decalage2/balbuzard decalage2/balbuzard

  • Stars
    star
    121
  • Rank 293,924 (Top 6 %)
  • Language YARA
  • Created over 8 years ago
  • Updated almost 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
decalage2/balbuzard
github

decalage2

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Balbuzard is a package of malware analysis tools in python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc). It can also crack malware obfuscation such as XOR, ROL, etc by bruteforcing and checking for those patterns.

Balbuzard

Balbuzard is a package of malware analysis tools in python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc).

It can also crack malware obfuscation such as XOR, ROL, etc by bruteforcing and checking for those patterns.

Quick links: Download/Install - Documentation - Contact - Report issues - Updates on Twitter

Balbuzard tools:

  • balbuzard is a tool to extract patterns of interest from malicious files, such as IP addresses, URLs, embedded files and typical malware strings. It is easily extensible with new patterns, regular expressions and Yara rules.
  • bbcrack uses a new algorithm based on patterns of interest to bruteforce typical malware obfuscation such as XOR, ROL, ADD and various combinations, in order to guess which algorithms/keys have been used.
  • bbharvest extracts all patterns of interest found when applying typical malware obfuscation transforms such as XOR, ROL, ADD and various combinations, trying all possible keys. It is especially useful when several keys or several transforms are used in a single file.
  • bbtrans can apply any of the transforms from bbcrack (XOR, ROL, ADD and various combinations) to a file.

When to use these tools:

  • If you need to analyze a new malicious file, you can first try balbuzard to extract strings/patterns of interest and detect embedded files in cleartext.
  • Then if you think the malicious file might use an obfuscation algorithm such as XOR to hide interesting data (e.g. an embedded executable file), try bbcrack to find the algorithm and the key(s).
  • Alternatively, if bbcrack is not successful, or if you think the file may use several algorithms and/or keys, try bbharvest. bbharvest is especially targeted at single strings obfuscated within an executable or malicious file.

5 minutes demo

See the Demo page to see examples and test the tools by yourself in a few minutes using the provided samples.

Help wanted:

  • if you have malware samples or malicious documents with known obfuscation algorithms such as XOR, please contact me. That will help me a lot to improve bbcrack and bbharvest.
  • if you know other strings, patterns, file headers useful for malware analysis that Balbuzard should support, or other obfuscation algorithms, please contact me.

See http://www.decalage.info/python/balbuzard for more info and other tools.

News

Follow all updates and news on Twitter: https://twitter.com/decalage2

  • 2019-06-16 v0.20: added pip entry points to simplify installation and usage
  • 2014-05-22: Balbuzard v0.19 included in REMnux v5, pre-installed and ready to use.
  • 2014-03-23 v0.19: bugfix when Yara is not installed, improved documentation.
  • 2014-02-26 v0.18: Initial release of Balbuzard tools
  • 2013-03-15: added harvest mode (bbharvest)
  • 2011-05-06: added bruteforce functions (bbcrack)
  • 2008-06-06: first public release as reScan for SSTIC08
  • 2007-07-11: first versions of reScan
  • see changelog in source code for more info.

Download and Install

The easiest way is to use pip:

pip2 install -U balbuzard

Notes:

  • For now, balbuzard only runs on Python 2. So you may need to use pip2 instead of pip, if Python 3 is the default on your system.
  • on Linux/Mac/Unix, add sudo -H in front of pip.

See the installation instructions.

How to contribute / report bugs / ask for help:

These are open-source tools developed on my spare time. Any contribution such as code improvements, ideas, bug reports, additional patterns or transforms would be highly appreciated. You may contact me using this online form, by e-mail (decalage at laposte.net) or use the issue page on GitHub to report bugs/ideas, or clone the project then send me pull requests to suggest changes.

License

This license applies to the whole Balbuzard package including balbuzard, bbcrack, bbharvest and bbtrans, apart from the thirdparty and plugins folders which contain third-party files published with their own license.

The Balbuzard package is copyright (c) 2007-2019, Philippe Lagadec (http://www.decalage.info) All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

More Repositories

1

awesome-security-hardening

A collection of awesome security hardening guides, tools and other resources
4,863
star
2

oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
Python
2,706
star
3

ViperMonkey

A VBA parser and emulation engine to analyze malicious macros.
Python
1,007
star
4

olefile

olefile is a Python package to parse, read and write Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office 97-2003 documents, vbaProject.bin in MS Office 2007+ files, Image Composer and FlashPix files, Outlook messages, StickyNotes, several Microscopy file formats, McAfee antivirus quarantine files, etc.
Python
211
star
5

exefilter

ExeFilter is an open-source tool and framework to filter file formats in e-mails, web pages or files. It detects many common file formats and can remove active content (scripts, macros, etc) according to a configurable policy.
Python
63
star
6

oledump-contrib

The oledump-contrib repository contains plugins and enhancements for the oledump tool published by Didier Stevens.
Python
50
star
7

pyhtgen

pyhtgen (formerly HTML.py) provides a few classes to easily generate HTML content such as tables and lists.
HTML
12
star
8

oletools_dll

A DLL to run some oletools functions from any language
C
7
star
9

pywordform

pywordform is a python module to parse Microsoft Word forms in docx format, extractings all field values with their tags into a dictionary. For more information: http://www.decalage.info/python/pywordform
Python
7
star
10

python-crash-course

This is a Python course I have written to quickly teach Python to my colleagues and students, made of slides and samples for hands-on exercises. It takes around four to five hours to present all the slides and to run the hands-on exercises. The original course was based on my mini Python tutorial. (http://www.decalage.info/python/tutorial)
7
star
11

iodeflib

iodeflib is a python library to create, parse and edit cyber incident reports using the IODEF XML format (RFC 5070).
Python
6
star
12

pyxmldsig

pyxmldsig is a Python module to create and verify XML Digital Signatures (XML-DSig). This is a simple interface to the PyXMLSec library, aiming to provide a more pythonic API suitable for Python applications. See http://www.decalage.info/python/pyxmldsig
Python
2
star
13

cherryproxy

CherryProxy is a simple HTTP proxy written in Python 2.x, based on the CherryPy WSGI server and httplib, extensible for content analysis and filtering.
Python
2
star