
Analyse Executable Files For Malware Using Ruby

We haven’t featured a Ruby-related tutorial for quite a while now, so here’s a nice, simple but nonetheless useful snippet of Ruby code from Keiran Smith that is definitely worth sharing with the rest of you here at BlogFreakz. It’s a script that checks executable files for strings that suggest malware and lists the system calls, registry hives and network keywords it finds.

#!/usr/bin/env ruby

# Malware_Analysis.rb
# A ruby malware analyser for analysing
# executable files and displaying interesting
# system calls.

# /win/ on its own also matches "darwin" (macOS), so test the Windows build targets only.
if RUBY_PLATFORM =~ /mswin|mingw|cygwin/
  clearCmd = "cls"
else
  clearCmd = "clear"
end

malware = ARGV[0]
abort "Usage: #{$PROGRAM_NAME} <executable>" if malware.nil?

system(clearCmd)

puts "+-----------------------------------+"
puts "| Malware Analysis Ruby Script      |"
puts "| http://affix.me                   |"
puts "| Written by Keiran \"affix\" Smith   |"
puts "+-----------------------------------+"
puts ""

# True when the file starts with a PE ("MZ") or ELF (0x7f "ELF") magic number.
def isBinary(fileName)
  File.open(fileName, "rb") do |analysis|
    type = analysis.read(4)
    return false if type.nil?                  # empty file
    return true if type.start_with?("MZ".b)
    return true if type.start_with?("\x7fELF".b)
    false
  end
rescue Errno::ENOENT, Errno::EISDIR, Errno::EACCES
  puts "[!] File Error!"
  false
end

# Each entry is interpolated into a regexp, so "CreateFile.*WRITE" is a pattern, not a literal.
def checkSystem(line)
  systemCalls = ["CreateMutex", "CopyFile", "CreateFile.*WRITE", "NtasdfCreateFile", "call shell32", "advapi32.RegOpenKey",
                 "KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons",
                 "advapi32.RegCreate", "advapi32.RegSet", "http://", "Socket", "OutputDebugString", "FindWindow", "IsDebuggerPresent"]

  systemCalls.each do |call|
    if line =~ /#{call}/
      puts "[+] System Call made to : #{call}"
    end
  end
end

def checkRegistry(line)
  registryHives = ["HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE"]

  registryHives.each do |hive|
    if line =~ /#{hive}/
      puts "[+] Registry Access to Hive : #{hive}"
    end
  end
end

# Mostly IRC command names, since the bots this was written for are IRC-controlled.
def checkNetwork(line)
  networkCalls = ["IRC", "Joined channel", "Port", "BOT", "Login", "flood", "ddos", "NICK", "ECHO", "PRIVMSG", "ADMIN", "AWAY", "CONNECT", "KICK", "LIST", "MODE", "MOTD", "PING", "PONG", "QUIT", "SERVLIST", "SERVICE", "NAMES", "JOIN", "INVITE", "INFO", "TRACE", "USERHOST", "WHO", "WHOIS", "VERSION"]

  networkCalls.each do |call|
    if line =~ /#{call}/
      puts "[+] Network Activity Detected : #{call}"
    end
  end
end

if isBinary(malware)
  puts "[+] Valid Executable Found beginning Analysis"
  puts ""
  # Read as raw bytes; "lines" are just chunks split on 0x0A, which is fine for a substring scan.
  File.open(malware, "rb") do |analysis|
    analysis.each_line do |line|
      checkSystem(line)
      checkRegistry(line)
      checkNetwork(line)
    end
  end
else
  puts "[!] Not a valid Executable file"
end
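As an added example (not part of the original post or of Keiran Smith's script), here is the same magic-byte check and indicator scan rewritten to return its findings instead of printing them, run over a constructed in-memory buffer rather than a file. The indicator lists are trimmed from the script's, and a word-bounded variant is added to show how much bare substring matching over-fires on ordinary API names; the sample bytes are constructed, not taken from any real binary.

```ruby
# Added example, not part of Keiran Smith's script: the same magic-byte check and
# indicator scan, returning results instead of printing them and run over a
# constructed in-memory buffer, to show what plain substring matching picks up.

# Indicator lists from the script above, trimmed to what the sample exercises.
SYSTEM_CALLS  = ["CreateMutex", "CreateFile.*WRITE", "advapi32.RegOpenKey",
                 "IsDebuggerPresent", "http://"].freeze
NETWORK_WORDS = ["IRC", "Port", "PRIVMSG", "WHO", "JOIN"].freeze

# PE files start with "MZ", ELF files with 0x7f "ELF"; anything else is not handled.
def executable_type(bytes)
  head = bytes.b[0, 4]
  return :pe  if head.start_with?("MZ".b)
  return :elf if head.start_with?("\x7fELF".b)
  :unknown
end

# Substring matching exactly as the script does it: each indicator is interpolated
# into a regexp and tested against the raw bytes.
def naive_matches(bytes, patterns)
  patterns.select { |p| bytes.b =~ /#{p}/ }
end

# The same scan, but the indicator may not sit inside a longer identifier.
def bounded_matches(bytes, patterns)
  patterns.select { |p| bytes.b =~ /(?<![A-Za-z0-9_])#{p}(?![A-Za-z0-9_])/ }
end

# Constructed sample: a fake PE stub followed by NUL-separated strings of the kind
# found in a real binary's import table and string section.
SAMPLE = ("MZ\x90\x00This program cannot be run in DOS mode\0" \
          "CreateIoCompletionPort\0WHOAMI\0advapi32.RegOpenKeyExA\0" \
          "IsDebuggerPresent\0PRIVMSG\0CreateFileA\0GENERIC_WRITE\0").b

if __FILE__ == $PROGRAM_NAME
  puts "type: #{executable_type(SAMPLE)}"
  # "Port" fires on CreateIoCompletionPort and "WHO" on WHOAMI: neither is IRC traffic.
  puts "naive network:   #{naive_matches(SAMPLE, NETWORK_WORDS).inspect}"
  puts "bounded network: #{bounded_matches(SAMPLE, NETWORK_WORDS).inspect}"
  # Bounding also drops advapi32.RegOpenKeyExA, since the list names only the bare prefix.
  puts "naive system:    #{naive_matches(SAMPLE, SYSTEM_CALLS).inspect}"
  puts "bounded system:  #{bounded_matches(SAMPLE, SYSTEM_CALLS).inspect}"
end
```

The bounded variant trades recall for precision: it removes the two false positives but also misses the real RegOpenKeyExA import, so an indicator list written for boundary matching has to spell out the suffixed API names it expects.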
