Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/TeamT5/MalCfgParser

A Lightweight Malware Configuration Parsing Tool

Last synced: about 1 month ago



README

# MalCfgParser

![](https://github.com/teamt5/malcfgparser/raw/master/logo.png)

MalCfgParser is a malware configuration parser that:

- Parses memory by brute force -- no need to decode or specify the configuration size first!
- Accepts a PID or process dump files as input
- Makes it easy to implement your own parser by adding a YARA rule and the malware configuration structs

## Requirements
### Local machine
- VMware
- python3
- yara-python
> For Windows, the installers are placed under `requirements`

### Remote machine: Windows 7 on VMware
- python (any version is OK)

## Configuration
In `default.cfg`, set the following keys:
```
vmrun=
vmx=
vm_user=
vm_password=
work_folder=
dump_files_folder=
```

## Usage
### Parse by PID in a running machine
```
> python3 main.py <PID>
```

Example:
```
> python3 main.py 6264
[+] work_folder C:\MalCfgParser was already in VM
[+] memdumper.py is transmitted to VM
[+] Memory dump 6264 is OK in VM
[+] Memory dump files from VM are retreived
[+] Detect: phantomivy
password: Ib@1ie
cnc0_type: 0
cnc0_port: 80
cnc0_host: 5.189.173.32
cnc1_type: 0
cnc1_port: 8081
cnc1_host: 5.189.173.32
mutex: C^Xe3(@Yx
```

### Parse by memory dump file
```
> python3 main.py <memory_dump_file>
```

Example:
```
> python3 main.py test/malware/plugx_0x2d58/memdump/iexplore.exe_0x300000-0x2a000.bin
[+] Detect: plugx_0x724
flag: 1000
installname: Microsoft Malware ProtectionoYS
cnc0_proto: TCP
cnc0_port: 80
cnc0_host: update.olk4.com
cnc1_proto: TCP
cnc1_port: 8080
cnc1_host: update.olk4.com
cnc2_proto: TCP
cnc2_port: 80
cnc2_host: www.olk4.com
cnc3_proto: TCP
cnc3_port: 8080
cnc3_host: www.olk4.com
```

## Add Your Malware Configuration Parser
- Add a YARA signature for the malware to `yara.txt`
- Use Kaitai Struct (https://ide.kaitai.io) to describe the configuration structure
- Generate the Python file for structure parsing by running `kaitai-struct-compiler --target python` on the `.ksy` file
- Move the generated `.py` file to `/structs`
- Add your parser `.py` file to `/parsers`

### Design of Parser
```python
class MalParser(MalParserBase):  # MalParserBase is provided by MalCfgParser
    def __init__(self):
        super().__init__()
        self.cfg_structs = []        # fill in: Kaitai-generated struct classes from /structs
        self.magic = b""             # fill in: byte pattern that locates the configuration block
        self.cfg_start_offset = 0    # fill in: offset at which the configuration block starts
        self.cfg_size = 0            # fill in: size of the configuration block
        self.json_key = ""           # fill in: key under which the result appears in the JSON output

    def make_json(self):
        # (Required) Implement the parse result shown in JSON format
        pass

    def validate(self):
        # (Required) Validate whether the parse result is correct
        pass

    def decode(self):
        # (Optional) Additional decode on the configuration block
        pass
```
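To show how the template above fits together with the brute-force scan described at the top of the README, here is an added, self-contained Python example; it is not MalCfgParser's code and does not use its `MalParserBase`. The `HypotheticalParser` class, the `CFG1` magic, the struct layout, the `c2.example.invalid` hostnames and the sample dump are all constructed for illustration, and a real parser would hand the block to its Kaitai-generated struct instead of `struct.unpack_from`.

```python
import re
import struct

# Constructed layout for a hypothetical family (not a real format): magic "CFG1", cnc_count (u8),
# then per C2 entry: type (u8), port (u16 LE), host (32 bytes, NUL padded)
MAGIC = b"CFG1"
C2_FMT = "<BH32s"
C2_SIZE = struct.calcsize(C2_FMT)

def build_sample_dump():
    # Constructed "memory dump": a decoy magic with junk behind it, then the real block
    cfg = MAGIC + bytes([2])
    for typ, port, host in ((0, 80, b"c2.example.invalid"), (0, 8081, b"c2.example.invalid")):
        cfg += struct.pack(C2_FMT, typ, port, host.ljust(32, b"\x00"))
    return b"\x90" * 100 + MAGIC + b"\xff" * 20 + b"\x00" * 60 + cfg + b"\x00" * 50

class HypotheticalParser:
    # Mirrors the README template fields: magic, cfg_start_offset, cfg_size, validate(), make_json()
    def __init__(self):
        self.magic = MAGIC
        self.cfg_start_offset = len(MAGIC)  # block starts right after the magic
        self.cfg_size = 1 + 8 * C2_SIZE      # upper bound only; the real count is read from the block
        self.json_key = "hypothetical"
        self.cfg = None
    def parse_block(self, block):  # a Kaitai-generated struct would replace this in MalCfgParser
        c2s = []
        for i in range(block[0]):
            typ, port, host = struct.unpack_from(C2_FMT, block, 1 + i * C2_SIZE)
            c2s.append({"type": typ, "port": port, "host": host.rstrip(b"\x00").decode("ascii")})
        return {"cnc": c2s}
    def validate(self):  # reject junk behind a decoy magic: C2 count, port range, hostname charset
        c2s = self.cfg["cnc"] if self.cfg else []
        return 0 < len(c2s) <= 8 and all(
            0 < c["port"] < 65536 and re.fullmatch(r"[A-Za-z0-9.-]{1,32}", c["host"]) for c in c2s)
    def scan(self, mem):  # brute force: try every magic hit, keep the first block that validates
        for m in re.finditer(re.escape(self.magic), mem):
            start = m.start() + self.cfg_start_offset
            try:
                self.cfg = self.parse_block(mem[start:start + self.cfg_size])
            except (struct.error, UnicodeDecodeError, IndexError):
                continue
            if self.validate():
                return True
        self.cfg = None
        return False
    def make_json(self):  # flat keys like the README's cnc0_host / cnc0_port output
        out = {}
        for i, c in enumerate(self.cfg["cnc"]):
            out[f"cnc{i}_type"], out[f"cnc{i}_port"], out[f"cnc{i}_host"] = c["type"], c["port"], c["host"]
        return {self.json_key: out}
```

The decoy magic in the sample dump is parsed first and rejected by `validate()`, which is what lets the scan run without knowing the block's offset or exact size in advance.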