fr0gger/MalwareMuncher
GitHub: fr0gger/MalwareMuncher
A Frida-based dynamic malware analysis tool that monitors malicious behaviour in real time through API hooks and supports GPT-enriched MITRE ATT&CK technique identification.
Stars: 46 | Forks: 7
# Malware Muncher
Malware Muncher is a Python proof-of-concept script that uses the Frida framework for binary instrumentation and API hooking. It is designed to intercept API calls commonly used by malware, letting the user analyse the sample's behaviour and identify potential threats. The script can also call GPT to enrich the analysis output, giving more detailed and accurate insight into the malware's activity and identifying likely MITRE ATT&CK techniques. The tool was presented at the [Malware and Reverse Engineering Conference in Melbourne](https://speakerdeck.com/fr0gger/binary-instrumentation-for-malware-analysis).
*Note: keep in mind that Malware Muncher is a proof-of-concept tool and may contain bugs or limitations. The script is also meant to be run in a controlled environment such as a virtual machine. Use it at your own risk.*

## Installation
For the script to run correctly, the "jsscripts" folder must be accessible. It contains the Frida scripts used during binary instrumentation and API hooking.
```
git clone https://github.com/fr0gger/MalwareMuncher.git
pip install -r requirement.txt
```
## Usage
```
python .\malwaremuncher.py -h
usage: malwaremuncher.py [-h] [-f FILE] [-d] [-g] [-m] [-r] [-i] [-c] [-w] [-a] [-o]
MalwareMuncher version 1.0 by Thomas Roccia
optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE File to process
-d, --dump Dump file from the memory
-g, --getproc Deobfuscate API calls
-m, --mutex Extract mutex
-r, --registry Shows registry modification
-i, --internet Shows remote connection
-c, --fileactivity Shows file creation and more
-w, --wscript Hook wscript.exe for js script
-a, --allscripts Run all hooking functions
-o, --openai Request GPT for enrichment
```
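The `--dump` option in the help above works from a `VirtualProtect` hook: when a region is made executable and begins with an MZ header, the image is written to disk. The following is an added example, not MalwareMuncher's own code, of the host-side decision that a dumper has to make before writing anything. The sample region is the 256-byte hexdump this README prints for `beacon2.exe`; the function names (`inspect_pe_region`, `should_dump`, `dump_filename`) and the `dos_stub_is_code` heuristic are this example's own assumptions, and fields past offset 0xff are not on the page, so the parser only reads what is present.

```python
"""Decide whether a region handed to VirtualProtect is a PE image worth dumping.

Added example, not MalwareMuncher's own code. The sample region is the
hexdump printed by `--dump` in this README (0x3050000..0x30500ff).
"""
import struct
from typing import Any, Dict, Optional

# Constructed from the README's hexdump of beacon2.exe, 16 bytes per line.
SAMPLE_REGION = bytes.fromhex(
    "4d5ae8000000005b89df52455589e581"
    "c350810000ffd368f0b5a25668040000"
    "0057ffd0000000000000000000000000"
    "000000000000000000000000f8000000"
    "0e1fba0e00b409cd21b8014ccd215468"
    "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320"
    "6d6f64652e0d0d0a2400000000000000"
    "afc63bf4eba755a7eba755a7eba755a7"
    "56e8c3a7eaa755a7f5f5d1a7c3a755a7"
    "f5f5c0a7ffa755a7f5f5d6a769a755a7"
    "cc612ea7e0a755a7eba754a731a755a7"
    "f5f5dca727a755a7f5f5c7a7eaa755a7"
    "f5f5c4a7eaa755a752696368eba755a7"
    "00000000000000000000000000000000"
    "0000000000000000504500004c010400"
)
SAMPLE_BASE = 0x3050000      # address reported in the README output
SAMPLE_PROTECTION = 0x20     # PAGE_EXECUTE_READ, as in the README output

E_LFANEW_OFFSET = 0x3C                              # IMAGE_DOS_HEADER.e_lfanew
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}   # PAGE_EXECUTE* values
IMAGE_FILE_MACHINE_I386 = 0x14C


def is_executable_protection(protect: int) -> bool:
    """True when the new page protection grants execute rights (modifier bits ignored)."""
    return (protect & 0xFF) in EXECUTABLE_PROTECTIONS


def inspect_pe_region(region: bytes) -> Optional[Dict[str, Any]]:
    """Return header facts if `region` starts with a DOS/PE header, else None.

    Only the DOS header, the PE signature, Machine and NumberOfSections are read,
    so a truncated region (like the 256-byte sample) is still handled.
    """
    if len(region) < E_LFANEW_OFFSET + 4 or region[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", region, E_LFANEW_OFFSET)[0]
    info: Dict[str, Any] = {
        "e_lfanew": e_lfanew,
        "pe_signature": False,
        "machine": None,
        "sections": None,
        # Heuristic (assumed for this example): a normal DOS stub begins at 0x40 with
        # 0e 1f ba 0e, while 'e8 00 00 00 00' (call $+5) right after "MZ" means the
        # header itself is meant to be executed, a trait of reflectively loaded images.
        "dos_stub_is_code": region[2:7] == b"\xe8\x00\x00\x00\x00",
    }
    # Bounds check before touching e_lfanew: a bogus offset must not raise.
    if e_lfanew + 8 <= len(region) and region[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        info["pe_signature"] = True
        info["machine"], info["sections"] = struct.unpack_from("<HH", region, e_lfanew + 4)
    return info


def should_dump(region: bytes, protect: int) -> bool:
    """Dump only executable regions that carry a complete MZ/PE header pair."""
    info = inspect_pe_region(region)
    return bool(info) and info["pe_signature"] and is_executable_protection(protect)


def dump_filename(base: int) -> str:
    """Name the dump the way the README output does, e.g. 0x3050000dumped.exe."""
    return f"{base:#x}dumped.exe"


if __name__ == "__main__":
    details = inspect_pe_region(SAMPLE_REGION)
    print(details)
    if should_dump(SAMPLE_REGION, SAMPLE_PROTECTION):
        print("[+] MZ header at address:", hex(SAMPLE_BASE))
        print("[+] Would dump executable:", dump_filename(SAMPLE_BASE))
```

On the page's own bytes the check finds `e_lfanew` = 0xf8, a valid `PE\0\0` signature, Machine 0x14c (i386) and 4 sections, and the `dos_stub_is_code` flag is set because the bytes after `MZ` are a `call $+5 / pop ebx` sequence rather than a DOS stub; that flag is a useful triage signal in its own right, independent of whether the dump succeeds.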
```
python .\malwaremuncher.py --dump --file beacon2.exe
[+] .\malwaremuncher.py v1.0 by @fr0gger_
[+] Running process: beacon2.exe
[!] Hit CTRL+C at the end of the analysis to trigger GPT or terminate the script
[+] VirtualProtect called: 0x3050000, size: 208896 and protection: 0x20
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
03050000 4d 5a e8 00 00 00 00 5b 89 df 52 45 55 89 e5 81 MZ.....[..REU...
03050010 c3 50 81 00 00 ff d3 68 f0 b5 a2 56 68 04 00 00 .P.....h...Vh...
03050020 00 57 ff d0 00 00 00 00 00 00 00 00 00 00 00 00 .W..............
03050030 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 ................
03050040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th
03050050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno
03050060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t be run in DOS
03050070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$.......
03050080 af c6 3b f4 eb a7 55 a7 eb a7 55 a7 eb a7 55 a7 ..;...U...U...U.
03050090 56 e8 c3 a7 ea a7 55 a7 f5 f5 d1 a7 c3 a7 55 a7 V.....U.......U.
030500a0 f5 f5 c0 a7 ff a7 55 a7 f5 f5 d6 a7 69 a7 55 a7 ......U.....i.U.
030500b0 cc 61 2e a7 e0 a7 55 a7 eb a7 54 a7 31 a7 55 a7 .a....U...T.1.U.
030500c0 f5 f5 dc a7 27 a7 55 a7 f5 f5 c7 a7 ea a7 55 a7 ....'.U.......U.
030500d0 f5 f5 c4 a7 ea a7 55 a7 52 69 63 68 eb a7 55 a7 ......U.Rich..U.
030500e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
030500f0 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 ........PE..L...
[+] MZ header at address: 0x3050000
[+] Dumped executable: 0x3050000dumped.exe
{'type': 'send', 'payload': {'api_call': 'VirtualProtect called: 0x3050000, size: 208896 and protection: 0x20', 'mz_header': 'MZ', 'dumped_exe': '0x3050000dumped.exe'}}
###########################################################################
python .\malwaremuncher.py --registry --file demo.exe
[+] .\malwaremuncher.py v1.0 by @fr0gger_
[+] Running process: demo.exe
[!] Hit CTRL+C at the end of the analysis to trigger GPT or terminate the script
{'type': 'send', 'payload': {'hook': 'RegCreateKey', 'regkey': 'HKEY_CURRENT_USER\\Software\\MRE', 'handle': 720}}
###########################################################################
python .\malwaremuncher.py --wscript --file demo.vbs
[+] .\malwaremuncher.py v1.0 by @fr0gger_
[+] Running process: demo.vbs
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.
{'type': 'send', 'payload': {'name': 'instr', 'hookdata': {'hook': 'shell', 'nshow': 'SW_HIDE', 'cmd': 'C:\\Users\\rever\\AppData\\Local\\Temp\\rad045FA.tmp\\REIIVDoCWfI.exe', 'params': None}}}
###########################################################################
python .\malwaremuncher.py --mutex --file beacon2.exe
[+] .\malwaremuncher.py v1.0 by @fr0gger_
[+] Running process: beacon2.exe
[!] Hit CTRL+C at the end of the analysis to trigger GPT or terminate the script
{'type': 'send', 'payload': {'hook': 'CreateMutex', 'mutex': 'Local\\SM0:7292:168:WilStaging_02'}}
```
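Every `{'type': 'send', 'payload': {...}}` line in the runs above is a Frida message that the Python host receives through its `on_message` callback; the tool prints them raw, and the GPT step reads them afterwards. The following added example, not MalwareMuncher's own code, shows the host side of that flow: a collector that files each message into an indicator bucket and a summary a GPT prompt or a report could be built from. The four sample messages are the ones printed above (constructed test input), the class and function names (`BehaviorCollector`, `run_with_frida`) and the MITRE ATT&CK technique mapping are this example's own assumptions, and `run_with_frida` needs the `frida` package plus a Windows target, so it is kept separate from the offline part.

```python
"""Consume Frida send() messages on the host and build a behaviour summary.

Added example, not MalwareMuncher's own code. The ATT&CK mapping is
illustrative; it is not what the tool or GPT would necessarily produce.
"""
import re
from collections import Counter, defaultdict
from typing import Any, Dict, List, Optional

# Constructed sample input: the messages printed in the README runs above.
SAMPLE_MESSAGES: List[Dict[str, Any]] = [
    {"type": "send", "payload": {
        "api_call": "VirtualProtect called: 0x3050000, size: 208896 and protection: 0x20",
        "mz_header": "MZ", "dumped_exe": "0x3050000dumped.exe"}},
    {"type": "send", "payload": {
        "hook": "RegCreateKey", "regkey": "HKEY_CURRENT_USER\\Software\\MRE", "handle": 720}},
    {"type": "send", "payload": {"name": "instr", "hookdata": {
        "hook": "shell", "nshow": "SW_HIDE",
        "cmd": "C:\\Users\\rever\\AppData\\Local\\Temp\\rad045FA.tmp\\REIIVDoCWfI.exe",
        "params": None}}},
    {"type": "send", "payload": {
        "hook": "CreateMutex", "mutex": "Local\\SM0:7292:168:WilStaging_02"}},
]

VIRTUALPROTECT_RE = re.compile(
    r"VirtualProtect called: (0x[0-9a-fA-F]+), size: (\d+) and protection: (0x[0-9a-fA-F]+)")
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE* values


class BehaviorCollector:
    """Frida on_message callback that turns hook events into indicators and counts."""

    def __init__(self) -> None:
        self.counts: Counter = Counter()
        self.indicators: Dict[str, set] = defaultdict(set)
        self.techniques: set = set()   # illustrative ATT&CK mapping, assumed here
        self.errors: List[str] = []

    def on_message(self, message: Dict[str, Any], data: Optional[bytes]) -> None:
        kind = message.get("type")
        if kind == "error":  # exception inside the agent script: record it, keep going
            self.errors.append(message.get("description", "unknown agent error"))
            return
        if kind != "send":
            return
        payload = message.get("payload") or {}
        if "hookdata" in payload:  # the wscript hook nests its fields one level down
            payload = payload["hookdata"]
        hook = payload.get("hook")
        if "api_call" in payload:
            self._memory_event(payload)
        elif hook == "RegCreateKey":
            self.counts["registry"] += 1
            self.indicators["registry_keys"].add(payload["regkey"])
            self.techniques.add("T1112 Modify Registry")
        elif hook == "CreateMutex":
            self.counts["mutex"] += 1
            self.indicators["mutexes"].add(payload["mutex"])
        elif hook == "shell":
            self.counts["process"] += 1
            self.indicators["commands"].add(payload["cmd"])
            self.techniques.add("T1059.005 Command and Scripting Interpreter: Visual Basic")
            if payload.get("nshow") == "SW_HIDE":
                self.techniques.add("T1564.003 Hide Artifacts: Hidden Window")
        else:
            self.counts["other"] += 1

    def _memory_event(self, payload: Dict[str, Any]) -> None:
        self.counts["memory"] += 1
        match = VIRTUALPROTECT_RE.search(payload["api_call"])
        if match:
            address, size, protection = match.group(1), int(match.group(2)), int(match.group(3), 16)
            # An MZ header in a region just made executable is the unpacking signal.
            if protection in EXECUTABLE_PROTECTIONS and payload.get("mz_header") == "MZ":
                self.indicators["executable_images"].add(f"{address} ({size} bytes)")
                self.techniques.add("T1027.002 Obfuscated Files or Information: Software Packing")
        if payload.get("dumped_exe"):
            self.indicators["dumped_files"].add(payload["dumped_exe"])

    def summary(self) -> Dict[str, Any]:
        return {"counts": dict(self.counts),
                "indicators": {k: sorted(v) for k, v in self.indicators.items()},
                "techniques": sorted(self.techniques),
                "errors": list(self.errors)}


def run_with_frida(target: str, js_source: str, collector: BehaviorCollector) -> None:
    """Spawn `target` suspended, inject the Frida agent, route its messages to `collector`.

    Requires the `frida` package and a Windows guest; not exercised offline.
    """
    import frida  # imported here so the rest of the module works without Frida installed
    device = frida.get_local_device()
    pid = device.spawn([target])
    session = device.attach(pid)
    script = session.create_script(js_source)
    script.on("message", collector.on_message)
    script.load()
    device.resume(pid)
    try:
        input("[!] Press Enter to end the analysis\n")
    finally:
        session.detach()
        device.kill(pid)


if __name__ == "__main__":
    collector = BehaviorCollector()
    for msg in SAMPLE_MESSAGES:
        collector.on_message(msg, None)
    print(collector.summary())
```

Filing events by category rather than printing raw dicts is what makes the later enrichment step cheap: the summary is small, stable and free of handles or timestamps, so it can be handed to a prompt or diffed between runs. Keeping `error` messages instead of raising on them matters in practice, because a hook that throws inside the agent would otherwise stop the host before the remaining events are seen.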
## Acknowledgements
* [Frida.re](https://frida.re/)
* [Frida Wshook](https://github.com/OALabs/frida-wshook)
* [Hawkeye](https://github.com/n1ght-w0lf/HawkEye)
* [Malware Write up](https://blogs.blackberry.com/en/2021/04/malware-analysis-with-dynamic-binary-instrumentation-frameworks)
## License
[APACHE](https://github.com/fr0gger/MalwareMuncher/blob/main/LICENSE)