{"id":21004384,"url":"https://github.com/fr0gger/malwaremuncher","last_synced_at":"2025-05-15T01:33:03.332Z","repository":{"id":187900844,"uuid":"603666703","full_name":"fr0gger/MalwareMuncher","owner":"fr0gger","description":"Malware Muncher is a proof-of-concept Python script that utilizes the Frida framework for binary instrumentation and API hooking, enabling users to conduct malware analysis.","archived":false,"fork":false,"pushed_at":"2023-02-24T03:08:54.000Z","size":733,"stargazers_count":34,"open_issues_count":0,"forks_count":3,"subscribers_count":2,"default_branch":"main","last_synced_at":"2023-08-12T17:07:45.018Z","etag":null,"topics":["binary-instrumentation","malware-analysis","reverse-engineering"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fr0gger.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-02-19T07:53:24.000Z","updated_at":"2023-08-12T17:07:46.698Z","dependencies_parsed_at":"2023-08-12T17:18:33.673Z","dependency_job_id":null,"html_url":"https://github.com/fr0gger/MalwareMuncher","commit_stats":null,"previous_names":["fr0gger/malwaremuncher"],"tags_count":null,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fr0gger%2FMalwareMuncher","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fr0gger%2FMalwareMuncher/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fr0gger%2FMalwareMuncher/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fr0gger%2FMalwareMuncher
/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fr0gger","download_url":"https://codeload.github.com/fr0gger/MalwareMuncher/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225320344,"owners_count":17455949,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["binary-instrumentation","malware-analysis","reverse-engineering"],"created_at":"2024-11-19T08:34:47.970Z","updated_at":"2024-11-19T08:34:48.532Z","avatar_url":"https://github.com/fr0gger.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Malware Muncher\n\nMalware Muncher is a Python proof-of-concept script that uses the Frida framework for binary instrumentation and API hooking. It intercepts API calls commonly used by malware, so that an analyst can observe the sample's behaviour at runtime and identify potential threats. Optionally, the script can send the collected output to GPT to enrich the analysis with more detailed insights into the malware's activities and candidate MITRE ATT\u0026CK techniques. This tool was demonstrated at the [Malware \u0026 Reverse Engineering conference in Melbourne](https://speakerdeck.com/fr0gger/binary-instrumentation-for-malware-analysis).\n\n*Note: Malware Muncher is a proof-of-concept tool and may contain bugs or limitations. Additionally, the script executes the sample it instruments, so it is intended for use only in a controlled environment such as an isolated virtual machine. 
Use at your own risk.*\n\n![Malmun](mamun3.gif)\n\n## Installation\n\nThe script needs the \"jsscripts\" folder next to it: it contains the Frida scripts that are injected into the target process to perform the binary instrumentation and API hooking.\n\n```bash\ngit clone https://github.com/fr0gger/MalwareMuncher.git\npip install -r requirement.txt\n```\n\n## Usage\n\n```\npython .\\malwaremuncher.py -h\nusage: malwaremuncher.py [-h] [-f FILE] [-d] [-g] [-m] [-r] [-i] [-c] [-w] [-a] [-o]\n\nMalwareMuncher version 1.0 by Thomas Roccia\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -f FILE, --file FILE  File to process\n  -d, --dump            Dump file from the memory\n  -g, --getproc         Deobfuscate API calls\n  -m, --mutex           Extract mutex\n  -r, --registry        Shows registry modification\n  -i, --internet        Shows remote connection\n  -c, --fileactivity    Shows file creation and more\n  -w, --wscript         Hook wscript.exe for js script\n  -a, --allscripts      Run all hooking functions\n  -o, --openai          Request GPT for enrichment\n```\n```none\npython .\\malwaremuncher.py --dump --file beacon2.exe\n[+] .\\malwaremuncher.py v1.0 by @fr0gger_\n[+] Running process: beacon2.exe\n[!] 
Hit CTRL+C at the end of the analysis to trigger GPT or terminate the script\n[+] VirtualProtect called: 0x3050000, size: 208896 and protection: 0x20\n           0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF\n03050000  4d 5a e8 00 00 00 00 5b 89 df 52 45 55 89 e5 81  MZ.....[..REU...\n03050010  c3 50 81 00 00 ff d3 68 f0 b5 a2 56 68 04 00 00  .P.....h...Vh...\n03050020  00 57 ff d0 00 00 00 00 00 00 00 00 00 00 00 00  .W..............\n03050030  00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00  ................\n03050040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68  ........!..L.!Th\n03050050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f  is program canno\n03050060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20  t be run in DOS\n03050070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00  mode....$.......\n03050080  af c6 3b f4 eb a7 55 a7 eb a7 55 a7 eb a7 55 a7  ..;...U...U...U.\n03050090  56 e8 c3 a7 ea a7 55 a7 f5 f5 d1 a7 c3 a7 55 a7  V.....U.......U.\n030500a0  f5 f5 c0 a7 ff a7 55 a7 f5 f5 d6 a7 69 a7 55 a7  ......U.....i.U.\n030500b0  cc 61 2e a7 e0 a7 55 a7 eb a7 54 a7 31 a7 55 a7  .a....U...T.1.U.\n030500c0  f5 f5 dc a7 27 a7 55 a7 f5 f5 c7 a7 ea a7 55 a7  ....'.U.......U.\n030500d0  f5 f5 c4 a7 ea a7 55 a7 52 69 63 68 eb a7 55 a7  ......U.Rich..U.\n030500e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n030500f0  00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00  ........PE..L...\n[+] MZ header at address: 0x3050000\n[+] Dumped executable: 0x3050000dumped.exe\n{'type': 'send', 'payload': {'api_call': 'VirtualProtect called: 0x3050000, size: 208896 and protection: 0x20', 'mz_header': 'MZ', 'dumped_exe': '0x3050000dumped.exe'}}\n\n###########################################################################\npython .\\malwaremuncher.py --registry --file demo.exe\n[+] .\\malwaremuncher.py v1.0 by @fr0gger_\n[+] Running process: demo.exe\n[!] 
Hit CTRL+C at the end of the analysis to trigger GPT or terminate the script\n{'type': 'send', 'payload': {'hook': 'RegCreateKey', 'regkey': 'HKEY_CURRENT_USER\\\\Software\\\\MRE', 'handle': 720}}\n\n###########################################################################\npython .\\malwaremuncher.py --wscript --file demo.vbs\n[+] .\\malwaremuncher.py v1.0 by @fr0gger_\n[+] Running process: demo.vbs\nMicrosoft (R) Windows Script Host Version 5.812\nCopyright (C) Microsoft Corporation. All rights reserved.\n\n{'type': 'send', 'payload': {'name': 'instr', 'hookdata': {'hook': 'shell', 'nshow': 'SW_HIDE', 'cmd': 'C:\\\\Users\\\\rever\\\\AppData\\\\Local\\\\Temp\\\\rad045FA.tmp\\\\REIIVDoCWfI.exe', 'params': None}}}\n\n###########################################################################\npython .\\malwaremuncher.py --mutex --file beacon2.exe\n[+] .\\malwaremuncher.py v1.0 by @fr0gger_\n[+] Running process: beacon2.exe\n[!] Hit CTRL+C at the end of the analysis to trigger GPT or terminate the script\n{'type': 'send', 'payload': {'hook': 'CreateMutex', 'mutex': 'Local\\\\SM0:7292:168:WilStaging_02'}}\n\n```\n## Acknowledgements\n\n* [Frida.re](https://frida.re/)\n* [Frida Wshook](https://github.com/OALabs/frida-wshook)\n* [Hawkeye](https://github.com/n1ght-w0lf/HawkEye)\n* [BlackBerry write-up: malware analysis with dynamic binary instrumentation frameworks](https://blogs.blackberry.com/en/2021/04/malware-analysis-with-dynamic-binary-instrumentation-frameworks)\n\n## License\n\n[Apache 2.0](https://github.com/fr0gger/MalwareMuncher/blob/main/LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffr0gger%2Fmalwaremuncher","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffr0gger%2Fmalwaremuncher","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffr0gger%2Fmalwaremuncher/lists"}
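The `--dump` run in the README above shows the core of the technique: hook VirtualProtect, check whether the region being made executable starts with a PE image, and ship it out of the process. The script below is an added example written for this page, not code from the MalwareMuncher repository. The Frida API calls it relies on (`Process.getModuleByName`, `Module.getExportByName`, `Interceptor.attach`, `NativePointer.readByteArray`, `send`) and the `kernel32.dll`/`VirtualProtect` export name are taken from the Frida documentation and are assumptions about the target environment; the 256 sample bytes are transcribed from the hexdump in the README, and the file name `hook.js` is hypothetical.

```javascript
// Added example (not MalwareMuncher's own code): the validation a VirtualProtect
// hook should run before dumping a region as a PE file. The parsing is plain
// JavaScript so it runs under Node; the Frida-specific block at the bottom only
// executes when the script is loaded by Frida (Interceptor is defined there).

// Protection flags passed to VirtualProtect: the high nibble of the low byte
// covers PAGE_EXECUTE (0x10) .. PAGE_EXECUTE_WRITECOPY (0x80).
function isExecutableProtect(protect) {
  return (protect & 0xf0) !== 0;
}

const MACHINE_NAMES = { 0x014c: 'i386', 0x8664: 'amd64', 0x01c4: 'armnt', 0xaa64: 'arm64' };

// Parse the DOS header and the start of the NT headers from the first bytes of
// a region. Returns null when there is no 'MZ', and { isPe: false } when 'MZ'
// is there but e_lfanew does not lead to a 'PE\0\0' signature inside the bytes
// we have. Every read is bounds-checked because the hook may only be able to
// read part of the page, and "MZ" alone is far too weak a trigger for a dump.
function parsePeHeader(bytes) {
  if (bytes.length < 0x40) return null;                    // need the full DOS header
  if (bytes[0] !== 0x4d || bytes[1] !== 0x5a) return null; // 'MZ'
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const eLfanew = view.getUint32(0x3c, true);
  // Need Signature (4) + Machine (2) + NumberOfSections (2) after e_lfanew.
  if (eLfanew < 0x40 || eLfanew + 8 > bytes.length) {
    return { isPe: false, eLfanew, reason: 'e_lfanew out of range' };
  }
  if (view.getUint32(eLfanew, true) !== 0x00004550) {      // 'PE\0\0' little-endian
    return { isPe: false, eLfanew, reason: 'no PE signature' };
  }
  const machine = view.getUint16(eLfanew + 4, true);
  const numberOfSections = view.getUint16(eLfanew + 6, true);
  return { isPe: true, eLfanew, machine, machineName: MACHINE_NAMES[machine] || 'unknown', numberOfSections };
}

function hexToBytes(hex) {
  const clean = hex.replace(/[^0-9a-fA-F]/g, '');
  const out = new Uint8Array(clean.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(clean.substr(i * 2, 2), 16);
  return out;
}

// Sample input: the 256 bytes printed by the README's --dump run (region at
// 0x3050000), transcribed from that hexdump without the address column.
const SAMPLE_PAGE = hexToBytes(`
  4d 5a e8 00 00 00 00 5b 89 df 52 45 55 89 e5 81
  c3 50 81 00 00 ff d3 68 f0 b5 a2 56 68 04 00 00
  00 57 ff d0 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00
  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
  af c6 3b f4 eb a7 55 a7 eb a7 55 a7 eb a7 55 a7
  56 e8 c3 a7 ea a7 55 a7 f5 f5 d1 a7 c3 a7 55 a7
  f5 f5 c0 a7 ff a7 55 a7 f5 f5 d6 a7 69 a7 55 a7
  cc 61 2e a7 e0 a7 55 a7 eb a7 54 a7 31 a7 55 a7
  f5 f5 dc a7 27 a7 55 a7 f5 f5 c7 a7 ea a7 55 a7
  f5 f5 c4 a7 ea a7 55 a7 52 69 63 68 eb a7 55 a7
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00
`);

// Frida side. Assumed API: Process/Interceptor/NativePointer/send per the Frida
// docs; only runs inside a Frida session attached to a Windows process.
if (typeof Interceptor !== 'undefined') {
  const virtualProtect = Process.getModuleByName('kernel32.dll').getExportByName('VirtualProtect');
  Interceptor.attach(virtualProtect, {
    onEnter(args) {
      const addr = args[0];
      const size = args[1].toUInt32();        // SIZE_T truncated to 32 bits; fine for dump-sized regions
      const newProtect = args[2].toUInt32();
      if (!isExecutableProtect(newProtect)) return;   // only regions being made executable
      let head;
      try {
        head = new Uint8Array(addr.readByteArray(Math.min(size, 0x100)));
      } catch (e) {
        return;                                       // region not readable at this point
      }
      const pe = parsePeHeader(head);
      if (pe === null || !pe.isPe) return;
      // Ship the metadata plus the whole region; the Python host writes the dump to disk.
      send({ hook: 'VirtualProtect', address: addr.toString(), size, protect: newProtect, pe },
           addr.readByteArray(size));
    },
  });
}
```

Run under Node (`node hook.js`) only the parsing executes, which is how the header checks can be tested offline; under `frida -l hook.js -f sample.exe` the hook is installed and each executable region that validates as a PE is sent to the host. The e_lfanew and signature checks matter because VirtualProtect also fires for heap, stack and JIT regions, and dumping on the two bytes `MZ` alone produces false positives. The read happens on entry, before the protection change, so a region that is still PAGE_NOACCESS at that point is skipped rather than crashing the target.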