Application (and Malware) Analysis tool. Hook Analyser is a hook tool which could be potentially helpful in reversing application and analysing malwares.
Changelog v2.5
This has now five (5) key functionalities:- Spawn and Hook to Application– This feature allows analyst to spawn an application, and hook into it. The module flow is as following -
- PE validation (with XOR bruteforce)
- Static malware analysis.
- Other options (such as pattern search or dump all)
- Type of hooking (Automatic, Smart or manual)
- Spawn and hook
- Automatic – The tool will parse the application import tables, and based upon that will hook into specified APIs
- Manual – On this, the tool will ask end-user for each API, if it needs to be hooked.
- Smart – This is essentially a subset of automatic hooking however, excludes uninteresting APIs.
- List all running process
- Identify the running process executable path.
- Perform static malware analysis on executable (fetched from process executable path)
- Other options (such as pattern search or dump all)
- Type of hooking (Automatic, Smart or manual)
- Hook to a specific running process
- Hook and continue the process
- PE file validation (with XOR bruteforce)
- CRC and timestamps validation
- PE properties such as Image Base, Entry point, sections, subsystem
- TLS entry detection.
- Entry point verification (if falls in suspicious section)
- Suspicious entry point detection
- Packer detection
- Signature trace (extended from malware analyser project), such as Anti VM aware, debug aware, keyboard hook aware etc. This particular function searches for more than 20 unique malware behaviours (using 100’s of signature).
- Import intel scanning.
- Deep search (module)
Online search of MD5 (of executable) on Threat Expert. - String dump (ASCII)
- Executable file information
- Hexdump
- PEfile info dumping
- …and more.
- Application crash analysis video demonstration – http://www.youtube.com/watch?v=msYo7pPsu6A
More Information: