
Malzilla

Well, after a long time in development (a couple of months), I've decided to speak publicly about my new tool.

Malzilla is a tool for malware hunters. It contains a downloader/HTML browser, a JavaScript interpreter based on Mozilla SpiderMonkey, some decoders for various types of encoded data (used on web sites), etc., all in order to find the download link to the malicious file.

Here is Part 1 of the introduction to Malzilla.

ClassAndInterfaceToNames Converter

This small IDAPython script scans an idb file for class and interface UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, hence this little helper. It personally helped me a lot while reversing several pieces of malware using the COM interface, e.g. for browser or Outlook manipulation, BITS file transfer or dumping the Protected Storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt + classes.txt + ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA.

Just watch the howto movie for usage.

Download it here.
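What the script above does inside an IDA database can be shown outside IDA as well. The following is an added example, not the poster's script: it scans a raw bytes object for known COM class/interface GUIDs and reports the offset and symbolic name of each hit, which is the matching step the IDAPython script performs before defining the struct and renaming it. The GUID table is a constructed three-entry subset standing in for the post's interfaces.txt/classes.txt; the values for IUnknown, IClassFactory and IDispatch are the standard Windows SDK definitions. The part worth noticing is the byte layout: Data1/Data2/Data3 are stored little-endian and Data4 as-is, which is what `uuid.UUID.bytes_le` produces.

```python
"""Scan a byte blob for known COM class/interface GUIDs and name the hits.

Added example (not the post's IDAPython script). The table below is a
constructed subset; the real script reads interfaces.txt and classes.txt.
"""
import uuid

# Constructed lookup table: textual GUID -> symbolic name (assumption standing
# in for the post's text files). These three values are the standard SDK ones.
KNOWN_GUIDS = {
    "00000000-0000-0000-c000-000000000046": "IID_IUnknown",
    "00000001-0000-0000-c000-000000000046": "IID_IClassFactory",
    "00020400-0000-0000-c000-000000000046": "IID_IDispatch",
}


def guid_to_memory_bytes(text):
    """Return the 16-byte in-memory form of a GUID.

    Windows stores Data1 (u32), Data2 (u16), Data3 (u16) little-endian and
    Data4 (8 bytes) unchanged; uuid.UUID.bytes_le yields exactly that layout,
    so a textual GUID cannot simply be hex-decoded and searched for.
    """
    return uuid.UUID(text).bytes_le


def build_pattern_table(known):
    """Map the in-memory byte pattern of each known GUID to its name."""
    return {guid_to_memory_bytes(text): name for text, name in known.items()}


def scan_for_guids(blob, known=KNOWN_GUIDS):
    """Return a sorted list of (offset, name, guid_text) for every match.

    A plain substring search over the blob; inside IDA the script would then
    create a GUID structure at each offset and apply the name.
    """
    patterns = build_pattern_table(known)
    hits = []
    for pattern, name in patterns.items():
        start = 0
        while True:
            idx = blob.find(pattern, start)
            if idx < 0:
                break
            hits.append((idx, name, str(uuid.UUID(bytes_le=pattern))))
            start = idx + 1
    return sorted(hits)


def sample_blob():
    """Constructed sample: padding, IID_IUnknown, more padding, IID_IDispatch."""
    return (b"\x90" * 8
            + guid_to_memory_bytes("00000000-0000-0000-C000-000000000046")
            + b"\x00" * 5
            + guid_to_memory_bytes("00020400-0000-0000-C000-000000000046"))


def main():
    for offset, name, text in scan_for_guids(sample_blob()):
        print(f"0x{offset:04x}  {name}  {{{text}}}")


if __name__ == "__main__":
    main()
```

Note that a 16-byte GUID can also appear split across instructions (pushed as four immediates) rather than as a contiguous data item; this scan only finds the contiguous form.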

Malware searching tool


Hello all!

I'm looking for a tool that might automate the use of Google in malware searching. Does anyone have something like this, or know where to look for it?
In general, I would very much welcome any "professional" advice on this subject.

thanks!

Phydra : PE module investigation tool


Hi folks,
Here is a Python tool for Windows PE investigators that I've just released.
Phydra uses the pefile module from E.Carrera.

I hope it's going to be useful.
Enjoy!
Anoirel

Download it here.

Desperately need an assembly code assembler!!!

I really need an assembler! So if anyone could post a link to any (clean) TASM or MASM, or any disassemblers, it would be very much appreciated!

zealot.

MFC42 Ordinal to Function Names Converter for IDA

While analysing a new BZUP variant, I came across a situation in which IDA in some cases fails to recognize the right MFC42 names, thus just showing something like this:

call MFC42_6648

So I've coded a small IDAPython script which fixes this problem.

Find it here.

Hope it's useful for others as well.

NSRL database queries


I have constructed an NSRL (http://www.nsrl.nist.gov/) query page at

http://ionrift.ath.cx/nsrl/

It is loaded with the current release, 2.15, which may be of some use, especially if you don't happen to have the RDS dataset to hand.

There is also an xml-rpc interface to this, but I think that it would be impractical to use it for querying multiple files in quick succession.

Lastly, the server will not see continuous uptime; it is more of a test / ad-hoc tool.
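For readers who do have the RDS to hand, the following added example (not the query page or its XML-RPC code) shows what such a lookup does locally: it indexes rows in the layout of the RDS NSRLFile.txt (quoted CSV with SHA-1, MD5, CRC32, FileName, FileSize, ProductCode, OpSystemCode, SpecialCode columns) and classifies a file's bytes as known or unknown. The RDS fragment is constructed here from sample contents, so the hashes are self-consistent but are not real NSRL entries.

```python
"""Classify files against a locally held NSRL RDS hash set.

Added example, not the post's query page. The RDS rows are constructed
from sample bytes; only the column layout follows the real NSRLFile.txt.
"""
import csv
import hashlib
import io
import zlib

RDS_COLUMNS = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
               "ProductCode", "OpSystemCode", "SpecialCode"]

# Constructed sample files (names/contents are assumptions for the example).
SAMPLE_FILES = [
    ("NOTEPAD.EXE", b"constructed notepad bytes", "1234", "189", ""),
    ("KERNEL32.DLL", b"constructed kernel32 bytes", "1234", "189", ""),
]


def build_sample_rds(files=SAMPLE_FILES):
    """Produce text in NSRLFile.txt layout for the constructed sample files."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(RDS_COLUMNS)
    for name, data, product, os_code, special in files:
        writer.writerow([
            hashlib.sha1(data).hexdigest().upper(),
            hashlib.md5(data).hexdigest().upper(),
            f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
            name, len(data), product, os_code, special,
        ])
    return buf.getvalue()


def load_rds(text):
    """Index RDS rows by SHA-1 and by MD5 (upper-case hex as in the RDS)."""
    by_sha1, by_md5 = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        entry = {"name": row["FileName"], "size": int(row["FileSize"]),
                 "product": row["ProductCode"], "os": row["OpSystemCode"]}
        by_sha1.setdefault(row["SHA-1"].upper(), []).append(entry)
        by_md5.setdefault(row["MD5"].upper(), []).append(entry)
    return by_sha1, by_md5


def classify(data, index):
    """Return (verdict, matching_entries).

    SHA-1 is consulted first; an MD5-only hit is reported separately because
    MD5 collisions are practical and the weaker match deserves a second look.
    """
    by_sha1, by_md5 = index
    sha1 = hashlib.sha1(data).hexdigest().upper()
    if sha1 in by_sha1:
        return "known", by_sha1[sha1]
    md5 = hashlib.md5(data).hexdigest().upper()
    if md5 in by_md5:
        return "known-md5-only", by_md5[md5]
    return "unknown", []


def triage(samples, index):
    """Split a list of (label, bytes) into those worth analysing and those already catalogued."""
    report = {}
    for label, data in samples:
        verdict, entries = classify(data, index)
        report[label] = (verdict, [e["name"] for e in entries])
    return report


def main():
    index = load_rds(build_sample_rds())
    suspects = [("drop1.bin", b"constructed notepad bytes"),
                ("drop2.bin", b"never seen before")]
    for label, (verdict, names) in triage(suspects, index).items():
        print(f"{label}: {verdict} {names}")


if __name__ == "__main__":
    main()
```

A hit means "known to NIST", not "benign": the RDS catalogues software that has been published, and a few of its ProductCodes are hacking or dual-use tools, so treat the set as a filter that removes noise rather than as a whitelist.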

IDAAPIHelp 0.3


IDAAPIHelp is a small IDAPython script that saves time when searching for API information while, e.g., analyzing malware with IDA Pro. It looks at the cursor position for a valid API call and, if one is found, tries to show you the relevant API info from the provided help file.

http://www.reconstructer.org/code/IDAAPIHelp%20v0.3.zip

Ripper

I'm dealing with a large number of files every day (guess which kind of files), and the major part are different kinds of installers (Wise, Inno Setup, NSIS...).
Some of them can be unpacked using specialized tools. The problem is that none of those tools have been updated recently, or they do not support all the versions of the installer they claim to unpack.
Over time, a collection of installers that I could not unpack was growing on my HDD.

Yesterday I got an idea :)
Someone here may remember the old DOS days. There was a program named Ripper (the latest version I had was 2.91) that could rip multimedia files from games.

PEFile: A Portable Executable Parser for Python


Ero Carrera created an excellent portable executable parser for Python called PEFile. We've taken his file and run it across our entire malware collection for use in a future version of our malware analyzer. Attached is a collection of all the bug fixes we've made. If anyone has any comments on the modifications, I would very much appreciate hearing them.

Read the full article for all the bugs that have been fixed.
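Both this post and the Phydra post above rely on parsing PE headers, and the fixes described here are the kind a malware corpus forces on any parser: fields that point outside the file. The following is an added example, not pefile or Phydra code: a minimal PE header walker using only `struct` that reads the DOS header, the PE signature, the COFF file header, the optional-header magic and the section table, and raises a typed error on malformed input instead of dying with `struct.error` or `IndexError`. The PE image it parses is constructed in memory (one `.text` section and an optional header reduced to its magic word, which a real file would not have).

```python
"""Minimal PE header walker with bounds checks for hostile input.

Added example (not pefile/Phydra). The sample PE is constructed in memory.
"""
import struct

SECTION_ENTRY_SIZE = 40
COFF_HEADER_SIZE = 20


class PEFormatError(ValueError):
    """Raised instead of letting struct.error/IndexError escape on bad files."""


def _u16(data, off):
    if off + 2 > len(data):
        raise PEFormatError(f"truncated at 0x{off:x}")
    return struct.unpack_from("<H", data, off)[0]


def _u32(data, off):
    if off + 4 > len(data):
        raise PEFormatError(f"truncated at 0x{off:x}")
    return struct.unpack_from("<I", data, off)[0]


def parse_pe(data):
    """Return a dict with COFF fields, PE32/PE32+ type and the section table."""
    if data[:2] != b"MZ":
        raise PEFormatError("no MZ signature")
    e_lfanew = _u32(data, 0x3C)
    # Malware commonly sets e_lfanew past EOF; check before touching the headers.
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        raise PEFormatError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("no PE signature")
    coff = e_lfanew + 4
    (machine, nsects, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + COFF_HEADER_SIZE
    magic = _u16(data, opt) if opt_size >= 2 else 0
    sect_tbl = opt + opt_size
    sections = []
    for i in range(nsects):
        off = sect_tbl + i * SECTION_ENTRY_SIZE
        if off + SECTION_ENTRY_SIZE > len(data):
            raise PEFormatError(f"section table entry {i} truncated")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sect_chars = _u32(data, off + 36)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": rawsize, "raw_ptr": rawptr,
            "characteristics": sect_chars,
            # Flag sections whose raw data would be read past EOF.
            "raw_in_bounds": rawptr + rawsize <= len(data),
        })
    return {
        "machine": machine, "timestamp": timestamp,
        "characteristics": characteristics,
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"unknown(0x{magic:x})"),
        "sections": sections,
    }


def check(data):
    """Return None if the file parses, else the error message (handy for batch runs)."""
    try:
        parse_pe(data)
        return None
    except PEFormatError as exc:
        return str(exc)


def build_sample_pe():
    """Constructed PE32 image: DOS stub, COFF header, magic-only optional header, one .text section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 2  # magic only; a real PE32 optional header is 0xE0 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x5A5A5A5A, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B)
    sect_off = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size
    raw_ptr = sect_off + SECTION_ENTRY_SIZE
    sect = (struct.pack("<8sIIII", b".text", 0x100, 0x1000, 8, raw_ptr)
            + struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020))
    return dos + b"PE\0\0" + coff + opt + sect + b"\xCC" * 8


def build_bad_e_lfanew_pe():
    """Same image with e_lfanew pointing far past EOF (a common corpus artefact)."""
    good = build_sample_pe()
    return good[:0x3C] + struct.pack("<I", 0x7FFFFFFF) + good[0x40:]


def main():
    pe = parse_pe(build_sample_pe())
    print(f"machine=0x{pe['machine']:x} type={pe['pe_type']} sections={len(pe['sections'])}")
    for s in pe["sections"]:
        print(f"  {s['name']:8} va=0x{s['virtual_address']:x} raw@0x{s['raw_ptr']:x} ok={s['raw_in_bounds']}")
    print("bad sample:", check(build_bad_e_lfanew_pe()))


if __name__ == "__main__":
    main()
```

The `raw_in_bounds` flag is the cheap version of what a full parser must do for every file-offset field (data directories, import thunks, resource trees): validate against the file size before reading, since samples that crash the parser are exactly the ones an analyst most needs to see.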
