HexDive – Preview of a new tool

tl;dr: reduces the time needed for strings review by extracting selected strings from analyzed samples, omitting much of the junk seen in the output of a typical strings tool; as a bonus, the extracted strings get classified.

HexDive is a new toy of mine. I liked the way HAPI worked, but always planned to write something a bit smarter than just exporting known APIs from the analyzed files. HAPI was actually a first test of an idea that I had had for a very long time, yet my ongoing research had not been completed by the time I wrote it. What I wanted to write was a tool that generates output that can immediately give an analyst the power to classify file functionality on the spot. This may also help automation driven by cherry-picked known strings from the analyzed file. It may (and hopefully will) help a lot with batch analysis.

Similar projects exist, of course, but their databases are very small. More advanced projects are usually private (AV companies use them). In order to do it right, a large database of good malware-related keywords is needed. This can't be obtained easily, as there are literally tons of samples and each contains lots of strings. So, one needs to be selective and decide which strings exported from a sample or a memory dump are the good ones (or bad ones). Often, dynamic analysis is needed, with process instrumentation helping to pick up interesting stuff. This is tough, and it took me over a year of collecting different artifacts from 250000 unique samples as well as taking notes from various places on the web or my own system. My notes file now contains lots of data and I am slowly working through it. And just to be clear, the data I am looking for are not file names of known malware, but the stuff that is common amongst malware files – registry keys, etc.

I am finishing the testing and there is a lot of work left updating the precompiled forests of tries (no, it's not a typo :), but I am already happy to present an excerpt of the output from the first beta version. The first public version of the tool will be published within a week or so.

--------------------------------------------------------------
  hexdive v0.1 (c) Hexacorn 2012. All rights reserved.
  Visit us at https://www.hexacorn.com
--------------------------------------------------------------
A|ACL|Privileges|SeDebugPrivilege
A|Environment variable|User Profile|%USERPROFILE%
A|Directory|Program Files directory (32-bit)|Program Files
A|Interesting keywords|-|Explorer
A|api|generic|RtlAnsiStringToUnicodeString
A|anti-routine|process name|avp.exe
A|ACL|Privileges|SeDebugPrivilege
A|Interesting keywords|-|Userinit
A|IRC|-|PING
A|IRC|-|PONG
A|IRC|-|JOIN
A|Placeholder|IP|%d.%d.%d.%d
A|Environment variable|Date|%date%
A|File Extension|-|.com
U|anti-routine|process name|avp.exe
U|File Extension|-|.exe
U|Interesting keywords|-|desktop.ini
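To make the idea concrete, here is an added example of the extract-then-classify step in Python. It is not HexDive's code and its keyword table is a constructed handful of entries modelled on the categories in the excerpt above; a plain dict stands in for the precompiled tries, and the sample byte blob is constructed inline to stand in for a section of a PE file. Matching is whole-string and case-insensitive on purpose: many of the indicators are short ("PING", ".exe"), so substring matching would flood the report with the very junk the tool is meant to drop.

```python
import re

# Constructed keyword table in the spirit of the categories above (not HexDive's database):
# (category, subcategory, canonical string)
KEYWORDS = [
    ("ACL", "Privileges", "SeDebugPrivilege"),
    ("Environment variable", "User Profile", "%USERPROFILE%"),
    ("Directory", "Program Files directory (32-bit)", "Program Files"),
    ("Interesting keywords", "-", "Userinit"),
    ("api", "generic", "RtlAnsiStringToUnicodeString"),
    ("anti-routine", "process name", "avp.exe"),
    ("IRC", "-", "PING"),
    ("IRC", "-", "JOIN"),
    ("Placeholder", "IP", "%d.%d.%d.%d"),
    ("File Extension", "-", ".exe"),
]

# Whole-string, case-insensitive lookup (a dict stands in for the precompiled tries).
# Many indicators are short ("PING", ".exe"); substring matching would flood the report.
INDEX = {k.lower(): (cat, sub, k) for cat, sub, k in KEYWORDS}

MIN_LEN = 4
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data):
    """Yield ('A', text) for printable ASCII runs, then ('U', text) for UTF-16LE runs,
    i.e. the raw output a strings tool with Unicode support would give."""
    for m in ASCII_RUN.finditer(data):
        yield "A", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield "U", m.group().decode("utf-16-le")


def classify(data):
    """Keep only strings known to the table and emit 'A|category|subcategory|string' lines.
    Duplicates are kept, as in the excerpt above, so repetition of a string stays visible."""
    lines = []
    for enc, text in extract_strings(data):
        hit = INDEX.get(text.strip().lower())
        if hit is not None:
            cat, sub, canonical = hit
            lines.append(f"{enc}|{cat}|{sub}|{canonical}")
    return lines


# Constructed blob standing in for a section of a sample: NUL-terminated ASCII strings,
# binary junk, a strings-tool false positive, then two UTF-16LE strings.
SAMPLE = (
    b"\x00\x00MZ\x90\x00"
    b"SeDebugPrivilege\x00" b"\x01\x02\x03\x04"
    b"%USERPROFILE%\x00" b"RtlAnsiStringToUnicodeString\x00"
    b"PING\x00JOIN\x00" b"%d.%d.%d.%d\x00"
    b"qwe)rt(yuiop\x00\x00\x00"                     # printable junk; a plain strings tool prints this
    + "avp.exe".encode("utf-16-le") + b"\x00\x00"
    + ".exe".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    print("\n".join(classify(SAMPLE)))
```

Running the block prints eight classified lines and silently drops the `qwe)rt(yuiop` run that a plain strings tool would have shown; the ASCII hits come first and the UTF-16 hits after, which is also the order in the excerpt above.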

$MFT scanning for fun and err… Flame

Update 2018-12-15

This tool was an experiment; please do not use it anymore, as it produces unreliable reports and has not been updated for many years. Use modern AV/EDR software instead. Thanks!

Update 2012-July

Expect this tool to grow over next couple of months.

Old Post

I was toying around with $MFT parsing and came up with a simple demo tool that parses the $MFT looking for remnants of malware. The tool is written in x86 assembly, so I guess it is forensically sound 😉

At the moment it only scans for Flame malware (I used a list compiled from all the places I could find, including my own research, CrySyS Lab, Kaspersky, BitDefender, malware.lu, kernelmode.info, etc.; the list is pasted below).

It should find both live entries (existing files) and deleted entries.

This is how it works – if it is bad news for you:

Note: this is an experimental tool – DO NOT test it on a production system. You can always use fls.exe from The Sleuth Kit instead.
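As an added illustration of what such a scan has to do (this is not the tool's assembly code, and it reads an in-memory buffer rather than a raw volume), the Python below walks 1024-byte FILE records, undoes the NTFS update-sequence fixups, pulls the name out of each resident $FILE_NAME attribute and matches it against a subset of the indicator list below, wildcards included. Deleted files show up because NTFS only clears the in-use flag in the record header; the $FILE_NAME attribute stays in place until the record is reused. The four-record $MFT slice is constructed by the block itself as test data, with layout offsets taken from the NTFS on-disk format.

```python
import fnmatch
import struct

# Subset of the Flame file-name indicators listed on this page; wildcards are kept as written.
FLAME_NAMES = ["mssecmgr.ocx", "advnetcfg.ocx", "boot32drv.sys", "~DFL*.tmp", "~HLV*.tmp"]

MFT_RECORD_SIZE = 1024
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x01   # cleared on delete; the record keeps its $FILE_NAME until it is reused


def apply_fixups(rec):
    """Undo NTFS update-sequence fixups on one FILE record.
    Returns the repaired bytearray, or None if a sector tail lacks the USN (torn record)."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    buf = bytearray(rec)
    for i in range(1, usa_count):
        end = i * 512
        if bytes(buf[end - 2:end]) != usn:
            return None
        buf[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return buf


def file_names(rec):
    """Yield (name, in_use) for each resident $FILE_NAME attribute of a FILE record."""
    if rec[:4] != b"FILE":
        return
    buf = apply_fixups(rec)
    if buf is None:
        return
    attr_off, flags = struct.unpack_from("<HH", buf, 20)
    in_use = bool(flags & FLAG_IN_USE)
    off = attr_off
    while off + 16 <= len(buf):
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == ATTR_END or alen < 24 or off + alen > len(buf):
            break
        non_resident = buf[off + 8]
        if atype == ATTR_FILE_NAME and non_resident == 0:
            vlen, voff = struct.unpack_from("<IH", buf, off + 16)
            body = buf[off + voff:off + voff + vlen]
            nlen = body[64]                       # name length in UTF-16 code units
            yield body[66:66 + 2 * nlen].decode("utf-16-le", "replace"), in_use
        off += alen


def scan_mft(data, patterns=FLAME_NAMES):
    """Return [(record_no, name, 'live'|'deleted')] for every name matching an indicator."""
    lowered = [p.lower() for p in patterns]
    hits = []
    for n in range(len(data) // MFT_RECORD_SIZE):
        rec = data[n * MFT_RECORD_SIZE:(n + 1) * MFT_RECORD_SIZE]
        for name, in_use in file_names(rec):
            if any(fnmatch.fnmatchcase(name.lower(), p) for p in lowered):
                hits.append((n, name, "live" if in_use else "deleted"))
    return hits


def make_record(name, in_use, usn=0x1234):
    """Constructed 1024-byte FILE record with one resident $FILE_NAME (test data, not from a volume)."""
    name16 = name.encode("utf-16-le")
    body = bytearray(66 + len(name16))
    struct.pack_into("<Q", body, 0, 5)            # parent = MFT record 5 (root directory)
    body[64], body[65] = len(name), 3             # name length, namespace Win32 & DOS
    body[66:] = name16
    alen = (24 + len(body) + 7) & ~7
    attr = bytearray(alen)
    struct.pack_into("<IIBBHHHIH", attr, 0, ATTR_FILE_NAME, alen, 0, 0, 0x18, 0, 2, len(body), 24)
    attr[24:24 + len(body)] = body
    rec = bytearray(MFT_RECORD_SIZE)
    rec[:4] = b"FILE"
    flags = FLAG_IN_USE if in_use else 0
    struct.pack_into("<HHQHHHHII", rec, 4, 48, 3, 0, 1, 1, 56, flags, 56 + alen + 8, MFT_RECORD_SIZE)
    struct.pack_into("<H", rec, 48, usn)          # USN; array entries at 50..54 hold the original zero tails
    rec[56:56 + alen] = attr
    struct.pack_into("<I", rec, 56 + alen, ATTR_END)
    struct.pack_into("<H", rec, 510, usn)         # on disk, each 512-byte sector ends with the USN
    struct.pack_into("<H", rec, 1022, usn)
    return bytes(rec)


# Constructed four-record $MFT slice: one live Flame module, one deleted temp file, two benign names.
SAMPLE_MFT = b"".join([
    make_record("ntoskrnl.exe", True),
    make_record("mssecmgr.ocx", True),
    make_record("~DFL983.tmp", False),
    make_record("notes.txt", False),
])

if __name__ == "__main__":
    for n, name, state in scan_mft(SAMPLE_MFT):
        print(f"MFT record {n}: {name} ({state})")
```

On a real system the same logic would be fed the raw $MFT (read from the volume handle or from an image, with multi-sector records and non-resident $ATTRIBUTE_LIST entries handled as well); the fixup check is the part people skip, and skipping it corrupts two bytes of every sector and produces exactly the unreliable reports the 2018 update warns about.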

The tool can be downloaded here.

This is a list of files it searches for:

  • advnetcfg.ocx
  • Advpck.dat
  • audache
  • audfilter.dat
  • authcfg.dat
  • authpack.ocx
  • boot32drv.sys
  • browse32.ocx
  • ccalc32.sys
  • cmutlcfg.ocx
  • commgr32
  • comspol32.dll
  • comspol32.ocx
  • contents.btr
  • ctrllist.dat
  • dcomm.dat
  • desc.ini
  • dmmsapi.dat
  • dsmgr.ocx
  • dstrlog.dat
  • Ef_trace.log
  • fib32.bat
  • frog.bat
  • gppref32.exe
  • grb9m2.bat
  • guninst32
  • indsvc32.ocx
  • lib.ocx
  • lmcache.dat
  • lss.ocx
  • m4aaux.dat
  • modevga.com
  • mprhlp
  • MSAPackages
  • MSAudio
  • MSAuthCtrl
  • mscrypt.dat
  • msglu32.ocx
  • mssecmgr.ocx
  • MSSecurityMgr
  • MSSndMix
  • mssui.drv
  • mssvc32.ocx
  • netcfgi.ocx
  • ntaps.dat
  • nteps32
  • nteps32.ocx
  • Pcldrvx.ocx
  • rdcvlt32.exe
  • Rpcnc.dat
  • rpcns4.ocx
  • scaud32.exe
  • scsec32.exe
  • sdclt32.exe
  • secindex.dat
  • soapr32.ocx
  • ssitable
  • stamn32
  • svchost1ex.mof
  • Svchostevt.mof
  • target.lnk
  • to961.tmp
  • urpd.ocx
  • watchxb.sys
  • wavesup3.drv
  • winconf32.ocx
  • winrt32.dll
  • winrt32.ocx
  • wlndh32
  • Wpab32.bat
  • wpgfilter.dat
  • wrm3f0
  • zff042
  • ~8C5FF6C.tmp
  • ~a29.tmp
  • ~d43a37b.tmp
  • ~DEB83C.tmp
  • ~DEB93D.tmp
  • ~DF05AC8.tmp
  • ~dfc855.tmp
  • ~DFD85D3.tmp
  • ~DFL*.tmp
  • ~DFL983.tmp
  • ~dra*.tmp
  • ~dra52.tmp
  • ~dra53.tmp
  • ~f28.tmp
  • ~fghz.tmp
  • ~HLV
  • ~HLV*.tmp
  • ~KWI
  • ~KWI988.tmp
  • ~KWI989.tmp
  • ~mso2a0.tmp
  • ~mso2a1.tmp
  • ~mso2a2.tmp
  • ~nms534
  • ~rcf0
  • ~rcj0
  • ~rei524.tmp
  • ~rei525.tmp
  • ~rf288.tmp
  • ~rft374.tmp
  • ~TFL848.tmp
  • ~TFL849.tmp
  • ~ZLM0D1.ocx
  • ~ZLM0D2.ocx