Awesome
Description
Most antivirus engines rely on strings or other bytes sequences, function exports and big integers to recognize malware. This project helps to automatically recover these signatures.
Project status
Able to automatically find and remove the strings that have the most impact on the AV's verdict.
Setup and usage
Here are the instructions to use this tool.
Dependencies (Python 3)
- python-tqdm
- python-hexdump
- pytest
python3 -m pip install -r requirements.txt
Dependencies (other)
- rabin2 (from radare2)
- loadlibrary: Windows Defender scanner ported to Linux by taviso (3 minutes setup, instructions at https://github.com/taviso/loadlibrary)
Configuration
Fix all the values in config.json
.
Usage
python3 antivirus_debugger.py -h
usage: antivirus_debugger.py [-h] [-s] [-z] [-f FILE] [-e] [-l LENGTH] [-c SECTION] [-g] [-V] [-H HIDE_SECTION] [-S SCANNER]
optional arguments:
-h, --help show this help message and exit
-s, --skip-strings Skip strings analysis
-z, --skip-sections Skip sections analysis
-f FILE, --file FILE path to file
-e, --extensive search strings in all sections
-l LENGTH, --length LENGTH
minimum length of strings
-c SECTION, --section SECTION
Analyze provided section
-g, --globals Analyze global variables in .data section
-V, --virus Virus scan
-H HIDE_SECTION, --hide-section HIDE_SECTION
Hide a section
-S SCANNER, --scanner SCANNER
Antivirus engine. Default = DockerWindowsDefender