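#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# darkc0de crew -- est. 2007 -- forum.darkc0de.com
#
# Greetz to all Darkc0de, AI, ICW members
# Shoutz to r45c4l, j4ckh4x0r, silic0n, smith, baltazar, d3hydr8, lowlz, Eberly,
# Sumit, zerocode, dalsim, 7
#
# The application can be used to perform the initial malware analysis phase
# (static triage).  Download the PE module from http://code.google.com/p/pefile/
# or the PE-structure step will not work.  Some of the deeper analysis relies on
# objdump and is therefore only performed on Linux (and macOS) hosts.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
"""Static malware triage helper (analyse_malware.py).

Reads a suspect PE file and reports strings that hint at its behaviour
(interesting API names, registry hives, IRC-style commands, shell tools) and,
where ``objdump`` is available, its import table, start address and section
headers.  The sample is only ever read as data and handed to ``objdump`` /
``pefile`` as a path; nothing from it is executed.

Usage::

    ./analyse_malware.py [Malware File]             complete analysis
    ./analyse_malware.py [Malware File] --Ascii     ASCII dump (objdump -s)
    ./analyse_malware.py [Malware File] --Dll       DLLs loaded
    ./analyse_malware.py [Malware File] --Header    PE section headers
"""
from __future__ import print_function

import os
import re
import string  # kept: present in the original import line
import subprocess
import sys

# pefile/peutils are optional third-party modules; the original imported them
# inside checkconfig(), which left them out of module scope so that
# get_pe_signature() always failed with a NameError hidden by a bare except.
try:
    import pefile
    import peutils
except ImportError:
    pefile = None
    peutils = None

try:  # Python 2
    _input = raw_input
except NameError:  # Python 3
    _input = input

# Path of a peutils-compatible signature database (e.g. a PEiD-style
# userdb.txt).  The original referenced this name without ever defining it;
# it stays None until the user points it at a database, in which case
# getSignatureForPe() runs the signature match.
PE_SIGNATURE_PATH = None

# Regular expressions searched against every line of the sample.  Plain API
# names match literally; the long pattern is a dotted-quad IPv4 address.
# NOTE(review): "NtasdfCreateFile" looks like a mistyped pattern -- verify.
INTERESTING_CALLS = [
    "CreateMutex", "CopyFile", "CreateFile.*WRITE", "NtasdfCreateFile",
    "call shell32", "advapi32.RegOpenKey", "KERNEL32.CreateProcess", "shdocvw",
    "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons",
    "advapi32.RegCreate", "advapi32.RegSet", "http://", "Socket",
    r"^([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\."
    r"([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])",
    "OutputDebugString", "GetEnvironmentStrings", "LoadLibraryA", "WSASocketA",
    "GetProcAddress", "FindWindow", "CreateProcess", "DuplicateTokenEx",
    "ImpersonateNamedPipeClient", "RevertToSelf", "signal", "IsDebuggerPresent",
]
# DLL names looked for on non-Linux hosts (case-sensitive, as in the original).
INTERESTING_CALLS_DLLS = [
    "KERNEL32.DLL", "advapi32.dll", "comctl32.dll", "gdi32.dll", "ole32.dll",
    "oleaut32.dll", "user32.dll", "wsock32.dll", "ntdll.dll",
]
# Literal substrings (not regexes): the original searched "ping.exe" as a
# regex, so the unescaped dot matched any character.
INTERESTING_SYS_CALLS = ["ping.exe", "telnet.exe"]
# Literal substrings.  "autorum.inf" in the original is taken to be a typo
# for the autorun.inf file name.
REGISTRY_CALLS = ["HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE", "autorun.inf"]
# IRC command words.  Several entries ("Port", "Login", "INFO", "WHO", "MODE",
# "LIST") are common in benign binaries too, so a hit here is a weak signal.
ONLINE_WORK = [
    "IRC", "Joined channel", "Port", "BOT", "Login", "flood", "ddos", "NICK",
    "ECHO", "PRIVMSG", "ADMIN", "AWAY", "CONNECT", "KICK", "LIST", "MODE",
    "MOTD", "PING", "PONG", "QUIT", "SERVLIST", "SERVICE", "NAMES", "JOIN",
    "INVITE", "INFO", "TRACE", "USERHOST", "WHO", "WHOIS", "VERSION",
]

# Path of the sample under analysis and its content as text lines; both are
# set by main().  Every analysis function also accepts them as parameters so
# it can be exercised without the command-line entry point.
malware = None
hosts = []


def _is_unix_like():
    """Return True on the platforms where the objdump-based steps are run."""
    return sys.platform.startswith("linux") or sys.platform in ("linux-i386", "darwin")


def _sample(path):
    """Resolve *path*, falling back to the module-level sample path."""
    resolved = malware if path is None else path
    if resolved is None:
        raise ValueError("no sample path given and main() has not set one")
    return resolved


def _lines(lines):
    """Resolve *lines*, falling back to the module-level sample content."""
    return hosts if lines is None else lines


def _clear_screen():
    """Clear the terminal with the platform's command, if one is known."""
    if _is_unix_like():
        os.system("clear")
    elif sys.platform == "win32" or sys.platform == "dos" or sys.platform[0:5] == "ms-dos":
        os.system("cls")
    # The original ran os.system('unknown') on other platforms; skip instead.


def _banner():
    """Print the program banner."""
    print("\n|---------------------------------------------------------------|")
    for text in ("beenudel1986[@]gmail[dot]com",
                 "Malware Analyzer(Static) 1.3",
                 "06/2009 analyse_malware.py",
                 "Do Visit www.BeenuArora.com"):
        print("| %-61s |" % text)
    print("|---------------------------------------------------------------|\n")


def load_sample(path):
    """Return the content of *path* as a list of text lines (newline kept).

    The file is opened in binary mode and each line decoded as latin-1, which
    maps every byte to exactly one code point: the regex scans see the same
    content a Python 2 text read would have, without decode errors on
    arbitrary binary.  Raises IOError/OSError when the file cannot be read.
    """
    with open(path, "rb") as fh:
        return [line.decode("latin-1") for line in fh.readlines()]


def _objdump(flag, path=None):
    """Run ``objdump <flag> <path>`` and return its stdout as a list of lines.

    The sample path is passed as its own argv element with no shell, so a
    file name containing spaces or shell metacharacters can neither break the
    command nor inject into it -- the original concatenated the name into a
    shell string and redirected into scratch files in the working directory
    that it removed afterwards with ``rm``.  Prints a notice and returns []
    when objdump is missing or exits non-zero.
    """
    target = _sample(path)
    try:
        out = subprocess.check_output(["objdump", flag, target])
    except (OSError, subprocess.CalledProcessError) as err:
        print("\n[!] objdump could not be run: %s" % (err,))
        return []
    return out.decode("latin-1").splitlines()


def checkconfig():
    """Exit with a download hint when the pefile/peutils modules are missing."""
    if pefile is None or peutils is None:
        print("\n[!] PE Module Missing.")
        print("\n[!] Download PE Module from [ http://code.google.com/p/pefile/ ]")
        sys.exit(0)


def start_analysis_system_calls(lines=None):
    """Print each INTERESTING_CALLS pattern found in *lines* once.

    Returns the list of matched patterns in first-seen order.
    """
    performed = []
    for line in _lines(lines):
        for calls in INTERESTING_CALLS:
            if calls not in performed and re.search(calls, line):
                print("[+] Found an Interesting call to: ", calls)
                performed.append(calls)
    return performed


def start_analysis_registry(lines=None):
    """Print every registry hive name from REGISTRY_CALLS found in *lines*.

    A hive name only shows that the string is present in the sample; the
    message wording ("is Adding a Key") is kept from the original.  Returns
    the matched names, one per (line, name) hit.
    """
    found = []
    for line in _lines(lines):
        for calls in REGISTRY_CALLS:
            if calls in line:
                print("[+] Malware is Adding a Key at Hive: ", calls)
                print(line)
                found.append(calls)
    return found


def calls_to_dlls(lines=None, path=None):
    """Report the DLLs the sample loads.

    On Linux/macOS the import data comes from ``objdump -x`` (lines containing
    "DLL"); elsewhere *lines* are scanned for INTERESTING_CALLS_DLLS.  Returns
    the reported lines or DLL names.
    """
    if _is_unix_like():
        print("\n Since Host OS is Linux. Peforming Deeper Analysis\n")
        dll_lines = [line for line in _objdump("-x", path) if "DLL" in line]
        print("\n [+] Dlls Loaded are:\n")
        for line in dll_lines:
            print(line)
        return dll_lines
    found = []
    for line in _lines(lines):
        for calls in INTERESTING_CALLS_DLLS:
            if re.search(calls, line):
                print("\n[+] Loaded Dll: ", calls)
                found.append(calls)
    return found


def _print_objdump_lines(flag, needle, path=None):
    """Print (and return) the ``objdump <flag>`` lines containing *needle*."""
    selected = [line for line in _objdump(flag, path) if needle is None or needle in line]
    for line in selected:
        print(line)
    return selected


def find_import_table(path=None):
    """Print the "import table" lines of ``objdump -x``."""
    return _print_objdump_lines("-x", "import table", path)


def start_address(path=None):
    """Print the "start address" line of ``objdump -x``."""
    return _print_objdump_lines("-x", "start address", path)


def header_info(path=None):
    """Print the section headers (``objdump -h``)."""
    return _print_objdump_lines("-h", None, path)


def calls_to_syscommand(lines=None):
    """Print shell tools from INTERESTING_SYS_CALLS named in *lines*.

    Returns the matched names, one per (line, name) hit.
    """
    found = []
    for line in _lines(lines):
        for calls in INTERESTING_SYS_CALLS:
            if calls in line:
                print("\n[+] Call Made: ", calls)
                print("\n\n[!] It Can be Part of DDOS Network.\n")
                found.append(calls)
    return found


def start_analysis_online(lines=None):
    """Print each ONLINE_WORK (IRC) keyword found in *lines* once.

    Returns the matched keywords in first-seen order.
    """
    performed = []
    for line in _lines(lines):
        for calls in ONLINE_WORK:
            if calls not in performed and re.search(calls, line):
                print("[+] Malware Seems to be IRC BOT: Verified By String :", calls)
                performed.append(calls)
    return performed


def getSignatureForPe(pe):
    """Return peutils signature matches for *pe*, or None when unavailable.

    Signature matching needs peutils and PE_SIGNATURE_PATH; a failure while
    loading or matching the database is reported and treated as "no match".
    """
    if peutils is None or PE_SIGNATURE_PATH is None:
        return None
    try:
        signatures = peutils.SignatureDatabase(PE_SIGNATURE_PATH)
        return signatures.match_all(pe)
    except Exception as err:  # a broken signature DB must not abort the run
        print("\n[!] Signature lookup failed: %s" % (err,))
        return None


def get_pe_signature(path=None):
    """Parse the sample with pefile, print its structure and signature hits.

    The original computed the signature matches but never printed them.
    Parse errors are reported rather than hidden: malformed headers are the
    norm in malware samples and the message tells the analyst why the step
    produced nothing.
    """
    if pefile is None:
        print("\n\n[!] Download PE Package from google code.\n")
        print("\n[!]Exiting.\n")
        return
    try:
        pe = pefile.PE(_sample(path))
    except Exception as err:  # pefile raises PEFormatError and friends
        print("\n[!] Could not parse PE structure: %s" % (err,))
        return
    print(pe.dump_info())
    matches = getSignatureForPe(pe)
    if matches:
        print("\n[+] Signature matches:")
        for match in matches:
            print(" ", match)


def generate_dump(path=None):
    """Write ``objdump -s`` output to a file beside the script, echo it, exit.

    The output file is named after the sample's base name so that a sample
    given by directory path does not produce an unwritable file name (the
    original prefixed the whole path).  Waits for Enter, then exits.
    """
    target = _sample(path)
    filename = "ascii_dump_" + os.path.basename(target) + ".txt"
    dump = _objdump("-s", target)
    with open(filename, "w") as out:
        for line in dump:
            out.write(line + "\n")
    for line in dump:
        print(line)
    print("\n Check " + filename + " for the ASCII dump output")
    _input("\n Press to Exit.\n")
    sys.exit(0)


def checkPE(path=None):
    """Exit unless the sample starts with the "MZ" DOS header magic.

    This is a cheap sanity check only: "MZ" marks any DOS/Windows executable
    image, and the PE header itself is validated later by pefile.  Prints the
    size in KB (integer division by 1000, as in the original) and returns
    True on success.
    """
    target = _sample(path)
    print("\n Analysing if PE file...\n")
    with open(target, "rb") as check:
        buff = check.read(2)
    if buff != b"MZ":
        print("[!] Not a Valid PE File. Exiting.!\n")
        sys.exit(0)
    print("\n[+] Valid PE file.")
    print("\n[+] Malware File Size :", os.path.getsize(target) // 1000, "KB")
    return True


_MODE_HANDLERS = {
    "--ascii": generate_dump,
    "--dll": calls_to_dlls,
    "--header": header_info,
}


def checkargs(argv=None):
    """Run a single-step mode (--Ascii/--Dll/--Header) if one was requested.

    These modes need objdump and are refused on other platforms, matching the
    original.  Returns normally when no mode flag is present.
    """
    argv = sys.argv if argv is None else argv
    for arg in argv[1:]:
        mode = arg.lower()
        if mode not in _MODE_HANDLERS:
            continue
        if not _is_unix_like():
            print("\n This Analysis is Applicable on Linux OS only")
            sys.exit(0)
        checkPE()
        _MODE_HANDLERS[mode]()
        sys.exit(0)


def apps_start():
    """Run the complete analysis on the module-level sample."""
    checkconfig()
    checkPE()
    checkargs()
    print("\n[!] Displaying Interesting System Calls Made.\n")
    start_analysis_system_calls()
    if _is_unix_like():
        print("\n[+] Displaying Address of Import Table\n")
        find_import_table()
        print("\n[+] Displaying the Start Address\n")
        start_address()
        print("\n[+] Displaying the Header Sections and File Format")
        header_info()
    print("\n[!] Displaying Registry Hives Edited.\n")
    start_analysis_registry()
    print("\n\n[!] Displaying A Little Online Behaviour.\n")
    start_analysis_online()
    print("\n\n[!] Displaying the Loaded DLLs.\n")
    calls_to_dlls()
    print("\n\n[!] Commands Inside the Malware.\n")
    calls_to_syscommand()
    print("\n\n[!] Displaying the Headers of the Malware.\n")
    get_pe_signature()


def main(argv=None):
    """Command-line entry point: banner, argument handling, then apps_start().

    Sets the module-level ``malware`` and ``hosts`` used by the analysis
    functions.  In the original all of this ran at import time.
    """
    global malware, hosts
    argv = sys.argv if argv is None else argv
    _clear_screen()
    _banner()
    if len(argv) < 2:
        print("\n Usage: ./analyse_malware.py [Malware File]\n")
        print("\t\t Example: ./analyse_malware.py malware.exe\n")
        print("\tFor Help: ./analyse_malware.py --help\n")
        sys.exit(0)
    if "--help" in argv:
        print(" To Perform Complete Analysis: Usage: ./analyse_malware.py [Malware FIle]\n ")
        print(" To Generate ASCII Dump: Usage: ./analyse_malware.py [Malware File] --Ascii\n")
        print(" To View Dlls Loaded: Usage: ./analyse_malware.py [Malware File] --Dll\n")
        print(" To View the PE Areas: Usage: ./analyse_mwlare.py [Malware File] --Header\n")
        print("\n\t Example: ./analyse_malware.py malware.exe --Dll\n")
        sys.exit(0)
    malware = argv[1]
    try:
        hosts = load_sample(malware)
    except (IOError, OSError):
        print(" \n\n[!]Malware Missing .Exiting.\n")
        sys.exit(0)
    apps_start()


if __name__ == "__main__":
    main()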