Analyse Executable Files For Malware Using Ruby

We haven’t featured a Ruby-related tutorial for quite a while now, so here’s a nice, simple but nonetheless useful snippet of Ruby code from Keiran Smith that is definitely worth sharing with the rest of you here at BlogFreakz. It’s a script that checks that a file is a PE or ELF executable and then searches its raw bytes for strings that suggest malicious behaviour: Windows API names such as CreateMutex and IsDebuggerPresent, registry hive names, and IRC commands of the kind found in bot command tables. Note what this is and is not: it is a static string search over the file, not a trace of the system calls the program makes when it runs, so packed or encrypted samples will show nothing and short patterns like “Port” will fire on innocent strings such as “Export”. Treat a hit as a pointer for further analysis, not as a verdict.


#!/usr/bin/env ruby
# Malware_Analysis.rb
# A Ruby malware analyser that scans an executable file
# (PE or ELF) and prints the interesting API names, registry
# hives and IRC/network strings it finds in the raw bytes.

# RUBY_PLATFORM on macOS is e.g. "x86_64-darwin20", so a bare
# /win/ would pick "cls" there; test for the real Windows builds.
if RUBY_PLATFORM =~ /mswin|mingw|cygwin/
  clearCmd = "cls"
else
  clearCmd = "clear"
end

malware = ARGV[0]
abort "Usage: #{$PROGRAM_NAME} <executable>" if malware.nil?

system(clearCmd)
puts "+-----------------------------------+"
puts "| Malware Analysis Ruby Script      |"
puts "| http://affix.me                   |"
puts "| Written by Keiran \"affix\" Smith   |"
puts "+-----------------------------------+"
puts ""

# True when the file starts with the PE ("MZ") or ELF ("\x7FELF")
# magic number. Testing /EL/ on the first four bytes matched far
# more than ELF, so the full ELF magic is compared here.
def isBinary(fileName)
  magic = File.open(fileName, "rb") { |f| f.read(4) }
  return false if magic.nil?
  magic.start_with?("MZ") || magic == "\x7FELF".b
rescue Errno::ENOENT, Errno::EACCES => e
  puts "[!] File Error: #{e.message}"
  false
end

# Each entry is a regular expression fragment matched against a raw
# line of the file, so "Socket" also fires on e.g. "WSASocket".
def checkSystem(line)
  systemCalls = ["CreateMutex", "CopyFile", "CreateFile.*WRITE", "NtCreateFile", "call shell32", "advapi32.RegOpenKey",
                 "KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons",
                 "advapi32.RegCreate", "advapi32.RegSet", "http://", "Socket", "OutputDebugString", "FindWindow", "IsDebuggerPresent"]
  systemCalls.each do |call|
    puts "[+] System Call made to : #{call}" if line =~ /#{call}/
  end
end

def checkRegistry(line)
  registryHives = ["HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE"]
  registryHives.each do |hive|
    puts "[+] Registry Access to Hive : #{hive}" if line =~ /#{hive}/
  end
end

# IRC protocol verbs and bot vocabulary. These are short, case-sensitive
# substrings ("Port" also matches "Export"), so expect false positives.
def checkNetwork(line)
  networkCalls = ["IRC", "Joined channel", "Port", "BOT", "Login", "flood", "ddos", "NICK", "ECHO", "PRIVMSG", "ADMIN", "AWAY", "CONNECT", "KICK", "LIST", "MODE", "MOTD", "PING", "PONG", "QUIT", "SERVLIST", "SERVICE", "NAMES", "JOIN", "INVITE", "INFO", "TRACE", "USERHOST", "WHO", "WHOIS", "VERSION"]
  networkCalls.each do |call|
    puts "[+] Network Activity Detected : #{call}" if line =~ /#{call}/
  end
end

if isBinary(malware)
  puts "[+] Valid Executable Found beginning Analysis"
  puts ""
  # Read in binary mode and split on newlines; each chunk is then
  # searched for the patterns above.
  File.open(malware, "rb") do |analysis|
    analysis.each_line do |line|
      checkSystem(line)
      checkRegistry(line)
      checkNetwork(line)
    end
  end
else
  puts "[!] Not a valid Executable file"
end
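The script above splits the binary on newline bytes and matches bare substrings, which is why “Port” fires on “ExportTable” and why a pattern that happens to straddle a newline is missed. The following is an added example written for this post, not part of Keiran Smith’s script: it pulls printable-ASCII runs out of the file the way the Unix `strings` tool does, then matches the same kinds of indicators (API names derived from the original pattern list, registry hives, IRC verbs, embedded URLs) as whole identifiers, and returns a report hash instead of printing as it goes. The `SAMPLE_PE` bytes, the `example.invalid` URL and all function names are constructed for illustration; the sample is not real malware.

```ruby
# Added example (not part of the original post): a `strings`-style
# scanner that matches whole identifiers instead of raw substrings.
# The sample image below is constructed here for illustration; it is
# not a real malware sample.

MIN_STRING_LENGTH = 4   # same default as the Unix `strings` tool

# API names derived from the original script's patterns, as bare names so
# they can be matched as whole words (with the optional A/W suffix that
# Win32 import tables carry).
API_NAMES = %w[CreateMutex CopyFile CreateFile NtCreateFile CreateProcess
               RegOpenKey RegCreateKey RegSetValue gethostbyname bind listen
               htons OutputDebugString FindWindow IsDebuggerPresent]

REGISTRY_HIVES = %w[HKEY_CURRENT_USER HKEY_CLASSES_ROOT HKEY_LOCAL_MACHINE]

# IRC verbs from the original list, matched only as whole words so that
# "MODE" inside "MODEL" or "Port" inside "ExportTable" does not count.
IRC_COMMANDS = %w[NICK JOIN PRIVMSG PING PONG QUIT KICK MODE]

# :pe for an "MZ" header, :elf for "\x7FELF", nil for anything else.
def executable_format(bytes)
  return :pe  if bytes.b.start_with?("MZ".b)
  return :elf if bytes.b.start_with?("\x7FELF".b)
  nil
end

# Runs of printable ASCII at least min_length long, like `strings`.
# Works on the raw bytes, so it does not depend on newline-delimited
# "lines" existing inside a binary.
def extract_strings(bytes, min_length = MIN_STRING_LENGTH)
  bytes.b.scan(/[\x20-\x7E]{#{min_length},}/)
end

# Scan an executable image and return a hash of the indicators found.
def analyse(bytes)
  report = { format: executable_format(bytes), apis: [], hives: [], irc: [], urls: [] }
  return report if report[:format].nil?
  extract_strings(bytes).each do |s|
    API_NAMES.each      { |api| report[:apis]  << api if s.match?(/\b#{api}[AW]?\b/) }
    REGISTRY_HIVES.each { |h|   report[:hives] << h   if s.include?(h) }
    IRC_COMMANDS.each   { |cmd| report[:irc]   << cmd if s.match?(/\b#{cmd}\b/) }
    report[:urls].concat(s.scan(%r{https?://[\x21-\x7E]+}))
  end
  report.each_value { |v| v.uniq! if v.is_a?(Array) }
  report
end

def print_report(report)
  if report[:format].nil?
    puts "[!] Not a PE or ELF executable"
    return
  end
  puts "[+] #{report[:format].to_s.upcase} executable"
  report[:apis].each  { |a| puts "[+] API reference      : #{a}" }
  report[:hives].each { |h| puts "[+] Registry hive      : #{h}" }
  report[:irc].each   { |c| puts "[+] IRC command string : #{c}" }
  report[:urls].each  { |u| puts "[+] Embedded URL       : #{u}" }
end

# Constructed sample: a fake "MZ" header followed by the sort of string
# fragments a dropper or IRC bot carries, separated by non-printable bytes.
# "ExportTable" and "Keybindings" are decoys that a substring search on
# "Port" or "bind" would wrongly flag.
SAMPLE_PE = [
  "MZ\x90\x00\x03\x00",
  "KERNEL32.dll\x00CreateFileA\x00CreateMutexA\x00ExportTable\x00",
  "ws2_32.dll\x00bind\x00listen\x00Keybindings\x00",
  "Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00",
  "HKEY_LOCAL_MACHINE\x00",
  "NICK %s\r\nJOIN %s\r\nPRIVMSG %s :%s\r\n",
  "http://example.invalid/bot.exe\x00",
  "\xFF\xFE\xFD",
].join.b

# Usage: ruby strings_scan.rb <executable>; with no argument, run on the sample.
if __FILE__ == $PROGRAM_NAME
  print_report(analyse(ARGV[0] ? File.binread(ARGV[0]) : SAMPLE_PE))
end
```

Whole-word matching is what keeps the decoys out: `ExportTable` and `Keybindings` are still extracted as strings, but neither matches `\bbind[AW]?\b` or an IRC verb, while `CreateFileA` and `CreateMutexA` are still recognised through the optional `[AW]` import-table suffix. Because the scan runs over the raw bytes rather than newline-split chunks, a format string like `PRIVMSG %s :%s\r\n` is found whether or not it happens to be followed by a newline byte.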
