HaboMalHunter: Habo Linux Malware Analysis System


(For the Chinese version, see here.)

Contributing

The Tencent Open Source Incentive Program encourages developers to participate and contribute; we look forward to your joining.

Introduction

HaboMalHunter is a sub-project of the Habo Malware Analysis System (https://habo.qq.com) and can be used for automated malware analysis and security assessment on Linux. The tool helps security analysts extract static and dynamic features from malware effectively and efficiently. The generated report provides significant information about processes, file I/O, network activity and system calls.

Features

The tool can be used for the static and dynamic analysis of ELF files on the Linux x86/x64 platform.

Static analysis

  1. Basic Information: md5, name, file type, size and SSDEEP.
  2. SO File Dependencies: information on the dependent SO files (dynamically linked files only).
  3. Strings Information.
  4. ELF Header and Entry Point.
  5. IP Addresses and Ports.
  6. ELF Segments, Sections and Hashes.
  7. Source File Names.
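As an added illustration (not code from the HaboMalHunter project), the following stand-alone Python script extracts several of the static features listed above from an ELF image: md5, size, ELF header fields with the entry point, printable strings, and IP:port candidates. It runs on a constructed minimal ELF64 header embedded below; SSDEEP is omitted because it needs the third-party ssdeep module.

```python
import hashlib
import re
import struct

# Constructed sample: a minimal ELF64/x86-64 header followed by padding that carries an
# IP:port string, standing in for a real malware sample (assumption made for this example).
SAMPLE = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8          # e_ident: ELF64, little-endian
    + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    + b"\x00" * 16 + b"connect to 203.0.113.7:4444 now\x00" + b"\x00" * 8
)

ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")                 # printable runs, like strings(1)
IP_PORT_RE = re.compile(rb"\b((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?\b")


def parse_elf_header(data):
    """Decode class, endianness, type, machine and entry point; raise ValueError if not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    endian = "<" if data[5] == 1 else ">"
    fmt = endian + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    need = 16 + struct.calcsize(fmt)
    if len(data) < need:
        raise ValueError("truncated ELF header")
    e_type, e_machine, _, e_entry = struct.unpack(fmt, data[16:need])[:4]
    return {
        "class": "ELF64" if is64 else "ELF32",
        "endian": "little" if endian == "<" else "big",
        "type": ELF_TYPES.get(e_type, "unknown(%d)" % e_type),
        "machine": MACHINES.get(e_machine, "unknown(%d)" % e_machine),
        "entry": e_entry,
    }


def static_report(data, name="sample.elf"):
    """Basic-information part of a static report; SSDEEP needs the third-party ssdeep module."""
    endpoints = {ip.decode() + (":" + port.decode() if port else "")
                 for ip, port in IP_PORT_RE.findall(data)}
    return {
        "name": name,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "header": parse_elf_header(data),
        "strings": [s.decode("ascii") for s in STRING_RE.findall(data)],
        "endpoints": sorted(endpoints),
    }
```

Call `static_report(open(path, "rb").read(), path)` on a real file to get the same dictionary, which can be dumped as JSON like the tool's output.static.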

Dynamic analysis

  1. Starting and Termination: Time Stamps and Elapsed Time.
  2. Process Information: clone, execve, exit, etc.
  3. File I/O: open, read, write, delete, etc.
  4. Network: TCP, UDP, HTTP, HTTPS, etc.
  5. Typical Malicious Actions: self-deletion, self-modification and self-locking.
  6. API Information: getpid, system, dup and other libc functions.
  7. Syscall sequences.
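An added example, not the project's own code, showing how the dynamic sections listed above can be derived from a syscall trace. It assumes strace -f style lines (a constructed sample is embedded; the tool's real log format is not documented here) and builds the process, file I/O, network and syscall-sequence sections, flagging self-deletion and self-modification when a process unlinks, or opens for writing, the executable it was started from.

```python
import re
from collections import defaultdict

# Constructed sample in strace -f style (pid, syscall, args, return value); the tool's own
# dynamic-log format is not documented on this page, so this layout is an assumption.
SAMPLE_LOG = r"""
1234 execve("/tmp/sample.elf", ["/tmp/sample.elf"], [/* 12 vars */]) = 0
1234 open("/tmp/sample.elf", O_WRONLY) = 3
1234 write(3, "\x7fELF\x02\x01", 64) = 64
1234 unlink("/tmp/sample.elf") = 0
1234 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1235
1235 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
1235 connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
1235 exit_group(0) = ?
1234 exit_group(0) = ?
"""

LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|\?)')
PATH_RE = re.compile(r'"([^"]*)"')
ADDR_RE = re.compile(r'htons\((\d+)\).*inet_addr\("([\d.]+)"\)')
PATH_CALLS = {"open", "openat", "unlink", "unlinkat", "rename", "chmod"}
FD_CALLS = {"read", "write", "close"}


def analyze_dynamic_log(text):
    """One pass over the syscall log, building the report sections listed above."""
    report = {"processes": [], "file_io": [], "network": [], "malicious": [],
              "syscalls": defaultdict(list)}
    image = {}                                   # pid -> executable path seen in execve
    # Lines that do not parse (signals, "<unfinished ...>" fragments) are skipped.
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        pid, call, args, ret = int(m["pid"]), m["call"], m["args"], m["ret"]
        report["syscalls"][pid].append(call)
        paths = PATH_RE.findall(args)
        if call == "execve" and paths:
            image[pid] = paths[0]
            report["processes"].append((pid, "execve", paths[0]))
        elif call in ("clone", "fork", "vfork") and ret.isdigit():
            image[int(ret)] = image.get(pid)     # the child keeps running the parent's image
            report["processes"].append((pid, call, int(ret)))
        elif call in ("exit", "exit_group"):
            report["processes"].append((pid, "exit", args))
        elif call in PATH_CALLS or call in FD_CALLS:
            target = paths[0] if call in PATH_CALLS and paths else args.split(",")[0]
            report["file_io"].append((pid, call, target))
            if target == image.get(pid):         # the process touches its own executable
                if call in ("unlink", "unlinkat"):
                    report["malicious"].append((pid, "self_deletion", target))
                elif call in ("open", "openat") and ("O_WRONLY" in args or "O_RDWR" in args):
                    report["malicious"].append((pid, "self_modification", target))
        elif call == "connect":
            a = ADDR_RE.search(args)
            if a:
                report["network"].append((pid, "connect", a.group(2), int(a.group(1))))
    return report
```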

Screenshot

  1. The HTML report.
  2. The JSON report.

Demo

1. Setup Environment

The tool runs on VirtualBox 5.1 with Ubuntu 14.04 LTS.

To install the third-party software, execute the following commands after obtaining the code:

root# cd ./util/update_image
root# bash update_image.sh

2. Get Source Code

git clone https://github.com/Tencent/HaboMalHunter.git

3. Compile

First, upload the source code into the VM. Then execute the following command with root permission in the /root directory.

cp -ra /media/sf_Source/* .

The following command compiles and packages the source code and generates two zip files.

bash package.sh


4. Analysis

Use ./test/bin/read.32.elf as a test sample. The second command copies the report and log out of the VM.

python AnalyzeControl.py -v -l ./test/bin/read.32.elf
cp ./log/output.zip /media/sf_Source/

In the output, output.static is the static analysis result, output.dynamic is the dynamic analysis result, and system.log is the runtime log. Users can also upload samples to the Habo Malware Analysis System (https://habo.qq.com) to get a brief report.

Future Work

  1. [done] Memory Analysis.
  2. More YARA rules (./utils/yara/malware/)
  3. [done] HTML output format

Errors and Issues

  1. Malware analysis should be done inside a virtual machine environment, and Intel-VT should be enabled in the host's BIOS. We shall not be liable for damage caused by the analysed malware.
  2. VirtualBox 5.1 is recommended.
  3. For ELF files that cannot be executed, such as .so files, the tool still generates a dynamic log, which contains only an error message.

Habo Analysis System (HaboMalHunter)

Description

HaboMalHunter is an open-source sub-project of the Habo Analysis System (https://habo.qq.com), an open-source tool for automated analysis and file security assessment on the Linux platform. It helps security analysts obtain the static and dynamic behavioural features of malicious samples concisely and efficiently. The analysis report provides key information on processes, files, network activity and system calls.

Feature List

The open-source code supports automated static and dynamic analysis of ELF files on the Linux x86/x64 platform.

Static Analysis

  1. Basic information: file md5, name, type, size, SSDEEP, etc.
  2. Dependent SO information: for dynamically linked files, the dependent SO files are listed.
  3. String information
  4. ELF header information and entry point
  5. IP and port information
  6. ELF segment information, section information and hash values
  7. Source file names

Dynamic Analysis

  1. Start and termination information of the dynamic run: elapsed time, etc.
  2. Process information: clone syscalls, execve calls, process creation and termination, etc.
  3. File operation information: open, read, modify, delete and other file I/O operations
  4. Network information: TCP, UDP, HTTP, HTTPS, SSL, etc.
  5. Typical malicious behaviour: self-deletion, self-modification, self-locking, etc.
  6. API information: getpid, system, dup and other libc function calls
  7. syscall sequence information

Demo

1. Environment Setup

To analyse malware with the Habo Linux open-source edition, you first need to build a virtual machine environment in which the malware will run. Never run or analyse malware directly on a real machine. By default the project uses VirtualBox 5.1 running Ubuntu 14.04 LTS as the analysis environment.

To install the related software, run the following commands as root inside the VM after obtaining the source code:

root# cd ./util/update_image
root# bash update_image.sh

2. Get the Source Code

Use git to obtain the source code.

git clone https://github.com/Tencent/HaboMalHunter.git

3. Compile the Source Code

Most of the source code is Python; some C code needs to be compiled and packaged. First upload the code into the VM. As root, run the following command in the /root/ directory:

cp -ra /media/sf_Source/* .

Run the following command to compile and package; it outputs two files, AnalyzeControl_1129.zip and test_1129.zip:

bash package.sh

4. Run the Analysis

This test uses the test file ./test/bin/read.32.elf. Use the following commands; the second command copies the analysis results out of the VM for the analyst to read.

python AnalyzeControl.py -v -l ./test/bin/read.32.elf
cp ./log/output.zip /media/sf_Source/

In the results, output.static is the static analysis result, output.dynamic is the dynamic analysis result, and system.log is the runtime log. The results shown in the Habo Analysis System (https://habo.qq.com) can also be used alongside them for sample analysis.

Future Plans

  1. [done] Memory analysis using volatility and LiME
  2. More malware rules (./util/yara/malware)
  3. [done] Convert the JSON output into an HTML page for display

Known Faults and Errors

  1. Analyse malware inside a virtual machine environment and enable Intel-VT in the BIOS settings. The project accepts no liability for any software security problems caused by running malware.
  2. VirtualBox 5.1 or later is recommended for running the VM.
  3. For ELF files that cannot be run, such as .so files, the Habo Analysis System still generates a dynamic log by default, but it contains only the error message that the file could not run.
