Hook Analyser

Sunday, May 12, 2013

Hook Analyser 2.5 Released

Friends - Here is the latest version of Hook Analyser project.

Updates -

Hook Analyser can now perform XOR bruteforce on "encoded/obfuscated" executables.
Deep search improved (new signatures added).
Bug fixes.

Download link - Click Here

For the project summary, please feel free to browse here

Saturday, March 2, 2013

Hook Analyser 2.4 Released

Friends,

I'm quite excited to announce that the Hook Analyser v2.4 is finally out. There has been quite a lot improvement in this release such as -

Hook Analyser can now analyse DLLs. (Part of the Static Malware Analysis Module)
The deep trace functionality has been improved significantly, and now it supports searching (and logging) for traces such as Shellcodes, Filenames, WinSockets, Compiler Traces etc.(Part of the Static Malware Analysis Module)
Exe extractor - This is one of the feature which is useful for incident handlers, essentially allows dumping of executables from process/s, which could then be analysed using Hook Analyser, Malware Analyser or other tools for anomalies check. (New module added)
The static malware analysis has been further improved, and new features have been added. I will let you explore this.(Part of the Static Malware Analysis Module)
Minor bug fixes.

Download Link - Click Here

Again, I am thankful to the wider community for being complimentary on this project, and perhaps the reason why this release has been expedited. As always, would appreciate your continual support, and please feel free to write me back on beenudel1986@gmail.com if you've any feedback or anything related to security.

To summarise this project -

This has now five (5) key functionalities -

Spawn and Hook to Application - This feature allows analyst to spawn an application, and hook into it. The module flow is as following -

PE validation
Static malware analysis.
Other options (such as pattern search or dump all)
Type of hooking (Automatic, Smart or manual)
Spawn and hook

Currently, there are three types of hooking being supported –

Automatic – The tool will parse the application import tables, and based upon that will hook into specified APIs
Manual – On this, the tool will ask end-user for each API, if it needs to be hooked.
Smart – This is essentially a subset of automatic hooking however, excludes uninteresting APIs.

2. Hook to a specific running process-The option allows analyst to hook to a running (active) process. The program flow is –

List all running process
Identify the running process executable path.
Perform static malware analysis on executable (fetched from process executable path)
Other options (such as pattern search or dump all)
Type of hooking (Automatic, Smart or manual)
Hook to a specific running process
Hook and continue the process

3. Static Malware Analysis - This module is one of the most interesting and useful module of Hook Analyser, which performs scanning on PE or Widows executables to identify potential malware traces. The sub-components have been mentioned below (and this is not the full list) -

PE file validation
CRC and timestamps validation
PE properties such as Image Base, Entry point, sections, subsystem
TLS entry detection.
Entry point verification (if falls in suspicious section)
Suspicious entry point detection
Packer detection
Signature trace (extended from malware analyser project), such as Anti VM aware, debug aware, keyboard hook aware etc. This particular function searches for more than 20 unique malware behaviours (using 100’s of signature).
Import intel scanning.
Deep search (module)
Online search of MD5 (of executable) on Threat Expert.
String dump (ASCII)
Executable file information
Hexdump
PEfile info dumping
...and more.

4. Application crash analysis - This module enables exploit researcher and/or application developer to analyse memory content when an application crashes.This module essentially displays data in different memory register (such as EIP).

Application crash analysis video demonstration – http://www.youtube.com/watch?v=msYo7pPsu6A

5. Exe extractor - This module essentially extracts executables from running process/s, which could then be further analysed using Hook Analyser , Malware Analyser or other solutions. This module is potentially useful for incident responders

Wednesday, February 27, 2013

Hook Analyser 2.4 - Preview

Folks,

Thought of sharing some of the updates on the Hook Analyser v2.4. The build is in-progress, and I'm targeting for first week of March, for the release.

The new version will support the following -

Dll Analysis - Now one could analyse DLL as well. This is part of static malware analysis module.
Exe extractor - This module allows dumping executable from an active process. This also has an option to dump all executables, on running processes. This is a new module, and is in testing phase.
Deep search module - The deep search module has been re-written, and can be used to search for filename, paths,compiler patterns, backdoor patterns,shellcode etc. This is part of static malware analysis module.

I will talk more about the modules, once I release it.

Till then, please continue using the v 2.3 here

Screenshot of the new version (Hook Analyser v2.4) -

Thursday, February 14, 2013

Hook Analyser 2.3 - Released

Folks,

Here is the new release of the Hook Analyser, v2.3.

Some of the updates/modules in the new release -

New digger module - Allows dumping exes, dlls, and drivers from an executable to separate files.
Packer detection module.
Hexdump module.

Features of the project are -

Spawn and Hook to Application - This feature allows analyst to spawn an application, and hook into it
Hook to a specific running process - The option allows analyst to hook to a running (active) process.
Perform quick static malware analysis - This module is one of the most interesting and useful module of Hook Analyser, which performs scanning on PE or Widows executable to identify potential malware traces.
Application crash analysis - This module enables exploit researcher and/or application developer to analyse memory content when an application crashes.

Project Download - Click Here

Project Paper Download - Click Here

Feel free to write me back (beenudel1986@gmail.com) if you've any feedback or thoughts.

Sunday, January 27, 2013

Hook Analyser 2.3 - Preview

Hi Folks,

Thought of sharing some of the updates I've been working on the new release of Hook Analyser 2.3.

The focus has been primarily on the malware analysis module.

Many thanks to Mila (Home) for reviewing and appreciating this tool.

Some of the updates/modules (and status) in the new release -

New digger module - Allows dumping exes, dlls, and drivers from an executable to separate files - Completed
Packer detection module - Completed
Hexdump module - Completed
Code Analysis - Disassemble an executable- In-testing
Bug fixes and minor improvements. In-progress
Batch analysis - To be started

Here are the screenshots -

In the mean time feel free to give a shot to Hook Analyser 2.2 - Click Here

Monday, December 24, 2012

Hook Analyser 2.2 - Release

Here is the latest version of the hook analyser for download.

Features of the project are -

Spawn and Hook to Application - This feature allows analyst to spawn an application, and hook into it
Hook to a specific running process - The option allows analyst to hook to a running (active) process.
Perform quick static malware analysis - This module is one of the most interesting and useful module of Hook Analyser, which performs scanning on PE or Widows executables to identify potential malware traces.
Application crash analysis - This module enables exploit researcher and/or application developer to analyse memory content when an application crashes.

Project Paper - Click Here

Change log -

The UI and modules of the project have been re-written. The interactive mode is more verbose.
The (static) malware analysis module has been enhanced.
Bug fixes and other improvements.

Screenshot -