Revision: 57693
Updated Code
at June 6, 2012 04:58 by Affix
Updated Code
#!/usr/bin/env ruby # Malware_Analysis.rb # A ruby malware analyser for analysing # executable files and displaying interesting # system calls. if RUBY_PLATFORM =~ /win/ clearCmd = "cls" else clearCmd = "clear" end malware = ARGV[0] system(clearCmd) puts "+-----------------------------------+" puts "| Malware Analysis Ruby Script |" puts "| http://affix.me |" puts "| Written by Keiran \"affix\" Smith |" puts "+-----------------------------------+" puts "" def isBinary(fileName) begin analysis = File.new(fileName, "r") type= analysis.read(4) if type =~ /MZ/ return true else if type =~ /EL/ return true else return false end end rescue Errno::ENOENT puts "[!] File Error!" end end def checkSystem(line) systemCalls = ["CreateMutex", "CopyFile", "CreateFile.*WRITE", "NtasdfCreateFile", "call shell32", "advapi32.RegOpenKey", "KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons", "advapi32.RegCreate", "advapi32.RegSet", "http://","Socket", "OutputDebugString", "FindWindow", "IsDebuggerPresent"] systemCalls.each do | call | if line =~ /#{call}/ puts "[+] System Call made to : #{call}" end end end def checkRegistry(line) registryHives = ["HKEY_CURRENT_USER","HKEY_CLASSES_ROOT","HKEY_LOCAL_MACHINE"] registryHives.each do | hive | if line =~ /#{hive}/ puts "[+] Registry Access to Hive : #{hive}" end end end def checkNetwork(line) networkCalls = ["IRC","Joined channel","Port","BOT","Login","flood","ddos","NICK","ECHO","PRIVMSG","ADMIN","AWAY","CONNECT","KICK","LIST","MODE","MOTD","PING","PONG","QUIT","SERVLIST","SERVICE","NAMES","JOIN","INVITE","INFO","TRACE","USERHOST","WHO","WHOIS","VERSION"] networkCalls.each do | call | if line =~ /#{call}/ puts "[+] Network Activity Detected : #{call}" end end end if isBinary(malware) puts "[+] Valid Executable Found beginning Analysis" puts "" analysis = File.new(malware, "r:ASCII-8BIT") analysis.readlines.each do | line | checkSystem(line) checkRegistry(line) checkNetwork(line) end else puts "[!] Not a valid Executable file" end
Revision: 57692
Initial Code
Initial URL
Initial Description
Initial Title
Initial Tags
Initial Language
at June 6, 2012 04:50 by Affix
Initial Code
#!/usr/bin/env ruby # Malware_Analysis.rb # A ruby malware analyser for analysing # executable files and displaying interesting # system calls. if RUBY_PLATFORM =~ /win/ clearCmd = "cls" else clearCmd = "clear" end malware = ARGV[0] system(clearCmd) puts "+-----------------------------------+" puts "| Malware Analysis Ruby Script |" puts "| http://affix.me |" puts "| Written by Keiran \"affix\" Smith |" puts "+-----------------------------------+" puts "" def isBinary(fileName) begin analysis = File.new(fileName, "r") type= analysis.read(4) if type =~ /MZ/ return true else if type =~ /EL/ return true else return false end end rescue Errno::ENOENT puts "[!] File Error!" end end def checkSystem(line) systemCalls = ["CreateMutex", "CopyFile", "CreateFile.*WRITE", "NtasdfCreateFile", "call shell32", "advapi32.RegOpenKey", "KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons", "advapi32.RegCreate", "advapi32.RegSet", "http://","Socket", "OutputDebugString", "FindWindow", "IsDebuggerPresent"] systemCalls.each do | call | if line =~ /#{call}/ puts "[+] System Call made to : #{call}" end end end def checkRegistry(line) registryHives = ["HKEY_CURRENT_USER","HKEY_CLASSES_ROOT","HKEY_LOCAL_MACHINE"] registryHives.each do | hive | if line =~ /#{hive}/ puts "[+] Registry Access to Hive : #{hive}" end end end def checkNetwork(line) networkCalls = ["IRC","Joined channel","Port","BOT","Login","flood","ddos","NICK","ECHO","PRIVMSG","ADMIN","AWAY","CONNECT","KICK","LIST","MODE","MOTD","PING","POMG","QUIT","SERVLIST","SERVICE","NAMES","JOIN","INVITE","INFO","TRACE","USERHOST","WHO","WHOIS","VERSION"] networkCalls.each do | call | if line =~ /#{call}/ puts "[+] Network Activity Detected : #{call}" end end end if isBinary(malware) puts "[+] Valid Executable Found beginning Analysis" puts "" analysis = File.new(malware, "r:ASCII-8BIT") analysis.readlines.each do | line | checkSystem(line) checkRegistry(line) checkNetwork(line) end else puts "[!] Not a valid Executable file" end
Initial URL
http://affix.me
Initial Description
A simple script to analyse malware in ruby
Initial Title
Malware Analysis Script
Initial Tags
Initial Language
Ruby