Repository contents:

- Dump_Labeled_Api_Structure.exe: https://raw.githubusercontent.com/AGDCservices/Misc-Malware-Analysis-Tools/bf96ac4f618a8d0b1c2772443c48942336b1d53d/Dump_Labeled_Api_Structure.exe
- Dump_Labeled_Iat_Memory.exe: https://raw.githubusercontent.com/AGDCservices/Misc-Malware-Analysis-Tools/bf96ac4f618a8d0b1c2772443c48942336b1d53d/Dump_Labeled_Iat_Memory.exe
- README.md

# Misc-Malware-Analysis-Tools

This repo contains the following miscellaneous tools to aid in your malware analysis.

## Dump_Labeled_Iat_Memory.exe

This command line tool will assist in reverse engineering malware which dynamically resolves imports and stores them in global variables. It will read a target module from a running process and dump out a file that contains the RVA and API name for all the resolved APIs found in the module. The output is specifically made to be used with an associated Ghidra script, "Label_Dynamically_Resolved_Iat_Entries.py", in the "Ghidra Scripts" repo on the AGDC Services GitHub page.

To use the tool, run the malware until all of the APIs are resolved. Then execute this tool in an elevated cmd prompt to dump out the labeled IAT. That output file can be read in by the "Label_Dynamically_Resolved_Iat_Entries.py" Ghidra script to transfer the resolved API names to a clean Ghidra database so that static analysis can be performed.

    usage: Dump_Labeled_Iat_Memory.exe targetPID targetModuleBaseName outputFileName
        targetPID: decimal PID of process to dump resolved IAT from
        targetModuleBaseName: module base name inside target process to search
        outputFileName: file name to store labeled IAT to

For a video demonstration of this tool, view the video "Automate Labeling Of Obfuscated APIs In Malware" on the AGDC Services YouTube channel, https://youtu.be/wYiPEDV9IAw

## Dump_Labeled_Api_Structure.exe

This tool will assist in reverse engineering malware which dynamically resolves imports and stores them in a structure on the heap or stack. It will scan a given memory range from a running process and dump out a C header file for either a structure or enum that contains all of the resolved APIs in the memory range. The output can then be read in by standard disassemblers such as Ghidra or IDA Pro so that the API enum / structure can be applied to the dynamically resolved APIs to allow static analysis to be completed.

To use the tool, run the malware until all of the APIs are resolved. Then, execute this tool in an elevated cmd prompt to dump out the labeled API structure. Use your disassembler's built-in capability to parse a C header file, and then apply the resulting API structure to label all structure offsets with the resolved API names.

    usage: Dump_Labeled_Api_Structure.exe targetPID startAddress endAddress outputType outputFileName
        targetPID: decimal PID of process to dump API structure from memory
        startAddress: hex address where API structure starts
        endAddress: hex address where API structure ends
        outputType: [-s | -e] to output either a structure or enum header file
        outputFileName: file name to store the created header file to

For a video demonstration of this tool, view the video "Automate Labeling Of Obfuscated APIs In Malware" on the AGDC Services YouTube channel, https://youtu.be/wYiPEDV9IAw
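Both tools above rest on the same idea: once the malware has finished resolving its imports, the memory holding them is just an array of pointer-sized slots, and any slot whose value equals the address of a known export can be labeled with that export's name. The example below, which is added here and is not the project's code, walks that algorithm over a constructed memory image instead of a live process (the real tools read process memory; this one takes a byte string and a made-up address-to-export map, so it runs offline). It emits the two output shapes the README describes: RVA/API-name rows for a module's global variables, and a C struct or enum header for a heap/stack structure. All addresses, the region base and the export names are constructed sample values.

```python
"""Label dynamically resolved API pointers found in a memory image (added example)."""
import struct
from typing import Dict, List, Tuple

# Constructed stand-in for "which export lives at which address" in the target
# process. A real tool builds this map by enumerating loaded modules and walking
# each module's export table; the addresses here are invented.
EXPORTS: Dict[int, str] = {
    0x7FF800011230: "kernel32.dll!VirtualAlloc",
    0x7FF800011300: "kernel32.dll!CreateFileW",
    0x7FF800024560: "wininet.dll!InternetOpenA",
}

# Constructed heap region as the malware might leave it after resolution:
# slot 0 = VirtualAlloc, slot 1 = still NULL, slot 2 = InternetOpenA, slot 3 = junk.
REGION_BASE = 0x000001E4A2B40000
REGION = struct.pack("<4Q", 0x7FF800011230, 0, 0x7FF800024560, 0xDEADBEEF)


def scan_resolved_pointers(mem: bytes, exports: Dict[int, str],
                           ptr_size: int = 8) -> List[Tuple[int, str]]:
    """Return (offset, api_name) for every aligned slot whose value is a known export address."""
    fmt = "<Q" if ptr_size == 8 else "<I"
    hits = []
    for off in range(0, len(mem) - ptr_size + 1, ptr_size):
        value = struct.unpack_from(fmt, mem, off)[0]
        name = exports.get(value)
        if name is not None:          # zero, garbage and unresolved slots are skipped
            hits.append((off, name))
    return hits


def _ident(api: str) -> str:
    """Turn 'module.dll!Api' into a C identifier the header parser will accept."""
    return "".join(c if c.isalnum() else "_" for c in api)


def labeled_iat(hits: List[Tuple[int, str]], region_base: int, module_base: int) -> List[str]:
    """'RVA,ApiName' rows: the offset inside the module that the Ghidra script would apply to a clean database."""
    return [f"0x{region_base + off - module_base:X},{name}" for off, name in hits]


def c_struct_header(hits: List[Tuple[int, str]], mem: bytes,
                    ptr_size: int = 8, name: str = "ApiStruct") -> str:
    """C struct with one pointer member per slot; unresolved slots get a placeholder member."""
    resolved = dict(hits)
    lines = [f"struct {name} {{"]
    for off in range(0, len(mem) - ptr_size + 1, ptr_size):
        member = _ident(resolved[off]) if off in resolved else f"unk_{off:X}"
        lines.append(f"    void* {member};  // offset 0x{off:X}")
    lines.append("};")
    return "\n".join(lines)


def c_enum_header(hits: List[Tuple[int, str]], name: str = "ApiEnum") -> str:
    """C enum mapping each resolved API name to its structure offset."""
    lines = [f"enum {name} {{"]
    lines += [f"    {_ident(api)} = 0x{off:X}," for off, api in hits]
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    found = scan_resolved_pointers(REGION, EXPORTS)
    # Pretend the region is a global-variable block 0x1000 bytes into a module.
    print("\n".join(labeled_iat(found, REGION_BASE, REGION_BASE - 0x1000)))
    print(c_struct_header(found, REGION))
    print(c_enum_header(found))
```

The scan deliberately requires an exact match against an export address: a pointer that lands inside a function body (a hooked or trampolined import) would not be labeled, which is the same limitation an analyst hits when the malware stores anything other than the raw `GetProcAddress` result.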