Search: [malware] - code

mimikatz

start

log mimikatz.log

lsadump

cd {$path_hive}
log c:\lsadump.log
lsadump::sam /system:SYSTEM /sam:SAM
exit

bash · disk · forensic · hive · malware · trick

Wed Jun 8 15:51:05 2022 * · permalink

http://code.ambau.ovh/snippets/mimikatz.html

forensic - sqlite3

windows notifications

file=/vol6/Users/Angela/AppData/Local/Microsoft/Windows/Notifications/wpndatabase.db
sqlitebrowser ${file}

SELECT datetime((ArrivalTime/10000000)-11644473600, 'unixepoch') AS ArrivalTime,
datetime((ExpiryTime/10000000)-11644473600, 'unixepoch') AS ExpiryTime,
Type, HandlerId, Notification.Id, Payload, Tag, 'Group', 'Order', PrimaryId, HandlerType, WNFEventName, CreatedTime as HandlerCreatedTime, ModifiedTime as HandlerModifiedTime
FROM Notification LEFT JOIN NotificationHandler ON Notification.HandlerId = NotificationHandler.RecordId

bash · forensic · malware · trick

Mon May 30 12:27:13 2022 * · permalink

http://code.ambau.ovh/snippets/forensic-sqlite3.html

cmp

cmp [OPTION]... FILE1 [FILE2 [SKIP1 [SKIP2]]]

Compare two files byte by byte

Special

cmp $file1 $file2 # compare 2 binary files
cmp -l $file1 $file2 | wc -l # get number of diferrences

Usefull

-b, --print-bytes # print differing bytes
-n, --bytes=LIMIT # compare at most LIMIT bytes

All

-b, --print-bytes # print differing bytes
-i, --ignore-initial=SKIP # skip first SKIP bytes of both inputs
-i, --ignore-initial=SKIP1:SKIP2 # skip first SKIP1 bytes of FILE1 and first SKIP2 bytes of FILE2
-l, --verbose # output byte numbers and differing byte values
-n, --bytes=LIMIT # compare at most LIMIT bytes
-s, --quiet, --silent # suppress all normal output

bash · forensic · help · malware

Sat May 28 13:56:35 2022 * · permalink

http://code.ambau.ovh/snippets/cmp.html

forensic - disk

mount

info

file ${file} # show informations

fdisk -x ${file} # show informations

qemu-img info ${file} # show informations on virtual disk

guestfish --rw -a $file
run
list-filesystems

sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 ${file} -f qcow2
sudo fdisk /dev/nbd0 -l
sudo qemu-nbd -d /dev/nbd0

parted ${file}
print

losetup -a # show mounted devices in /dev/loopX

resize

qemu-img resize -f raw ${file} 20972568064 # resize disk to 20972568064 bytes (correct disk size)

parted ${file}
select # select disk (interactive menu)
resizepart # resize partition (interactive menu)

mount/umount

guestmount --add %f --mount /dev/sda1 /vms/data
guestunmount /vms/data

sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 ${file} -f qcow2
sudo fdisk /dev/nbd0 -l
sudo mount /dev/nbd0p1 /vms/data
sudo umount /vms/data
sudo qemu-nbd -d /dev/nbd0

sudo mount -o ro,loop,offset=$((1126400*512)) ${file} /mnt # mount disk partition with the partition offset
sudo mount -o ro,loop,offset=$((1126400*512)) ${file} /mnt # mount disk partition with the partition offset
sudo umount /mnt # umount disk

sudo losetup --find --show ${file} # mount disk in /dev/loopX and show /dev/loopX
sudo losetup --find --show --offset ${offset} ${file} # mount partition/disk with offset in /dev/loopX and show /dev/loopX
sudo losetup -d /dev/loopX # umount disk

bash · disk · forensic · malware · trick

Thu May 26 11:20:44 2022 * · permalink

http://code.ambau.ovh/snippets/forensic-disk.html

xxd

xxd [options] [infile [outfile]]

xxd -r [-s [-]offset] [-c cols] [-ps] [infile [outfile]]

ASCII, decimal, hexadecimal, octal dump

Special

xxd -p -c 10000 # export in hexa with 10000 octets by column
xxd -p -u -c 10000 # export in hexa with 10000 octets by column and in uppercase
xxd -s 0x200 -l 0x200 dump.vmdk| xxd -r # print readable content

Usefull

-s [+][-]seek # start at <seek> bytes abs. (or +: rel.) infile offset
-l len # stop after <len> octets
-r # reverse operation: convert (or patch) hexdump into binary
-r -s off # revert with <off> added to file positions found in hexdump
-u # use upper case hex letters

All

-a # toggle autoskip: A single '*' replaces nul-lines. Default off
-b # binary digit dump (incompatible with -ps,-i,-r). Default hex
-C # capitalize variable names in C include file style (-i)
-c cols # format <cols> octets per line. Default 16 (-i: 12, -ps: 30)
-E # show characters in EBCDIC. Default ASCII
-e # little-endian dump (incompatible with -ps,-i,-r)
-g bytes # number of octets per group in normal output. Default 2 (-e: 4)
-i # output in C include file style
-l len # stop after <len> octets
-o off # add <off> to the displayed file position
-ps # output in postscript plain hexdump style
-r # reverse operation: convert (or patch) hexdump into binary
-r -s off # revert with <off> added to file positions found in hexdump
-d # show offset in decimal instead of hex
-s [+][-]seek # start at <seek> bytes abs. (or +: rel.) infile offset
-u # use upper case hex letters

Install

sudo apt install bsdmainutils

bash · forensic · help · malware

Tue May 24 10:36:23 2022 * · permalink

http://code.ambau.ovh/snippets/xxd.html

pev tools

https://pev.sourceforge.io/doc/manual/en_us/ch06.html

ofs2rva

ofs2rva <offset> FILE

Convert raw file offset to RVA

Example

ofs2rva 0x1b9b8 calc.exe

pedis

pedis OPTIONS FILE

PE sections and functions (by default, until found a RET or LEAVE instruction)

--att # set AT&T syntax
-e, --entrypoint # disassemble entrypoint
-f, --format <text|csv|xml|html> change output format (default: text)
-m, --mode <16|32|64> # disassembly mode (default: auto)
-i, <number> # number of instructions to be disassembled
-n, <number> # number of bytes to be disassembled
-o, --offset <offset> # disassemble at specified file offset
-r, --rva <rva> # disassemble at specified RVA
-s, --section <section_name> # disassemble entire section given

pehash

pehash OPTIONS FILE

Calculate hashes of PE pieces

-f, --format <text|csv|xml|html> # change output format (default: text)
-a, --all # hash file, sections and headers with md5, sha1, sha256, ssdeep and imphash
-c, --content # hash only the file content (default)
-h, --header <dos|coff|optional> # hash only the header with the specified name
-s, --section <section_name> # hash only the section with the specified name
--section-index <section_index> # hash only the section at the specified index (1..n)

peres

peres OPTIONS FILE

Show information about resource section and extract it

-a, --all # Show all information, statistics and extract resources
-i, --info # Show resources information
-s, --statistics # Show resources statistics
-x, --extract # Extract resources
-v, --file-version # Show File Version from PE resource directory

pesec

pesec [OPTIONS] FILE

Check for security features in PE files

-f, --format <text|csv|xml|html> # change output format (default: text)
-c, --certoutform <text|pem> # specifies the certificate output format (default: text)
-o, --certout <filename> # specifies the output filename to write certificates to (default: stdout)

pescan

pescan OPTIONS FILE

Search for suspicious things in PE files

-f, --format <text|html|xml|csv|json>  # change output format (default: text)
-v, --verbose # show more info about items found

readpe

readpe OPTIONS FILE

Show PE file headers

-A, --all # full output (default)
-H, --all-headers # print all PE headers
-S, --all-sections # print all PE sections headers
-f, --format <text|csv|xml|html> change output format (default: text)
-d, --dirs # show data directories
-h, --header <dos|coff|optional> show specific header
-i, --imports # show imported functions
-e, --exports # show exported functions

rva2ofs

rva2ofs <rva> FILE

Convert RVA to raw file offset

Example

rva2ofs 0x12db cards.dll

Install

sudo apt install binwalk

bash · forensic · help · malware

Tue Apr 26 10:00:09 2022 * · permalink

http://code.ambau.ovh/snippets/pev.html

binwalk

binwalk [OPTIONS] [FILE1] [FILE2] ...

tool for searching binary images for embedded files and executable code

https://en.kali.tools/?p=1634

Special

binwalk $file # Get signatures (same as -B)
binwalk --hexdump --red $file1 $file2 # show only different lines
binwalk --raw $str $file # search string $str in file. use "\x00" for hexa character ("\x37" for 7)

binwalk --entropy $str $file # get entropy
binwalk --signature $str $file # search string $str in file. use "\x00" for hexa character ("\x37" for 7)
binwalk --extract $file && tree _${file}.extracted/ # extract files and show files in tree

Usefull

-W, --hexdump # Perform a hexdump / diff of a file or files
-i, --red # Only show lines containing bytes that are different among all files
-U, --blue # Only show lines containing bytes that are different among some files 

-e, --extract # Automatically extract known file types

-E, --entropy # Calculate file entropy

All

Signature Scan Options:                                                                              
-B, --signature # Scan target file(s) for common file signatures
-R, --raw=<str> # Scan target file(s) for the specified sequence of bytes
-A, --opcodes # Scan target file(s) for common executable opcode signatures
-m, --magic=<file> # Specify a custom magic file to use          
-b, --dumb # Disable smart signature keywords              
-I, --invalid # Show results marked as invalid                
-x, --exclude=<str> # Exclude results that match <str>
-y, --include=<str> # Only show results that match <str>

Extraction Options:
-e, --extract # Automatically extract known file types
-D, --dd=<type:ext:cmd> # Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
-M, --matryoshka # Recursively scan extracted files
-d, --depth=<int> # Limit matryoshka recursion depth (default: 8 levels deep)
-C, --directory=<str> # Extract files/folders to a custom directory (default: current working directory)
-j, --size=<int> # Limit the size of each extracted file
-n, --count=<int> # Limit the number of extracted files
-r, --rm # Delete carved files after extraction
-z, --carve # Carve data from files, but don't execute extraction utilities
-V, --subdirs # Extract into sub-directories named by the offset

Entropy Options:

-E, --entropy # Calculate file entropy
-F, --fast # Use faster, but less detailed, entropy analysis
-J, --save # Save plot as a PNG
-Q, --nlegend # Omit the legend from the entropy plot graph
-N, --nplot # Do not generate an entropy plot graph
-H, --high=<float> # Set the rising edge entropy trigger threshold (default: 0.95)
-L, --low=<float> # Set the falling edge entropy trigger threshold (default: 0.85)

Binary Diffing Options:

-W, --hexdump # Perform a hexdump / diff of a file or files
-G, --green # Only show lines containing bytes that are the same among all files
-i, --red # Only show lines containing bytes that are different among all files
-U, --blue # Only show lines containing bytes that are different among some files 
-u, --similar # Only display lines that are the same between all files
-w, --terse # Diff all files, but only display a hex dump of the first file

Raw Compression Options:

-X, --deflate # Scan for raw deflate compression streams
-Z, --lzma # Scan for raw LZMA compression streams
-P, --partial # Perform a superficial, but faster, scan
-S, --stop # Stop after the first result

General Options:

-l, --length=<int> # Number of bytes to scan
-o, --offset=<int> # Start scan at this file offset
-O, --base=<int> # Add a base address to all printed offsets
-K, --block=<int> # Set file block size
-g, --swap=<int> # Reverse every n bytes before scanning
-f, --log=<file> # Log results to file
-c, --csv # Log results to file in CSV format
-t, --term # Format output to fit the terminal window
-q, --quiet # Suppress output to stdout
-v, --verbose # Enable verbose output
-h, --help # Show help output
-a, --finclude=<str> # Only scan files whose names match this regex
-p, --fexclude=<str> # Do not scan files whose names match this regex
-s, --status=<int> # Enable the status server on the specified port

Install

sudo apt install binwalk

bash · forensic · help · malware

Tue Apr 26 06:26:09 2022 * · permalink

http://code.ambau.ovh/snippets/binwalk.html

balbuzard

balbuzard [options] <filename> [filename2 ...]

malware analysis tools to extract patterns of interest and crack obfuscation such as XOR

Special

balbuzard $file # resume all founds
balbuzard $file -v|grep ^---- -A2 # show all sections

Usefull

-c CSV, --csv=CSV # export results to a CSV file
-r # find files recursively in subdirectories.

All

-h, --help # show this help message and exit
-c CSV, --csv=CSV # export results to a CSV file
-v # verbose display, with hex view.
-r # find files recursively in subdirectories.
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD # if the file is a zip archive, open first file from it, using the provided password (requires Python 2.6+)
-f ZIP_FNAME, --zipfname=ZIP_FNAME # if the file is a zip archive, file(s) to be opened within the zip. Wildcards * and ? are supported. (default:*)

Install

pip2 install -U balbuzard

bbcrack

bbcrack [options] <filename>

uses a new algorithm based on patterns of interest to bruteforce typical malware obfuscation such as XOR, ROL, ADD and various combinations, in order to guess which algorithms/keys have been used

All

-l LEVEL, --level=LEVEL # select transforms with level 1, 2 or 3 and below
-i INCLEVEL, --inclevel=INCLEVEL # select transforms only with level 1, 2 or 3 (incremental)
-k KEEP, --keep=KEEP  number of transforms to keep after stage 1
-s SAVE, --save=SAVE  number of transforms to save to files after stage 2
-t TRANSFORM, --transform=TRANSFORM # only check specific transforms (comma separated list, or "-t list" to display all available transforms)
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD # if the file is a zip archive, open first file from it, using the provided password (requires Python 2.6+) 
-p # profiling: measure time spent on each pattern.

bbharvest

bbharvest [options] <filename>

extracts all patterns of interest found when applying typical malware obfuscation transforms such as XOR, ROL, ADD and various combinations, trying all possible keys. It is especially useful when several keys or several transforms are used in a single file

All

-l LEVEL, --level=LEVEL # select transforms level 1, 2 or 3
-i INCLEVEL, --inclevel=INCLEVEL # select transforms only with level 1, 2 or 3 (incremental)
-c CSV, --csv=CSV # export results to a CSV file
-t TRANSFORM, --transform=TRANSFORM # only check specific transforms (comma separated list, or "-t list" to display all available transforms)
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD # if the file is a zip archive, open first file from it, using the provided password (requires Python 2.6+) 
-p # profiling: measure time spent on each pattern.

bbharvest

bbtrans [options] <filename>

can apply any of the transforms from bbcrack (XOR, ROL, ADD and various combinations) to a file

All

-t TRANSFORM, --transform=TRANSFORM # transform to be applied (or "-t list" to display all available transforms)
-p PARAMS, --params=PARAMS # parameters for transform (comma separated list)
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD # if the file is a zip archive, open first file from it, using the provided password (requires Python 2.6+)

bash · forensic · help · malware

Mon Apr 25 20:56:33 2022 * · permalink

http://code.ambau.ovh/snippets/balbuzard.html

hexdump

hexdump [-bcCdovx] [-e format_string] [-f format_file] [-n length] [-s offset] file ...

ASCII, decimal, hexadecimal, octal dump

Special

hexdump -v # do not use * to replace duplicate lines
hexdump -ve '"%02X"' # convert in uppercase hexadecimal
hexdump -ve '8/1 "%02X"' # convert in uppercase hexadecimal in classic format 8bytes
hexdump -e '"%08_ax""|"' -e '16/1 "%02x ""|"' -e '16/1 "%_p""|\n"' # 1 bytes
hexdump -e '"%08_ax""|"' -e '8/2 "%04x ""|"' -e '16/1 "%_p""|\n"' # 2 bytes
hexdump -e '"%08_ax""|"' -e '4/4 "%08x ""|"' -e '16/1 "%_p""|\n"' # 4 bytes

Usefull

-C # Canonical hex+ASCII display. Display the input offset in hexadecimal, followed by sixteen space-separated, two column, hexadecimal bytes, followed by the same sixteen bytes in %_p format enclosed in ``|'' characters. Calling the command hd implies this option.
-n length # Interpret only length bytes of input.
-s offset # Skip offset bytes from the beginning of the input. By default, offset is interpreted as a decimal number.
-v # Cause hexdump to display all input data. Without the -v option, any number of groups of output lines, which would be identical to the immediately preceding group of output lines (except for the input offsets), are replaced with a line comprised of a single asterisk.

All

-b # One-byte octal display. Display the input offset in hexadecimal, followed by sixteen space-separated, three column, zero-filled, bytes of input data, in octal, per line.
-c # One-byte character display. Display the input offset in hexadecimal, followed by sixteen space-separated, three column, space-filled, characters of input data per line.
-C # Canonical hex+ASCII display. Display the input offset in hexadecimal, followed by sixteen space-separated, two column, hexadecimal bytes, followed by the same sixteen bytes in %_p format enclosed in ``|'' characters. Calling the command hd implies this option.
-d # Two-byte decimal display. Display the input offset in hexadecimal, followed by eight space-separated, five column, zero-filled, two-byte units of input data, in unsigned decimal, per line.
-e format_string # Specify a format string to be used for displaying data.
-f format_file # Specify a file that contains one or more newline separated format strings. Empty lines and lines whose first non-blank character is a hash mark (#) are ignored.
-n length # Interpret only length bytes of input.
-o # Two-byte octal display. Display the input offset in hexadecimal, followed by eight space-separated, six column, zero-filled, two byte quantities of input data, in octal, per line.
-s offset # Skip offset bytes from the beginning of the input. By default, offset is interpreted as a decimal number. With a leading 0x or 0X, offset is interpreted as a hexadecimal number, otherwise, with a leading 0, offset is interpreted as an octal number. Appending the character b, k, or m to offset causes it to be interpreted as a multiple of 512, 1024, or 1048576, respectively.
-v # Cause hexdump to display all input data. Without the -v option, any number of groups of output lines, which would be identical to the immediately preceding group of output lines (except for the input offsets), are replaced with a line comprised of a single asterisk.
-x # Two-byte hexadecimal display. Display the input offset in hexadecimal, followed by eight, space separated, four column, zero-filled, two-byte quantities of input data, in hexadecimal, per line.

Install

sudo apt install bsdmainutils

bash · forensic · help · malware

Mon Apr 25 19:20:31 2022 * · permalink

http://code.ambau.ovh/snippets/hexdump.html

rabin2

rabin2 [-AceghHiIsSMzlpRrLxvhqQTuUwV] [-a arch] [-b bits] [-B addr] [-C fmt:C:[D]] [-D lang sym|-] [-f subbin] [-k query] [-K algo] [-O binop] [-o str] [-m addr] [-@ addr] [-n str] [-X fmt file ...] file

Binary program info extractor

Special

rabin2 -H $file | grep -i timedate # compilation date
rabin2 -H $file | grep -i sizeofcode # size of code
rabin2 -i $file | grep -i " $dll " | wc -l # count imported functions in specific dll
rabin2 -i $file | awk '{print $5}' | grep -v '^\(lib\|\)$' | sort -u # show all imported libs (dll)
rabin2 -s $file | grep -i " $dll " | wc -l # count symbols functions in specific dll
rabin2 -H $file|grep -iA2 debug # debuger detection present
rabin2 -g Program|grep -i debug # details about debuger detection present
rabin2 -z $file | sed -n "/$str1/,/$str2/p" | sed 's/^.* ascii *//' > $fileout # extract data between 2 strings in file

Usefull

-H # Show header fields (see ih command in r2)
-g # Show all possible information
-I # Show binary info (iI in r2)
-i # Show imports (symbols imported from libraries) (ii)
-R # Show relocations
-s # Show exported symbols
-S # Show sections
-SS # Show segments
-t # Show file hashes
-T # Show Certificates
-U # Show Resources
-z # Show strings inside .data section (like gnu strings does)

-x # Extract all sub binaries from a fat binary (f.ex: fatmach0)
-X format file ... # Package a fat or zip containing all the files passed (fat, zip)

-l # List linked libraries to the binary
-e # Show entrypoints for disk and on-memory

All

-@ addr # Show information (symbol, section, import) of the given address
-A # List sub-binaries and their associated arch-bits pairs
-a arch # Set arch (x86, arm, .. accepts underscore for bits x86_32)
-b bits # Set bits (32, 64, ...)
-B addr # Override baddr
-c # List classes
-cc # List classes in header format
-C [fmt:C[:D]] Create [elf,mach0,pe] # for arm and x86-32/64 tiny binaries where 'C' is an hexpair list of the code bytes and ':D' is an optional concatenation to describe the bytes for the data section.
-d # Show debug/dwarf information
-D lang symbolname # - Demangle symbol name (or - to read from stdin) for lang (cxx, swift, java, cxx, ..)
-e # Show entrypoints for disk and on-memory
-ee # Show constructor/destructors (extended entrypoints)
-f subbin # Select sub-binary architecture. Useful for fat-mach0 binaries
-F binfmt # Force to use that bin plugin (ignore header check)
-g # Show all possible information
-G addr # Load address . offset to header
-h # Show usage help message.
-H # Show header fields (see ih command in r2)
-I # Show binary info (iI in r2)
-i # Show imports (symbols imported from libraries) (ii)
-j # Output in json
-k query # Perform SDB query on loaded file
-K algo # Select a rahash2 checksum algorithm to be performed on sections listing (and maybe others in the future) i.e 'rabin2 -K md5 -S /bin/ls'
-l # List linked libraries to the binary
-L # List supported bin plugins
-M # Show address of 'main' symbol
-m addr # Show source line reference from a given address
-N minlen:maxlen # Force minimum and maximum number of chars per string (see -z and -zz). if (strlen>minlen && (!maxlen || strlen<=maxlen))
-n str # Show information (symbol, section, import) at string offset
-o str # Output file/folder for write operations (out by default)
-O binop # Perform binary operation on target binary (dump, resize, change sections, ...) see '-O help' for more information
-p # Disable VA. Show physical addresses
-P # Show debug/pdb information
-PP # Download pdb file for binary
-q # Be quiet, just show fewer data
-qq # Show less info (no offset/size for -z for ex.)
-Q # Show load address used by dlopen (non-aslr libs)
-r # Show output in radare format
-R # Show relocations
-s # Show exported symbols
-S # Show sections
-SS # Show segments
-t # Show file hashes
-T # Show Certificates
-u # Unfiltered (no rename duplicated symbols/sections)
-U # Show Resources
-v # Show version information
-V # Show binary version information
-w # Show try/catch blocks
-x # Extract all sub binaries from a fat binary (f.ex: fatmach0)
-X format file ... # Package a fat or zip containing all the files passed (fat, zip)
-z # Show strings inside .data section (like gnu strings does)
-Z # Guess size of binary program
-zz # Shows strings from raw bins
-zzz # Dump raw strings to stdout (for huge files)

Install

sudo apt install radare2

bash · forensic · help · malware

Mon Apr 25 18:09:15 2022 * · permalink

http://code.ambau.ovh/snippets/rabin2.html

objdump

objdump <option(s)> <file(s)>

Display information from object <file(s)>

Usefull

objdump Program -x|sed -n '1,/.rdata section/p'
objdump Program -s|grep -A1 ^Contents
objdump Program -sj $section # section=".data"

-a, --archive-headers # Display archive header information
-f, --file-headers # Display the contents of the overall file header
-h, --[section-]headers  Display the contents of the section headers
-x, --all-headers # Display the contents of all headers
-s, --full-contents # Display the full contents of all sections requested

All

At least one of the following switches must be given:

-a, --archive-headers # Display archive header information
-f, --file-headers # Display the contents of the overall file header
-p, --private-headers # Display object format specific file header contents
-P, --private=OPT,OPT... Display object format specific contents
-h, --[section-]headers  Display the contents of the section headers
-x, --all-headers # Display the contents of all headers
-d, --disassemble # Display assembler contents of executable sections
-D, --disassemble-all # Display assembler contents of all sections
--disassemble=<sym>  Display assembler contents from <sym>
-S, --source # Intermix source code with disassembly
--source-comment[=<txt>] Prefix lines of source code with <txt>
-s, --full-contents # Display the full contents of all sections requested
-g, --debugging # Display debug information in object file
-e, --debugging-tags # Display debug information using ctags style
-G, --stabs # Display (in raw form) any STABS info in the file
-W[lLiaprmfFsoRtUuTgAckK] or --dwarf[=rawline,=decodedline,=info,=abbrev,=pubnames,=aranges,=macro,=frames, =frames-interp,=str,=loc,=Ranges,=pubtypes, =gdb_index,=trace_info,=trace_abbrev,=trace_aranges, =addr,=cu_index,=links,=follow-links] # Display DWARF info in the file
--ctf=SECTION # Display CTF info from SECTION
-t, --syms # Display the contents of the symbol table(s)
-T, --dynamic-syms # Display the contents of the dynamic symbol table
-r, --reloc # Display the relocation entries in the file
-R, --dynamic-reloc # Display the dynamic relocation entries in the file
@<file> # Read options from <file>
-v, --version # Display this program's version number
-i, --info # List object formats and architectures supported
-H, --help # Display this information

The following switches are optional:

-b, --target=BFDNAME # Specify the target object format as BFDNAME
-m, --architecture=MACHINE # Specify the target architecture as MACHINE
-j, --section=NAME # Only display information for section NAME
-M, --disassembler-options=OPT Pass text OPT on to the disassembler
-EB --endian=big # Assume big endian format when disassembling
-EL --endian=little # Assume little endian format when disassembling
--file-start-context # Include context from start of file (with -S)
-I, --include=DIR # Add DIR to search list for source files
-l, --line-numbers # Include line numbers and filenames in output
-F, --file-offsets # Include file offsets when displaying information
-C, --demangle[=STYLE] # Decode mangled/processed symbol names. The STYLE, if specified, can be `auto', `gnu', `lucid', `arm', `hp', `edg', `gnu-v3', `java' or `gnat'
--recurse-limit # Enable a limit on recursion whilst demangling.  [Default]
--no-recurse-limit # Disable a limit on recursion whilst demangling
-w, --wide # Format output for more than 80 columns
-z, --disassemble-zeroes # Do not skip blocks of zeroes when disassembling
--start-address=ADDR # Only process data whose address is >= ADDR
--stop-address=ADDR # Only process data whose address is < ADDR
--prefix-addresses # Print complete address alongside disassembly
--[no-]show-raw-insn # Display hex alongside symbolic disassembly
--insn-width=WIDTH # Display WIDTH bytes on a single line for -d
--adjust-vma=OFFSET # Add OFFSET to all displayed section addresses
--special-syms # Include special symbols in symbol dumps
--inlines # Print all inlines for source line (with -l)
--prefix=PREFIX # Add PREFIX to absolute paths for -S
--prefix-strip=LEVEL # Strip initial directory names for -S
--dwarf-depth=N # Do not display DIEs at depth N or greater
--dwarf-start=N # Display DIEs starting with N, at the same depth or deeper
--dwarf-check # Make additional dwarf internal consistency checks.
--ctf-parent=SECTION # Use SECTION as the CTF parent
--visualize-jumps # Visualize jumps by drawing ASCII art lines
--visualize-jumps=color # Use colors in the ASCII art
--visualize-jumps=extended-color # Use extended 8-bit color codes
--visualize-jumps=off # Disable jump visualization

Install

sudo apt install binutils-common

bash · forensic · help · malware

Mon Apr 25 16:10:40 2022 * · permalink

http://code.ambau.ovh/snippets/objdump.html

clamscan

clamscan [options] [file/directory/-]

Scan files and directories for viruses

Usefull

-i --infected # Only print infected files
-r --recursive[=yes/no(*)] # Scan subdirectories recursively
-f --file-list=FILE FILE # Scan files from FILE

All

-a --archive-verbose # Show filenames inside scanned archives
--stdout # Write to stdout instead of stderr. Does not affect 'debug' messages.
--no-summary # Disable summary at end of scanning
-i --infected # Only print infected files
--suppress-ok-results -o # Skip printing OK files
--bell # Sound bell on virus detection

--tempdir=DIRECTORY # Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)] # Do not remove temporary files
--gen-json[=yes/no(*)] # Generate JSON description of scanned file(s). JSON will be printed and also dropped to the temp directory if --leave-temps is enabled.
-d --database=FILE/DIR FILE/DIR # Load virus database from FILE or load all supported db files from DIR
--official-db-only[=yes/no(*)] # Only load official signatures
-l --log=FILE FILE # Save scan report to FILE
-r --recursive[=yes/no(*)] # Scan subdirectories recursively
-z --allmatch[=yes/no(*)] # Continue scanning within file after finding a match
--cross-fs[=yes(*)/no] # Scan files and directories on other filesystems
--follow-dir-symlinks[=0/1(*)/2] # Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2] # Follow file symlinks (0 = never, 1 = direct, 2 = always)
-f --file-list=FILE FILE # Scan files from FILE
--remove[=yes/no(*)] # Remove infected files. Be careful!
--move=DIRECTORY # Move infected files into DIRECTORY
--copy=DIRECTORY # Copy infected files into DIRECTORY
--exclude=REGEX # Don't scan file names matching REGEX
--exclude-dir=REGEX # Don't scan directories matching REGEX
--include=REGEX # Only scan file names matching REGEX
--include-dir=REGEX # Only scan directories matching REGEX

--bytecode[=yes(*)/no] # Load bytecode from the database
--bytecode-unsigned[=yes/no(*)] # Load unsigned bytecode **Caution**: You should NEVER run bytecode signatures from untrusted sources. Doing so may result in arbitrary code execution.
--bytecode-timeout=N # Set bytecode timeout (in milliseconds)
--statistics[=none(*)/bytecode/pcre] # Collect and print execution statistics
--detect-pua[=yes/no(*)] # Detect Possibly Unwanted Applications
--exclude-pua=CAT # Skip PUA sigs of category CAT
--include-pua=CAT # Load PUA sigs of category CAT
--detect-structured[=yes/no(*)] # Detect structured data (SSN, Credit Card)
--structured-ssn-format=X # SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N # Min SSN count to generate a detect
--structured-cc-count=N # Min CC count to generate a detect
--structured-cc-mode=X # CC mode (0=credit debit and private label, 1=credit cards only
--scan-mail[=yes(*)/no] # Scan mail files
--phishing-sigs[=yes(*)/no] # Enable email signature-based phishing detection
--phishing-scan-urls[=yes(*)/no] # Enable URL signature-based phishing detection
--heuristic-alerts[=yes(*)/no] # Heuristic alerts
--heuristic-scan-precedence[=yes/no(*)] # Stop scanning as soon as a heuristic match is found
--normalize[=yes(*)/no] # Normalize html, script, and text files. Use normalize=no for yara compatibility
--scan-pe[=yes(*)/no] # Scan PE files
--scan-elf[=yes(*)/no] # Scan ELF files
--scan-ole2[=yes(*)/no] # Scan OLE2 containers
--scan-pdf[=yes(*)/no] # Scan PDF files
--scan-swf[=yes(*)/no] # Scan SWF files
--scan-html[=yes(*)/no] # Scan HTML files
--scan-xmldocs[=yes(*)/no] # Scan xml-based document files
--scan-hwp3[=yes(*)/no] # Scan HWP3 files
--scan-archive[=yes(*)/no] # Scan archive files (supported by libclamav)
--alert-broken[=yes/no(*)] # Alert on broken executable files (PE & ELF)
--alert-broken-media[=yes/no(*)] # Alert on broken graphics files (JPEG, TIFF, PNG, GIF)
--alert-encrypted[=yes/no(*)] # Alert on encrypted archives and documents
--alert-encrypted-archive[=yes/no(*)] # Alert on encrypted archives
--alert-encrypted-doc[=yes/no(*)] # Alert on encrypted documents
--alert-macros[=yes/no(*)] # Alert on OLE2 files containing VBA macros
--alert-exceeds-max[=yes/no(*)] # Alert on files that exceed max file size, max scan size, or max recursion limit
--alert-phishing-ssl[=yes/no(*)] # Alert on emails containing SSL mismatches in URLs
--alert-phishing-cloak[=yes/no(*)] # Alert on emails containing cloaked URLs
--alert-partition-intersection[=yes/no(*)] # Alert on raw DMG image files containing partition intersections
--nocerts # Disable authenticode certificate chain verification in PE files
--dumpcerts # Dump authenticode certificate chain in PE files

--max-scantime=#n # Scan time longer than this will be skipped and assumed clean (milliseconds)
--max-filesize=#n # Files larger than this will be skipped and assumed clean
--max-scansize=#n # The maximum amount of data to scan for each container file (**)
--max-files=#n # The maximum number of files to scan for each container file (**)
--max-recursion=#n # Maximum archive recursion level for container file (**)
--max-dir-recursion=#n # Maximum directory recursion level
--max-embeddedpe=#n # Maximum size file to check for embedded PE
--max-htmlnormalize=#n # Maximum size of HTML file to normalize
--max-htmlnotags=#n # Maximum size of normalized HTML file to scan
--max-scriptnormalize=#n # Maximum size of script file to normalize
--max-ziptypercg=#n # Maximum size zip to type reanalyze
--max-partitions=#n # Maximum number of partitions in disk image to be scanned
--max-iconspe=#n # Maximum number of icons in PE file to be scanned
--max-rechwp3=#n # Maximum recursive calls to HWP3 parsing function
--pcre-match-limit=#n # Maximum calls to the PCRE match function.
--pcre-recmatch-limit=#n # Maximum recursive calls to the PCRE match function.
--pcre-max-filesize=#n # Maximum size file to perform PCRE subsig matching.
--disable-cache # Disable caching and cache checks for hash sums of scanned files.

-h --help # Show this help
--debug # Enable libclamav's debug messages
--quiet # Only output error messages
-v --verbose # Be verbose
-V --version # Print version number

Install

sudo apt install clamav

bash · forensic · help · malware

Mon Apr 25 15:57:32 2022 * · permalink

http://code.ambau.ovh/snippets/clamscan.html

pescan

pescan OPTIONS FILE

Search for suspicious things in PE files

Usefull

-f, --format <text|html|xml|csv|json> # change output format (default: text)

All

-f, --format <text|html|xml|csv|json> # change output format (default: text)
-v, --verbose # show more info about items found

-V, --version # show version and exit
    --help # show this help and exit

Install

sudo apt install pev

bash · forensic · help · malware

Mon Apr 25 15:49:57 2022 * · permalink

http://code.ambau.ovh/snippets/help-pescan.html

strings

strings [option(s)] [file(s)]

Display printable strings in [file(s)] (stdin by default)

Usefull

-s --output-separator=<string> String used to separate strings in output.

All

-a - --all # Scan the entire file, not just the data section [default]
-d --data # Only scan the data sections in the file
-f --print-file-name # Print the name of the file before each string
-n --bytes=[number] # Locate & print any NUL-terminated sequence of at -<number> least [number] characters (default 4)
-t --radix={o,d,x} # Print the location of the string in base 8, 10 or 16
-w --include-all-whitespace Include all whitespace as valid string characters
-o # An alias for --radix=o
-T --target=<BFDNAME> # Specify the binary file format
-e --encoding={s,S,b,l,B,L} Select character size and endianness: s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
@<file> # Read options from <file>

-h --help # Display this information
-v -V --version # Print the program's version number

bash · forensic · help · malware

Mon Apr 25 14:10:35 2022 * · permalink

http://code.ambau.ovh/snippets/strings.html

file

file [OPTION...] [FILE...]

Determine type of FILEs.

Usefull

-z, --uncompress # try to look inside compressed files
-F, --separator STRING # use string as separator instead of `:'

All

-m, --magic-file LIST # use LIST as a colon-separated list of magic number files
-z, --uncompress # try to look inside compressed files
-Z, --uncompress-noreport  only print the contents of compressed files
-b, --brief # do not prepend filenames to output lines
-c, --checking-printout # print the parsed form of the magic file, use in conjunction with -m to debug a new magic file before installing it
-e, --exclude TEST # exclude TEST from the list of test to be performed for file. Valid tests are: apptype, ascii, cdf, compress, csv, elf, encoding, soft, tar, json, text, tokens
-f, --files-from FILE # read the filenames to be examined from FILE
-F, --separator STRING # use string as separator instead of `:'
-i, --mime # output MIME type strings (--mime-type and --mime-encoding)
    --apple # output the Apple CREATOR/TYPE
    --extension # output a slash-separated list of extensions
    --mime-type # output the MIME type
    --mime-encoding # output the MIME encoding
-k, --keep-going # don't stop at the first match
-l, --list # list magic strength
-L, --dereference # follow symlinks (default if POSIXLY_CORRECT is set)
-h, --no-dereference # don't follow symlinks (default if POSIXLY_CORRECT is not set) (default)
-n, --no-buffer # do not buffer output
-N, --no-pad # do not pad output
-0, --print0 # terminate filenames with ASCII NUL
-p, --preserve-date # preserve access times on files
-P, --parameter # set file engine parameter limits
             indir        15 recursion limit for indirection
             name         30 use limit for name/use magic
             elf_notes   256 max ELF notes processed
             elf_phnum   128 max ELF prog sections processed
             elf_shnum 32768 max ELF sections processed
-r, --raw # don't translate unprintable chars to \ooo
-s, --special-files # treat special (block/char devices) files as ordinary ones
-S, --no-sandbox # disable system call sandboxing
-C, --compile # compile file specified by -m
-d, --debug # print debugging messages

    --help # display this help and exit
-v, --version # output version information and exit

bash · forensic · help · malware

Mon Apr 25 13:57:34 2022 * · permalink

http://code.ambau.ovh/snippets/file.html