Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/TeamT5/MalCfgParser

A Lightweight Malware Configuration Parsing Tool
https://github.com/TeamT5/MalCfgParser

Last synced: 3 months ago
JSON representation

A Lightweight Malware Configuration Parsing Tool

Host: GitHub
URL: https://github.com/TeamT5/MalCfgParser
Owner: TeamT5
Created: 2019-10-29T14:43:50.000Z (about 5 years ago)
Default Branch: master
Last Pushed: 2019-11-06T07:53:19.000Z (about 5 years ago)
Last Synced: 2024-06-18T06:33:50.878Z (5 months ago)
Language: Python
Size: 113 KB
Stars: 15
Watchers: 7
Forks: 2
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-starz - TeamT5/MalCfgParser - A Lightweight Malware Configuration Parsing Tool (Python)

README

        # MalCfgParser

![](https://github.com/teamt5/malcfgparser/raw/master/logo.png)

MalCfgParser is a malware configuration parser that:

- Brute-forcely parses memory -- No need to decode and specify the configuration size!

- Accepts the PID or use process dump files

- Easy to implement your parser by adding yara and malware configuration structs

## Requirements

### Local machine

- VMWare

- python3

- yara-python

> For Windows, the installers are put under `requirements`

### Remote machine: Windows7 on VMware

- python (Any version is OK)

## Configuration

In default.cfg, set up:

```

vmrun=

vmx=

vm_user=

vm_password=

work_folder=

dump_files_folder=

```

## Usage

### Parse by PID in running machine

```

> python3 main.py 

```

Example: 

```

> python3 main.py 6264

[+] work_folder C:\MalCfgParser was already in VM

[+] memdumper.py is transmitted to VM

[+] Memory dump 6264 is OK in VM

[+] Memory dump files from VM are retreived

[+] Detect: phantomivy

password: Ib@1ie

cnc0_type: 0

cnc0_port: 80

cnc0_host: 5.189.173.32

cnc1_type: 0

cnc1_port: 8081

cnc1_host: 5.189.173.32

mutex: C^Xe3(@Yx

```

### Parse by memory dump file

```

> python3 main.py 

```

Example:

```

> python3 main.py test/malware/plugx_0x2d58/memdump/iexplore.exe_0x300000-0x2a000.bin

[+] Detect: plugx_0x724

flag: 1000

installname: Microsoft Malware ProtectionoYS

cnc0_proto: TCP

cnc0_port: 80

cnc0_host: update.olk4.com

cnc1_proto: TCP

cnc1_port: 8080

cnc1_host: update.olk4.com

cnc2_proto: TCP

cnc2_port: 80

cnc2_host: www.olk4.com

cnc3_proto: TCP

cnc3_port: 8080

cnc3_host: www.olk4.com

```

## Add Your Malware Configuration Parser

- Add yara signature for the malware to `yara.txt`

- Use Kaitai (https://ide.kaitai.io) to parse the configuration

- Generate the python file for structure parsing by `kaitai-struct-compiler --target python .ksy`

- Move `.py` to `/structs`

- Add `.py`  to `/parsers`

### Design of Parser

```

class MalParser(MalParserBase):

	def __init__(self):

		super().__init__()

		self.cfg_structs = 

		self.magic = 

		self.cfg_start_offset = 

		self.cfg_size = 

		self.json_key = 


	def make_json(self):

	   # (Required) Implement the parse result shown in json format 

	   pass

	def validate(self):

	   # (Required) To validate the parse result is correct or not

	   pass

	   

	def decode(self):

	   # (Optional) Additional decode on the configuration block

	   pase

```