Update: There is an updated version of this list of tools posted to my blog here.
The first step is to build a virtual machine with VMware, VirtualPC, or whatever you prefer. It should be as similar to your corporate image as you can make it, but it should not be on your domain. Also, if you select VMware Server, do not install VMware Tools into the VM. Sure it makes things easier, but it can also make it easy for malware to determine that it's in a VM and prevent it from running. I would also recommend installing your company's AV scanner, but disable real-time scanning by default.
Once you've created your VM, you need add some tools to make analysis possible. Here's the list of stuff in my VM.
Cygwin
- Didier Stevens' SpiderMonkey
- pefile
- Jim Clausing's packerid.py
- My ieget.sh
- Mozilla rhino debugger
GMER
catchme
Mandiant Red Curtain
OSAM Autorun Manager
Mike Lin's Startup Control Panel
HiJackThis / StartupList / ADSSpy
HashCalc
HHD Free Hex Editor
OllyDBG (also: Immunity Debugger)
Plugins:
- AnalyzeThis
- FindCrypt
- Hide Debugger
- OllyDump
- OllyFlow
- OllyDbg PE Dumper
ImportREC
iDEFENSE
- MAP
- SysAnalyzer
- HookExplorer
- SniffHit
- PEiD
SysInternals
- AccessEnum
- autoruns
- Filemon
- procexp
- psexec
- psfile
- psgetsid
- Psinfo
- pskill
- pslist
- psloggedon
- psloglist
- pspasswd
- psservice
- psshutdown
- pssuspend
- Regmon
- RootkitRevealer
- tcpvcon
- Tcpview
Firefox (JavaScript Console mod)
Also, having links to VirusTotal and CWSandbox in your VM is a good idea.
It isn't a tool but it could be useful :
ReplyDeletehttp://www.nothink.org/malware/report/hash-a.html
You can take a look at this one:
ReplyDeleteAMIR: http://www.malwareinfo.org/Utilities/AMIR.zip
AMIR or Advance Malware Identification & Removal is an application that will help you to quickly identify any unwanted process running in your system. Also it will also give you the option to remove them easily. Once AMIR runs in the system, it will highlight the possible suspect programs and also give you a lot of other relevant information about the process. It also give you an opportunity to analyze them and their activities at the click of a button. It shows you PE Details, actual Memory Dumps of the running process and also the various Resources used by the binary. It even has a Heuristic Scanner that can sniff out Malicious code from .vbs, .inf, .bat files. AMIR can also enable Regedit, Task Manager & Folder Option that has been locked by Malware activity. Armed with numerous state of art options, it becomes very easy to detect any kind of Malware running in the system.
This comment has been removed by a blog administrator.
ReplyDeleteHi Paul
ReplyDeleteDoes the software you mentioned in your blog operate separately or as a form complete system?
Thanks!
Each of these tools can operate independently, though some are bundled as part of a suite of tools, and some require others in order to function (i.e. packerid.py requires pefile, which requires Python, which on Win32 requires Cygwin).
ReplyDeleteThat said, I have all of these tools in a VM for performing analysis, so they are part of a single toolbox environment. I've updated and added to the tools I use several times since this original post and could probably post an updated list.