Starting a small thread of malware analysis tools for those times when you NEED INDICATORS YESTERDAY, i.e. tools I have used that are easy to use and give good leads for further analysis with minimal effort.
First: GarbageMan for .NET binaries, from WithSecure Labs: https://labs.withsecure.com/tools/garbageman
This tool displays the values of objects and relationships between objects inside the .NET runtime’s managed heap memory. It can either work off a memory dump file, or snapshot a running process at regular intervals. It also captures stack traces and a list of loaded assemblies.
I have done all of the following with it:
Look at all System.Byte[] objects and grab those with values that have the PE headers at the beginning. There’s actually a built-in menu option for this (along with tons of other useful searches, such as just grabbing everything that looks remotely like a URL)
Look for “interesting” object types like HttpWebRequest or anything under System.Security.Cryptography, and look at the parents or children of those objects to either find plain text indicators, or to get an idea of how indicators are obfuscated / encrypted
Snapshot a process every 20ms, and look at the list of loaded assemblies in each snapshot to see if / when the binary starts delivering another payload assembly.
Use as a very rough tracing tool by snapshotting at regular intervals, and seeing how the stack trace changes for each snapshot.
Also it persists all of the values of parsed objects to a plain SQLite database
So you can just do arbitrary SQL queries on the results as well. I haven’t even begun exploring this yet.
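As an added illustration of the two ideas above (the "byte arrays that start with a PE header" search and running your own SQL over the persisted objects), here is a small Python triage script. It is not part of GarbageMan or the original thread: the table and column names (`objects`, `object_id`, `type_name`, `value`) are hypothetical, since the thread does not describe the database schema, and you would read the real one with `.schema` in the sqlite3 shell before adapting the query. The sample rows are constructed in memory so the script runs offline.

```python
import re
import sqlite3
import struct

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def build_sample_pe() -> bytes:
    """Constructed sample: a minimal, non-runnable blob that passes the PE header checks."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew + 4)
    header[0:2] = b"MZ"                                   # DOS magic
    header[0x3C:0x40] = struct.pack("<I", e_lfanew)       # e_lfanew -> PE signature
    header[e_lfanew:e_lfanew + 4] = b"PE\0\0"             # PE signature
    return bytes(header)


def looks_like_pe(blob: bytes) -> bool:
    """True when blob starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_urls(blob: bytes) -> list[str]:
    """Pull URL-looking strings out of a byte array, both ASCII and UTF-16LE (.NET strings)."""
    found = {m.group().decode("ascii", "replace") for m in URL_RE.finditer(blob)}
    # .NET strings are UTF-16LE; narrow them to ASCII and rescan.
    narrowed = blob.decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")
    found.update(m.group().decode("ascii") for m in URL_RE.finditer(narrowed))
    return sorted(found)


def load_byte_arrays(con: sqlite3.Connection) -> list[tuple[int, bytes]]:
    """ASSUMPTION: table/column names are hypothetical; check the real schema first."""
    rows = con.execute(
        "SELECT object_id, value FROM objects WHERE type_name = 'System.Byte[]'"
    ).fetchall()
    return [(oid, bytes(val)) for oid, val in rows]


def triage(byte_arrays: list[tuple[int, bytes]]) -> dict:
    """Return {object_id: {'pe': bool, 'urls': [...]}} for arrays worth a second look."""
    hits = {}
    for oid, blob in byte_arrays:
        pe = looks_like_pe(blob)
        urls = extract_urls(blob)
        if pe or urls:
            hits[oid] = {"pe": pe, "urls": urls}
    return hits


def demo() -> dict:
    """Build an in-memory database with the assumed schema and constructed rows, then triage it."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE objects (object_id INTEGER, type_name TEXT, value BLOB)")
    samples = [
        (1, "System.Byte[]", build_sample_pe()),                                    # embedded PE
        (2, "System.Byte[]", "http://example.invalid/stage2".encode("utf-16-le")),  # UTF-16 URL
        (3, "System.Byte[]", b"\x01\x02\x03\x04"),                                  # noise
        (4, "System.String", b"not a byte array"),                                  # filtered by type
    ]
    con.executemany("INSERT INTO objects VALUES (?, ?, ?)", samples)
    try:
        return triage(load_byte_arrays(con))
    finally:
        con.close()


if __name__ == "__main__":
    for oid, info in demo().items():
        print(oid, info)
```

Object 1 is flagged as a PE, object 2 yields the UTF-16 URL, and objects 3 and 4 are dropped. The PE check deliberately validates e_lfanew and the "PE\0\0" signature rather than stopping at "MZ", since two bytes alone produce false positives on random data.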
#malware #malwareanalysis #dotnet #csharp