2022-11-03
QuickSand: a compact C framework for analyzing suspected malware documents
QuickSand.io
QuickSand is a compact C framework for analyzing suspected malware documents. It 1) identifies exploits in streams of different encodings and 2) locates and extracts embedded executables. Because it can locate embedded obfuscated executables, QuickSand can flag documents that carry zero-day or otherwise unknown obfuscated exploits even when no signature matches the exploit itself.
File Formats For Exploit and Active Content Detection
- doc, docx, docm, rtf, etc.
- ppt, pptx, pps, ppsx, etc.
- xls, xlsx, etc.
- mime mso
- eml email
File Formats For Executable Detection
- All of the above, plus PDF.
- Any document format, such as HWP.
Lite Version - MPLv2 License
- Key dictionary up to 256-byte XOR
- Bitwise ROL, ROR, NOT
- Addition or subtraction math cipher
- Executable extraction: Windows, Mac, Linux, VBA
- Exploit search
- RTF pre-processing
- Hex stream extract
- Base64 stream extract
- Embedded Zip extract
- ExOleObjStgCompressedAtom extract
- zlib decode
- MIME MSO XML decoding
- OpenXML decode (unzip)
- Yara signatures included: executables, active content, exploits CVE 2014 and earlier
Example results and more info: see the blog post
Full Version - Commercial License
- Key cryptanalysis: key sizes 1-1024 bytes in factors of 2, or a specified odd size of 1-1024 bytes
- 1-byte brute-force XOR search, including keys that leave zero and space bytes unreplaced
- XOR look-ahead cipher
- More Yara signatures included: all of Lite plus the most recent exploits 2014-2016 for CVE identification
- Try the full version online at QuickSand.io
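The Lite list above (key dictionary XOR) and the Full list (key cryptanalysis of multi-byte keys) both come down to one idea: an obfuscated PE still carries predictable plaintext, so the key can be recovered rather than guessed. The following is an added example written for this page, not QuickSand's own code. It runs a known-plaintext attack using the DOS stub message "This program cannot be run in DOS mode." to derive a repeating XOR key, then walks backwards to the decoded "MZ" header. Assumptions (not from the page): keys up to 16 bytes are tried (QuickSand goes far higher), the key stream repeats from the start of the embedded blob (the recovered key is aligned to document offset 0, so it may be a rotation of the original, which decodes identically), and the function names find_xor_pe and build_sample plus the sample document are constructed for the demo.

```c
/* Added example, not QuickSand code: known-plaintext recovery of a repeating
 * XOR key hiding a PE in a document, then a search for the decoded "MZ".
 * Assumptions: MAX_KEY-byte keys at most; key index = document offset mod keylen. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEY     16      /* assumption: longest key length we try */
#define MZ_LOOKBACK 0x200   /* how far before the stub text to search for "MZ" */

static const char DOS_STUB[] = "This program cannot be run in DOS mode.";
#define STUB_LEN (sizeof(DOS_STUB) - 1)   /* 39 > MAX_KEY: every key byte gets cross-checked */

struct hit {
    size_t  mz_off;         /* document offset of the decoded "MZ" */
    size_t  keylen;
    uint8_t key[MAX_KEY];   /* key[k] applies to document offsets p with p % keylen == k */
};

/* Assume DOS_STUB is the plaintext at ciphertext offset `off` and derive a key of
 * length keylen. Returns 0 as soon as two positions disagree on a key byte. */
static int derive_key(const uint8_t *buf, size_t off, size_t keylen, uint8_t *key)
{
    uint8_t seen[MAX_KEY] = {0};
    for (size_t i = 0; i < STUB_LEN; i++) {
        size_t  k  = (off + i) % keylen;
        uint8_t kb = buf[off + i] ^ (uint8_t)DOS_STUB[i];
        if (seen[k] && key[k] != kb) return 0;
        key[k]  = kb;
        seen[k] = 1;
    }
    return 1;
}

static uint8_t dec(const uint8_t *buf, size_t p, const uint8_t *key, size_t keylen)
{
    return buf[p] ^ key[p % keylen];
}

/* Scan a document for an XOR-obfuscated PE. Returns 1 and fills *out on success. */
int find_xor_pe(const uint8_t *buf, size_t len, struct hit *out)
{
    if (len < STUB_LEN) return 0;
    for (size_t off = 0; off + STUB_LEN <= len; off++) {
        for (size_t keylen = 1; keylen <= MAX_KEY; keylen++) {
            uint8_t key[MAX_KEY];
            if (!derive_key(buf, off, keylen, key)) continue;
            /* Consistent key: the "MZ" header must precede the stub text. */
            size_t start = off > MZ_LOOKBACK ? off - MZ_LOOKBACK : 0;
            for (size_t p = off; p-- > start;) {
                if (dec(buf, p, key, keylen) == 'M' && dec(buf, p + 1, key, keylen) == 'Z') {
                    out->mz_off = p; out->keylen = keylen;
                    memcpy(out->key, key, keylen);
                    return 1;
                }
            }
        }
    }
    return 0;
}

/* Constructed sample: 100 bytes of filler, then a minimal PE-style blob (MZ header,
 * DOS stub code at 0x40, stub text at 0x4E) XOR-ed with a 4-byte key. Returns length. */
size_t build_sample(uint8_t *doc, size_t cap)
{
    static const uint8_t key[4] = {0x5A, 0xC3, 0x17, 0x88};
    static const uint8_t stub_code[] = {0x0E,0x1F,0xBA,0x0E,0x00,0xB4,0x09,0xCD,
                                        0x21,0xB8,0x01,0x4C,0xCD,0x21};
    const size_t at = 100;  /* multiple of 4, so the recovered key is not rotated */
    uint8_t blob[128] = {0};
    blob[0] = 'M'; blob[1] = 'Z';
    memcpy(blob + 0x40, stub_code, sizeof stub_code);
    memcpy(blob + 0x4E, DOS_STUB, STUB_LEN);
    memcpy(blob + 0x4E + STUB_LEN, "\r\n$", 3);
    size_t blob_len = 0x4E + STUB_LEN + 3;     /* 120 bytes */
    if (cap < at + blob_len) return 0;
    memset(doc, 'A', at);
    for (size_t i = 0; i < blob_len; i++)
        doc[at + i] = blob[i] ^ key[i % 4];
    return at + blob_len;
}

int main(void)
{
    uint8_t doc[256];
    struct hit h;
    size_t n = build_sample(doc, sizeof doc);
    if (!find_xor_pe(doc, n, &h)) { puts("no XOR-obfuscated PE found"); return 1; }
    printf("MZ at offset %zu, key length %zu, key:", h.mz_off, h.keylen);
    for (size_t k = 0; k < h.keylen; k++) printf(" %02x", h.key[k]);
    putchar('\n');
    return 0;
}
```

The 39-byte stub message constrains every key byte at least twice for any key length up to 16, so a random window almost never yields a consistent key; that is what makes this cheaper and far less noisy than brute-forcing every key value, and it is the same reason QuickSand can size keys up to 1024 bytes. Swapping the XOR in dec and derive_key for addition/subtraction or a bit rotation gives the other ciphers in the Lite list.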
Dependencies (not included)
- Yara 3.4+
- zlib 1.2.1+
- libzip 1.1.1+
Distributed components under their own licensing
- MD5 by RSA Data Security, Inc.
- SHA1 by Paul E. Jones
- SHA2 by Aaron D. Gifford
- jWrite by TonyWilk for JSON output
- tinydir by Cong Xu, Baudouin Feildel for directory processing
Quick Start

```sh
./build.sh
./quicksand.out -h
./quicksand.out malware.doc
```
Documentation
QuickSand.io
Copyright, License, and Trademark
"QuickSand.io" name and the QuickSand application logo are Copyright 2016 Tyler McLellan and Tylabs and their use requires written permission from the author.
Source code quicksand.c, libqs.h, libqs.c and the yara signatures except where noted are Copyright 2016 Tyler McLellan and Tylabs.
See included Mozilla Public License Version 2.0 for licensing information.