Session_9_Malware Analysis using pymal & malpimp.pdf
(C) SecurityXploded Research Group
Advanced Malware Analysis Training
MALWARE ANALYSIS USING PYMAL &
MALPIMP
Amit Malik
Idiot @SecurityXploded Research Group
Researcher @Fireeye Labs
Agenda
• Tools introduction
• Malpimp
  • Configuration file
  • Tracing
  • Demo
• Pymal
  • Features and functions
  • Demo
• More examples
Tools Introduction
• Malpimp – based on pydbg (a pure-Python debugger)
  • API tracing; a configuration file lets you tailor the tool to your needs.
  • Lightweight and very easy to use; it just serves its purpose.
• PyMal – Python interactive shell for malware analysis
  • Based on three powerful pure-Python tools: pefile, pydbg and volatility.
  • pydbg is not used as a debugger in PyMal; it is used for process manipulation and live memory analysis.
  • Some powerful features such as hook detection (proprietary) and injected-code detection.
  • And full Python support.
Malpimp
• The second command-line argument is the address from which tracing starts; zero means the entry point.
• Configuration file
• Fine control over tracing
• Loop detection based on return address – believe me, this is a really beautiful feature; I have seen a couple of big, heavy commercial products that suffer on this point. The technique is also unique to this tool and greatly improves tracing time. [Depending on your configuration it can reduce tracing time from 2 hours to 2 seconds with almost the same information.]
• Inclusion and exclusion policies
Malpimp Configuration
• TraceInclude – apply hooks only on these DLLs or APIs. If this policy has any value in either the DLL or the API field, TraceExclude is ignored.
• Syntax: for a DLL, the plain DLL name, e.g. kernel32.dll, user32.dll; for an API, DLL!API name, e.g. kernel32!VirtualAlloc
• TraceExclude works only when all fields in the TraceInclude policy are empty.