Just a repo to organize and version control my bash shenanigans.
```bash
git clone https://github.com/whoisroot/malware-analysis-functions.git
# Use an absolute target so the symlink resolves no matter where you cloned the repo.
ln -s "$PWD/malware-analysis-functions/.analysis-functions.sh" ~/.analysis-functions.sh
echo "source \$HOME/.analysis-functions.sh" >> ~/.bashrc
```
Trying to make sense out of this chaos... ┐(´•_•`)┌
Function | Description |
---|---|
dwg_macro | Searches for DWG files containing OLE files, typically used for VBA macros. |
OLEpuke | Recursively searches for OLE files (like Microsoft Office documents and the files contained in them) and runs oleid on them. You can use the --short parameter to only print the info about the files with "HIGH" or "MEDIUM" risk. |
XMLpuke | Recursively searches for XML files and prints them. |
XMLpretty | Pretty prints the XML file(s). |
hashes | Calculates the MD5, SHA-1 and SHA-256 hashes for a file. |
multiple_hashes2report | Eats filenames and spits out Markdown-formatted hashes for use in the malware analysis report. |
meta | Takes metadata for one or more files. Pretty prints file names, file types and hashes. |
md2html | Converts my markdown malware analysis reports into pretty HTML pages. |
b64 and b64d | Encodes to and decodes from base64 encoding. |
url_encode and url_decode | Encodes to and decodes from the URL-encoded representation. |
noNULLstrings | Removes null bytes from the file and then runs strings on it. Could easily be replaced by strings -e l to read UTF-16 strings. |
urlSearch | Regex search of the file for URLs. |
xxdNULL | Searches for two sequential null bytes in the file. |
ipinfo | Queries ipinfo.io for information on the IP address ($1) and filters the response JSON through jq, optionally selecting fields ($2). With no parameters it shows information on your public IP. The objects returned depend on what add-ons you purchase for your license. |
myip | Alias to run ipinfo and filter the response to just return your public IP. |
limpa_safelinks | Extracts the original URL from the secure redirect made by the Defender for Office 365 anti-phishing tool, Safe Links. |
get_redirects | Curls the given URL, follows all redirects and lists them. |
parse_lnks | Extracts more useful information from the output of lnkparse. |
LNKs | Alias to run parse_lnks with all lnk files in the current directory. |
VT_query | Queries the SHA-256 hash of the given file(s) against VirusTotal's database and returns a brief summary of the results of previous analyses. Depends on VT_API_KEY being set to submit requests. |
VT_scan_file | Alias to submit the given file to VirusTotal using @sevsec's vt-scan. This alias assumes you have vt-scan in your path. |
VT_scan_url | Alias to submit the given URL to VirusTotal using @sevsec's vt-scan. This alias assumes you have vt-scan in your path. |
VT_scan_domain | Alias to submit the given domain to VirusTotal using @sevsec's vt-scan. This alias assumes you have vt-scan in your path. |
VT_scan_ip | Alias to submit the given IP to VirusTotal using @sevsec's vt-scan. This alias assumes you have vt-scan in your path. |
VT_wait_analysis | Receives the base64 identifier from the VT_scan_* functions, then queries the API every 30 seconds to see if the job is still in the queue and displays the results when completed. |
VT_submit-n-wait | Takes a file as an argument, submits it with VT_scan_file, gets the base64 identifier and calls VT_wait_analysis with it. |
You can change these variables in the script or re-export them after sourcing the functions in your .bashrc, whatever you prefer.
Variable | Description |
---|---|
color | A string with ANSI SGR codes separated by semicolons. By default it's 1;4;36, making the text bold, underlined and cyan. I totally understand if you find this ugly, but I like the contrast on the terminal. |
XMLLINT_INDENT | By default a string with 4 spaces, but maybe you want tabs, 2 spaces, I don't know. |
CSS_file | A file containing all the CSS style rules you want to include in the rendered HTML generated from the markdown by the md2html function. |
IPINFO_AUTH | Your ipinfo.io API key. This should be set in your .bashrc to, first and foremost, avoid the annoying "readme": "https://ipinfo.io/missingauth" message in the response JSON when you don't authenticate. Also, with the API key you get more information on your queries according to the add-ons you pay for. You can get a free API key with 50k queries/month by just registering. |
DEBUG | By default an undefined variable, but if set some functions echo debug information to stderr. I like to set it to 1 when in use, but anything non-null goes, really. |
VT_API_KEY | VirusTotal API key used to query their database for information on suspicious files. You can obtain your key by registering and, after logging in, retrieving your key. The free API key lets you do 500 lookups per day; if you need more you can subscribe to the premium services for more queries and other, much more useful, features. This should be set in your .bashrc. |
To use this to its full potential, you need to install coreutils (for base64 and the hash sum functions), file, python3, lolcat (because colors make it pretty), pandoc (render Markdown to HTML), jq (parse and pretty-print JSON), libxml2-utils (we use xmllint to pretty-print XML), cURL, and the python packages lnkparse, oletools and urllib.
Also, most of the VirusTotal interfacing functions depend on @sevsec's vt-scan tool.
Optionally, I also recommend installing bashacks, which contains various nice functions and is a much more mature project.
apt (Debian/Ubuntu/Kali/Mint):
```bash
sudo apt install coreutils file python3{,-pip} lolcat pandoc jq libxml2-utils curl
pip install urllib3 lnkparse3 oletools
mkdir -p $HOME/.local/bin
wget -O $HOME/.local/bin/vt-scan https://raw.githubusercontent.com/sevsec/vt-scan/master/vt-scan.sh
chmod +x $HOME/.local/bin/vt-scan
```
dnf (Fedora/RHEL/CentOS):
```bash
sudo dnf install coreutils file python3{,-pip} lolcat pandoc jq libxml2-utils curl
pip install urllib3 lnkparse3 oletools
mkdir -p $HOME/.local/bin
# Download first, then make it executable (chmod on a file that does not exist yet fails).
wget -O $HOME/.local/bin/vt-scan https://raw.githubusercontent.com/sevsec/vt-scan/master/vt-scan.sh
chmod +x $HOME/.local/bin/vt-scan
```
pacman (I use Arch, BTW):
```bash
pacman -Sy coreutils file python{,-pip} lolcat pandoc jq libxml2-utils curl
pip install urllib3 lnkparse3 oletools
mkdir -p $HOME/.local/bin
# Download first, then make it executable (chmod on a file that does not exist yet fails).
wget -O $HOME/.local/bin/vt-scan https://raw.githubusercontent.com/sevsec/vt-scan/master/vt-scan.sh
chmod +x $HOME/.local/bin/vt-scan
```