
Revision: 57693
at June 6, 2012 04:58 by Affix


Updated Code
#!/usr/bin/env ruby

# Malware_Analysis.rb
# A Ruby malware analyser that scans executable files
# and displays strings that look like interesting
# system calls.


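# Console-clearing command for the host platform. Ruby reports Windows
# builds as mswin/mingw/cygwin; the earlier bare /win/ also matched
# "darwin", so macOS would have tried to run "cls".
#
# @param platform [String] a RUBY_PLATFORM-style triple
# @return [String] "cls" on Windows toolchains, "clear" everywhere else
def clear_command(platform = RUBY_PLATFORM)
	if platform =~ /mswin|mingw|cygwin/
		"cls"
	else
		"clear"
	end
end

clearCmd = clear_command

# Path of the file to triage; nil when the script is run without an argument.
malware = ARGV[0]

# clearCmd is one of two fixed literals — nothing user-supplied reaches the shell here.
system(clearCmd)

puts "+-----------------------------------+"
puts "| Malware Analysis Ruby Script      |"
puts "| http://affix.me                   |"
puts "| Written by Keiran \"affix\" Smith   |"
puts "+-----------------------------------+"
puts ""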

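# Cheap magic-number check: true when the first bytes of fileName look
# like a PE image ("MZ") or an ELF image ("\x7FELF"). Only the header is
# inspected, so this is a triage heuristic, not a validation of the file.
#
# @param fileName [String, nil] path of the file to inspect
# @return [Boolean] false for a missing, unreadable, empty or non-executable file
def isBinary(fileName)
	# A missing argument would otherwise surface as a TypeError from File.open.
	if fileName.nil?
		puts "[!] File Error!"
		return false
	end
	# Binary mode: no newline translation and no text-encoding guesses on raw
	# executable bytes. The block form closes the handle even if read raises.
	# read(4) returns nil on an empty file, hence the to_s.
	magic = File.open(fileName, "rb") { |f| f.read(4) }.to_s
	magic.start_with?("MZ") || magic.start_with?("\x7FELF")
rescue SystemCallError
	# ENOENT, EACCES, EISDIR and friends all mean "could not read it".
	puts "[!] File Error!"
	false
end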

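# Patterns for API names and strings that deserve a second look when they
# occur in an executable. The entries are regex sources, not plain strings
# ("CreateFile.*WRITE" relies on that), so they are compiled once here
# instead of on every line of the scanned file.
# NOTE(review): "NtasdfCreateFile" looks like a mangled "NtCreateFile";
# kept as written — confirm before relying on it.
SYSTEM_CALL_PATTERNS = ["CreateMutex", "CopyFile", "CreateFile.*WRITE", "NtasdfCreateFile", "call shell32", "advapi32.RegOpenKey",
	"KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons",
	"advapi32.RegCreate", "advapi32.RegSet", "http://", "Socket", "OutputDebugString", "FindWindow", "IsDebuggerPresent"
].map { |pattern| Regexp.new(pattern) }.freeze

# Print every entry of SYSTEM_CALL_PATTERNS that matches line. A hit means
# the string is present in the file, nothing more — a packed or obfuscated
# sample will simply show no hits.
#
# @param line [String] one line of the scanned file
# @return [Array<String>] the matching pattern sources, in list order
def checkSystem(line)
	SYSTEM_CALL_PATTERNS.each_with_object([]) do |pattern, hits|
		next unless line =~ pattern
		# Regexp#source is the original list entry, so the output is unchanged.
		puts "[+] System Call made to : #{pattern.source}"
		hits << pattern.source
	end
end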

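# Registry hives whose names are worth flagging when they appear as strings
# in an executable.
REGISTRY_HIVES = ["HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE"].freeze

# Print every hive name from REGISTRY_HIVES that occurs in line.
#
# @param line [String] one line of the scanned file
# @return [Array<String>] the hives found, in REGISTRY_HIVES order
def checkRegistry(line)
	# Plain substring search: the hive names contain no regex metacharacters,
	# so interpolating them into a fresh Regexp per line bought nothing.
	REGISTRY_HIVES.select { |hive| line.include?(hive) }.each do |hive|
		puts "[+] Registry Access to Hive : #{hive}"
	end
end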

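# IRC commands and bot-style vocabulary that suggest command-and-control
# traffic when found as strings in an executable. Several entries ("Port",
# "BOT", "LIST", "INFO", "WHO") are short enough to match inside ordinary
# words, so treat a lone hit from this list as a prompt to look, not a verdict.
NETWORK_TOKENS = ["IRC", "Joined channel", "Port", "BOT", "Login", "flood", "ddos", "NICK", "ECHO", "PRIVMSG",
	"ADMIN", "AWAY", "CONNECT", "KICK", "LIST", "MODE", "MOTD", "PING", "PONG", "QUIT", "SERVLIST", "SERVICE",
	"NAMES", "JOIN", "INVITE", "INFO", "TRACE", "USERHOST", "WHO", "WHOIS", "VERSION"].freeze

# Print every token from NETWORK_TOKENS that occurs in line.
#
# @param line [String] one line of the scanned file
# @return [Array<String>] the tokens found, in NETWORK_TOKENS order
def checkNetwork(line)
	# Case-sensitive substring search, as before; the tokens hold no regex
	# metacharacters, so include? is equivalent and avoids a Regexp per line.
	NETWORK_TOKENS.select { |token| line.include?(token) }.each do |token|
		puts "[+] Network Activity Detected : #{token}"
	end
end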

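# Entry point: gate on the magic-number check, then scan the file line by
# line. Everything here is static string triage — the sample is only read,
# never executed.
if malware.nil?
	# Without a path isBinary would be handed nil; say so instead of crashing.
	puts "[!] Usage: #{$PROGRAM_NAME} <file>"
elsif isBinary(malware)
	puts "[+] Valid Executable Found beginning Analysis"
	puts ""
	# "rb" reads ASCII-8BIT with no newline translation; the block form closes
	# the handle, and each_line streams instead of loading the whole image.
	File.open(malware, "rb") do |analysis|
		analysis.each_line do |line|
			checkSystem(line)
			checkRegistry(line)
			checkNetwork(line)
		end
	end
else
	puts "[!] Not a valid Executable file"
end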

Revision: 57692
at June 6, 2012 04:50 by Affix


Initial Code
#!/usr/bin/env ruby

# Malware_Analysis.rb
# A Ruby malware analyser that scans executable files
# and displays strings that look like interesting
# system calls.


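# Console-clearing command for the host platform. Ruby reports Windows
# builds as mswin/mingw/cygwin; the earlier bare /win/ also matched
# "darwin", so macOS would have tried to run "cls".
#
# @param platform [String] a RUBY_PLATFORM-style triple
# @return [String] "cls" on Windows toolchains, "clear" everywhere else
def clear_command(platform = RUBY_PLATFORM)
	if platform =~ /mswin|mingw|cygwin/
		"cls"
	else
		"clear"
	end
end

clearCmd = clear_command

# Path of the file to triage; nil when the script is run without an argument.
malware = ARGV[0]

# clearCmd is one of two fixed literals — nothing user-supplied reaches the shell here.
system(clearCmd)

puts "+-----------------------------------+"
puts "| Malware Analysis Ruby Script      |"
puts "| http://affix.me                   |"
puts "| Written by Keiran \"affix\" Smith   |"
puts "+-----------------------------------+"
puts ""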

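# Cheap magic-number check: true when the first bytes of fileName look
# like a PE image ("MZ") or an ELF image ("\x7FELF"). Only the header is
# inspected, so this is a triage heuristic, not a validation of the file.
#
# @param fileName [String, nil] path of the file to inspect
# @return [Boolean] false for a missing, unreadable, empty or non-executable file
def isBinary(fileName)
	# A missing argument would otherwise surface as a TypeError from File.open.
	if fileName.nil?
		puts "[!] File Error!"
		return false
	end
	# Binary mode: no newline translation and no text-encoding guesses on raw
	# executable bytes. The block form closes the handle even if read raises.
	# read(4) returns nil on an empty file, hence the to_s.
	magic = File.open(fileName, "rb") { |f| f.read(4) }.to_s
	magic.start_with?("MZ") || magic.start_with?("\x7FELF")
rescue SystemCallError
	# ENOENT, EACCES, EISDIR and friends all mean "could not read it".
	puts "[!] File Error!"
	false
end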

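# Patterns for API names and strings that deserve a second look when they
# occur in an executable. The entries are regex sources, not plain strings
# ("CreateFile.*WRITE" relies on that), so they are compiled once here
# instead of on every line of the scanned file.
# NOTE(review): "NtasdfCreateFile" looks like a mangled "NtCreateFile";
# kept as written — confirm before relying on it.
SYSTEM_CALL_PATTERNS = ["CreateMutex", "CopyFile", "CreateFile.*WRITE", "NtasdfCreateFile", "call shell32", "advapi32.RegOpenKey",
	"KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons",
	"advapi32.RegCreate", "advapi32.RegSet", "http://", "Socket", "OutputDebugString", "FindWindow", "IsDebuggerPresent"
].map { |pattern| Regexp.new(pattern) }.freeze

# Print every entry of SYSTEM_CALL_PATTERNS that matches line. A hit means
# the string is present in the file, nothing more — a packed or obfuscated
# sample will simply show no hits.
#
# @param line [String] one line of the scanned file
# @return [Array<String>] the matching pattern sources, in list order
def checkSystem(line)
	SYSTEM_CALL_PATTERNS.each_with_object([]) do |pattern, hits|
		next unless line =~ pattern
		# Regexp#source is the original list entry, so the output is unchanged.
		puts "[+] System Call made to : #{pattern.source}"
		hits << pattern.source
	end
end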

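# Registry hives whose names are worth flagging when they appear as strings
# in an executable.
REGISTRY_HIVES = ["HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE"].freeze

# Print every hive name from REGISTRY_HIVES that occurs in line.
#
# @param line [String] one line of the scanned file
# @return [Array<String>] the hives found, in REGISTRY_HIVES order
def checkRegistry(line)
	# Plain substring search: the hive names contain no regex metacharacters,
	# so interpolating them into a fresh Regexp per line bought nothing.
	REGISTRY_HIVES.select { |hive| line.include?(hive) }.each do |hive|
		puts "[+] Registry Access to Hive : #{hive}"
	end
end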

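# IRC commands and bot-style vocabulary that suggest command-and-control
# traffic when found as strings in an executable. "POMG" was a typo for the
# IRC reply "PONG" and never matched anything. Several entries ("Port",
# "BOT", "LIST", "INFO", "WHO") are short enough to match inside ordinary
# words, so treat a lone hit from this list as a prompt to look, not a verdict.
NETWORK_TOKENS = ["IRC", "Joined channel", "Port", "BOT", "Login", "flood", "ddos", "NICK", "ECHO", "PRIVMSG",
	"ADMIN", "AWAY", "CONNECT", "KICK", "LIST", "MODE", "MOTD", "PING", "PONG", "QUIT", "SERVLIST", "SERVICE",
	"NAMES", "JOIN", "INVITE", "INFO", "TRACE", "USERHOST", "WHO", "WHOIS", "VERSION"].freeze

# Print every token from NETWORK_TOKENS that occurs in line.
#
# @param line [String] one line of the scanned file
# @return [Array<String>] the tokens found, in NETWORK_TOKENS order
def checkNetwork(line)
	# Case-sensitive substring search, as before; the tokens hold no regex
	# metacharacters, so include? is equivalent and avoids a Regexp per line.
	NETWORK_TOKENS.select { |token| line.include?(token) }.each do |token|
		puts "[+] Network Activity Detected : #{token}"
	end
end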

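# Entry point: gate on the magic-number check, then scan the file line by
# line. Everything here is static string triage — the sample is only read,
# never executed.
if malware.nil?
	# Without a path isBinary would be handed nil; say so instead of crashing.
	puts "[!] Usage: #{$PROGRAM_NAME} <file>"
elsif isBinary(malware)
	puts "[+] Valid Executable Found beginning Analysis"
	puts ""
	# "rb" reads ASCII-8BIT with no newline translation; the block form closes
	# the handle, and each_line streams instead of loading the whole image.
	File.open(malware, "rb") do |analysis|
		analysis.each_line do |line|
			checkSystem(line)
			checkRegistry(line)
			checkNetwork(line)
		end
	end
else
	puts "[!] Not a valid Executable file"
end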

Initial URL
http://affix.me

Initial Description
A simple Ruby script for analysing malware

Initial Title
Malware Analysis Script

Initial Tags


Initial Language
Ruby