Skip to main content


How to Use WMI to extract fruitful features for malware detection based on ML

  If you are interested in R&D in malware detection using AI: you can use WMI API to extract fruitful information about every malware and build a dataset for malware, specifically file-less malware. Windows Management Instrumentation (WMI) API: is used to monitor windows operating systems. For example monitoring process creations, services, and privileges information for every malware, determining if the malware is packed or not. by checking allocation virtual size. Furthermore, threat actors use WMI in malicious intent, such as developing file-less malware You can write a WMI script using C++/C/ python/Powershell. the attachment image is an example from the collected data. source code: you can extend this code to extract more information using WMI from these links: reference: blackhat python book
Recent posts

Role of Shared code analysis, or similarity analysis in malware analysis

  With growing the malware there is an approach called Shared code analysis, or similarity analysis, that will save tons of reverse engineering work for malware researchers. Shared code analysis is an approach to comparing two malware samples by estimating the percentage of precompilation source code they share. There are four measures to identify similarity between malware samples: 1-instruction sequence based similarity (x86 Assembly instructions). 2-String based similarity . 3- IAT based similarity. 4- Dynamic API Call based similarity (you can collect malicious API Calls from logs) . Benefits of shared code analysis approach: -Determine a new malware sample’s code similarity to thousands of previously seen malware samples, -Identify new malware families based on sharing code. -Visualize malware relationships to know the most common techniques that threat actors use (this benefit is important in building malware detector based ML). -Replacement for manual reverse engineering work. H

Data Execution Prevention (DEP)

  Data Execution Prevention (DEP) is a security feature in the CPU that prevents executing any arbitrary code in non-executable memory regions, this feature attempt to mitigate memory corruption vulnerabilities. Furthermore, DEP prevents malware from running, if the malware executes code in non-executable regions in memory. From a malware analysis perspective, sometimes while debugging malware should turn off DEP, due to the malware authors sometimes pack malware and execute code in non-executable memory. At this time the CPU will raise an error "access violation", therefore you can't debug the malware without disabling DEP. You can disable and enable DEP by searching in the start menu for “Settings > Advanced system Setting> Setting” as shown in the image.

From Digital Forensic perspective TRIM command in SDD is important

  Hard DISK (HD) is an essential source in digital forensics for extracting the evidence of cybercrime, even if the attacker erases the evidence of a crime by deleting the malware for example, in fact, the malware wasn't deleted from the HD, simply OS unlinks any reference to the data block for the malware, this data block is not erased from the HD, it's remaining on the magnetic platters for the HD, at this time you can use forensic tools to retrieve the malware from the HD. Unlike (Solid-state Drive) SDD, which uses a TRIM Command to Clear Unlocated Block to prevent retrieving the data, the use of TRIM can improve the performance of writing and reading data to SSDs and contribute to longer SSD life. So from a Digital Forensic perspective should Disable TRIM Command to be able to handle the incidents and make SSD retrievable. How to disable and enable the TRIM command in SDD? the TRIM command is enabled in SSD by default, but if you like to disable it, open CMD as administrato

Anti-Malware Application for the android system

  on Anti-Malware Application for the android system Agenda: 1-the architecture of the anti-malware application 2-detecting malware based on a hash of the application how to detect based on hash How to update the firebase database automatically using Twitter API. With malware hashes that were detected recently. 3-Detecting based on deep learning dataset DL model integrating the DL model with android using FLASK server 4-conclusion Introduction 0xbyte is an anti-malware application that has built on two detection techniques (detecting based on the hash of application- detection based on the permissions of applications, using deep learning ). This project has built by combining two programming languages (Python-Java). this is the link of GitHub for the project: 1-the architecture of the anti-malware application ِAs we Showed in The below image, the architecture of the application was built .on two techniques. The first is detectin