2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article introduces Inhale, a malware analysis tool, and walks through its installation and basic usage.
Inhale: Malware Inhaler
Inhale is an analysis and classification tool for malware. Security researchers can use it to automate, and broaden the coverage of, many static analysis tasks on malware samples. Note that the current version of Inhale is still in beta, and code contributions from the community are welcome.
Inhale started as a collection of small scripts for collecting and analyzing large amounts of malware from a variety of malicious sources. Although the community already has many frameworks and tools that do similar work, they did not fit the tool author's own workflow of quickly discovering, classifying and storing large numbers of malware-related files, and many of the alternatives are services that require paid API keys, which adds cost.
The author therefore combined the scripts he had collected and used into a single toolset, and Inhale was the result. It is easy to install and use: you can run it on a research server, on a laptop, or even on a Raspberry Pi.
Tool installation
The tool currently runs only on Linux and requires Python3, Elasticsearch, Radare2, YARA and Binwalk. You also need jq to format the output read from the database.
Python3
Install the Python dependencies:
python3 -m pip install -r requirements.txt
Install Elasticsearch (Debian)
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install elasticsearch
sudo service elasticsearch start
Note that apt-key is deprecated on current Debian and Ubuntu releases; there, store the Elastic signing key under /etc/apt/keyrings and reference it with a signed-by option in the sources entry instead of piping it into apt-key.
You can optionally set up a complete ELK stack for data analysis and visualization, but the tool does not require it.
Install Radare2
Note that Radare2 must be installed from its GitHub repository; do not install it from a distribution package manager.
git clone https://github.com/radare/radare2
cd radare2
sys/install.sh
Install Yara
sudo apt-get install automake libtool make gcc
wget https://github.com/VirusTotal/yara/archive/v3.10.0.tar.gz
tar xvzf v3.10.0.tar.gz
cd yara-3.10.0/
./bootstrap.sh
./configure
make
sudo make install
If you get an error about a missing shared object when YARA is loaded (the library was installed under /usr/local/lib, which the dynamic linker may not search by default), run the following to fix it:
sudo sh -c 'echo "/usr/local/lib" >> /etc/ld.so.conf'
sudo ldconfig
Install binwalk
Most users can install binwalk directly with the following commands:
git clone https://github.com/ReFirmLabs/binwalk
cd binwalk
sudo python3 setup.py install
Tool usage
Specify what to crawl and analyze according to the target type:
-f infile
-d directory
-u url
-r recursive url
Other options:
-t TAGS Additional tags
-b Turn off binwalk signatures with this flag
-y YARARULES Custom Yara rules
-o OUTDIR Store scraped files in a specific output dir (default: ./files//)
-i Just print info, don't add files to the database
When inhale.py runs, the specified file, directory or URL is analyzed and the results are printed to the terminal.
Show information about /bin/ls without adding it to the database:
python3 inhale.py -f /bin/ls -i
Add the directory 'malwarez' to the database:
python3 inhale.py -d malwarez
Download the target file and add it to the database:
python3 inhale.py -u https://thugcrowd.com/chal/skull
Download everything in the remote open directory and tag it as "phishing":
python3 inhale.py -r http://someurl.com/opendir/ -t phishing
Yara rules
You can use the -y parameter to supply your own Yara rules.
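To make concrete what a static-triage tool like Inhale records per sample before indexing it, here is an added example (my own code, not Inhale's): it hashes the input, identifies the file type from its magic bytes, parses a few fields of the ELF header, and attaches the user-supplied tags, producing the kind of JSON record the -i flag would print. The field names, the magic-byte table and the ELF subset parsed are this example's own choices, and the sample ELF header is constructed inline so the script runs offline; it also shows how a truncated header is rejected rather than guessed at, which matters when the input is hostile.

```python
"""Minimal static-triage record builder (added example, not Inhale's code)."""
import hashlib
import json
import struct

# Magic-byte signatures checked at offset 0 (a constructed subset).
MAGIC = [
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"#!", "script"),
]

ELF_MACHINES = {0x03: "x86", 0x3E: "x86_64", 0x28: "arm", 0xB7: "aarch64", 0x08: "mips"}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def identify(data: bytes) -> str:
    """Return a coarse file type from leading magic bytes, or 'unknown'."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def parse_elf_header(data: bytes) -> dict:
    """Parse class, endianness, type, machine and entry point from an ELF header.

    Raises ValueError on truncated or malformed input instead of guessing.
    """
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file or e_ident truncated")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    end = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry follow the 16-byte e_ident.
    needed, fmt = (52, end + "HHII") if ei_class == 1 else (64, end + "HHIQ")
    if len(data) < needed:
        raise ValueError("ELF header truncated")
    e_type, e_machine, _e_version, e_entry = struct.unpack_from(fmt, data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": ELF_MACHINES.get(e_machine, f"unknown({e_machine:#x})"),
        "entry": e_entry,
    }


def triage(data: bytes, name: str, tags=()) -> dict:
    """Build one triage record: hashes, size, type, ELF details and tags."""
    record = {
        "name": name,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "filetype": identify(data),
        "tags": sorted(set(tags)),
    }
    if record["filetype"] == "elf":
        try:
            record["elf"] = parse_elf_header(data)
        except ValueError as exc:
            # Keep the sample, but mark it so analysts can find odd headers.
            record["elf_error"] = str(exc)
            record["tags"].append("malformed-elf")
    return record


def build_elf64_header(entry: int, machine: int = 0x3E, e_type: int = 2) -> bytes:
    """Construct a minimal 64-bit little-endian ELF header (test data only)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    rest = struct.pack("<HHIQQQIHHHHHH", e_type, machine, 1, entry,
                       64, 0, 0, 64, 56, 0, 64, 0, 0)
    return e_ident + rest


if __name__ == "__main__":
    sample = build_elf64_header(0x401000)
    print(json.dumps(triage(sample, "constructed.elf", tags=["demo"]), indent=2))
```

The record is deliberately flat and JSON-serializable so it can be handed to an Elasticsearch index (or any document store) as-is; hashes give you deduplication and pivoting, the type field drives which further analyzers run, and tags carry the analyst context that the -t flag provides in Inhale.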
Query database
Most researchers can use db.sh to quickly query the database:
db.sh *something* | jq .
© 2024 shulou.com SLNews company. All rights reserved.