DOMAIN ...]]] [-p [PORT [PORT ...]]]
[--timeout [TIMEOUT]] [--sni-host [SNI_HOST]] [-w]
[-t TARGET_DIRECTORY] [-v]
Retrieve hashes of SSL certificates.
options:
-h, --help show this help message and exit
-i [IPADDRESS [IPADDRESS ...]], --ipaddress [IPADDRESS [IPADDRESS ...]]
One or more IP addresses to scan. To provide a range,
use CIDR notation.
-d [DOMAIN [DOMAIN ...]], --domain [DOMAIN [DOMAIN ...]]
One or more domains to scan.
-p [PORT [PORT ...]], --port [PORT [PORT ...]]
Range of ports to test per host. May be specified as a
series of integers (80 443 8080), a range (80-9000),
or both.
--timeout [TIMEOUT] How long (in seconds) to wait before timeout for each
connection attempt. Defaults to five seconds.
--sni-host [SNI_HOST]
Apply the given domain as an SNI parameter for all
domain related requests (when given). The provided
domain is used when initiating a TLS/SSL handshake.
This is required for some providers hosting multiple
TLS enabled IPs off a single domain.
-w, --write
Write retrieved DER to disk using [MD5.der] as the filename.
-t TARGET_DIRECTORY, --target-directory TARGET_DIRECTORY
Target directory to write files. Defaults to executing
directory.
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
malutil-ssl_cert -d www.google.com -p 443 --sni-host google.com
{
"Cert Sha256": "065e3b66390a5d3c7ce51f27342242606453b3d98e4d4e97f5b708b59d190a0a",
"Details: {
"Query": "64.233.180.104:443",
"SNI": "google.com"
}
}
Simple script for subtraction of byte values using commonly observed techniques in malware.
malutil-sub -h
usage: malutil-sub [-h] [-v] [-o OFFSET] [-s SIZE] [-c COUNT] [-sn] [-sk]
infile key
Process data stream and subtract each byte by the supplied key. Numeric values
may be provided as regular integers or hexadecimal with the '0x' prefix.
positional arguments:
infile Data stream to process. (stdin, denoted by a '-').
key Single or multibyte key value. May be supplied as an
integer or as a hex value with the '0x' prefix.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
-o OFFSET, --offset OFFSET
Starting point within the supplied buffer to begin
processing.
-s SIZE, --size SIZE The total number of bytes to process. Defaults to size
of supplied data.
-c COUNT, --count COUNT
Interval to increment key value on each byte
iteration. Range of 0x00 - 0xff.
-sn, --skip-nulls When processing the buffer, skip all null ('0x00')
bytes.
-sk, --skip-key Skip bytes that match the supplied key value.
This is a simple program that operates on binary data supplied as a file or from STDIN. Examples below draw from the following data.
hexdump -Cv 1.bin
00000000 00 00 00 00 00 23 17 18 22 cf 18 22 cf 10 cf 23 |.....#..".."...#|
00000010 14 22 23 af af af af af |."#.....|
Apply single byte key and perform sub operation on bytes...
cat 1.bin | malutil-sub - 0xaf | hexdump -Cv
00000000 51 51 51 51 51 74 68 69 73 20 69 73 20 61 20 74 |QQQQQthis is a t|
00000010 65 73 74 00 00 00 00 00 |est.....|
Apply single byte key and skip nulls...
cat 1.bin | malutil-sub - 0xaf -sn | hexdump -Cv
00000000 00 00 00 00 00 74 68 69 73 20 69 73 20 61 20 74 |.....this is a t|
00000010 65 73 74 00 00 00 00 00 |est.....|
Skip nulls and skip the key...
cat 1.bin | malutil-sub - 0xaf -sn -sk | hexdump -Cv
00000000 00 00 00 00 00 74 68 69 73 20 69 73 20 61 20 74 |.....this is a t|
00000010 65 73 74 af af af af af |est.....|
Specify the size and offset of the data to target...
cat 1.bin | malutil-sub - 0xaf -sn -sk -s 14 -o 5| hexdump -Cv
00000000 74 68 69 73 20 69 73 20 61 20 74 65 73 74 |this is a test|
Script for enhanced strings enumeration. Aims to provide users with access to ascii, wide, and stack strings observed in a binary.
malutil-superstrings -h
usage: malutil-superstrings [-h] [-v] [-a] [-u] [-ss] [-o OFFSET] [-s SIZE]
[-i] [-m MODIFIER]
infile
Process data stream and recover desired strings. Numeric values may be
provided as regular integers or hexadecimal with the '0x' prefix. String types
may be specified and combined to filter results. By default all strings
recovered will be displayed. Assembled strings are best effort using regular
expressions on byte patterns.
positional arguments:
infile Data stream to search (stdin, denoted by a '-').
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
-a, --ascii Specify to search for normal single byte ascii
printables.
-u, --unicode Specify to search for wide unicode characters.
-ss, --stack-strings Specify to search for stack strings.
-o OFFSET, --offset OFFSET
Starting point within the supplied buffer to begin
processing.
-s SIZE, --size SIZE The total number of bytes to process. Defaults to size
of supplied data.
-i, --indicators Print only strings contextualized through indicator
regex.
-m MODIFIER, --modifier MODIFIER
Number of consecutive printable characters encountered
before a string is recognized (default is 3).
Superstrings allows analysts to view other kinds of strings beyond normal ascii printables in a binary stream. By default, all string types are shown unless flags are supplied to specify.
Stack string identification is best effort and relies on regular expressions, so compiler optimizations might prevent complete strings from being recovered.
Show only stack strings...
malutil-superstrings 5ea5df6531d149c1f217509c2d4d864e.vt -ss
0x35cb (stack) %08x.tmp
0x3d4b (stack) ...
0x3f82 (stack) ...**.*
0x442c (stack) ...
0x4771 (stack) ...
0x4e68 (stack) !!!
0x5214 (stack) SYSTEM
0x54c9 (stack) c:\
0x57e0 (stack) winhelp.dat
Show both ascii and unicode...
malutil-superstrings A4320323EF9C282FC24CB46F9C008F21.vt -o 0x1cbb48 -s 0x900 -u -a
0x0 (unicode) VS_VERSION_INFO
0x5c (unicode) StringFileInfo
0x80 (unicode) 040904b0
0x98 (unicode) CompanyName
0xb2 (unicode) Pane
0xc4 (unicode) FileDescription
0xe6 (unicode) Pane
0xf8 (unicode) FileVersion
0x112 (unicode) 1.0.0.1
0x128 (unicode) InternalName
0x142 (unicode) Pane.exe
0x15c (unicode) LegalCopyright
0x17a (unicode) Copyright (C) 2010
0x1a8 (unicode) OriginalFilename
0x1ca (unicode) Pane.exe
0x1e4 (unicode) ProductName
0x1fe (unicode) Pane
0x210 (unicode) ProductVersion
0x22e (unicode) 1.0.0.1
0x244 (unicode) VarFileInfo
0x264 (unicode) Translation
0x282 (ascii) <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
Search and retrieve data from VirusTotal database using private API feature set.
malutil-vtinspect -h
usage: vt-inspect [-h] [-v] {hash,net,bulk} ...
Query VirusTotal database based on supplied indicators such as md5, sha1,
sha256, IP, domain, or URL. At least one indicator is required to use this
script. A '.vt.key' file must also be present in the user home directory with
the format { "key" : "API_KEY_HERE" }
positional arguments:
{hash,net,bulk} Select from a variety of options on how to query the
VirusTotal database.
hash Issue VT queries based on multiple hashes from various
files.
net Issue VT queries on various network indicators, such as IPs,
domains, and URLs.
bulk Execute a search modifier compliant file search query
against VirusTotal. Returns the first 300 matching hits
sorted according to the last submission date in descending
order. Example: 'type:peexe size:90kb+ positives:5+
behaviour:"taskkill"'. Reference:
https://www.virustotal.com/intelligence/help/file-
search/#search-modifiers
optional arguments:
-h, --help show this help message and exit
-v, --verbose Get more verbose output if supported.
VirusTotal Inspect aims to provide a seamless way to integrate with the private API features of VT over the command line.
There are three main kinds of queries you can execute with this script: hash values, network indicators, or bulk queries.
Query basic info on one or more hashes (supports MD5/SHA hashes):
malutil-vtinspect hash 6d7ae79cb3a77c82828d3c53e2970831 -i
Get more detailed information to any query where permitted by adding the -v flag.
malutil-vtinspect -v hash 42a2b071bf7b7151c5a9bfc31c1dd3ac -i | less
You can combine flags to get a basic AV report, see user comments, and any Cuckoo Sandbox results.
malutil-vtinspect hash 42a2b071bf7b7151c5a9bfc31c1dd3ac -ibc
Download one or more files based on their hash value. Also get associated PCAPs (if any).
malutil-vtinspect hash 42a2b071bf7b7151c5a9bfc31c1dd3ac -df -dp
Get basic information on one or more domain names.
malutil-vtinspect net -dn 3322.org
Get basic information on two IP addresses.
malutil-vtinspect net -ip 8.8.8.8 8.8.8.4
Execute a bulk query and download the first 1000 results to a target directory.
malutil-vtinspect bulk 'type:peexe size:90kb+ positives:5+ behaviour:"taskkill"' -l 1000 -pf -t taskkill_pes
INFO:__main__:Writing to directory: taskkill_pes
INFO:__main__:Compiling search results. This may take some time depending on the search...
INFO:__main__:User defined threshold reached...
Query returned 1000 results. Proceed with collection? (y/n) y
INFO:__main__:Attempting to pull files across 1000 query matches...
0% (3 of 1000) | | Elapsed Time: 0:00:02 ETA: 0:15:50
Apply commonly observed instances of xor encoding to a supplied buffer and return the result.
malutil-xor -h
usage: malutil-xor [-h] [-v] [-o OFFSET] [-s SIZE] [-c COUNT] [-sn] [-sk]
infile key
Process data stream and xor each byte by the supplied key. Numeric values may
be provided as regular integers or hexadecimal with the '0x' prefix.
positional arguments:
infile Data stream to process. (stdin, denoted by a '-').
key Single or multibyte key value. May be supplied as an
integer or as a hex value with the '0x' prefix.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
-o OFFSET, --offset OFFSET
Starting point within the supplied buffer to begin
processing.
-s SIZE, --size SIZE The total number of bytes to process. Defaults to size
of supplied data.
-c COUNT, --count COUNT
Interval to increment key value on each byte
iteration. Range of 0x00 - 0xff.
-sn, --skip-nulls When processing the buffer, skip all null ('0x00')
bytes.
-sk, --skip-key Skip bytes that match the supplied key value.
This is a simple script that operates on binary data supplied as a file or from STDIN. Examples below draw from the following data.
hexdump -Cv 1.bin
00000000 00 00 00 00 00 25 39 38 22 71 38 22 71 30 71 25 |.....%98"q8"q0q%|
00000010 34 22 25 51 51 51 51 51 |4"%QQQQQ|
Apply single byte key and perform xor operation on bytes...
cat 1.bin | malutil-xor - 0x51 | hexdump -Cv
00000000 51 51 51 51 51 74 68 69 73 20 69 73 20 61 20 74 |QQQQQthis is a t|
00000010 65 73 74 00 00 00 00 00 |est.....|
Apply single byte key and skip nulls...
cat 1.bin | malutil-xor - -sn 0x51 | hexdump -Cv
00000000 00 00 00 00 00 74 68 69 73 20 69 73 20 61 20 74 |.....this is a t|
00000010 65 73 74 00 00 00 00 00 |est.....|
Skip nulls and skip the key...
cat 1.bin | malutil-xor - -sn -sk 0x51 | hexdump -Cv
00000000 00 00 00 00 00 74 68 69 73 20 69 73 20 61 20 74 |.....this is a t|
00000010 65 73 74 51 51 51 51 51 |estQQQQQ|
Specify the size and offset of the data to target...
cat 1.bin | malutil-xor -s 14 -o 5 - -sn -sk 0x51 | hexdump -Cv
00000000 74 68 69 73 20 69 73 20 61 20 74 65 73 74 |this is a test|
You can also specify multibyte keys if required. Below is a simple illustration of the effect with null bytes.
echo -ne '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | malutil-xor - 0x51468923 | hexdump -Cv
00000000 51 46 89 23 51 46 89 23 51 46 89 23 51 46 89 23 |QF.#QF.#QF.#QF.#|
Keys may be incremented or decremented on each key iteration by a specified value. This applies to both single-byte and multibyte keys.
Using a multibyte key sequence with a counter of five...
echo -ne '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | malutil-xor - 0x51468923 -c 5 | hexdump -Cv
00000000 51 46 89 23 56 4b 8e 28 5b 50 93 2d 60 55 98 32 |QF.#VK.([P.-`U.2|
Single byte counter of five...
echo -ne '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | malutil-xor - 0x51 -c 5 | hexdump -Cv
00000000 51 56 5b 60 65 6a 6f 74 79 7e 83 88 8d 92 97 9c |QV[`ejoty~......|
Apply pairwise xor encoding technique to a supplied buffer and return the result.
malutil-xor-pairwise -h
usage: malutil-xor-pairwise [-h] [-v] [-o OFFSET] [-s SIZE] [-r]
[-k PW_XOR_KEY]
infile
Instead of a standard single byte xor operation, xor end byte with previous
byte and continue in a decrementing fashion until the final byte is reached at
the beginning.
positional arguments:
infile Data stream to process. (stdin, denoted by a '-').
optional arguments:
-h, --help show this help message and exit
-v, --verbose Output additional information when processing (mostly
for debugging purposes).
-o OFFSET, --offset OFFSET
Starting point within the supplied buffer to begin
processing.
-s SIZE, --size SIZE The total number of bytes to process. Defaults to size
of supplied data.
-r, --reverse Reverse the process, applying pairwise at the
beginning rather than the end.
-k PW_XOR_KEY, --pw-xor-key PW_XOR_KEY
Key to use to start or end the XOR (depending on if
'r' is used). Must be 0x00-0xff. Defaults to 0x00.
This is a simple script that operates on binary data supplied as a file or from STDIN. Examples below draw from the following data.
hexdump -Cv 1.bin
00000000 00 00 00 00 00 74 1c 75 06 26 4f 3c 1c 7d 5d 29 |.....t.u.&O<.}])|
00000010 4c 3f 4b 4b 4b 4b 4b 4b |L?KKKKKK|
cat 1.bin | malutil-xor-pairwise - | hexdump -Cv
00000000 00 00 00 00 00 74 68 69 73 20 69 73 20 61 20 74 |.....this is a t|
00000010 65 73 74 00 00 00 00 00 |est.....|
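The negate, rotate, sub, xor and xor-pairwise tools above all apply one byte-level operation over an optional offset/size window, so one added reference implementation (not malware-utilities code) serves all of them; it is written to reproduce the hexdumps on this page. Where the page leaves behaviour unstated (whether skipped bytes advance a rolling key, what -sk compares against for a multibyte key, and which direction -r selects for pairwise xor) the code's choices are labelled assumptions.

```python
"""Added example (not malware-utilities code): reference byte transforms."""
from typing import Optional

# One-byte operations; k is the current key byte (for rotate, the bit count).
OPS = {
    "negate": lambda b, k: (~b) & 0xFF,
    "xor": lambda b, k: b ^ k,
    "sub": lambda b, k: (b - k) & 0xFF,
    "add": lambda b, k: (b + k) & 0xFF,
    "rotl": lambda b, k: ((b << (k % 8)) | (b >> (8 - k % 8))) & 0xFF,
    "rotr": lambda b, k: ((b >> (k % 8)) | (b << (8 - k % 8))) & 0xFF,
}


def key_bytes(key: int) -> bytes:
    """0x51468923 -> 51 46 89 23 and 0x51 -> 51: big-endian, as the page prints them."""
    return key.to_bytes(max(1, (key.bit_length() + 7) // 8), "big")


def transform(data: bytes, op: str, key: int = 0, *, offset: int = 0,
              size: Optional[int] = None, count: int = 0,
              skip_nulls: bool = False, skip_key: bool = False) -> bytes:
    """Apply op to data[offset:offset+size] and return only that slice (-o/-s behaviour).

    The key cycles byte by byte; after every full pass each key byte is bumped by
    count (-c), which for a single-byte key means after every byte. Assumptions not
    stated on the page: bytes skipped by -sn/-sk do not advance the key position,
    and -sk compares against the current key byte.
    """
    fn = OPS[op]
    end = len(data) if size is None else offset + size
    key_buf = bytearray(key_bytes(key))
    out = bytearray()
    idx = 0
    for b in data[offset:end]:
        k = key_buf[idx]
        if (skip_nulls and b == 0) or (skip_key and b == k):
            out.append(b)
            continue
        out.append(fn(b, k))
        idx += 1
        if idx == len(key_buf):
            idx = 0
            if count:
                for i in range(len(key_buf)):
                    key_buf[i] = (key_buf[i] + count) & 0xFF
    return bytes(out)


def pairwise_xor(data: bytes, key: int = 0, *, reverse: bool = False,
                 offset: int = 0, size: Optional[int] = None) -> bytes:
    """Pairwise xor as described for malutil-xor-pairwise.

    Default direction starts at the end: each byte is xored with the byte before it,
    and the first byte with key. reverse=True chains from the beginning instead,
    which is the inverse operation (assumed to correspond to the tool's -r).
    """
    end = len(data) if size is None else offset + size
    buf = data[offset:end]
    out = bytearray(len(buf))
    if not reverse:
        for i in range(len(buf) - 1, 0, -1):
            out[i] = buf[i] ^ buf[i - 1]
        if buf:
            out[0] = buf[0] ^ key
    else:
        prev = key
        for i, b in enumerate(buf):
            prev = b ^ prev
            out[i] = prev
    return bytes(out)


# Sample input taken from the page's malutil-xor hexdump of 1.bin.
XOR_SAMPLE = bytes.fromhex("0000000000 2539382271382271307125342225 5151515151")

if __name__ == "__main__":
    print(transform(XOR_SAMPLE, "xor", 0x51, skip_nulls=True, skip_key=True))
```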