On the project's website, Viper is defined as:
"Viper is a binary analysis and management framework. Its fundamental objective is to provide a solution to easily organize your collection of malware and exploit samples as well as your collection of scripts you created or found over the time to facilitate your daily research."
Normally, when analyzing malware, whether for an investigation, for fun, or because we are interested in a particular variant, it is not unusual to have several samples to go through.
Viper helps with the task of classifying and reviewing those samples.
To take a look at it, we download the latest version from GitHub:
root@ecrime:~/tools/malware# git clone https://github.com/botherder/viper
Cloning into 'viper'...
remote: Counting objects: 3054, done.
remote: Total 3054 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3054/3054), 1.28 MiB | 0 bytes/s, done.
Resolving deltas: 100% (1909/1909), done.
Checking connectivity... done.
Once Viper is downloaded, we install the required libraries:
root@ecrime:~/tools/malware/viper# pip install -r requirements.txt
Requirement already satisfied (use --upgrade to upgrade): python-magic in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): pefile in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): PrettyTable in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 3))
Requirement already satisfied (use --upgrade to upgrade): pydeep in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 4))
Requirement already satisfied (use --upgrade to upgrade): requests in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 5))
Requirement already satisfied (use --upgrade to upgrade): SQLAlchemy in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 6))
Requirement already satisfied (use --upgrade to upgrade): pycrypto in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 7))
Downloading/unpacking OleFileIO-PL (from -r requirements.txt (line 8))
Downloading OleFileIO_PL-0.42.1.zip (120kB): 120kB downloaded
Running setup.py (path:/tmp/pip_build_root/OleFileIO-PL/setup.py) egg_info for package OleFileIO-PL
Requirement already satisfied (use --upgrade to upgrade): olefile in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 9))
Requirement already satisfied (use --upgrade to upgrade): BeautifulSoup4 in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 10))
Requirement already satisfied (use --upgrade to upgrade): bottle in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 11))
Requirement already satisfied (use --upgrade to upgrade): pylzma in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 12))
Requirement already satisfied (use --upgrade to upgrade): pyelftools in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 13))
Requirement already satisfied (use --upgrade to upgrade): bitstring in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 14))
Requirement already satisfied (use --upgrade to upgrade): dnspython in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 15))
Requirement already satisfied (use --upgrade to upgrade): pyexiftool from git+https://github.com/smarnach/pyexiftool.git in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 16))
Requirement already satisfied (use --upgrade to upgrade): pyasn1 in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 17))
Requirement already satisfied (use --upgrade to upgrade): M2Crypto in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 18))
Installing collected packages: OleFileIO-PL
Running setup.py install for OleFileIO-PL
Successfully installed OleFileIO-PL
Cleaning up...
Creating a project with Viper
The first thing we do is create a project with Viper:
As you can see, the project has no samples yet, since we have just created it.
Now we add samples so we can analyze them.
(Screenshot: adding samples to the Viper project)
If we want to see which files have been added to the project, we can do so:
(Screenshot: listing the files in the current Viper project)
Viper lets us analyze each file in detail and obtain information about it; let's go through an example with one of them:
(Screenshot: file details)
Working directly with the file, we can obtain the information we would otherwise get from tools such as pefile.
(Screenshot: extracting information from a file)
(Screenshot: checking a hash in Viper)
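To make concrete what the "adding samples", "file details" and "hash check" steps above actually involve, here is an added example, written for this page and not taken from Viper's code. It implements a tiny sample store keyed by SHA-256 (so the same binary added twice is stored once), a search by hash or name, and a minimal PE header parser that extracts the machine type, timestamp and section table. Viper itself relies on pefile and SQLAlchemy for this; the hand-written parser and sqlite3 table are simplified stand-ins, and the PE image used as input is constructed inline so the example runs offline.

```python
"""Added example (not Viper's own code): hashing, storing, searching and
inspecting PE samples with only the Python standard library."""
import hashlib
import sqlite3
import struct

MACHINE_NAMES = {0x14C: "i386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def hashes(data):
    """MD5/SHA-1/SHA-256 of a sample: the identifiers you search a collection by."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def pe_info(data):
    """Parse DOS header, PE signature, COFF file header and section table.
    Raises ValueError for anything that is not a (well-formed enough) PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sec_table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        off = sec_table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, _vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "raw_size": rawsize, "raw_offset": rawptr,
            # raw data pointing past the end of the file is a common sign of a
            # truncated download or a packer that rewrites the section table
            "raw_in_file": rawptr + rawsize <= len(data),
        })
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)),
            "timestamp": stamp, "characteristics": chars, "sections": sections}


class SampleStore:
    """In-memory collection keyed by SHA-256 (assumption: one row per unique binary)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE samples (name TEXT, size INTEGER, "
                        "md5 TEXT, sha1 TEXT, sha256 TEXT PRIMARY KEY)")

    def store(self, name, data):
        """Returns True if the sample was new, False if that hash was already present."""
        h = hashes(data)
        cur = self.db.execute("INSERT OR IGNORE INTO samples VALUES (?, ?, ?, ?, ?)",
                              (name, len(data), h["md5"], h["sha1"], h["sha256"]))
        return cur.rowcount == 1

    def find(self, key, value=None):
        """find('all'), or find('md5'|'sha1'|'sha256'|'name', value)."""
        cols = "SELECT name, size, sha256 FROM samples"
        if key == "all":
            rows = self.db.execute(cols + " ORDER BY name")
        elif key in ("md5", "sha1", "sha256"):
            # key is whitelisted above, so interpolating the column name is safe
            rows = self.db.execute(cols + f" WHERE {key} = ?", (value.lower(),))
        elif key == "name":
            rows = self.db.execute(cols + " WHERE name LIKE ?", ("%" + value + "%",))
        else:
            raise ValueError("unknown search key: " + key)
        return [dict(zip(("name", "size", "sha256"), r)) for r in rows]


def build_test_pe(sections):
    """Constructed, minimal 32-bit PE image (no optional header) for offline use.
    sections: list of (name_bytes, virtual_address, raw_size, raw_offset)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5A000000, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, rawsize, vaddr, rawsize, rawptr,
                    0, 0, 0, 0, 0x60000020)
        for name, vaddr, rawsize, rawptr in sections)
    end = max(rawptr + rawsize for _, _, rawsize, rawptr in sections)
    return (dos + b"PE\0\0" + file_hdr + table).ljust(end, b"\0")


if __name__ == "__main__":
    pe = build_test_pe([(b".text", 0x1000, 0x200, 0x200), (b".data", 0x2000, 0x100, 0x400)])
    store = SampleStore()
    store.store("sample1.exe", pe)
    print(store.find("sha256", hashes(pe)["sha256"]))
    print(pe_info(pe))
```

Storing the same bytes under a second filename returns False and adds no row, which is the behaviour you want when several analysts drop overlapping sample sets into one project; searching by hash accepts upper- or lower-case hex. The `raw_in_file` flag is a cheap sanity check worth running on every new sample before spending time on it.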
Proyecto Viper => https://github.com/botherder/viper