Analyzing malware can be a fairly complex affair. Depending on the complexity of the sample you are analyzing there are many approaches you can take, and each of these will typically require several tools or scripts. This is where http://viper.li comes into play.
Created by Claudio ‘nex’ Guarnieri, Viper is “A binary management and analysis framework dedicated to malware and exploit researchers.” It comes with some basic features that let you add, search and work with samples. Where it really shows its strength is in the community-contributed modules, which greatly extend Viper's functionality.
At the time of writing the current list of built-in commands and modules is as follows.
- clear – Clear the console
- close – Close the current session
- delete – Delete the opened file
- export – Export the current session to file or zip
- find – Find a file
- help – Show this help message
- info – Show information on the opened file
- notes – View, add and edit notes on the opened file
- open – Open a file
- projects – List or switch existing projects
- sessions – List or switch sessions
- store – Store the opened file to the local repository
- tags – Modify tags of the opened file
- apk – Parse Android Applications
- cuckoo – Submit the file to Cuckoo Sandbox
- debup – Parse McAfee BUP Files
- editdistance – Edit distance on the filenames
- email – Parse eml and msg email files
- exif – Extract Exif MetaData
- fuzzy – Search for similar files through fuzzy hashing
- html – Parse html files and extract content
- ida – Start IDA Pro
- idx – Parse Java idx files
- image – Perform analysis on images
- jar – Parse Java JAR archives
- office – Office Document Parser
- pdf – Extract PDF Stream Information
- pe – Extract information from PE32 headers
- reports – Online Sandboxes Reports
- shellcode – Search for known shellcode patterns
- strings – Extract strings from file
- virustotal – Lookup the file on VirusTotal
- xor – Search for xor Strings
- yara – Run Yara scan
For this installation I'm going to use a basic Ubuntu Server 14.04 install. I won't bother you with setting up Linux; it should be easy enough to follow the steps.
The setup and installation process for Viper is not overly complicated, but there are several third-party components that we will need in order to enable all of Viper's features.
Let's make sure our Ubuntu is up to date and then grab some additional packages we are going to need.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install build-essential python-dev python-pip git automake libtool libimage-exiftool-perl swig libssl-dev
Third-Party Sources
There are some third-party sources that we need in order to make use of all the available features in Viper. For these we need to download and build from source.
I like to keep all the temporary build files in one place (~/tmp_build in this guide) so I don't end up with bits and pieces all over the place. From here I'll download all the files I'm going to need. (Please check for the latest versions if you're following this guide literally.)
Yara – The pattern matching swiss knife for malware researchers (and everyone else)
https://github.com/plusvic/yara/archive/v3.0.0.tar.gz – Must be version 2.x or greater
tar zxf v3.0.0.tar.gz
cd yara-3.0.0/
sudo bash build.sh
sudo make install
Test to make sure Yara runs:
yara
usage:  yara [OPTION]... RULES_FILE FILE | PID
options:
  -t    only print rules tagged as .
  -i    only print rules named .
  -n    only print not satisfied rules (negate).
  -g    print tags.
  ...
Now let's do the Python bindings.
cd yara-python/
sudo python setup.py install
and return to the root of our build directory, ready for the next one.
SSDeep – Computing context triggered piecewise hashes. Also called Fuzzy Hashes.
Grab the latest version and away we go. Tested with version 2.10.
tar zxf ssdeep-2.10.tar.gz
cd ssdeep-2.10/
./configure
make
sudo make install
Let's install the Python bindings to go with it:
sudo pip install pydeep
Test it works and return to our tmp_build directory:
ssdeep -h
cd ~/tmp_build/
AndroGuard – Reverse engineering, Malware and goodware analysis of Android applications … and more (ninja !)
If you want to use Viper to analyze Android APKs and decompile Java class files, we need to install AndroGuard. I'll leave it up to you to decide whether you want to include all the AndroGuard dependencies. A basic install of the 1.9 release works fine.
tar zxf androguard-1.9.tar.gz
cd androguard-1.9/
sudo python setup.py install
ExifTool allows us to get metadata from files and can display a wealth of information. Viper talks to it through the pyexiftool Python wrapper; the exiftool binary itself comes from the libimage-exiftool-perl package installed earlier.
git clone https://github.com/smarnach/pyexiftool
cd pyexiftool
sudo python setup.py install
Viper and Python Dependencies
Viper itself has a few extra Python dependencies, and each module may have its own as well. For the most part module authors include them in the requirements.txt file that ships with Viper.
cd into the directory you want to run Viper from and run the following:
git clone https://github.com/botherder/viper
cd viper
sudo pip install -r requirements.txt
If everything worked we should now be able to run the Viper shell.
I'll cover using Viper in more detail in some upcoming posts. For now here is a quick example from the main site.
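Before launching the shell, here is a quick way to confirm that everything built above actually landed, since a missing binding only shows up later as a module failing to load. This is an added example, not code from the original post or from the Viper project; it assumes the same binaries and Python module names the steps above install (yara, ssdeep and exiftool on PATH, and the yara, pydeep, androguard and exiftool Python modules).

```shell
#!/bin/sh
# Post-install sanity check for the components built in this guide.
# Added example, not part of the original post or of Viper itself; it
# assumes the binaries and Python modules the steps above install
# ("python" is Python 2.7 on Ubuntu 14.04, as the guide's commands use).

# check_bin NAME: succeeds (0) if a command called NAME is on PATH.
check_bin() {
    command -v "$1" >/dev/null 2>&1
}

# check_pymod MODULE: succeeds (0) if the system python can import MODULE.
check_pymod() {
    python -c "import $1" >/dev/null 2>&1
}

# report_missing: prints one line per missing component and returns the
# number of missing items (0 means everything the modules need is there).
report_missing() {
    missing=0
    # command-line tools: the yara binary, ssdeep, and exiftool from
    # libimage-exiftool-perl (pyexiftool shells out to it)
    for b in yara ssdeep exiftool; do
        check_bin "$b" || { echo "missing binary: $b"; missing=$((missing + 1)); }
    done
    # python bindings: yara-python, pydeep, androguard, pyexiftool
    for m in yara pydeep androguard exiftool; do
        check_pymod "$m" || { echo "missing python module: $m"; missing=$((missing + 1)); }
    done
    return $missing
}

if report_missing; then
    echo "all Viper dependencies present"
fi
```

Run it from any directory; a non-zero exit from report_missing tells you which step above to revisit before blaming a Viper module.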
Documentation and Help
The Viper documentation is still being written, but you can find it on http://viper.li. If you have any questions, or even better something you can contribute, head over to the Git repo or jump on irc.freenode.net ###viper.
As usual: questions, queries, comments below.