Obfuscated payload extractor for malware samples
Project description
Obfuscated payload extractor for malware samples
Overview
malcarve is a tool for detecting and extracting obfuscated, embedded content from files. In particular it is targeted at extracting malicious payloads such as those contained in malware attack documents and droppers.
A command-line utility is included alongside a simple Python API. Further, a web API is provided as an example scanning web service.
Getting Started
Install using pip:
pip install malcarve
Command-line usage:
malcarve [--extract [--output-dir <output_dir>]] <file1> <file2> ...
Example Webservice:
malcarve-web [-H <interface_address>] [-p port_number]
Config can be updated by copying malcarve/conf/malcarve.conf to ~/.malcarve/malcarve.conf and changing settings as desired.
Running from Source
To run from source code, you will need to manually build the C components too. Here is an example (assuming virtualenv) with dependencies for Ubuntu 18.04:
sudo apt-get install build-essential gcc-multilib mingw-w64 git clone https://github.com/shendo/malcarve.git cd malcarve/malcarve/ext make cd ../.. pip install -e .
History
Malcarve was originally written several years ago. It was predominantly targeted at extracting XOR’ed PE files from Flash, Word and PDF documents, which were commonly being exploited at the time.
After needing a similar capability again recently, I’ve started reviving the code (it’s still a bit of a mess) along with migrating to python3. This also comes with a newer focus towards macro’ed documents and embedded urls/other file types and obfuscation techniques.
This is still a work in progress but has been released in the hope that others may find it useful (no warranty given or implied).
Existing Tools
There are many great tools and published literature already in this space. malcarve borrows heavily, and is inspired from techniques discussed or available in the following:
The motivation in writing yet another deobfuscator was the need to not only detect obfuscated patterns and payloads but to also extract/carve that content automatically.
Some tools already handled this but would only perform a subset of the schemes or file types needed.
Features
Deobfuscation/carving of Windows PE Files, Zip and Ole2 files
Experimental carving of PDF and other formats (check config file)
Obfuscated and embedded URL extraction
Multibyte XOR deobfuscation
XOR modifiers countup, countdown, preserve nulls
Scans inside common stream encodings like base64 and deflate
Future Work:
More than happy for feedback, discussion and pull requests…
Handle various other obfuscation techniques used in VBA macros
Performance enhancements by overhauling pattern checks into single pass
Extraction of general obfuscated scripts (eg. powershell, javascript)
Fix poor performance of deflate and ascii based stream handling
Write proper documentation
Issues
Source code for malcarve is hosted on GitHub. Any bug reports or feature requests can be made using GitHub’s issues system.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
