Hexacorn | Blog

You are browsing the archive for HexDive.

HexDive 0.6 – new strings and more -Context…

October 18, 2012 in HexDive, Malware Analysis, Software Releases

Update

I have received a question from Pedro about the APIs that are commonly used by keyloggers which I mentioned in a context of one of the screenshots; The APIs I had in mind were MonitorFromPoint and GetMonitorInfoA (used for taking screenshots on multiple monitors) and a few others that can be seen on both screenshot and inside the example_hdive_qC.txt file; this was an ambiguous statement for a few reasons (APIs can be part of a clean framework or unit/module, keylogger is not an infostealer, etc.), so I am clarifying it for the future reader;

Last, but not least – obviously the only way to confirm that any APIs highlighted by HexDive are used for malicious purposes is by doing more in-depth analysis – the only thing HexDive does is identification of APIs and strings of interest for the malware analyst

Old post

New version is 25% larger (what a bloatware! ) as it brings in a huge number of new strings:

PE Section names and other packer identifiers
Installer-related strings
Identifiers of script-to-exe type tools e.g. perl2exe, py2exe, exerb, winbatch
Lots of known CLSID strings

It slowly gets to the point where I wanted it to be when I started writing it. I also think I finally got it right on how to present the data extracted from a file in a way that:

shows as many interesting strings as possible
makes it as readable as possible
with all that it still provides information about the string’s context
allows to quickly find the string in a hex editor
in a full-output mode allows for an easy parsing
avoid missing strings as much as possible

So, with all that said, the new contextual output is introduced in this version.

It works the same way as the old version -c, but it removes keywords and duplicated lines from output (not perfectly, but good enough). I must mention here that contextual output requires a wide screen (terminal at least 120 columns), but I hope if you do malware analysis you have this available (feel free to let me know if you need a more narrower output, so I can accommodate that in a future version).

The new contextual output option is available as capitalized -c i.e. -C – You can run it in many ways, e.g.

hdive -C

hdive -aC

hdive -afC

See example below and as usual, I would be grateful if you let me know if it works for you or if you spot issues.

Example Session

This is a sample of a new malware, downloaded quite recently.

Running hdive on it first:

hdive -C // note capital letter

The file is UPXd, and we can see some Borland strings (Boolean/False/True/Char/etc.).

We can unpack it using upx.exe

upx -d test\sample.exe -o test\sample.exe.unpacked

…and then run hdive again:

hdive -qC test\sample.exe.unpacked

Now it looks much better and it’s definitely Borland.

Scrolling down we can see lots of juicy info – APIs that are commonly used by keyloggers,

then going further, we can see winsock functions and strings, as well as Delphi components (units) listed as well together with ‘username’, ‘password’:

and finally lots of HTTP-related strings, as well as another unit-name from Borland:

There are more interesting strings there – you can see output of the command by viewing all the attached text files; read on.

Out of curiosity, I compared the output of the following commands:

strings -q -n 6 // this is usually a good length allowing removing a lot of junk
hdive -q
hdive -qC

on the very same sample and then compared the file sizes and number of lines in each file.

These are the results:

dir example_*
2012-10-19  01:24            17,185 example_hdive_q.txt
2012-10-19  01:24            61,364 example_hdive_qC.txt
2012-10-19  01:24            58,199 example_strings_qn6.txt

wc -l example*
  1336 example_hdive_q.txt
   529 example_hdive_qC.txt
  3777 example_strings_qn6.tx

It would seem (and mind you, it is a very subjective statement ) that hdive can be quite a time saver! Instead of reviewing over 3.5K, you end up doing 35% of it and immediately getting juicy keywords and their context (this can be of course still improved).

You can download the files here:

hdive.exe or hdive.zip

examples:

example_hdive_q.txt

example_hdive_qC.txt

example_strings_qn6.txt

Enjoy!

Comments Off

HexDive 0.5 – Adding a bit of a context…

October 2, 2012 in HexDive, Malware Analysis, Software Releases

It’s time for a new version of HexDive!

Today’s changes introduce many new keywords and some new features + bug fixes:

Keywords:

Delphi package/library/unit names (I posted some subset of this list previously)
Compiler-related strings (not that really useful for malware analysis, but may help to identify the compiler-specific strings)
Copyright banners (I posted some previously)
Registry key/value names (also posted some previously)
More information stealing-related strings (some more software targeted by infostealers, including some old ones e.g. The Bat, ICQ, AOL, etc.)
Game-related strings (to highlight malware targeting various computer games)
A lot new generic malware strings (from the top of the histogram of all strings extracted from 1M+ samples); many of these strings are not categorized yet, but still – better to have them being picked up than wait for a classification to be complete – use -a option to see what ‘juicy’ stuff is being picked up

New features:

The output produced by -a option now includes physical offsets and may include context (see next point)
I added a new experimental feature that shows context of the strings – basically, some bytes before and after the string in a file; this should help to quickly assess what’s the potential usefulness of the string and its context; it may also help to find other strings that are not picked up by HexDive for various reasons and that are stored inside the file within a close proximity of a found string. To see context, use a new command line options ‘-c’. See example below to see how it works in practice and how to use it to quickly locate strings of interest in a hex viewer.

Bug fixes:

sometimes some strings were not picked up due to a bug in the processing algorithm; this affected strings that were using mixed lower/uppercase; should be fixed now; note: this bugfix introduces a side-effect that makes the output a bit noisier (e.g. New, NEW, NeW are being picked up; I may introduce some filtering of the output if it becomes an issue)
sometimes some strings were printed twice – should be fixed now
strings were not picked up at the end of the file – should be fixed now

You can download current version of HexDive here.

If your .exe download is blocked, you can try a zip file.

Example of strings with a context

When ran with -c option, HexDive shows a string with a context:

At the moment, it shows a string in one row, then in a next row the actual context of the string and finally 10 hexadecimal values

that you can copy and paste into a Search/Find in your favorite Hex Viewer

to quickly locate the string of interest and it’s context without worrying about Unicode/ANSI/non-printable values:

Comments Off

HexDive 0.4

August 19, 2012 in HexDive, Malware Analysis, Software Releases

It’s been a while since I updated HexDive, so I took some time today to fix a few things + add new keywords.

So, what’s new?

Mainly lots of new keyword sets. Some are just a tip of an iceberg and I will be extending these as I go through a malware collection in the future, but even at this stage these should certainly help in picking up some new interesting stuff, including but not limited to:

new banking-related strings
more information stealing strings (PStore, Firefox, FTP programs, Certificates, etc.)
keystrokes (thx Corey)
anti-sandbox tricks (partially based on an excellent summary post from Joe Security LLC and interesting new technique described by F-Secure)
swearwords
lots of new registry keys related to settings, games, P2P, and lots of other applications
some default passwords occasionally used by worms
generic malware strings (lots of them, I still need to classify them, but at least they are already in the set)

You can download current version of HexDive here. If your .exe download is blocked, you can try a zip file.

p.s.

I still don’t pay too much attention to a Linux version – this is lower priority than a different feature I am currently working on (stay tuned).

Bonus update:

hdive ran over two gauss samples

08D7DDB11E16B86544E0C3E677A60E10_100-dskapi.ocx
5604A86CE596A239DD5B232AE32E02C6_smdk.ocx

Various classes of interesting strings are highlighted:

08D7DDB11E16B86544E0C3E677A60E10_100-dskapi.ocx

CorExitProcess
mscoree.dll
null
null
support
open
support
support
kernel32.dll
local
local
local
default
local
dddd, MMMM dd, yyyy
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
SunMonTueWedThuFriSat
urlmon.dll
SeTakeOwnershipPrivilege
inflate
deflate
abcd
ABCD
abcd
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeRestorePrivilege
LoadLibraryW
kernel32.dll
GetCommandLineW
Sleep
kernel32.dll
FreeLibrary
kernel32.dll
VirtualFree
kernel32.dll
ExitThread
kernel32.dll
DeleteFileA
kernel32.dll
MoveFileExA
kernel32.dll
ntdll.dll
SeRestorePrivilege
SeBackupPrivilege
RegCreateKeyExW
RegSaveKeyW
RegRestoreKeyW
RegOpenKeyExW
RegFlushKey
RegCloseKey
RegSetValueExW
RegDeleteValueW
RegQueryValueExW
ObtainUserAgentString
HttpSendRequestW
InternetQueryOptionW
InternetSetOptionW
InternetCloseHandle
InternetQueryDataAvailable
HttpAddRequestHeadersW
InternetReadFile
HttpQueryInfoW
InternetOpenW
InternetConnectW
HttpOpenRequestW
OpenProcessToken
ImpersonateLoggedOnUser
AdjustTokenPrivileges
LookupPrivilegeValueW
RegDeleteKeyW
SetEntriesInAclW
FreeSid
MoveFileExW
CloseHandle
DeleteFileW
CreateMutexW
Sleep
GetCurrentProcessId
VirtualAlloc
LoadLibraryW
CreateThread
GetModuleFileNameW
VirtualFree
GetCurrentProcess
GetModuleHandleA
OpenProcess
GetLastError
GetFileSize
ReadFile
CreateFileW
GetPrivateProfileStringW
FreeLibrary
GetProcAddress
GetSystemTime
DuplicateHandle
MultiByteToWideChar
LoadResource
SizeofResource
LockResource
GetVersionExW
CreateToolhelp32Snapshot
GetFileAttributesW
GetModuleHandleW
SetFileTime
WriteFile
Process32FirstW
ReadProcessMemory
Process32NextW
WriteProcessMemory
VirtualAllocEx
CreateRemoteThread
VirtualFreeEx
LocalFree
LocalAlloc
LoadLibraryA
TerminateProcess
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCurrentThreadId
GetCommandLineA
HeapFree
GetVersionExA
HeapAlloc
ExitProcess
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
HeapDestroy
HeapCreate
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
GetCPInfo
GetACP
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
SetFilePointer
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
WriteConsoleA
WriteConsoleW
CreateFileA
FlushFileBuffers
GetSystemMetrics

5604A86CE596A239DD5B232AE32E02C6_smdk.ocx

CorExitProcess
mscoree.dll
null
null
support
open
support
support
local
local
local
default
local
kernel32.dll
dddd, MMMM dd, yyyy
england
chinese
chinese
chinese
chinese
GetProcessWindowStation
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
SunMonTueWedThuFriSat
deflate
Jean-loup Gailly
Mark Adler
true
RegOpenKeyW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
TerminateThread
CreateThread
Process32NextW
CreateToolhelp32Snapshot
GetLastError
Process32FirstW
DuplicateHandle
GetCurrentProcess
SetEvent
GetLogicalDriveStringsW
GetSystemTime
DeviceIoControl
CreateFileW
GetDriveTypeW
FindClose
FindFirstFileW
FindNextFileW
LocalAlloc
GetProcAddress
FreeLibrary
LoadLibraryA
TerminateProcess
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCurrentThreadId
GetCommandLineA
HeapFree
GetVersionExA
HeapAlloc
GetModuleHandleA
Sleep
ExitProcess
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
HeapDestroy
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetCPInfo
GetACP
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
WriteFile
InitializeCriticalSection
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetFilePointer
WriteConsoleA
WriteConsoleW
CreateFileA
FlushFileBuffers
GetFileSize
GetFileAttributesW

Comments Off

HexDive 0.3

July 5, 2012 in HexDive, Malware Analysis, Software Releases

New version comes with lots of fixes and updates.

New stuff includes:

lots of new malware-specific APIs (I manually walked through thousands of them so over 1600+ APIs commonly used by malware is now being picked up)
banking URLs (all stuff from web injects from Zeus/SpyEye etc.)
domain names commonly changed via hosts file (anti-* routine to block security software, etc.)
minor fixes to existing strings (simple mistakes I spotted)
large files are now supported; it has been implemented since the beginning, but I have not tested it yet; if you come across issues, please let me know
extra option to avoid showing copyright banner (same as in SysInternals tools /q or -q)
better options handling (a’la Linux) so you can now specify -qfa instead of -q -f -a

What’s coming: Currently toying around with porting the code to yasm so elf32 version precompiled for Linux Ubuntu may appear soon

You can download current version of HexDive here.

If your .exe download is blocked, you can try a zip file.

Note:

If you find HexDive is missing strings, please let me know and I will add them. At some stage I plan to release all of the strings for free, but before I do it I want to ensure they are at least classified to some extent. Yes, I will do the dirty job just let me know what is missing. If you have some features you would like to see, please let me know as well. And if you find any bugs, please also let me know.

Thanks for trying and don’t forget to check our other tools!

Comments Off

HexDive 0.2

June 21, 2012 in HexDive, Malware Analysis

I just released a new version of HexDive. Added really lots of new strings so it should be picking up more juice from malicious samples

New strings include:

pcap (winpcap related strings)
libraries
mime types
charset encodings
formatted strings patterns
OS file names
protocols
IPs
User agents
information-stealing related keywords
and more

Note, at this stage HexDive doesn’t search for any regexes (e.g. URLs/emails/etc ), but it is in the making, so stay tuned.

You can download it here.

If your .exe download is blocked, you can try a zip file.

Note1:

If you find HexDive is missing strings, please let me know and I will add them. At some stage I plan to release all of the strings ofr free, but before I do it I want to ensure they are at least classified to some extent. Yes, I will do the dirty job just let me know what is missing. Thanks!

Note2:

hdive can be ran on static samples (unpacked) and process memory dumps as well; for the benchmark purposes – an example when it is ran on a 27MB file which is a process memory dump of a simple trojan takes 12-13 seconds.

TimeThis : Command Line : hdive malware.DMP
TimeThis : Start Time : Fri Jun 22 20:24:02 2012

TimeThis : Command Line : hdive malware.DMP
TimeThis : Start Time : Fri Jun 22 20:24:02 2012
TimeThis : End Time : Fri Jun 22 20:24:15 2012
TimeThis : Elapsed Time : 00:00:12.683

Comments Off

HexDive – Intelligent String Extractor

June 7, 2012 in HexDive, Malware Analysis, Software Releases

In my last two posts, I mentioned I am working on a new tool. The tool’s idea is to extract a subset of all strings from a given file/sample in order to reduce time needed for finding ‘juicy’ stuff – meaning: any string that can be associated with a) malware b) any other category;

This should help in a quick assessment of a file w/o going through lots of noise coming from typical strings tools (they ‘see’ a few bytes looking like ASCII/Unicode and assume it is a string).

Hopefully the tool will help in batch analysis (on unpacked files, or memory dumps).

This is a first release so expect bugs; for various reasons I stripped part of the database as I am still working on full classification of all keywords (this is a one hell of work).

By default, the tool works like an enhanced HAPI. It extracts interesting strings to the output, but includes not only APIs, but also other stuff .

To see a full categorization and also include _all_ recognized strings use options as described and shown on a few screenshots below.

I hope it works for you and will be useful. If you find any bugs, I will really appreciate if you let me know. Also, if you see some strings being missed, please be patient and wait for next release (and ideally drop me an email listing all the stuff hdive missed; I will add it in a next release).

Thanks for trying!

Update:

elhoim is asking about speed and programing language; it’s x86 assembly, for small files it’s a blitz; for larger e.g. 30MB, there is a short moment of ‘thinking’, but it’s reasonable. Didn’t test on a large collection, but for this I would need to add a processing for directories to speed it up (I have it on todo list). IT searches for over 100K unique keywords at the moment (including both ANSI, Unicode, some case sensitive).

Update #2

Check this nice post about MBR Analysis on http://www.sysforensics.org/2012/06/mbr-malware-analysis.html to see what difference HexDive makes in string analysis.

To Run:

--------------------------------------------------------------
  hexdive v0.1 (c) Hexacorn 2012. All rights reserved.
  Visit us at http://www.hexacorn.com
--------------------------------------------------------------
Usage:
   hdive [-/]<options> <filename>
      where options are:
      - a - show all strings (only malware-related are shown by default)
      - f - show |-separated classification (default output are raw strings)
Example:
   hdive -a malware.exe
   hdive -f malware.exe
   hdive -a -f malware.exe
--------------------------------------------------------------

Gimme a file name!

Examples of use:

hdive c:\Windows\System32\notepad.exe

and

hdive -f c:\Windows\System32\notepad.exe

hdive -a c:\Windows\System32\notepad.exe

hdive -f c:\Windows\System32\notepad.exe

You can download it here.

Comments Off

HexDive – Preview of a new tool (2)

June 5, 2012 in HexDive, Malware Analysis, Software Releases

I thought I will show some more output from the tool – these are malware-specific APIs only (tool outputs more stuff).

atm it’s over 70,000 keywords searched using modified Aho-Corasick algorithm:

Flame memory dump (partial)

Random malware sample:

2 Comments »

HexDive – Preview of a new tool

June 3, 2012 in HexDive, Malware Analysis, Software Releases

tl; dr; reduces time needed for strings review by extracting selected strings from analyzed samples omitting lots of junk seen in an output of a typical strings tool + as a bonus gets these strings classified

HexDive is a new toy of mine. I liked the way HAPI worked, but always planned to write something a bit smarter than just exporting known APIs from the analyzed files. HAPI was actually a first test of the idea that I had for a very long time, yet my ongoing research has not been completed by the time I wrote it. What I wanted to write was a tool that generates output that can immediately give an analyst a power to classify file functionality on the spot. This may also help automation that can be driven by cherry picked known-strings from the analyzed file. It may (and hopefully will) help a lot with batch analysis.

Existing, similar projects exist of course, but their databases are very small. More advanced projects are usually private (AV companies use them). In order to do it right, a large database of good malware-related and good keywords is needed. This can’t be obtained easily as there are literally tones of samples and each contains lots of strings. So, one needs to be selective and decide what strings exported from a sample or a memory dump are the good ones (or bad ones). Often, dynamic analysis is needed with a process instrumentation helping in picking up interesting stuff. This is tough and it took me over a year of collecting different artifacts from 250000 unique samples as well as taking notes from various places on the web or my own system. My notes file contains now lots of data and I am slowly working through it. And just to be clear, the data I am looking for are not file names of known malware, but the stuff that is common amongst malware files – registry keys, etc.

I am finishing the testing and there is a lot of work of updating precompiled foriests of tries (no, it’s not a typo , but am already happy to present an excerpt from the output from the first beta version. First public version of a tool will be published within a week or so.

--------------------------------------------------------------
  hexdive v0.1 (c) Hexacorn 2012. All rights reserved.
  Visit us at http://www.hexacorn.com
--------------------------------------------------------------

A|ACL|Privileges|SeDebugPrivilege
A|Environment variable|User Profile|%USERPROFILE%
A|Directory|Program Files directory (32-bit)|Program Files
A|Interesting keywords|-|Explorer
A|api|generic|RtlAnsiStringToUnicodeString
A|anti-routine|process name|avp.exe
A|ACL|Privileges|SeDebugPrivilege
A|Interesting keywords|-|Userinit
A|IRC|-|PING
A|IRC|-|PONG
A|IRC|-|JOIN
A|Placeholder|IP|%d.%d.%d.%d
A|Environment variable|Date|%date%
A|File Extension|-|.com
U|anti-routine|process name|avp.exe
U|File Extension|-|.exe
U|Interesting keywords|-|desktop.ini

Comments Off

Hexacorn Ltd

You are browsing the archive for HexDive.

HexDive 0.6 – new strings and more -Context…

Example Session

HexDive 0.5 – Adding a bit of a context…

HexDive 0.4

HexDive 0.3

HexDive 0.2

HexDive – Intelligent String Extractor

HexDive – Preview of a new tool (2)

HexDive – Preview of a new tool

View older posts

Categories