Sécurité Informatique

File Scanning Frameworks for Malware Analysis and Incident Response

This article presents several new open source frameworks meant to simplify static file scanning for malware analysis and incident response: MASTIFF, Viper, IRMA and a few others. Their goal is to provide an extensible framework to integrate many existing scanning tools.

How to convert Signsrch/Clamsrch signatures to Yara

This article explains how I converted Signsrch signatures to Yara rules, in order to include them in my tool Balbuzard. Signsrch signatures are useful for malware analysis, to detect standard constants used in many encryption and compression algorithms, and also some anti-debugging code.

Balbuzard - malware analysis tools to extract patterns of interest and crack obfuscation such as XOR

Balbuzard is a package of malware analysis tools in python to extract patterns from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc). It can also crack malware obfuscation such as XOR, ROL, etc by bruteforcing and checking for those patterns.

Weaponized PDF

This article describes the PDF file format, related security issues and useful resources. [WORK IN PROGRESS]

pyxswf - a python tool to extract SWF (Flash) objects from documents (improved xxxswf)

pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis. It is part of the oletools package. pyxswf is an extension of xxxswf.py published by Alexander Hanel.

rtfobj - a python tool to extract embedded objects from RTF files

rtfobj is a Python module to extract embedded objects from RTF files, such as OLE ojects. It can be used as a Python library or a command-line tool. It is part of the oletools package. 

oleid - a python tool to quickly analyze OLE files

oleid is a script to analyze OLE files such as MS Office documents (e.g. Word, Excel), to detect specific characteristics that could potentially indicate that the file is suspicious or malicious, in terms of security (e.g. malware). For example it can detect VBA macros, embedded Flash objects, fragmentation. It is part of the oletools package. 

olebrowse - a simple python GUI to browse OLE files and extract streams

olebrowse is a simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams. It is part of the oletools package.

CherryProxy - a filtering HTTP proxy extensible in Python

CherryProxy is a simple HTTP proxy written in Python 2.x, based on the CherryPy WSGI server and httplib, extensible for content analysis and filtering.

Portable ExeFilter

If you want to test or use ExeFilter on Windows but you cannot or you do not want to install a Python interpreter, Portable ExeFilter is a simple solution. You just need to unzip it in any folder on a hard drive or a USB stick and it should run anywhere.

Syndiquer le contenu