Total Pageviews

Wednesday, 1 August 2018

malwasm

Offline debugger for malware's reverse engineering.

Folders

  • conf/malwasm.conf - is the configuration file for malwasm
  • core/ - contains malwasm python lib
  • cuckoo/ - contains the cuckoo package that needs to be copied in your cuckoo install folder
  • doc/ - contains some doc
  • pin/ - contains the malwpin dll source code and makefile
  • utils/ - contains scripts to run analysis and data insertion
    • create_db.py - script to force the creation of the database (usefull to reset the db)
    • file2db.py - script to insert sample data into the db
    • db2file.py - script to extract sample data from the db
    • submit.py - all in one script, to submit sample to cuckoo and insert data into malwasm db
  • web/ - contains the webservice python script

Installation

Dependencies

  • python2.7
  • python-psycopg2
  • python-argparse
  • python-flask
  • python-progressbar
  • cuckoo
  • postgresql
  • pintool

To install python dependencies

*sudo apt-get install python-psycopg2 python-flask python-progressbar python-argparse or *pip install psycopg2 flask progressbar argparse

Pintool

Pintool cannot be put directly inside malwasm due to licence issue. You have to download it by yourself.
Once downloaded you have to extract all the .dll and .exe files of the subfolder
  • /pin-2.12-53271-msvc10-windows/ia32/bin/ to the folder:
  • malwasm/cuckoo/analyzer/windows/bin

Cuckoo part

  • You need to have cuckoo correctly set up
  • You have to copy files from malwasm/cuckoo/analyzer/windows/ into your cuckoo installation in the subfolder cuckoo/analyzer/windows/
  • Your cuckoo VM needs to have a share folder with write permission on it
  • Update cuckoo section of conf/malwasm.conf to match your configuration
  • Run cuckoo.py

Database

  • Run your postgresql database
  • The current config in conf/malwasm.conf works with an out of box config of postgresql
  • WARNING: if you want to use the create_db scripts, you have to use the default postgres account otherwise you can use the schema available in conf/schema.sql

Run analysis

  • You can directly run a sample analysis with utils/submit.py
# standard analysis of the a binary
utils/submit.py malware/r.exe

# only start record instruction when it pass on adr-start and stop on adr-stop
utils/submit.py --options adr-start=0x401290,adr-stop=0x401384 malware/r.exe
  • If data insertion into malwasm db failed you can re run the insertion with
utils/file2db -d /tmp/data/13508268572/ # where /tmp/data is the share folder

utils/file2db -d /tmp/data/13508268572/  --pin-param foo # where /tmp/data is the share folder
  • If you want to clean the database you can use
utils/create_db.py --force
  • PS: data insertion can take some serious time, so just be patient!

Webservice

  • To see the report you have to run the webservice
web/malwasm_web.py
from https://github.com/malwarelu/malwasm

No comments:

Post a Comment