hacktricks/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md

# Uchambuzi wa Malware

{{#include ../../banners/hacktricks-training.md}}

## Karatasi za Udanganyifu za Forensics

[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)

## Huduma za Mtandaoni

- [VirusTotal](https://www.virustotal.com/gui/home/upload)
- [HybridAnalysis](https://www.hybrid-analysis.com)
- [Koodous](https://koodous.com)
- [Intezer](https://analyze.intezer.com)
- [Any.Run](https://any.run/)

## Zana za Antivirus na Ugunduzi za Offline

### Yara

#### Sakinisha
```bash
sudo apt-get install -y yara
```
#### Andaa sheria

Tumia skripti hii kupakua na kuunganisha sheria zote za yara malware kutoka github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Unda saraka ya _**rules**_ na uitekeleze. Hii itaunda faili inayoitwa _**malware_rules.yar**_ ambayo ina sheria zote za yara za malware.
```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
```
#### Skana
```bash
yara -w malware_rules.yar image  #Scan 1 file
yara -w malware_rules.yar folder #Scan the whole folder
```
#### YaraGen: Angalia kwa malware na Unda sheria

You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Check out these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
```bash
python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m  ../../mals/
```
### ClamAV

#### Sakinisha
```
sudo apt-get install -y clamav
```
#### Scan
```bash
sudo freshclam      #Update rules
clamscan filepath   #Scan 1 file
clamscan folderpath #Scan the whole folder
```
### [Capa](https://github.com/mandiant/capa)

**Capa** inagundua uwezo wa **hatari** katika executable: PE, ELF, .NET. Hivyo itapata mambo kama mbinu za Att\&ck, au uwezo wa kushangaza kama:

- angalia kosa la OutputDebugString
- endesha kama huduma
- tengeneza mchakato

Pata katika [**Github repo**](https://github.com/mandiant/capa).

### IOCs

IOC inamaanisha Kielelezo cha Kuathiriwa. IOC ni seti ya **masharti yanayobaini** baadhi ya programu zisizohitajika au **malware** iliyothibitishwa. Timu za Blue hutumia aina hii ya ufafanuzi ili **kutafuta aina hii ya faili za hatari** katika **mifumo** yao na **mitandao**.\
Kushiriki ufafanuzi huu ni muhimu sana kwani wakati malware inatambuliwa kwenye kompyuta na IOC kwa malware hiyo inaundwa, timu nyingine za Blue zinaweza kuitumia ili kutambua malware hiyo haraka.

Zana ya kuunda au kubadilisha IOCs ni [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
Unaweza kutumia zana kama [**Redline**](https://www.fireeye.com/services/freeware/redline.html) ili **kutafuta IOCs zilizofafanuliwa kwenye kifaa**.

### Loki

[**Loki**](https://github.com/Neo23x0/Loki) ni skana ya Viashiria Rahisi vya Kuathiriwa.\
Ugunduzi unategemea mbinu nne za ugunduzi:
```
1. File Name IOC
Regex match on full file path/name

2. Yara Rule Check
Yara signature matches on file data and process memory

3. Hash Check
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files

4. C2 Back Connect Check
Compares process connection endpoints with C2 IOCs (new since version v.10)
```
### Linux Malware Detect

[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) ni skana ya malware kwa Linux iliyotolewa chini ya leseni ya GNU GPLv2, ambayo imeundwa kuzingatia vitisho vinavyokabiliwa katika mazingira ya mwenyeji wa pamoja. Inatumia data za vitisho kutoka kwa mifumo ya kugundua uvamizi kwenye ukingo wa mtandao ili kutoa malware inayotumika kwa shambulio na kuunda saini za kugundua. Zaidi ya hayo, data za vitisho pia zinatokana na michango ya watumiaji kupitia kipengele cha LMD checkout na rasilimali za jamii ya malware.

### rkhunter

Zana kama [**rkhunter**](http://rkhunter.sourceforge.net) zinaweza kutumika kuangalia mfumo wa faili kwa ajili ya **rootkits** na malware.
```bash
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
```
### FLOSS

[**FLOSS**](https://github.com/mandiant/flare-floss) ni chombo ambacho kitajaribu kupata nyuzi zilizofichwa ndani ya executable kwa kutumia mbinu tofauti.

### PEpper

[PEpper ](https://github.com/Th3Hurrican3/PEpper) inakagua mambo ya msingi ndani ya executable (data ya binary, entropy, URLs na IPs, baadhi ya sheria za yara).

### PEstudio

[PEstudio](https://www.winitor.com/download) ni chombo kinachoruhusu kupata taarifa za Windows executables kama vile imports, exports, headers, lakini pia kitakagua virus total na kupata mbinu za Att\&ck zinazoweza kuwa.

### Detect It Easy(DiE)

[**DiE**](https://github.com/horsicq/Detect-It-Easy/) ni chombo cha kugundua kama faili ime **encrypted** na pia kupata **packers**.

### NeoPI

[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI) ni script ya Python inayotumia mbinu mbalimbali za **statistical methods** kugundua maudhui yaliyofichwa na **encrypted** ndani ya faili za maandiko/script. Kusudi lililokusudiwa la NeoPI ni kusaidia katika **detection of hidden web shell code**.

### **php-malware-finder**

[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) inajitahidi sana kugundua **obfuscated**/**dodgy code** pamoja na faili zinazotumia **PHP** functions ambazo mara nyingi hutumiwa katika **malwares**/webshells.

### Apple Binary Signatures

Unapokagua baadhi ya **malware sample** unapaswa kila wakati **check the signature** ya binary kwani **developer** aliyeisaini inaweza kuwa tayari **related** na **malware.**
```bash
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"

#Check if the app’s contents have been modified
codesign --verify --verbose /Applications/Safari.app

#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app
```
## Mbinu za Kugundua

### Kuunganisha Faili

Ikiwa unajua kwamba folda fulani inayoshikilia **faili** za seva ya wavuti ilifanywa **kupdate kwa tarehe fulani**. **Angalia** **tarehe** zote za **faili** katika **seva ya wavuti zilizoumbwa na kubadilishwa** na ikiwa tarehe yoyote ni **ya kushangaza**, angalia faili hiyo.

### Msingi

Ikiwa faili za folda **hazipaswi kubadilishwa**, unaweza kuhesabu **hash** ya **faili za asili** za folda na **kulinganisha** na zile za **sasa**. Kila kitu kilichobadilishwa kitakuwa **cha kushangaza**.

### Uchambuzi wa Takwimu

Wakati habari inahifadhiwa katika kumbukumbu unaweza **kuangalia takwimu kama vile ni mara ngapi kila faili ya seva ya wavuti ilifikiriwa kama shell ya wavuti inaweza kuwa moja ya**.

---

## Kuondoa Ufafanuzi wa Mwelekeo wa Kudumu (JMP/CALL RAX Dispatchers)

Familia za kisasa za malware zinatumia sana ufichaji wa Mchoro wa Mwelekeo (CFG): badala ya kuruka/kuita moja kwa moja wanahesabu marudio wakati wa utendaji na kutekeleza `jmp rax` au `call rax`. *Dispatcher* ndogo (kawaida maagizo tisa) inaweka lengo la mwisho kulingana na bendera za CPU `ZF`/`CF`, ikivunja kabisa urejeleaji wa static CFG.

Mbinu hii – iliyowasilishwa na mzigo wa SLOW#TEMPEST – inaweza kushindwa kwa mchakato wa hatua tatu unaotegemea tu IDAPython na emulator ya CPU ya Unicorn.

### 1. Pata kila kuruka / kuita isiyo ya moja kwa moja
```python
import idautils, idc

for ea in idautils.FunctionItems(idc.here()):
mnem = idc.print_insn_mnem(ea)
if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
print(f"[+] Dispatcher found @ {ea:X}")
```
### 2. Toa byte-code ya dispatcher
```python
import idc

def get_dispatcher_start(jmp_ea, count=9):
s = jmp_ea
for _ in range(count):
s = idc.prev_head(s, 0)
return s

start = get_dispatcher_start(jmp_ea)
size  = jmp_ea + idc.get_item_size(jmp_ea) - start
code  = idc.get_bytes(start, size)
open(f"{start:X}.bin", "wb").write(code)
```
### 3. Iiga mara mbili kwa kutumia Unicorn
```python
from unicorn import *
from unicorn.x86_const import *
import struct

def run(code, zf=0, cf=0):
BASE = 0x1000
mu = Uc(UC_ARCH_X86, UC_MODE_64)
mu.mem_map(BASE, 0x1000)
mu.mem_write(BASE, code)
mu.reg_write(UC_X86_REG_RFLAGS, (zf << 6) | cf)
mu.reg_write(UC_X86_REG_RAX, 0)
mu.emu_start(BASE, BASE+len(code))
return mu.reg_read(UC_X86_REG_RAX)
```
Kimbia `run(code,0,0)` na `run(code,1,1)` ili kupata malengo ya tawi *false* na *true*.

### 4. Rudisha nyuma kuruka moja kwa moja / wito
```python
import struct, ida_bytes

def patch_direct(ea, target, is_call=False):
op   = 0xE8 if is_call else 0xE9           # CALL rel32 or JMP rel32
disp = target - (ea + 5) & 0xFFFFFFFF
ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))
```
Baada ya kurekebisha, kulazimisha IDA kuchambua tena kazi ili CFG kamili na matokeo ya Hex-Rays yarudishwe:
```python
import ida_auto, idaapi
idaapi.reanalyze_function(idc.get_func_attr(ea, idc.FUNCATTR_START))
```
### 5. Label indirect API calls

Mara tu marudio halisi ya kila `call rax` yanapojulikana unaweza kumwambia IDA ni nini ili aina za parameta na majina ya mabadiliko yaweze kurejeshwa kiotomatiki:
```python
idc.set_callee_name(call_ea, resolved_addr, 0)  # IDA 8.3+
```
### Faida za Kivitendo

* Inarejesha CFG halisi → decompilation inabadilika kutoka *10* mistari hadi maelfu.
* Inaruhusu cross-reference za nyuzi & xrefs, ikifanya ujenzi wa tabia kuwa rahisi.
* Scripts zinaweza kutumika tena: ziacha kwenye loader yoyote iliyo na ulinzi wa hila hiyo hiyo.

---

## Marejeleo

- [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)

{{#include ../../banners/hacktricks-training.md}}