I'm quite excited to announce that Hook Analyser v2.4 is finally out. There have been quite a lot of improvements in this release, such as -
- Hook Analyser can now analyse DLLs. (Part of the Static Malware Analysis Module)
- The deep trace functionality has been improved significantly; it now supports searching for (and logging) traces such as shellcodes, filenames, WinSock usage, compiler traces etc. (Part of the Static Malware Analysis Module)
- Exe extractor - A feature aimed at incident handlers: it dumps executables from one or more running processes, which can then be analysed with Hook Analyser, Malware Analyser or other tools for anomaly checks. (New module added)
- The static malware analysis has been further improved, and new features have been added. I will let you explore this. (Part of the Static Malware Analysis Module)
- Minor bug fixes.
Again, I am thankful to the wider community for being complimentary about this project, which is perhaps the reason why this release has been expedited. As always, I would appreciate your continued support, and please feel free to write to me at beenudel1986@gmail.com if you have any feedback or anything related to security.
To summarise, the project now has five (5) key functionalities -
- Spawn and Hook to Application - This feature allows the analyst to spawn an application and hook into it. The module flow is as follows -
  - PE validation
  - Static malware analysis
  - Other options (such as pattern search or dump all)
  - Type of hooking (Automatic, Smart or Manual)
    - Automatic – The tool parses the application's import table and, based on that, hooks the specified APIs.
    - Manual – The tool asks the end user, for each API, whether it should be hooked.
    - Smart – Essentially a subset of automatic hooking that excludes uninteresting APIs.
  - Spawn and hook
- Hook to a specific running process - The module flow is as follows -
  - List all running processes
  - Identify the running process's executable path
  - Perform static malware analysis on the executable (fetched from the process's executable path)
  - Other options (such as pattern search or dump all)
  - Type of hooking (Automatic, Smart or Manual)
  - Hook and continue the process
- Static malware analysis - The Static Malware Analysis Module runs on the executable in both flows above (and, as of this release, on DLLs). Its checks include -
  - PE file validation
  - CRC and timestamp validation
  - PE properties such as Image Base, Entry point, sections, subsystem
  - TLS entry detection
  - Entry point verification (whether it falls in a suspicious section)
  - Suspicious entry point detection
  - Packer detection
  - Signature trace (extended from the Malware Analyser project), such as anti-VM aware, debug aware, keyboard hook aware etc. This function searches for more than 20 unique malware behaviours (using hundreds of signatures).
  - Import intel scanning
  - Deep search (module)
  - Online search of the executable's MD5 on ThreatExpert
  - String dump (ASCII)
  - Executable file information
  - Hexdump
  - PEfile info dumping
  - ...and more.
- Exe extractor - Dumps executables from running processes so they can be analysed with the static module or other tools (new in this release).
- Application crash analysis – Video demonstration: http://www.youtube.com/watch?v=msYo7pPsu6A