Thursday, December 19, 2013

Hook Analyser 3.0 (with Cyber Threat Intelligence)

Friends,

Here is the new release of Hook Analyser project.


In terms of improvements, a new module has been added - Cyber Threat Intelligence. The Threat Intel module is being built to gather and analyse information related to cyber threats and vulnerabilities.

The module can be run using HookAnalyser.exe (via Option 6), or can be run directly.

The module presents the information in a web browser (in a dashboard-like layout) with the following sections -

  1. Threat Vectors - by (%) Country
  2. Threat Vectors - by Geography
  3. Malware Intelligence (Beta) 2013 (New! - added on 30/12/2013)
  4. Vulnerability / Threat Feed.

Project documentation - Click Here

Here is the screenshot of the [Updated - 30/12/2013] Cyber Threat Intelligence dashboard -

To download the project - Click Here

Update - 

  • 08/1/2014: Project development status/update
  • 30/12/2013: Fixed a defect in the ThreatIntel module. Added Malware Intelligence (Beta) into the dashboard.
  • 21/12/2013: Fixed a defect in the ThreatIntel module. Thanks to Darren Fitzpatrick for reporting it.


Wednesday, December 18, 2013

Preview - Hook Analyser 3.0

Mates,

This is probably one of the major releases after a few months. A lot of features have been added, with an additional "Major" feature update.

As I don't want to steal the thunder by myself, I will let you play with it once I release it :)

Friday, September 20, 2013

Hook Analyser 2.6 released

Mates,

I'm glad to announce release of the Hook Analyser v2.6.

Following is the change log -

  1. Added new signatures (and removed redundant ones)
  2. Bug fixes - many thanks to community users for reporting them.
  3. Fixed start-up error.

Download link - Click Here

Sunday, May 12, 2013

Hook Analyser 2.5 Released

Friends - Here is the latest version of Hook Analyser project.

Updates -

  1. Hook Analyser can now perform XOR bruteforce on "encoded/obfuscated" executables.
  2. Deep search improved (new signatures added).
  3. Bug fixes.
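To show what an XOR bruteforce over an encoded executable amounts to, here is an added Python example (my own code, not Hook Analyser's). It tries all 256 single-byte keys and scores each candidate by the PE markers it reveals (the MZ signature, a valid PE header at e_lfanew, the DOS stub text); a wrong key yields noise and scores zero. The fixture, `build_fixture`, and the function names are assumptions made for the example; the "binary" it encodes is only a constructed header, not a loadable file.

```python
# Single-byte XOR brute force against an "encoded" executable, as an added
# example (not Hook Analyser's own code). Each candidate key is scored by the
# PE markers it reveals, so a wrong key, which only produces noise, scores zero.
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def xor_bytes(buf, key):
    """XOR every byte of buf with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in buf)


def score_candidate(plain):
    """Count the PE markers visible in plain: MZ (1), a valid PE header (2), the DOS stub text (1)."""
    score = 0
    if plain[:2] == b"MZ":
        score += 1
        if len(plain) >= 0x40:
            e_lfanew = struct.unpack_from("<I", plain, 0x3C)[0]
            if plain[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                score += 2
    if DOS_STUB_TEXT in plain:
        score += 1
    return score


def xor_bruteforce(data, min_score=2):
    """Try all 256 keys; return (key, decoded_bytes) for the best-scoring key, or None if nothing scores."""
    best = None
    for key in range(256):
        plain = xor_bytes(data, key)
        score = score_candidate(plain)
        if score >= min_score and (best is None or score > best[0]):
            best = (score, key, plain)
    return None if best is None else (best[1], best[2])


def build_fixture(key):
    """Constructed sample: a PE-like header (not a loadable binary) XOR-encoded with key."""
    header = bytearray(b"MZ" + b"\0" * 62)
    header[0x3C:0x40] = struct.pack("<I", 0x80)  # e_lfanew -> PE signature at 0x80
    header += b"\0" * 14 + DOS_STUB_TEXT + b"\0"
    header = bytes(header).ljust(0x80, b"\0") + b"PE\0\0" + b"\0" * 20
    return xor_bytes(header, key)


if __name__ == "__main__":
    encoded = build_fixture(0x5A)
    key, plain = xor_bruteforce(encoded)
    print("recovered key 0x%02x, header starts with %r" % (key, plain[:2]))
```

Requiring a score of at least 2 means "MZ" alone is not enough; the candidate must also expose a PE header or the stub text, which keeps random two-byte coincidences from being reported as a key. A key of 0 simply means the input was never encoded, and an input with no recognisable PE structure under any key returns None rather than a guess.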

Download link - Click Here


For the project summary, please feel free to browse here

Saturday, March 2, 2013

Hook Analyser 2.4 Released

Friends,

I'm quite excited to announce that Hook Analyser v2.4 is finally out. There has been quite a lot of improvement in this release, such as -

  1. Hook Analyser can now analyse DLLs. (Part of the Static Malware Analysis Module)
  2. The deep trace functionality has been improved significantly, and now supports searching (and logging) for traces such as shellcode, filenames, WinSockets, compiler traces etc. (Part of the Static Malware Analysis Module)
  3. Exe extractor - This is one of the features useful for incident handlers; it essentially allows dumping executables from one or more processes, which can then be analysed with Hook Analyser, Malware Analyser or other tools for anomaly checks. (New module added)
  4. The static malware analysis has been further improved, and new features have been added. I will let you explore this. (Part of the Static Malware Analysis Module)
  5. Minor bug fixes.

Download Link - Click Here

Again, I am thankful to the wider community for being complimentary about this project, which is perhaps the reason this release has been expedited. As always, I would appreciate your continued support, and please feel free to write back to me at beenudel1986@gmail.com if you have any feedback or anything related to security.

To summarise this project -

This has now five (5) key functionalities -

  1. Spawn and Hook to Application - This feature allows the analyst to spawn an application and hook into it. The module flow is as follows -
    1. PE validation
    2. Static malware analysis
    3. Other options (such as pattern search or dump all)
    4. Type of hooking (Automatic, Smart or Manual)
    5. Spawn and hook
    Currently, three types of hooking are supported -
    • Automatic - The tool parses the application's import table and, based on that, hooks into the specified APIs.
    • Manual - The tool asks the end-user, for each API, whether it needs to be hooked.
    • Smart - This is essentially a subset of automatic hooking; however, it excludes uninteresting APIs.
  2. Hook to a specific running process - This option allows the analyst to hook to a running (active) process. The program flow is -
    1. List all running processes
    2. Identify the running process's executable path
    3. Perform static malware analysis on the executable (fetched from the process executable path)
    4. Other options (such as pattern search or dump all)
    5. Type of hooking (Automatic, Smart or Manual)
    6. Hook to the specific running process
    7. Hook and continue the process
  3. Static Malware Analysis - This module is one of the most interesting and useful modules of Hook Analyser; it scans PE (Windows) executables to identify potential malware traces. The sub-components are listed below (and this is not the full list) -
    1. PE file validation
    2. CRC and timestamp validation
    3. PE properties such as Image Base, Entry Point, sections, subsystem
    4. TLS entry detection
    5. Entry point verification (whether it falls in a suspicious section)
    6. Suspicious entry point detection
    7. Packer detection
    8. Signature trace (extended from the Malware Analyser project), such as anti-VM aware, debug aware, keyboard hook aware etc. This function searches for more than 20 unique malware behaviours (using hundreds of signatures).
    9. Import intel scanning
    10. Deep search (module)
        Online search of the executable's MD5 on Threat Expert.
    11. String dump (ASCII)
    12. Executable file information
    13. Hexdump
    14. PEfile info dumping
    15. ...and more.
  4. Application crash analysis - This module enables exploit researchers and/or application developers to analyse memory content when an application crashes. It essentially displays the data held in the different registers (such as EIP).
    • Application crash analysis video demonstration - http://www.youtube.com/watch?v=msYo7pPsu6A
  5. Exe extractor - This module essentially extracts executables from one or more running processes, which can then be further analysed using Hook Analyser, Malware Analyser or other solutions. This module is potentially useful for incident responders.
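Several of the static malware analysis sub-components listed above (PE file validation, CRC and timestamp validation, TLS entry detection, entry point verification and packer detection) come down to reading the PE headers and applying sanity rules. The Python below is an added example of my own, not Hook Analyser's code, and uses only the standard library rather than the pefile module the tool relies on. It handles PE32 headers only, flags an entry point that lies outside every section, in a non-executable section, in a writable-and-executable section or in a section with a packer-style name, measures per-section entropy as a packing hint, and reports a zero checksum, a zero or future timestamp and the presence of a TLS directory. The builder `build_sample_pe`, the two fixtures, the packer name list and the finding codes are all constructed for this example; the fixtures are not loadable binaries.

```python
# Header-level static checks of the kind the module above performs: PE validation,
# checksum/timestamp sanity, TLS entry detection, entry point verification and packer
# hints. Stdlib only; the PE32 fixtures are constructed in memory, not loadable.
from collections import Counter
import math
import struct
import time

TLS_DIRECTORY_INDEX = 9  # data directory slot that holds the TLS table
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # bits per byte; packed or encrypted sections usually sit above this
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".petite", ".vmp0", ".vmp1"}  # short, constructed list

def shannon_entropy(buf):
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def analyse_pe(data, now=None):
    """Parse a PE32 image; the returned 'findings' dict maps a finding code to a message."""
    findings, now = {}, (int(time.time()) if now is None else now)
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    tls_rva = 0
    if struct.unpack_from("<I", data, opt + 92)[0] > TLS_DIRECTORY_INDEX:  # NumberOfRvaAndSizes
        tls_rva = struct.unpack_from("<I", data, opt + 96 + 8 * TLS_DIRECTORY_INDEX)[0]
    if checksum == 0:  # CRC and timestamp validation
        findings["CHECKSUM_ZERO"] = "CheckSum field is zero"
    if timestamp == 0:
        findings["TIMESTAMP_ZERO"] = "TimeDateStamp is zero (possibly wiped)"
    elif timestamp > now:
        findings["TIMESTAMP_FUTURE"] = "TimeDateStamp lies in the future"
    if tls_rva:  # TLS entry detection: TLS callbacks run before the entry point does
        findings["TLS_DIRECTORY"] = "TLS directory present at RVA 0x%x" % tls_rva
    entry_section, sec_off = None, opt + opt_size
    for i in range(nsections):  # locate the entry point, check permissions and name, measure entropy
        raw_name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        ent = shannon_entropy(data[rawptr:rawptr + rawsize])
        if ent > HIGH_ENTROPY:
            findings["HIGH_ENTROPY:" + name] = "section %s has entropy %.2f" % (name, ent)
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = name
            if not flags & IMAGE_SCN_MEM_EXECUTE:
                findings["EP_NOT_EXECUTABLE"] = "entry point section %s is not executable" % name
            elif flags & IMAGE_SCN_MEM_WRITE:
                findings["EP_WX_SECTION"] = "entry point section %s is writable and executable" % name
            if name in PACKER_SECTION_NAMES:
                findings["EP_PACKER_SECTION"] = "entry point lies in packer section %s" % name
    if entry_section is None:
        findings["EP_OUTSIDE_SECTIONS"] = "entry point RVA 0x%x is outside every section" % entry_rva
    return {"entry_rva": entry_rva, "entry_section": entry_section, "findings": findings}

def build_sample_pe(sections, entry_rva, tls_rva=0, timestamp=0x50000000, checksum=0x1234):
    """Assemble a minimal PE32 image from (name, rva, raw_bytes, characteristics) tuples."""
    align = 0x200
    hdr_len = (0x40 + 4 + 20 + 224 + 40 * len(sections) + align - 1) // align * align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew points at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, align)  # ImageBase, section/file alignment
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<H", opt, 68, 2)  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if tls_rva:
        struct.pack_into("<II", opt, 96 + 8 * TLS_DIRECTORY_INDEX, tls_rva, 0x18)
    sec_hdrs, blobs, raw_ptr = b"", b"", hdr_len
    for name, va, raw, flags in sections:
        raw_len = (len(raw) + align - 1) // align * align
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), va, raw_len, raw_ptr,
                                0, 0, 0, 0, flags)
        blobs += raw.ljust(raw_len, b"\0")
        raw_ptr += raw_len
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(hdr_len, b"\0") + blobs

# Constructed fixtures: a conventional layout next to a packer-like one (W+X "UPX1" section, TLS set).
CLEAN = build_sample_pe([(".text", 0x1000, b"\x55\x8b\xec\x90\xc3" * 100, IMAGE_SCN_MEM_EXECUTE)],
                        entry_rva=0x1000)
PACKED = build_sample_pe([("UPX1", 0x5000, bytes(range(256)) * 2, IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)],
                         entry_rva=0x5010, tls_rva=0x5100, timestamp=0x7FFFFFFF, checksum=0)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("packed", PACKED)):
        print(label, sorted(analyse_pe(image, now=1387411200)["findings"]))  # 19 Dec 2013
```

Each finding on its own is only a hint: a zero CheckSum is common in ordinary user-mode binaries, and a TLS directory is legitimate in many compiled programs. The value of the list is in the combination: an entry point inside a writable, executable, high-entropy section with a packer name, next to a wiped or future timestamp, is the shape a packed sample has, and is what the "suspicious entry point" and "packer detection" steps above are looking for. The `now` argument exists so the timestamp rule is reproducible in tests; leave it unset to compare against the current time.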

Wednesday, February 27, 2013

Hook Analyser 2.4 - Preview

Folks,

Thought of sharing some of the updates on Hook Analyser v2.4. The build is in progress, and I'm targeting the first week of March for the release.

The new version will support the following -

  1. DLL Analysis - Now one can analyse DLLs as well. This is part of the static malware analysis module.
  2. Exe extractor - This module allows dumping an executable from an active process. It also has an option to dump all executables from running processes. This is a new module, and is in the testing phase.
  3. Deep search module - The deep search module has been re-written, and can be used to search for filenames, paths, compiler patterns, backdoor patterns, shellcode etc. This is part of the static malware analysis module.

I will talk more about the modules once I release it.

Till then, please continue using v2.3 here


Screenshot of the new version (Hook Analyser v2.4) -

Thursday, February 14, 2013

Hook Analyser 2.3 - Released

Folks,

Here is the new release of the Hook Analyser, v2.3.

Some of the updates/modules in the new release -

  1. New digger module - Allows dumping exes, dlls, and drivers from an executable to separate files.
  2. Packer detection module.
  3. Hexdump module.


Features of the project are -

  1. Spawn and Hook to Application - This feature allows the analyst to spawn an application and hook into it.
  2. Hook to a specific running process - This option allows the analyst to hook to a running (active) process.
  3. Perform quick static malware analysis - This module is one of the most interesting and useful modules of Hook Analyser; it scans PE (Windows) executables to identify potential malware traces.
  4. Application crash analysis - This module enables exploit researchers and/or application developers to analyse memory content when an application crashes.


Project Download - Click Here

Project Paper Download - Click Here

Feel free to write me back (beenudel1986@gmail.com) if you've any feedback or thoughts.

Sunday, January 27, 2013

Hook Analyser 2.3 - Preview

Hi Folks,

Thought of sharing some of the updates I've been working on for the new release, Hook Analyser 2.3.

The focus has been primarily on the malware analysis module.

Many thanks to Mila (Home) for reviewing and appreciating this tool.

Some of the updates/modules (and status) in the new release -

  1. New digger module - Allows dumping exes, dlls, and drivers from an executable to separate files - Completed
  2. Packer detection module - Completed
  3. Hexdump module - Completed
  4. Code Analysis - Disassemble an executable - In testing
  5. Bug fixes and minor improvements - In progress
  6. Batch analysis - To be started

Here are the screenshots -

In the meantime, feel free to give Hook Analyser 2.2 a shot - Click Here